Merge branch '202505' of https://github.com/sonic-net/sonic-buildimage into 202506

Author: mssonicbld

.azure-pipelines/azure-pipelines-build.yml

@@ -121,7 +121,7 @@ jobs:
 
     buildSteps:
       - template: .azure-pipelines/template-skipvstest.yml@buildimage
-      - template: .azure-pipelines/template-daemon.yml@buildimage
+      - template: template-daemon.yml
       - bash: |
           set -ex
           if echo $(GROUP_NAME) | grep mellanox; then

.azure-pipelines/azure-pipelines-image-template.yml

@@ -85,6 +85,29 @@ jobs:
           BUILD_REASON=$(Build.Reason)
           echo "Build.Reason = $BUILD_REASON"
           echo "Build.DefinitionName = $BUILD_DEFINITIONNAME"
+
+          if [[ "$BUILD_REASON" == "PullRequest" ]]; then
+            echo "Checking for changes to dockers/docker-ptf/Dockerfile.j2 in PR..."
+            # Get the target branch and check for changes
+            TARGET_BRANCH="origin/$(System.PullRequest.TargetBranch)"
+            echo "Comparing against target branch: $TARGET_BRANCH"
+            # Fetch target branch to ensure we have the latest
+            git fetch origin $(System.PullRequest.TargetBranch)
+            # Check if docker-ptf Dockerfile.j2 has changes
+            # NOTE: The PTF_MODIFIED template parameter is of type string
+            # Ensure to set it to "True" or "False" (not boolean true/false)
+            if git diff --name-only $TARGET_BRANCH...HEAD | grep -q "dockers/docker-ptf/Dockerfile.j2"; then
+              echo "docker-ptf/Dockerfile.j2 has been modified in this PR"
+              echo "##vso[task.setvariable variable=PTF_MODIFIED;isOutput=true]True"
+            else
+              echo "docker-ptf/Dockerfile.j2 has not been modified in this PR"
+              echo "##vso[task.setvariable variable=PTF_MODIFIED;isOutput=true]False"
+            fi
+          else
+            echo "Not a PR build, setting PTF_MODIFIED to false"
+            echo "##vso[task.setvariable variable=PTF_MODIFIED;isOutput=true]False"
+          fi
+
           if [[ "$BUILD_REASON" != "PullRequest" && "$BUILD_DEFINITIONNAME" == "Azure.sonic-buildimage.official.vs" ]]
           then
             PORT=443
@@ -103,6 +126,7 @@ jobs:
           mv target/* $(Build.ArtifactStagingDirectory)/target/
         env:
           REGISTRY_PASSWD: $(REGISTRY_PASSWD)
+        name: PublishAndSetPtfTag
         displayName: Publish to Docker Registry and Copy Artifacts
         condition: always()
       - publish:  $(Build.ArtifactStagingDirectory)

.azure-pipelines/template-daemon.yml

@@ -5,18 +5,14 @@ steps:
       do
         sleep 120
         now=$(date +%s)
-        pids=$(ps -C docker-buildx -o pid,etime,args | grep "docker-buildx buildx build" | awk '{print $1}')
+        pids=$(ps -C docker -o pid,etime,args | grep "docker build" | cut -d" " -f2)
         for pid in $pids
         do
-          start_ticks=$(awk '{print $22}' /proc/$pid/stat)
-          boot_time=$(awk '/btime/ {print $2}' /proc/stat)
-          hertz=$(getconf CLK_TCK)
-          start_time=$((boot_time + start_ticks / hertz))
-          ts=$(date -d "@$((now - start_time))" +%s)
-
-          if [[ $ts -gt $(DOCKER_BUILD_TIMEOUT) ]]; then
+          start=$(date --date="$(ls -dl /proc/$pid --time-style full-iso | awk '{print$6,$7}')" +%s)
+          time_s=$(($now-$start))
+          if [[ $time_s -gt $(DOCKER_BUILD_TIMEOUT) ]]; then
             echo =========== $(date +%F%T) $time_s &>> target/daemon.log
-            ps -p $pid -o pid,etime,args ww &>> target/daemon.log
+            ps $pid &>> target/daemon.log
             sudo kill $pid
           fi
         done

