introduce sysrepo group for sysrepo-related processes

Sysrepo made some changes to file permissions and because of that
rousette began to fail because of insufficient permissions to open
sysrepo shm files.
Since it started to become tricky to manage all of this, we decided to go
with what their README says [1], i.e., compile sysrepo with flags that
make sysrepo create files with a specified group (sysrepo) and with a
default umask (0007).
This is done via patches to our buildroot tree.

All sysrepo-related services then must run under sysrepo group so they
have access to sysrepo internal files.

Depends-on: https://gerrit.cesnet.cz/c/CzechLight/dependencies/+/5748
Change-Id: I257b9016bf7ca2af20f5627a2fe1b79b077c0232
diff --git a/package/cla-sysrepo/cla-appliance.service.in b/package/cla-sysrepo/cla-appliance.service.in
index 8263bc8..b3ef5b0 100644
--- a/package/cla-sysrepo/cla-appliance.service.in
+++ b/package/cla-sysrepo/cla-appliance.service.in
@@ -11,6 +11,7 @@
 [Service]
 Type=notify
 ExecStart=/usr/bin/cla-sysrepod --io-log-level=5 --properties-log-level=5 --sr-bridge-log-level=5 --sysrepo-log-level=3 --appliance=__MODEL__
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
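Review bot: `Group=sysrepo` is added without a `User=` line in the visible context, so unless one exists outside the hunk the service keeps running as root, where group membership grants no additional access (root bypasses DAC checks unless capabilities are restricted elsewhere in the unit); the only effect is that files the daemon creates are group-owned by sysrepo. A one-line comment in the unit would make that intent explicit, e.g. `# primary group sysrepo so that files created by this root service are group-accessible to non-root sysrepo clients`. The same applies to czechlight-install-yang.service, cfg-restore-sysrepo.service, nacm-restore.service, sysrepo-persistent-cfg.service, velia-firewall.service, velia-hardware-g1.service, velia-hardware-g2.service, velia-health.service and velia-system.service. The [Service] section continues past the hunk.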
diff --git a/package/cla-sysrepo/czechlight-install-yang.service b/package/cla-sysrepo/czechlight-install-yang.service
index b4202b9..4588f71 100644
--- a/package/cla-sysrepo/czechlight-install-yang.service
+++ b/package/cla-sysrepo/czechlight-install-yang.service
@@ -8,6 +8,7 @@
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/bin/bash /usr/bin/czechlight-install-yang.sh
+Group=sysrepo
 
 [Install]
 WantedBy=multi-user.target
diff --git a/package/cla-sysrepo/czechlight-install-yang.sh b/package/cla-sysrepo/czechlight-install-yang.sh
index db2387e..72b3f33 100755
--- a/package/cla-sysrepo/czechlight-install-yang.sh
+++ b/package/cla-sysrepo/czechlight-install-yang.sh
@@ -48,7 +48,7 @@
 
 sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/iana-hardware@2018-03-13.yang
 sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/ietf-hardware@2018-03-13.yang
-sysrepoctl --change ietf-hardware --permissions 0664 --enable-feature hardware-sensor
+sysrepoctl --change ietf-hardware --permissions 0660 --enable-feature hardware-sensor
 
 if [[ ${YANG_ROADM} == 1 ]]; then
     FEATURE_ARGS=""
@@ -57,54 +57,41 @@
             FEATURE_ARGS="${FEATURE_ARGS} --enable-feature ${FEATURE}"
         done
     fi
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-roadm-device@2021-03-05.yang ${FEATURE_ARGS}
-    sysrepoctl --change czechlight-roadm-device --group optics --permissions 0664
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-roadm-device@2021-03-05.yang ${FEATURE_ARGS} --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-roadm-device --import="${CLA_YANG}/${INITIAL_DATA}.json"
 fi
 
 if [[ ${YANG_COHERENT} == 1 ]]; then
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-coherent-add-drop@2021-03-05.yang
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-coherent-add-drop@2021-03-05.yang --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-coherent-add-drop --new-data="${CLA_YANG}/${INITIAL_DATA}.json"
-    sysrepoctl --change czechlight-coherent-add-drop --group optics --permissions 0664
+    sysrepoctl --change czechlight-coherent-add-drop --permissions 0660
 fi
 
 if [[ ${YANG_INLINE} == 1 ]]; then
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-inline-amp@2021-03-05.yang
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-inline-amp@2021-03-05.yang --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-inline-amp --import="${CLA_YANG}/${INITIAL_DATA}.json"
-    sysrepoctl --change czechlight-inline-amp --group optics --permissions 0664
 fi
 
 if [[ ${YANG_CALIBRATION} == 1 ]]; then
-    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-calibration-device@2019-06-25.yang
+    sysrepoctl --search-dirs ${CLA_YANG} --install ${CLA_YANG}/czechlight-calibration-device@2019-06-25.yang --permissions 0660
     sysrepocfg --datastore=startup --format=json --module=czechlight-calibration-device --import="${CLA_YANG}/${INITIAL_DATA}.json"
-    sysrepoctl --change czechlight-calibration-device --group optics --permissions 0664
 fi
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-system@2014-08-06.yang
-sysrepoctl --change ietf-system --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-system@2014-08-06.yang --permissions 0660
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-lldp@2020-11-04.yang
-sysrepoctl --change czechlight-lldp --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-lldp@2020-11-04.yang --permissions 0660
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-system@2021-01-13.yang
-sysrepoctl --change czechlight-system --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-system@2021-01-13.yang --permissions 0660
 
 sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/iana-if-type@2017-01-19.yang
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-interfaces@2018-02-20.yang
-sysrepoctl --change ietf-interfaces --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ip@2018-02-22.yang
-sysrepoctl --change ietf-ip --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-routing@2018-03-13.yang
-sysrepoctl --change ietf-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv4-unicast-routing@2018-03-13.yang
-sysrepoctl --change ietf-ipv4-unicast-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv6-unicast-routing@2018-03-13.yang
-sysrepoctl --change ietf-ipv6-unicast-routing --permissions 0664
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-network@2021-02-22.yang
-sysrepoctl --change czechlight-network --permissions 0664
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-interfaces@2018-02-20.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ip@2018-02-22.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv4-unicast-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/ietf-ipv6-unicast-routing@2018-03-13.yang --permissions 0660
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-network@2021-02-22.yang --permissions 0660
 
-sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-firewall@2021-01-25.yang
-sysrepoctl --change czechlight-firewall --permissions 0600
+sysrepoctl --search-dirs ${VELIA_YANG} --install ${VELIA_YANG}/czechlight-firewall@2021-01-25.yang --permissions 0600
 sysrepoctl --change ietf-access-control-list --enable-feature match-on-eth --enable-feature eth --enable-feature match-on-ipv4 --enable-feature ipv4 --enable-feature match-on-ipv6 --enable-feature ipv6 --enable-feature mixed-eth-ipv4-ipv6
 
 # If not do not copy here from startup -> running, running might be stale.
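Review bot: The `sysrepoctl --change czechlight-coherent-add-drop --permissions 0660` on line L69 is now redundant, because the install on line L66 already passes `--permissions 0660`; every other module in this hunk drops its `--change` line, so drop this one too for consistency. Removing `--group optics` from the roadm, coherent, inline-amp and calibration installs means those modules fall back to sysrepo's default group (the compiled-in one, per the commit message), so any consumer that previously relied on optics group membership for access to them loses it — worth confirming no such consumer remains. The rewritten lines also keep `${CLA_YANG}` and `${VELIA_YANG}` unquoted, which breaks on paths containing whitespace; since these lines are being rewritten anyway, `"${CLA_YANG}"` / `"${VELIA_YANG}"` is a cheap fix.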
diff --git a/package/czechlight-cfg-fs/cfg-restore-sysrepo.service b/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
index cac0f64..d289933 100644
--- a/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
+++ b/package/czechlight-cfg-fs/cfg-restore-sysrepo.service
@@ -10,6 +10,7 @@
 RemainAfterExit=yes
 ExecStart=/bin/sysrepocfg -d startup -f json --import=/cfg/sysrepo/startup.json
 ExecStart=/bin/sysrepocfg -C startup
+Group=sysrepo
 StandardOutput=journal+console
 
 [Install]
diff --git a/package/czechlight-cfg-fs/nacm-restore.service b/package/czechlight-cfg-fs/nacm-restore.service
index 96dfb7c..2cb3dec 100644
--- a/package/czechlight-cfg-fs/nacm-restore.service
+++ b/package/czechlight-cfg-fs/nacm-restore.service
@@ -9,6 +9,7 @@
 RemainAfterExit=yes
 ExecStart=/bin/sysrepocfg -d startup -m ietf-netconf-acm -f json --import=/usr/share/yang-data/nacm.json
 ExecStart=/bin/sysrepocfg -C startup
+Group=sysrepo
 
 [Install]
 WantedBy=multi-user.target
diff --git a/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service b/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
index 8f2642c..007bd7b 100644
--- a/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
+++ b/package/czechlight-cfg-fs/sysrepo-persistent-cfg.service
@@ -7,3 +7,4 @@
 Type=simple
 UMask=0077
 ExecStart=/bin/sh -c 'while true; do inotifywait -e CLOSE_WRITE /etc/sysrepo/data/*.startup && mkdir -p /cfg/sysrepo/ && sysrepocfg -d startup -f json -X > /cfg/sysrepo/startup.json; done'
+Group=sysrepo
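Review bot: `UMask=0077` on the preceding line still governs everything this unit creates, so the exported `/cfg/sysrepo/startup.json` stays owner-only regardless of the new `Group=sysrepo`; that is the safer default for a configuration dump, but the interaction deserves a comment such as `# UMask=0077 is deliberate: the startup.json export must not become group-readable via the sysrepo group`. Whether sysrepo's own files created through this unit honour the unit umask or the compiled-in 0007 mentioned in the commit message is not visible from this hunk — confirm it on a built image.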
diff --git a/package/rousette/rousette.service b/package/rousette/rousette.service
index 1f373e0..cb79d27 100644
--- a/package/rousette/rousette.service
+++ b/package/rousette/rousette.service
@@ -7,6 +7,9 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/rousette
+User=yangnobody
+Group=yangnobody
+SupplementaryGroups=sysrepo optics
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=yes
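Review bot: `SupplementaryGroups=sysrepo optics` keeps rousette in the optics group although this same commit removes every `--group optics` from czechlight-install-yang.sh, so no sysrepo module visible in this diff is optics-owned any more; unless optics still guards something outside this change, reduce it to `SupplementaryGroups=sysrepo` to keep the service at least privilege. Moving `User=`/`Group=` next to `ExecStart=` is fine, and the second hunk is just the matching deletion. The [Service] section continues past the hunk.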
@@ -16,8 +19,6 @@
 LogRateLimitIntervalSec=10
 LogRateLimitBurst=30000
 SyslogLevel=alert
-User=yangnobody
-Group=yangnobody
 
 [Install]
 WantedBy=multi-user.target
diff --git a/package/velia/velia-firewall.service b/package/velia/velia-firewall.service
index 2f4a2f9..1fdb318 100644
--- a/package/velia/velia-firewall.service
+++ b/package/velia/velia-firewall.service
@@ -9,6 +9,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-firewall
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/package/velia/velia-hardware-g1.service b/package/velia/velia-hardware-g1.service
index bef35f6..6e09df3 100644
--- a/package/velia/velia-hardware-g1.service
+++ b/package/velia/velia-hardware-g1.service
@@ -12,6 +12,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-hardware --appliance=czechlight-clearfog
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/package/velia/velia-hardware-g2.service b/package/velia/velia-hardware-g2.service
index c39c3f8..84342b7 100644
--- a/package/velia/velia-hardware-g2.service
+++ b/package/velia/velia-hardware-g2.service
@@ -13,6 +13,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-hardware --appliance=czechlight-clearfog-g2
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes
diff --git a/package/velia/velia-health.service b/package/velia/velia-health.service
index f779bf6..05f66c2 100644
--- a/package/velia/velia-health.service
+++ b/package/velia/velia-health.service
@@ -9,6 +9,7 @@
 ExecStartPre=/bin/sh -c 'for COLOUR in red green blue; do echo none > /sys/class/leds/status:$${COLOUR}/trigger; echo 0 > /sys/class/leds/status:green/brightness; done'
 ExecStart=/usr/bin/veliad-health --appliance=czechlight-clearfog --systemd-ignore-unit=systemd-journal-upload.service
 ExecStopPost=/bin/sh -c 'for COLOUR in red green blue; do echo 0 > /sys/class/leds/status:$$COLOUR/brightness; done; [[ "$EXIT_CODE" == "exited" ]] && COLOUR="green" || COLOUR="red"; echo timer > /sys/class/leds/status:$$COLOUR/trigger; echo 256 > /sys/class/leds/status:$$COLOUR/brightness'
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=yes
diff --git a/package/velia/velia-system.service b/package/velia/velia-system.service
index cd8db60..6963e91 100644
--- a/package/velia/velia-system.service
+++ b/package/velia/velia-system.service
@@ -9,6 +9,7 @@
 [Service]
 Type=simple
 ExecStart=/usr/bin/veliad-system
+Group=sysrepo
 PrivateTmp=yes
 PrivateDevices=no
 ProtectSystem=yes