Install python3 FIPS packages (#21682)
Install python3 FIPS packages

Why I did it
Python3 FIPS package not installed:

admin@vlab-01:~$ sudo apt list --installed | grep libpython
libpython3-stdlib/now 3.11.2-1+b1 amd64 [installed,local]
libpython3.11-minimal/now 3.11.2-6+deb12u5 amd64 [installed,local]
libpython3.11-stdlib/now 3.11.2-6+deb12u5 amd64 [installed,local]
libpython3.11/now 3.11.2-6+deb12u5 amd64 [installed,local]

How I did it
Add python3 FIPS package to install list.
Purge all python3 dev packages before installing the python3 FIPS packages, because the dev packages would break their dependencies.

How to verify it
Pass all UT.

Manually confirm the package installed
liuh-80 authored Feb 19, 2025
1 parent ddcd315 commit dddb6cc
Showing 3 changed files with 20 additions and 1 deletion.
14 changes: 14 additions & 0 deletions files/build_templates/sonic_debian_extension.j2
@@ -1052,7 +1052,12 @@ sudo cp files/build_templates/startup_tsa_tsb.service $FILESYSTEM_ROOT_USR_LIB_S
sudo cp $BUILD_TEMPLATES/sonic.target $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable sonic.target

# All Python development packages must be removed, as they will conflict with the dependencies of the Python FIPS packages
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get purge -y python3-dev
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get purge -y libpython3-dev
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get purge -y '^python3\.[0-9]+-dev'
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get purge -y '^libpython3\.[0-9]+-dev'

sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get purge -y libcairo2-dev libdbus-1-dev libgirepository1.0-dev libsystemd-dev pkg-config
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get clean -y
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get autoremove -y
@@ -1177,6 +1182,15 @@ sudo rm -rf $FILESYSTEM_ROOT/tmp/mask_disabled_services.py

sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install python3-dbus

# Install FIPS python package will break apt-get purge command, so install after all purge command finish
if [ "$INCLUDE_FIPS" == y ]; then
{% if installer_python_debs.strip() -%}
{% for deb in installer_python_debs.strip().split(' ') -%}
sudo dpkg --root=$FILESYSTEM_ROOT -i {{deb}}
{% endfor %}
{% endif %}
fi


{% if installer_debs.strip() -%}
{% for deb in installer_debs.strip().split(' ') -%}
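Review bot: Nothing in the FIPS block at the end of the second hunk fails the build when the Python FIPS packages do not end up in the image. If `installer_python_debs` renders empty while `INCLUDE_FIPS` is `y`, the `{% if %}` guard emits no commands at all, which leaves the stock libpython that the commit description reports; I would add an `{% else %}` branch with `echo "INCLUDE_FIPS=y but installer_python_debs is empty" >&2; exit 1` before the `{% endif %}`. Whether a failed `dpkg -i` already aborts the script is not visible here, so a `dpkg-query -W` check of the installed libpython version inside `$FILESYSTEM_ROOT`, placed after the last apt step in the file, would confirm that no later `apt-get` call replaced the packages. `$FILESYSTEM_ROOT` on the `dpkg --root=` line should also be quoted.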
6 changes: 5 additions & 1 deletion rules/sonic-fips.mk
@@ -77,7 +77,11 @@ FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET)


ifeq ($(INCLUDE_FIPS), y)
FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_KRB5)
FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) \
$(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_KRB5)

# Python need install after purge python-dev
FIPS_BASEIMAGE_PYTHON_INSTALLERS = $(FIPS_LIBPYTHON_MINIMAL) $(FIPS_LIBPYTHON_STDLIB) $(FIPS_LIBPYTHON) $(FIPS_PYTHON_MINIMAL) $(FIPS_PYTHON)
SONIC_MAKE_DEBS += $(SYMCRYPT_OPENSSL)

$(foreach package,$(FIPS_DERIVED_TARGET),$(eval $(call add_extra_package,$(SYMCRYPT_OPENSSL),$(package))))
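Review bot: The order of `FIPS_BASEIMAGE_PYTHON_INSTALLERS` is load-bearing, but the comment above it does not say so. The image template installs this list one file at a time with `dpkg -i`, so each package has to come after the packages it depends on; a later reorder, or a package added in the wrong position, can leave an unconfigured package in the image. I would replace the comment with `# Installed one by one with dpkg -i after the python3 *-dev purge; keep each package after its dependencies.`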
1 change: 1 addition & 0 deletions slave.mk
@@ -1460,6 +1460,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
export kube_docker_proxy="$(KUBE_DOCKER_PROXY)"
export enable_pfcwd_on_start="$(ENABLE_PFCWD_ON_START)"
export installer_debs="$(addprefix $(IMAGE_DISTRO_DEBS_PATH)/,$($*_INSTALLS) $(FIPS_BASEIMAGE_INSTALLERS))"
export installer_python_debs="$(addprefix $(IMAGE_DISTRO_DEBS_PATH)/,$(FIPS_BASEIMAGE_PYTHON_INSTALLERS))"
export lazy_installer_debs="$(foreach deb, $($*_LAZY_INSTALLS),$(foreach device, $($(deb)_PLATFORM),$(addprefix $(device)@, $(IMAGE_DISTRO_DEBS_PATH)/$(deb))))"
export lazy_build_installer_debs="$(foreach deb, $($*_LAZY_BUILD_INSTALLS), $(addprefix $($(deb)_MACHINE)|,$(deb)))"
export installer_images="$(foreach docker, $($*_DOCKERS),\
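Review bot: The hunk exports `installer_python_debs` to the template, but the rule's prerequisite list begins on the `$(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS))` line and lies outside the visible lines, so it cannot be confirmed here that the new debs are also prerequisites of the installer target. If `$(FIPS_BASEIMAGE_INSTALLERS)` is listed there, `$(FIPS_BASEIMAGE_PYTHON_INSTALLERS)` should be added next to it, for example `$(addprefix $(IMAGE_DISTRO_DEBS_PATH)/,$(FIPS_BASEIMAGE_PYTHON_INSTALLERS)) \` in whatever escaping the neighbouring entries use. Without that, the installer recipe may run before the .deb files exist and the `dpkg -i` loop in the template would fail on a missing path. The recipe continues past the end of the hunk.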