├── LICENSE ├── README.md ├── ha-management ├── README.md ├── docker-compose.yml ├── exercise.md └── verify-readiness.sh ├── observability-monitoring ├── README.md ├── docker-compose.yml ├── exercise.md └── setup.sh ├── observability-stats ├── README.md ├── docker-compose.yml └── exercise.md ├── scaling-seamlessly ├── README.md ├── docker-compose.yml ├── exercise.md └── setup.sh ├── security-acls ├── README.md ├── docker-compose.yml └── exercise.md ├── security-rbac ├── README.md ├── docker-compose.yml ├── exercise.md └── setup.sh └── security-tls ├── Dockerfile ├── README.md ├── docker-compose.yml ├── exercise.md ├── gen-certs.sh └── redis.conf /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Redis Labs Training 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Exercises for Scaling Redis 2 | 3 | - [Security TLS](security-tls/) 4 | - [Security ACLS](security-acls/) 5 | - [Security RBAC](security-rbac/) 6 | - [High Availability Management](ha-management/) 7 | - [Scaling Seamlessly](scaling-seamlessly/) 8 | - [Observability Stats](observability-stats/) 9 | - [Observability Monitoring](observability-monitoring/) -------------------------------------------------------------------------------- /ha-management/README.md: -------------------------------------------------------------------------------- 1 | # Exercise: Enabling TLS in Redis Enterpise 2 | 3 | ## Requirements 4 | 5 | - docker 6 | - docker-compose 7 | - internet connection 8 | 9 | ## Starting Environment 10 | 11 | ``` 12 | docker-compose up -d 13 | ``` 14 | 15 | ## Stopping Environment 16 | 17 | After completing the exercises 18 | 19 | ``` 20 | docker-compose down 21 | ``` 22 | 23 | -------------------------------------------------------------------------------- /ha-management/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | 3 | services: 4 | #Node 1 5 | re1: 6 | image: redislabs/redis:6.0.12-58 7 | container_name: re1 8 | restart: unless-stopped 9 | tty: true 10 | cap_add: 11 | - sys_resource 12 | ports: 13 | - "18443:8443" 14 | volumes: 15 | - ./:/home 16 | networks: 17 | re_cluster: 18 | ipv4_address: 172.22.0.11 19 | 20 | #Node 2 21 | re2: 22 | image: redislabs/redis:6.0.12-58 23 | container_name: re2 24 | restart: unless-stopped 25 | tty: true 26 | cap_add: 27 | - sys_resource 28 | ports: 29 | - "28443:8443" 30 | volumes: 31 | - ./:/home 32 | networks: 33 | re_cluster: 34 | ipv4_address: 172.22.0.12 35 | 36 | #Node 3 37 | re3: 38 | image: redislabs/redis:6.0.12-58 39 | container_name: re3 40 | restart: unless-stopped 41 | tty: true 42 | cap_add: 43 | - sys_resource 44 | ports: 45 | - "38443:8443" 46 | volumes: 47 | - ./:/home 48 | networks: 49 | re_cluster: 50 | ipv4_address: 172.22.0.13 51 | 52 | #Docker Networks 53 | networks: 54 | re_cluster: 55 | driver: bridge 56 | ipam: 57 | driver: default 58 | config: 59 | - subnet: 172.22.0.0/16 60 | -------------------------------------------------------------------------------- /ha-management/exercise.md: -------------------------------------------------------------------------------- 1 | # Exercise: High Availability in Redis Enterprise 2 | 3 | ## Getting started 4 | After the docker-compose -d command has successfully started up the Redis Enterprise docker container we check to make sure that internally Redis Enterprise is ready to start taking requests. 5 | 6 | Run from this directory: 7 | 8 | ``` 9 | ./verify-readiness.sh 10 | ``` 11 | 12 | Once that completes with a successful message you should be able to proceed to: 13 | 14 | https://localhost:18443/ 15 | 16 | Redis Enterprise creates self-signed certs in the beginning so a secure connection is always created. Since they are not CA signed certificates you will need to allow your browser to accept them. 17 | 18 | Depending on your browser and version you may have an 'advanced' option that allows to accept and continue/proceed. Some Chrome browser versions will not have this option, but you can bypass this warning by just typing 'thisisunsafe' and it will automatically continue through to the site. 19 | 20 | Once you bypass the browser warning you should see a the initial setup screen. 21 | 22 | 23 | ## Create cluster on node 1 24 | 25 | You will see a large red 'Setup' button. Click that to begin setting up the Redis Enterprise cluster. 26 | 27 | The node configuration page will show some initial defaults including local file paths to use, IPs, etc. You can take these defaults. Please note the IP of this first node as you will need it in subsequent steps. 28 | 29 | Make sure the 'Create new cluster' is selected and then enter a 'Cluster name' value: `cluster.local` and click next (leaving the other checkboxes empty). NOTE: In this local setup using docker we will not be able to fully use the DNS capabilities of Redis Enterprise. 30 | 31 | The next screen will prompt you for cluster authentication by asking you to enter a license key. Just click next here and a trial license will automatically be used. 32 | 33 | Now you will need to set admin credentials. These will be used in subsequent steps. Here is an example of something that will work: 34 | 35 | **Email**: admin@redis.com 36 | **Password**: redis123 37 | 38 | After credentials have been set you will be taken immediately to a screen to create a database. We do not need to do that yet. 39 | 40 | ## Join cluster on node 2 41 | 42 | Now let's move to node 2 and join this node to the Redis Enterprise cluster. Enter this address in the browser address bar: 43 | 44 | https://localhost:28443 45 | 46 | This will again require you to bypass the self-signed certificate warning in the browser. Please refer to instructions above to bypass. 47 | 48 | You will again be prompted with the large red setup button, click that to proceed. On the node configuration page you will now select 'Join cluster' in the cluster configuration area. Enter the IP of the first node (`172.22.0.11`) and the credentials you created, then click Next. 49 | 50 | Normally after a cluster is created on a node or a node joins a cluster Redis Enterprise will update the self-signed certs with the cluster domain name configured. In this exercise environment where we keep re-using localhost and don't have unique IPs that we can enter into the host browser it may cause issues. You might need to reload your browser a few times which may lead to accepting the self-signed certs again and another login. 51 | 52 | Once you get past all of this you will be taken to a screen to create a database. As you have noticed this is where Redis Enterprise will redirect you if no database exists yet. 53 | 54 | Let's leave the browser at this place and open up a terminal. 55 | 56 | ## Join cluster on node 3 using rladmin 57 | 58 | You could go through the same steps that we did for node 2 to join node 3 to the cluster, but let's take the opportunity to see that there are other options. Note: there are three ways to create a cluster... administration UI in the browser, `rladmin` CLI and the administration REST API. 59 | 60 | The `rladmin` CLI utility is fairly easy to access in this dockerized exercise environment so let's use that. First connect to node 3 shell: 61 | 62 | ``` 63 | docker-compose exec re3 bash 64 | ``` 65 | 66 | This should land you on a prompt like this (with a diff container ID): 67 | 68 | ``` 69 | redislabs@cc13e2721cd9:/opt$ 70 | ``` 71 | 72 | Now run `rladmin` to get the interactive mode of the utility. At the `rladmin>` prompt you can enter ow enter the tab key twice to view a list of available commands. Since this node is not currently set up there is really only one command `cluster` (besides exit or help). 73 | 74 | Enter `cluster` followed by the tab key twice to view a list of available options....now add `join` to the command. You can enter the tab key twice to view a list of available options: 75 | 76 | ``` 77 | rladmin> cluster join 78 | accept_servers cnm_https_port flash_enabled nodes password replace_node 79 | addr ephemeral_path flash_path override_rack_id persistent_path required_version 80 | ccs_persistent_path external_addr json_file override_repair rack_id username 81 | ``` 82 | 83 | We will not use all of these, but you might remember the management UI node configuration screen during setup and notice some similar fields. Since our setup is simple and we can take most of the defaults let's just provide a minimal command to join this node to the cluster: 84 | 85 | ``` 86 | rladmin> cluster join nodes 172.22.0.11 username admin@redis.com password redis123 87 | Joining cluster... ok 88 | rladmin> 89 | ``` 90 | 91 | You will need to replace the above username and password with the credentials that you created when you created the cluster. 92 | 93 | With the cluster joined you should now have more command options available to you. Enter the tab key twice to view a list of available commands which should include different cluster management commands that can be used to view cluster configurations or even update them. 94 | 95 | View the cluster status by entering: 96 | 97 | ``` 98 | rladmin> status 99 | ``` 100 | 101 | You should have a display with different sections: 102 | 103 | - `CLUSTER NODES` 104 | - `DATABASES` 105 | - `ENDPOINTS` 106 | - `SHARDS` 107 | 108 | Currently you should only have data in the `CLUSTER NODES` section since you have not added a database yet. Speaking of... 109 | 110 | 111 | ## Create database 112 | 113 | Return to the browser window you left before. The session has likely timed out which will require you to login again. After a successful login you should now be presented with the prompt to create a new dataase. Select 'redis database,' 'Runs on ram' and 'Single Region' and click 'Next.' 114 | 115 | You should now have a screen to enter the database details. Let's keep it simple to start with by entering a name and checking the 'Replication' box then click the 'Activate' button. Redis Enterprise will create a single sharded database with replication using it's state machine to stand up necessary resources and connect them together. 116 | 117 | That's it, you just created a database with high availability! 118 | 119 | ## Replication details 120 | 121 | Return to the terminal and run `rladmin status` again and you should see additional sections containing data about your database. Each database has an endpoint and shards associated with it. If you look at the `SHARDS` section in detail you should see two shards one acting as a primary and the other a secondary replica. 122 | 123 | What nodes are the shards on? 124 | 125 | 126 | ## Create another database 127 | 128 | Go back to the browser administration UI and click on 'databases' in the nav menu. You should see the database you created. Redis Enterprise supports multi-tenancy: meaning you can create additional databases and will be allocated resources and managed independently. 129 | 130 | Click on the '+' icon under your database name and create another database with replication (the trial license allows for four shards so you should have enough). 131 | 132 | Now return to the terminal and run `rladmin> status` again. You should now see two databases with unique IDs, two endpoints and four shards total. 133 | 134 | Where were the second database shards placed? 135 | 136 | The cluster manager will place nodes according to available resources and ensure that the primary and secondary replica shards are never on the same node. 137 | 138 | This is a simple single primary shard with replica use-case but when we move on to scaling you will see how Redis Enterprise can maintain sharded databases across nodes with replication. 