[redis] Add redis Group And Grant Read/Write Access to Members

[tahmed-dev]

sonic-cfggen is now using Unix Domain Socket for Redis DB. The socket
is created using root account. Subsequently, services that are started
as admin fail to start. This PR creates redis group and add admin
user to redis group. It also grants read/write access on redis.sock
for redis group members.

closes #5277
resolves #5277

signed-off-by: Tamer Ahmed tamer.ahmed@microsoft.com

- Why I did it
Access to redis.sock fails when using admin account

- How I did it
Added redis group
Changed redis.sock group to the new group redis
Gave read/write access to redis group on redis.sock

- How to verify it
without this change

admin@str-s6000-acs-14:~$ groups
admin sudo docker

admin@str-s6000-acs-14:~$ ls -alrt /var/run/redis/redis.sock 
srwx------ 1 root root 0 Aug 31 18:48 /var/run/redis/redis.sock

admin@str-s6000-acs-14:~$ sonic-cfggen -d -v 'DEVICE_METADATA["localhost"]["hwsku"]'
Traceback (most recent call last):
  File "/usr/local/bin/sonic-cfggen", line 420, in <module>
    main()
  File "/usr/local/bin/sonic-cfggen", line 347, in main
    configdb.connect()
  File "/usr/local/lib/python2.7/dist-packages/swsssdk/configdb.py", line 74, in connect
    self.db_connect('CONFIG_DB', wait_for_init, retry_on)
  File "/usr/local/lib/python2.7/dist-packages/swsssdk/configdb.py", line 69, in db_connect
    SonicV2Connector.connect(self, self.db_name, retry_on)
  File "/usr/local/lib/python2.7/dist-packages/swsssdk/dbconnector.py", line 250, in connect
    self.dbintf.connect(db_id, retry_on)
  File "/usr/local/lib/python2.7/dist-packages/swsssdk/interface.py", line 171, in connect
    self._onetime_connect(db_id)
  File "/usr/local/lib/python2.7/dist-packages/swsssdk/interface.py", line 183, in _onetime_connect
    client.config_set('notify-keyspace-events', self.KEYSPACE_EVENTS)
  File "/usr/local/lib/python2.7/dist-packages/redis/client.py", line 1243, in config_set
    return self.execute_command('CONFIG SET', name, value)
  File "/usr/local/lib/python2.7/dist-packages/redis/client.py", line 898, in execute_command
    conn = self.connection or pool.get_connection(command_name, **options)
  File "/usr/local/lib/python2.7/dist-packages/redis/connection.py", line 1192, in get_connection
    connection.connect()
  File "/usr/local/lib/python2.7/dist-packages/redis/connection.py", line 563, in connect
    raise ConnectionError(self._error_message(e))
redis.exceptions.ConnectionError: Error 13 connecting to unix socket: /var/run/redis/redis.sock. Permission denied.

with this change

admin@str-s6000-acs-14:~$ groups
admin sudo docker redis

admin@str-s6000-acs-14:~$ ls -alrt /var/run/redis/redis.sock 
srwxrw---- 1 root redis 0 Aug 31 23:00 /var/run/redis/redis.sock

admin@str-s6000-acs-14:~$ sonic-cfggen -d -v 'DEVICE_METADATA["localhost"]["hwsku"]'
Force10-S6000

- Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[jleveque]

LGTM. Please wait for other reviewers.

[pavel-shirshov]

LGTM but wait for others

[judyjoseph]

Looks ok with multi-asic platform. One observation though I don't see this new redis group inside the docker. But I feel it is ok as long as the owner is root.

admin@str--acs-1:~$ docker exec -it database bash
root@str--acs-1:/# ls -la /var/run/redis/redis.sock
srwxrw---- 1 root 1000 0 Sep 3 05:29 /var/run/redis/redis.sock

[tahmed-dev]

Looks ok with multi-asic platform. One observation though I don't see this new redis group inside the docker. But I feel it is ok as long as the owner is root.

admin@str--acs-1:~$ docker exec -it database bash
root@str--acs-1:/# ls -la /var/run/redis/redis.sock
srwxrw---- 1 root 1000 0 Sep 3 05:29 /var/run/redis/redis.sock

docker has user root AFAIKT. user admin is not available inside docker