sonic-net · davidpil2002 · Dec 11, 2023 · Dec 7, 2023 · liuh-80 · Jan 18, 2024
@@ -23,18 +23,27 @@ RUN pip3 install click
 {{ install_debian_packages(docker_database_debs.split(' ')) }}
 {%- endif %}
 
+ENV REDIS_SHADOW_TLS=/etc/ssl/certs_redis/certs/tls/
 # Clean up
 RUN apt-get clean -y                                  && \
     apt-get autoclean -y                              && \
     apt-get autoremove -y                             && \
     rm -rf /debs ~/.cache                             && \
     sed -ri 's/^(save .*$)/# \1/g;                       \
              s/^daemonize yes$/daemonize no/;            \
-             s/^logfile .*$/logfile ""/;                 \
+             s|^logfile .*$|logfile /etc/redis/redis-server.log|;                 \
              s/^# syslog-enabled no$/syslog-enabled no/; \
              s/^# unixsocket/unixsocket/;                \
              s/redis-server.sock/redis.sock/g;           \
              s/^client-output-buffer-limit pubsub [0-9]+mb [0-9]+mb [0-9]+/client-output-buffer-limit pubsub 0 0 0/; \
+             s/^port 6379/# port 6379/;                                 \
+             s/^# port 0/port 0/;                                           \
+             s/^# tls-port 6379/tls-port 6379/;                                     \
+             /tls-auth-clients no/s/^# //;                              \
+             s|# tls-cert-file .*|tls-cert-file '"$REDIS_SHADOW_TLS"'/redis.crt|;    \
+             s|# tls-key-file .*|tls-key-file '"$REDIS_SHADOW_TLS"'/redis.key|;      \
+             s|# tls-ca-cert-file .*|tls-ca-cert-file '"$REDIS_SHADOW_TLS"'/ca.crt|; \
+             /aclfile \/etc\/redis\/users.acl/s/^# //;       \
              s/^notify-keyspace-events ""$/notify-keyspace-events AKE/; \
              s/^databases [0-9]+$/databases 100/ \
             ' /etc/redis/redis.conf
@@ -48,5 +57,6 @@ COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
 COPY ["files/sysctl-net.conf", "/etc/sysctl.d/"]
 COPY ["files/update_chassisdb_config", "/usr/local/bin/"]
 COPY ["flush_unused_database", "/usr/local/bin/"]
+COPY ["users.acl.template", "/etc/redis/"]
 
 ENTRYPOINT ["/usr/local/bin/docker-database-init.sh"]
@@ -115,4 +115,14 @@ ln -sf /usr/share/zoneinfo/$TZ /etc/localtime
 
 chown -R redis:redis $REDIS_DIR
 
+# Redis PW update in users.acl
+acl_template=$(< /etc/redis/users.acl.template)
+
+USER_COUNTER_PASSWORD=$(cat /etc/shadow_redis_dir/shadow_redis_admin)
+acl_new_admin_user="${acl_template//\$\{USER_COUNTER_PASSWORD\}/$USER_COUNTER_PASSWORD}"
+
+MONITOR_PASSWORD=$(cat /etc/shadow_redis_dir/shadow_redis_monitor)
+acl_new_admin_monitor_users="${acl_new_admin_user//\$\{MONITOR_PASSWORD\}/$MONITOR_PASSWORD}"
+echo "$acl_new_admin_monitor_users" > /etc/redis/users.acl
+
 exec /usr/local/bin/supervisord
@@ -36,9 +36,8 @@ dependent_startup=true
 {%- else -%}
 {%- set LOOPBACK_IP = '' -%}
 {%- endif -%}
-command=/bin/bash -c "{ [[ -s /var/lib/{{ redis_inst }}/dump.rdb ]] || rm -f /var/lib/{{ redis_inst }}/dump.rdb; } && mkdir -p /var/lib/{{ redis_inst }} && exec /usr/bin/redis-server /etc/redis/redis.conf --bind {{ LOOPBACK_IP }} {{ redis_items['hostname'] }} --port {{ redis_items['port'] }} --unixsocket {{ redis_items['unix_socket_path'] }} --pidfile /var/run/redis/{{ redis_inst }}.pid --dir /var/lib/{{ redis_inst }}"
+command=/bin/bash -c "{ [[ -s /var/lib/{{ redis_inst }}/dump.rdb ]] || rm -f /var/lib/{{ redis_inst }}/dump.rdb; } && mkdir -p /var/lib/{{ redis_inst }} && exec /usr/bin/redis-server /etc/redis/redis.conf --bind {{ LOOPBACK_IP }} {{ redis_items['hostname'] }} --unixsocket {{ redis_items['unix_socket_path'] }} --pidfile /var/run/redis/{{ redis_inst }}.pid --dir /var/lib/{{ redis_inst }}"
 priority=2
-user=redis
 autostart=true
 autorestart=false
 stdout_logfile=syslog