139 | -------------------------------------------------------------------------------- /ha-management/verify-readiness.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | printf '\nCheck for Redis Enterprise to be ready: ' 4 | 5 | until $(docker exec -it re1 sh -c "curl --output /dev/null --silent --head --fail -k https://localhost:9443/v1/bootstrap"); do 6 | printf '.' 7 | sleep 3 8 | done 9 | printf ' Ready to continue!\n' -------------------------------------------------------------------------------- /observability-monitoring/README.md: -------------------------------------------------------------------------------- 1 | # Exercise: Enabling TLS in Redis Enterpise 2 | 3 | ## Requirements 4 | 5 | - docker 6 | - docker-compose 7 | - internet connection 8 | 9 | ## Starting Environment 10 | 11 | ``` 12 | docker-compose up -d 13 | ``` 14 | 15 | ## Stopping Environment 16 | 17 | After completing the exercises 18 | 19 | ``` 20 | docker-compose down 21 | ``` 22 | 23 | -------------------------------------------------------------------------------- /observability-monitoring/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | 3 | services: 4 | redis_enterprise_monitoring: 5 | image: redislabs/redis:latest 6 | tty: true 7 | cap_add: 8 | - sys_resource 9 | ports: 10 | - "8443:8443" 11 | - "12000:12000" -------------------------------------------------------------------------------- /observability-monitoring/exercise.md: -------------------------------------------------------------------------------- 1 | # Exercise: Monitoring in Redis Enterprise 2 | 3 | ## Setup 4 | After the docker-compose -d command has successfully started up the Redis Enterprise docker container we will need to bootstrap Redis Enterprise. This involves creating a single node cluster. Note that in Redis Enterprise a cluster node equates to an instance resourece on which Redis Enterprise is installed and not just where a Redis server process is running. 5 | 6 | There is a setup.sh script provided which will get things started so you can focus on the exercises. 7 | 8 | Run from this directory: 9 | 10 | ``` 11 | ./setup.sh 12 | ``` 13 | 14 | Once that completes you should be able to load Redis Enterprise admin UI in a browser. 15 | 16 | https://localhost:8443/ 17 | 18 | Redis Enterprise creates self-signed certs in the beginning so a secure connection is always created. Since they are not CA signed certificates you will need to allow your browser to accept them. 19 | 20 | Depending on your browser and version you may have an 'advanced' option that allows to accept and continue/proceed. Some Chrome browser versions will not have this option, but you can bypass this warning by just typing 'thisisunsafe' and it will automatically continue through to the site. 21 | 22 | Once you bypass the browser warning you should see a login screen where you can use the following credentials to login: 23 | 24 | username: admin@redis.com 25 | password: redis123 26 | 27 | Once successfully logged in you should see the Redis Enterprise administration UI. 28 | 29 | 30 | ## Generate some load 31 | 32 | The setup script created a database that we can use exposed on port 12000. Generate some load into the database using another open source load generation utility for Redis called memtier_benchmark. It is included with the Redis Enterprise install so we can simple run: 33 | 34 | ``` 35 | docker-compose exec redis_enterprise_monitoring memtier_benchmark -p 12000 -x 1000 36 | ``` 37 | 38 | That will just take all the defaults for most of the options except the `p` param to specify port which we need to set to 12000 because the database on Redis Enterprise was created to use that port and the `x` param to indicate how many times to run the default test. This will allow us to be able to see some results in Redis Enterprise. 39 | 40 | You can find more information about memtier_benchmarks options using the `--help` option. 41 | 42 | ## Cluster Dashboard 43 | 44 | Now go back to your browser where you logged in and click the 'cluster' nav menu item. By default this will open the metrics tab. 45 | 46 | You should be able to see the overal Cluster Ops/sec and on the right Node 1 Ops/sec. These stats should be the same because in setup (dev/testing only) we have a single node cluster. 47 | 48 | Scroll down to the other metrics and hover over 'Free RAM' this should provide a little more detail and give you the option to move this metic to one of the top spots. If you click on the right side box the metric should move to the top right. 49 | 50 | ## Node Dashboard 51 | 52 | Navigate to the nodes page by clicking the 'nodes' option in the nav menu. This should just display our single node. If we had joined other nodes to the cluster you would see multiple nodes here. 53 | 54 | Click on node 1 to view it's metrics. Now click on the '5 Minutes' text in the time scale to change the sampling time. 55 | 56 | You can view the node specific details by clicking on the 'configuration' tab. This will show the version of Redis Enterprise, Redis, IP address, OS and other details. 57 | 58 | ## Database Dashboard 59 | 60 | Navigate to the databases page by clicking the 'databases' option in the nav menu. Since a Redis Enterprise cluster can support multi-tenancy you can run multiple databases across the same set of resources. This page will show a list of the database that have been created in this cluster. The setup script created one database 'db-1' so click on that now. 61 | 62 | You should be taken into the database metrics view immediately. You can see the Ops/sec and the Latency. Scroll down to view other metrics. 63 | 64 | What is the used memory at? What is the usage percentage? 65 | 66 | How many connections are you getting from the memtier utility? 67 | 68 | What are the total keys? How about your hit ratio? 69 | 70 | Notice at the top there is a rectangular blue switch box with 'Database' selected. You can click on 'Shards' to view shard specific data. 71 | 72 | In our case there won't be much difference in the actual numbers because we are currently running a single shard, but this can be very useful to identify hot shards and get other insights into the database health. 73 | 74 | ## Prometheus Exporter 75 | 76 | You can what data is available on the Prometheus exporter endpoint by calling it on port 8070: 77 | 78 | ``` 79 | docker-compose exec redis_enterprise_monitoring curl -k https://localhost:8070/metrics 80 | ``` 81 | 82 | ## REST API 83 | 84 | The Redis Enterprise REST API also has a way to pull stats directly. You can try pulling stats for the databases: 85 | 86 | ``` 87 | docker-compose exec redis_enterprise_monitoring curl -k -u learn@redislabs.com:redis123 https://localhost:9443/v1/bdbs/stats 88 | ``` 89 | 90 | You can explore the following query params: 91 | 92 | * `interval` – Optional time interval for for which we want stats: 1sec/10sec/5min/15min/1hour/12hour/1week 93 | * `stime` – Optional start time from which we want the stats. Should comply with the ISO_8601 format 94 | * `etime` – 95 | Optional end time after which we don’t want the stats. Should comply with the ISO_8601 format 96 | 97 | Add an interval query param to set the interval time to five minutes. 98 | 99 | Stats can be pulled from different endpoints as well: 100 | 101 | * `/v1/bdbs/stats` - databases 102 | * `/v1/nodes/stats` - nodes stats 103 | * `/v1/cluster/stats` - cluster 104 | 105 | Try each of these endpoints. 106 | 107 | Also, the id of a specific entity can be passed, for example if we wanted to just get the stats of our database with the id=1 and not the full array we could run: 108 | 109 | ``` 110 | docker-compose exec redis_enterprise_monitoring curl -k -u learn@redislabs.com:redis123 https://localhost:9443/v1/bdbs/stats/1 111 | ``` 112 | 113 | Now do the same thing for the nodes endpoint and just get the stats for node=1. 114 | 115 | ## Stop Load Generation 116 | 117 | You can just use ctl-c in the terminal window where memtier_benchmark is running to to exit. -------------------------------------------------------------------------------- /observability-monitoring/setup.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | printf '\nCheck for Redis Enterprise to be ready: ' 4 | until $(docker exec -it observability-monitoring_redis_enterprise_monitoring_1 sh -c "curl --output /dev/null --silent --head --fail -k https://localhost:9443/v1/bootstrap"); do 5 | printf '.' 6 | sleep 3 7 | done 8 | printf ' success\n' 9 | 10 | printf '\nBootstrap: ' 11 | docker exec -it observability-monitoring_redis_enterprise_monitoring_1 sh -c "/opt/redislabs/bin/rladmin cluster create name cluster.local username admin@redis.com password redis123" 12 | 13 | 14 | printf '\nCreate DB\n' 15 | docker exec -it observability-monitoring_redis_enterprise_monitoring_1 sh -c "curl --output /dev/null --silent -X POST -H 'cache-control: no-cache' -H 'Content-type: application/json' -u admin@redis.com -d '{ \"name\": \"db-1\", \"memory_size\": 52428800, \"sharding\": false, \"shards_count\": 1, \"type\": \"redis\", \"proxy_policy\": \"single\", \"shards_placement\": \"dense\", \"port\": 12000}' -k https://localhost:9443/v1/bdbs" 16 | 17 | printf '\nGood to go!\n' -------------------------------------------------------------------------------- /observability-stats/README.md: -------------------------------------------------------------------------------- 1 | # Exercise: Enabling TLS in Redis Enterpise 2 | 3 | ## Requirements 4 | 5 | - docker 6 | - docker-compose 7 | - internet connection 8 | 9 | ## Starting Environment 10 | 11 | ``` 12 | docker-compose up -d 13 | ``` 14 | 15 | ## Stopping Environment 16 | 17 | After completing the exercises 18 | 19 | ``` 20 | docker-compose down 21 | ``` 22 | 23 | -------------------------------------------------------------------------------- /observability-stats/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | 3 | services: 4 | redis_stats: 5 | image: redis:6.2 6 | tty: true 7 | ports: 8 | - "6379:6379" -------------------------------------------------------------------------------- /observability-stats/exercise.md: -------------------------------------------------------------------------------- 1 | # Exercise - Get Metrics 2 | 3 | ## Connect to Environment 4 | 5 | In a terminal run this command to get a shell prompt inside the running docker container: 6 | 7 | ``` 8 | docker-compose exec redis_stats bash 9 | ``` 10 | 11 | ## Generate load 12 | 13 | A simple way to to generate some load is to open another terminal and run: 14 | 15 | ``` 16 | docker-compose exec redis_stats redis-benchmark 17 | ``` 18 | 19 | ## Info 20 | 21 | Since most of the stats data comes from the `INFO` command you should first run this to view what there. 22 | 23 | 24 | ``` 25 | # redis-cli INFO 26 | ``` 27 | 28 | Try piping this output to a file. 29 | 30 | 31 | ## Memory usage 32 | 33 | Since we generally recommend setting the `maxmemory` size, it is possible to calculate the percentage of memory in use and alert based on result of the maxmemory configuration value and the used_memory stat. 34 | 35 | First set the `maxmemory`. 36 | 37 | ``` 38 | # redis-cli config set maxmemory 100000 39 | ``` 40 | 41 | Then you can pull the two data points to see how that could be used to calculate memory usage. 42 | 43 | ``` 44 | # redis-cli INFO |grep used_memory: 45 | ``` 46 | 47 | ``` 48 | # redis-cli config get maxmemory 49 | ``` 50 | 51 | ## Client data 52 | 53 | You can pull the clients section of the `INFO` command: 54 | 55 | ``` 56 | # redis-cli info clients 57 | ``` 58 | 59 | or maybe a particular metric you would want to track: 60 | 61 | ``` 62 | # redis-cli info client | grep connected_clients 63 | ``` 64 | 65 | ## Stats section 66 | 67 | Use redis-cli to list the full 'stats' section. 