sonic-buildimage/dockers/docker-database/supervisord.conf.j2
Mai Bui ff5f46955c
[database] make Redis process runs as non-root user (#16326)
Why I did it
Running the Redis server as the "root" user is not recommended. It is suggested that the server should be operated by a non-privileged user.

Work item tracking
Microsoft ADO (number only): 15895240

How I did it
Ensure the Redis process is operating under the 'redis' user in supervisord and make redis user own REDIS_DIR inside db container.

How to verify it
Built new image, verify redis process is running as 'redis' user and all containers are up.

Signed-off-by: Mai Bui <maibui@microsoft.com>
2023-09-01 23:03:15 -07:00

60 lines
1.8 KiB
Django/Jinja

[supervisord]
logfile_maxbytes=1MB
logfile_backups=2
nodaemon=true
[eventlistener:dependent-startup]
command=python3 -m supervisord_dependent_startup
autostart=true
autorestart=unexpected
startretries=0
exitcodes=0,3
events=PROCESS_STATE
buffer_size=1024
[eventlistener:supervisor-proc-exit-listener]
command=/usr/bin/supervisor-proc-exit-listener --container-name database
events=PROCESS_STATE_EXITED,PROCESS_STATE_RUNNING
autostart=true
autorestart=unexpected
buffer_size=1024
[program:rsyslogd]
command=/usr/sbin/rsyslogd -n -iNONE
priority=1
autostart=false
autorestart=false
stdout_logfile=syslog
stderr_logfile=syslog
dependent_startup=true
{% if INSTANCES %}
{% for redis_inst, redis_items in INSTANCES.items() %}
[program:{{ redis_inst }}]
{% if redis_items['hostname'] != '127.0.0.1' and redis_inst != 'redis_chassis' %}
{%- set LOOPBACK_IP = '127.0.0.1' -%}
{%- else -%}
{%- set LOOPBACK_IP = '' -%}
{%- endif -%}
command=/bin/bash -c "{ [[ -s /var/lib/{{ redis_inst }}/dump.rdb ]] || rm -f /var/lib/{{ redis_inst }}/dump.rdb; } && mkdir -p /var/lib/{{ redis_inst }} && exec /usr/bin/redis-server /etc/redis/redis.conf --bind {{ LOOPBACK_IP }} {{ redis_items['hostname'] }} --port {{ redis_items['port'] }} --unixsocket {{ redis_items['unix_socket_path'] }} --pidfile /var/run/redis/{{ redis_inst }}.pid --dir /var/lib/{{ redis_inst }}"
priority=2
user=redis
autostart=false
autorestart=false
stdout_logfile=syslog
stderr_logfile=syslog
dependent_startup=true
dependent_startup_wait_for=rsyslogd:running
{% endfor %}
{% endif %}
[program:flushdb]
command=/bin/bash -c "sleep 300 && /usr/local/bin/flush_unused_database"
priority=3
autostart=false
autorestart=false
stdout_logfile=syslog
stderr_logfile=syslog
dependent_startup=true
dependent_startup_wait_for=rsyslogd:running