Redis
  • 18 Nov 2024
  • Dark
    Light
  • PDF

Redis

  • Dark
    Light
  • PDF

Article summary

Dependency Requirements

This page summarizes the requirements to install Redis as an IAP dependency.

Also see: Configuring Redis Properties

Redis Installation

Please refer to the official Redis.io site for details on Redis installation.

Redis Server (Post Installation)

If Redis is running on a different server than IAP, the Redis process may bind to the localhost. If this occurs then Redis and IAP may not be able to communicate.

The example steps listed below allow Redis to communicate outside of localhost.

  1. Edit /etc/redis.conf on the Redis server.

  2. Comment out bind 127.0.0.1 so that it becomes #bind 127.0.0.1.

  3. Restart Redis.

    sudo systemctl restart redis
    

These instructions open the Redis TCP port externally, so security hardening should be considered.

Redis Configurations

Apply the following Redis configurations to a production or development environment. These configurations are relevant where Redis is running in a virtual machine. However, many of these configurations may also apply to a bare metal installation.

No Eviction Policy

Release version IAP/2023.2 and later

By default, a noeviction policy is required once the database has reached its memory limit. See the Redis Eviction Policy site for more detail.

AOF Persistence

Release version IAP/2023.2 and later

For data durability, AOF (Append Only File) persistence is required. See the Redis Persistence site for more detail.

Max Memory

Redis should have the capability to allocate as much memory as it can on the system. More or less is required depending on a number of factors including, but not limited to, number of jobs, amount of large items processed within tasks, as well as how often those tasks are run.

Set the maxmemory setting to at least 80% of the system memory.

Refer to Deployment Environments and Requirements for recommendations on the amount memory needed by the Redis server.


Click here for IAP release versions 2022.1 and 2023.1

By default, Redis will consume up to 80% of the memory available on the platform. Set the upper limit to 20% of the available memory so IAP may consume the remaining 80%.


Change the # maxmemory <bytes> value in the /etc/redis.conf file.

Restart Redis to allow the /etc/redis.conf changes to go into effect.

sudo systemctl restart redis

Further information for a production environment can be found in Configuring Redis Properties.

Redis Memory Errors

The maxmemory configuration for Redis should be set as high as possible. If IAP exceeds this limit, it will cause jobs and tasks to error, as well as other IAP errors to appear as Redis is used for all messaging queues between services. The logged error message is similar to this:

ReplyError: OOM command not allowed when used memory > 'maxmemory'.

If this error is found, stop all IAPs to ensure a minimal number of jobs and tasks are affected. After that, check to see what the Redis memory is currently at. In all likelihood, the maxmemory configured by Redis is not sufficient and needs to be increased. In rare circumstances, however, you may find there is plenty of memory. If that is the case, then you will need to stop all IAP instances and flush what memory remains in Redis.

Flushing Data (IAP Stopped)

Itential Automation Platform (IAP) uses Redis for runtime data that is critical for its operation. Performing destructive actions on the Redis database while IAP is running, such as flushing some or all of the Redis data, can put IAP into an unstable state. If for whatever reason this is done by accident, please immediately stop all instances of IAP. Flushing Redis data while IAP is running is not supported, and will not be supported. However, this action is generally safe to do when all IAPs in an instance have been stopped and are no longer running.

Requirements for Non-Default Users

In Redis 6.2 and higher, when authorization is enabled, non-default users must be granted specific permissions to the Redis capabilities used throughout IAP.

Redis Users

Redis 6.x has built-in access control, with a single defined user called default (this is the default configuration). You also have the option to configure additional Redis users during installation. Listed below are some suggested examples.

Username Description
admin The Redis administrative account.
itential The account used by IAP to connect to Redis.
repluser The account used by Redis to perform replication within a Redis cluster.
sentineluser The account used by Redis Sentinel to connect to Redis.

User Rules

Under the SECURITY section of the redis.conf file, the user rules should be defined as follows:

user default off

user admin on allkeys allchannels allcommands >admin

user itential on allkeys allchannels allcommands -asking -cluster -readonly -readwrite -acl|deluser -acl|load -acl|log -acl|list -acl|save -acl|setuser -acl|dryrun -bgrewriteaof -bgsave -config|resetstat -config|rewrite -config|set -failover -flushall -flushdb -psync -replconf -replicaof -save -shutdown -sync >itential

user repluser on allchannels +psync +replconf +ping >repluser

user sentineluser on allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill >sentineluser

User Permissions

The following table outlines and briefly explains what each user line in the rules section above is accomplishing. For more detail, see the Related Reading.

Line Action
1 Disable the default user to block permissions to everything.
2 Add the admin user. Grant all privileges.
3 Add the itential user. Disallow all commands, and then add each command IAP requires (those with the +). The itential user should be configured in the IAP profile.
4 Add the repluser. Disallow all commands and then add each command that replication requires. If running a single Redis instance, the repluser is not required.
5 Add the sentineluser. Disallow all commands and then add each command that Redis Sentinel requires. If running a single Redis instance, the sentineluser is not required.

Excluded Commands

With the following Redis configuration command, the itential user is excluded (disallowed) from executing several cluster management and server management commands.

user itential on allkeys allchannels allcommands -asking -cluster -readonly -readwrite -acl|deluser -acl|load -acl|log -acl|list -acl|save -acl|setuser -acl|dryrun -bgrewriteaof -bgsave -config|resetstat -config|rewrite -config|set -failover -flushall -flushdb -psync -replconf -replicaof -save -shutdown -sync >itential

The set of commands the itential user cannot access (call) are listed below.

Cluster Management Calls

  • ASKING
  • CLUSTER ADDSLOTS
  • CLUSTER ADDSLOTSRANGE
  • CLUSTER BUMPEPOCH
  • CLUSTER COUNT-FAILURE-REPORTS
  • CLUSTER COUNTKEYSINSLOT
  • CLUSTER DELSLOTS
  • CLUSTER DELSLOTSRANGE
  • CLUSTER FAILOVER
  • CLUSTER FLUSHSLOTS
  • CLUSTER FORGET
  • CLUSTER GETKEYSINSLOT
  • CLUSTER INFO
  • CLUSTER KEYSLOT
  • CLUSTER LINKS
  • CLUSTER MEET
  • CLUSTER MYID
  • CLUSTER MYSHARDID
  • CLUSTER NODES
  • CLUSTER REPLICAS
  • CLUSTER REPLICATE
  • CLUSTER RESET
  • CLUSTER SAVECONFIG
  • CLUSTER SET-CONFIG-EPOCH
  • CLUSTER SETSLOT
  • CLUSTER SHARDS
  • CLUSTER SLAVES
  • CLUSTER SLOTS
  • READONLY
  • READWRITE

Server Management Calls

  • ACL DELUSER
  • ACL LOAD
  • ACL LOG
  • ACL LIST
  • ACL SAVE
  • ACL SETUSER
  • ACL DRYRUN
  • BGREWRITEAOF
  • BGSAVE
  • CONFIG RESETSTAT
  • CONFIG REWRITE
  • CONFIG SET
  • FAILOVER
  • FLUSHALL
  • FLUSHDB
  • PSYNC
  • REPLCONF
  • REPLICAOF
  • SAVE
  • SHUTDOWN
  • SYNC

Further information is available on these Redis sites:


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.