[redis] Add redis Group And Grant Read/Write Access to Members (#5289)

tahmed-dev · web-flow · commit fdb9d028e9bb · 2020-09-02T23:40:22.000-07:00
sonic-cfggen is now using Unix Domain Socket for Redis DB. The socket
is created using root account. Subsequently, services that are started
as admin fails to start. This PR creates redis group and add admin
user to redis group. It also grants read/write access on redis.sock
for redis group members.

signed-off-by: Tamer Ahmed &lt;tamer.ahmed@microsoft.com&gt;
diff --git a/build_debian.sh b/build_debian.sh
@@ -242,9 +242,12 @@ sudo cp files/docker/docker.service.conf $_
 ## Fix systemd race between docker and containerd
 sudo sed -i '/After=/s/$/ containerd.service/' $FILESYSTEM_ROOT/lib/systemd/system/docker.service
 
+## Create redis group
+sudo LANG=C chroot $FILESYSTEM_ROOT groupadd -f redis
+
 ## Create default user
-## Note: user should be in the group with the same name, and also in sudo/docker group
-sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
+## Note: user should be in the group with the same name, and also in sudo/docker/redis groups
+sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker,redis $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
 ## Create password for the default user
 echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd
 
diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
@@ -131,6 +131,9 @@ function postStartAction()
             /usr/bin/db_migrator.py -o migrate
         fi
     fi
+    # Add redis UDS to the redis group and give read/write access to the group
+    REDIS_SOCK="/var/run/redis${DEV}/redis.sock"
+    chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK
 {%- elif docker_container_name == "swss" %}
     docker exec swss$DEV rm -f /ready   # remove cruft
     if [[ "$BOOT_TYPE" == "fast" ]] && [[ -d /host/fast-reboot ]]; then
@@ -354,13 +357,8 @@ NAMESPACE_PREFIX="asic"
 if [ "$DEV" ]; then
     NET_NS="$NAMESPACE_PREFIX$DEV" #name of the network namespace
 
-    # While using -n (namespace) argument, sonic-cfggen/sonic-db-cli uses redis UNIX socket 
-    # for accessing redis DB in a namespace. This unix socket has permission restrictions since 
-    # it is created by systemd database.servce started with [User] as [root].
-    # sudo is needed here for services which are started by systemd with [User] as [admin]
-    # and needs to override this unix socket permission restrictions.
-    SONIC_CFGGEN="sudo sonic-cfggen -n $NET_NS"
-    SONIC_DB_CLI="sudo sonic-db-cli -n $NET_NS"
+    SONIC_CFGGEN="sonic-cfggen -n $NET_NS"
+    SONIC_DB_CLI="sonic-db-cli -n $NET_NS"
  else
     NET_NS=""
     SONIC_CFGGEN="sonic-cfggen"
