- 18 Nov 2024
-
DarkLight
-
PDF
Redis
- Updated on 18 Nov 2024
-
DarkLight
-
PDF
Dependency Requirements
This page summarizes the requirements to install Redis as an IAP dependency.
Also see: Configuring Redis Properties
Redis Installation
Please refer to the official Redis.io site for details on Redis installation.
Redis Server (Post Installation)
If Redis is running on a different server than IAP, the Redis process may bind to the localhost
. If this occurs then Redis and IAP may not be able to communicate.
The example steps listed below allow Redis to communicate outside of localhost
.
-
Edit
/etc/redis.conf
on the Redis server. -
Comment out
bind 127.0.0.1
so that it becomes#bind 127.0.0.1
. -
Restart Redis.
sudo systemctl restart redis
⚠ These instructions open the Redis TCP port externally, so security hardening should be considered.
Redis Configurations
Apply the following Redis configurations to a production or development environment. These configurations are relevant where Redis is running in a virtual machine. However, many of these configurations may also apply to a bare metal installation.
No Eviction Policy
Release version IAP/2023.2 and later
By default, a noeviction
policy is required once the database has reached its memory limit. See the Redis Eviction Policy site for more detail.
AOF Persistence
Release version IAP/2023.2 and later
For data durability, AOF
(Append Only File) persistence is required. See the Redis Persistence site for more detail.
Max Memory
Redis should have the capability to allocate as much memory as it can on the system. More or less is required depending on a number of factors including, but not limited to, number of jobs, amount of large items processed within tasks, as well as how often those tasks are run.
Set the maxmemory
setting to at least 80% of the system memory.
Refer to Deployment Environments and Requirements for recommendations on the amount memory needed by the Redis server.
Click here for IAP release versions 2022.1 and 2023.1
By default, Redis will consume up to 80% of the memory available on the platform. Set the upper limit to 20% of the available memory so IAP may consume the remaining 80%.
Change the # maxmemory <bytes>
value in the /etc/redis.conf
file.
Restart Redis to allow the /etc/redis.conf
changes to go into effect.
sudo systemctl restart redis
Further information for a production environment can be found in Configuring Redis Properties.
Redis Memory Errors
The maxmemory
configuration for Redis should be set as high as possible. If IAP exceeds this limit, it will cause jobs and tasks to error, as well as other IAP errors to appear as Redis is used for all messaging queues between services. The logged error message is similar to this:
ReplyError: OOM command not allowed when used memory > 'maxmemory'.
If this error is found, stop all IAPs to ensure a minimal number of jobs and tasks are affected. After that, check to see what the Redis memory is currently at. In all likelihood, the maxmemory
configured by Redis is not sufficient and needs to be increased. In rare circumstances, however, you may find there is plenty of memory. If that is the case, then you will need to stop all IAP instances and flush what memory remains in Redis.
Flushing Data (IAP Stopped)
Itential Automation Platform (IAP) uses Redis for runtime data that is critical for its operation. Performing destructive actions on the Redis database while IAP is running, such as flushing some or all of the Redis data, can put IAP into an unstable state. If for whatever reason this is done by accident, please immediately stop all instances of IAP. Flushing Redis data while IAP is running is not supported, and will not be supported. However, this action is generally safe to do when all IAPs in an instance have been stopped and are no longer running.
Requirements for Non-Default Users
In Redis 6.2 and higher, when authorization is enabled, non-default users must be granted specific permissions to the Redis capabilities used throughout IAP.
Redis Users
Redis 6.x has built-in access control, with a single defined user called default
(this is the default configuration). You also have the option to configure additional Redis users during installation. Listed below are some suggested examples.
Username | Description |
---|---|
admin |
The Redis administrative account. |
itential |
The account used by IAP to connect to Redis. |
repluser |
The account used by Redis to perform replication within a Redis cluster. |
sentineluser |
The account used by Redis Sentinel to connect to Redis. |
User Rules
Under the SECURITY section of the redis.conf
file, the user rules should be defined as follows:
user default off
user admin on allkeys allchannels allcommands >admin
user itential on allkeys allchannels allcommands -asking -cluster -readonly -readwrite -acl|deluser -acl|load -acl|log -acl|list -acl|save -acl|setuser -acl|dryrun -bgrewriteaof -bgsave -config|resetstat -config|rewrite -config|set -failover -flushall -flushdb -psync -replconf -replicaof -save -shutdown -sync >itential
user repluser on allchannels +psync +replconf +ping >repluser
user sentineluser on allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill >sentineluser
User Permissions
The following table outlines and briefly explains what each user
line in the rules section above is accomplishing. For more detail, see the Related Reading.
Line | Action |
---|---|
1 | Disable the default user to block permissions to everything. |
2 | Add the admin user. Grant all privileges. |
3 | Add the itential user. Disallow all commands, and then add each command IAP requires (those with the + ). The itential user should be configured in the IAP profile. |
4 | Add the repluser . Disallow all commands and then add each command that replication requires. If running a single Redis instance, the repluser is not required. |
5 | Add the sentineluser . Disallow all commands and then add each command that Redis Sentinel requires. If running a single Redis instance, the sentineluser is not required. |
Excluded Commands
With the following Redis configuration command, the itential
user is excluded (disallowed) from executing several cluster management and server management commands.
user itential on allkeys allchannels allcommands -asking -cluster -readonly -readwrite -acl|deluser -acl|load -acl|log -acl|list -acl|save -acl|setuser -acl|dryrun -bgrewriteaof -bgsave -config|resetstat -config|rewrite -config|set -failover -flushall -flushdb -psync -replconf -replicaof -save -shutdown -sync >itential
The set of commands the itential
user cannot access (call) are listed below.
Cluster Management Calls
- ASKING
- CLUSTER ADDSLOTS
- CLUSTER ADDSLOTSRANGE
- CLUSTER BUMPEPOCH
- CLUSTER COUNT-FAILURE-REPORTS
- CLUSTER COUNTKEYSINSLOT
- CLUSTER DELSLOTS
- CLUSTER DELSLOTSRANGE
- CLUSTER FAILOVER
- CLUSTER FLUSHSLOTS
- CLUSTER FORGET
- CLUSTER GETKEYSINSLOT
- CLUSTER INFO
- CLUSTER KEYSLOT
- CLUSTER LINKS
- CLUSTER MEET
- CLUSTER MYID
- CLUSTER MYSHARDID
- CLUSTER NODES
- CLUSTER REPLICAS
- CLUSTER REPLICATE
- CLUSTER RESET
- CLUSTER SAVECONFIG
- CLUSTER SET-CONFIG-EPOCH
- CLUSTER SETSLOT
- CLUSTER SHARDS
- CLUSTER SLAVES
- CLUSTER SLOTS
- READONLY
- READWRITE
Server Management Calls
- ACL DELUSER
- ACL LOAD
- ACL LOG
- ACL LIST
- ACL SAVE
- ACL SETUSER
- ACL DRYRUN
- BGREWRITEAOF
- BGSAVE
- CONFIG RESETSTAT
- CONFIG REWRITE
- CONFIG SET
- FAILOVER
- FLUSHALL
- FLUSHDB
- PSYNC
- REPLCONF
- REPLICAOF
- SAVE
- SHUTDOWN
- SYNC
Related Reading
Further information is available on these Redis sites: