Update sonic-host-services for changes in Python

This fixes 3 issues: * Specify test dependencies under extra_requires * Update the PAM configuration for Bookworm * Break a cyclical dependency between sonic-host-services and sonic-buildimage by moving the contents of src/sonic-host-services-data into sonic-host-services submodule Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-09-07 16:46:11 -07:00 · 2023-09-07 16:46:11 -07:00 · 8ec9672f45
commit 8ec9672f45
parent 675d83066d
32 changed files with 3 additions and 569 deletions
--- a/rules/sonic-host-services-data.dep
+++ b/rules/sonic-host-services-data.dep
@ -1,7 +1,7 @@
 SPATH       := $($(SONIC_HOST_SERVICES_DATA)_SRC_PATH)
 DEP_FILES   := $(SONIC_COMMON_FILES_LIST) rules/sonic-host-services-data.mk rules/sonic-host-services-data.dep
 DEP_FILES   += $(SONIC_COMMON_BASE_FILES_LIST)
-DEP_FILES   += $(shell git ls-files $(SPATH))
+DEP_FILES   += $(addprefix $(SPATH)/,$(shell git -C $(SPATH) ls-files))

 $(SONIC_HOST_SERVICES_DATA)_CACHE_MODE  := GIT_CONTENT_SHA
 $(SONIC_HOST_SERVICES_DATA)_DEP_FLAGS   := $(SONIC_COMMON_FLAGS_LIST)
--- a/rules/sonic-host-services-data.mk
+++ b/rules/sonic-host-services-data.mk
@ -1,5 +1,5 @@
 # SONiC host services data package

 SONIC_HOST_SERVICES_DATA = sonic-host-services-data_1.0-1_all.deb
-$(SONIC_HOST_SERVICES_DATA)_SRC_PATH = $(SRC_PATH)/sonic-host-services-data
+$(SONIC_HOST_SERVICES_DATA)_SRC_PATH = $(SRC_PATH)/sonic-host-services/data
 SONIC_DPKG_DEBS += $(SONIC_HOST_SERVICES_DATA)
--- a/rules/sonic-host-services.dep
+++ b/rules/sonic-host-services.dep
@ -1,7 +1,7 @@
 SPATH       := $($(SONIC_HOST_SERVICES_PY3)_SRC_PATH)
 DEP_FILES   := $(SONIC_COMMON_FILES_LIST) rules/sonic-host-services.mk rules/sonic-host-services.dep
 DEP_FILES   += $(SONIC_COMMON_BASE_FILES_LIST)
-SMDEP_FILES := $(addprefix $(SPATH)/,$(shell cd $(SPATH) && git ls-files))
+SMDEP_FILES := $(addprefix $(SPATH)/,$(shell git -C $(SPATH) ls-files | grep -v ^data))

 $(SONIC_HOST_SERVICES_PY3)_CACHE_MODE  := GIT_CONTENT_SHA
 $(SONIC_HOST_SERVICES_PY3)_DEP_FLAGS   := $(SONIC_COMMON_FLAGS_LIST)
--- a/src/sonic-host-services-data/.gitignore
+++ b/src/sonic-host-services-data/.gitignore
@ -1,6 +0,0 @@
-debian/*.debhelper
-debian/debhelper-build-stamp
-debian/sonic-host-services-data/
-sonic-host-services-data_*.buildinfo
-sonic-host-services-data_*.changes
-sonic-host-services-data_*.deb
--- a/src/sonic-host-services-data/MAINTAINERS
+++ b/src/sonic-host-services-data/MAINTAINERS
@ -1,7 +0,0 @@
-# This file describes the maintainers for sonic-host-services-data
-# See the SONiC project governance document for more information
-
-Name = "Joe LeVeque"
-Email = "jolevequ@microsoft.com"
-Github = jleveque
-Mailinglist = sonicproject@googlegroups.com
--- a/src/sonic-host-services-data/README.md
+++ b/src/sonic-host-services-data/README.md
@ -1,19 +0,0 @@
-# sonic-host-services-data
-Data files required for SONiC host services
-
-
-## To build
-
-```
-dpkg-buildpackage -rfakeroot -b -us -uc
-```
-
-## To clean
-
-```
-dpkg-buildpackage -rfakeroot -Tclean
-```
-
---
-
-See the [SONiC Website](https://sonic-net.github.io/SONiC/) for more information about the SONiC project.
