Skip to content

Bind default namespace database container to midplane ip #23837

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Bind default namespace database container to midplane ip #23837

wants to merge 3 commits into from

Conversation

@manish1-arista
Copy link

@manish1-arista manish1-arista commented Aug 28, 2025
edited
Loading

This feature has been tracked at: sonic-net/SONiC#2020

Why I did it

On a linecard, the default namespace database container is only bound to localhost (127.0.0.1).
This prevents other components in the chassis, such as the supervisor card,
from accessing the linecard's default namespace database over the midplane network to aggregate the VOQ counters for Single ASIC Linecards.

Work item tracking
  • Microsoft ADO (number only):

How I did it

Set the protected-mode no and bind the linecard's eth1-midplane IP address to the default namespace database container, allowing for remote access from the supervisor to collect the VOQ counters.

How to verify it

Check1: Default Namespace Database container on LC should not be in protected Mode

Before:

docker exec -it database redis-cli config get protected-mode

##### Command Output #####
1) "protected-mode"
2) "yes"
#########################

After:

docker exec -it database redis-cli config get protected-mode

##### Command Output #####
1) "protected-mode"
2) "no"
#########################

Check2: Default Namespace Database container on LC bind with a midplane IP
Before:

# Command to check the midplane IPs binded to the redis DB
docker exec -it database redis-cli config get bind

##### Command Output #####
1) "bind"
2) "127.0.0.1"
#########################

After:

# Command to check the midplane IPs binded to the redis DB
docker exec -it database redis-cli config get bind

##### Command Output #####
1) "bind"
2) "127.0.0.1 127.100.3.1"
#########################

Check3: No database container on supervisor is affected(protection mode or midplane IPs)

Before:

---Config for: 'database5' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.13
---Config for: 'database11' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.9
---Config for: 'database8' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.12
---Config for: 'database6' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.10
---Config for: 'database7' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.11
---Config for: 'database0' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.8
---Config for: 'database9' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.4
---Config for: 'database1' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.6
---Config for: 'database2' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.7
---Config for: 'database3' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.5
---Config for: 'database4' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.3
---Config for: 'database10' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.2
---Config for: 'database' ---
  protected-mode: yes
  bind: 127.0.0.1
--- Config for: 'database-chassis' ---
  protected-mode: no
  bind: redis_chassis.server

After:

---Config for: 'database5' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.13
---Config for: 'database11' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.9
---Config for: 'database8' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.12
---Config for: 'database6' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.10
---Config for: 'database7' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.11
---Config for: 'database0' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.8
---Config for: 'database9' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.4
---Config for: 'database1' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.6
---Config for: 'database2' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.7
---Config for: 'database3' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.5
---Config for: 'database4' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.3
---Config for: 'database10' ---
  protected-mode: no
  bind: 127.0.0.1 240.127.1.2
---Config for: 'database' ---
  protected-mode: yes
  bind: 127.0.0.1
--- Config for: 'database-chassis' ---
  protected-mode: no
  bind: redis_chassis.server

Check4: Aggregate VOQ command is working properly for the Single ASIC Linecards on supervisor

## Working on Supervisor for single Asic LC 

###### OUTPUT ######
admin@cmp312:~$ show queue counters "cmp312-3|Asic0|Ethernet156" --voq
                      Port    Voq    Counter/pkts    Counter/bytes    Drop/pkts    Drop/bytes    Credit-WD-Del/pkts
--------------------------  -----  --------------  ---------------  -----------  ------------  --------------------
cmp312-3|Asic0|Ethernet156   VOQ0              19              950            0             0                     0
cmp312-3|Asic0|Ethernet156   VOQ1               0                0            0             0                     0
cmp312-3|Asic0|Ethernet156   VOQ2               0                0            0             0                     0
cmp312-3|Asic0|Ethernet156   VOQ3               0                0            0             0                     0
cmp312-3|Asic0|Ethernet156   VOQ4              19              950            0             0                     0
cmp312-3|Asic0|Ethernet156   VOQ5               0                0            0             0                     0
cmp312-3|Asic0|Ethernet156   VOQ6               0                0            0             0                     0
cmp312-3|Asic0|Ethernet156   VOQ7             173            52706            0             0                     0

Check5: Fixed systems the database container is on protected mode

Before:

# Command to check the protection mode
docker exec -it database redis-cli config get protected-mode


##### Command Output #####
1) "protected-mode"
2) "yes"
#########################


# Command to check the midplane Ips binded to the redis DB
docker exec -it database redis-cli config get bind

##### Command Output #####
1) "bind"
2) "127.0.0.1"
#########################

After:

# Command to check the protection mode
docker exec -it database redis-cli config get protected-mode


##### Command Output #####
1) "protected-mode"
2) "yes"
#########################


# Command to check the midplane Ips binded to the redis DB
docker exec -it database redis-cli config get bind

##### Command Output #####
1) "bind"
2) "127.0.0.1"
#########################

Which release branch to backport (provide reason below if selected)

  • 202205
  • 202211
  • 202305
  • 202311
  • 202405
  • 202411
  • 202505

Tested branch (Please provide the tested image version)

Master

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

@mssonicbld
Copy link
Collaborator

mssonicbld commented Aug 28, 2025

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

azure-pipelines bot commented Aug 28, 2025

Azure Pipelines successfully started running 1 pipeline(s).

