登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 0

Edmund03 / swi-tools

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
分支 7
标签 3
贡献代码
同步代码
创建 Pull Request
了解更多
对比差异 通过 Pull Request 同步
同步更新到分支
通过 Pull Request 同步
将会在向当前分支创建一个 Pull
Request,合入后将完成同步
取消
提示: 由于 Git 不支持空文件夾,创建文件夹后会生成空的 .keep 文件
.github/workflows
switools
swixtools
tests
.gitignore
LICENSE
MANIFEST.in
README.md
setup.py
Loading...
README
Apache-2.0

swi-tools

Scripts for operating on an Arista SWI or SWIX

A SWI is a SoftWare Image containing the software that will run on the switch when the image is booted. A SWIX is a SoftWare Image eXtension, a collection of files (ex RPMs, squashfs) that can be installed to extend the behavior of the base SWI.

Scripts

  • swi-signature: Add a cryptographic signature to an Arista SWI or SWIX
  • swix-signature: A convenience alias for the above
  • verify-swi: Verify the cryptographic signature of an Arista SWI or SWIX
  • verify-swix: A convenience alias for the above
  • swix-create: Create a new SWIX file
  • swi-signing-service: Simple example of a signing service (all local)

Installation

pip3 install switools

Alternatively:

git clone https://github.com/aristanetworks/swi-tools.git
cd swi-tools
python3 setup.py install

Dependencies

  1. Python3. For a version that works with python2, use the version 1.0 release.
  2. Zip - Used in the swi-signature script to remove a signature from the SWI/X if you want to re-sign it, this comes preinstalled on many operating systems.
  3. M2Crypto - installed automatically with the setup script.
  4. PyYAML - Used to read the manifest.yaml, if added, when creating a SWIX.
  5. jsonschema - Used to verify the manifest.yaml, if added, when creating a SWIX.

Creating a SWIX

Creating a SWIX is a straightforward process involving the swix-create command.

$ swix-create -h
usage: swix-create [-h] [-f] [-i manifest.yaml]
                   OUTFILE.swix PACKAGE.rpm [PACKAGE.rpm ...]

positional arguments:
  OUTFILE.swix          Name of output file
  PACKAGE.rpm           An RPM to add to the SWIX

optional arguments:
  -h, --help            show this help message and exit
  -f, --force           Overwrite OUTFILE.swix if it already exists
  -i manifest.yaml, --info manifest.yaml
                        Location of manifest.yaml file to add metadata to SWIX

1. Creating a simple SWIX

$ swix-create MySwix.swix MyRpm.rpm
  adding: manifest.txt (stored 0%)
  adding: MyRpm.rpm (stored 0%)

Your SWIX is ready to be installed on a switch!

(Arista)# scp user@host:/path/MySwix.swix extension:
Copy completed successfully.
(Arista)# show extensions
Name             Version/Release      Status      Extension
---------------- -------------------- ----------- ---------
MySwix.swix      1.0.3/1.el7          A, NI       1
(Arista)# extension MySwix.swix
Note: no agents to restart

Et voilà! Your extension has been installed. Note that your extension may require some agents to be restarted. e.g., A restart of ConfigAgent is required if any CLI plugins have been added.

2. Adding a manifest.yaml file

The functionality of the SWIX can be enriched by adding a YAML file which contains instructions on when and how to install certain files. Such file is added with the -i switch, followed by the file, which will get validated and added to the SWIX. A sample manifest.yaml

metadataVersion: 1.0
version:
  - 4.21.1*:
    - AppBeta.rpm
    - AppBeta-lib.rpm
    - AppBeta.squashfs:
      - mount: /opt/apps/hello_world
  - 4.20.{6-9}*:
    - AppStable.rpm
    - AppStable.squashfs:
      - mount: /opt/apps/hello_world
agentsToRestart:
  - ConfigAgent
  - IgmpSnoopingAgent

At the moment, the only supported metadata version is 1.0. The other entry is the version-specific instructions for the extension. The first indented entry reads as:

  • For EOS versions 4.25.1 (Also 4.25.1.1, 4.25.1FX, etc., but not 4.25.10)
    • Install AppBeta.rpm
    • Install AppBeta-lib.rpm
    • Mount the SquashFS file AppBeta.squashfs on /opt/apps/hello_world
    • Prompt the user that ConfigAgent and IgmpSnoopingAgent need to be restarted. This only works on EOS versions 4.25.1 and later.

This way, you can publish one SWIX that works on multiple versions of EOS.

