[redis] Add redis Group And Grant Read/Write Access to Members (#5289)

sonic-cfggen is now using Unix Domain Socket for Redis DB. The socket is created using root account. Subsequently, services that are started as admin fails to start. This PR creates redis group and add admin user to redis group. It also grants read/write access on redis.sock for redis group members. signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
2020-09-02 23:40:22 -07:00 · 2020-09-02 23:40:22 -07:00 · fdb9d028e9
commit fdb9d028e9
parent dd908c2ee2
2 changed files with 10 additions and 9 deletions
--- a/build_debian.sh
+++ b/build_debian.sh
@ -242,9 +242,12 @@ sudo cp files/docker/docker.service.conf $_
 ## Fix systemd race between docker and containerd
 sudo sed -i '/After=/s/$/ containerd.service/' $FILESYSTEM_ROOT/lib/systemd/system/docker.service

+## Create redis group
+sudo LANG=C chroot $FILESYSTEM_ROOT groupadd -f redis
+
 ## Create default user
-## Note: user should be in the group with the same name, and also in sudo/docker group
-sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
+## Note: user should be in the group with the same name, and also in sudo/docker/redis groups
+sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker,redis $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
 ## Create password for the default user
 echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd

--- a/files/build_templates/docker_image_ctl.j2
+++ b/files/build_templates/docker_image_ctl.j2
@ -131,6 +131,9 @@ function postStartAction()
            /usr/bin/db_migrator.py -o migrate
        fi
    fi
+    # Add redis UDS to the redis group and give read/write access to the group
+    REDIS_SOCK="/var/run/redis${DEV}/redis.sock"
+    chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK
 {%- elif docker_container_name == "swss" %}
    docker exec swss$DEV rm -f /ready   # remove cruft
    if [[ "$BOOT_TYPE" == "fast" ]] && [[ -d /host/fast-reboot ]]; then
@ -354,13 +357,8 @@ NAMESPACE_PREFIX="asic"
 if [ "$DEV" ]; then
    NET_NS="$NAMESPACE_PREFIX$DEV" #name of the network namespace

-    # While using -n (namespace) argument, sonic-cfggen/sonic-db-cli uses redis UNIX socket 
-    # for accessing redis DB in a namespace. This unix socket has permission restrictions since 
-    # it is created by systemd database.servce started with [User] as [root].
-    # sudo is needed here for services which are started by systemd with [User] as [admin]
-    # and needs to override this unix socket permission restrictions.
-    SONIC_CFGGEN="sudo sonic-cfggen -n $NET_NS"
-    SONIC_DB_CLI="sudo sonic-db-cli -n $NET_NS"
+    SONIC_CFGGEN="sonic-cfggen -n $NET_NS"
+    SONIC_DB_CLI="sonic-db-cli -n $NET_NS"
 else
    NET_NS=""
    SONIC_CFGGEN="sonic-cfggen"