[redis] Add redis Group And Grant Read/Write Access to Members (#5289)

sonic-cfggen now uses a Unix domain socket to reach the Redis DB. The socket
is created by the root account, so services that are started
as admin fail to start. This PR creates a redis group and adds the admin
user to it. It also grants read/write access on redis.sock
to redis group members.

signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
This commit is contained in:
Tamer Ahmed 2020-09-02 23:40:22 -07:00 committed by GitHub
parent dd908c2ee2
commit fdb9d028e9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 9 deletions


@ -242,9 +242,12 @@ sudo cp files/docker/docker.service.conf $_
## Fix systemd race between docker and containerd ## Fix systemd race between docker and containerd
sudo sed -i '/After=/s/$/ containerd.service/' $FILESYSTEM_ROOT/lib/systemd/system/docker.service sudo sed -i '/After=/s/$/ containerd.service/' $FILESYSTEM_ROOT/lib/systemd/system/docker.service
## Create redis group
sudo LANG=C chroot $FILESYSTEM_ROOT groupadd -f redis
## Create default user ## Create default user
## Note: user should be in the group with the same name, and also in sudo/docker group ## Note: user should be in the group with the same name, and also in sudo/docker/redis groups
sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker,redis $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
## Create password for the default user ## Create password for the default user
echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd
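Review bot: The note on the "Create default user" line should say what membership in `redis` actually grants, because after this change anyone in that group gets direct read/write on the SONiC database socket, which (if the socket-bound Redis has no AUTH configured, as appears to be the case here but is not visible in this diff) is unauthenticated control of CONFIG_DB and the other databases. For `$USERNAME` this is not a net escalation since it is already in `sudo` and `docker`, but the group will be granted to other accounts over time, so it should be documented as privileged rather than as a convenience group. I would extend the comment to: `## Note: user should be in the group with the same name, and also in sudo/docker/redis groups; redis grants direct read/write on the SONiC DB socket, so treat it as a privileged group`. Accounts created after image build (for example by remote-auth provisioning) are presumably not covered by this `useradd` and would need the same group added wherever they are created.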


@ -131,6 +131,9 @@ function postStartAction()
/usr/bin/db_migrator.py -o migrate /usr/bin/db_migrator.py -o migrate
fi fi
fi fi
# Add redis UDS to the redis group and give read/write access to the group
REDIS_SOCK="/var/run/redis${DEV}/redis.sock"
chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK
{%- elif docker_container_name == "swss" %} {%- elif docker_container_name == "swss" %}
docker exec swss$DEV rm -f /ready # remove cruft docker exec swss$DEV rm -f /ready # remove cruft
if [[ "$BOOT_TYPE" == "fast" ]] && [[ -d /host/fast-reboot ]]; then if [[ "$BOOT_TYPE" == "fast" ]] && [[ -d /host/fast-reboot ]]; then
@ -354,13 +357,8 @@ NAMESPACE_PREFIX="asic"
if [ "$DEV" ]; then if [ "$DEV" ]; then
NET_NS="$NAMESPACE_PREFIX$DEV" #name of the network namespace NET_NS="$NAMESPACE_PREFIX$DEV" #name of the network namespace
# While using -n (namespace) argument, sonic-cfggen/sonic-db-cli uses redis UNIX socket SONIC_CFGGEN="sonic-cfggen -n $NET_NS"
# for accessing redis DB in a namespace. This unix socket has permission restrictions since SONIC_DB_CLI="sonic-db-cli -n $NET_NS"
# it is created by systemd database.servce started with [User] as [root].
# sudo is needed here for services which are started by systemd with [User] as [admin]
# and needs to override this unix socket permission restrictions.
SONIC_CFGGEN="sudo sonic-cfggen -n $NET_NS"
SONIC_DB_CLI="sudo sonic-db-cli -n $NET_NS"
else else
NET_NS="" NET_NS=""
SONIC_CFGGEN="sonic-cfggen" SONIC_CFGGEN="sonic-cfggen"
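Review bot: In the first hunk of this file, `chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK` silences every failure, so if the socket is not present yet (or `chgrp` fails and `&&` skips the `chmod`) the group grant is silently dropped and the admin-started services fail later with an unrelated-looking EACCES. It also leaves `$REDIS_SOCK` unquoted, and, since the socket is re-created with Redis's own permissions each time the server starts, the fix only holds for starts that go through this `postStartAction` — a Redis restart inside the container by its supervisor would presumably revert the mode until the next container start, which is worth a comment or a follow-up that sets `unixsocketperm` in the Redis config instead. I would check for the socket explicitly, quote the path, and log on failure; `postStartAction()` begins and ends outside this hunk.

```shell
    # Add redis UDS to the redis group and give read/write access to the group.
    # NOTE: only covers the socket created during this container start; a Redis
    # restart inside the container re-creates the socket with Redis's own mode.
    REDIS_SOCK="/var/run/redis${DEV}/redis.sock"
    if [[ -S "$REDIS_SOCK" ]]; then
        chgrp redis "$REDIS_SOCK" && chmod 0760 "$REDIS_SOCK" \
            || echo "warning: failed to grant redis group access on $REDIS_SOCK" >&2
    else
        echo "warning: $REDIS_SOCK not found; redis group members may fail to connect" >&2
    fi
    # … unchanged: swss / other container branches …
```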