[vs] Add knob to skip DASH engine image install #27346

Open
rustiqly wants to merge 1 commit into sonic-net:master from rustiqly:reduce-vs-image-dash-engine

@rustiqly
Contributor

Why I did it

VS images currently always install docker-dash-engine.gz, even when the user is trying to build a smaller/resource-constrained VS image and does not need DASH engine services. In a recent VS image-size investigation for #26636, docker-dash-engine.gz showed up as a clear optional payload candidate at roughly 167 MB in the image artifacts.

How I did it

Added INCLUDE_VS_DASH_ENGINE ?= y and used it to gate only SONIC_INSTALL_DOCKER_IMAGES for docker-dash-engine.gz.

The default remains y, so existing VS builds are unchanged. Setting INCLUDE_VS_DASH_ENGINE=n still allows the docker image target to be built if requested, but skips installing it into the final VS image.

How I verified it

cat > /tmp/test-dash-engine.mk <<'MAKE'
include rules/config
PLATFORM_PATH = platform/vs
include platform/vs/docker-dash-engine.mk
print:
	@echo SONIC_DOCKER_IMAGES=$(SONIC_DOCKER_IMAGES)
	@echo SONIC_INSTALL_DOCKER_IMAGES=$(SONIC_INSTALL_DOCKER_IMAGES)
MAKE

make -f /tmp/test-dash-engine.mk print
make -f /tmp/test-dash-engine.mk print INCLUDE_VS_DASH_ENGINE=n
git diff --check -- rules/config platform/vs/docker-dash-engine.mk

Output:

SONIC_DOCKER_IMAGES=docker-dash-engine.gz
SONIC_INSTALL_DOCKER_IMAGES=docker-dash-engine.gz
SONIC_DOCKER_IMAGES=docker-dash-engine.gz
SONIC_INSTALL_DOCKER_IMAGES=

Fixes #26636.

@mssonicbld
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rustiqly
Contributor Author

CI note for #27346: the Azure.sonic-buildimage (Test Trivy vulnerability scan (docker-ptf)) failure in Azure build 1112607 appears unrelated to this VS install-list knob change.

The log shows docker-ptf.gz scan findings from base/cached image contents:

  • Debian 12.13 package CVEs in liblcms2-2, Wireshark packages, and linux-libc-dev
  • Go stdlib CVEs in /usr/local/bin/grpcurl
  • existing default SSH/snakeoil private-key findings

This PR only gates whether docker-dash-engine.gz is installed into VS images when INCLUDE_VS_DASH_ENGINE=n; it does not modify docker-ptf, package versions, or image secret handling. Re-running Azure.

@rustiqly
Contributor Author

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rustiqly force-pushed the reduce-vs-image-dash-engine branch from 5526adb to 99b8bac on May 13, 2026 14:05
@mssonicbld
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rustiqly
Contributor Author

CI failure looks unrelated to this PR (#27346):

  • Required Azure docker-ptf Trivy scan failed in build 1112722: https://github.com/sonic-net/sonic-buildimage/runs/75828308975
  • The findings are cached/base docker-ptf contents: Debian package CVEs (liblcms2-2, wireshark*, linux-libc-dev), Go stdlib CVEs, and pre-existing default private-key test fixtures.
  • This PR only adds a VS image install knob for docker-dash-engine.gz; it does not modify docker-ptf contents.

Saved log excerpt: /tmp/pr-ci-logs/azure-build1112722-log205.txt. Requesting a fresh Azure run.

@rustiqly
Contributor Author

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rustiqly
Contributor Author

CI failure classification for #27346:

Azure build 1112920 failed required Azure.sonic-buildimage (Test Trivy vulnerability scan (docker-ptf)). The failure is unrelated to this VS DASH-engine install knob: docker-ptf is failing on cached/base image findings, including Debian package CVEs (liblcms2-2, wireshark*, linux-libc-dev), Go stdlib CVEs, and existing private-key test fixtures.

The source changes in this PR do not touch docker-ptf, package versions, Trivy policy, or credential fixtures. Re-running Azure.

@rustiqly
Contributor Author

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rustiqly
Contributor Author

CI classification for #27346: Azure build 1113201 failed required Azure.sonic-buildimage (Test Trivy vulnerability scan (docker-ptf)). The findings are in the generated/base docker-ptf image (Debian package CVEs including lcms2/wireshark/linux-libc-dev, Go stdlib CVEs in grpcurl, plus default private-key fixtures), not in the VS DASH image install knob. Saved log: /tmp/pr-ci-logs/buildimage-27346-build1113201-log190-trivy.txt. Rerunning Azure.

@rustiqly
Contributor Author

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Signed-off-by: Rustiqly <rustiqly@users.noreply.github.com>
@rustiqly force-pushed the reduce-vs-image-dash-engine branch from 99b8bac to 8170b3e on May 14, 2026 14:06
@mssonicbld
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rustiqly
Contributor Author

CI failure looks unrelated to this PR.

Azure build 1113637 failed required Azure.sonic-buildimage (Test Trivy vulnerability scan (docker-ptf)), but the findings are in the cached/base docker-ptf image rather than the VS DASH install knob:

  • Debian 12.13 package CVE: libnghttp2-14 / CVE-2026-27135.
  • Go stdlib CVEs in bundled tooling (CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836, CVE-2026-42499).
  • Existing default private-key fixture findings from the image.

Logs saved locally for tracking:

  • /tmp/pr-ci-logs/buildimage-27346-build1113637-log310-trivy.txt
  • /tmp/pr-ci-logs/buildimage-27346-build1113637-log315-trivy-job.txt

Re-running Azure.

@rustiqly
Contributor Author

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rustiqly
Contributor Author

CI classification for #27346: latest Azure build 1113788 failed required Azure.sonic-buildimage (Build aspeed_arm64) before the repo build started because the hosted worker apt-get update failed on the external git-lfs packagecloud repository key (NO_PUBKEY 6B05F25D762E3157). Earlier required failures/cancellations in build 1113637 include the unrelated docker-ptf Trivy generated-key finding. The GitHub Analyze (python) failure is the known CodeQL bundle v2.25.4 404 and is not Azure CI.

Re-running Azure to get a clean required-check result.

@rustiqly
Contributor Author

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rustiqly
Contributor Author

CI classification for #27346: Azure build 1113881 failed required Azure.sonic-buildimage (Test Trivy vulnerability scan (docker-ptf)).

The failure is unrelated to this PR's VS DASH install knob. The docker-ptf Trivy scan reported generated/base image findings only: libnghttp2-14 CVE-2026-27135, Go stdlib CVEs from the base docker-ptf payload, and generated host/snakeoil private-key fixtures under /etc/ssh/* and /etc/ssl/private/ssl-cert-snakeoil.key.

Saved log: /tmp/pr-ci-logs/buildimage-27346-build1113881-log275-trivy.txt.
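
The triage comments above attribute the docker-ptf findings to the base image rather than to this PR. One way to check such a claim is to diff the PR's Trivy JSON report against a report from the target branch; this is an added example, not code from the PR or from sonic-buildimage. The sample reports, the `CVE-0000-00000` placeholder finding, and the function names are constructed for illustration.

```python
import json

# Constructed Trivy-style JSON reports, not real CI output. Field names follow
# Trivy's JSON layout: Results[].Vulnerabilities[] and Results[].Secrets[].
BASELINE = json.loads("""{"Results": [
  {"Target": "docker-ptf (debian 12.13)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2026-27135", "PkgName": "libnghttp2-14"}]},
  {"Target": "/etc/ssl/private/ssl-cert-snakeoil.key", "Secrets": [
    {"RuleID": "private-key"}]},
  {"Target": "usr/local/bin/grpcurl", "Vulnerabilities": null}
]}""")

# Same report plus one constructed placeholder finding, standing in for
# something a PR really did introduce.
PR_SCAN = json.loads(json.dumps(BASELINE))
PR_SCAN["Results"].append({"Target": "example-target", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00000", "PkgName": "example-pkg"}]})


def finding_keys(report):
    """Reduce a report to a set of comparable finding identities."""
    keys = set()
    for result in report.get("Results") or []:
        # Trivy may emit null or omit these arrays when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            keys.add(("vuln", vuln["PkgName"], vuln["VulnerabilityID"]))
        for secret in result.get("Secrets") or []:
            # For secret findings the target is the file path that matched.
            keys.add(("secret", result["Target"], secret["RuleID"]))
    return keys


def classify(baseline_report, pr_report):
    """Split PR-scan findings into pre-existing and newly introduced."""
    base, pr = finding_keys(baseline_report), finding_keys(pr_report)
    return {
        "pre_existing": sorted(pr & base),
        "introduced": sorted(pr - base),
        "resolved": sorted(base - pr),
    }


if __name__ == "__main__":
    for bucket, items in classify(BASELINE, PR_SCAN).items():
        print(bucket, items)
```

An empty `introduced` list supports the "unrelated to this PR" classification; the pre-existing findings still need an owner on the target branch.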

@rustiqly
Contributor Author

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Development

Successfully merging this pull request may close these issues.

How to reduce SONiC VS image size (202505 Bookworm ~6GB) for resource-constrained systems
