Create GCU Container

Author: xincunli-sonic

dockers/docker-gcu-watchdog/Dockerfile.j2

@@ -0,0 +1,55 @@
+FROM docker-config-engine-bookworm-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}} AS builder
+
+# Install toolchain prerequisites for building Rust + protobuf code generation.
+# protobuf-compiler is required by tonic-build to compile watchdog.proto.
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    protobuf-compiler \
+    && rm -rf /var/lib/apt/lists/*
+
+# tonic-build uses the PROTOC env var to locate the protobuf compiler.
+# On Bookworm this must be set explicitly; without it 'cargo build' fails
+# with "could not find `protoc` installation".
+ENV PROTOC=/usr/bin/protoc
+
+# Install Rust/Cargo via rustup (pinned toolchain for reproducible builds).
+ARG RUST_ROOT=/usr/.cargo
+RUN RUSTUP_HOME=$RUST_ROOT CARGO_HOME=$RUST_ROOT bash -c \
+    'curl --proto "=https" -sSf https://sh.rustup.rs | sh -s -- --default-toolchain 1.79.0 -y'
+ENV RUSTUP_HOME=$RUST_ROOT
+ENV PATH=$PATH:$RUST_ROOT/bin
+
+# Copy the GCU watchdog Rust source into the build stage.
+# The 'watchdog/' directory inside the docker build context is populated from
+# src/gcu-watchdog/ by the SONiC build system before 'docker build' is invoked.
+WORKDIR /watchdog
+COPY watchdog/ ./
+
+# Build the release binary.  tonic-build will invoke protoc to compile
+# proto/watchdog.proto into Rust gRPC server stubs during this step.
+RUN cargo build --release
+
+# ---------------------------------------------------------------------------
+# Final (runtime) stage
+# ---------------------------------------------------------------------------
+FROM docker-config-engine-bookworm-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
+
+ARG docker_container_name
+ARG image_version
+RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV IMAGE_VERSION=$image_version
+
+# How often (seconds) the watchdog re-checks the venv checksum.
+# Override at container runtime with -e GCU_WATCHDOG_INTERVAL_SECS=<n>.
+ENV GCU_WATCHDOG_INTERVAL_SECS=30
+
+# Copy supervisord configuration
+COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
+
+# Copy the compiled watchdog binary from the builder stage
+COPY --from=builder /watchdog/target/release/gcu_watchdog /usr/bin/gcu_watchdog
+RUN chmod +x /usr/bin/gcu_watchdog
+
+ENTRYPOINT ["/usr/local/bin/supervisord"]

dockers/docker-gcu-watchdog/feature.json

@@ -0,0 +1,8 @@
+{
+    "name": "gcu-watchdog",
+    "has_per_asic_scope": false,
+    "has_global_scope": true,
+    "auto_restart": "enabled",
+    "high_mem_alert": "disabled",
+    "set_owner": "local"
+}

dockers/docker-gcu-watchdog/supervisord.conf

@@ -0,0 +1,40 @@
+[supervisord]
+logfile_maxbytes=1MB
+logfile_backups=2
+nodaemon=true
+
+[eventlistener:dependent-startup]
+command=python3 -m supervisord_dependent_startup
+autostart=true
+autorestart=unexpected
+startretries=0
+exitcodes=0,3
+events=PROCESS_STATE
+buffer_size=1024
+
+[program:rsyslogd]
+command=/usr/sbin/rsyslogd -n -iNONE
+priority=1
+autostart=false
+autorestart=unexpected
+stdout_logfile=NONE
+stdout_syslog=true
+stderr_logfile=NONE
+stderr_syslog=true
+dependent_startup=true
+
+[program:gcu_watchdog]
+command=/usr/bin/gcu_watchdog
+priority=3
+autostart=false
+# Restart on unexpected exit (crash/panic) but not on clean exit code 0
+# (e.g., graceful SIGTERM shutdown initiated by supervisord).
+autorestart=unexpected
+exitcodes=0
+startsecs=0
+stdout_logfile=NONE
+stdout_syslog=true
+stderr_logfile=NONE
+stderr_syslog=true
+dependent_startup=true
+dependent_startup_wait_for=rsyslogd:running

dockers/docker-gcu/Dockerfile.j2

@@ -0,0 +1,40 @@
+{% from "dockers/dockerfile-macros.j2" import install_debian_packages, install_python_wheels, copy_files %}
+ARG BASE=docker-config-engine-bookworm-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
+
+FROM $BASE
+
+ARG docker_container_name
+ARG image_version
+
+## Make apt-get non-interactive
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Pass the image_version to container
+ENV IMAGE_VERSION=$image_version
+
+RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf
+
+# Install Python venv support.
+# Note: 'sudo' is intentionally omitted — SONiC containers run as root,
+# so there is no need for sudo inside the container.
+RUN apt-get update && \
+    apt-get install -f -y \
+        python3-venv && \
+    apt-get clean -y && \
+    apt-get autoclean -y && \
+    apt-get autoremove -y && \
+    rm -rf /var/lib/apt/lists/*
+
+{% if docker_sonic_gcu_whls.strip() %}
+# Copy locally-built sonic-gcu Python wheel and its dependencies
+{{ copy_files("python-wheels/", docker_sonic_gcu_whls.split(' '), "/python-wheels/") }}
+{% endif %}
+
+# Copy init/health-check script and make it executable
+COPY ["docker-init.sh", "/usr/bin/gcu-init.sh"]
+RUN chmod +x /usr/bin/gcu-init.sh
+
+# Copy supervisord configuration
+COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
+
+ENTRYPOINT ["/usr/local/bin/supervisord"]