@vivekverma-arista
Copy link
Contributor

vivekverma-arista commented Aug 28, 2025
edited
Loading

@qiluo-msft @arlakshm @judyjoseph please review. This is a continuation of: #20803 for single ASIC linecards

cc @kenneth-arista @pandurangan-arista @vmittal-msft

This was referenced Aug 28, 2025
Open
Merged
@abdosi
Copy link
Contributor

abdosi commented Sep 17, 2025

can we update PR subject as this is more of infrastructure change

@vmittal-msft
Copy link
Contributor

vmittal-msft commented Sep 24, 2025

@manish1-arista Did we make sure it is not impacting exiting T2 VoQ stats aggregation? Also, please update subject as per Abhishek comment.

@manish1-arista manish1-arista changed the title Add Aggregate VOQ counters support for single ASIC linecards Bind default namespace database container to midplane ip Sep 24, 2025
@manish1-arista
Copy link
Author

manish1-arista commented Sep 24, 2025

can we update PR subject as this is more of infrastructure change

Updated

@manish1-arista
Copy link
Author

manish1-arista commented Sep 24, 2025

@manish1-arista Did we make sure it is not impacting exiting T2 VoQ stats aggregation? Also, please update subject as per Abhishek comment.

Yes, we have verified this. The changes do not cause any regressions to the existing T2 VoQ stats aggregation.

@rlhui rlhui requested a review from judyjoseph October 2, 2025 05:07
judyjoseph
judyjoseph reviewed Oct 8, 2025
View reviewed changes
judyjoseph
judyjoseph reviewed Oct 8, 2025
View reviewed changes
@judyjoseph
Copy link
Contributor

judyjoseph commented Oct 8, 2025

@manish1-arista, please add to PR description(How did you verify) before and after test results of this change in communication between LC host database <--> chassis db in sup

@judyjoseph
Copy link
Contributor

judyjoseph commented Oct 8, 2025

/azp run

@judyjoseph
Copy link
Contributor

judyjoseph commented Oct 8, 2025

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

azure-pipelines bot commented Oct 8, 2025

Azure Pipelines successfully started running 1 pipeline(s).

1 similar comment
@azure-pipelines
Copy link

azure-pipelines bot commented Oct 8, 2025

Azure Pipelines successfully started running 1 pipeline(s).

@manish1-arista
sonic-buildimage: Bind linecard database instance to midplane IP
d23b8db 
On a linecard, the database container is bound to localhost (127.0.0.1)
by default. This prevents other components in the chassis, such as the
supervisor card, from accessing the linecard's database over the midplane network.
This change exposes the database instance to the midplane, allowing for remote
access from the supervisor.

Signed-off-by: manish <[email protected]>
@manish1-arista manish1-arista force-pushed the bind_linecard_db_to_midplane_ip branch from fcde75e to d23b8db Compare October 29, 2025 06:39
@mssonicbld
Copy link
Collaborator

mssonicbld commented Oct 29, 2025

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

azure-pipelines bot commented Oct 29, 2025

Azure Pipelines successfully started running 1 pipeline(s).

@manish1-arista
Copy link
Author

manish1-arista commented Nov 10, 2025
edited
Loading

@manish1-arista, please add to PR description(How did you verify) before and after test results of this change in communication between LC host database <--> chassis db in sup

Updated the PR Description(How did you verify) with the detailed testing done for all the database containers on SUP and LC

vmittal-msft
vmittal-msft approved these changes Nov 10, 2025
View reviewed changes
Copy link
Contributor

@vmittal-msft vmittal-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@manish1-arista is there a way to do protected mode == on after binding midplane ip to database container ?

@vivekverma-arista
Copy link
Contributor

vivekverma-arista commented Nov 11, 2025

@rlhui @judyjoseph please help in merging

@manish1-arista
Copy link
Author

manish1-arista commented Nov 11, 2025

@manish1-arista is there a way to do protected mode == on after binding midplane ip to database container ?

Yes, protected-mode can be set to yes by this command
docker exec -it database redis-cli config set protected-mode yes

If we set it to yes, then midplane IP will still be binded but database cannot be accessed over midplane due to protected-mode

@rlhui
Copy link
Contributor

rlhui commented Nov 11, 2025

@rlhui @judyjoseph please help in merging

PR build is not passing, could you please check why/address?

@mssonicbld
Copy link
Collaborator

mssonicbld commented Nov 13, 2025

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

azure-pipelines bot commented Nov 13, 2025

Azure Pipelines successfully started running 1 pipeline(s).

@mssonicbld
Copy link
Collaborator

mssonicbld commented Nov 18, 2025

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

azure-pipelines bot commented Nov 18, 2025

Azure Pipelines successfully started running 1 pipeline(s).

@vivekverma-arista
Copy link
Contributor

vivekverma-arista commented Nov 18, 2025

@rlhui PR checks have passed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vmittal-msft vmittal-msft vmittal-msft approved these changes

@judyjoseph judyjoseph judyjoseph approved these changes

@lguohan lguohan Awaiting requested review from lguohan lguohan is a code owner

@mlok-nokia mlok-nokia Awaiting requested review from mlok-nokia

@anamehra anamehra Awaiting requested review from anamehra

@eswaran-nexthop eswaran-nexthop Awaiting requested review from eswaran-nexthop

Assignees

@manish1-arista manish1-arista

Labels

None yet

Projects

SONiC Chassis
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@manish1-arista @mssonicbld @vivekverma-arista @abdosi @vmittal-msft @judyjoseph @rlhui