azure-pipelines.yml

@@ -109,12 +109,29 @@ stages:
     value: veos_vtb
   - name: testbed_file
     value: vtestbed.csv
+  - name: PTF_MODIFIED
+    value: $[ coalesce(stageDependencies.BuildVS.vs.outputs['PublishAndSetPtfTag.PTF_MODIFIED'], stageDependencies.BuildVS.vs.outputs['script.PTF_MODIFIED'], stageDependencies.BuildVS.vs.outputs['script1.PTF_MODIFIED'], 'False') ]
 
 # For every test job:
 # continueOnError: false means it's a required test job and will block merge if it fails
 # continueOnError: true means it's an optional test job and will not block merge even though it fails(unless a required test job depends on its result)
 
   jobs:
+  - job: debug_variables
+    pool: sonictest
+    displayName: "Debug PTF_MODIFIED Variable"
+    steps:
+    - script: |
+        echo "PTF_MODIFIED variable value: $(PTF_MODIFIED)"
+        echo "Debug: Checking if PTF_MODIFIED is being passed correctly from BuildVS stage"
+        if [ "$(PTF_MODIFIED)" = "True" ]; then
+          echo "SUCCESS: PTF_MODIFIED is True"
+        elif [ "$(PTF_MODIFIED)" = "False" ]; then
+          echo "INFO: PTF_MODIFIED is False"
+        else
+          echo "ERROR: PTF_MODIFIED has unexpected value: $(PTF_MODIFIED)"
+        fi
+      displayName: "Debug PTF_MODIFIED Variable"
   - job:
     pool: sonictest
     displayName: "vstest"
@@ -210,6 +227,7 @@ stages:
           MAX_WORKER: $(INSTANCE_NUMBER)
           KVM_IMAGE_BRANCH: $(BUILD_BRANCH)
           MGMT_BRANCH: $(BUILD_BRANCH)
+          PTF_MODIFIED: ${{ eq(variables['PTF_MODIFIED'], 'true') }}
 
   - job: impacted_area_t0_2vlans_elastictest
     displayName: "impacted-area-kvmtest-t0-2vlans by Elastictest"
@@ -237,6 +255,7 @@ stages:
           DEPLOY_MG_EXTRA_PARAMS: "-e vlan_config=two_vlan_a"
           KVM_IMAGE_BRANCH: $(BUILD_BRANCH)
           MGMT_BRANCH: $(BUILD_BRANCH)
+          PTF_MODIFIED: ${{ eq(variables['PTF_MODIFIED'], 'true') }}
 
   - job: impacted_area_t1_lag_elastictest
     displayName: "impacted-area-kvmtest-t1-lag by Elastictest"
@@ -265,6 +284,7 @@ stages:
           MAX_WORKER: $(INSTANCE_NUMBER)
           KVM_IMAGE_BRANCH: $(BUILD_BRANCH)
           MGMT_BRANCH: $(BUILD_BRANCH)
+          PTF_MODIFIED: ${{ eq(variables['PTF_MODIFIED'], 'true') }}
 
   - job: impacted_area_dualtor_elastictest
     displayName: "impacted-area-kvmtest-dualtor by Elastictest"
@@ -294,6 +314,7 @@ stages:
           COMMON_EXTRA_PARAMS: "--disable_loganalyzer "
           KVM_IMAGE_BRANCH: $(BUILD_BRANCH)
           MGMT_BRANCH: $(BUILD_BRANCH)
+          PTF_MODIFIED: ${{ eq(variables['PTF_MODIFIED'], 'true') }}
 
   - job: impacted_area_multi_asic_elastictest
     displayName: "impacted-area-kvmtest-multi-asic-t1 by Elastictest"
@@ -321,6 +342,7 @@ stages:
           NUM_ASIC: 4
           KVM_IMAGE_BRANCH: $(BUILD_BRANCH)
           MGMT_BRANCH: $(BUILD_BRANCH)
+          PTF_MODIFIED: ${{ eq(variables['PTF_MODIFIED'], 'true') }}
 