dockers/docker-gcu/docker-init.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+# docker-init.sh — GCU venv setup and health-check script.
+#
+# Usage:
+#   gcu-init.sh setup       — create /opt/gcu-venv and install the sonic-gcu wheel
+#   gcu-init.sh healthcheck — run lightweight smoke-tests against the installed GCU
+#
+# This script is invoked by supervisord as two separate one-shot programs so that
+# supervisord_dependent_startup can gate execution order:
+#   1. gcu-setup        (priority=2): runs 'setup'       — exits 0 on success
+#   2. gcu-healthcheck  (priority=3): runs 'healthcheck' — exits 0 on success
+
+set -e
+
+VENV_DIR="/opt/gcu-venv"
+WHEEL_DIR="/python-wheels"
+WHEEL_GLOB="${WHEEL_DIR}/sonic_gcu-*.whl"
+SETUP_SENTINEL="${VENV_DIR}/.setup_complete"
+
+###############################################################################
+# setup: create venv and install wheel
+###############################################################################
+do_setup() {
+    echo "[gcu-init] Starting GCU venv setup ..."
+
+    # Create venv with --system-site-packages so C-extension packages
+    # (swsscommon, sonic-py-common, libyang Python bindings, etc.) that are
+    # installed system-wide are visible inside the venv without reinstalling
+    # them. Pure-Python deps that are NOT on the system path must still be
+    # declared in the wheel's install_requires and will be downloaded/installed
+    # into the venv itself.
+    if [ ! -d "${VENV_DIR}" ]; then
+        python3 -m venv --system-site-packages "${VENV_DIR}"
+        echo "[gcu-init] Created venv at ${VENV_DIR}"
+    else
+        echo "[gcu-init] Venv already exists at ${VENV_DIR}, skipping creation"
+    fi
+
+    # Install the sonic-gcu wheel.
+    # shellcheck disable=SC2086
+    WHEEL_FILE=$(ls ${WHEEL_GLOB} 2>/dev/null | head -n 1)
+    if [ -z "${WHEEL_FILE}" ]; then
+        echo "[gcu-init] ERROR: No sonic_gcu wheel found in ${WHEEL_DIR}" >&2
+        exit 1
+    fi
+
+    echo "[gcu-init] Installing ${WHEEL_FILE} into ${VENV_DIR} ..."
+    "${VENV_DIR}/bin/pip" install --no-index --system-site-packages "${WHEEL_FILE}"
+
+    # Write a sentinel file so the healthcheck can verify setup completed OK.
+    touch "${SETUP_SENTINEL}"
+    echo "[gcu-init] GCU venv setup complete."
+}
+
+###############################################################################
+# healthcheck: smoke-test venv GCU + host GCU
+###############################################################################
+do_healthcheck() {
+    echo "[gcu-init] Running GCU health checks ..."
+
+    # Gate on setup sentinel — if setup did not complete successfully, skip
+    # the healthcheck to avoid misleading 'config apply-patch' errors.
+    if [[ ! -f "${SETUP_SENTINEL}" ]]; then
+        echo "[gcu-init] ERROR: Setup sentinel not found at ${SETUP_SENTINEL}." >&2
+        echo "[gcu-init] 'gcu-setup' may have failed. Skipping healthcheck." >&2
+        exit 1
+    fi
+
+    # Health-check 1: venv GCU — apply an empty JSON patch via the venv binary.
+    # An empty patch list '[]' is a no-op and must succeed without error.
+    echo "[gcu-init] Checking venv GCU (${VENV_DIR}/bin/config apply-patch) ..."
+    if echo '[]' | "${VENV_DIR}/bin/config" apply-patch /dev/stdin; then
+        echo "[gcu-init] Venv GCU health check: PASS"
+    else
+        echo "[gcu-init] Venv GCU health check: FAIL" >&2
+        exit 1
+    fi
+
+    # Health-check 2: host (system-installed) GCU — same empty patch via the
+    # system-wide 'config' CLI.  SONiC containers run as root so sudo is not
+    # needed; running it directly avoids requiring a sudoers configuration
+    # inside the container.
+    echo "[gcu-init] Checking host GCU (config apply-patch) ..."
+    if echo '[]' | config apply-patch /dev/stdin; then
+        echo "[gcu-init] Host GCU health check: PASS"
+    else
+        echo "[gcu-init] Host GCU health check: FAIL" >&2
+        exit 1
+    fi
+
+    echo "[gcu-init] All GCU health checks passed."
+}
+
+###############################################################################
+# Dispatch
+###############################################################################
+COMMAND="${1:-setup}"
+
+case "${COMMAND}" in
+    setup)
+        do_setup
+        ;;
+    healthcheck)
+        do_healthcheck
+        ;;
+    *)
+        echo "Usage: $0 {setup|healthcheck}" >&2
+        exit 1
+        ;;
+esac

