From 1bdefd16facd142d1a50a6e0e68a418d1567668d Mon Sep 17 00:00:00 2001
From: Renuka Manavalan <47282725+renukamanavalan@users.noreply.github.com>
Date: Thu, 7 Jan 2021 16:45:38 -0800
Subject: [PATCH] Take a copy of existing TACACS credentials and restore it during upgrade (#6285)

In scenario where upgrade gets config from minigraph, it could miss tacacs credentials as they are not in minigraph. Hence restore explicitly upon load-minigraph, if present.

- Why I did it
Upon boot, when config migration is required, the switch could load config from minigraph. The config-load from minigraph would wipe off TACACS key and disable login via TACACS, which would disable all remote user access. This change would re-configure the TACACS if there is a saved copy available.

- How I did it
When config is loaded from minigraph, look for a TACACS credentials back up (tacacs.json) under /etc/sonic/old_config. If present, load the credentials into running config, before config-save is called.

- How to verify it
Remove /etc/sonic/config_db.json and do an image update. Upon reboot, w/o this change, you would not be able to ssh in as remote user. You may login as admin and check out "show tacacs" & "show aaa" to verify that tacacs-key is missing and login is not enabled for tacacs.

With this change applied, remove /etc/sonic/config_db.json, but save tacacs & aaa credentials as tacacs.json in /etc/sonic/. Upon reboot, you should see remote user access possible.
---
 files/image_config/config-setup/config-setup | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/files/image_config/config-setup/config-setup b/files/image_config/config-setup/config-setup
index 4ed841cd3c..9bb7b33b6b 100755
--- a/files/image_config/config-setup/config-setup
+++ b/files/image_config/config-setup/config-setup
@@ -41,6 +41,8 @@ CONFIG_SETUP_PRE_MIGRATION_FLAG=${CONFIG_SETUP_VAR_DIR}/pending_pre_migration CONFIG_SETUP_POST_MIGRATION_FLAG=${CONFIG_SETUP_VAR_DIR}/pending_post_migration CONFIG_SETUP_INITIALIZATION_FLAG=${CONFIG_SETUP_VAR_DIR}/pending_initialization +TACACS_JSON_BACKUP=tacacs.json + # Command usage and help usage() { @@ -108,6 +110,11 @@ reload_minigraph() { echo "Reloading minigraph..." config load_minigraph -y -n + if [ -r /etc/sonic/old_config/${TACACS_JSON_BACKUP} ]; then + sonic-cfggen -j /etc/sonic/old_config/${TACACS_JSON_BACKUP} --write-to-db + else + echo "Missing tacacs json to restore tacacs credentials" + fi config save -y }
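Review bot: in the first hunk, TACACS_JSON_BACKUP holds only the file name, so the directory /etc/sonic/old_config ends up hard-coded twice in reload_minigraph(). Define the full path once next to the other path variables here, so the readability test and the sonic-cfggen call cannot drift apart, and add a one-line comment stating that this file carries the TACACS key and AAA settings so the next reader knows why it is restored separately.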
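Review bot: in the reload_minigraph() hunk, the exit status of the sonic-cfggen -j ... --write-to-db call is never checked, so a malformed or truncated tacacs.json falls straight through to config save -y and the failed restore is persisted without any error. Test the return code and log a distinct failure message before saving. The [ -r ... ] test also accepts anything readable at that path: since the file holds the TACACS shared key and is written directly into the config DB, check that it is a regular file with root ownership and no group or world access before loading it, and quote the expansion as "/etc/sonic/old_config/${TACACS_JSON_BACKUP}". The else branch prints "Missing tacacs json to restore tacacs credentials" on every minigraph reload, including on devices that never had TACACS configured, so word it as informational. Finally, the commit message's verification step saves the file in /etc/sonic/ while this code reads /etc/sonic/old_config/; document which step copies it there or correct one of the two paths.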