introduce sysrepo group for sysrepo-related processes
Sysrepo made some changes to file permissions and because of that
rousette began to fail because of insufficient permissions to open
sysrepo shm files.
It started to become tricky to manage all the stuff we decided to go
with what their README says [1], i.e., compile sysrepo with flags that
make sysrepo to create files with a specified group (sysrepo) and with
default umask (0007).
This is done via patches to our buildroot tree.
All sysrepo-related services then must run under sysrepo group so they
have access to sysrepo internal files.
Depends-on: https://gerrit.cesnet.cz/c/CzechLight/dependencies/+/5748
Change-Id: I257b9016bf7ca2af20f5627a2fe1b79b077c0232
diff --git a/package/cla-sysrepo/cla-appliance.service.in b/package/cla-sysrepo/cla-appliance.service.in
index 8263bc8..b3ef5b0 100644
--- a/package/cla-sysrepo/cla-appliance.service.in
+++ b/package/cla-sysrepo/cla-appliance.service.in
@@ -11,6 +11,7 @@
[Service]
Type=notify
ExecStart=/usr/bin/cla-sysrepod --io-log-level=5 --properties-log-level=5 --sr-bridge-log-level=5 --sysrepo-log-level=3 --appliance=__MODEL__
+Group=sysrepo
PrivateTmp=yes
PrivateDevices=no
ProtectSystem=yes
diff --git a/package/cla-sysrepo/czechlight-install-yang.service b/package/cla-sysrepo/czechlight-install-yang.service
index b4202b9..4588f71 100644
--- a/package/cla-sysrepo/czechlight-install-yang.service
+++ b/package/cla-sysrepo/czechlight-install-yang.service
@@ -8,6 +8,7 @@
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash /usr/bin/czechlight-install-yang.sh
+Group=sysrepo
[Install]
WantedBy=multi-user.target
diff --git a/package/cla-sysrepo/czechlight-install-yang.sh b/package/cla-sysrepo/czechlight-install-yang.sh
index db2387e..72b3f33 100755
--- a/package/cla-sysrepo/czechlight-install-yang.sh
+++ b/package/cla-sysrepo/czechlight-install-yang.sh
@@ -48,7 +48,7 @@
sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/iana-hardware@2018-03-13.yang
sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/ietf-hardware@2018-03-13.yang
-sysrepoctl --change ietf-hardware --permissions 0664 --enable-feature hardware-sensor
+sysrepoctl --change ietf-hardware --permissions 0660 --enable-feature hardware-sensor
if [[ ${YANG_ROADM} == 1 ]]; then
FEATURE_ARGS=""
@@ -57,54 +57,41 @@
FEATURE_ARGS="${FEATURE_ARGS} --enable-feature ${FEATURE}"
done
fi
- sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-roadm-device@2021-03-05.yang ${FEATURE_ARGS}
- sysrepoctl --change czechlight-roadm-device --group optics --permissions 0664
+ sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-roadm-device@2021-03-05.yang ${FEATURE_ARGS} --permissions 0660
sysrepocfg --datastore=startup --format=json --module=czechlight-roadm-device --import="${CLA_YANG}/${INITIAL_DATA}.json"
fi
if [[ ${YANG_COHERENT} == 1 ]]; then
- sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-coherent-add-drop@2021-03-05.yang
+ sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-coherent-add-drop@2021-03-05.yang --permissions 0660
sysrepocfg --datastore=startup --format=json --module=czechlight-coherent-add-drop --new-data="${CLA_YANG}/${INITIAL_DATA}.json"
- sysrepoctl --change czechlight-coherent-add-drop --group optics --permissions 0664
+ sysrepoctl --change czechlight-coherent-add-drop --permissions 0660
fi
if [[ ${YANG_INLINE} == 1 ]]; then
- sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-inline-amp@2021-03-05.yang
+ sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-inline-amp@2021-03-05.yang --permissions 0660
sysrepocfg --datastore=startup --format=json --module=czechlight-inline-amp --import="${CLA_YANG}/${INITIAL_DATA}.json"
- sysrepoctl --change czechlight-inline-amp --group optics --permissions 0664
fi
if [[ ${YANG_CALIBRATION} == 1 ]]; then
- sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-calibration-device@2019-06-25.yang
+ sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-calibration-device@2019-06-25.yang --permissions 0660
sysrepocfg --datastore=startup --format=json --module=czechlight-calibration-device --import="${CLA_YANG}/${INITIAL_DATA}.json"
- sysrepoctl --change czechlight-calibration-device --group optics --permissions 0664
fi
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-system@2014-08-06.yang
-sysrepoctl --change ietf-system --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-system@2014-08-06.yang --permissions 0660
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-lldp@2020-11-04.yang
-sysrepoctl --change czechlight-lldp --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-lldp@2020-11-04.yang --permissions 0660
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-system@2021-01-13.yang
-sysrepoctl --change czechlight-system --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-system@2021-01-13.yang --permissions 0660
sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/iana-if-type@2017-01-19.yang
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-interfaces@2018-02-20.yang
-sysrepoctl --change ietf-interfaces --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ip@2018-02-22.yang
-sysrepoctl --change ietf-ip --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-routing@2018-03-13.yang
-sysrepoctl --change ietf-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv4-unicast-routing@2018-03-13.yang
-sysrepoctl --change ietf-ipv4-unicast-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv6-unicast-routing@2018-03-13.yang
-sysrepoctl --change ietf-ipv6-unicast-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-network@2021-02-22.yang
-sysrepoctl --change czechlight-network --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-interfaces@2018-02-20.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ip@2018-02-22.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv4-unicast-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv6-unicast-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-network@2021-02-22.yang --permissions 0660
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-firewall@2021-01-25.yang
-sysrepoctl --change czechlight-firewall --permissions 0600
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-firewall@2021-01-25.yang --permissions 0600
sysrepoctl --change ietf-access-control-list --enable-feature match-on-eth --enable-feature eth --enable-feature match-on-ipv4 --enable-feature ipv4 --enable-feature match-on-ipv6 --enable-feature ipv6 --enable-feature mixed-eth-ipv4-ipv6
