sonic-buildimage: Bind linecard database instance to midplane IP

On a linecard, the database container is bound to localhost (127.0.0.1)
by default. This prevents other components in the chassis, such as the
supervisor card, from accessing the linecard's database over the midplane network.
This change exposes the database instance to the midplane, allowing for remote
access from the supervisor.

Signed-off-by: manish <[email protected]>

Author: manish1-arista

dockers/docker-database/docker-database-init.sh

@@ -82,8 +82,10 @@ if [[ $DATABASE_TYPE == "chassisdb" ]]; then
     VAR_LIB_REDIS_CHASSIS_DIR="/var/lib/redis_chassis"
     mkdir -p $VAR_LIB_REDIS_CHASSIS_DIR   
     update_chassisdb_config -j $db_cfg_file_tmp -k -p $chassis_db_port
+    # Set protected mode based on the hostname
+    additional_data_json=$(jq -c '{INSTANCES: .INSTANCES | map_values({is_protected_mode: (.hostname == "127.0.0.1")})}' "$db_cfg_file_tmp")
     # generate all redis server supervisord configuration file
-    sonic-cfggen -j $db_cfg_file_tmp \
+    sonic-cfggen -j $db_cfg_file_tmp -a "$additional_data_json" \
     -t /usr/share/sonic/templates/supervisord.conf.j2,/etc/supervisor/conf.d/supervisord.conf \
     -t /usr/share/sonic/templates/critical_processes.j2,/etc/supervisor/critical_processes
     rm $db_cfg_file_tmp
@@ -104,7 +106,13 @@ then
 fi
 # delete chassisdb config to generate supervisord config
 update_chassisdb_config -j $db_cfg_file_tmp -d
-sonic-cfggen -j $db_cfg_file_tmp \
+# Set protected mode based on the hostname
+additional_data_json=$(jq -c '{INSTANCES: .INSTANCES | map_values({is_protected_mode: (.hostname == "127.0.0.1")})}' "$db_cfg_file_tmp")
+# For Linecard databases, disable Redis protected mode to expose them to the midplane.
+if [ -f "$chassisdb_config" ] && [[ "$start_chassis_db" != "1" ]]; then
+    additional_data_json=$(jq -c '{INSTANCES: .INSTANCES | map_values({is_protected_mode: false})}' "$db_cfg_file_tmp")
+fi
+sonic-cfggen -j "$db_cfg_file_tmp" -a "$additional_data_json" \
 -t /usr/share/sonic/templates/supervisord.conf.j2,/etc/supervisor/conf.d/supervisord.conf \
 -t /usr/share/sonic/templates/critical_processes.j2,/etc/supervisor/critical_processes
 

dockers/docker-database/supervisord.conf.j2

@@ -35,12 +35,15 @@ dependent_startup=true
 {%- if redis_inst != 'remote_redis' %}
 [program:{{ redis_inst }}]
 {% if redis_items['hostname'] != '127.0.0.1' %}
-{%- set ADDITIONAL_OPTS = '--protected-mode no' %}
 {%- if redis_inst != 'redis_chassis' %}
 {%- set LOOPBACK_IP = '127.0.0.1' -%}
 {%- endif -%}
 {%- else -%}
 {%- set LOOPBACK_IP = '' -%}
+{%- endif -%}
+{%- if not redis_items['is_protected_mode'] %}
+{%- set ADDITIONAL_OPTS = '--protected-mode no' %}
+{%- else %}
 {%- set ADDITIONAL_OPTS = '' %}
 {%- endif -%}
 command=/bin/bash -c "{ [[ -s /var/lib/{{ redis_inst }}/dump.rdb ]] || rm -f /var/lib/{{ redis_inst }}/dump.rdb; } && mkdir -p /var/lib/{{ redis_inst }} && exec /usr/bin/redis-server /etc/redis/redis.conf --bind {{ LOOPBACK_IP }} {{ redis_items['hostname'] }} --port {{ redis_items['port'] }} --unixsocket {{ redis_items['unix_socket_path'] }} --pidfile /var/run/redis/{{ redis_inst }}.pid --dir /var/lib/{{ redis_inst }} {{ ADDITIONAL_OPTS }}"

files/build_templates/docker_image_ctl.j2

@@ -173,6 +173,10 @@ function postStartAction()
 {%- if docker_container_name == "database" %}
     midplane_ip=""
     CHASSISDB_CONF="/usr/share/sonic/device/$PLATFORM/chassisdb.conf"
+    if [[ -f $CHASSISDB_CONF && $DATABASE_TYPE != "dpudb" ]]; then
+        slot_id=$(python3 -c 'import sonic_platform.platform; platform_chassis = sonic_platform.platform.Platform().get_chassis(); print(platform_chassis.get_my_slot())' 2>/dev/null)
+        supervisor_slot_id=$(python3 -c 'import sonic_platform.platform; platform_chassis = sonic_platform.platform.Platform().get_chassis(); print(platform_chassis.get_supervisor_slot())' 2>/dev/null)
+    fi
     [ -f $CHASSISDB_CONF ] && source $CHASSISDB_CONF
     if [[ "$DEV" && $DATABASE_TYPE != "dpudb" ]]; then
         # Enable the forwarding on eth0 interface in namespace.
@@ -188,9 +192,6 @@ function postStartAction()
            ip netns exec "$NET_NS" ip addr add 127.0.0.1/16 dev lo
            ip netns exec "$NET_NS" ip addr del 127.0.0.1/8 dev lo
 
-           slot_id=$(python3 -c 'import sonic_platform.platform; platform_chassis = sonic_platform.platform.Platform().get_chassis(); print(platform_chassis.get_my_slot())' 2>/dev/null)
-           supervisor_slot_id=$(python3 -c 'import sonic_platform.platform; platform_chassis = sonic_platform.platform.Platform().get_chassis(); print(platform_chassis.get_supervisor_slot())' 2>/dev/null)
-
            # Create eth1 in database instance
            if [[ "${slot_id}" == "${supervisor_slot_id}" ]]; then
                    ip link add name ns-eth1"$NET_NS" type veth peer name eth1@"$NET_NS"
@@ -235,6 +236,12 @@ function postStartAction()
            fi
        fi
     fi
+
+    # midplane ip for the Linecard database container
+    if [[ -z "$DEV" && "$DATABASE_TYPE" != "dpudb"  && -f $CHASSISDB_CONF && "${slot_id}" != "${supervisor_slot_id}" ]]; then
+        midplane_ip=$(docker exec -i ${DOCKERNAME} ip addr show eth1-midplane | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)
+    fi
+
     # Setup ebtables configuration
 {%- if sonic_asic_platform != "vs" %}
     ebtables_config
@@ -330,8 +337,8 @@ function postStartAction()
         REDIS_SOCK="/var/run/redis-chassis/redis_chassis.sock"
     fi
     chgrp -f redis $REDIS_SOCK && chmod -f 0760 $REDIS_SOCK
-
-    if [[ $DEV && $midplane_ip ]]; then
+    # Binding the midplane ip to the redisdb
+    if [[ -n "$midplane_ip" ]]; then
         IFS=_ read ip port < <(jq -r '.INSTANCES | [.redis.hostname, .redis.port] | join("_")' /var/run/redis$DEV/sonic-db/database_config.json)
         bound_ips=$(redis-cli --raw -h $ip -p $port config get bind | sed -n '2,2 p')
         redis-cli -h $ip -p $port config set bind "$bound_ips $midplane_ip"