--- a/src/sonic-host-services-data/debian/changelog
+++ b/src/sonic-host-services-data/debian/changelog
@ -1,5 +0,0 @@
-sonic-host-services-data (1.0-1) UNRELEASED; urgency=low
-
-  * Initial release
-
- -- Joe LeVeque <jolevequ@microsoft.com>  Tue, 20 Oct 2020 02:35:43 +0000
--- a/src/sonic-host-services-data/debian/compat
+++ b/src/sonic-host-services-data/debian/compat
@ -1 +0,0 @@
-11
--- a/src/sonic-host-services-data/debian/control
+++ b/src/sonic-host-services-data/debian/control
@ -1,11 +0,0 @@
-Source: sonic-host-services-data
-Maintainer: Joe LeVeque <jolevequ@microsoft.com>
-Section: misc
-Priority: optional
-Standards-Version: 0.1
-Build-Depends: debhelper (>=11)
-
-Package: sonic-host-services-data
-Architecture: all
-Depends: ${misc:Depends}
-Description: Data files required for SONiC host services
--- a/src/sonic-host-services-data/debian/copyright
+++ b/src/sonic-host-services-data/debian/copyright
--- a/src/sonic-host-services-data/debian/install
+++ b/src/sonic-host-services-data/debian/install
@ -1,2 +0,0 @@
-templates/*.j2    /usr/share/sonic/templates/
-org.sonic.hostservice.conf /etc/dbus-1/system.d
--- a/src/sonic-host-services-data/debian/rules
+++ b/src/sonic-host-services-data/debian/rules
@ -1,24 +0,0 @@
-#!/usr/bin/make -f
-
-ifeq (${ENABLE_HOST_SERVICE_ON_START}, y)
-	HOST_SERVICE_OPTS := --no-start
-else
-	HOST_SERVICE_OPTS := --no-start --no-enable
-endif
-
-
-build:
-
-%:
-	dh $@
-
-override_dh_installsystemd:
-	dh_installsystemd --no-start --name=caclmgrd
-	dh_installsystemd --no-start --name=hostcfgd
-	dh_installsystemd --no-start --name=featured
-	dh_installsystemd --no-start --name=aaastatsd
-	dh_installsystemd --no-start --name=procdockerstatsd
-	dh_installsystemd --no-start --name=determine-reboot-cause
-	dh_installsystemd --no-start --name=process-reboot-cause
-	dh_installsystemd $(HOST_SERVICE_OPTS) --name=sonic-hostservice
-
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.aaastatsd.service
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.aaastatsd.service
@ -1,14 +0,0 @@
-[Unit]
-Description=AAA Statistics Collection daemon
-Requires=hostcfgd.service
-After=hostcfgd.service updategraph.service
-BindsTo=sonic.target
-After=sonic.target
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/aaastatsd
-Restart=on-failure
-RestartSec=10
-TimeoutStopSec=3
-
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.aaastatsd.timer
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.aaastatsd.timer
@ -1,12 +0,0 @@
-[Unit]
-Description=Delays aaastatsd daemon until SONiC has started
-PartOf=aaastatsd.service
-
-[Timer]
-OnUnitActiveSec=0 sec
-OnBootSec=1min 30 sec
-Unit=aaastatsd.service
-
-[Install]
-WantedBy=timers.target sonic.target
-
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.caclmgrd.service
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.caclmgrd.service
@ -1,15 +0,0 @@
-[Unit]
-Description=Control Plane ACL configuration daemon
-Requires=updategraph.service
-After=updategraph.service
-BindsTo=sonic.target
-After=sonic.target
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/caclmgrd
-Restart=always
-RestartSec=30
-
-[Install]
-WantedBy=sonic.target
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.determine-reboot-cause.service
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.determine-reboot-cause.service
@ -1,12 +0,0 @@
-[Unit]
-Description=Reboot cause determination service
-Requires=rc-local.service database.service
-After=rc-local.service database.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/local/bin/determine-reboot-cause
-
-[Install]
-WantedBy=multi-user.target
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.featured.service
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.featured.service
@ -1,10 +0,0 @@
-[Unit]
-Description=Feature configuration daemon
-Requires=updategraph.service
-After=updategraph.service
-BindsTo=sonic.target
-After=sonic.target
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/featured
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.featured.timer
