Add service to restore TACACS from old config (#7560)

Why I did it In upgrade scenarios, where config_db.json is not carry forwarded to new image, it could be left w/o TACACS credentials. Added a service to trigger 5 minutes after boot and restore TACACS, if /etc/sonic/old_config/tacacs.json is present. How I did it By adding a service, that would fire 5 mins after boot. This service apply tacacs if available. How to verify it Upgrade and watch status of tacacs.timer & tacacs.service You may create /etc/sonic/old_config/tacacs.json, with updated credentials (before 5mins after boot) and see that appears in config & persisted too. Which release branch to backport (provide reason below if selected) 201911 202006 202012
2021-06-03 20:07:17 -07:00 · 2021-06-03 20:07:17 -07:00 · 32e5137ab7
commit 32e5137ab7
parent 1e9cb30008
4 changed files with 44 additions and 1 deletions
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@ -507,6 +507,13 @@ sudo cp $IMAGE_CONFIGS/config-setup/config-setup $FILESYSTEM_ROOT/usr/bin/config
 echo "config-setup.service" | sudo tee -a $GENERATED_SERVICE_FILE
 sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable config-setup.service

+# Add delayed tacacs application service
+sudo cp files/build_templates/tacacs-config.timer $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/
+echo "tacacs-config.timer" | sudo tee -a $GENERATED_SERVICE_FILE
+
+sudo cp files/build_templates/tacacs-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/
+echo "tacacs-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
+
 # Copy config-chassisdb script and service file
 j2 files/build_templates/config-chassisdb.service.j2 | sudo tee $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/config-chassisdb.service
 sudo cp $IMAGE_CONFIGS/config-chassisdb/config-chassisdb $FILESYSTEM_ROOT/usr/bin/config-chassisdb
--- a/files/build_templates/tacacs-config.service
+++ b/files/build_templates/tacacs-config.service
@ -0,0 +1,12 @@
+[Unit]
+Description=TACACS application
+Requires=updategraph.service
+After=updategraph.service
+BindsTo=sonic.target
+After=sonic.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/config-setup apply_tacacs
+RemainAfterExit=yes
+
--- a/files/build_templates/tacacs-config.timer
+++ b/files/build_templates/tacacs-config.timer
@ -0,0 +1,12 @@
+[Unit]
+Description=Delays tacacs apply until SONiC has started
+PartOf=tacacs-config.service
+After=updategraph.service
+
+[Timer]
+OnUnitActiveSec=0 sec
+OnBootSec=5min 30 sec
+Unit=tacacs-config.service
+
+[Install]
+WantedBy=timers.target updategraph.service
--- a/files/image_config/config-setup/config-setup
+++ b/files/image_config/config-setup/config-setup
@ -110,12 +110,19 @@ reload_minigraph()
 {
    echo "Reloading minigraph..."
    config load_minigraph -y -n 
+    config save -y
+}
+
+# Apply tacacs config
+apply_tacacs()
+{
    if [ -r /etc/sonic/old_config/${TACACS_JSON_BACKUP} ]; then
        sonic-cfggen -j /etc/sonic/old_config/${TACACS_JSON_BACKUP} --write-to-db
+        echo "Applied tacacs json to restore tacacs credentials"
+        config save -y
    else
        echo "Missing tacacs json to restore tacacs credentials"
    fi
-    config save -y
 }

 # Reload exisitng config db file on disk
@ -421,4 +428,9 @@ if [ "$CMD" = "backup" ]; then
    do_config_backup
 fi

+# Apply tacacs from old configuration
+if [ "$CMD" = "apply_tacacs" ]; then
+    apply_tacacs
+fi
+
 exit 0