Add Redis ACL support

Author: davidpil2002

dockers/docker-database/Dockerfile.j2

@@ -23,18 +23,27 @@ RUN pip3 install click
 {{ install_debian_packages(docker_database_debs.split(' ')) }}
 {%- endif %}
 
+ENV REDIS_SHADOW_TLS=/etc/ssl/certs_redis/certs/tls/
 # Clean up
 RUN apt-get clean -y                                  && \
     apt-get autoclean -y                              && \
     apt-get autoremove -y                             && \
     rm -rf /debs ~/.cache                             && \
     sed -ri 's/^(save .*$)/# \1/g;                       \
              s/^daemonize yes$/daemonize no/;            \
-             s/^logfile .*$/logfile ""/;                 \
+             s|^logfile .*$|logfile /etc/redis/redis-server.log|;                 \
              s/^# syslog-enabled no$/syslog-enabled no/; \
              s/^# unixsocket/unixsocket/;                \
              s/redis-server.sock/redis.sock/g;           \
              s/^client-output-buffer-limit pubsub [0-9]+mb [0-9]+mb [0-9]+/client-output-buffer-limit pubsub 0 0 0/; \
+             s/^port 6379/# port 6379/;                                 \
+             s/^# port 0/port 0/;                                           \
+             s/^# tls-port 6379/tls-port 6379/;                                     \
+             /tls-auth-clients no/s/^# //;                              \
+             s|# tls-cert-file .*|tls-cert-file '"$REDIS_SHADOW_TLS"'/redis.crt|;    \
+             s|# tls-key-file .*|tls-key-file '"$REDIS_SHADOW_TLS"'/redis.key|;      \
+             s|# tls-ca-cert-file .*|tls-ca-cert-file '"$REDIS_SHADOW_TLS"'/ca.crt|; \
+             /aclfile \/etc\/redis\/users.acl/s/^# //;       \
              s/^notify-keyspace-events ""$/notify-keyspace-events AKE/; \
              s/^databases [0-9]+$/databases 100/ \
             ' /etc/redis/redis.conf
@@ -48,5 +57,6 @@ COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
 COPY ["files/sysctl-net.conf", "/etc/sysctl.d/"]
 COPY ["files/update_chassisdb_config", "/usr/local/bin/"]
 COPY ["flush_unused_database", "/usr/local/bin/"]
+COPY ["users.acl.template", "/etc/redis/"]
 
 ENTRYPOINT ["/usr/local/bin/docker-database-init.sh"]

dockers/docker-database/docker-database-init.sh

@@ -115,4 +115,14 @@ ln -sf /usr/share/zoneinfo/$TZ /etc/localtime
 
 chown -R redis:redis $REDIS_DIR
 
+# Redis PW update in users.acl
+acl_template=$(< /etc/redis/users.acl.template)
+
+USER_COUNTER_PASSWORD=$(cat /etc/shadow_redis_dir/shadow_redis_admin)
+acl_new_admin_user="${acl_template//\$\{USER_COUNTER_PASSWORD\}/$USER_COUNTER_PASSWORD}"
+
+MONITOR_PASSWORD=$(cat /etc/shadow_redis_dir/shadow_redis_monitor)
+acl_new_admin_monitor_users="${acl_new_admin_user//\$\{MONITOR_PASSWORD\}/$MONITOR_PASSWORD}"
+echo "$acl_new_admin_monitor_users" > /etc/redis/users.acl
+
 exec /usr/local/bin/supervisord

dockers/docker-database/supervisord.conf.j2

@@ -36,9 +36,8 @@ dependent_startup=true
 {%- else -%}
 {%- set LOOPBACK_IP = '' -%}
 {%- endif -%}
-command=/bin/bash -c "{ [[ -s /var/lib/{{ redis_inst }}/dump.rdb ]] || rm -f /var/lib/{{ redis_inst }}/dump.rdb; } && mkdir -p /var/lib/{{ redis_inst }} && exec /usr/bin/redis-server /etc/redis/redis.conf --bind {{ LOOPBACK_IP }} {{ redis_items['hostname'] }} --port {{ redis_items['port'] }} --unixsocket {{ redis_items['unix_socket_path'] }} --pidfile /var/run/redis/{{ redis_inst }}.pid --dir /var/lib/{{ redis_inst }}"
+command=/bin/bash -c "{ [[ -s /var/lib/{{ redis_inst }}/dump.rdb ]] || rm -f /var/lib/{{ redis_inst }}/dump.rdb; } && mkdir -p /var/lib/{{ redis_inst }} && exec /usr/bin/redis-server /etc/redis/redis.conf --bind {{ LOOPBACK_IP }} {{ redis_items['hostname'] }} --unixsocket {{ redis_items['unix_socket_path'] }} --pidfile /var/run/redis/{{ redis_inst }}.pid --dir /var/lib/{{ redis_inst }}"
 priority=2
-user=redis
 autostart=true
 autorestart=false
 stdout_logfile=syslog

dockers/docker-database/users.acl.template

@@ -0,0 +1,3 @@
+user admin on +@all -DEBUG ~* >${USER_COUNTER_PASSWORD}
+user monitor on +hgetall +keys +select +get +mget +hget -DEBUG ~* >${MONITOR_PASSWORD}
+user default off

dockers/docker-orchagent/buffermgrd.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-BUFFER_CALCULATION_MODE=$(redis-cli -n 4 hget "DEVICE_METADATA|localhost" buffer_model)
+BUFFER_CALCULATION_MODE=$(sonic-db-cli CONFIG_DB hget "DEVICE_METADATA|localhost" buffer_model)
 
 if [ "$BUFFER_CALCULATION_MODE" == "dynamic" ]; then
     BUFFERMGRD_ARGS="-a /etc/sonic/asic_table.json"

files/build_templates/docker_image_ctl.j2

@@ -575,6 +575,7 @@ start() {
     # TODO: Mellanox will remove the --tmpfs exception after SDK socket path changed in new SDK version
 {%- endif %}
     docker create {{docker_image_run_opt}} \
+        -v /etc/shadow_redis_dir:/etc/shadow_redis_dir:ro \
 {%- if docker_container_name != "dhcp_server" %}
         --net=$NET \
 {%- endif %}
@@ -627,6 +628,7 @@ start() {
 {%- endif %}
 {%- if docker_container_name == "database" %}
         $DB_OPT \
+        -v /etc/ssl/certs_redis:/etc/ssl/certs_redis:ro \
 {%- else %}
         -v /var/run/redis$DEV:/var/run/redis:rw \
         -v /var/run/redis-chassis:/var/run/redis-chassis:ro \

files/build_templates/sonic_debian_extension.j2

@@ -113,6 +113,12 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
 # Install j2cli for handling jinja template
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install j2cli
 
+# Create an empty Redis dir for the generation of Redis ACL passwords
+sudo mkdir $FILESYSTEM_ROOT/etc/shadow_redis_dir
+
+# Create an empty Redis dir for the public cacert of Redis TLS
+sudo mkdir $FILESYSTEM_ROOT/etc/shadow_redis_dir/certs_redis
+
 # Install Python client for Redis
 sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip3 install "redis==3.5.3"
 
@@ -932,6 +938,13 @@ sudo LANG=C cp $SCRIPTS_DIR/mgmt-framework.sh $FILESYSTEM_ROOT/usr/local/bin/mgm
 sudo LANG=C cp $SCRIPTS_DIR/asic_status.sh $FILESYSTEM_ROOT/usr/local/bin/asic_status.sh
 sudo LANG=C cp $SCRIPTS_DIR/asic_status.py $FILESYSTEM_ROOT/usr/local/bin/asic_status.py
 
+# Copy Redis Certificate generator script
+FSROOT_ETC_SSL_CERTS_REDIS=$FILESYSTEM_ROOT/etc/ssl/certs_redis
+sudo LANG=C mkdir $FSROOT_ETC_SSL_CERTS_REDIS
+sudo LANG=C cp $SCRIPTS_DIR/gen-redis-certs.sh $FSROOT_ETC_SSL_CERTS_REDIS/gen-redis-certs.sh
+sudo chroot $FILESYSTEM_ROOT chown admin:admin /etc/ssl/certs_redis/gen-redis-certs.sh
+sudo chmod 770 $FSROOT_ETC_SSL_CERTS_REDIS/gen-redis-certs.sh
+
 # Copy sonic-netns-exec script
 sudo LANG=C cp $SCRIPTS_DIR/sonic-netns-exec $FILESYSTEM_ROOT/usr/bin/sonic-netns-exec
 