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.featured.timer
@ -1,12 +0,0 @@
-[Unit]
-Description=Delays feature daemon until SONiC has started
-PartOf=featured.service
-
-[Timer]
-OnUnitActiveSec=0 sec
-OnBootSec=1min 30 sec
-Unit=featured.service
-
-[Install]
-WantedBy=timers.target sonic.target
-
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.hostcfgd.service
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.hostcfgd.service
@ -1,11 +0,0 @@
-[Unit]
-Description=Host config enforcer daemon
-Requires=updategraph.service
-After=updategraph.service
-BindsTo=sonic.target
-After=sonic.target
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/hostcfgd
-
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.hostcfgd.timer
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.hostcfgd.timer
@ -1,12 +0,0 @@
-[Unit]
-Description=Delays hostcfgd daemon until SONiC has started
-PartOf=hostcfgd.service
-
-[Timer]
-OnUnitActiveSec=0 sec
-OnBootSec=1min 30 sec
-Unit=hostcfgd.service
-
-[Install]
-WantedBy=timers.target sonic.target
-
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.procdockerstatsd.service
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.procdockerstatsd.service
@ -1,14 +0,0 @@
-[Unit]
-Description=Process and docker CPU/memory utilization data export daemon
-Requires=database.service updategraph.service
-After=database.service updategraph.service
-BindsTo=sonic.target
-After=sonic.target
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/procdockerstatsd
-Restart=always
-
-[Install]
-WantedBy=sonic.target
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.process-reboot-cause.service
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.process-reboot-cause.service
@ -1,8 +0,0 @@
-[Unit]
-Description=Retrieve the reboot cause from the history files and save them to StateDB
-Requires=database.service determine-reboot-cause.service
-After=database.service determine-reboot-cause.service
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/process-reboot-cause
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.process-reboot-cause.timer
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.process-reboot-cause.timer
@ -1,9 +0,0 @@
-[Unit]
-Description=Delays process-reboot-cause until network is stably connected
-
-[Timer]
-OnBootSec=1min 30 sec
-Unit=process-reboot-cause.service
-
-[Install]
-WantedBy=timers.target
--- a/src/sonic-host-services-data/debian/sonic-host-services-data.sonic-hostservice.service
+++ b/src/sonic-host-services-data/debian/sonic-host-services-data.sonic-hostservice.service
@ -1,16 +0,0 @@
-[Unit]
-Description=SONiC Host Service
-
-[Service]
-Type=dbus
-BusName=org.SONiC.HostService
-
-ExecStart=/usr/bin/python3 -u /usr/local/bin/sonic-host-server
-
-Restart=on-failure
-RestartSec=10
-TimeoutStopSec=3
-
-[Install]
-WantedBy=mgmt-framework.service telemetry.service
-
--- a/src/sonic-host-services-data/org.sonic.hostservice.conf
+++ b/src/sonic-host-services-data/org.sonic.hostservice.conf
@ -1,18 +0,0 @@
-<!DOCTYPE busconfig PUBLIC
- "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-
-  <!-- Only root can own the bus -->
-
-  <policy user="root">
-    <allow own_prefix="org.SONiC.HostService"/>
-  </policy>
-
-  <!-- Allow user "root" to invoke methods on the bus -->
-  <policy user="root">
-    <allow send_destination="org.SONiC.HostService"/>
-    <allow receive_sender="org.SONiC.HostService"/>
-  </policy>
-
-</busconfig>
--- a/src/sonic-host-services-data/templates/common-auth-sonic.j2
+++ b/src/sonic-host-services-data/templates/common-auth-sonic.j2
@ -1,83 +0,0 @@
-#THIS IS AN AUTO-GENERATED FILE
-#
-# /etc/pam.d/common-auth- authentication settings common to all services
-# This file is included from other service-specific PAM config files,
-# and should contain a list of the authentication modules that define
-# the central authentication scheme for use on the system
-# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
-# traditional Unix authentication mechanisms.