68 | 69 | ## Hit ratio 70 | 71 | A cache hit/miss ratio could be generated using two data points in the stats section. 72 | 73 | ``` 74 | # redis-cli INFO stats |grep keyspace 75 | ``` 76 | 77 | ## Evicted keys 78 | 79 | Eviction occurs when redis has reached its maximum memory and maxmemory-policy in redis.conf is set to something other than volatile-lru. 80 | 81 | ``` 82 | # redis-cli INFO stats | grep evicted_keys 83 | ``` 84 | 85 | ## Expired keys 86 | 87 | It is a good idea to keep an eye on the expirations to make sure redis is performing as expected. 88 | 89 | ``` 90 | # redis-cli INFO stats | grep expired_keys 91 | ``` 92 | 93 | ## Keyspace 94 | 95 | The following data could be used for graphing the size of the keyspace as a quick drop or spike in the number of keys is a good indicator of issues. 96 | 97 | ``` 98 | # redis-cli INFO keyspace 99 | ``` 100 | 101 | ## Workload (connections received, commands processed) 102 | 103 | The following stats are a good indicator of workload on the Redis server. 104 | 105 | ``` 106 | # redis-cli INFO stats |egrep "^total_" 107 | ``` 108 | -------------------------------------------------------------------------------- /scaling-seamlessly/README.md: -------------------------------------------------------------------------------- 1 | # Exercise: Enabling TLS in Redis Enterpise 2 | 3 | ## Requirements 4 | 5 | - docker 6 | - docker-compose 7 | - internet connection 8 | 9 | ## Starting Environment 10 | 11 | ``` 12 | docker-compose up -d 13 | ``` 14 | 15 | ## Stopping Environment 16 | 17 | After completing the exercises 18 | 19 | ``` 20 | docker-compose down 21 | ``` 22 | 23 | -------------------------------------------------------------------------------- /scaling-seamlessly/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | 3 | services: 4 | #Node 1 5 | re1: 6 | image: redislabs/redis:latest 7 | container_name: re1 8 | restart: unless-stopped 9 | tty: true 10 | cap_add: 11 | - sys_resource 12 | ports: 13 | - "18443:8443" 14 | volumes: 15 | - ./:/home 16 | networks: 17 | re_cluster: 18 | ipv4_address: 172.22.0.11 19 | 20 | #Node 2 21 | re2: 22 | image: redislabs/redis:latest 23 | container_name: re2 24 | restart: unless-stopped 25 | tty: true 26 | cap_add: 27 | - sys_resource 28 | ports: 29 | - "28443:8443" 30 | volumes: 31 | - ./:/home 32 | networks: 33 | re_cluster: 34 | ipv4_address: 172.22.0.12 35 | 36 | #Node 3 37 | re3: 38 | image: redislabs/redis:latest 39 | container_name: re3 40 | restart: unless-stopped 41 | tty: true 42 | cap_add: 43 | - sys_resource 44 | ports: 45 | - "38443:8443" 46 | volumes: 47 | - ./:/home 48 | networks: 49 | re_cluster: 50 | ipv4_address: 172.22.0.13 51 | 52 | #Docker Networks 53 | networks: 54 | re_cluster: 55 | driver: bridge 56 | ipam: 57 | driver: default 58 | config: 59 | - subnet: 172.22.0.0/16 60 | -------------------------------------------------------------------------------- /scaling-seamlessly/exercise.md: -------------------------------------------------------------------------------- 1 | # Exercise: Scaling in Redis Enterprise 2 | 3 | ## Getting started 4 | After the docker-compose -d command has successfully started up the Redis Enterprise docker container we need to setup a Redis Enterprise cluster. Since you have already gone through the individual steps to do this in the High Availability exercise there is a setup script provided. 5 | 6 | Run from this directory: 7 | 8 | ``` 9 | ./setup.sh 10 | ``` 11 | 12 | If you wish to go through the setup manually you can go back to the High Availability exercise and go through the steps there or open the setup.sh and view the commands that are being run. 13 | 14 | Once that completes with a successful message you should be able to open a browser: 15 | 16 | https://localhost:18443/ 17 | 18 | Redis Enterprise creates self-signed certs in the beginning so a secure connection is always created. Since they are not CA signed certificates you will need to allow your browser to accept them. 19 | 20 | Depending on your browser and version you may have an 'advanced' option that allows to accept and continue/proceed. Some Chrome browser versions will not have this option, but you can bypass this warning by just typing 'thisisunsafe' and it will automatically continue through to the site. 21 | 22 | Once you bypass the browser warning you should see a the login screen. Use these credentials 23 | 24 | username: admin@redis.com 25 | password: redis123 26 | 27 | 28 | ## Create database 29 | 30 | After a successful login you should be presented with the prompt to create a new dataase. Select 'redis database,' 'Runs on ram' and 'Single Region' and click 'Next.' 31 | 32 | You should now have a screen to enter the database details. Let's keep it simple to start with by entering a name and hen click the 'Activate' button. Redis Enterprise will create a single sharded database. 33 | 34 | Open a terminal to and connect to the `rladmin` utility and view the cluster status to see the details. 35 | 36 | ``` 37 | docker-compose exec re1 bash 38 | ``` 39 | 40 | During the Redis Enterprise exercise on High Availability you used `rladmin` in interactive mode, but you can also pass commands and options in directly as args. 41 | 42 | ``` 43 | :/opt$ rladmin status shards 44 | ``` 45 | 46 | This will show the `SHARDS` section of the status. You should just have a single shard for the database. Now get the databases section so you can find the endpoint, particularly the port. 47 | 48 | ``` 49 | :/opt$ rladmin status databases 50 | ``` 51 | 52 | Look in the `ENDPOINT` column and copy the port that was generated for this database. Since we dont' have the full features of Redis Enterprise with DNS, etc. in this dockerized environment we will just call the database using it's exertnal port. The request will still go through the proxy. 53 | 54 | ## Create Traffic 55 | 56 | Now let's use that port in `memtier_benchmark` a Redis benchmarking utility. Just replace the port from the example with your own. You should see the benchmark client begin to send traffic to your database: 57 | 58 | ``` 59 | memtier_benchmark -p 19100 -x 1000 60 | [RUN #1] Preparing benchmark client... 61 | [RUN #1] Launching threads now... 62 | ``` 63 | 64 | ## Scale Database 65 | 66 | Go back to your browser and reload the database page. You may need to login again if the session has expired. View the 'metrics' tab and verify traffic is being sent to your database. 67 | 68 | Go back to the configuration view and click 'Edit' at the bottom to edit the database. Enable the checkbox for 'Database clustering' and enter 4 shards and click 'Update' at the bottom. The Redis Enterprise cluster manager will update the database using it's state machine to add the additional Redis processes, re-shard, re-balance and re-bind the endpoint. 69 | 70 | Open the 'metrics' view again. 71 | 72 | Open the 'metrics' view again, your database should still be taking client requests. 73 | 74 | NOTE: With the limited resources of this dockerized environment there may be performance bumps. This exercise is not intended to show an increase in performance just the ease of managing the scaling process. 75 | 76 | ## Stop traffic 77 | 78 | You can use `ctl-c` in the terminal to stop the traffic. 79 | 80 | Exit out of the container shell by entering `exit` back to your own system's terminal. 81 | 82 | 83 | -------------------------------------------------------------------------------- /scaling-seamlessly/setup.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | printf '\nBootstrap endpoint: ' 4 | 5 | until $(docker exec -it re1 sh -c "curl --output /dev/null --silent --head --fail -k https://localhost:9443/v1/bootstrap"); do 6 | printf '.' 7 | sleep 3 8 | done 9 | printf ' ready!\n' 10 | 11 | printf '\nnode 1: ' 12 | docker exec -it re1 rladmin cluster create name cluster.local username admin@redis.com password redis123 13 | 14 | printf '\nnode 2: ' 15 | docker exec -it re2 rladmin cluster join nodes 172.22.0.11 username admin@redis.com password redis123 16 | 17 | printf '\nnode 3: ' 18 | docker exec -it re3 rladmin cluster join nodes 172.22.0.11 username admin@redis.com password redis123 19 | 20 | printf '\nCluster setup complete!\n' -------------------------------------------------------------------------------- /security-acls/README.md: -------------------------------------------------------------------------------- 1 | # Exercise: Enabling TLS in Redis Enterpise 2 | 3 | ## Requirements 4 | 5 | - docker 6 | - docker-compose 7 | - internet connection 8 | 9 | ## Starting Environment 10 | 11 | ``` 12 | docker-compose up -d 13 | ``` 14 | 15 | ## Stopping Environment 16 | 17 | After completing the exercises 18 | 19 | ``` 20 | docker-compose down 21 | ``` 22 | 23 | -------------------------------------------------------------------------------- /security-acls/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | 3 | services: 4 | redis_acls: 5 | image: redis:6.2 6 | tty: true 7 | ports: 8 | - "6379:6379" -------------------------------------------------------------------------------- /security-acls/exercise.md: -------------------------------------------------------------------------------- 1 | # Exercise: Redis ACLs 2 | 3 | ## Connect to Environment 4 | 5 | In a terminal run this command to get a shell prompt inside the running docker container: 6 | 7 | ``` 8 | docker-compose exec redis_acls redis-cli 9 | ``` 10 | 11 | ## Update the default account 12 | 13 | 1. Using the `ACL SETUSER` command set the password for the default account to `Sec&789`. 14 | 1. Aftwards you should be able to run this command and get back an `OK` response: 15 | ``` 16 | AUTH default Sec&789 17 | ``` 18 | If you get this error: `(error) WRONGPASS invalid username-password pair` you have set the password incorrectly. 19 | 20 | 21 | ## Use command category ACLs 22 | 23 | 1. View all categories of commands that can be used with ACLs: 24 | ``` 25 | ACL CAT 26 | ``` 27 | 1. View the specific commands of a given category: 28 | ``` 29 | ACL CAT dangerous 30 | ``` 31 | 1. Add a new user with a password and access to the `hash` category. 32 | 1. Authenticate using the new username and password using the `AUTH` comamnd. 33 | 1. Verify proper access was granted 34 | A `SET` command should return the following error but the `HSET` command should not. 35 | ``` 36 | (error) NOPERM this user has no permissions to run the 'set' command or its subcommand 37 | ``` 38 | Remember to make sure that a key ACL was also set: `~*` otherwise it won't work. 39 | 40 | 41 | ## Use key based ACL 42 | 43 | 1. Auth back to the default user 44 | 1. Set some keys: 45 | ``` 46 | mset bucket:1 dirt bucket:2 turf pail:1 sand 47 | ``` 48 | 1. Add a new user `bucket-reader` that is enabled with a password `redis123` with **read only* access to keys starting with `bucket:` 49 | 1. Authenticate using the new username and password using the `AUTH` comamnd. 