hostcfgd: Add one shot timer to reload tacacs config from CONFIG-DB #9987

Merged
merged 1 commit into from
Feb 17, 2022

@renukamanavalan renukamanavalan commented Feb 15, 2022

Why I did it

There is a small window between load & listen to config-DB. If TACACS config got updated during that gap, the listen will not show it, hence hostcfgd would miss it, until another update.

How I did it

Porting PR #8223, which uses a one-shot timer to reload the tacacs config.

How to verify it

Copy this binary to a 201811 device and
run config reload & restart of hostcfgd concurrently, multiple times, to see if hostcfgd misses the update or not.

Ran a repeated config reload for testing.
It did succeed.
But it could not really hit the repro, which is kind of expected, as it is very hard to hit the repro in 201811.

[Tweaked code with a log message, that dumps the read value with isTimer to indicate normal load vs via timer]

admin@str-s6000-acs-8:/var/log$ zgrep -i istimer syslog*
syslog:Feb 16 18:53:25.006739 str-s6000-acs-8 INFO hostcfgd: pam.d files updated isTimer=False auth={'login': 'tacacs+', 'failthrough': True} global={'auth_type': 'login', 'timeout': '5', 'passkey': 't*****'}
syslog:Feb 16 18:53:55.707662 str-s6000-acs-8 INFO hostcfgd: pam.d files updated isTimer=True auth={'login': 'tacacs+', 'failthrough': True} global={'auth_type': 'login', 'timeout': '5', 'passkey': 't*****'}
syslog.1:Feb 16 18:29:18.661496 str-s6000-acs-8 INFO hostcfgd: pam.d files updated isTimer=False auth={'login': 'tacacs+', 'failthrough': True} global={'auth_type': 'login', 'timeout': '5', 'passkey': 't*****'}
syslog.1:Feb 16 18:29:49.193510 str-s6000-acs-8 INFO hostcfgd: pam.d files updated isTimer=True auth={'login': 'tacacs+', 'failthrough': True} global={'auth_type': 'login', 'timeout': '5', 'passkey': 't*****'}
syslog.1:Feb 16 18:41:22.170889 str-s6000-acs-8 INFO hostcfgd: pam.d files updated isTimer=False auth={'login': 'tacacs+', 'failthrough': True} global={'auth_type': 'login', 'timeout': '5', 'passkey': 't*****'}
...
admin@str-s6000-acs-8:~$ cat scripts/r.sh 
#! /bin/bash

set -x

for ((i=0; i<10; ++i))
do
    echo "-------------------- $i -----------------------"
    sleep 10m
    sudo config reload -y
    t=$(cat /etc/pam.d/common-auth-sonic  | grep testing123 | wc -l) 
    if [ "$t" -eq "1" ]; then
        echo "Success"
    else
        echo "Failure"
        exit -1
    fi
done


admin@str-s6000-acs-8:~$ 

Which release branch to backport (provide reason below if selected)

This is the backport to 201811

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111

Description for the changelog

Add a one shot timer after load; Reload tacacs config from DB, upon the timer.


@renukamanavalan renukamanavalan merged commit 7910108 into sonic-net:201811 Feb 17, 2022
@renukamanavalan renukamanavalan deleted the hostcfgd_201811 branch February 17, 2022 22:02
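
The load/listen gap described in this PR and the one-shot timer that closes it, as an added Python example that is not hostcfgd's code. `FakeConfigDB`, `AaaDaemon` and `run_race` are hypothetical names, the table values are constructed, and starting the timer when listening begins is an assumption.

```python
import threading

class FakeConfigDB:
    """Constructed stand-in for CONFIG-DB: one table plus change callbacks."""
    def __init__(self, table):
        self.table = dict(table)
        self.subscribers = []

    def read(self):
        return dict(self.table)

    def subscribe(self, callback):
        self.subscribers.append(callback)

    def update(self, key, value):
        self.table[key] = value
        for callback in self.subscribers:  # only current listeners hear this
            callback(key, value)

class AaaDaemon:
    """Hypothetical daemon: load once, then listen (the pattern the PR describes)."""
    def __init__(self, db, reload_delay=None):
        self.db, self.reload_delay = db, reload_delay
        self.applied, self.timer = {}, None
        self.lock = threading.Lock()

    def load(self):
        with self.lock:
            self.applied = self.db.read()

    def on_change(self, key, value):
        with self.lock:
            self.applied[key] = value

    def listen(self):
        self.db.subscribe(self.on_change)
        if self.reload_delay is not None:  # one-shot timer: re-read once, later
            self.timer = threading.Timer(self.reload_delay, self.load)
            self.timer.start()

def run_race(reload_delay):
    """Return (timeout the daemon applied, timeout stored in the DB)."""
    db = FakeConfigDB({"auth_type": "login", "timeout": "5"})
    daemon = AaaDaemon(db, reload_delay)
    daemon.load()
    db.update("timeout", "10")  # update lands between load and listen
    daemon.listen()
    if daemon.timer:
        daemon.timer.join()     # wait for the one-shot reload to fire
    return daemon.applied["timeout"], db.read()["timeout"]
```

Without the timer the daemon keeps enforcing the stale AAA settings until some later update arrives; with it, the applied and stored values converge after one delay.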