-#
-# here are the per-package modules (the "Primary" block)
-
-{% if auth['login'] == 'local' %}
-auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
-
-{% elif auth['login'] == 'local,tacacs+' %}
-auth	[success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}]	pam_unix.so nullok try_first_pass
-{% for server in servers | sub(0, -1) %}
-auth	[success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}]	pam_tacplus.so server={{ server.ip }}:{{ server.tcp_port }} secret={{ server.passkey }} login={{ server.auth_type }} timeout={{ server.timeout }} {% if server.vrf %} vrf={{ server.vrf }} {% endif %} {{ 'source_ip=%s' % src_ip if src_ip }} try_first_pass
-{% endfor %}
-{% if servers | count %}
-{% set last_server = servers | last %}
-auth	[success=1 default=ignore]	pam_tacplus.so server={{ last_server.ip }}:{{ last_server.tcp_port }} secret={{ last_server.passkey }} login={{ last_server.auth_type }} timeout={{ last_server.timeout }} {% if last_server.vrf %} vrf={{ last_server.vrf }} {% endif %} {{ 'source_ip=%s' % src_ip if src_ip }} try_first_pass
-
-{% endif %}
-{% elif auth['login'] == 'tacacs+' or auth['login'] == 'tacacs+,local' %}
-{% for server in servers %}
-auth	[success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}]	pam_tacplus.so server={{ server.ip }}:{{ server.tcp_port }} secret={{ server.passkey }} login={{ server.auth_type }} timeout={{ server.timeout }} {%if server.vrf %} vrf={{ server.vrf }} {% endif %} {{ 'source_ip=%s' % src_ip if src_ip }} try_first_pass
-{% endfor %}
-auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
-
-{% elif auth['login'] == 'local,radius' %}
-auth	[success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die maxtries=die' if not auth['failthrough'] }}]	pam_unix.so nullok try_first_pass
-# For the RADIUS servers, on success jump to the cacheing the MPL(Privilege)
-{% for server in servers %}
-auth	[success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}]	pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass
-{% endfor %}
-auth	requisite	pam_deny.so
-# Cache MPL(Privilege)
-auth	[success=1 default=ignore]	pam_exec.so /usr/sbin/cache_radius
-
-{% elif auth['login'] == 'radius,local' %}
-# root user can only be authenticated locally. Jump to local.
-{% if servers | count %}
-auth	[success={{ (servers | count) }} default=ignore]	pam_succeed_if.so user = root
-{% else %}
-auth	[success=ok default=ignore]	pam_succeed_if.so user = root
-{% endif %}
-# For the RADIUS servers, on success jump to the cache the MPL(Privilege)
-{% for server in servers %}
-auth	[success={{ (servers | count) + 1 - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}]	pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass
-{% endfor %}
-# Local
-auth	[success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die maxtries=die' if not auth['failthrough'] }}]	pam_unix.so nullok try_first_pass
-auth	requisite	pam_deny.so
-# Cache MPL(Privilege)
-auth	[success=1 default=ignore]	pam_exec.so /usr/sbin/cache_radius
-
-{% elif auth['login'] == 'radius' %}
-# root user can only be authenticated locally. Jump to local.
-auth	[success={{ (servers | count) + 2 }} default=ignore]	pam_succeed_if.so user = root
-# For the RADIUS servers, on success jump to the cache the MPL(Privilege)
-{% for server in servers %}
-auth	[success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}]	pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass
-{% endfor %}
-auth	requisite	pam_deny.so
-# Cache MPL(Privilege)
-auth	[success=2 default=ignore]	pam_exec.so /usr/sbin/cache_radius
-# Local
-auth	[success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die maxtries=die' if not auth['failthrough'] }}]	pam_unix.so nullok try_first_pass
-
-{% else %}
-auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
-
-{% endif %}
-#
-# here's the fallback if no module succeeds
-auth    requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth    required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-
--- a/src/sonic-host-services-data/templates/common-password.j2
+++ b/src/sonic-host-services-data/templates/common-password.j2
@ -1,43 +0,0 @@
-#THIS IS AN AUTO-GENERATED FILE
-#
-# /etc/pam.d/common-password - password-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define the services to be
-# used to change user passwords.  The default is pam_unix.
-
-# Explanation of pam_unix options:
-# The "yescrypt" option enables
-#hashed passwords using the yescrypt algorithm, introduced in Debian
-#11.  Without this option, the default is Unix crypt.  Prior releases
-#used the option "sha512"; if a shadow password hash will be shared
-#between Debian 11 and older releases replace "yescrypt" with "sha512"
-#for compatibility .  The "obscure" option replaces the old
-#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
-#for other options.
