[database] make Redis process run as non-root user (#16326)

Why I did it
Running the Redis server as the "root" user is not recommended. It is suggested that the server should be operated by a non-privileged user.

Work item tracking
Microsoft ADO (number only): 15895240

How I did it
Ensure the Redis process is operating under the 'redis' user in supervisord and make the redis user own REDIS_DIR inside the db container.

How to verify it
Built a new image, verified the redis process is running as the 'redis' user and all containers are up.

Signed-off-by: Mai Bui <maibui@microsoft.com>
This commit is contained in:
Mai Bui 2023-09-02 02:03:15 -04:00 committed by GitHub
parent 84cfc3bc69
commit ff5f46955c
2 changed files with 3 additions and 0 deletions
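The "How to verify it" step above is done by eye. As an added example (not part of this commit or of the SONiC tree), the shell helpers below turn that check into something scriptable: `check_redis_user` scans `ps -eo user=,pid=,comm=` output for any `redis-server` still owned by root, and `check_dir_owner` confirms the data directory ended up owned by the expected user. The helper names and the sample process lists are constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code: verify the outcome of the "run redis as
# non-root" change inside the database container.

# check_redis_user "<ps output>"
#   $1 is text in "USER PID COMM" form, one process per line, as produced by
#   `ps -eo user=,pid=,comm=`. Returns 0 when no redis-server runs as root,
#   1 otherwise (and prints the offending pids).
check_redis_user() {
    offenders=$(printf '%s\n' "$1" | awk '$3 == "redis-server" && $1 == "root" { print $2 }')
    if [ -n "$offenders" ]; then
        echo "redis-server running as root, pid(s): $offenders"
        return 1
    fi
    return 0
}

# check_dir_owner <dir> <user>
#   Returns 0 when <dir> is owned by <user>, 1 otherwise. Uses `ls -ld`
#   rather than `stat -c` so it also works on busybox and BSD userlands.
check_dir_owner() {
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    if [ "$owner" != "$2" ]; then
        echo "$1 is owned by $owner, expected $2"
        return 1
    fi
    return 0
}

# Live usage inside the database container (REDIS_DIR is the variable the
# entrypoint chowns; its value is whatever the image sets):
#   check_redis_user "$(ps -eo user=,pid=,comm=)" && check_dir_owner "$REDIS_DIR" redis

# Constructed samples: one instance already fixed, one still root.
SAMPLE_BAD='redis 120 redis-server
root 130 redis-server
root 1 supervisord'
SAMPLE_OK='redis 120 redis-server
redis 130 redis-server
root 1 supervisord'
```

Run it from the host with `docker exec database sh -c '...'` after the image is built; a non-zero exit from either helper is the "verify it" step failing.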

View File

@ -99,4 +99,6 @@ TZ=$(cat /etc/timezone)
rm -rf /etc/localtime
ln -sf /usr/share/zoneinfo/$TZ /etc/localtime
chown -R redis:redis $REDIS_DIR
exec /usr/local/bin/supervisord
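Review bot: `chown -R redis:redis $REDIS_DIR` leaves `$REDIS_DIR` unquoted and unchecked; if the variable is empty or unset the chown fails with a missing-operand error, but the script still reaches `exec /usr/local/bin/supervisord` and redis-server is then started as the redis user on a directory it does not own. Suggest failing fast before the chown, e.g. `: "${REDIS_DIR:?REDIS_DIR not set}"` and then `chown -R redis:redis "$REDIS_DIR"`, so a misconfigured image stops at the entrypoint instead of producing a redis instance that cannot write its dump.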

View File

@ -38,6 +38,7 @@ dependent_startup=true
{%- endif -%}
command=/bin/bash -c "{ [[ -s /var/lib/{{ redis_inst }}/dump.rdb ]] || rm -f /var/lib/{{ redis_inst }}/dump.rdb; } && mkdir -p /var/lib/{{ redis_inst }} && exec /usr/bin/redis-server /etc/redis/redis.conf --bind {{ LOOPBACK_IP }} {{ redis_items['hostname'] }} --port {{ redis_items['port'] }} --unixsocket {{ redis_items['unix_socket_path'] }} --pidfile /var/run/redis/{{ redis_inst }}.pid --dir /var/lib/{{ redis_inst }}"
priority=2
user=redis
autostart=false
autorestart=false
stdout_logfile=syslog
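Review bot: `user=redis` drops privileges for the whole `/bin/bash -c` command, which still does `mkdir -p /var/lib/{{ redis_inst }}` and an `rm -f` of dump.rdb there, writes `--pidfile /var/run/redis/{{ redis_inst }}.pid` and creates the socket at `--unixsocket {{ redis_items['unix_socket_path'] }}`; the entrypoint only chowns `$REDIS_DIR`, so if /var/run/redis or the socket's directory is still root-owned the instance fails at startup rather than at runtime. Either create those directories owned by redis at image build time or add them to the entrypoint chown, and note in the PR that supervisord itself has to keep running as root for the `user=` switch to work, which the unchanged `exec /usr/local/bin/supervisord` in the entrypoint relies on.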