@@ -0,0 +1,3 @@
+user admin on +@all -DEBUG ~* >${USER_COUNTER_PASSWORD}
+user monitor on +hgetall +keys +select +get +mget +hget -DEBUG ~* >${MONITOR_PASSWORD}
+user default off
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-BUFFER_CALCULATION_MODE=$(redis-cli -n 4 hget "DEVICE_METADATA|localhost" buffer_model)
+BUFFER_CALCULATION_MODE=$(sonic-db-cli CONFIG_DB hget "DEVICE_METADATA|localhost" buffer_model)
 
 if [ "$BUFFER_CALCULATION_MODE" == "dynamic" ]; then
     BUFFERMGRD_ARGS="-a /etc/sonic/asic_table.json"

@@ -575,6 +575,7 @@ start() {
     # TODO: Mellanox will remove the --tmpfs exception after SDK socket path changed in new SDK version
 {%- endif %}
     docker create {{docker_image_run_opt}} \
+        -v /etc/shadow_redis_dir:/etc/shadow_redis_dir:ro \
 {%- if docker_container_name != "dhcp_server" %}
         --net=$NET \
 {%- endif %}
@@ -627,6 +628,7 @@ start() {
 {%- endif %}
 {%- if docker_container_name == "database" %}
         $DB_OPT \
+        -v /etc/ssl/certs_redis:/etc/ssl/certs_redis:ro \
 {%- else %}
         -v /var/run/redis$DEV:/var/run/redis:rw \
         -v /var/run/redis-chassis:/var/run/redis-chassis:ro \

@@ -113,6 +113,12 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
 # Install j2cli for handling jinja template
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install j2cli
 
+# Create an empty Redis dir for the generation of Redis ACL passwords
+sudo mkdir $FILESYSTEM_ROOT/etc/shadow_redis_dir
+
+# Create an empty Redis dir for the public cacert of Redis TLS
+sudo mkdir $FILESYSTEM_ROOT/etc/shadow_redis_dir/certs_redis
+
 # Install Python client for Redis
 sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip3 install "redis==3.5.3"
 
@@ -932,6 +938,13 @@ sudo LANG=C cp $SCRIPTS_DIR/mgmt-framework.sh $FILESYSTEM_ROOT/usr/local/bin/mgm
 sudo LANG=C cp $SCRIPTS_DIR/asic_status.sh $FILESYSTEM_ROOT/usr/local/bin/asic_status.sh
 sudo LANG=C cp $SCRIPTS_DIR/asic_status.py $FILESYSTEM_ROOT/usr/local/bin/asic_status.py
 
+# Copy Redis Certificate generator script
+FSROOT_ETC_SSL_CERTS_REDIS=$FILESYSTEM_ROOT/etc/ssl/certs_redis
+sudo LANG=C mkdir $FSROOT_ETC_SSL_CERTS_REDIS
+sudo LANG=C cp $SCRIPTS_DIR/gen-redis-certs.sh $FSROOT_ETC_SSL_CERTS_REDIS/gen-redis-certs.sh
+sudo chroot $FILESYSTEM_ROOT chown admin:admin /etc/ssl/certs_redis/gen-redis-certs.sh
+sudo chmod 770 $FSROOT_ETC_SSL_CERTS_REDIS/gen-redis-certs.sh
+
 # Copy sonic-netns-exec script
 sudo LANG=C cp $SCRIPTS_DIR/sonic-netns-exec $FILESYSTEM_ROOT/usr/bin/sonic-netns-exec
 

@@ -38,7 +38,7 @@ function check_and_rescan_pcie_devices()
         fi
 
         if [ "$(eval $PCIE_CHK_CMD)" = "$EXPECTED" ]; then
-            redis-cli -n 6 HSET $PCIE_STATUS_TABLE "status" "PASSED"
+            sonic-db-cli STATE_DB HSET $PCIE_STATUS_TABLE "status" "PASSED"
             debug "PCIe check passed"
             exit
         else
@@ -54,7 +54,7 @@ function check_and_rescan_pcie_devices()
 
      done
      debug "PCIe check failed"
-     redis-cli -n 6 HSET $PCIE_STATUS_TABLE "status" "FAILED"
+     sonic-db-cli STATE_DB HSET $PCIE_STATUS_TABLE "status" "FAILED"
 }
 
 check_and_rescan_pcie_devices
@@ -240,6 +240,37 @@ fi
 
 program_console_speed
 
+# Generate password for Redis DB
+echo "Redis PW generation"
+set +x
+REDIS_SHADOW_PATH=/etc/shadow_redis_dir
+openssl_random_cmd=$(openssl rand -base64 32)
+ADMIN_PASSWORD=''
+ADMIN_PASSWORD=$(echo "$openssl_random_cmd" | tr -d '\n')
+REDIS_SHADOW_ADMIN_PATH=$REDIS_SHADOW_PATH/shadow_redis_admin
+touch "$REDIS_SHADOW_ADMIN_PATH"
+chown admin:admin "$REDIS_SHADOW_ADMIN_PATH"
+chmod 640 "$REDIS_SHADOW_ADMIN_PATH"
+echo "$ADMIN_PASSWORD" > "$REDIS_SHADOW_ADMIN_PATH"
+MONITOR_PASSWORD=''
+MONITOR_PASSWORD=$(echo "$openssl_random_cmd" | tr -d '\n')
+echo "$MONITOR_PASSWORD" > $REDIS_SHADOW_PATH/shadow_redis_monitor
+
+# TLS support
+ETC_SSL=/etc/ssl/certs_redis
+REDIS_CERTS=$ETC_SSL/certs
+REDIS_CERTS_TLS=$REDIS_CERTS/tls
+
+# Check if the directory exists and remove it if it does
+[ -d "$REDIS_CERTS" ] && rm -rf "$REDIS_CERTS"
+
+(cd $ETC_SSL && ./gen-redis-certs.sh)
+
+# Copy CA cert to host share location for Redis client usage
+cp  $REDIS_CERTS_TLS/ca.crt $REDIS_SHADOW_PATH/certs_redis
+
+set -x
+
 if [ -f $FIRST_BOOT_FILE ]; then
 
     echo "First boot detected. Performing first boot tasks..."

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# from redis official repo https://github.com/redis/redis/
+# Generate some test certificates which are used by the regression test suite:
+#
+#   certs/tls/ca.{crt,key}          Self signed CA certificate.
+#   certs/tls/redis.{crt,key}       A certificate with no key usage/policy restrictions.
+
+generate_cert() {
+    local name=$1
+    local cn="$2"
+    local opts="$3"
+
+    local keyfile=certs/tls/${name}.key
+    local certfile=certs/tls/${name}.crt
+
+    [ -f $keyfile ] || openssl genrsa -out $keyfile 2048
+    openssl req \
+        -new -sha256 \
+        -subj "/O=Redis Test/CN=$cn" \
+        -key $keyfile | \
+        openssl x509 \
+            -req -sha256 \
+            -CA certs/tls/ca.crt \
+            -CAkey certs/tls/ca.key \
+            -CAserial certs/tls/ca.txt \
+            -CAcreateserial \
+            -days 365 \
+            $opts \
+            -out $certfile
+}
+
+mkdir -p certs/tls
+[ -f certs/tls/ca.key ] || openssl genrsa -out certs/tls/ca.key 4096
+openssl req \
+    -x509 -new -nodes -sha256 \
+    -key certs/tls/ca.key \
+    -days 3650 \
+    -subj '/O=Redis Test/CN=Certificate Authority' \
+    -out certs/tls/ca.crt
+
+cat > certs/tls/openssl.cnf <<_END_
+[ server_cert ]
+keyUsage = digitalSignature, keyEncipherment
+nsCertType = server
+
+[ client_cert ]
+keyUsage = digitalSignature, keyEncipherment
+nsCertType = client
+_END_
+
+generate_cert redis "Generic-cert"
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2021 NVIDIA CORPORATION & AFFILIATES.
+# Copyright (c) 2021-2023 NVIDIA CORPORATION & AFFILIATES.
 # Apache-2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -35,7 +35,11 @@ class Module(ModuleBase):
     STATE_DB = 6
     STATE_MODULAR_CHASSIS_SLOT_TABLE = 'MODULAR_CHASSIS_SLOT|{}'
     FIELD_SEQ_NO = 'seq_no'
-    redis_client = redis.Redis(db = STATE_DB)
+    USERNAME = 'admin'
+    PASSWORD = utils.read_str_from_file('/etc/shadow_redis_dir/shadow_redis_admin')
+    REDIS_SHADOW_TLS_CA="/etc/shadow_redis_dir/certs_redis/ca.crt"
+    redis_client = redis.Redis(port=6379, db=STATE_DB, username=USERNAME, password=PASSWORD, ssl=True, ssl_cert_reqs=None, ssl_ca_certs=REDIS_SHADOW_TLS_CA)
+
 
     def __init__(self, slot_id):
         super(Module, self).__init__()

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-BUFFER_CALCULATION_MODE=$(redis-cli -n 4 hget "DEVICE_METADATA|localhost" buffer_model)
+BUFFER_CALCULATION_MODE=$(sonic-db-cli CONFIG_DB hget "DEVICE_METADATA|localhost" buffer_model)
 export ASIC_VENDOR=vs
 
 if [ "$BUFFER_CALCULATION_MODE" == "dynamic" ]; then

@@ -25,7 +25,7 @@ def test_DefaultRoute(dvs, testlog):
 
     time.sleep(10)
 
-    (exit_code, output) = dvs.runcmd(["redis-cli", "hgetall", "ROUTE_TABLE:0.0.0.0/0"])
+    (exit_code, output) = dvs.runcmd(["sonic-db-cli", "APPL_DB", "hgetall", "ROUTE_TABLE:0.0.0.0/0"])
     print(exit_code, output)
 
     # make sure 10.10.10.1 is the correct next hop for default route
@@ -34,7 +34,7 @@ def test_DefaultRoute(dvs, testlog):
     # insert default route for table default
     dvs.runcmd("ip route add default via 172.17.0.1 table default")
 
-    (exit_code, output) = dvs.runcmd(["redis-cli", "hgetall", "ROUTE_TABLE:0.0.0.0/0"])
+    (exit_code, output) = dvs.runcmd(["sonic-db-cli", "APPL_DB", "hgetall", "ROUTE_TABLE:0.0.0.0/0"])
     print(exit_code, output)
 
     time.sleep(10)

@@ -4,7 +4,7 @@ SONIC_DHCPMON_VERSION = 1.0.0-0
 SONIC_DHCPMON_PKG_NAME = dhcpmon
 
 SONIC_DHCPMON = sonic-$(SONIC_DHCPMON_PKG_NAME)_$(SONIC_DHCPMON_VERSION)_$(CONFIGURED_ARCH).deb
-$(SONIC_DHCPMON)_DEPENDS = $(LIBSWSSCOMMON) $(LIBSWSSCOMMON_DEV)
+$(SONIC_DHCPMON)_DEPENDS = $(LIBSWSSCOMMON) $(LIBHIREDIS) $(LIBSWSSCOMMON_DEV) $(LIBHIREDIS_DEV)
 $(SONIC_DHCPMON)_SRC_PATH = $(SRC_PATH)/$(SONIC_DHCPMON_PKG_NAME)
 SONIC_DPKG_DEBS += $(SONIC_DHCPMON)
 

@@ -4,7 +4,7 @@ SONIC_DHCPRELAY_VERSION = 1.0.0-0
 SONIC_DHCPRELAY_PKG_NAME = dhcp6relay
 
 SONIC_DHCPRELAY = sonic-$(SONIC_DHCPRELAY_PKG_NAME)_$(SONIC_DHCPRELAY_VERSION)_$(CONFIGURED_ARCH).deb
-$(SONIC_DHCPRELAY)_DEPENDS = $(LIBSWSSCOMMON) $(LIBSWSSCOMMON_DEV)
+$(SONIC_DHCPRELAY)_DEPENDS = $(LIBSWSSCOMMON) $(LIBHIREDIS) $(LIBSWSSCOMMON_DEV) $(LIBHIREDIS_DEV)
 $(SONIC_DHCPRELAY)_SRC_PATH = $(SRC_PATH)/dhcprelay
 SONIC_DPKG_DEBS += $(SONIC_DHCPRELAY)
 

@@ -23,7 +23,8 @@ $(DOCKER_CONFIG_ENGINE_BULLSEYE)_FILES += $($(SONIC_CTRMGRD)_HEALTH_PROBE)
 $(DOCKER_CONFIG_ENGINE_BULLSEYE)_FILES += $($(SONIC_CTRMGRD)_STARTUP_SCRIPT)
 
