From fdb9d028e9bb10cce1d1854f7ad19e2e4459bb5e Mon Sep 17 00:00:00 2001
From: Tamer Ahmed
Date: Wed, 2 Sep 2020 23:40:22 -0700
Subject: [PATCH] [redis] Add redis Group And Grant Read/Write Access to Members (#5289)

sonic-cfggen is now using Unix Domain Socket for Redis DB. The socket is created using root account. Subsequently, services that are started as admin fails to start. This PR creates redis group and add admin user to redis group. It also grants read/write access on redis.sock for redis group members.
signed-off-by: Tamer Ahmed
---
 build_debian.sh | 7 +++++--
 files/build_templates/docker_image_ctl.j2 | 12 +++++-------
 2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/build_debian.sh b/build_debian.sh
index 346bf969af9b..c0d7a321e4bf 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -242,9 +242,12 @@ sudo cp files/docker/docker.service.conf $_
 ## Fix systemd race between docker and containerd
 sudo sed -i '/After=/s/$/ containerd.service/' $FILESYSTEM_ROOT/lib/systemd/system/docker.service
+## Create redis group
+sudo LANG=C chroot $FILESYSTEM_ROOT groupadd -f redis
+
 ## Create default user
-## Note: user should be in the group with the same name, and also in sudo/docker group
-sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
+## Note: user should be in the group with the same name, and also in sudo/docker/redis groups
+sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker,redis $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
 ## Create password for the default user
 echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd
diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
index e252af17718b..965d927bc5c5 100644
--- a/files/build_templates/docker_image_ctl.j2
+++ b/files/build_templates/docker_image_ctl.j2
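Review bot: `sudo LANG=C chroot $FILESYSTEM_ROOT groupadd -f redis` allocates the GID from the regular user range; `groupadd -f -r redis` would place it in the system range, matching the kind of account the redis-server package creates for itself, so the image does not end up with a user-range GID for a service group — whether that package is installed into the rootfs before or after this step is not visible here and worth confirming. The updated note above useradd now lists redis among the groups but not why; `## redis group membership grants read/write access to the redis UNIX socket (see docker_image_ctl.j2)` would record the intent. Membership in this group allows reading and modifying the whole Redis-backed device state, so it should stay limited to accounts that already hold equivalent privilege, which is the case for the default user here since it is also in sudo and docker.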
@@ -131,6 +131,9 @@ function postStartAction()
 /usr/bin/db_migrator.py -o migrate
 fi
 fi
+ # Add redis UDS to the redis group and give read/write access to the group
+ REDIS_SOCK="/var/run/redis${DEV}/redis.sock"
+ chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK
 {%- elif docker_container_name == "swss" %}
 docker exec swss$DEV rm -f /ready # remove cruft
 if [[ "$BOOT_TYPE" == "fast" ]] && [[ -d /host/fast-reboot ]]; then
@@ -354,13 +357,8 @@ NAMESPACE_PREFIX="asic"
 if [ "$DEV" ]; then
 NET_NS="$NAMESPACE_PREFIX$DEV" #name of the network namespace
- # While using -n (namespace) argument, sonic-cfggen/sonic-db-cli uses redis UNIX socket
- # for accessing redis DB in a namespace. This unix socket has permission restrictions since
- # it is created by systemd database.servce started with [User] as [root].
- # sudo is needed here for services which are started by systemd with [User] as [admin]
- # and needs to override this unix socket permission restrictions.
- SONIC_CFGGEN="sudo sonic-cfggen -n $NET_NS"
- SONIC_DB_CLI="sudo sonic-db-cli -n $NET_NS"
+ SONIC_CFGGEN="sonic-cfggen -n $NET_NS"
+ SONIC_DB_CLI="sonic-db-cli -n $NET_NS"
 else
 NET_NS=""
 SONIC_CFGGEN="sonic-cfggen"
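Review bot: `chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK` silences both commands with `-f`, so if the socket does not exist yet when postStartAction runs, or the redis group is absent from the image, the permission change is skipped without any message and admin-started services fail with exactly the error this commit sets out to fix, now with nothing in the log to explain it. Consider checking for the socket and reporting on failure, e.g. `[[ -S "$REDIS_SOCK" ]] || echo "redis socket not found at $REDIS_SOCK" >&2` ahead of the chgrp, and quoting the expansions: `chgrp redis "$REDIS_SOCK" && chmod 0760 "$REDIS_SOCK"`. The group and mode are only applied at container start; if redis-server is restarted inside the container the socket is presumably recreated with the server's own default permissions, so expressing the same policy through redis's `unixsocketperm` setting may be more durable — confirm against the redis configuration shipped in the image. postStartAction begins and ends outside this hunk.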