Signing an Arista SWI/X

Signing an Arista SWI or SWIX is a multi-step process involving the swi-signature script. First, with swi-signature prepare, a null signature file (a fix-sized signature file made entirely of null bytes) is added to the SWI/X, at the path /swi-signature (for SWI files) or /swix-signature (for SWIX files) in the zip file. Next, a signature is generated from the resulting SWI/X using a signing key. Finally, with swi-signature sign, the null signature file in the SWI/X is updated to reflect both the signature that was generated and the signing certificate used to verify the signature.

For EOS images starting 4.27.2, the process changes a little. For that, version 1.2 of this tool is needed. That is because a 4.27.2 image will contain multiple images, thus the prepare/sign split becomes inpractical. Instead, one has to provide a "swi-signing-server" binary (somewhere in PATH) that given a digest will return it signed. In that case, the swi-signing-server has access to the signer's private key. There is an example of how such a swi-signing-server could look like (it is using a local key). So in case no signer key is provided on the command line, providing a signatureFile instead will no longer do (it will still work though if the image is a pre 4.27.2 image). With 4.27.2+ images, the null-signature is automaticaly added and will overwrite any pre-existing signature forcefully.

1. Preparing the SWI/X for signing

Before generating a signature of the SWI/X, the SWI/X must be pre-signed with a null signature, a fix-sized signature file made entirely of null bytes. This can be done with the prepare option in the swi-signature script. At the end of the preparation, the sha256 hash of the SWI/X with the null signature is printed out in hex format. The hash is used in the next step to generate the real signature of the SWI/X file.

$ swi-signature prepare -h
usage: swi-signature prepare [-h] [--force-sign] [--outfile OUTFILE]
                             [--size SIZE]
                             EOS.swi[x]

positional arguments:
  EOS.swi[x]         Path of the SWI/X to prepare for signing

optional arguments:
  -h, --help         show this help message and exit
  --force-sign       Force signing the SWI/X if it's already signed
  --outfile OUTFILE  Path to save SWI/X with null signature, if not replacing
                     the input SWI/X
  --size SIZE        Size of null signature to add (default 8192 bytes)

Examples:

$ swi-signature prepare EOS.swi
84f6e823976f6d499fb161c2502ba9474b68abca7e98a9c98251ea5bd5e93765

This adds a null signature of 8192 bytes (the default) to EOS.swi, and prints out its sha256 hash in hex format. Keep track of this hash for use in the next step, as input into a signing server to generate a signature signed by a private key.

$ swi-signature prepare EOS.swi --force-sign --outfile EOS_temp.swi --size 9000
deleting: swi-signature
10aa98f4bd283256c8cd922d1bf40fb1b25a13d97049e4c0135e7140cb63d579

This copies EOS.swi to EOS_temp.swi, and signs EOS_temp.swi with a null signature of 9000 bytes, even if it has been signed before (removes the old signature).

Signing SWIX files behaves the same.

2. Signing the SWI/X

After adding a null signature file to the SWI/X, the SWI/X can now be signed. The null signature will be replaced by a real signature that contains both the signature of the SWI/X and the signing certificate that will be used to verify the signature. There are two options depending on whether you have direct access to the signing private key.

$ swi-signature sign -h
usage: swi-signature sign [-h]
                          (--signature SIGNATURE.txt | --key SIGNINGKEY.key)
                          EOS.swi[x] SIGNINGCERT.crt ROOTCERT.crt

positional arguments:
  EOS.swi[x]            Path of the SWI/X to sign.
  SIGNINGCERT.crt       Path of signing certificate.
  ROOTCERT.crt          Root certificate of signing certificate to verify
                        against 

optional arguments:
  -h, --help            show this help message and exit
  --signature SIGNATURE.txt
                        Path of base64-encoded SHA-256 signature file of EOS.swi or swix, signed by
                        signing cerificate.
  --key SIGNINGKEY.key  Path of signing key, used to generate the signature

2a. Signing SWI/X without direct access to private key

If there is no direct access to the private key, we assume that the private key is stored remotely in some form of signing server. A user should be able to query this signing server to use the signing key to sign an input hash and return the resulting signature. The input hash that should be used is printed out in the swi-signature prepare step. Since it is given in hex format, the signing server should be able to accept this sha256 hash in hex format as an input. The signing server should then sign the input hash with its signing private key, and then return the resulting signature as well as the signing certificate corresponding to the private key. The resulting signature must be converted to base64 format to be used in the swi-signature sign script.

