From c2b65107ca71f019119cef97cd408751222383df Mon Sep 17 00:00:00 2001 From: Tamer Ahmed Date: Mon, 31 Aug 2020 16:09:06 -0700 Subject: [PATCH 1/3] [redis] Add redis Group And Grant Read/Write Access to Members sonic-cfggen is now using Unix Domain Socket for Redis DB. The socket is created using root account. Subsequently, services that are started as admin fails to start. This PR creates redis group and add admin user to redis group. It also grants read/write access on redis.sock for redis group members. signed-off-by: Tamer Ahmed --- build_debian.sh | 7 +++++-- files/build_templates/docker_image_ctl.j2 | 3 +++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/build_debian.sh b/build_debian.sh index 346bf969af9b..033482bec6ee 100755 --- a/build_debian.sh +++ b/build_debian.sh @@ -242,9 +242,12 @@ sudo cp files/docker/docker.service.conf $_ ## Fix systemd race between docker and containerd sudo sed -i '/After=/s/$/ containerd.service/' $FILESYSTEM_ROOT/lib/systemd/system/docker.service +## Create redis group +sudo LANG=C chroot $FILESYSTEM_ROOT groupadd -f redis + ## Create default user -## Note: user should be in the group with the same name, and also in sudo/docker group -sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash +## Note: user should be in the group with the same name, and also in sudo/docker/redis group +sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker,redis $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash ## Create password for the default user echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2 index e252af17718b..a2de7ea8489a 100644 --- a/files/build_templates/docker_image_ctl.j2 +++ b/files/build_templates/docker_image_ctl.j2 
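Review bot: Adding the default user to `redis` is a privilege grant that the updated comment does not describe: together with the group read/write mode this series puts on the socket, membership gives unrestricted read/write to every SONiC database over the unix socket, with no Redis authentication visible anywhere in the patch, so it should be treated as a privileged group on par with `sudo` and `docker`. I would say so next to the `useradd`, e.g. `## Note: redis group membership grants full read/write to the SONiC DBs via the redis unix socket; treat it as a privileged group`. Also, `groupadd -f redis` takes the next free GID; if anything inside a container that bind-mounts the socket directory is expected to rely on the same group, the GID would need to be pinned (`groupadd -f -g <gid> redis`) — I cannot tell from this hunk whether that applies.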
@@ -131,6 +131,9 @@ function postStartAction() /usr/bin/db_migrator.py -o migrate fi fi + # Add redis UDS to the redis group and give read/write access to the group + REDIS_SOCK="/var/run/redis/redis.sock" + chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK {%- elif docker_container_name == "swss" %} docker exec swss$DEV rm -f /ready # remove cruft if [[ "$BOOT_TYPE" == "fast" ]] && [[ -d /host/fast-reboot ]]; then From 9a51470d3ead5a0b99103324f6d891ed69e6cc03 Mon Sep 17 00:00:00 2001 From: Tamer Ahmed Date: Mon, 31 Aug 2020 16:30:43 -0700 Subject: [PATCH 2/3] nit-picking. --- build_debian.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build_debian.sh b/build_debian.sh index 033482bec6ee..c0d7a321e4bf 100755 --- a/build_debian.sh +++ b/build_debian.sh @@ -246,7 +246,7 @@ sudo sed -i '/After=/s/$/ containerd.service/' $FILESYSTEM_ROOT/lib/systemd/syst sudo LANG=C chroot $FILESYSTEM_ROOT groupadd -f redis ## Create default user -## Note: user should be in the group with the same name, and also in sudo/docker/redis group +## Note: user should be in the group with the same name, and also in sudo/docker/redis groups sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker,redis $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash ## Create password for the default user echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd From 5a14b5fe4277688e88fc1f4b565adf074bbaae37 Mon Sep 17 00:00:00 2001 From: Tamer Ahmed Date: Tue, 1 Sep 2020 12:54:44 -0700 Subject: [PATCH 3/3] support for multi-asic platform --- files/build_templates/docker_image_ctl.j2 | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2 index a2de7ea8489a..965d927bc5c5 100644 --- a/files/build_templates/docker_image_ctl.j2 +++ b/files/build_templates/docker_image_ctl.j2 
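Review bot: The `-f` on both `chgrp` and `chmod`, combined with the `&&` chain, means that if `$REDIS_SOCK` does not exist when this runs (the socket is created by redis inside the container, and nothing in the hunk waits for it) or the `chgrp` fails, the permission fix is skipped silently and the problem only surfaces later as the original "services started as admin fail" symptom. I would make the precondition explicit and loud, and quote the variable: `[[ -S "$REDIS_SOCK" ]] || echo "redis socket $REDIS_SOCK missing, group access not applied" >&2` before the `chgrp`, and drop `-f` from `chgrp`/`chmod` so a real failure is visible in the service log. The preceding `db_migrator.py` call suggests the DB is already reachable at this point, but the enclosing postStartAction function begins outside the hunk, so I cannot see whether an earlier readiness wait guarantees the socket exists.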
@@ -132,7 +132,7 @@ function postStartAction()
 fi
 fi
 # Add redis UDS to the redis group and give read/write access to the group
- REDIS_SOCK="/var/run/redis/redis.sock"
+ REDIS_SOCK="/var/run/redis${DEV}/redis.sock"
 chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK
 {%- elif docker_container_name == "swss" %}
 docker exec swss$DEV rm -f /ready # remove cruft
@@ -357,13 +357,8 @@ NAMESPACE_PREFIX="asic"
 if [ "$DEV" ]; then
 NET_NS="$NAMESPACE_PREFIX$DEV" #name of the network namespace
- # While using -n (namespace) argument, sonic-cfggen/sonic-db-cli uses redis UNIX socket
- # for accessing redis DB in a namespace. This unix socket has permission restrictions since
- # it is created by systemd database.servce started with [User] as [root].
- sudo is needed here for services which are started by systemd with [User] as [admin]
- and needs to override this unix socket permission restrictions.
- SONIC_CFGGEN="sudo sonic-cfggen -n $NET_NS"
- SONIC_DB_CLI="sudo sonic-db-cli -n $NET_NS"
+ SONIC_CFGGEN="sonic-cfggen -n $NET_NS"
+ SONIC_DB_CLI="sonic-db-cli -n $NET_NS"
 else
 NET_NS=""
 SONIC_CFGGEN="sonic-cfggen"
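Review bot: The group/mode fix-up is a one-shot action after container start, so it does not survive the socket being recreated: if redis inside the database container restarts, the new socket comes back root-owned with default permissions and the group access is lost until the container itself is restarted — and because this same patch also drops the `sudo` from the namespaced `SONIC_CFGGEN`/`SONIC_DB_CLI`, that state now fails outright instead of being masked. A more durable approach, if the container's redis configuration is under this repo's control, is to set `unixsocketperm 660` in redis.conf and run redis-server with a `redis` group whose GID matches the host's, so the socket is created with the right ownership from the start; I cannot see the container's redis configuration from this hunk. Minor: `0760` sets the owner execute bit on a socket, which has no meaning there; `0660` states the intent, i.e. `chgrp redis "$REDIS_SOCK" && chmod 0660 "$REDIS_SOCK"`. postStartAction begins outside the hunk.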