50 | 1. Verify proper access was granted: 51 | - can get bucket:1 52 | - can NOT get pail:1 53 | - can NOT set bucket:3 or any other key 54 | Validation should look something like this: 55 | ``` 56 | > auth bucket-reader redis123 57 | OK 58 | > get bucket:1 59 | "dirt" 60 | > get pail:1 61 | (error) NOPERM this user has no permissions to access one of the keys used as arguments 62 | > set bucket:3 water 63 | (error) NOPERM this user has no permissions to run the 'set' command or its subcommand 64 | ``` 65 | 66 | 67 | ## ACL admin and other utilities 68 | 69 | 1. Auth back to the default user 70 | 1. Run `ACL HELP` to view available ACL commands 71 | 1. Verify you are the default user by running `ACL WHOAMI` 72 | 1. Run `ACL LIST` to view all current users and ACLs 73 | 1. Run `ACL LOG` to view auth events 74 | 1. Run `ACL DELUSER bucket-reader` then `ACL LIST` to verify the user was deleted 75 | 76 | -------------------------------------------------------------------------------- /security-rbac/README.md: -------------------------------------------------------------------------------- 1 | # Exercise: RBAC in Redis Enterpise 2 | 3 | ## Requirements 4 | 5 | - docker 6 | - docker-compose 7 | - internet connection 8 | 9 | ## Starting Environment 10 | 11 | ``` 12 | docker-compose up -d 13 | ``` 14 | 15 | ## Stopping Environment 16 | 17 | After completing the exercises 18 | 19 | ``` 20 | docker-compose down 21 | ``` 22 | 23 | -------------------------------------------------------------------------------- /security-rbac/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | 3 | services: 4 | redis_enterprise_rbac: 5 | image: redislabs/redis:latest 6 | tty: true 7 | cap_add: 8 | - sys_resource 9 | ports: 10 | - "8443:8443" 11 | - "12000:12000" -------------------------------------------------------------------------------- /security-rbac/exercise.md: -------------------------------------------------------------------------------- 1 | # Exercise: RBAC in Redis Enterprise 2 | 3 | 4 | ## Setup 5 | After the docker-compose -d command has successfully started up the Redis Enterprise docker container we will need to bootstrap Redis Enterprise. This involved creating a single node cluster. Note that in Redis Enterprise a cluster node equates to an instance resourece on which Redis Enterprise is installed and not just where a Redis server process is running. 6 | 7 | There is a setup.sh script provided which will get things started so you can focus on the RBAC exercises. 8 | 9 | Run from this directory: 10 | 11 | ``` 12 | ./setup.sh 13 | ``` 14 | 15 | Once that completes you should be able to load Redis Enterprise admin UI in a browser. 16 | 17 | https://localhost:8443/ 18 | 19 | Redis Enterprise creates self-signed certs at installation time so that a secure connection is always created. Since these certificates are not CA signed certificates, you will need to allow your browser to accept them. 20 | 21 | In the Firefox browser this consists of just clicking through the Advanced button and finding the button to accept and continue. If you are using a Chrome browser, you can bypass this warning by typing 'thisisunsafe', and it will automatically continue through to the site. 22 | 23 | Once you bypass the browser warning, you should see a login screen where you can use the following credentials to log in: 24 | 25 | username: admin@redis.com 26 | password: redis123 27 | 28 | Once successfully logged in, you should see the Redis Enterprise admin console and be taken to create a database immediately. 29 | 30 | Leave all the defaults and click 'Next', which will take you to a screen where you can name the database, keep the existing defaults and click 'Activate' to create the database. 31 | 32 | Now you should be ready for the RBAC exercises. 33 | 34 | ## Connect to the database 35 | 36 | Redis Enterprise supports multi-tenancy (a single cluster can host separately managed databases) so a unique port and endpoint are created per database. 37 | 38 | 1. Find the database in the 'databases' menu and click on it 39 | 2. View the 'Endpoint' ... grab the port value in particular 40 | 3. Connect to redis-cli in the docker container on that port by running: 41 | 42 | ``` 43 | docker-compose exec redis_enterprise_rbac redis-cli -p 44 | ``` 45 | 46 | If you are successfully connected; you should be able to run the `INFO` command. 47 | 48 | ## Update Default User 49 | 50 | 1. Find the database in the databases menu and click the Edit button for the database 51 | 2. Add a password for the default user 52 | 3. Verify using the redis-cli from the first step and after connecting use the AUTH command with the new password 53 | 4. Disconnect from the database 54 | 55 | ## Create a simple command ACL and update it 56 | 57 | 1. Navigate to the 'access control' menu 58 | 2. View the default roles and redis acls 59 | 3. Add a new Redis ACL where you restrict commands to GEO by removing all commands and adding the geo category for all keys 60 | 4. Create a new role that has no control-plane access 61 | 5. Grant this role access to the database you created (or all databases) and add the new Redis ACL you just created 62 | 6. Now go to the users menu and create at least one new user with this role 63 | 7. Verify your changes were correct: 64 | 1. redis-cli into the db as we did before 65 | 2. auth *new-user* *new-user-pwd* 66 | 3. run a GEO command (https://redis.io/commands#geo) `GEOADD Sicily 13.361389 38.115556 "Palermo" 15.087269 37.502669 "Catania"` 67 | 4. run a string command `set fa la` and you should get a NOPERM error 68 | 8. Now go back to the admin UI and find the 'redis acls' menu again. Append the ACL you just created with '+@string' and Update it. 69 | 9. Go back to the redis-cli prompt and re-run the string command 'set fa la' and it should succeed 70 | 8. Disconnect from your database 71 | 72 | ## Create a key restrictive ACL 73 | 74 | 1. Navigate back to 'redis acls' menu inside of 'access control' tab 75 | 2. Add a new Redis ACL that allows for access to all non-dangerous commands and keys starting with 'public:' 76 | 3. Apply this ACL to your database or all databases 77 | 4. Now navigate to 'roles' and add a new role that utilizes the ACL you just created 78 | 5. Now add this role to a new user 79 | 6. Verify your changes were correct: 80 | 1. redis-cli into the db as we did before 81 | 2. auth *new-user* *new-user-pwd* 82 | 3. create new key/s prefixed with 'public:' like 'public:example' without a NOPERM error 83 | 4. create new key/s not prefixed with 'public:' and get a NOPERM error 84 | 7. You can expirement with updating the key restriction with additional key matches or command inclusion/exclusions and then verifying them via redis-cli 85 | 8. Disconnect from your database 86 | 87 | ## Create new user with control plane access 88 | 89 | 1. In the Redis Enterprise admin UI navigate to the users are again under the access control menu 90 | 2. Use the plus button to create a new user 91 | 3. Fill in all the values with some fake/test values (you will need to remember the email and password) except for Role choose 'DB Viewer' 92 | 4. Now in a nother browser or in an 'incognito' type browser tab open https://localhost:8443 and login with this new user you just created 93 | 5. You should be presented with the databases view only. If you select the database you created notice that you can view the metrics page. If you click on configuration the edit capability is disabled. 94 | 6. If you select the access control nav menu you only have the ability to change your own password. 95 | -------------------------------------------------------------------------------- /security-rbac/setup.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | printf '\nCheck for Redis Enterprise to be ready: ' 4 | until $(docker exec -it security-rbac_redis_enterprise_rbac_1 sh -c "curl --output /dev/null --silent --head --fail -k https://localhost:9443/v1/bootstrap"); do 5 | printf '.' 6 | sleep 3 7 | done 8 | printf ' success\n' 9 | 10 | printf '\nBootstrap: ' 11 | docker exec -it security-rbac_redis_enterprise_rbac_1 sh -c "/opt/redislabs/bin/rladmin cluster create name cluster.local username admin@redis.com password redis123" 12 | 13 | 14 | #printf '\nCreate DB\n' 15 | #docker exec -it security-rbac_redis_enterprise_rbac_1 sh -c "curl --output /dev/null --silent -X POST -H 'cache-control: no-cache' -H 'Content-type: application/json' -u admin@redis.com:redis123 -d '{ \"name\": \"db-1\", \"memory_size\": 52428800, \"sharding\": false, \"shards_count\": 1, \"type\": \"redis\", \"proxy_policy\": \"single\", \"shards_placement\": \"dense\", \"port\": 12000}' -k https://localhost:9443/v1/bdbs" 16 | 17 | printf '\nGood to go!\n' -------------------------------------------------------------------------------- /security-tls/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM redis:6.2 2 | 3 | RUN apt update && apt-get install -y openssl wget 4 | 5 | COPY gen-certs.sh /tmp/ 6 | 7 | RUN /tmp/gen-certs.sh /etc/certs 8 | 9 | WORKDIR / 10 | 11 | RUN mkdir /usr/local/etc/redis 12 | 13 | COPY redis.conf /usr/local/etc/redis/ 14 | 15 | RUN apt-get install -y vim 16 | 17 | ENTRYPOINT ["tail", "-f", "/dev/null"] -------------------------------------------------------------------------------- /security-tls/README.md: -------------------------------------------------------------------------------- 1 | # Exercise: Enabling TLS in Redis 2 | 3 | ## Requirements 4 | 5 | - docker 6 | - docker-compose 7 | - internet connection 8 | 9 | ## Starting Environment 10 | 11 | ``` 12 | docker-compose up -d 13 | ``` 14 | 15 | ## Stopping Environment 16 | 17 | After completing the exercises 18 | 19 | ``` 20 | docker-compose down 21 | ``` 22 | 23 | -------------------------------------------------------------------------------- /security-tls/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | 3 | services: 4 | redis_tls: 5 | build: 6 | context: ./ 7 | ports: 8 | - "6379:6379" -------------------------------------------------------------------------------- /security-tls/exercise.md: -------------------------------------------------------------------------------- 1 | # Exercise: Enabling TLS in Redis 2 | 3 | ## Connect to Environment 4 | 5 | In a terminal run this command to get a shell prompt inside the running docker container: 6 | 7 | ``` 8 | docker-compose exec redis_tls bash 9 | ``` 10 | 11 | ## Container Context 12 | 13 | The docker-compose will startup a docker container based on the standard Redis docker image, but it will create some self-signed certs in order to try out the TLS support. 14 | 15 | If you `ls` the `/etc/certs/` directory you can see there are client and server certs. 16 | 17 | If you wish to understand how these self-signed certs were created you can view the shell script used either in this repo `gen-certs.sh` or inside the container `/tmp/gen-certs.sh` where it was copied. In fact this was adapted from a similiar script in the Redis repo under utilities that is used for testing purposes. 18 | 19 | Using a container like this is just used for a quick lightweight learning environment to help you understand how to enable and work with the TLS settings. It is not intended to demonstrate how to deploy Redis. 20 | 21 | ## Starting up Redis with TLS flags 22 | 23 | One way you can enable TLS support is by adding the TLS flags to the redis-server startup. You can enable the TLS port and disable the regular TCP port, point to the certificate, key and CA cert. 24 | 25 | ``` 26 | redis-server --tls-port 6379 --port 0 --tls-cert-file /etc/certs/server.crt --tls-key-file /etc/certs/server.key --tls-ca-cert-file /etc/certs/ca.crt 27 | ``` 28 | 29 | If you ctl-c to exit the running process the Redis server will also stop. 30 | 31 | ## Starting up Redis with TLS configuration 32 | 33 | The docker container has also had the default redis.conf file copied to: `/usr/local/etc/redis/redis.conf` but in the previous command we did not utilize it. 34 | 35 | Let's try to enable the same TLS settings that we did above in this config and then start Redis with TLS support that way. 36 | 37 | ``` 38 | redis-server /usr/local/etc/redis/redis.conf 39 | ``` 40 | 41 | Now let's verify that we can connect using TLS from a client. 42 | 43 | ## Connecting redis-cli using TLS 44 | 45 | Open another terminal window or tab and run this command to get a shell prompt inside that same docker container: 46 | 47 | ``` 48 | docker-compose exec redis_tls bash 49 | ``` 50 | 51 | We can use `redis-cli` to connect to our TLS enabled Redis server. 52 | 53 | ``` 54 | redis-cli --tls --cert /etc/certs/client.crt --key /etc/certs/client.key --cacert /etc/certs/ca.crt 55 | ``` 56 | 57 | If you are able to run the `INFO` or other commands you know that your client certificates have been accepted and TLS is being used for the connection. If you are returned an error when trying to run a command you may need to: 58 | 59 | - verify you have entered all the flags correctly 60 | - go back to the first terminal window and check the errors 61 | - fix any misconfigurations in the redis.conf and restart the server 62 | - retest after making changes until you can run commands successfully 63 | -------------------------------------------------------------------------------- /security-tls/gen-certs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Generate some test certificates which are used by the regression test suite: 4 | # 5 | # ${folder}/tls/ca.{crt,key} Self signed CA certificate. 6 | # ${folder}/tls/redis.{crt,key} A certificate with no key usage/policy restrictions. 7 | # ${folder}/tls/client.{crt,key} A certificate restricted for SSL client usage. 8 | # ${folder}/tls/server.{crt,key} A certificate restricted fro SSL server usage. 9 | # ${folder}/tls/redis.dh DH Params file. 10 | 11 | generate_cert() { 12 | local name=$1 13 | local cn="$2" 14 | local opts="$3" 15 | local folder="$4" 16 | 17 | local keyfile=${folder}/${name}.key 18 | local certfile=${folder}/${name}.crt 19 | 20 | [ -f $keyfile ] || openssl genrsa -out $keyfile 2048 21 | openssl req \ 22 | -new -sha256 \ 23 | -subj "/O=Redis Learn/CN=$cn" \ 24 | -key $keyfile | \ 25 | openssl x509 \ 26 | -req -sha256 \ 27 | -CA ${folder}/ca.crt \ 28 | -CAkey ${folder}/ca.key \ 29 | -CAserial ${folder}/ca.txt \ 30 | -CAcreateserial \ 31 | -days 365 \ 32 | $opts \ 33 | -out $certfile 34 | } 35 | 36 | certs_folder=$1 37 | 38 | mkdir -p ${certs_folder} 39 | 40 | [ -f ${certs_folder}/ca.key ] || openssl genrsa -out ${certs_folder}/ca.key 4096 41 | openssl req \ 42 | -x509 -new -nodes -sha256 \ 43 | -key ${certs_folder}/ca.key \ 44 | -days 3650 \ 45 | -subj '/O=Redis Test/CN=Certificate Authority' \ 46 | -out ${certs_folder}/ca.crt 47 | 48 | cat > ${certs_folder}/openssl.cnf <<_END_ 49 | [ server_cert ] 50 | keyUsage = digitalSignature, keyEncipherment 51 | nsCertType = server 52 | 53 | [ client_cert ] 54 | keyUsage = digitalSignature, keyEncipherment 55 | nsCertType = client 56 | _END_ 57 | 58 | generate_cert server "Server-only" "-extfile ${certs_folder}/openssl.cnf -extensions server_cert" $certs_folder 59 | generate_cert client "Client-only" "-extfile ${certs_folder}/openssl.cnf -extensions client_cert" $certs_folder 60 | -------------------------------------------------------------------------------- /security-tls/redis.conf: -------------------------------------------------------------------------------- 1 | # Redis configuration file example. 2 | # 3 | # Note that in order to read the configuration file, Redis must be 4 | # started with the file path as first argument: 5 | # 6 | # ./redis-server /path/to/redis.conf 7 | 8 | # Note on units: when memory size is needed, it is possible to specify 9 | # it in the usual form of 1k 5GB 4M and so forth: 10 | # 11 | # 1k => 1000 bytes 12 | # 1kb => 1024 bytes 13 | # 1m => 1000000 bytes 14 | # 1mb => 1024*1024 bytes 15 | # 1g => 1000000000 bytes 16 | # 1gb => 1024*1024*1024 bytes 17 | # 18 | # units are case insensitive so 1GB 1Gb 1gB are all the same. 19 | 20 | ################################## INCLUDES ################################### 21 | 22 | # Include one or more other config files here. This is useful if you 23 | # have a standard template that goes to all Redis servers but also need 24 | # to customize a few per-server settings. Include files can include 25 | # other files, so use this wisely. 26 | # 27 | # Note that option "include" won't be rewritten by command "CONFIG REWRITE" 28 | # from admin or Redis Sentinel. Since Redis always uses the last processed 29 | # line as value of a configuration directive, you'd better put includes 30 | # at the beginning of this file to avoid overwriting config change at runtime. 31 | # 32 | # If instead you are interested in using includes to override configuration 33 | # options, it is better to use include as the last line. 34 | # 35 | # include /path/to/local.conf 36 | # include /path/to/other.conf 37 | 38 | ################################## MODULES ##################################### 39 | 40 | # Load modules at startup. If the server is not able to load modules 41 | # it will abort. It is possible to use multiple loadmodule directives. 42 | # 43 | # loadmodule /path/to/my_module.so 44 | # loadmodule /path/to/other_module.so 45 | 46 | ################################## NETWORK ##################################### 47 | 48 | # By default, if no "bind" configuration directive is specified, Redis listens 49 | # for connections from all available network interfaces on the host machine. 50 | # It is possible to listen to just one or multiple selected interfaces using 51 | # the "bind" configuration directive, followed by one or more IP addresses. 52 | # Each address can be prefixed by "-", which means that redis will not fail to 53 | # start if the address is not available. Being not available only refers to 54 | # addresses that does not correspond to any network interfece. Addresses that 55 | # are already in use will always fail, and unsupported protocols will always BE 56 | # silently skipped. 57 | # 58 | # Examples: 59 | # 60 | # bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses 61 | # bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6 62 | # bind * -::* # like the default, all available interfaces 63 | # 64 | # ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the 65 | # internet, binding to all the interfaces is dangerous and will expose the 66 | # instance to everybody on the internet. So by default we uncomment the 67 | # following bind directive, that will force Redis to listen only on the 68 | # IPv4 and IPv6 (if available) loopback interface addresses (this means Redis 69 | # will only be able to accept client connections from the same host that it is 70 | # running on). 71 | # 72 | # IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES 73 | # JUST COMMENT OUT THE FOLLOWING LINE. 74 | # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 75 | #bind 127.0.0.1 -::1 76 | 77 | # Protected mode is a layer of security protection, in order to avoid that 78 | # Redis instances left open on the internet are accessed and exploited. 79 | # 80 | # When protected mode is on and if: 81 | # 82 | # 1) The server is not binding explicitly to a set of addresses using the 83 | # "bind" directive. 84 | # 2) No password is configured. 85 | # 86 | # The server only accepts connections from clients connecting from the 87 | # IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain 88 | # sockets. 89 | # 90 | # By default protected mode is enabled. You should disable it only if 91 | # you are sure you want clients from other hosts to connect to Redis 92 | # even if no authentication is configured, nor a specific set of interfaces 93 | # are explicitly listed using the "bind" directive. 94 | protected-mode no 95 | 96 | # Accept connections on the specified port, default is 6379 (IANA #815344). 97 | # If port 0 is specified Redis will not listen on a TCP socket. 98 | port 6379 99 | 100 | # TCP listen() backlog. 101 | # 102 | # In high requests-per-second environments you need a high backlog in order 103 | # to avoid slow clients connection issues. Note that the Linux kernel 104 | # will silently truncate it to the value of /proc/sys/net/core/somaxconn so 105 | # make sure to raise both the value of somaxconn and tcp_max_syn_backlog 106 | # in order to get the desired effect. 107 | tcp-backlog 511 108 | 109 | # Unix socket. 110 | # 111 | # Specify the path for the Unix socket that will be used to listen for 112 | # incoming connections. There is no default, so Redis will not listen 113 | # on a unix socket when not specified. 114 | # 115 | # unixsocket /run/redis.sock 116 | # unixsocketperm 700 117 | 118 | # Close the connection after a client is idle for N seconds (0 to disable) 119 | timeout 0 120 | 121 | # TCP keepalive. 122 | # 123 | # If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence 124 | # of communication. This is useful for two reasons: 125 | # 126 | # 1) Detect dead peers. 127 | # 2) Force network equipment in the middle to consider the connection to be 128 | # alive. 129 | # 130 | # On Linux, the specified value (in seconds) is the period used to send ACKs. 131 | # Note that to close the connection the double of the time is needed. 132 | # On other kernels the period depends on the kernel configuration. 133 | # 134 | # A reasonable value for this option is 300 seconds, which is the new 135 | # Redis default starting with Redis 3.2.1. 136 | tcp-keepalive 300 137 | 138 | ################################# TLS/SSL ##################################### 139 | 140 | # By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration 141 | # directive can be used to define TLS-listening ports. To enable TLS on the 142 | # default port, use: 143 | # 144 | # port 0 145 | # tls-port 6379 146 | 147 | # Configure a X.509 certificate and private key to use for authenticating the 148 | # server to connected clients, masters or cluster peers. These files should be 149 | # PEM formatted. 150 | # 151 | # tls-cert-file redis.crt 152 | # tls-key-file redis.key 153 | 154 | # Normally Redis uses the same certificate for both server functions (accepting 155 | # connections) and client functions (replicating from a master, establishing 156 | # cluster bus connections, etc.). 157 | # 158 | # Sometimes certificates are issued with attributes that designate them as 159 | # client-only or server-only certificates. In that case it may be desired to use 160 | # different certificates for incoming (server) and outgoing (client) 161 | # connections. To do that, use the following directives: 162 | # 163 | # tls-client-cert-file client.crt 164 | # tls-client-key-file client.key 165 | 166 | # Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange: 167 | # 168 | # tls-dh-params-file redis.dh 169 | 170 | # Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL 171 | # clients and peers. Redis requires an explicit configuration of at least one 172 | # of these, and will not implicitly use the system wide configuration. 173 | # 174 | # tls-ca-cert-file ca.crt 175 | # tls-ca-cert-dir /etc/ssl/certs 176 | 177 | # By default, clients (including replica servers) on a TLS port are required 178 | # to authenticate using valid client side certificates. 179 | # 180 | # If "no" is specified, client certificates are not required and not accepted. 181 | # If "optional" is specified, client certificates are accepted and must be 182 | # valid if provided, but are not required. 183 | # 184 | # tls-auth-clients no 185 | # tls-auth-clients optional 186 | 187 | # By default, a Redis replica does not attempt to establish a TLS connection 188 | # with its master. 189 | # 190 | # Use the following directive to enable TLS on replication links. 191 | # 192 | # tls-replication yes 193 | 194 | # By default, the Redis Cluster bus uses a plain TCP connection. To enable 195 | # TLS for the bus protocol, use the following directive: 196 | # 197 | # tls-cluster yes 198 | 199 | # By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended 200 | # that older formally deprecated versions are kept disabled to reduce the attack surface. 201 | # You can explicitly specify TLS versions to support. 202 | # Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2", 203 | # "TLSv1.3" (OpenSSL >= 1.1.1) or any combination. 204 | # To enable only TLSv1.2 and TLSv1.3, use: 205 | # 206 | # tls-protocols "TLSv1.2 TLSv1.3" 207 | 208 | # Configure allowed ciphers. See the ciphers(1ssl) manpage for more information 209 | # about the syntax of this string. 210 | # 211 | # Note: this configuration applies only to <= TLSv1.2. 212 | # 213 | # tls-ciphers DEFAULT:!MEDIUM 214 | 215 | # Configure allowed TLSv1.3 ciphersuites. See the ciphers(1ssl) manpage for more 216 | # information about the syntax of this string, and specifically for TLSv1.3 217 | # ciphersuites. 218 | # 219 | # tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256 220 | 221 | # When choosing a cipher, use the server's preference instead of the client 222 | # preference. By default, the server follows the client's preference. 223 | # 224 | # tls-prefer-server-ciphers yes 225 | 226 | # By default, TLS session caching is enabled to allow faster and less expensive 227 | # reconnections by clients that support it. Use the following directive to disable 228 | # caching. 229 | # 230 | # tls-session-caching no 231 | 232 | # Change the default number of TLS sessions cached. A zero value sets the cache 233 | # to unlimited size. The default size is 20480. 234 | # 235 | # tls-session-cache-size 5000 236 | 237 | # Change the default timeout of cached TLS sessions. The default timeout is 300 238 | # seconds. 239 | # 240 | # tls-session-cache-timeout 60 241 | 242 | ################################# GENERAL ##################################### 243 | 244 | # By default Redis does not run as a daemon. Use 'yes' if you need it. 245 | # Note that Redis will write a pid file in /var/run/redis.pid when daemonized. 246 | # When Redis is supervised by upstart or systemd, this parameter has no impact. 247 | daemonize no 248 | 249 | # If you run Redis from upstart or systemd, Redis can interact with your 250 | # supervision tree. Options: 251 | # supervised no - no supervision interaction 252 | # supervised upstart - signal upstart by putting Redis into SIGSTOP mode 253 | # requires "expect stop" in your upstart job config 254 | # supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET 255 | # on startup, and updating Redis status on a regular 256 | # basis. 257 | # supervised auto - detect upstart or systemd method based on 258 | # UPSTART_JOB or NOTIFY_SOCKET environment variables 259 | # Note: these supervision methods only signal "process is ready." 260 | # They do not enable continuous pings back to your supervisor. 261 | # 262 | # The default is "no". To run under upstart/systemd, you can simply uncomment 263 | # the line below: 264 | # 265 | # supervised auto 266 | 267 | # If a pid file is specified, Redis writes it where specified at startup 268 | # and removes it at exit. 269 | # 270 | # When the server runs non daemonized, no pid file is created if none is 271 | # specified in the configuration. When the server is daemonized, the pid file 272 | # is used even if not specified, defaulting to "/var/run/redis.pid". 273 | # 274 | # Creating a pid file is best effort: if Redis is not able to create it 275 | # nothing bad happens, the server will start and run normally. 276 | # 277 | # Note that on modern Linux systems "/run/redis.pid" is more conforming 278 | # and should be used instead. 279 | pidfile /var/run/redis_6379.pid 280 | 281 | # Specify the server verbosity level. 282 | # This can be one of: 283 | # debug (a lot of information, useful for development/testing) 284 | # verbose (many rarely useful info, but not a mess like the debug level) 285 | # notice (moderately verbose, what you want in production probably) 286 | # warning (only very important / critical messages are logged) 287 | loglevel notice 288 | 289 | # Specify the log file name. Also the empty string can be used to force 290 | # Redis to log on the standard output. Note that if you use standard 291 | # output for logging but daemonize, logs will be sent to /dev/null 292 | logfile "" 293 | 294 | # To enable logging to the system logger, just set 'syslog-enabled' to yes, 295 | # and optionally update the other syslog parameters to suit your needs. 296 | # syslog-enabled no 297 | 298 | # Specify the syslog identity. 299 | # syslog-ident redis 300 | 301 | # Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. 302 | # syslog-facility local0 303 | 304 | # To disable the built in crash log, which will possibly produce cleaner core 305 | # dumps when they are needed, uncomment the following: 306 | # 307 | # crash-log-enabled no 308 | 309 | # To disable the fast memory check that's run as part of the crash log, which 310 | # will possibly let redis terminate sooner, uncomment the following: 311 | # 312 | # crash-memcheck-enabled no 313 | 314 | # Set the number of databases. The default database is DB 0, you can select 315 | # a different one on a per-connection basis using SELECT where 316 | # dbid is a number between 0 and 'databases'-1 317 | databases 16 318 | 319 | # By default Redis shows an ASCII art logo only when started to log to the 320 | # standard output and if the standard output is a TTY and syslog logging is 321 | # disabled. Basically this means that normally a logo is displayed only in 322 | # interactive sessions. 323 | # 324 | # However it is possible to force the pre-4.0 behavior and always show a 325 | # ASCII art logo in startup logs by setting the following option to yes. 326 | always-show-logo no 327 | 328 | # By default, Redis modifies the process title (as seen in 'top' and 'ps') to 329 | # provide some runtime information. It is possible to disable this and leave 330 | # the process name as executed by setting the following to no. 331 | set-proc-title yes 332 | 333 | # When changing the process title, Redis uses the following template to construct 334 | # the modified title. 335 | # 336 | # Template variables are specified in curly brackets. The following variables are 337 | # supported: 338 | # 339 | # {title} Name of process as executed if parent, or type of child process. 340 | # {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or 341 | # Unix socket if only that's available. 342 | # {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]". 343 | # {port} TCP port listening on, or 0. 344 | # {tls-port} TLS port listening on, or 0. 345 | # {unixsocket} Unix domain socket listening on, or "". 346 | # {config-file} Name of configuration file used. 347 | # 348 | proc-title-template "{title} {listen-addr} {server-mode}" 349 | 350 | ################################ SNAPSHOTTING ################################ 351 | 352 | # Save the DB to disk. 353 | # 354 | # save 355 | # 356 | # Redis will save the DB if both the given number of seconds and the given 357 | # number of write operations against the DB occurred. 358 | # 359 | # Snapshotting can be completely disabled with a single empty string argument 360 | # as in following example: 361 | # 362 | # save "" 363 | # 364 | # Unless specified otherwise, by default Redis will save the DB: 365 | # * After 3600 seconds (an hour) if at least 1 key changed 366 | # * After 300 seconds (5 minutes) if at least 100 keys changed 367 | # * After 60 seconds if at least 10000 keys changed 368 | # 369 | # You can set these explicitly by uncommenting the three following lines. 370 | # 371 | # save 3600 1 372 | # save 300 100 373 | # save 60 10000 374 | 375 | # By default Redis will stop accepting writes if RDB snapshots are enabled 376 | # (at least one save point) and the latest background save failed. 377 | # This will make the user aware (in a hard way) that data is not persisting 378 | # on disk properly, otherwise chances are that no one will notice and some 379 | # disaster will happen. 380 | # 381 | # If the background saving process will start working again Redis will 382 | # automatically allow writes again. 383 | # 384 | # However if you have setup your proper monitoring of the Redis server 385 | # and persistence, you may want to disable this feature so that Redis will 386 | # continue to work as usual even if there are problems with disk, 387 | # permissions, and so forth. 388 | stop-writes-on-bgsave-error yes 389 | 390 | # Compress string objects using LZF when dump .rdb databases? 391 | # By default compression is enabled as it's almost always a win. 392 | # If you want to save some CPU in the saving child set it to 'no' but 393 | # the dataset will likely be bigger if you have compressible values or keys. 394 | rdbcompression yes 395 | 396 | # Since version 5 of RDB a CRC64 checksum is placed at the end of the file. 397 | # This makes the format more resistant to corruption but there is a performance 398 | # hit to pay (around 10%) when saving and loading RDB files, so you can disable it 399 | # for maximum performances. 400 | # 401 | # RDB files created with checksum disabled have a checksum of zero that will 402 | # tell the loading code to skip the check. 403 | rdbchecksum yes 404 | 405 | # Enables or disables full sanitation checks for ziplist and listpack etc when 406 | # loading an RDB or RESTORE payload. This reduces the chances of a assertion or 407 | # crash later on while processing commands. 408 | # Options: 409 | # no - Never perform full sanitation 410 | # yes - Always perform full sanitation 411 | # clients - Perform full sanitation only for user connections. 412 | # Excludes: RDB files, RESTORE commands received from the master 413 | # connection, and client connections which have the 414 | # skip-sanitize-payload ACL flag. 415 | # The default should be 'clients' but since it currently affects cluster 416 | # resharding via MIGRATE, it is temporarily set to 'no' by default. 417 | # 418 | # sanitize-dump-payload no 419 | 420 | # The filename where to dump the DB 421 | dbfilename dump.rdb 422 | 423 | # Remove RDB files used by replication in instances without persistence 424 | # enabled. By default this option is disabled, however there are environments 425 | # where for regulations or other security concerns, RDB files persisted on 426 | # disk by masters in order to feed replicas, or stored on disk by replicas 427 | # in order to load them for the initial synchronization, should be deleted 428 | # ASAP. Note that this option ONLY WORKS in instances that have both AOF 429 | # and RDB persistence disabled, otherwise is completely ignored. 430 | # 431 | # An alternative (and sometimes better) way to obtain the same effect is 432 | # to use diskless replication on both master and replicas instances. However 433 | # in the case of replicas, diskless is not always an option. 434 | rdb-del-sync-files no 435 | 436 | # The working directory. 437 | # 438 | # The DB will be written inside this directory, with the filename specified 439 | # above using the 'dbfilename' configuration directive. 440 | # 441 | # The Append Only File will also be created inside this directory. 442 | # 443 | # Note that you must specify a directory here, not a file name. 444 | dir ./ 445 | 446 | ################################# REPLICATION ################################# 447 | 448 | # Master-Replica replication. Use replicaof to make a Redis instance a copy of 449 | # another Redis server. A few things to understand ASAP about Redis replication. 450 | # 451 | # +------------------+ +---------------+ 452 | # | Master | ---> | Replica | 453 | # | (receive writes) | | (exact copy) | 454 | # +------------------+ +---------------+ 455 | # 456 | # 1) Redis replication is asynchronous, but you can configure a master to 457 | # stop accepting writes if it appears to be not connected with at least 458 | # a given number of replicas. 459 | # 2) Redis replicas are able to perform a partial resynchronization with the 460 | # master if the replication link is lost for a relatively small amount of 461 | # time. You may want to configure the replication backlog size (see the next 462 | # sections of this file) with a sensible value depending on your needs. 463 | # 3) Replication is automatic and does not need user intervention. After a 464 | # network partition replicas automatically try to reconnect to masters 465 | # and resynchronize with them. 466 | # 467 | # replicaof 468 | 469 | # If the master is password protected (using the "requirepass" configuration 470 | # directive below) it is possible to tell the replica to authenticate before 471 | # starting the replication synchronization process, otherwise the master will 472 | # refuse the replica request. 473 | # 474 | # masterauth 475 | # 476 | # However this is not enough if you are using Redis ACLs (for Redis version 477 | # 6 or greater), and the default user is not capable of running the PSYNC 478 | # command and/or other commands needed for replication. In this case it's 479 | # better to configure a special user to use with replication, and specify the 480 | # masteruser configuration as such: 481 | # 482 | # masteruser 483 | # 484 | # When masteruser is specified, the replica will authenticate against its 485 | # master using the new AUTH form: AUTH . 486 | 487 | # When a replica loses its connection with the master, or when the replication 488 | # is still in progress, the replica can act in two different ways: 489 | # 490 | # 1) if replica-serve-stale-data is set to 'yes' (the default) the replica will 491 | # still reply to client requests, possibly with out of date data, or the 492 | # data set may just be empty if this is the first synchronization. 493 | # 494 | # 2) If replica-serve-stale-data is set to 'no' the replica will reply with 495 | # an error "SYNC with master in progress" to all commands except: 496 | # INFO, REPLICAOF, AUTH, PING, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE, 497 | # UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST, 498 | # HOST and LATENCY. 499 | # 500 | replica-serve-stale-data yes 501 | 502 | # You can configure a replica instance to accept writes or not. Writing against 503 | # a replica instance may be useful to store some ephemeral data (because data 504 | # written on a replica will be easily deleted after resync with the master) but 505 | # may also cause problems if clients are writing to it because of a 506 | # misconfiguration. 507 | # 508 | # Since Redis 2.6 by default replicas are read-only. 509 | # 510 | # Note: read only replicas are not designed to be exposed to untrusted clients 511 | # on the internet. It's just a protection layer against misuse of the instance. 512 | # Still a read only replica exports by default all the administrative commands 513 | # such as CONFIG, DEBUG, and so forth. To a limited extent you can improve 514 | # security of read only replicas using 'rename-command' to shadow all the 515 | # administrative / dangerous commands. 516 | replica-read-only yes 517 | 518 | # Replication SYNC strategy: disk or socket. 519 | # 520 | # New replicas and reconnecting replicas that are not able to continue the 521 | # replication process just receiving differences, need to do what is called a 522 | # "full synchronization". An RDB file is transmitted from the master to the 523 | # replicas. 524 | # 525 | # The transmission can happen in two different ways: 526 | # 527 | # 1) Disk-backed: The Redis master creates a new process that writes the RDB 528 | # file on disk. Later the file is transferred by the parent 529 | # process to the replicas incrementally. 530 | # 2) Diskless: The Redis master creates a new process that directly writes the 531 | # RDB file to replica sockets, without touching the disk at all. 532 | # 533 | # With disk-backed replication, while the RDB file is generated, more replicas 534 | # can be queued and served with the RDB file as soon as the current child 535 | # producing the RDB file finishes its work. With diskless replication instead 536 | # once the transfer starts, new replicas arriving will be queued and a new 537 | # transfer will start when the current one terminates. 538 | # 539 | # When diskless replication is used, the master waits a configurable amount of 540 | # time (in seconds) before starting the transfer in the hope that multiple 541 | # replicas will arrive and the transfer can be parallelized. 542 | # 543 | # With slow disks and fast (large bandwidth) networks, diskless replication 544 | # works better. 545 | repl-diskless-sync no 546 | 547 | # When diskless replication is enabled, it is possible to configure the delay 548 | # the server waits in order to spawn the child that transfers the RDB via socket 549 | # to the replicas. 550 | # 551 | # This is important since once the transfer starts, it is not possible to serve 552 | # new replicas arriving, that will be queued for the next RDB transfer, so the 553 | # server waits a delay in order to let more replicas arrive. 554 | # 555 | # The delay is specified in seconds, and by default is 5 seconds. To disable 556 | # it entirely just set it to 0 seconds and the transfer will start ASAP. 557 | repl-diskless-sync-delay 5 558 | 559 | # ----------------------------------------------------------------------------- 560 | # WARNING: RDB diskless load is experimental. Since in this setup the replica 561 | # does not immediately store an RDB on disk, it may cause data loss during 562 | # failovers. RDB diskless load + Redis modules not handling I/O reads may also 563 | # cause Redis to abort in case of I/O errors during the initial synchronization 564 | # stage with the master. Use only if you know what you are doing. 565 | # ----------------------------------------------------------------------------- 566 | # 567 | # Replica can load the RDB it reads from the replication link directly from the 568 | # socket, or store the RDB to a file and read that file after it was completely 569 | # received from the master. 570 | # 571 | # In many cases the disk is slower than the network, and storing and loading 572 | # the RDB file may increase replication time (and even increase the master's 573 | # Copy on Write memory and salve buffers). 574 | # However, parsing the RDB file directly from the socket may mean that we have 575 | # to flush the contents of the current database before the full rdb was 576 | # received. For this reason we have the following options: 577 | # 578 | # "disabled" - Don't use diskless load (store the rdb file to the disk first) 579 | # "on-empty-db" - Use diskless load only when it is completely safe. 580 | # "swapdb" - Keep a copy of the current db contents in RAM while parsing 581 | # the data directly from the socket. note that this requires 582 | # sufficient memory, if you don't have it, you risk an OOM kill. 583 | repl-diskless-load disabled 584 | 585 | # Replicas send PINGs to server in a predefined interval. It's possible to 586 | # change this interval with the repl_ping_replica_period option. The default 587 | # value is 10 seconds. 588 | # 589 | # repl-ping-replica-period 10 590 | 591 | # The following option sets the replication timeout for: 592 | # 593 | # 1) Bulk transfer I/O during SYNC, from the point of view of replica. 594 | # 2) Master timeout from the point of view of replicas (data, pings). 595 | # 3) Replica timeout from the point of view of masters (REPLCONF ACK pings). 596 | # 597 | # It is important to make sure that this value is greater than the value 598 | # specified for repl-ping-replica-period otherwise a timeout will be detected 599 | # every time there is low traffic between the master and the replica. The default 600 | # value is 60 seconds. 601 | # 602 | # repl-timeout 60 603 | 604 | # Disable TCP_NODELAY on the replica socket after SYNC? 605 | # 606 | # If you select "yes" Redis will use a smaller number of TCP packets and 607 | # less bandwidth to send data to replicas. But this can add a delay for 608 | # the data to appear on the replica side, up to 40 milliseconds with 609 | # Linux kernels using a default configuration. 610 | # 611 | # If you select "no" the delay for data to appear on the replica side will 612 | # be reduced but more bandwidth will be used for replication. 613 | # 614 | # By default we optimize for low latency, but in very high traffic conditions 615 | # or when the master and replicas are many hops away, turning this to "yes" may 616 | # be a good idea. 617 | repl-disable-tcp-nodelay no 618 | 619 | # Set the replication backlog size. The backlog is a buffer that accumulates 620 | # replica data when replicas are disconnected for some time, so that when a 621 | # replica wants to reconnect again, often a full resync is not needed, but a 622 | # partial resync is enough, just passing the portion of data the replica 623 | # missed while disconnected. 624 | # 625 | # The bigger the replication backlog, the longer the replica can endure the 626 | # disconnect and later be able to perform a partial resynchronization. 627 | # 628 | # The backlog is only allocated if there is at least one replica connected. 629 | # 630 | # repl-backlog-size 1mb 631 | 632 | # After a master has no connected replicas for some time, the backlog will be 633 | # freed. The following option configures the amount of seconds that need to 634 | # elapse, starting from the time the last replica disconnected, for the backlog 635 | # buffer to be freed. 636 | # 637 | # Note that replicas never free the backlog for timeout, since they may be 638 | # promoted to masters later, and should be able to correctly "partially 639 | # resynchronize" with other replicas: hence they should always accumulate backlog. 640 | # 641 | # A value of 0 means to never release the backlog. 642 | # 643 | # repl-backlog-ttl 3600 644 | 645 | # The replica priority is an integer number published by Redis in the INFO 646 | # output. It is used by Redis Sentinel in order to select a replica to promote 647 | # into a master if the master is no longer working correctly. 648 | # 649 | # A replica with a low priority number is considered better for promotion, so 650 | # for instance if there are three replicas with priority 10, 100, 25 Sentinel 651 | # will pick the one with priority 10, that is the lowest. 652 | # 653 | # However a special priority of 0 marks the replica as not able to perform the 654 | # role of master, so a replica with priority of 0 will never be selected by 655 | # Redis Sentinel for promotion. 656 | # 657 | # By default the priority is 100. 658 | replica-priority 100 659 | 660 | # It is possible for a master to stop accepting writes if there are less than 661 | # N replicas connected, having a lag less or equal than M seconds. 662 | # 663 | # The N replicas need to be in "online" state. 664 | # 665 | # The lag in seconds, that must be <= the specified value, is calculated from 666 | # the last ping received from the replica, that is usually sent every second. 