Merge PR 6794666

Project Collection Build Service (msazure) · Project Collection Build Service (msazure) · commit ef6581ee0801 · 2022-09-24T02:21:56.000Z
diff --git a/.azure-pipelines/docker-sonic-slave-template.yml b/.azure-pipelines/docker-sonic-slave-template.yml
@@ -38,12 +38,12 @@ jobs:
 - job: Build_${{ parameters.dist }}_${{ parameters.march }}${{ parameters.arch }}
   timeoutInMinutes: 360
   variables:
-  - template: .azure-pipelines/template-variables.yml@buildimage
-  - template: .azure-pipelines/azure-pipelines-repd-build-variables.yml@buildimage
+  - template: /.azure-pipelines/template-variables.yml@buildimage
+  - template: /.azure-pipelines/azure-pipelines-repd-build-variables.yml@buildimage
   pool: ${{ parameters.pool }}
   steps:
   - template: cleanup.yml
-  - template: .azure-pipelines/template-clean-sonic-slave.yml@buildimage
+  - template: /.azure-pipelines/template-clean-sonic-slave.yml@buildimage
   - checkout: self
     clean: true
     submodules: recursive
@@ -62,7 +62,7 @@ jobs:
         exit 0
       fi
 
-      DOCKER_DATA_ROOT_FOR_MULTIARCH=/data/march/docker make configure PLATFORM=generic PLATFORM_ARCH=${{ parameters.arch }} $args || docker image ls $image_tag
+      DOCKER_DATA_ROOT_FOR_MULTIARCH=/data/march/docker BLDENV=${{ parameters.dist }} make -f Makefile.work configure PLATFORM=generic PLATFORM_ARCH=${{ parameters.arch }} $args || docker image ls $image_tag
       if [[ "$(Build.Reason)" == "PullRequest" ]];then
         exit 0
       fi
diff --git a/build_debian.sh b/build_debian.sh
@@ -480,10 +480,16 @@ rm /files/etc/ssh/sshd_config/ClientAliveInterval
 rm /files/etc/ssh/sshd_config/ClientAliveCountMax
 touch /files/etc/ssh/sshd_config/EmptyLineHack
 rename /files/etc/ssh/sshd_config/EmptyLineHack ""
-set /files/etc/ssh/sshd_config/ClientAliveInterval 900
+set /files/etc/ssh/sshd_config/ClientAliveInterval 300
 set /files/etc/ssh/sshd_config/ClientAliveCountMax 1
 ins #comment before /files/etc/ssh/sshd_config/ClientAliveInterval
-set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliveInterval]] "Close inactive client sessions after 15 minutes"
+set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliveInterval]] "Close inactive client sessions after 5 minutes"
+rm /files/etc/ssh/sshd_config/MaxAuthTries
+set /files/etc/ssh/sshd_config/MaxAuthTries 3
+rm /files/etc/ssh/sshd_config/LogLevel
+set /files/etc/ssh/sshd_config/LogLevel VERBOSE
+rm /files/etc/ssh/sshd_config/Banner
+set /files/etc/ssh/sshd_config/Banner /etc/issue
 save
 quit
 EOF
diff --git a/build_image.sh b/build_image.sh
@@ -191,6 +191,7 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then
     zip -g $ABOOT_BOOT_IMAGE .imagehash
     rm .imagehash
     echo "SWI_VERSION=42.0.0" > version
+    echo "BUILD_DATE=$(date -d "${build_date}" -u +%Y%m%dT%H%M%SZ)" >> version
     echo "SWI_MAX_HWEPOCH=2" >> version
     echo "SWI_VARIANT=US" >> version
     zip -g $OUTPUT_ABOOT_IMAGE version
diff --git a/platform/broadcom/sonic-platform-modules-cel/debian/platform-modules-haliburton.init b/platform/broadcom/sonic-platform-modules-cel/debian/platform-modules-haliburton.init
@@ -11,6 +11,26 @@
 # Short-Description: Setup Haliburton board.
 ### END INIT INFO
 
+setup_swap () {
+    SWAPFILE=/host/myswapfile
+
+    if [ ! -f $SWAPFILE ]; then
+        availspace=`df -h --output=avail /host | sed '1d;s/\s//g;s/[^0-9].*//g'`
+        diff=$(( availspace - 2*$1 ))
+        if [ $diff -gt 0 ]; then
+            fallocate -l ${1}G $SWAPFILE
+            chmod 600 $SWAPFILE
+            echo "swap file created successfully"
+        else
+            echo "not enough disk space to turn on swap."
+            return
+        fi
+    fi
+    mkswap $SWAPFILE
+    swapon $SWAPFILE
+    echo "swap on successfully"
+}
+
 case "$1" in
 start)
         echo -n "Setting up board... "
@@ -74,6 +94,8 @@ start)
 
