From aec41bba8ed6332e4e11ffa85e228aa8831ae3a8 Mon Sep 17 00:00:00 2001 From: jumao Date: Tue, 28 May 2024 20:11:31 -0400 Subject: [PATCH 1/2] Update for the procedures for insertion/hot swap of Switch Fabric Module(SFM) by using "config chassis modules shutdown/startup" commands --- sonic-chassisd/scripts/chassisd | 37 +++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 11 deletions(-) mode change 100644 => 100755 sonic-chassisd/scripts/chassisd diff --git a/sonic-chassisd/scripts/chassisd b/sonic-chassisd/scripts/chassisd old mode 100644 new mode 100755 index 46881ea8b..d78329bd2 --- a/sonic-chassisd/scripts/chassisd +++ b/sonic-chassisd/scripts/chassisd @@ -90,6 +90,7 @@ INVALID_SLOT = ModuleBase.MODULE_INVALID_SLOT INVALID_MODULE_INDEX = -1 INVALID_IP = '0.0.0.0' +CHASSIS_MODULE_ADMIN_STATUS = 'admin_status' MODULE_ADMIN_DOWN = 0 MODULE_ADMIN_UP = 1 @@ -257,8 +258,18 @@ class ModuleUpdater(logger.Logger): if isinstance(fvs, list) and fvs[0] is True: fvs = dict(fvs[-1]) return fvs[CHASSIS_MODULE_INFO_OPERSTATUS_FIELD] - return ModuleBase.MODULE_STATUS_EMPTY - + return ModuleBase.MODULE_STATUS_EMPTY + + def get_module_admin_status(self, chassis_module_name): + config_db = daemon_base.db_connect("CONFIG_DB") + vtable = swsscommon.Table(config_db, CHASSIS_CFG_TABLE) + fvs = vtable.get(chassis_module_name) + if isinstance(fvs, list) and fvs[0] is True: + fvs = dict(fvs[-1]) + return fvs[CHASSIS_MODULE_ADMIN_STATUS] + else: + return 'up' + def module_db_update(self): notOnlineModules = [] 
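Review bot: In the new `get_module_admin_status`, `return fvs[CHASSIS_MODULE_ADMIN_STATUS]` raises `KeyError` when the CONFIG_DB row for the module exists but has no `admin_status` field, and nothing visible in this hunk catches it. `return fvs.get(CHASSIS_MODULE_ADMIN_STATUS, 'up')` would keep the same default the `else` branch already uses. The method also calls `daemon_base.db_connect("CONFIG_DB")` on every invocation. Since `module_db_update` calls it per online module, creating the connection and table once on the instance (presumably in `__init__`, which is outside this hunk) would avoid reconnecting each time. A short docstring should state that the return value is the string `'up'` or `'down'`, not the integer `MODULE_ADMIN_UP`/`MODULE_ADMIN_DOWN` constants defined next to the new key name.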
@@ -317,16 +328,20 @@ class ModuleUpdater(logger.Logger): elif prev_status != ModuleBase.MODULE_STATUS_ONLINE: self.log_notice("Module {} is on-line!".format(key)) - for asic_id, asic in enumerate(module_info_dict[CHASSIS_MODULE_INFO_ASICS]): - asic_global_id, asic_pci_addr = asic - asic_key = "%s%s" % (CHASSIS_ASIC, asic_global_id) - if not self._is_supervisor(): - asic_key = "%s|%s" % (key, asic_key) + module_cfg_status = self.get_module_admin_status(key) + + #Only populate the related tables when the module configure is up + if module_cfg_status != 'down': + for asic_id, asic in enumerate(module_info_dict[CHASSIS_MODULE_INFO_ASICS]): + asic_global_id, asic_pci_addr = asic + asic_key = "%s%s" % (CHASSIS_ASIC, asic_global_id) + if not self._is_supervisor(): + asic_key = "%s|%s" % (key, asic_key) - asic_fvs = swsscommon.FieldValuePairs([(CHASSIS_ASIC_PCI_ADDRESS_FIELD, asic_pci_addr), - (CHASSIS_MODULE_INFO_NAME_FIELD, key), - (CHASSIS_ASIC_ID_IN_MODULE_FIELD, str(asic_id))]) - self.asic_table.set(asic_key, asic_fvs) + asic_fvs = swsscommon.FieldValuePairs([(CHASSIS_ASIC_PCI_ADDRESS_FIELD, asic_pci_addr), + (CHASSIS_MODULE_INFO_NAME_FIELD, key), + (CHASSIS_ASIC_ID_IN_MODULE_FIELD, str(asic_id))]) + self.asic_table.set(asic_key, asic_fvs) # In line card push the hostname of the module and num_asics to the chassis state db. # The hostname is used as key to access chassis app db entries From 0847b4897c4fdeec45961076349b72910cb3de6b Mon Sep 17 00:00:00 2001 
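Review bot: The new guard `if module_cfg_status != 'down':` skips the ASIC table population without logging anything, and it treats every value other than the exact lowercase string as "up". A differently cased or malformed `admin_status` in CONFIG_DB therefore still populates the tables. Consider comparing against a named constant and logging the skip, for example `self.log_notice("Module {} is admin down, not populating asic table".format(key))`. The guard only stops new `self.asic_table.set` calls; whether entries written before the module was shut down get removed is not visible here and is worth confirming, because stale ASIC entries would undercut the shutdown procedure. `module_db_update` starts and continues outside this hunk.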
From: jumao Date: Wed, 29 May 2024 11:36:43 -0400 Subject: [PATCH 2/2] Fix checking error of semgrep ci sonic-chassisd/scripts/chassisd python.lang.security.audit.subprocess-shell-true.subprocess-shell-true Found 'subprocess' function 'Popen' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead. Details: https://sg.run/J92w --- sonic-chassisd/scripts/chassisd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sonic-chassisd/scripts/chassisd b/sonic-chassisd/scripts/chassisd index d78329bd2..8243f784d 100755 --- a/sonic-chassisd/scripts/chassisd +++ b/sonic-chassisd/scripts/chassisd @@ -533,9 +533,9 @@ class ModuleUpdater(logger.Logger): asic = CHASSIS_ASIC+str(asic_id) # Cleanup the chassis app db entries using lua script - redis_cmd = 'redis-cli -h redis_chassis.server -p 6380 -n 12 EVALSHA ' + self.chassis_app_db_clean_sha + ' 0 ' + lc + ' ' + asic + redis_cmd = ['redis-cli', '-h', 'redis_chassis.server', '-p', '6380', '-n', '12', 'EVALSHA', self.chassis_app_db_clean_sha, '0', lc, asic] try: - subp = subprocess.Popen(redis_cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True) + subp = subprocess.Popen(redis_cmd, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True) subp.communicate() self.log_notice("Cleaned up chassis app db entries for {}({})/{}".format(module, lc, asic)) except Exception:
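Review bot: With the argument list in place, the outcome of `redis-cli` is still discarded: `subp.communicate()` drops stdout/stderr and `subp.returncode` is never read. As a result, `self.log_notice("Cleaned up chassis app db entries ...")` is emitted even when the cleanup did not run, for example if the server is unreachable or the script SHA is not loaded. Capture and check the result before logging success, e.g. `out, err = subp.communicate()` then `if subp.returncode != 0 or err: self.log_error("chassis app db cleanup failed: {}".format(err))`. Depending on the redis-cli version an error reply may only show up in stdout, so `out` is worth inspecting as well. `communicate()` is also called without a `timeout=`, so an unresponsive `redis_chassis.server` could block the daemon at this call. The body of the `except Exception:` branch and the rest of the method are outside this hunk.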