Add service to restore TACACS from old config (#7560)
Why I did it In upgrade scenarios, where config_db.json is not carry forwarded to new image, it could be left w/o TACACS credentials. Added a service to trigger 5 minutes after boot and restore TACACS, if /etc/sonic/old_config/tacacs.json is present. How I did it By adding a service, that would fire 5 mins after boot. This service apply tacacs if available. How to verify it Upgrade and watch status of tacacs.timer & tacacs.service You may create /etc/sonic/old_config/tacacs.json, with updated credentials (before 5mins after boot) and see that appears in config & persisted too. Which release branch to backport (provide reason below if selected) 201911 202006 202012
This commit is contained in:
parent
b30cf44b93
commit
73447efc31
@ -527,6 +527,13 @@ sudo cp $IMAGE_CONFIGS/config-setup/config-setup $FILESYSTEM_ROOT/usr/bin/config
|
||||
echo "config-setup.service" | sudo tee -a $GENERATED_SERVICE_FILE
|
||||
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable config-setup.service
|
||||
|
||||
# Add delayed tacacs application service
|
||||
sudo cp files/build_templates/tacacs-config.timer $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/
|
||||
echo "tacacs-config.timer" | sudo tee -a $GENERATED_SERVICE_FILE
|
||||
|
||||
sudo cp files/build_templates/tacacs-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/
|
||||
echo "tacacs-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
|
||||
|
||||
# Copy config-chassisdb script and service file
|
||||
j2 files/build_templates/config-chassisdb.service.j2 | sudo tee $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/config-chassisdb.service
|
||||
sudo cp $IMAGE_CONFIGS/config-chassisdb/config-chassisdb $FILESYSTEM_ROOT/usr/bin/config-chassisdb
|
||||
|
12
files/build_templates/tacacs-config.service
Normal file
12
files/build_templates/tacacs-config.service
Normal file
@ -0,0 +1,12 @@
|
||||
[Unit]
|
||||
Description=TACACS application
|
||||
Requires=updategraph.service
|
||||
After=updategraph.service
|
||||
BindsTo=sonic.target
|
||||
After=sonic.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/config-setup apply_tacacs
|
||||
RemainAfterExit=yes
|
||||
|
12
files/build_templates/tacacs-config.timer
Normal file
12
files/build_templates/tacacs-config.timer
Normal file
@ -0,0 +1,12 @@
|
||||
[Unit]
|
||||
Description=Delays tacacs apply until SONiC has started
|
||||
PartOf=tacacs-config.service
|
||||
After=updategraph.service
|
||||
|
||||
[Timer]
|
||||
OnUnitActiveSec=0 sec
|
||||
OnBootSec=5min 30 sec
|
||||
Unit=tacacs-config.service
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target updategraph.service
|
@ -110,12 +110,19 @@ reload_minigraph()
|
||||
{
|
||||
echo "Reloading minigraph..."
|
||||
config load_minigraph -y -n
|
||||
config save -y
|
||||
}
|
||||
|
||||
# Apply tacacs config
|
||||
apply_tacacs()
|
||||
{
|
||||
if [ -r /etc/sonic/old_config/${TACACS_JSON_BACKUP} ]; then
|
||||
sonic-cfggen -j /etc/sonic/old_config/${TACACS_JSON_BACKUP} --write-to-db
|
||||
echo "Applied tacacs json to restore tacacs credentials"
|
||||
config save -y
|
||||
else
|
||||
echo "Missing tacacs json to restore tacacs credentials"
|
||||
fi
|
||||
config save -y
|
||||
}
|
||||
|
||||
# Reload existing config db file on disk
|
||||
@ -423,4 +430,9 @@ if [ "$CMD" = "backup" ]; then
|
||||
do_config_backup
|
||||
fi
|
||||
|
||||
# Apply tacacs from old configuration
|
||||
if [ "$CMD" = "apply_tacacs" ]; then
|
||||
apply_tacacs
|
||||
fi
|
||||
|
||||
exit 0
|
||||
|
Loading…
Reference in New Issue
Block a user