-
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-
-{% if passw_policies %}
-{% if passw_policies['state'] == 'enabled' %}
-password    requisite      pam_cracklib.so retry=3 maxrepeat=0 {% if passw_policies['len_min'] %}minlen={{passw_policies['len_min']}}{% endif %} {% if passw_policies['upper_class'] %}ucredit=-1{% else %}ucredit=0{% endif %} {% if passw_policies['lower_class'] %}lcredit=-1{% else %}lcredit=0{% endif %} {% if passw_policies['digits_class'] %}dcredit=-1{% else %}dcredit=0{% endif %} {% if passw_policies['special_class'] %}ocredit=-1{% else %}ocredit=0{% endif %} {% if passw_policies['reject_user_passw_match'] %}reject_username{% endif %} enforce_for_root
-
-password    required       pam_pwhistory.so {% if passw_policies['history_cnt'] %}remember={{passw_policies['history_cnt']}}{% endif %} use_authtok enforce_for_root
-{% endif %}
-{% endif %}
-
-password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
-# here's the fallback if no module succeeds
-password    requisite            pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password    required            pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
--- a/src/sonic-host-services-data/templates/limits.conf.j2
+++ b/src/sonic-host-services-data/templates/limits.conf.j2
@ -1,69 +0,0 @@
-# /etc/security/limits.conf
-#
-# This file generate by j2 template file: src/sonic-host-services-data/templates/limits.conf.j2
-#
-# Each line describes a limit for a user in the form:
-#
-# <domain>        <type>  <item>  <value>
-#
-# Where:
-# <domain> can be:
-#        - a user name
-#        - a group name, with @group syntax
-#        - the wildcard *, for default entry
-#        - the wildcard %, can be also used with %group syntax,
-#                 for maxlogin limit
-#        - NOTE: group and wildcard limits are not applied to root.
-#          To apply a limit to the root user, <domain> must be
-#          the literal username root.
-#
-# <type> can have the two values:
-#        - "soft" for enforcing the soft limits
-#        - "hard" for enforcing hard limits
-#
-# <item> can be one of the following:
-#        - core - limits the core file size (KB)
-#        - data - max data size (KB)
-#        - fsize - maximum filesize (KB)
-#        - memlock - max locked-in-memory address space (KB)
-#        - nofile - max number of open file descriptors
-#        - rss - max resident set size (KB)
-#        - stack - max stack size (KB)
-#        - cpu - max CPU time (MIN)
-#        - nproc - max number of processes
-#        - as - address space limit (KB)
-#        - maxlogins - max number of logins for this user
-#        - maxsyslogins - max number of logins on the system
-#        - priority - the priority to run user process with
-#        - locks - max number of file locks the user can hold
-#        - sigpending - max number of pending signals
-#        - msgqueue - max memory used by POSIX message queues (bytes)
-#        - nice - max nice priority allowed to raise to values: [-20, 19]
-#        - rtprio - max realtime priority
-#        - chroot - change root to directory (Debian-specific)
-#
-#
-# <value> is related with <item>:
-#          All items support the values -1, unlimited or infinity indicating
-#          no limit, except for priority and nice.
-#
-#          If a hard limit or soft limit of a resource is set to a valid value,
-#          but outside of the supported range of the local system, the system
-#          may reject the new limit or unexpected behavior may occur. If the
-#          control value required is used, the module will reject the login if
-#          a limit could not be set.
-#
-# <domain>      <type>  <item>         <value>
-#
-
-# *               soft    core            0
-# root            hard    core            100000
-# *               hard    rss             10000
-# @student        hard    nproc           20
-# @faculty        soft    nproc           20
-# @faculty        hard    nproc           50
-# ftp             hard    nproc           0
-# ftp             -       chroot          /ftp
-# @student        -       maxlogins       4
-
-# End of file
--- a/src/sonic-host-services-data/templates/pam_limits.j2
+++ b/src/sonic-host-services-data/templates/pam_limits.j2
@ -1,12 +0,0 @@
-#THIS IS AN AUTO-GENERATED FILE
-#
-# This file generate by j2 template file: src/sonic-host-services-data/templates/pam_limits.j2
-#
-# /etc/pam.d/pam-limits settings common to all services
-# This file is included from other service-specific PAM config files,
-# and should contain a list of the authentication modules that define
-# the central authentication scheme for use on the system
-# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
-# traditional Unix authentication mechanisms.