 $(DOCKER_CONFIG_ENGINE_BULLSEYE)_DBG_DEPENDS = $($(DOCKER_BASE_BULLSEYE)_DBG_DEPENDS) \
-                                             $(LIBSWSSCOMMON_DBG)
+                                             $(LIBSWSSCOMMON_DBG) \
+					     $(LIBHIREDIS_DBG)
 $(DOCKER_CONFIG_ENGINE_BULLSEYE)_DBG_IMAGE_PACKAGES = $($(DOCKER_BASE_BULLSEYE)_DBG_IMAGE_PACKAGES)
 
 SONIC_DOCKER_IMAGES += $(DOCKER_CONFIG_ENGINE_BULLSEYE)

@@ -22,7 +22,8 @@ $(DOCKER_CONFIG_ENGINE_BUSTER)_FILES += $($(SONIC_CTRMGRD)_HEALTH_PROBE)
 $(DOCKER_CONFIG_ENGINE_BUSTER)_FILES += $($(SONIC_CTRMGRD)_STARTUP_SCRIPT)
 
 $(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_DEPENDS = $($(DOCKER_BASE_BUSTER)_DBG_DEPENDS) \
-                                             $(LIBSWSSCOMMON_DBG)
+                                             $(LIBSWSSCOMMON_DBG) \
+					     $(LIBHIREDIS_DBG)
 $(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_IMAGE_PACKAGES = $($(DOCKER_BASE_BUSTER)_DBG_IMAGE_PACKAGES)
 
 SONIC_DOCKER_IMAGES += $(DOCKER_CONFIG_ENGINE_BUSTER)

@@ -6,9 +6,9 @@ DOCKER_MUX_DBG = $(DOCKER_MUX_STEM)-$(DBG_IMAGE_MARK).gz
 
 $(DOCKER_MUX)_PATH = $(DOCKERS_PATH)/$(DOCKER_MUX_STEM)
 
-$(DOCKER_MUX)_DEPENDS = $(SONIC_LINKMGRD) $(LIBSWSSCOMMON)
+$(DOCKER_MUX)_DEPENDS = $(SONIC_LINKMGRD) $(LIBSWSSCOMMON) $(LIBHIREDIS)
 $(DOCKER_MUX)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_BULLSEYE)_DBG_DEPENDS)
-$(DOCKER_MUX)_DBG_DEPENDS += $(SONIC_LINKMGRD_DBG) $(LIBSWSSCOMMON_DBG)
+$(DOCKER_MUX)_DBG_DEPENDS += $(SONIC_LINKMGRD_DBG) $(LIBSWSSCOMMON_DBG) $(LIBHIREDIS_DBG)
 
 $(DOCKER_MUX)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BULLSEYE)_DBG_IMAGE_PACKAGES)
 

@@ -3,7 +3,7 @@
 DOCKER_RESTAPI_STEM = docker-sonic-restapi
 DOCKER_RESTAPI = $(DOCKER_RESTAPI_STEM).gz
 
-$(DOCKER_RESTAPI)_DEPENDS += $(LIBNL3) $(LIBNL_GENL3) \
+$(DOCKER_RESTAPI)_DEPENDS += $(LIBHIREDIS) $(LIBNL3) $(LIBNL_GENL3) \
                              $(LIBNL_ROUTE3) $(LIBSWSSCOMMON) $(RESTAPI)
 
 $(DOCKER_RESTAPI)_PATH = $(DOCKERS_PATH)/$(DOCKER_RESTAPI_STEM)

@@ -11,6 +11,7 @@ $(DOCKER_SONIC_SDK_BUILDENV)_DEPENDS += $(LIBSAIVS) \
                                         $(LIBSAIREDIS_DEV) \
                                         $(LIBSAIMETADATA_DEV) \
                                         $(LIBSWSSCOMMON_DEV) \
+					$(LIBHIREDIS_DEV) \
                                         $(LIBNL3_DEV) \
                                         $(LIBNL_GENL3_DEV) \
                                         $(LIBNL_ROUTE3_DEV) \