Example:

$ # Prepare EOS.swi for signing and save the hash to input_hash.txt
$ swi-signature prepare EOS.swi > input_hash.txt                    
 
$ # input_hash.txt is a sha256 hash of EOS.swi in hex format
$ cat input_hash.txt
0f1f680a7c97f274cf2b6d131595521fec2a97509aceaddac529b7ab46ef6f8f

$ # Invoke a script that talks to a signing server that takes a hash as input and returns the signing certificate and generated signature.
$ ./talk-to-signing-server --input input_hash.txt --outputCertFile signing.crt --outputSignatureFile signature.txt 

$ # The resulting signature must be in base64 format
$ cat signature.txt
MEYCIQCcpjTgTZm9c+QdlVJ0W6xe7sxhjs7KXbwDngwC3/66QwIhAL7SRpkPOtOSyJPDlEqhyLzziQyght/E1iUSpmvEXmxg
$
$ swi-signature sign EOS.swi signing.crt root.crt --signature signature.txt
SWI file EOS.swi successfully signed and verified.

Signs EOS.swi with a pre-generated signature. At the end of signing, the resulting SWI will be automatically verified with the user-provided root certificate. SWIX signing behaves the same.

2b. Signing SWI/X with direct access to private key

If there is direct access to the private key, the key can be used directly in the input to the signing script as follows: Examples:

$ swi-signature sign EOS.swi signing.crt root.crt --key signing.key
SWI file EOS.swi successfully signed and verified.

Signs EOS.swi using signing.crt. The signature used is created by signing the hash of EOS.swi with signing.key.

2c. Signing EOS 4.27.2+ SWI with direct access to private key

Example:

$ swi-signature sign EOS.swi /etc/swi-signing/signing.crt /etc/swi-signing/root.crt --key /etc/swi-signing/signing.key
Optimizations in EOS.swi: Default Sand-4GB Strata-4GB
Default sha256: a3276b9976bb2471838dc95fbd2a38dcf1e7e5510bcfa8dfe0f0eff8b935a709
Sand-4GB sha256: 4d0d23293eaecc7f55e7ee9776b0c250bef1a335e1b4ea28ef4eea989eb917f9
Strata-4GB sha256: 520cbde6d60d1089bfbc95d9086c47ce4a6fc0399a5b8a29fc6c1bd95c7d029a
Adding signature files to EOS.swi: Default.signature Sand-4GB.signature Strata-4GB.signature
EOS.swi sha256: 913eb842e408ceddea914543230c9e13ff63e360fc6a6735ef9c0c1571209fb3
SWI/X file EOS.swi successfully signed and verified.

2d. Signing EOS 4.27.2+ SWI without direct access to private key

Example:

$ which swi-signing-service
/usr/local/bin/swi-signing-service

$ swi-signature sign EOS.swi /etc/swi-signing/signing.crt /etc/swi-signing/root.crt
... (same as above)

Verifying an Arista SWI/X signature

The verify-swi script verifies the signature in a SWI or SWIX by checking that the signing certificate used to sign the SWI/X is trusted by a specified root certificate, and that signing the SWI/X with the signing certificate matches the signature of the SWI/X. By default, the script verifies the signing certificate against the Arista root certificate, which is installed with the package.

$ verify-swi -h
usage: verify-swi [-h] [--CAfile CAFILE] EOS.swi[x]

Verify Arista SWI image or SWIX extension

positional arguments:
  EOS.swi[x]       SWI/X file to verify

optional arguments:
  -h, --help       show this help message and exit
  --CAfile CAFILE  Root certificate to verify against. (default:
                   ARISTA_ROOT_CA.crt)

Examples:

$ verify-swi EOS.swi 
SWI verification failed.
$ echo $?
4

The above example verifies EOS.swi using the Arista root certificate. However, the signature is not valid. Invalid signature verification returns a non-zero return code.

$ verify-swi EOS.swi --CAfile root.crt
SWI verification successful.
$ echo $?
0

Here EOS.swi is verified using root.crt. Verification in this case was successful.

$ verify-swi EOS.swi --CAfile /etc/swi-signing/root.crt
Optimizations in EOS.swi: Default Sand-4GB Strata-4GB
Default: SWI/X verification successful.
Sand-4GB: SWI/X verification successful.
Strata-4GB: SWI/X verification successful.
SWI/X verification successful.

Above's output was for a 4.27.2+ image (which has multiple contained images)

Testing

To run unit tests:

python3 setup.py test

End-to-end tests after install:

./tests/swim_test.sh
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Starred
0
Star
0
Fork
0

简介

Scripts for handling Arista SWI and SWIX files 展开 收起
暂无标签
Python 等 2 种语言
Python
92.0%
Shell
8.0%
Apache-2.0
使用 Apache-2.0 开源许可协议
取消

发行版

暂无发行版

贡献者

全部

近期动态

加载更多
不能加载更多了
1
https://gitee.com/edmund03/swi-tools.git
git@gitee.com:edmund03/swi-tools.git
edmund03
swi-tools
swi-tools
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部