Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[MACsecMgr]: Add MACsec Manager #1475

Merged
merged 17 commits into from
Jan 29, 2021
Merged

[MACsecMgr]: Add MACsec Manager #1475

merged 17 commits into from
Jan 29, 2021

Conversation

Pterosaur
Copy link
Contributor

@Pterosaur Pterosaur commented Oct 22, 2020

What I did
Add MACsec Manager for MACsec feature.
MACsecMgr is a daemon in MACsec container, that receives the message from CONFIG DB and uses wpa_cli instructions to manage the functionality of MACsec in the specified port. The below figure is the flow chart of MACsecMgr which shows the MACsec profile management according to MACsec Profile Table and the functionality of MACsec in the specified port according to PortTable.
The main functions are defined in class MACsecMgr as follow

    task_process_status removeProfile(const std::string & profile_name, const TaskArgs & profile_attr);
    task_process_status loadProfile(const std::string & profile_name, const TaskArgs & profile_attr);
    task_process_status enableMACsec(const std::string & port_name, const TaskArgs & port_attr);
    task_process_status disableMACsec(const std::string & port_name, const TaskArgs & port_attr);

The HLD of MACsec Manager is at MACsec HLD

Why I did it
The MACsec Manager will be used to manage wpa_supplicant processes according to config db.

How I verified it

  1. Copy macsecmgr and wpa_supplicant executable files into MACsec container
  2. Set config db by following instructs:
hmset "MACSEC_PROFILE|test_profile" "priority" "64" "cipher_suite" "GCM-AES-128" "primary_cak" "0123456789ABCDEF0123456789ABCDEF" "primary_ckn" "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435" "fallback_cak" "" "fallback_ckn" "" "policy" "security" "enable_replay_protect" "0" "replay_window" "0" "send_sci" "1" "rekey_period" ""

hmset "PORT|Ethernet0" "macsec" "test_profile"

The wpa_supplicant process should be started.

Details if related
This PR depends on : sonic-net/sonic-wpa-supplicant#16 and sonic-net/sonic-buildimage#5700 and sonic-net/sonic-swss-common#434

Verified

This commit was signed with the committer’s verified signature.
UlisesGascon Ulises Gascón
Signed-off-by: Ze Gan <[email protected]>
Signed-off-by: Ze Gan <[email protected]>
Signed-off-by: Ze Gan <[email protected]>
Signed-off-by: Ze Gan <[email protected]>
Signed-off-by: Ze Gan <[email protected]>
@Pterosaur Pterosaur changed the title Macsecmgr MACsecMgr Oct 22, 2020
@Pterosaur Pterosaur marked this pull request as draft October 22, 2020 14:29
@Pterosaur Pterosaur changed the title MACsecMgr [MACsecMgr]: Add MACsec Manager Nov 3, 2020
Signed-off-by: Ze Gan <[email protected]>
@Pterosaur Pterosaur force-pushed the macsecmgr branch 2 times, most recently from 420b0ea to 943bf8c Compare November 3, 2020 15:53
@Pterosaur Pterosaur marked this pull request as ready for review November 3, 2020 16:40
@lguohan lguohan added the macsec label Nov 4, 2020
cfgmgr/macsecmgr.cpp Outdated Show resolved Hide resolved
cfgmgr/macsecmgr.cpp Outdated Show resolved Hide resolved
Copy link

@samitabh samitabh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few comments in macsecmgr.cpp.

@samitabh
Copy link

Question: How is the Config Db being updated ?

@Pterosaur
Copy link
Contributor Author

Question: How is the Config Db being updated ?

Right now, we have two method to update the config DB.

  1. directly to edit the /etc/sonic/config_db.json and execute sudo config reload -y
  2. To use redis-cli to update the config db.

In the future, we would like to provide some CLI tool to update the MACsec state.

lguohan
lguohan previously approved these changes Dec 4, 2020
@Pterosaur
Copy link
Contributor Author

retest vs please

lguohan
lguohan previously approved these changes Dec 4, 2020
return istream;
}

static std::istringstream &operator>>(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can this be in swss-common?

@caizhenghui-juniper
Copy link
Contributor

In the code, is there process to check all the instances alive and restart it when it's dead/killed?

@Pterosaur
Copy link
Contributor Author

retest vs please

2 similar comments
@Pterosaur
Copy link
Contributor Author

retest vs please

@Pterosaur
Copy link
Contributor Author

retest vs please

@Pterosaur
Copy link
Contributor Author

retest vs please

@lguohan lguohan merged commit dd4e409 into sonic-net:master Jan 29, 2021
DavidZagury pushed a commit to DavidZagury/sonic-swss that referenced this pull request Mar 4, 2021
Add MACsec Manager for MACsec feature.
MACsecMgr is a daemon in MACsec container, that receives the message from CONFIG DB and uses wpa_cli instructions to manage the functionality of MACsec in the specified port. The below figure is the flow chart of MACsecMgr which shows the MACsec profile management according to MACsec Profile Table and the functionality of MACsec in the specified port according to PortTable.
The main functions are defined in class MACsecMgr as follow
```
    task_process_status removeProfile(const std::string & profile_name, const TaskArgs & profile_attr);
    task_process_status loadProfile(const std::string & profile_name, const TaskArgs & profile_attr);
    task_process_status enableMACsec(const std::string & port_name, const TaskArgs & port_attr);
    task_process_status disableMACsec(const std::string & port_name, const TaskArgs & port_attr);
```

The HLD of MACsec Manager is at [MACsec HLD](https://github.com/Azure/SONiC/blob/master/doc/macsec/MACsec_hld.md#341-macsec-mgr)

Signed-off-by: Ze Gan <[email protected]>
raphaelt-nvidia pushed a commit to raphaelt-nvidia/sonic-swss that referenced this pull request Oct 5, 2021
Add MACsec Manager for MACsec feature.
MACsecMgr is a daemon in MACsec container, that receives the message from CONFIG DB and uses wpa_cli instructions to manage the functionality of MACsec in the specified port. The below figure is the flow chart of MACsecMgr which shows the MACsec profile management according to MACsec Profile Table and the functionality of MACsec in the specified port according to PortTable.
The main functions are defined in class MACsecMgr as follow
```
    task_process_status removeProfile(const std::string & profile_name, const TaskArgs & profile_attr);
    task_process_status loadProfile(const std::string & profile_name, const TaskArgs & profile_attr);
    task_process_status enableMACsec(const std::string & port_name, const TaskArgs & port_attr);
    task_process_status disableMACsec(const std::string & port_name, const TaskArgs & port_attr);
```

The HLD of MACsec Manager is at [MACsec HLD](https://github.com/Azure/SONiC/blob/master/doc/macsec/MACsec_hld.md#341-macsec-mgr)

Signed-off-by: Ze Gan <[email protected]>
EdenGri pushed a commit to EdenGri/sonic-swss that referenced this pull request Feb 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants