From 3ea38a9788f39a1d8771c880639f36aa6c7126be Mon Sep 17 00:00:00 2001
From: Renuka Manavalan <47282725+renukamanavalan@users.noreply.github.com>
Date: Tue, 15 Jun 2021 10:52:31 -0700
Subject: [PATCH] Add service to restore TACACS from old config (#7560) (#7865)
In upgrade scenarios, where config_db.json is not carry forwarded to new image, it could be left w/o TACACS credentials. Added a service to trigger 5 minutes after boot and restore TACACS, if /etc/sonic/old_config/tacacs.json is present. How I did it By adding a service, that would fire 5 mins after boot. This service apply tacacs if available. How to verify it Upgrade and watch status of tacacs.timer & tacacs.service You may create /etc/sonic/old_config/tacacs.json, with updated credentials (before 5mins after boot) and see that appears in config & persisted too.
---
 files/build_templates/sonic_debian_extension.j2 | 7 +++++++
 files/build_templates/tacacs-config.service | 10 ++++++++++
 files/build_templates/tacacs-config.timer | 12 ++++++++++++
 files/image_config/config-setup/config-setup | 14 +++++++++++++-
 4 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 files/build_templates/tacacs-config.service
 create mode 100644 files/build_templates/tacacs-config.timer
diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
index f008b0c271..8920b4409c 100644
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -334,6 +334,13 @@ sudo cp $IMAGE_CONFIGS/config-setup/config-setup $FILESYSTEM_ROOT/usr/bin/config
 echo "config-setup.service" | sudo tee -a $GENERATED_SERVICE_FILE
 sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable config-setup.service
 
+# Add delayed tacacs application service
+sudo cp files/build_templates/tacacs-config.timer $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/
+echo "tacacs-config.timer" | sudo tee -a $GENERATED_SERVICE_FILE
+
+sudo cp files/build_templates/tacacs-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/
+echo "tacacs-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
+
 # Copy SNMP configuration files
 sudo cp $IMAGE_CONFIGS/snmp/snmp.yml $FILESYSTEM_ROOT/etc/sonic/
 
diff --git a/files/build_templates/tacacs-config.service b/files/build_templates/tacacs-config.service
new file mode 100644
index 0000000000..878ff60338
--- /dev/null
+++ b/files/build_templates/tacacs-config.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TACACS application
+Requires=updategraph.service
+After=updategraph.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/config-setup apply_tacacs
+RemainAfterExit=yes
+
diff --git a/files/build_templates/tacacs-config.timer b/files/build_templates/tacacs-config.timer
new file mode 100644
index 0000000000..28314e06f4
--- /dev/null
+++ b/files/build_templates/tacacs-config.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Delays tacacs apply until SONiC has started
+PartOf=tacacs-config.service
+After=updategraph.service
+
+[Timer]
+OnUnitActiveSec=0 sec
+OnBootSec=5min 30 sec
+Unit=tacacs-config.service
+
+[Install]
+WantedBy=timers.target updategraph.service
diff --git a/files/image_config/config-setup/config-setup b/files/image_config/config-setup/config-setup
index 09c4d448cd..d57c4a6888 100755
--- a/files/image_config/config-setup/config-setup
+++ b/files/image_config/config-setup/config-setup
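Review bot: Nothing in the added lines enables `tacacs-config.timer`: it is copied and appended to `$GENERATED_SERVICE_FILE`, whereas `config-setup.service` in the context just above also gets an explicit `systemctl enable`. Whether the timer is armed at boot therefore depends on whatever consumes `$GENERATED_SERVICE_FILE` honouring the unit's `[Install]` section, which is not visible in this hunk. If that is not guaranteed, add `sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable tacacs-config.timer` after the copy. A timer that never fires would silently leave an upgraded device without its TACACS configuration, which is the case this commit is meant to fix.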
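Review bot: `tacacs-config.service` runs `config-setup apply_tacacs` on every boot, including on devices that have no backup to restore. A `ConditionPathExists=/etc/sonic/old_config/tacacs.json` line in `[Unit]` would let systemd skip the unit in that case and make its status show whether a restore was attempted. That path is taken from the commit description, while the script builds it from `${TACACS_JSON_BACKUP}`, so confirm the two match. `Description=TACACS application` is also vague for a unit that rewrites authentication settings; `Description=Restore TACACS configuration from old_config after upgrade` would read better in `systemctl status` and the journal.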
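Review bot: `OnUnitActiveSec=0 sec` sits next to `OnBootSec=5min 30 sec` in `tacacs-config.timer` with no comment, and its effect is unclear. The service it triggers is a oneshot with `RemainAfterExit=yes`, so it presumably stays active after the first run and this trigger would have nothing to start. Either drop the line or add a comment saying why it is needed. A header comment would also help, e.g. `# Fires once, 5min 30s after boot; until then the device runs without the restored TACACS settings`, since that window matters to anyone reasoning about authentication on a freshly upgraded device.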
@@ -110,12 +110,19 @@ reload_minigraph()
 {
 echo "Reloading minigraph..."
 config load_minigraph -y -n
+ config save -y
+}
+
+# Apply tacacs config
+apply_tacacs()
+{
 if [ -r /etc/sonic/old_config/${TACACS_JSON_BACKUP} ]; then
 sonic-cfggen -j /etc/sonic/old_config/${TACACS_JSON_BACKUP} --write-to-db
+ echo "Applied tacacs json to restore tacacs credentials"
+ config save -y
 else
 echo "Missing tacacs json to restore tacacs credentials"
 fi
- config save -y
 }
 
 # Reload exisitng config db file on disk
@@ -445,4 +452,9 @@ if [ "$CMD" = "backup" ]; then
 do_config_backup
 fi
 
+# Apply tacacs from old configuration
+if [ "$CMD" = "apply_tacacs" ]; then
+ apply_tacacs
+fi
+
 exit 0
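Review bot: In `apply_tacacs` the result of `sonic-cfggen ... --write-to-db` is never checked, so "Applied tacacs json" is printed and `config save -y` runs even when the load failed, persisting whatever is in the running config about five minutes after boot. Gate the echo and the save on the command's exit status, and quote the path, as sketched below. Nothing visible removes or renames the backup once it has been applied, so if `/etc/sonic/old_config` survives reboots the same file would be written back on every boot and could undo a later TACACS key or server change; worth confirming, and if so consuming the file after a successful apply. Because the file holds TACACS credentials and the service sets no `User=` (so it presumably runs as root), checking that it is a regular, root-owned file that is not group- or world-writable before loading it would also be prudent.

```shell
apply_tacacs()
{
    if [ -r "/etc/sonic/old_config/${TACACS_JSON_BACKUP}" ]; then
        # Only report success and persist the config when the load actually worked
        if sonic-cfggen -j "/etc/sonic/old_config/${TACACS_JSON_BACKUP}" --write-to-db; then
            echo "Applied tacacs json to restore tacacs credentials"
            config save -y
        else
            echo "Failed to apply tacacs json; config not saved" >&2
            return 1
        fi
    # … unchanged: else branch reporting the missing tacacs json …
    fi
}
```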
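Review bot: The status of `apply_tacacs` is discarded: the new branch falls through to the unconditional `exit 0`, so `tacacs-config.service` ends up as succeeded even when `config save -y` or the load before it failed. The commit description suggests watching the service status to verify the restore, which only works if failures reach systemd; `apply_tacacs || exit 1` inside the branch would do that. The dispatch chain this branch is appended to starts outside the hunk.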