   - job: impacted_area_t0_sonic_elastictest
     displayName: "impacted-area-kvmtest-t0-sonic by Elastictest"
@@ -354,6 +376,7 @@ stages:
             {"name": "bgp/test_bgp_fact.py", "param": "--neighbor_type=sonic --enable_macsec --macsec_profile=128_SCI,256_XPN_SCI"},
             {"name": "macsec", "param": "--neighbor_type=sonic --enable_macsec --macsec_profile=128_SCI,256_XPN_SCI"}
             ]'
+          PTF_MODIFIED: ${{ eq(variables['PTF_MODIFIED'], 'true') }}
 
   - job: impacted_area_dpu_elastictest
     displayName: "impacted-area-kvmtest-dpu by Elastictest"
@@ -383,3 +406,4 @@ stages:
           SPECIFIC_PARAM: '[
             {"name": "dash/test_dash_vnet.py", "param": "--skip_dataplane_checking"}
             ]'
+          PTF_MODIFIED: ${{ eq(variables['PTF_MODIFIED'], 'true') }}

device/arista/x86_64-arista_7060x6_16pe_384c/sensors.conf

@@ -1,14 +1,40 @@
+bus "i2c-16" "SCD 0000:03:00.0 SMBus master 1 bus 3"
 bus "i2c-19" "SCD 0000:06:00.0 SMBus master 0 bus 0"
+bus "i2c-35" "SCD 0000:06:00.0 SMBus master 2 bus 4"
+bus "i2c-37" "SCD 0000:05:00.0 SMBus master 0 bus 0"
+
+chip "k10temp-pci-00c3"
+    label temp1 "Cpu temp sensor"
 
 chip "max6581-i2c-19-4d"
+    label temp1 "Switch Card temp sensor"
+    label temp2 "TH5 PCB Left"
+    label temp3 "TH5 PCB Right"
+    label temp4 "Inlet Ambiant Air"
     ignore temp5
     ignore temp6
+    label temp7 "TH5 Diode 1"
+    label temp8 "TH5 Diode 2"
 
 chip "nvme-pci-0400"
-    # TODO: sensors complaining about tempX_min and tempX_max
     ignore temp2
     ignore temp3
     ignore temp4
     ignore temp5
     ignore temp6
     ignore temp7
+
+chip "pmbus-i2c-35-10"
+    label temp1 "Power supply 1 internal sensor"
+    ignore temp2
+
+chip "pmbus-i2c-35-12"
+    label temp1 "Power supply 2 internal sensor"
+    ignore temp2
+
+chip "tmp75-i2c-16-48"
+    label temp1 "Outlet"
+
+chip "tmp75-i2c-37-4a"
+    label temp1 "Port Card"
+

device/arista/x86_64-arista_7060x6_16pe_384c_b/sensors.conf

@@ -0,0 +1 @@
+../x86_64-arista_7060x6_16pe_384c/sensors.conf

device/arista/x86_64-arista_7060x6_16pe_384c_b/sensors.conf

@@ -63,6 +63,9 @@ RUN apt update &&            \
         libwrap0            \
         libatomic1
 
+# Security fixes: upgrade vulnerable base packages (S360 scan remediation)
+RUN apt-get update && apt-get upgrade -y
+
 # Add a config file to allow pip to install packages outside of apt/the Debian repos
 COPY ["pip.conf", "/etc/pip.conf"]
 

dockers/docker-base-bookworm/Dockerfile.j2

@@ -96,6 +96,29 @@ RUN apt-get update          \
         freeradius          \
         quilt
 
