[redis] Add redis Group And Grant Read/Write Access to Members (#5289)

sonic-cfggen is now using Unix Domain Socket for Redis DB. The socket is created using root account. Subsequently, services that are started as admin fails to start. This PR creates redis group and add admin user to redis group. It also grants read/write access on redis.sock for redis group members. signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
sonic-net · Sep 3, 2020 · fdb9d02 · fdb9d02
1 parent dd908c2
commit fdb9d02
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 9 deletions.
diff --git a/build_debian.sh b/build_debian.sh
@@ -242,9 +242,12 @@ sudo cp files/docker/docker.service.conf $_
 ## Fix systemd race between docker and containerd
 sudo sed -i '/After=/s/$/ containerd.service/' $FILESYSTEM_ROOT/lib/systemd/system/docker.service
 
+## Create redis group
+sudo LANG=C chroot $FILESYSTEM_ROOT groupadd -f redis
+
 ## Create default user
-## Note: user should be in the group with the same name, and also in sudo/docker group
-sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
+## Note: user should be in the group with the same name, and also in sudo/docker/redis groups
+sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker,redis $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
 ## Create password for the default user
 echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd
 

diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
@@ -131,6 +131,9 @@ function postStartAction()
  /usr/bin/db_migrator.py -o migrate
  fi
  fi
+ # Add redis UDS to the redis group and give read/write access to the group
+ REDIS_SOCK="/var/run/redis${DEV}/redis.sock"
+ chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK
 {%- elif docker_container_name == "swss" %}
  docker exec swss$DEV rm -f /ready # remove cruft
  if [[ "$BOOT_TYPE" == "fast" ]] && [[ -d /host/fast-reboot ]]; then
@@ -354,13 +357,8 @@ NAMESPACE_PREFIX="asic"
 if [ "$DEV" ]; then
  NET_NS="$NAMESPACE_PREFIX$DEV" #name of the network namespace
 
- # While using -n (namespace) argument, sonic-cfggen/sonic-db-cli uses redis UNIX socket 
- # for accessing redis DB in a namespace. This unix socket has permission restrictions since 
- # it is created by systemd database.servce started with [User] as [root].
- # sudo is needed here for services which are started by systemd with [User] as [admin]
- # and needs to override this unix socket permission restrictions.
- SONIC_CFGGEN="sudo sonic-cfggen -n $NET_NS"
- SONIC_DB_CLI="sudo sonic-db-cli -n $NET_NS"
+ SONIC_CFGGEN="sonic-cfggen -n $NET_NS"
+ SONIC_DB_CLI="sonic-db-cli -n $NET_NS"
  else
  NET_NS=""
  SONIC_CFGGEN="sonic-cfggen"