Add service to restore TACACS from old config (#7560)

Why I did it
In upgrade scenarios where config_db.json is not carried forward to the new image, the device could be left without TACACS credentials.
Added a service that triggers 5 minutes after boot and restores TACACS if /etc/sonic/old_config/tacacs.json is present.

How I did it
By adding a service, that would fire 5 mins after boot.
This service apply tacacs if available.

How to verify it
Upgrade and watch status of tacacs.timer & tacacs.service
You may create /etc/sonic/old_config/tacacs.json, with updated credentials
(before 5mins after boot) and see that appears in config & persisted too.

Which release branch to backport (provide reason below if selected)
 201911
 202006
 202012
Renuka Manavalan 2021-06-03 20:07:17 -07:00 committed by GitHub
parent b30cf44b93
commit 73447efc31
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 44 additions and 1 deletions


@ -527,6 +527,13 @@ sudo cp $IMAGE_CONFIGS/config-setup/config-setup $FILESYSTEM_ROOT/usr/bin/config
echo "config-setup.service" | sudo tee -a $GENERATED_SERVICE_FILE
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable config-setup.service
# Add delayed tacacs application service
sudo cp files/build_templates/tacacs-config.timer $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/
echo "tacacs-config.timer" | sudo tee -a $GENERATED_SERVICE_FILE
sudo cp files/build_templates/tacacs-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/
echo "tacacs-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
# Copy config-chassisdb script and service file
j2 files/build_templates/config-chassisdb.service.j2 | sudo tee $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/config-chassisdb.service
sudo cp $IMAGE_CONFIGS/config-chassisdb/config-chassisdb $FILESYSTEM_ROOT/usr/bin/config-chassisdb


@ -0,0 +1,12 @@
[Unit]
Description=TACACS application
Requires=updategraph.service
After=updategraph.service
BindsTo=sonic.target
After=sonic.target
[Service]
Type=oneshot
ExecStart=/usr/bin/config-setup apply_tacacs
RemainAfterExit=yes
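Review bot: Nothing in this unit says it is meant to be started by tacacs-config.timer rather than enabled directly, so a leading comment such as `# Started by tacacs-config.timer; restores TACACS settings from /etc/sonic/old_config after an upgrade` would help the next reader. With `Type=oneshot` and `RemainAfterExit=yes` the unit stays active after its first run, and because the config-setup dispatcher ends in `exit 0` with no status returned from apply_tacacs, the unit will show success even when the backup was missing or the load failed. Its status alone should therefore not be read as confirmation that credentials were restored; the journal output of the two `echo` messages is the only visible signal.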


@ -0,0 +1,12 @@
[Unit]
Description=Delays tacacs apply until SONiC has started
PartOf=tacacs-config.service
After=updategraph.service
[Timer]
OnUnitActiveSec=0 sec
OnBootSec=5min 30 sec
Unit=tacacs-config.service
[Install]
WantedBy=timers.target updategraph.service
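Review bot: `OnUnitActiveSec=0 sec` sits next to `OnBootSec=5min 30 sec` with no explanation, and its intent is not evident from the unit; either drop it or add a comment saying why a second trigger relative to service activation is wanted. The commit description speaks of 5 minutes while the timer fires at 5 min 30 s, so a comment such as `# Fire once, 5.5 min after boot, to give updategraph time to finish` would keep the two in agreement. `PartOf=tacacs-config.service` on the timer that itself starts that service is also unusual and deserves a one-line rationale.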


@ -110,12 +110,19 @@ reload_minigraph()
{
echo "Reloading minigraph..."
config load_minigraph -y -n
config save -y
}
# Apply tacacs config
apply_tacacs()
{
if [ -r /etc/sonic/old_config/${TACACS_JSON_BACKUP} ]; then
sonic-cfggen -j /etc/sonic/old_config/${TACACS_JSON_BACKUP} --write-to-db
echo "Applied tacacs json to restore tacacs credentials"
config save -y
else
echo "Missing tacacs json to restore tacacs credentials"
fi
config save -y
}
# Reload existing config db file on disk
@ -423,4 +430,9 @@ if [ "$CMD" = "backup" ]; then
do_config_backup
fi
# Apply tacacs from old configuration
if [ "$CMD" = "apply_tacacs" ]; then
apply_tacacs
fi
exit 0
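Review bot: In apply_tacacs the `[ -r … ]` test is the only gate before the JSON is written to the config DB and persisted, and the result of `sonic-cfggen` is not checked before "Applied tacacs json…" is printed and `config save -y` runs. Because this file decides which TACACS server and secret the device will trust, it should be accepted only when it is a regular, root-owned file that is not group- or world-writable, and the save should happen only after a successful load. The `config save -y` after `fi` appears to run on both branches (the +/- markers are not visible on this page, so confirm it is on the new side); if so it persists the running config even when nothing was restored, and the rewrite below drops it. Nothing visible here removes the backup or marks it as consumed, so confirm the timer cannot re-apply old credentials over later operator changes on subsequent boots.

```shell
apply_tacacs()
{
    local tacacs_json="/etc/sonic/old_config/${TACACS_JSON_BACKUP}"

    # Accept only a regular (non-symlink), root-owned file that is not
    # group- or world-writable; find prints the path only if all tests pass.
    if [ -z "$(find "${tacacs_json}" -maxdepth 0 -type f -user root ! -perm /022 2>/dev/null)" ]; then
        echo "Missing or untrusted tacacs json; not restoring tacacs credentials"
        return 0
    fi

    # Persist only when the load into the config DB succeeded.
    if sonic-cfggen -j "${tacacs_json}" --write-to-db; then
        echo "Applied tacacs json to restore tacacs credentials"
        config save -y
    else
        echo "Failed to apply tacacs json" >&2
        return 1
    fi
}
```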