+# Install Go toolchain for building grpcurl and gnoic from source
+# to ensure they use a patched Go stdlib (GO-2026-4337: crypto/tls)
+{% if CONFIGURED_ARCH == "armhf" %}
+RUN GO_ARCH=armv6l \
+{% elif CONFIGURED_ARCH == "arm64" %}
+RUN GO_ARCH=arm64 \
+{% else %}
+RUN GO_ARCH=amd64 \
+{% endif %}
+    && GO_VERSION=1.25.8 \
+    && curl -L "https://go.dev/dl/go${GO_VERSION}.linux-${GO_ARCH}.tar.gz" -o /tmp/go.tar.gz \
+    && tar -C /usr/local -xzf /tmp/go.tar.gz \
+    && rm /tmp/go.tar.gz
+
+ENV PATH="/usr/local/go/bin:$HOME/go/bin:$PATH"
+
+# Build grpcurl from source with patched Go (GO-2026-4337)
+RUN go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.9.3 \
+    && mv "$(go env GOPATH)/bin/grpcurl" /usr/local/bin/grpcurl \
+    && chmod +x /usr/local/bin/grpcurl
+# Security fixes: upgrade all vulnerable system packages (S360 scan remediation)
+RUN apt-get update && apt-get upgrade -y \
+    && rm -rf /var/lib/apt/lists/*
 {% if PTF_ENV_PY_VER == "py3" %}
 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && update-alternatives --install /usr/bin/pip pip /usr/bin/pip3 1 \
@@ -116,7 +139,7 @@ RUN rm -rf /debs \
     && rm -f get-pip.py \
     && pip install setuptools \
     && pip install supervisor \
-    && pip install ipython==5.4.1 \
+    && pip install ipython \
     && git clone https://github.com/p4lang/scapy-vxlan.git \
     && cd scapy-vxlan \
     && python setup.py install \
@@ -176,10 +199,12 @@ RUN rm -rf /debs \
     && wget https://raw.githubusercontent.com/p4lang/ptf/master/ptf_nn/ptf_nn_agent.py
 
 {% if PTF_ENV_PY_VER == "py3" %}
-RUN git clone https://github.com/facebook/tac_plus \
+RUN curl -L -o tacacs.tar.gz https://shrubbery.net/pub/tac_plus/tacacs-F4.0.4.31.tar.gz\
+    && mkdir -p tac_plus\
+    && tar -xvzf tacacs.tar.gz -C tac_plus\
     && cd tac_plus \
-    && cd tacacs-F4.0.4.28 \
-    && ./configure \
+    && cd tacacs-F4.0.4.31 \
+    && ./configure LDFLAGS="-Wl,-rpath=/usr/local/lib" \
     && make install \
     && ln -s /usr/local/sbin/tac_plus /usr/sbin/tac_plus \
     && ln -s /usr/local/bin/tac_pwd /usr/sbin/tac_pwd \
@@ -196,6 +221,9 @@ ENV VIRTUAL_ENV=/root/env-python3
 ARG BACKUP_OF_PATH="$PATH"
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 ENV LANG=C.UTF-8 LC_ALL=C.UTF-8 PYTHONIOENCODING=UTF-8
+
+# Upgrade pip to address CVE vulnerabilities in older pip versions
+RUN pip3 install --upgrade pip
 {% endif %}
 
 {% if PTF_ENV_PY_VER == "mixed" %}
@@ -253,6 +281,9 @@ RUN pip3 install Flask \
     && pip3 install retrying \
     && pip3 install jinja2
 
+# Keep protobuf aligned with generated gNMI stubs.
+RUN pip3 install protobuf==6.33.5
+
 {% if docker_ptf_whls.strip() -%}
 # Copy locally-built Python wheel dependencies
 {{ copy_files("python-wheels/", docker_ptf_whls.split(' '), "/python-wheels/") }}
@@ -266,6 +297,10 @@ RUN pip3 install Flask \
 ENV PATH="$BACKUP_OF_PATH"
 {% endif %}
 