-#
-# here are the per-package modules (the "Primary" block)
--- a/src/sonic-host-services-data/templates/pam_radius_auth.conf.j2
+++ b/src/sonic-host-services-data/templates/pam_radius_auth.conf.j2
@ -1,3 +0,0 @@
-# server[:port]      shared_secret    timeout(s)    source_ip     vrf
-[{{ server.ip }}]:{{ server.auth_port }}  {{ server.passkey }}  {{ server.timeout }} {% if server.src_ip %}  {{ server.src_ip }}  {% endif %} {% if server.vrf %} {% if not server.src_ip %} - {% endif %} {{ server.vrf }}{% endif %}
-
--- a/src/sonic-host-services-data/templates/radius_nss.conf.j2
+++ b/src/sonic-host-services-data/templates/radius_nss.conf.j2
@ -1,58 +0,0 @@
-#THIS IS AN AUTO-GENERATED FILE
-# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2
-# RADIUS NSS Configuration File
-#
-# Debug: on|off|trace
-# Default: off
-#
-# debug=on
-{% if debug %}
-debug=on
-{% endif %}
-
-#
-# User Privilege:
-# Default:
-# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
-# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
-
-# Eg:
-# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell
-# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell
-# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell
-#
-
-# many_to_one:
-#   y: Map RADIUS users to one local user per privilege.
-#   n: Create local user account on first successful authentication.
-# Default: n
-#
-
-# Eg:
-# many_to_one=y
-#
-
-# unconfirmed_disallow:
-#   y: Do not allow unconfirmed users (users created before authentication)
-#   n: Allow unconfirmed users.
-# Default: n
-
-# Eg:
-# unconfirmed_disallow=y
-#
-
-# unconfirmed_ageout:
-#   <seconds>: Wait time before purging unconfirmed users
-# Default: 600
-#
-
-# Eg:
-# unconfirmed_ageout=900
-#
-
-# unconfirmed_regexp:
-#   <regexp>: The RE to match the command line of processes for which the
-#             creation of unconfirmed users are to be allowed.
-# Default: (.*: <user> \[priv\])|(.*: \[accepted\])
-#   where: <user> is the unconfirmed user.
-#
--- a/src/sonic-host-services-data/templates/tacplus_nss.conf.j2
+++ b/src/sonic-host-services-data/templates/tacplus_nss.conf.j2
@ -1,60 +0,0 @@
-# Configuration for libnss-tacplus
-
-# debug - If you want to open debug log, set it on
-# Default: off
-# debug=on
-{% if debug %}
-debug=on
-{% endif %}
-
-# local_accounting - If you want to local accounting, set it
-# Default: None
-# local_accounting
-{% if local_accounting %}
-local_accounting
-{% endif %}
-
-# tacacs_accounting - If you want to tacacs+ accounting, set it
-# Default: None
-# tacacs_accounting
-{% if tacacs_accounting %}
-tacacs_accounting
-{% endif %}
-
-# local_authorization - If you want to local authorization, set it
-# Default: None
-# local_authorization
-{% if local_authorization %}
-local_authorization
-{% endif %}
-
-# tacacs_authorization - If you want to tacacs+ authorization, set it
-# Default: None
-# tacacs_authorization
-{% if tacacs_authorization %}
-tacacs_authorization
-{% endif %}
-
-# src_ip - set source address of TACACS+ protocol packets
-# Default: None (auto source ip address)
-# src_ip=2.2.2.2
-{% if src_ip %}
-src_ip={{ src_ip }}
-{% endif %}
-
-# server - set ip address, tcp port, secret string and timeout for TACACS+ servers
-# Default: None (no TACACS+ server)
-# server=1.1.1.1:49,secret=test,timeout=3
-{% for server in servers %}
-server={{ server.ip }}:{{ server.tcp_port }},secret={{ server.passkey }},timeout={{ server.timeout }}{% if server.vrf %},vrf={{ server.vrf }}{% endif %}{{''}}
-{% endfor %}
-
-# user_priv - set the map between TACACS+ user privilege and local user's passwd
-# Default:
-# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash
-# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash
-
-# many_to_one - create one local user for many TACACS+ users which has the same privilege
-# Default: many_to_one=n
-# many_to_one=y
-