         /bin/sh /usr/local/bin/platform_api_mgnt.sh init
 
+        setup_swap 2
+
         echo "done."
         ;;
 
diff --git a/src/sonic-py-common/sonic_py_common/general.py b/src/sonic-py-common/sonic_py_common/general.py
@@ -1,4 +1,5 @@
 import sys
+from subprocess import Popen, STDOUT, PIPE, CalledProcessError, check_output
 
 
 def load_module_from_source(module_name, file_path):
@@ -23,3 +24,70 @@ def load_module_from_source(module_name, file_path):
     sys.modules[module_name] = module
 
     return module
+
+
+def getstatusoutput_noshell(cmd):
+    """
+    This function implements getstatusoutput API from subprocess module
+    but using shell=False to prevent shell injection.
+    Ref: https://github.com/python/cpython/blob/3.10/Lib/subprocess.py#L602
+    """
+    try:
+        output = check_output(cmd, universal_newlines=True, stderr=STDOUT)
+        exitcode = 0
+    except CalledProcessError as ex:
+        output = ex.output
+        exitcode = ex.returncode
+    if output[-1:] == '\n':
+        output = output[:-1]
+    return exitcode, output
+
+
+def getstatusoutput_noshell_pipe(cmd0, *args):
+    """
+    This function implements getstatusoutput API from subprocess module
+    but using shell=False to prevent shell injection. Input command
+    includes two or more commands connected by shell pipe(s).
+    """
+    popens = [Popen(cmd0, stdout=PIPE, universal_newlines=True)]
+    i = 0
+    while i < len(args):
+        popens.append(Popen(args[i], stdin=popens[i].stdout, stdout=PIPE, universal_newlines=True))
+        popens[i].stdout.close()
+        i += 1
+    output = popens[-1].communicate()[0]
+    if output[-1:] == '\n':
+        output = output[:-1]
+
+    exitcodes = [0] * len(popens)
+    while popens:
+        last = popens.pop(-1)
+        exitcodes[len(popens)] = last.wait()
+
+    return (exitcodes, output)
+
+
+def check_output_pipe(cmd0, *args):
+    """
+    This function implements check_output API from subprocess module.
+    Input command includes two or more commands connected by shell pipe(s)
+    """
+    popens = [Popen(cmd0, stdout=PIPE, universal_newlines=True)]
+    i = 0
+    while i < len(args):
+        popens.append(Popen(args[i], stdin=popens[i].stdout, stdout=PIPE, universal_newlines=True))
+        popens[i].stdout.close()
+        i += 1
+    output = popens[-1].communicate()[0]
+
+    i = 0
+    args_list = [cmd0] + list(args)
+    while popens:
+        current = popens.pop(0)
+        exitcode = current.wait()
+        if exitcode != 0:
+            raise CalledProcessError(returncode=exitcode, cmd=args_list[i], output=current.stdout)
+        i += 1
+
+    return output
+
diff --git a/src/sonic-py-common/tests/test_general.py b/src/sonic-py-common/tests/test_general.py
@@ -0,0 +1,31 @@
+import sys
+import pytest
+import subprocess
+from sonic_py_common.general import getstatusoutput_noshell, getstatusoutput_noshell_pipe, check_output_pipe
+
+
+def test_getstatusoutput_noshell(tmp_path):
+    exitcode, output = getstatusoutput_noshell(['echo', 'sonic'])
+    assert (exitcode, output) == (0, 'sonic')
+
+    exitcode, output = getstatusoutput_noshell([sys.executable, "-c", "import sys; sys.exit(6)"])
+    assert exitcode != 0
+
+def test_getstatusoutput_noshell_pipe():
+    exitcode, output = getstatusoutput_noshell_pipe(['echo', 'sonic'], ['awk', '{print $1}'])
+    assert (exitcode, output) == ([0, 0], 'sonic')
+
+    exitcode, output = getstatusoutput_noshell_pipe([sys.executable, "-c", "import sys; sys.exit(6)"], [sys.executable, "-c", "import sys; sys.exit(8)"])
+    assert exitcode == [6, 8]
+
+def test_check_output_pipe():
+    output = check_output_pipe(['echo', 'sonic'], ['awk', '{print $1}'])
+    assert output == 'sonic\n'
+
+    with pytest.raises(subprocess.CalledProcessError) as e:
+        check_output_pipe([sys.executable, "-c", "import sys; sys.exit(6)"], [sys.executable, "-c", "import sys; sys.exit(0)"])
+        assert e.returncode == [6, 0]
+
+    with pytest.raises(subprocess.CalledProcessError) as e:
+        check_output_pipe([sys.executable, "-c", "import sys; sys.exit(0)"], [sys.executable, "-c", "import sys; sys.exit(6)"])
+        assert e.returncode == [0, 6]
diff --git a/src/system-health/health_checker/service_checker.py b/src/system-health/health_checker/service_checker.py
@@ -127,11 +127,11 @@ def get_critical_process_list_from_file(self, container, critical_processes_file
                         self.bad_containers.add(container)
                         logger.log_error('Invalid syntax in critical_processes file of {}'.format(container))
                     continue
-
-                identifier_key = match.group(2).strip()
-                identifier_value = match.group(3).strip()
-                if identifier_key == "program" and identifier_value:
-                    critical_process_list.append(identifier_value)
+                if match.group(1) is not None:
+                    identifier_key = match.group(2).strip()
+                    identifier_value = match.group(3).strip()
+                    if identifier_key == "program" and identifier_value:
+                        critical_process_list.append(identifier_value)
 
         return critical_process_list
 
