Itential Platform

Redis [IAP 2023.2]

16 Apr 2024

Dark

Light
PDF

Redis [IAP 2023.2]

Updated on 16 Apr 2024

Dark

Light
PDF

Article summary

Did you find this summary helpful?

Thank you for your feedback

Dependency Requirements

This article summarizes the requirements to install Redis as an IAP dependency.

Also see: Configuring Redis Properties in IAP 2023.2

Redis Installation

Please refer to the official Redis.io site for details on Redis installation.

Redis Server (Post Installation)

If Redis is running on a different server than IAP, the Redis process may bind to the localhost. If this occurs then Redis and IAP may not be able to communicate.

The example steps listed below allow Redis to communicate outside of localhost.

Edit /etc/redis.conf on the Redis server.
Comment out bind 127.0.0.1 so that it becomes #bind 127.0.0.1.
Restart Redis.
```
sudo systemctl restart redis
```

⚠ Warning

These instructions open the Redis TCP port externally, so security hardening should be considered.

Redis Configurations

Apply the following Redis configurations to a production or development environment. These configurations are relevant where Redis is running in a virtual machine. However, many of these configurations may also apply to a bare metal installation.

No Eviction Policy

By default, a noeviction policy is required once the database has reached its memory limit. See the Redis Eviction Policy site for more detail.

AOF Persistence

For data durability, AOF (Append Only File) persistence is required. See the Redis Persistence site for more detail.

Max Memory

Redis should have the capability to allocate as much memory as it can on the system. More or less is required depending on a number of factors including, but not limited to, number of jobs, amount of large items processed within tasks, as well as how often those tasks are run.

Set the maxmemory setting to at least 80% of the system memory.

Refer to Deployment Environments and Requirements for recommendations on the amount memory needed by the Redis server.

Change the # maxmemory <bytes> value in the /etc/redis.conf file.

Restart Redis to allow the /etc/redis.conf changes to go into effect.

sudo systemctl restart redis

 Note:

Further details for a production environment can be found in Redis Configuration in IAP.

Redis Memory Errors

The maxmemory configuration for Redis should be set as high as possible. If IAP exceeds this limit, it will cause jobs and tasks to error, as well as other IAP errors to appear as Redis is used for all messaging queues between services. The logged error message is similar to this:

ReplyError: OOM command not allowed when used memory > 'maxmemory'.

If this error is found, stop all IAPs to ensure a minimal number of jobs and tasks are affected. After that, check to see what the Redis memory is currently at. In all likelihood, the maxmemory configured by Redis is not sufficient and needs to be increased. In rare circumstances, however, you may find there is plenty of memory. If that is the case, then you will need to stop all IAP instances and flush what memory remains in Redis.

Flushing Data (IAP Stopped)

Itential Automation Platform (IAP) uses Redis for runtime data that is critical for its operation. Performing destructive actions on the Redis database while IAP is running, such as flushing some or all of the Redis data, can put IAP into an unstable state. If for whatever reason this is done by accident, please immediately stop all instances of IAP. Flushing Redis data while IAP is running is not supported, and will not be supported. However, this action is generally safe to do when all IAPs in an instance have been stopped and are no longer running.

Requirements for Non-Default Users

In Redis 6.2 and higher, when authorization is enabled, non-default users must be granted specific permissions to the Redis capabilities used throughout IAP.

Redis Users

Redis 6.x has built-in access control, with a single defined user called default (this is the default configuration). You also have the option to configure additional Redis users during installation. Listed below are some suggested examples.

Username	Description
`admin`	The Redis administrative account.
`itential`	The account used by IAP to connect to Redis.
`repluser`	The account used by Redis to perform replication within a Redis cluster.
`sentineluser`	The account used by Redis Sentinel to connect to Redis.

User Rules

Under the SECURITY section of the redis.conf file, the user rules should be defined as follows:

user default off

user admin on allkeys allchannels allcommands >admin

user itential on allkeys allchannels allcommands -asking -cluster -readonly -readwrite -acl|deluser -acl|load -acl|log -acl|list -acl|save -acl|setuser -acl|dryrun -bgrewriteaof -bgsave -config|resetstat -config|rewrite -config|set -failover -flushall -flushdb -psync -replconf -replicaof -save -shutdown -sync >itential

user repluser on allchannels +psync +replconf +ping >repluser

user sentineluser on allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill >sentineluser

User Permissions

The following table outlines and briefly explains what each user line in the rules section above is accomplishing. For more complete information, please see the Related Reading.

Line	Action
1	Disable the `default` user to block permissions to everything.
2	Add the `admin` user. Grant all privileges.
3	Add the `itential` user. Disallow all commands, and then add each command IAP requires (those with the `+`). The `itential` user should be configured in the IAP profile.
4	Add the `repluser`. Disallow all commands and then add each command that replication requires. If running a single Redis instance, the `repluser` is not required.
5	Add the `sentineluser`. Disallow all commands and then add each command that Redis Sentinel requires. If running a single Redis instance, the `sentineluser` is not required.

Excluded Commands

With the following Redis configuration command, the itential user is excluded (disallowed) from executing several cluster management and server management commands.

user itential on allkeys allchannels allcommands -asking -cluster -readonly -readwrite -acl|deluser -acl|load -acl|log -acl|list -acl|save -acl|setuser -acl|dryrun -bgrewriteaof -bgsave -config|resetstat -config|rewrite -config|set -failover -flushall -flushdb -psync -replconf -replicaof -save -shutdown -sync >itential

The set of commands the itential user cannot access (call) are listed below.

Cluster Management Calls

ASKING
CLUSTER ADDSLOTS
CLUSTER ADDSLOTSRANGE
CLUSTER BUMPEPOCH
CLUSTER COUNT-FAILURE-REPORTS
CLUSTER COUNTKEYSINSLOT
CLUSTER DELSLOTS
CLUSTER DELSLOTSRANGE
CLUSTER FAILOVER
CLUSTER FLUSHSLOTS
CLUSTER FORGET
CLUSTER GETKEYSINSLOT
CLUSTER INFO
CLUSTER KEYSLOT
CLUSTER LINKS
CLUSTER MEET
CLUSTER MYID
CLUSTER MYSHARDID
CLUSTER NODES
CLUSTER REPLICAS
CLUSTER REPLICATE
CLUSTER RESET
CLUSTER SAVECONFIG
CLUSTER SET-CONFIG-EPOCH
CLUSTER SETSLOT
CLUSTER SHARDS
CLUSTER SLAVES
CLUSTER SLOTS
READONLY
READWRITE

Server Management Calls

ACL DELUSER
ACL LOAD
ACL LOG
ACL LIST
ACL SAVE
ACL SETUSER
ACL DRYRUN
BGREWRITEAOF
BGSAVE
CONFIG RESETSTAT
CONFIG REWRITE
CONFIG SET
FAILOVER
FLUSHALL
FLUSHDB
PSYNC
REPLCONF
REPLICAOF
SAVE
SHUTDOWN
SYNC

For more information, refer to the following Redis sites:

Earlier Release Versions

For documentation of this step specific to earlier release versions of IAP, click here."

Was this article helpful?

What's Next

Redis [IAP 2022.1.x - 2023.1.x]

Table of contents

Dependency Requirements
Requirements for Non-Default Users
Redis Users
Excluded Commands
Related Reading
Earlier Release Versions