[database] make Redis process run as non-root user (sonic-net#16326)
Why I did it
Running the Redis server as the "root" user is not recommended. It is suggested that the server should be operated by a non-privileged user.

Work item tracking
Microsoft ADO (number only): 15895240

How I did it
Ensure the Redis process is operating under the 'redis' user in supervisord and make the redis user own REDIS_DIR inside the db container.

How to verify it
Built a new image, verified the redis process is running as the 'redis' user and all containers are up.

Signed-off-by: Mai Bui <[email protected]>
maipbui authored and pull[bot] committed Nov 19, 2024
1 parent 34676f7 commit 68baf40
Showing 2 changed files with 3 additions and 0 deletions.
2 changes: 2 additions & 0 deletions dockers/docker-database/docker-database-init.sh
Expand Up @@ -99,4 +99,6 @@ TZ=$(cat /etc/timezone)
rm -rf /etc/localtime
ln -sf /usr/share/zoneinfo/$TZ /etc/localtime

chown -R redis:redis $REDIS_DIR

exec /usr/local/bin/supervisord
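Review bot: `$REDIS_DIR` is unquoted and unguarded in `chown -R redis:redis $REDIS_DIR`; if the variable is empty the command degrades to `chown -R redis:redis` (a usage error), and if it ever contains whitespace it word-splits. Suggest `chown -R redis:redis "${REDIS_DIR:?REDIS_DIR not set}"` so the script fails loudly instead of silently leaving the data directory root-owned. The recursive chown also runs on every container start and rewrites ownership of the whole data directory each boot; if that is intended (for example to repair volumes created by an older root-running image), a one-line comment saying so would help the next reader.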
1 change: 1 addition & 0 deletions dockers/docker-database/supervisord.conf.j2
Expand Up @@ -38,6 +38,7 @@ dependent_startup=true
{%- endif -%}
command=/bin/bash -c "{ [[ -s /var/lib/{{ redis_inst }}/dump.rdb ]] || rm -f /var/lib/{{ redis_inst }}/dump.rdb; } && mkdir -p /var/lib/{{ redis_inst }} && exec /usr/bin/redis-server /etc/redis/redis.conf --bind {{ LOOPBACK_IP }} {{ redis_items['hostname'] }} --port {{ redis_items['port'] }} --unixsocket {{ redis_items['unix_socket_path'] }} --pidfile /var/run/redis/{{ redis_inst }}.pid --dir /var/lib/{{ redis_inst }}"
priority=2
user=redis
autostart=false
autorestart=false
stdout_logfile=syslog
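Review bot: with `user=redis` the entire `command=` line now runs unprivileged, so every path it touches must be writable by that user, not only `$REDIS_DIR` from the init script: `mkdir -p /var/lib/{{ redis_inst }}`, `rm -f /var/lib/{{ redis_inst }}/dump.rdb`, the pid file under `/var/run/redis/`, and the socket at `{{ redis_items['unix_socket_path'] }}`. If any of those directories is still root-owned, redis-server exits at startup and, with `autorestart=false`, stays down; please confirm each is covered by the chown in the init script or created with the right owner in the Dockerfile. Note also that `user=` only works because supervisord itself is exec'd as root from the init script; a short comment in the template recording that dependency would prevent someone later dropping privileges before supervisord starts.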