# If not do not copy here from startup -> running, running might be stale.
diff --git a/package/czechlight-cfg-fs/cfg-restore-sysrepo.service b/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
index cac0f64..d289933 100644
--- a/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
+++ b/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
@@ -10,6 +10,7 @@
RemainAfterExit=yes
ExecStart=/bin/sysrepocfg -d startup -f json --import=/cfg/sysrepo/startup.json
ExecStart=/bin/sysrepocfg -C startup
+Group=sysrepo
StandardOutput=journal+console
[Install]
diff --git a/package/czechlight-cfg-fs/nacm-restore.service b/package/czechlight-cfg-fs/nacm-restore.service
index 96dfb7c..2cb3dec 100644
--- a/package/czechlight-cfg-fs/nacm-restore.service
+++ b/package/czechlight-cfg-fs/nacm-restore.service
@@ -9,6 +9,7 @@
RemainAfterExit=yes
ExecStart=/bin/sysrepocfg -d startup -m ietf-netconf-acm -f json --import=/usr/share/yang-data/nacm.json
ExecStart=/bin/sysrepocfg -C startup
+Group=sysrepo
[Install]
WantedBy=multi-user.target
diff --git a/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service b/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
index 8f2642c..007bd7b 100644
--- a/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
+++ b/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
@@ -7,3 +7,4 @@
Type=simple
UMask=0077
ExecStart=/bin/sh -c 'while true; do inotifywait -e CLOSE_WRITE /etc/sysrepo/data/*.startup && mkdir -p /cfg/sysrepo/ && sysrepocfg -d startup -f json -X > /cfg/sysrepo/startup.json; done'
+Group=sysrepo
diff --git a/package/rousette/rousette.service b/package/rousette/rousette.service
index 1f373e0..cb79d27 100644
--- a/package/rousette/rousette.service
+++ b/package/rousette/rousette.service
@@ -7,6 +7,9 @@
[Service]
Type=simple
ExecStart=/usr/bin/rousette
+User=yangnobody
+Group=yangnobody
+SupplementaryGroups=sysrepo optics
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=yes
@@ -16,8 +19,6 @@
LogRateLimitIntervalSec=10
LogRateLimitBurst=30000
SyslogLevel=alert
-User=yangnobody
-Group=yangnobody
[Install]
WantedBy=multi-user.target
diff --git a/package/velia/velia-firewall.service b/package/velia/velia-firewall.service
index 2f4a2f9..1fdb318 100644
--- a/package/velia/velia-firewall.service
+++ b/package/velia/velia-firewall.service
@@ -9,6 +9,7 @@
[Service]
Type=simple
ExecStart=/usr/bin/veliad-firewall
+Group=sysrepo
PrivateTmp=yes
PrivateDevices=no
ProtectSystem=yes
diff --git a/package/velia/velia-hardware-g1.service b/package/velia/velia-hardware-g1.service
index bef35f6..6e09df3 100644
--- a/package/velia/velia-hardware-g1.service
+++ b/package/velia/velia-hardware-g1.service
@@ -12,6 +12,7 @@
[Service]
Type=simple
ExecStart=/usr/bin/veliad-hardware --appliance=czechlight-clearfog
+Group=sysrepo
PrivateTmp=yes
PrivateDevices=no
ProtectSystem=yes
diff --git a/package/velia/velia-hardware-g2.service b/package/velia/velia-hardware-g2.service
index c39c3f8..84342b7 100644
--- a/package/velia/velia-hardware-g2.service
+++ b/package/velia/velia-hardware-g2.service
@@ -13,6 +13,7 @@
[Service]
Type=simple
ExecStart=/usr/bin/veliad-hardware --appliance=czechlight-clearfog-g2
+Group=sysrepo
PrivateTmp=yes
PrivateDevices=no
ProtectSystem=yes
diff --git a/package/velia/velia-health.service b/package/velia/velia-health.service
index f779bf6..05f66c2 100644
--- a/package/velia/velia-health.service
+++ b/package/velia/velia-health.service
@@ -9,6 +9,7 @@
ExecStartPre=/bin/sh -c 'for COLOUR in red green blue; do echo none > /sys/class/leds/status:$${COLOUR}/trigger; echo 0 > /sys/class/leds/status:green/brightness; done'
ExecStart=/usr/bin/veliad-health --appliance=czechlight-clearfog --systemd-ignore-unit=systemd-journal-upload.service
ExecStopPost=/bin/sh -c 'for COLOUR in red green blue; do echo 0 > /sys/class/leds/status:$$COLOUR/brightness; done; [[ "$EXIT_CODE" == "exited" ]] && COLOUR="green" || COLOUR="red"; echo timer > /sys/class/leds/status:$$COLOUR/trigger; echo 256 > /sys/class/leds/status:$$COLOUR/brightness'
+Group=sysrepo
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=yes
diff --git a/package/velia/velia-system.service b/package/velia/velia-system.service
index cd8db60..6963e91 100644
--- a/package/velia/velia-system.service
+++ b/package/velia/velia-system.service
@@ -9,6 +9,7 @@
[Service]
Type=simple
ExecStart=/usr/bin/veliad-system
+Group=sysrepo
PrivateTmp=yes
PrivateDevices=no
ProtectSystem=yes