files/image_config/pcie-check/pcie-check.sh

@@ -38,7 +38,7 @@ function check_and_rescan_pcie_devices()
         fi
 
         if [ "$(eval $PCIE_CHK_CMD)" = "$EXPECTED" ]; then
-            redis-cli -n 6 HSET $PCIE_STATUS_TABLE "status" "PASSED"
+            sonic-db-cli STATE_DB HSET $PCIE_STATUS_TABLE "status" "PASSED"
             debug "PCIe check passed"
             exit
         else
@@ -54,7 +54,7 @@ function check_and_rescan_pcie_devices()
 
      done
      debug "PCIe check failed"
-     redis-cli -n 6 HSET $PCIE_STATUS_TABLE "status" "FAILED"
+     sonic-db-cli STATE_DB HSET $PCIE_STATUS_TABLE "status" "FAILED"
 }
 
 check_and_rescan_pcie_devices

files/image_config/platform/rc.local

@@ -240,6 +240,37 @@ fi
 
 program_console_speed
 
+# Generate password for Redis DB
+echo "Redis PW generation"
+set +x
+REDIS_SHADOW_PATH=/etc/shadow_redis_dir
+openssl_random_cmd=$(openssl rand -base64 32)
+ADMIN_PASSWORD=''
+ADMIN_PASSWORD=$(echo "$openssl_random_cmd" | tr -d '\n')
+REDIS_SHADOW_ADMIN_PATH=$REDIS_SHADOW_PATH/shadow_redis_admin
+touch "$REDIS_SHADOW_ADMIN_PATH"
+chown admin:admin "$REDIS_SHADOW_ADMIN_PATH"
+chmod 640 "$REDIS_SHADOW_ADMIN_PATH"
+echo "$ADMIN_PASSWORD" > "$REDIS_SHADOW_ADMIN_PATH"
+MONITOR_PASSWORD=''
+MONITOR_PASSWORD=$(echo "$openssl_random_cmd" | tr -d '\n')
+echo "$MONITOR_PASSWORD" > $REDIS_SHADOW_PATH/shadow_redis_monitor
+
+# TLS support
+ETC_SSL=/etc/ssl/certs_redis
+REDIS_CERTS=$ETC_SSL/certs
+REDIS_CERTS_TLS=$REDIS_CERTS/tls
+
+# Check if the directory exists and remove it if it does
+[ -d "$REDIS_CERTS" ] && rm -rf "$REDIS_CERTS"
+
+(cd $ETC_SSL && ./gen-redis-certs.sh)
+
+# Copy CA cert to host share location for Redis client usage
+cp  $REDIS_CERTS_TLS/ca.crt $REDIS_SHADOW_PATH/certs_redis
+
+set -x
+
 if [ -f $FIRST_BOOT_FILE ]; then
 
     echo "First boot detected. Performing first boot tasks..."

files/scripts/gen-redis-certs.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# from redis official repo https://github.com/redis/redis/
+# Generate some test certificates which are used by the regression test suite:
+#
+#   certs/tls/ca.{crt,key}          Self signed CA certificate.
+#   certs/tls/redis.{crt,key}       A certificate with no key usage/policy restrictions.
+
+generate_cert() {
+    local name=$1
+    local cn="$2"
+    local opts="$3"
+
+    local keyfile=certs/tls/${name}.key
+    local certfile=certs/tls/${name}.crt
+
+    [ -f $keyfile ] || openssl genrsa -out $keyfile 2048
+    openssl req \
+        -new -sha256 \
+        -subj "/O=Redis Test/CN=$cn" \
+        -key $keyfile | \
+        openssl x509 \
+            -req -sha256 \
+            -CA certs/tls/ca.crt \
+            -CAkey certs/tls/ca.key \
+            -CAserial certs/tls/ca.txt \
+            -CAcreateserial \
+            -days 365 \
+            $opts \
+            -out $certfile
+}
+
+mkdir -p certs/tls
+[ -f certs/tls/ca.key ] || openssl genrsa -out certs/tls/ca.key 4096
+openssl req \
+    -x509 -new -nodes -sha256 \
+    -key certs/tls/ca.key \
+    -days 3650 \
+    -subj '/O=Redis Test/CN=Certificate Authority' \
+    -out certs/tls/ca.crt
+
+cat > certs/tls/openssl.cnf <<_END_
+[ server_cert ]
+keyUsage = digitalSignature, keyEncipherment
+nsCertType = server
+
+[ client_cert ]
+keyUsage = digitalSignature, keyEncipherment
+nsCertType = client
+_END_
+
+generate_cert redis "Generic-cert"