+# Ensure setuptools stays in a secure range while retaining pkg_resources
+# required by grpc_tools.protoc.
+RUN pip3 install "setuptools>=70.0.0,<78.0"
+
 ## Adjust sshd settings
 RUN mkdir /var/run/sshd \
     && echo 'root:root' | chpasswd \
@@ -296,19 +331,35 @@ RUN cd gnxi \
     && quilt push -a \
     && cd gnmi_cli_py \
 {% if PTF_ENV_PY_VER == "mixed" %}
-    && pip install -r requirements.txt
+    && pip install -r requirements.txt \
+    && pip3 install protobuf==6.33.5 --no-binary=protobuf
 {% else %}
-    && pip3 install setuptools==51.0.0 \
-    && cat requirements.txt | grep -v futures > /tmp/requirements.txt \
-    && pip3 install -r /tmp/requirements.txt
+    && pip3 install "setuptools>=70.0.0,<78.0" "grpcio==1.74.0" "grpcio-tools==1.74.0" "protobuf==6.33.5" \
+    && rm -f gnmi_pb2.py gnmi_ext_pb2.py gnmi_pb2_grpc.py \
+    && wget -q -O gnmi_ext.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi_ext/gnmi_ext.proto \
+    && wget -q -O gnmi.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi/gnmi.proto \
+    && sed -i 's|github.com/openconfig/gnmi/proto/gnmi_ext/gnmi_ext.proto|gnmi_ext.proto|' gnmi.proto \
+    && python3 -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. gnmi_ext.proto gnmi.proto \
+    && if grep -q _internal_create_key gnmi_ext_pb2.py; then echo "ERROR: gnmi stubs generated with incompatible protoc"; exit 1; fi \
+    && rm -f gnmi.proto gnmi_ext.proto \
+    && cat requirements.txt | grep -Ev '^(futures|grpcio==|grpcio-tools==|protobuf==)' > /tmp/requirements.txt \
+    && pip3 install -r /tmp/requirements.txt \
+    && pip3 install "setuptools>=70.0.0,<78.0" "grpcio==1.74.0" "grpcio-tools==1.74.0" "protobuf==6.33.5"
 {% endif %}
 
 # Install gnoic tool
+# Without specifying the version there is a failure
+# to determine the latest version automatically.
+#
+# root@a2014cb5bc54:~/gnoic# ./install.sh
+# Warning: Failed to verify the package: https://api.github.com/repos/karimra/gnoic/releases/latest, the version is not specified
+# Could not determine the latest release
+# Failed to install gnoic
+# For support, go to https://github.com/karimra/gnoic/issues
 RUN git clone https://github.com/karimra/gnoic.git \
     && cd gnoic \
-    && git checkout 57aac3d \
-    && chmod +x install.sh \
-    && ./install.sh \
+    && git checkout 27bc5a6 \
+    && go build -o /usr/local/bin/gnoic . \
     && cd .. \
     && rm -rf gnoic
 
@@ -323,6 +374,10 @@ RUN dpkg -i \
 debs/{{ deb }}{{' '}}
 {%- endfor %}
 
+# Remove Go toolchain to reduce image size
+RUN rm -rf /usr/local/go "$(go env GOPATH 2>/dev/null || echo $HOME/go)"
+ENV PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
 {% if PTF_ENV_PY_VER == "py3" %}
 # Create symlink so that test scripts and ptf_runner invocation path
 # is same across python 2 and python 3 envs. Note that for virtual-env
@@ -338,4 +393,4 @@ RUN mkdir -p /root/env-python3/bin \
 COPY ["*.ini", "/etc/ptf/"]
 EXPOSE 22 8009
 
-ENTRYPOINT ["/usr/local/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
+ENTRYPOINT ["/usr/local/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

dockers/docker-ptf/Dockerfile.j2

@@ -320,7 +320,7 @@ index dab2db6..e32b3ff 100644
 -grpcio-tools==1.15.0
 +grpcio==1.41.1
 +grpcio-tools==1.41.1
- protobuf==3.6.1 --no-binary=protobuf
+ protobuf==6.33.5 --no-binary=protobuf
  six==1.12.0
 -- 
 2.48.1.windows.1