diff --git a/build_debian.sh b/build_debian.sh
index a2b762d4db..5c00a2c939 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -233,9 +233,12 @@ sudo cp files/docker/docker.service.conf $_
 ## Fix systemd race between docker and containerd
 sudo sed -i '/After=/s/$/ containerd.service/' $FILESYSTEM_ROOT/lib/systemd/system/docker.service
+## Create redis group
+sudo LANG=C chroot $FILESYSTEM_ROOT groupadd -f redis
+
 ## Create default user
-## Note: user should be in the group with the same name, and also in sudo/docker group
-sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
+## Note: user should be in the group with the same name, and also in sudo/docker/redis groups
+sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker,redis $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
 ## Create password for the default user
 echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd
diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
index b844fb72b7..ed5954635c 100644
--- a/files/build_templates/docker_image_ctl.j2
+++ b/files/build_templates/docker_image_ctl.j2
@@ -131,6 +131,9 @@ function postStartAction()
 /usr/bin/db_migrator.py -o migrate
 fi
 fi
+ # Add redis UDS to the redis group and give read/write access to the group
+ REDIS_SOCK="/var/run/redis${DEV}/redis.sock"
+ chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK
 {%- elif docker_container_name == "swss" %}
 docker exec swss$DEV rm -f /ready # remove cruft
 if [[ "$BOOT_TYPE" == "fast" ]] && [[ -d /host/fast-reboot ]]; then
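Review bot: The comment added above `groupadd -f redis` in build_debian.sh says what is created but not what membership grants, which is the security-relevant part. With the socket made group read/write in docker_image_ctl.j2 and `sudo` dropped from the namespace commands, any member of `redis` can reach the database socket directly. I would extend the comment to `## Create redis group; members get read/write access to the redis unix socket without sudo`, so that later additions to `-G sudo,docker,redis` are made knowingly.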
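Review bot: In the postStartAction hunk of docker_image_ctl.j2, `chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK` hides every failure. `-f` silences both commands and a failed `chgrp` skips the `chmod`, so a missing group or a socket that is not there yet leaves the old permissions in place with nothing logged. Because the later hunk drops `sudo` from the namespace commands, that failure would only surface as permission errors in other services. I would quote the path and report the failure, e.g. `if ! chgrp redis "$REDIS_SOCK" || ! chmod 0660 "$REDIS_SOCK"; then echo "cannot set group access on $REDIS_SOCK" >&2; fi`; 0660 is suggested because the owner execute bit in 0760 has no apparent use on a socket. Whether the socket is guaranteed to exist at this point depends on code above the hunk, which is not visible here.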
@@ -354,13 +357,8 @@ NAMESPACE_PREFIX="asic"
 if [ "$DEV" ]; then
 NET_NS="$NAMESPACE_PREFIX$DEV" #name of the network namespace
- # While using -n (namespace) argument, sonic-cfggen/sonic-db-cli uses redis UNIX socket
- # for accessing redis DB in a namespace. This unix socket has permission restrictions since
- # it is created by systemd database.servce started with [User] as [root].
- # sudo is needed here for services which are started by systemd with [User] as [admin]
- # and needs to override this unix socket permission restrictions.
- SONIC_CFGGEN="sudo sonic-cfggen -n $NET_NS"
- SONIC_DB_CLI="sudo sonic-db-cli -n $NET_NS"
+ SONIC_CFGGEN="sonic-cfggen -n $NET_NS"
+ SONIC_DB_CLI="sonic-db-cli -n $NET_NS"
 else
 NET_NS=""
 SONIC_CFGGEN="sonic-cfggen"
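Review bot: The new `SONIC_CFGGEN="sonic-cfggen -n $NET_NS"` and `SONIC_DB_CLI="sonic-db-cli -n $NET_NS"` lines have no comment replacing the removed block that explained why `sudo` was needed, so the new precondition is undocumented. The caller must now be in the `redis` group, and the socket's group and mode must already have been set by postStartAction. I would add above them `# No sudo: the redis unix socket is group-accessible to "redis"; the calling user must be a member of that group.` Presumably any account outside that group that used to work through `sudo` now gets a permission error on the socket, and these calls no longer appear in sudo's log; both are worth confirming for services not run as the default user. The `if`/`else` this hunk edits continues past the last visible line.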