@@ -0,0 +1,10 @@
+
+SPATH       := $($(LIBHIREDIS)_SRC_PATH)
+DEP_FILES   := $(SONIC_COMMON_FILES_LIST) rules/hiredis.mk rules/hiredis.dep   
+DEP_FILES   += $(SONIC_COMMON_BASE_FILES_LIST)
+DEP_FILES   += $(shell git ls-files $(SPATH))
+
+$(LIBHIREDIS)_CACHE_MODE  := GIT_CONTENT_SHA 
+$(LIBHIREDIS)_DEP_FLAGS   := $(SONIC_COMMON_FLAGS_LIST)
+$(LIBHIREDIS)_DEP_FILES   := $(DEP_FILES)
+
@@ -0,0 +1,18 @@
+# libhiredis package
+
+HIREDIS_VERSION = 1.2.0
+HIREDIS_VERSION_FULL = ${HIREDIS_VERSION}-4
+
+export HIREDIS_VERSION HIREDIS_VERSION_FULL
+
+LIBHIREDIS = libhiredis1.1.0_$(HIREDIS_VERSION_FULL)_$(CONFIGURED_ARCH).deb
+$(LIBHIREDIS)_SRC_PATH = $(SRC_PATH)/hiredis
+SONIC_MAKE_DEBS += $(LIBHIREDIS)
+
+LIBHIREDIS_DEV = libhiredis-dev_$(HIREDIS_VERSION_FULL)_$(CONFIGURED_ARCH).deb
+$(eval $(call add_derived_package,$(LIBHIREDIS),$(LIBHIREDIS_DEV)))
+
+LIBHIREDIS_DBG = libhiredis1.1.0-dbgsym_$(HIREDIS_VERSION_FULL)_$(CONFIGURED_ARCH).deb
+$(eval $(call add_derived_package,$(LIBHIREDIS),$(LIBHIREDIS_DBG)))
+
+export LIBHIREDIS LIBHIREDIS_DEV LIBHIREDIS_DBG
@@ -7,14 +7,14 @@ export SONIC_LINKMGRD_VERSION SONIC_LINKMGRD_PKG_NAME
 
 SONIC_LINKMGRD = sonic-$(SONIC_LINKMGRD_PKG_NAME)_$(SONIC_LINKMGRD_VERSION)_$(CONFIGURED_ARCH).deb
 $(SONIC_LINKMGRD)_SRC_PATH = $(SRC_PATH)/$(SONIC_LINKMGRD_PKG_NAME)
-$(SONIC_LINKMGRD)_DEPENDS = $(LIBSWSSCOMMON_DEV)
-$(SONIC_LINKMGRD)_RDEPENDS = $(LIBSWSSCOMMON)
+$(SONIC_LINKMGRD)_DEPENDS = $(LIBSWSSCOMMON_DEV) $(LIBHIREDIS_DEV)
+$(SONIC_LINKMGRD)_RDEPENDS = $(LIBSWSSCOMMON) $(LIBHIREDIS)
 
 SONIC_DPKG_DEBS += $(SONIC_LINKMGRD)
 
 SONIC_LINKMGRD_DBG = sonic-$(SONIC_LINKMGRD_PKG_NAME)-dbgsym_$(SONIC_LINKMGRD_VERSION)_$(CONFIGURED_ARCH).deb
-$(SONIC_LINKMGRD)_DBG_DEPENDS = $(LIBSWSSCOMMON_DEV)
-$(SONIC_LINKMGRD)_DBG_RDEPENDS = $(LIBSWSSCOMMON_DBG)
+$(SONIC_LINKMGRD)_DBG_DEPENDS = $(LIBSWSSCOMMON_DEV) $(LIBHIREDIS_DEV)
+$(SONIC_LINKMGRD)_DBG_RDEPENDS = $(LIBSWSSCOMMON_DBG) $(LIBHIREDIS_DBG)
 $(eval $(call add_derived_package,$(SONIC_LINKMGRD),$(SONIC_LINKMGRD_DBG)))
 
 export SONIC_LINKMGRD SONIC_LINKMGRD_DBG
@@ -7,6 +7,8 @@ ifneq ($(BLDENV),buster)
 
     REDIS_TOOLS = redis-tools_$(REDIS_VERSION)_$(CONFIGURED_ARCH).deb
     $(REDIS_TOOLS)_SRC_PATH = $(SRC_PATH)/redis
+    $(REDIS_TOOLS)_DEPENDS += $(LIBHIREDIS_DEV)
+    $(REDIS_TOOLS)_RDEPENDS += $(LIBHIREDIS)
     SONIC_MAKE_DEBS += $(REDIS_TOOLS)
 
     REDIS_TOOLS_DBG = redis-tools-dbgsym_$(REDIS_VERSION)_$(CONFIGURED_ARCH).deb