can't connect to redis: permission denied #567

norabruns · 2021-10-22T08:10:24Z

When irrd is started as root, and irrd.user and irrd.group is set, and access to the redis unix domain socket is granted to that user through a supplementary group (e.g. redis on ubuntu/debian), irrd will not be able to connect to redis.

Logs look like this:

systemd[1]: Starting IRRD4...
irrd[1720]: [irrd.daemon.main#INFO] IRRd attempting to secure PID
irrd[1720]: [irrd.daemon.main#INFO] IRRd 4.2.0 starting, PID 1720, PID file in /home/irrd/
irrd-whois-serv[1729]: [irrd.server.whois.server#INFO] Starting whois server on TCP ('0.0.0.0', 43)
irrd-preload-st[1730]: [root#INFO] Starting preload store manager
irrd-preload-st[1730]: [irrd.storage.preload#ERROR] Failed to empty preload store due to redis connection error, queries may have outdated results until full reload is completed (max 30s): Error 13 connecting to unix socket: /var/run/redis/redis-server.sock. Permission denied.
irrd-preload-st[1730]: [irrd.storage.preload#ERROR] Failed redis pubsub connection, attempting reconnect and reload in 5s: Error 13 connecting to unix socket: /var/run/redis/redis-server.sock. Permission denied.
irrd-http-serve[1731]: [uvicorn.error#INFO] Uvicorn running on http://[::1]:8080 (Press CTRL+C to quit)
irrd-http-serve[1731]: [uvicorn.error#INFO] Started parent process [1731]
irrd-whois-serv[1734]: [irrd.storage.preload#ERROR] Failed redis pubsub connection, attempting reconnect and reload in 5s: Error 13 connecting to unix socket: /var/run/redis/redis-server.sock. Permission denied.
irrd-whois-serv[1735]: [irrd.storage.preload#ERROR] Failed redis pubsub connection, attempting reconnect and reload in 5s: Error 13 connecting to unix socket: /var/run/redis/redis-server.sock. Permission denied.
irrd-whois-serv[1737]: [irrd.storage.preload#ERROR] Failed redis pubsub connection, attempting reconnect and reload in 5s: Error 13 connecting to unix socket: /var/run/redis/redis-server.sock. Permission denied.

IRRd version you are running
irrd 4.2.0

Cause (I assume)
This is caused by change_process_owner being called with initgroups=False, so the irrd process does not have any supplementary groups. See https://pagure.io/python-daemon/blob/main/f/daemon/daemon.py#_609

I do not understand why initgroups=False is the default, as it results in very confusing behavior.

The text was updated successfully, but these errors were encountered:

mxsasha · 2021-10-24T11:19:15Z

Entirely agree, thanks for the report and PR!

mxsasha · 2021-10-28T15:23:30Z

Still needs backport to 4.2

mxsasha · 2021-10-29T14:47:21Z

Released in 4.2.1

norabruns mentioned this issue Oct 22, 2021

initialize supplementary groups on startup #568

Merged

mxsasha closed this as completed in #568 Oct 24, 2021

mxsasha self-assigned this Oct 24, 2021

mxsasha added the backport Should be backported to previous releases label Oct 24, 2021

mxsasha added the bug Something isn't working label Oct 24, 2021

mxsasha reopened this Oct 28, 2021

mxsasha closed this as completed Oct 29, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

can't connect to redis: permission denied #567

can't connect to redis: permission denied #567

norabruns commented Oct 22, 2021

mxsasha commented Oct 24, 2021

mxsasha commented Oct 28, 2021

mxsasha commented Oct 29, 2021

can't connect to redis: permission denied #567

can't connect to redis: permission denied #567

Comments

norabruns commented Oct 22, 2021

mxsasha commented Oct 24, 2021

mxsasha commented Oct 28, 2021

mxsasha commented Oct 29, 2021