[docker-ptf] re-add gnmic, built from openconfig/gnmic main (#27340)
ronan-nexthop wants to merge 4 commits into
/azp run Azure.sonic-buildimage

Azure Pipelines successfully started running 1 pipeline(s).
PR sonic-net#27059 removed gnmic because three CVEs in v0.45.0's deps couldn't be patched cleanly via `go get @latest` overrides. Those dependency fixes have since landed on openconfig/gnmic main. Build from a pinned main commit (71878d1936327b96883488d5f7a7584b1dda9bf1) so docker-ptf has gnmic available again for gNMI testing while we wait for the next tagged release.

Signed-off-by: Ronan Mac Fhlannchadha <ronan@nexthop.ai>
LGTM. @qiluo-msft @auspham Anything we can do to validate this?

@hdwhdw let's see if the pipeline scan doesn't show any vulnerability for this
/azpw retry

Retrying failed(or canceled) jobs...

/azp run

Azure Pipelines successfully started running 1 pipeline(s).
Go 1.25.10 is the 2026-05-07 stdlib security release (golang-announce qcCIEXso47M). It closes five DoS/crash CVEs present in 1.25.9, all of which currently compile into the docker-ptf grpcurl, gnoic and gnmic binaries:

- CVE-2026-33811 net.LookupCNAME double-free (cgo resolver)
- CVE-2026-33814 net/http HTTP/2 SETTINGS_MAX_FRAME_SIZE=0 DoS (the most relevant for these gRPC binaries)
- CVE-2026-39820 net/mail.ParseAddress / ParseDate DoS
- CVE-2026-39836 net.Dial / LookupPort panic on Windows
- CVE-2026-42499 net/mail.consumePhrase DoS

x86_64 / arm64 / armv6l Go tarball SHA256s taken from https://go.dev/dl/?mode=json on 2026-05-14.

Signed-off-by: Ronan Mac Fhlannchadha <ronan@nexthop.ai>
Closes CVE-2026-42151 / GHSA-wg65-39gg-5wfj (HIGH, CVSS 7.5): Prometheus < v0.311.3 exposes Azure AD OAuth client secrets in plaintext via the config API. Fixed only in v0.311.3. Upstream gnmic main still pins prometheus v0.311.2 at SHA 71878d19. Add a single 'go get github.com/prometheus/prometheus@v0.311.3' override to the from-source build so the docker-ptf gnmic binary picks up the fix without waiting on an upstream gnmic release. Once the corresponding gnmic upstream PR (openconfig/gnmic#872) merges and we move the pinned SHA forward, this override line becomes redundant and can be removed.

Signed-off-by: Ronan Mac Fhlannchadha <ronan@nexthop.ai>
A new Go version just dropped with more CVEs; I have raised another PR in the gnmic repo to fix this. For this PR I'm upgrading us to go1.25.10 and manually upgrading prometheus by one point version; this should make the tooling happy.
@hdwhdw Can you take a look?

The vuln scanner is not tripping up on gnmic anymore; it is failing for other reasons.
…s override openconfig/gnmic PR sonic-net#872 (Go 1.25.10 + prometheus v0.311.3) merged upstream at SHA 653dc5dd4ddcd3bd4197317875a10c1ce8b06653. Move the pinned commit to that merge SHA and remove the local 'go get github.com/prometheus/prometheus@v0.311.3' override, which is now redundant since v0.311.3 is in gnmic's own go.mod. No change in the resulting binary's prometheus or Go stdlib version; this just collapses the from-source build back to a single git checkout + go build with no dependency overrides.

Signed-off-by: Ronan Mac Fhlannchadha <ronan@nexthop.ai>
The upstream PR has merged; all scanned CVEs are now fixed. I have updated the build hash to point to gnmic master and will change to a release version once it's released.

Thanks so much! @ronan-nexthop @qiluo-msft can you sign off? |
Why I did it

Two related changes to `docker-ptf/Dockerfile.j2`:

1. Re-add gnmic, built from a pinned upstream main commit.

   docker-ptf previously shipped gnmic (added in #25537, switched to from-source build with dep overrides shortly after). In #27059 it was removed because three CVEs in v0.45.0's dependency chain could not be patched cleanly via `go get @latest` overrides:

   - `github.com/docker/docker` needed a version that didn't exist as a Go module tag (Docker moved to `moby/moby/v2`, gnmic still imported the old path).
   - `github.com/prometheus/prometheus` upgrade pulled in `k8s.io/kube-openapi` with a broken transitive dep, breaking `go mod tidy`.

   Those fixes have all since landed on openconfig/gnmic main (grpc 1.79.3, otel-sdk 1.43.0, go-git 5.19.0, docker→moby/moby/v2 migration, prometheus v0.311.3). The pinned commit 653dc5dd4ddcd3bd4197317875a10c1ce8b06653 is the merge of openconfig/gnmic#872 into main and additionally closes CVE-2026-42151 (prometheus → v0.311.3). To unblock gNMI testing in docker-ptf before the next tagged gnmic release, re-add gnmic by building from that pinned main commit.

2. Bump Go toolchain to 1.25.10.

   Go 1.25.10 is the 2026-05-07 stdlib security release (golang-announce qcCIEXso47M). It closes five DoS/crash CVEs present in 1.25.9, all of which currently end up in the from-source binaries this Dockerfile builds (grpcurl, gnoic, gnmic):

   - `net.LookupCNAME` double-free (cgo resolver)
   - `net/http` HTTP/2 `SETTINGS_MAX_FRAME_SIZE=0` DoS (most relevant for gRPC tools)
   - `net/mail.ParseAddress` / `ParseDate` DoS
   - `net.Dial` / `LookupPort` panic on Windows with NUL byte
   - `net/mail.consumePhrase` DoS

How I did it

`dockers/docker-ptf/Dockerfile.j2`:

- `RUN` block that clones openconfig/gnmic, checks out commit 653dc5dd, and runs `go build -o /usr/local/bin/gnmic .` — no `go get @latest` chains, no gocloud patch; trust upstream's vendored deps. Cleans up `/tmp/gnmic`, `$GOPATH/pkg/mod`, and the Go build cache after the build to keep layer size in check. Placed right before "Remove Go toolchain to reduce image size" so the Go toolchain is still available.
- `GO_VERSION=1.25.9 → 1.25.10` and the matching armv6l/arm64/amd64 SHA256s (taken from https://go.dev/dl/?mode=json on 2026-05-14).

The gnmic pin is temporary — the intent is to swap back to a tagged release once openconfig/gnmic cuts one that contains the dep fixes from #864 and #872.

How to verify it
Build the docker-ptf image and confirm gnmic is on PATH and links against the patched toolchain and prometheus:
```
$ docker run -it --rm --entrypoint bash docker-ptf:latest
root@...:~# gnmic version
```
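The `gnmic version` check above is manual. As an added example that is not part of this PR, the Go program below reads the build info embedded in a compiled binary (stdlib `debug/buildinfo`, so it works on a copied-out binary or inside the image after the toolchain has been removed) and flags a Go toolchain or `prometheus/prometheus` version below what this PR targets; the binary path `/usr/local/bin/gnmic` and the minimum versions are assumptions the caller passes in.

```go
package main

import (
	"cmp"
	"debug/buildinfo"
	"fmt"
	"runtime/debug"
	"slices"
	"strconv"
	"strings"
)
// versionParts: "go1.25.10" -> [1 25 10], "v0.311.3" -> [0 311 3]; non-numeric parts count as 0.
// Comparing these component-wise ranks go1.25.10 after go1.25.9 (plain string order does not).
func versionParts(v string) []int {
	v = strings.TrimLeft(v, "gov") // drop the "go" / "v" prefix
	v, _, _ = strings.Cut(v, "-")  // drop a "-rc1" or pseudo-version suffix
	var out []int
	for _, p := range strings.Split(v, ".") {
		n, _ := strconv.Atoi(p)
		out = append(out, n)
	}
	return out
}
func older(a, b string) bool { return slices.Compare(versionParts(a), versionParts(b)) < 0 }
// CheckBuildInfo returns one message per violation (toolchain older than minGo; a module in
// minDeps missing or older than required); an empty result means the binary is as expected.
func CheckBuildInfo(bi *debug.BuildInfo, minGo string, minDeps map[string]string) []string {
	var problems []string
	if older(bi.GoVersion, minGo) {
		problems = append(problems, fmt.Sprintf("toolchain %s < %s", bi.GoVersion, minGo))
	}
	for path, want := range minDeps {
		i := slices.IndexFunc(bi.Deps, func(m *debug.Module) bool { return m.Path == path })
		if i < 0 {
			problems = append(problems, path+" not linked into binary")
		} else if m := cmp.Or(bi.Deps[i].Replace, bi.Deps[i]); older(m.Version, want) { // replaced: judge what got linked
			problems = append(problems, fmt.Sprintf("%s %s < %s", path, m.Version, want))
		}
	}
	return problems
}
// CheckBinary reads the build info straight from the binary file, so no Go toolchain is
// needed in the image (the gnmic path and minimum versions are the caller's assumptions).
func CheckBinary(path, minGo string, minDeps map[string]string) ([]string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return CheckBuildInfo(bi, minGo, minDeps), nil
}
```

The toolchain part of the same check applies to grpcurl and gnoic, which this Dockerfile also builds from source.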
Expected:
gnmic reports a version string referencing commit 653dc5dd (or whatever the pinned SHA is). The compiled binaries (grpcurl, gnoic, gnmic) embed Go 1.25.10 stdlib, and gnmic links against prometheus/prometheus v0.311.3.

Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Description for the changelog
re-add gnmic to docker-ptf (built from openconfig/gnmic main, pinned); bump Go toolchain to 1.25.10
Link to config_db schema for YANG module changes
N/A