dockers/docker-gcu/feature.json

@@ -0,0 +1,8 @@
+{
+    "name": "gcu",
+    "has_per_asic_scope": false,
+    "has_global_scope": true,
+    "auto_restart": "enabled",
+    "high_mem_alert": "disabled",
+    "set_owner": "local"
+}

dockers/docker-gcu/supervisord.conf

@@ -0,0 +1,59 @@
+[supervisord]
+logfile_maxbytes=1MB
+logfile_backups=2
+nodaemon=true
+
+[eventlistener:dependent-startup]
+command=python3 -m supervisord_dependent_startup
+autostart=true
+autorestart=unexpected
+startretries=0
+exitcodes=0,3
+events=PROCESS_STATE
+buffer_size=1024
+
+[program:rsyslogd]
+command=/usr/sbin/rsyslogd -n -iNONE
+priority=1
+autostart=false
+autorestart=unexpected
+stdout_logfile=NONE
+stdout_syslog=true
+stderr_logfile=NONE
+stderr_syslog=true
+dependent_startup=true
+
+# One-shot program: create the GCU venv and install the wheel.
+# priority=2 ensures rsyslogd is up first.
+# startsecs=0 means supervisord does not wait for it to stay running.
+# autorestart=false because it exits intentionally on success.
+[program:gcu-setup]
+command=/usr/bin/gcu-init.sh setup
+priority=2
+autostart=false
+autorestart=false
+startsecs=0
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+dependent_startup=true
+dependent_startup_wait_for=rsyslogd:running
+
+# Health-check program: verifies venv GCU and host GCU respond correctly.
+# Waits for gcu-setup to have exited (supervisord_dependent_startup
+# 'exited' state).  The docker-init.sh healthcheck subcommand additionally
+# checks for the .setup_complete sentinel file so it exits cleanly if
+# gcu-setup failed before the file was written.
+[program:gcu-healthcheck]
+command=/usr/bin/gcu-init.sh healthcheck
+priority=3
+autostart=false
+autorestart=false
+startsecs=0
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+dependent_startup=true
+dependent_startup_wait_for=gcu-setup:exited

files/build_templates/sonic_debian_extension.j2

@@ -1082,6 +1082,8 @@ sudo LANG=C cp $SCRIPTS_DIR/database.sh $FILESYSTEM_ROOT/usr/local/bin/database.
 sudo LANG=C cp $SCRIPTS_DIR/snmp.sh $FILESYSTEM_ROOT/usr/local/bin/snmp.sh
 sudo LANG=C cp $SCRIPTS_DIR/telemetry.sh $FILESYSTEM_ROOT/usr/local/bin/telemetry.sh
 sudo LANG=C cp $SCRIPTS_DIR/gnmi.sh $FILESYSTEM_ROOT/usr/local/bin/gnmi.sh
+sudo LANG=C cp $SCRIPTS_DIR/gcu.sh $FILESYSTEM_ROOT/usr/local/bin/gcu.sh
+sudo LANG=C cp $SCRIPTS_DIR/gcu-watchdog.sh $FILESYSTEM_ROOT/usr/local/bin/gcu-watchdog.sh
 sudo LANG=C cp $SCRIPTS_DIR/otel.sh $FILESYSTEM_ROOT/usr/local/bin/otel.sh
 sudo LANG=C cp $SCRIPTS_DIR/bmp.sh $FILESYSTEM_ROOT/usr/local/bin/bmp.sh
 sudo LANG=C cp $SCRIPTS_DIR/mgmt-framework.sh $FILESYSTEM_ROOT/usr/local/bin/mgmt-framework.sh

files/scripts/gcu-watchdog.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+function debug()
+{
+    /usr/bin/logger "$1"
+}
+
+start() {
+    debug "Starting ${SERVICE}$DEV service..."
+
+    # start service docker
+    /usr/bin/${SERVICE}.sh start $DEV
+    debug "Started ${SERVICE}$DEV service..."
+}
+
+wait() {
+    /usr/bin/${SERVICE}.sh wait $DEV
+}
+
+stop() {
+    debug "Stopping ${SERVICE}$DEV service..."
+
+    /usr/bin/${SERVICE}.sh stop $DEV
+    debug "Stopped ${SERVICE}$DEV service..."
+}
+
+DEV=$2
+
+SERVICE="gcu-watchdog"
+
+case "$1" in
+    start|wait|stop)
+        $1
+        ;;
+    *)
+        echo "Usage: $0 {start|wait|stop}"
+        exit 1
+        ;;
+esac