Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SONiC KVM Testbed

v1.2.0

Deploy and manage a SONiC sonic-mgmt KVM virtual testbed with cEOS neighbors for running pytest-based network tests. Use when setting up a local KVM testbed,...

2 stars · 488 downloads · 0 current · 0 all-time
by Ying Xie (@yxieca)

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
SKILL name/description (SONiC KVM testbed) aligns with the actions in SKILL.md: cloning sonic-mgmt, preparing sonic-vs and cEOS images, running testbed-cli.sh, setting up bridges, and running pytest. No unrelated cloud credentials or external services are requested.
Instruction Scope (flagged)
Runtime instructions directly perform system-level operations: setup management bridge, modprobe/qemu-nbd mounting of images, docker imports/pulls, and run various ansible/testbed scripts. They also instruct creating users on DUTs, adding NOPASSWD sudoers entries, using sshpass with plaintext password files, and running `chmod 666 /var/run/docker.sock` — operations that expand scope to modifying host and DUT security posture and persistently weaken privileges.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is downloaded or executed by the skill package itself. This minimizes supply-chain/install risk, but the instructions will cause host changes when followed.
Credentials (flagged)
The skill declares no required env vars or external credentials, which is appropriate, but the included references/scripts create and rely on many plaintext credentials and insecure defaults (passwords like 'password' and 'abc' in files, `group_vars/*` containing secrets, sshpass usage). It also recommends global privilege relaxations (NOPASSWD sudo entries, chmod 666 on docker socket) that are disproportionate unless run in an isolated test environment.
Persistence & Privilege
The skill is not force-included (always: false) and doesn't request platform-level persistence, but the documented steps create persistent artifacts (password.txt, modified ansible group_vars, changed sudoers entries, netplan file for br1) that alter system/DUT configuration across reboots. These persistent changes have real security implications and should be intentionally controlled.
What to consider before installing
This instruction-only skill appears coherent for building a SONiC KVM testbed, but it recommends several insecure or high-privilege actions. Before using it:

  1. Run the whole procedure inside an isolated VM or disposable host to avoid weakening a production machine.
  2. Replace example passwords ('password', 'abc') and the practice of storing them in plaintext with stronger passwords and secure vaulting.
  3. Avoid chmod 666 on /var/run/docker.sock — prefer adding the service account to the docker group or use limited sudo rules.
  4. Prefer narrowly-scoped sudoers entries instead of NOPASSWD ALL.
  5. Avoid sshpass/plaintext password files where possible; use SSH keys or an encrypted vault.
  6. Verify any images/tarballs (cEOS, sonic-vs) come from trusted sources and confirm the github repo/PR mentioned is authentic.
  7. Review and restrict any fix scripts (fix-configs.sh) before running; they modify ansible group_vars and can overwrite secrets.

If you cannot run in an isolated environment, treat this skill as risky and consider manual, hardened steps instead.


latest: vk9701kf1ng9zvx44kn74zwv70181vjzt
488 downloads · 2 stars · 4 versions
Updated 6h ago · v1.2.0 · MIT-0

SONiC KVM Virtual Testbed

Deploy a local sonic-mgmt KVM testbed with cEOS neighbors on a single machine.

Architecture

Host Machine (KVM + Docker)
├── vlab-XX (KVM VM running sonic-vs) — DUT
├── ceos_vmsX-Y_VMZZ (Docker) — cEOS neighbor(s)
├── ptf_vmsX-Y (Docker) — PTF test traffic generator
└── sonic-mgmt (Docker) — Ansible + pytest framework

Management network: br1 bridge, 10.250.0.0/24 (host at .1).

Supported Topologies

| Testbed Name   | Topo   | DUT     | VM Base | Neighbors (raw → converged) |
|----------------|--------|---------|---------|-----------------------------|
| vms-kvm-t0     | t0     | vlab-01 | VM0100  | 4 → 1 cEOS                  |
| vms-kvm-t1-lag | t1-lag | vlab-03 | VM0104  | 24 → 2 cEOS                 |

Use use_converged_peers: true in vtestbed.yaml to reduce cEOS containers via multi-VRF convergence (requires PR #22399 in master branch).

Prerequisites

  • Ubuntu 20.04/22.04/24.04, KVM enabled (kvm-ok)
  • 30GB+ RAM (for single topo) or 20GB+ with reduced VM memory
  • Docker installed, user in docker, kvm, libvirt groups
  • Built sonic-vs.img.gz from sonic-buildimage
  • cEOS image file (e.g., cEOS64-lab-4.32.5M.tar.xz)
  • sshpass installed on host

Deploy Procedure

1. Initial Setup (one-time)

# Clone repo
git clone https://github.com/sonic-net/sonic-mgmt.git ~/sonic-mgmt
cd ~/sonic-mgmt && git checkout master  # PR #22399 needed for auto-convergence

# Prepare images
mkdir -p ~/veos-vm/images ~/sonic-vm/images
gunzip -k sonic-vs.img.gz
cp sonic-vs.img ~/veos-vm/images/ && cp sonic-vs.img ~/sonic-vm/images/

# Import cEOS (docker import, NOT docker load)
xz -d cEOS64-lab-4.32.5M.tar.xz
docker import cEOS64-lab-4.32.5M.tar ceosimage:4.32.5M

# Management bridge
cd ~/sonic-mgmt/ansible && sudo ./setup-management-network.sh

# debian:jessie dependency
docker pull publicmirror.azurecr.io/debian:jessie
docker tag publicmirror.azurecr.io/debian:jessie debian:jessie

# sonic-mgmt container (setup-container.sh lives in the repo root, not in ansible/)
cd ~/sonic-mgmt && ./setup-container.sh -n sonic-mgmt -d /data

# Create vault password file
echo "abc" > ~/sonic-mgmt/ansible/password.txt

2. Configure Credentials and Settings

See references/credentials.md for all config files.

Critical files (these reset on git operations — automate fixes in a script):

| File                          | Key Setting                        | Why                                        |
|-------------------------------|------------------------------------|--------------------------------------------|
| group_vars/vm_host/creds.yml  | vm_host_user: <your_user>          | Host SSH access                            |
| group_vars/all/creds.yml      | sonic_login: "<dut_user>"          | DUT SSH user (matches sonic-vs build user) |
| group_vars/all/ceos.yml       | skip_ceos_image_downloading: true  | Use local cEOS image                       |
| group_vars/vm_host/main.yml   | max_fp_num: 127                    | Default 4 is too low for T0/T1             |
| veos_vtb                      | ansible_user: <your_user>          | Inventory host user                        |
| veos                          | Comment out STR-ACS-SERV-01        | Avoid dual-host conflict                   |
| vars/docker_registry.yml      | Remove :443 from host              | :443 causes docker pull to hang            |
| vtestbed.yaml                 | use_converged_peers: true          | Enable multi-VRF convergence               |

Create a fix script to re-apply all settings. Run it before EVERY testbed operation.
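The procedure calls a fix-configs.sh but never shows one. The script below is an added example of such a script, not the skill's own file. It assumes (the page does not say) that each setting is a one-line `key: value` entry, that STR-ACS-SERV-01 occupies a single line in `veos`, and that the registry key is named `docker_registry_host` (the name used in the gotchas list). It rewrites only the keys from the table and never writes a password value, so re-running it before every testbed operation cannot overwrite the secrets that live in the same group_vars files; a key it cannot find aborts the run with the file untouched.

```shell
#!/usr/bin/env bash
# fix-configs.sh (added example, not the skill's own script): re-apply the
# settings from the table above to a sonic-mgmt ansible/ directory.
# Assumptions, not from the page: each setting is a one-line "key: value"
# entry, STR-ACS-SERV-01 is a single line in `veos`, and the registry key is
# named docker_registry_host. Password values are never written here.
set -euo pipefail

# Rewrite every "KEY: ..." line in FILE to "KEY: VALUE", keeping indentation.
# Fails (and leaves FILE untouched) when KEY is absent, so a restructured
# config file is noticed instead of silently appending to the wrong place.
set_key() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  if awk -v k="$key" -v v="$value" '
      $0 ~ ("^[ \t]*" k ":") {
        match($0, /^[ \t]*/)
        print substr($0, 1, RLENGTH) k ": " v
        n++; next
      }
      { print }
      END { if (!n) exit 1 }' "$file" > "$tmp"; then
    cat "$tmp" > "$file"    # keep the original inode, mode and owner
    rm -f "$tmp"
  else
    rm -f "$tmp"
    echo "fix-configs: key '$key' not found in $file" >&2
    return 1
  fi
}

# Comment out every uncommented line of FILE containing PATTERN
# (idempotent: lines that already start with '#' are skipped).
comment_out() {
  local file=$1 pattern=$2
  sed -i -E "/^[[:space:]]*#/!{/${pattern}/s/^([[:space:]]*)/\1# /;}" "$file"
}

# Drop a trailing :443 from the docker_registry_host value (quoted or not).
strip_443() {
  sed -i -E 's/^([[:space:]]*docker_registry_host:.*):443("?)[[:space:]]*$/\1\2/' "$1"
}

# Apply all settings from the table. ANSIBLE_DIR is the sonic-mgmt ansible/
# checkout, HOST_USER the KVM host account, DUT_USER the sonic-vs build user.
fix_configs() {
  local ansible_dir=$1 host_user=$2 dut_user=$3
  (
    cd "$ansible_dir"
    set_key group_vars/vm_host/creds.yml vm_host_user "$host_user"
    set_key group_vars/all/creds.yml sonic_login "\"$dut_user\""
    set_key group_vars/all/ceos.yml skip_ceos_image_downloading true
    set_key group_vars/vm_host/main.yml max_fp_num 127
    set_key veos_vtb ansible_user "$host_user"
    comment_out veos STR-ACS-SERV-01
    strip_443 vars/docker_registry.yml
    set_key vtestbed.yaml use_converged_peers true
  )
}

# Remove the stale topology backup that makes the converger raise KeyError.
remove_stale_bak() {
  rm -f "$1/vars/topo_$2.yml.bak"
}

# Constructed miniature of the ansible/ tree (not real sonic-mgmt content),
# used to exercise the functions without touching a real checkout.
make_sample_tree() {
  local d=$1
  mkdir -p "$d/group_vars/vm_host" "$d/group_vars/all" "$d/vars"
  printf 'vm_host_user: someone\n' > "$d/group_vars/vm_host/creds.yml"
  printf 'sonic_login: "someone"\nsonic_password: unchanged-placeholder\n' > "$d/group_vars/all/creds.yml"
  printf 'skip_ceos_image_downloading: false\n' > "$d/group_vars/all/ceos.yml"
  printf 'max_fp_num: 4\n' > "$d/group_vars/vm_host/main.yml"
  printf 'all:\n  vars:\n    ansible_user: someone\n' > "$d/veos_vtb"
  printf '[vm_host_1]\nSTR-ACS-SERV-01 ansible_host=10.0.0.1\n' > "$d/veos"
  printf 'docker_registry_host: "registry.example.com:443"\n' > "$d/vars/docker_registry.yml"
  printf -- '- conf-name: vms-kvm-t0\n  use_converged_peers: false\n' > "$d/vtestbed.yaml"
  : > "$d/vars/topo_t0.yml.bak"
}

# Usage: fix-configs.sh ANSIBLE_DIR HOST_USER DUT_USER [TOPO]
if [ $# -ge 3 ]; then
  fix_configs "$1" "$2" "$3"
  if [ $# -ge 4 ]; then remove_stale_bak "$1" "$4"; fi
fi
```

Run it as `bash fix-configs.sh ~/sonic-mgmt/ansible "$USER" <dut_user> <TOPO>` before each testbed-cli.sh call; the optional TOPO argument folds the `rm -f vars/topo_<TOPO>.yml.bak` step into the same command. Because `set_key` only rewrites lines whose key already exists, the `sonic_password` line in the sample tree comes through unchanged, which is the property the scan report asks you to verify in any fix script.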

3. Deploy Topology

# Fix configs + remove stale .bak
bash fix-configs.sh
rm -f vars/topo_<TOPO>.yml.bak

# Inside sonic-mgmt container:
./testbed-cli.sh -t vtestbed.yaml add-topo <TESTBED_NAME> password.txt

Duration: ~15-20 minutes (VM boot + cEOS startup).

4. Post-Deploy DUT Setup

After add-topo, the DUT boots with the build user. The multi_passwd_ssh plugin expects admin:

# SSH to DUT as build user
ssh <build_user>@<DUT_IP>

# Create admin user
sudo useradd -m -s /bin/bash -G sudo,docker admin
echo 'admin:password' | sudo chpasswd
sudo bash -c "echo 'admin ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/admin"

# Fix docker socket
sudo chmod 666 /var/run/docker.sock

5. Deploy Minigraph

# Fix configs + remove .bak AGAIN (they revert!)
bash fix-configs.sh
rm -f vars/topo_<TOPO>.yml.bak

./testbed-cli.sh -t vtestbed.yaml deploy-mg <TESTBED_NAME> veos_vtb password.txt

Duration: ~5-10 minutes.

6. Verify

# Check containers
docker ps | grep -E "ceos|ptf"

# Check BGP (use admin after deploy-mg)
sshpass -p password ssh admin@<DUT_IP> "show ip bgp summary"

Expected BGP state with converged peers:

  • T0: ARISTA01T1 Established (6400 prefixes), ARISTA02-04T1 Active (normal — VRF peers without physical port-channels)
  • T1-LAG: 17/24 sessions up (all T0 + 1 T2 spine; remaining T2 spines Active)

7. Run Tests

cd /data/sonic-mgmt/tests
./run_tests.sh -n <TESTBED_NAME> -d <DUT_NAME> -c <test_path> \
  -f vtestbed.yaml -i ../ansible/veos_vtb

Teardown

bash fix-configs.sh
rm -f vars/topo_<TOPO>.yml.bak
./testbed-cli.sh -t vtestbed.yaml remove-topo <TESTBED_NAME> password.txt

Duration: ~12-15 minutes.

Critical Gotchas

  1. Config files revert during git and testbed operations — run fix script before EVERY command
  2. Remove .bak files before add-topo — stale backups cause KeyError in converger
  3. docker import for cEOS (not docker load)
  4. :443 in docker_registry_host silently hangs docker pulls
  5. max_fp_num: 4 is too low — set to 127
  6. br1 bridge is not persistent across reboots — add netplan config
  7. Non-admin builds: sonic-vs uses the build machine's username, not admin
  8. use_converged_peers: true requires master branch (PR #22399) for auto-convergence

Troubleshooting

See references/troubleshooting.md for detailed diagnosis of common failures.