667 | # 668 | # This option does not GUARANTEE that N replicas will accept the write, but 669 | # will limit the window of exposure for lost writes in case not enough replicas 670 | # are available, to the specified number of seconds. 671 | # 672 | # For example to require at least 3 replicas with a lag <= 10 seconds use: 673 | # 674 | # min-replicas-to-write 3 675 | # min-replicas-max-lag 10 676 | # 677 | # Setting one or the other to 0 disables the feature. 678 | # 679 | # By default min-replicas-to-write is set to 0 (feature disabled) and 680 | # min-replicas-max-lag is set to 10. 681 | 682 | # A Redis master is able to list the address and port of the attached 683 | # replicas in different ways. For example the "INFO replication" section 684 | # offers this information, which is used, among other tools, by 685 | # Redis Sentinel in order to discover replica instances. 686 | # Another place where this info is available is in the output of the 687 | # "ROLE" command of a master. 688 | # 689 | # The listed IP address and port normally reported by a replica is 690 | # obtained in the following way: 691 | # 692 | # IP: The address is auto detected by checking the peer address 693 | # of the socket used by the replica to connect with the master. 694 | # 695 | # Port: The port is communicated by the replica during the replication 696 | # handshake, and is normally the port that the replica is using to 697 | # listen for connections. 698 | # 699 | # However when port forwarding or Network Address Translation (NAT) is 700 | # used, the replica may actually be reachable via different IP and port 701 | # pairs. The following two options can be used by a replica in order to 702 | # report to its master a specific set of IP and port, so that both INFO 703 | # and ROLE will report those values. 704 | # 705 | # There is no need to use both the options if you need to override just 706 | # the port or the IP address. 707 | # 708 | # replica-announce-ip 5.5.5.5 709 | # replica-announce-port 1234 710 | 711 | ############################### KEYS TRACKING ################################# 712 | 713 | # Redis implements server assisted support for client side caching of values. 714 | # This is implemented using an invalidation table that remembers, using 715 | # a radix key indexed by key name, what clients have which keys. In turn 716 | # this is used in order to send invalidation messages to clients. Please 717 | # check this page to understand more about the feature: 718 | # 719 | # https://redis.io/topics/client-side-caching 720 | # 721 | # When tracking is enabled for a client, all the read only queries are assumed 722 | # to be cached: this will force Redis to store information in the invalidation 723 | # table. When keys are modified, such information is flushed away, and 724 | # invalidation messages are sent to the clients. However if the workload is 725 | # heavily dominated by reads, Redis could use more and more memory in order 726 | # to track the keys fetched by many clients. 727 | # 728 | # For this reason it is possible to configure a maximum fill value for the 729 | # invalidation table. By default it is set to 1M of keys, and once this limit 730 | # is reached, Redis will start to evict keys in the invalidation table 731 | # even if they were not modified, just to reclaim memory: this will in turn 732 | # force the clients to invalidate the cached values. Basically the table 733 | # maximum size is a trade off between the memory you want to spend server 734 | # side to track information about who cached what, and the ability of clients 735 | # to retain cached objects in memory. 736 | # 737 | # If you set the value to 0, it means there are no limits, and Redis will 738 | # retain as many keys as needed in the invalidation table. 739 | # In the "stats" INFO section, you can find information about the number of 740 | # keys in the invalidation table at every given moment. 741 | # 742 | # Note: when key tracking is used in broadcasting mode, no memory is used 743 | # in the server side so this setting is useless. 744 | # 745 | # tracking-table-max-keys 1000000 746 | 747 | ################################## SECURITY ################################### 748 | 749 | # Warning: since Redis is pretty fast, an outside user can try up to 750 | # 1 million passwords per second against a modern box. This means that you 751 | # should use very strong passwords, otherwise they will be very easy to break. 752 | # Note that because the password is really a shared secret between the client 753 | # and the server, and should not be memorized by any human, the password 754 | # can be easily a long string from /dev/urandom or whatever, so by using a 755 | # long and unguessable password no brute force attack will be possible. 756 | 757 | # Redis ACL users are defined in the following format: 758 | # 759 | # user ... acl rules ... 760 | # 761 | # For example: 762 | # 763 | # user worker +@list +@connection ~jobs:* on >ffa9203c493aa99 764 | # 765 | # The special username "default" is used for new connections. If this user 766 | # has the "nopass" rule, then new connections will be immediately authenticated 767 | # as the "default" user without the need of any password provided via the 768 | # AUTH command. Otherwise if the "default" user is not flagged with "nopass" 769 | # the connections will start in not authenticated state, and will require 770 | # AUTH (or the HELLO command AUTH option) in order to be authenticated and 771 | # start to work. 772 | # 773 | # The ACL rules that describe what a user can do are the following: 774 | # 775 | # on Enable the user: it is possible to authenticate as this user. 776 | # off Disable the user: it's no longer possible to authenticate 777 | # with this user, however the already authenticated connections 778 | # will still work. 779 | # skip-sanitize-payload RESTORE dump-payload sanitation is skipped. 780 | # sanitize-payload RESTORE dump-payload is sanitized (default). 781 | # + Allow the execution of that command 782 | # - Disallow the execution of that command 783 | # +@ Allow the execution of all the commands in such category 784 | # with valid categories are like @admin, @set, @sortedset, ... 785 | # and so forth, see the full list in the server.c file where 786 | # the Redis command table is described and defined. 787 | # The special category @all means all the commands, but currently 788 | # present in the server, and that will be loaded in the future 789 | # via modules. 790 | # +|subcommand Allow a specific subcommand of an otherwise 791 | # disabled command. Note that this form is not 792 | # allowed as negative like -DEBUG|SEGFAULT, but 793 | # only additive starting with "+". 794 | # allcommands Alias for +@all. Note that it implies the ability to execute 795 | # all the future commands loaded via the modules system. 796 | # nocommands Alias for -@all. 797 | # ~ Add a pattern of keys that can be mentioned as part of 798 | # commands. For instance ~* allows all the keys. The pattern 799 | # is a glob-style pattern like the one of KEYS. 800 | # It is possible to specify multiple patterns. 801 | # allkeys Alias for ~* 802 | # resetkeys Flush the list of allowed keys patterns. 803 | # & Add a glob-style pattern of Pub/Sub channels that can be 804 | # accessed by the user. It is possible to specify multiple channel 805 | # patterns. 806 | # allchannels Alias for &* 807 | # resetchannels Flush the list of allowed channel patterns. 808 | # > Add this password to the list of valid password for the user. 809 | # For example >mypass will add "mypass" to the list. 810 | # This directive clears the "nopass" flag (see later). 811 | # < Remove this password from the list of valid passwords. 812 | # nopass All the set passwords of the user are removed, and the user 813 | # is flagged as requiring no password: it means that every 814 | # password will work against this user. If this directive is 815 | # used for the default user, every new connection will be 816 | # immediately authenticated with the default user without 817 | # any explicit AUTH command required. Note that the "resetpass" 818 | # directive will clear this condition. 819 | # resetpass Flush the list of allowed passwords. Moreover removes the 820 | # "nopass" status. After "resetpass" the user has no associated 821 | # passwords and there is no way to authenticate without adding 822 | # some password (or setting it as "nopass" later). 823 | # reset Performs the following actions: resetpass, resetkeys, off, 824 | # -@all. The user returns to the same state it has immediately 825 | # after its creation. 826 | # 827 | # ACL rules can be specified in any order: for instance you can start with 828 | # passwords, then flags, or key patterns. However note that the additive 829 | # and subtractive rules will CHANGE MEANING depending on the ordering. 830 | # For instance see the following example: 831 | # 832 | # user alice on +@all -DEBUG ~* >somepassword 833 | # 834 | # This will allow "alice" to use all the commands with the exception of the 835 | # DEBUG command, since +@all added all the commands to the set of the commands 836 | # alice can use, and later DEBUG was removed. However if we invert the order 837 | # of two ACL rules the result will be different: 838 | # 839 | # user alice on -DEBUG +@all ~* >somepassword 840 | # 841 | # Now DEBUG was removed when alice had yet no commands in the set of allowed 842 | # commands, later all the commands are added, so the user will be able to 843 | # execute everything. 844 | # 845 | # Basically ACL rules are processed left-to-right. 846 | # 847 | # For more information about ACL configuration please refer to 848 | # the Redis web site at https://redis.io/topics/acl 849 | 850 | # ACL LOG 851 | # 852 | # The ACL Log tracks failed commands and authentication events associated 853 | # with ACLs. The ACL Log is useful to troubleshoot failed commands blocked 854 | # by ACLs. The ACL Log is stored in memory. You can reclaim memory with 855 | # ACL LOG RESET. Define the maximum entry length of the ACL Log below. 856 | acllog-max-len 128 857 | 858 | # Using an external ACL file 859 | # 860 | # Instead of configuring users here in this file, it is possible to use 861 | # a stand-alone file just listing users. The two methods cannot be mixed: 862 | # if you configure users here and at the same time you activate the external 863 | # ACL file, the server will refuse to start. 864 | # 865 | # The format of the external ACL user file is exactly the same as the 866 | # format that is used inside redis.conf to describe users. 867 | # 868 | # aclfile /etc/redis/users.acl 869 | 870 | # IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatibility 871 | # layer on top of the new ACL system. The option effect will be just setting 872 | # the password for the default user. Clients will still authenticate using 873 | # AUTH as usually, or more explicitly with AUTH default 874 | # if they follow the new protocol: both will work. 875 | # 876 | # The requirepass is not compatable with aclfile option and the ACL LOAD 877 | # command, these will cause requirepass to be ignored. 878 | # 879 | # requirepass foobared 880 | 881 | # New users are initialized with restrictive permissions by default, via the 882 | # equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it 883 | # is possible to manage access to Pub/Sub channels with ACL rules as well. The 884 | # default Pub/Sub channels permission if new users is controlled by the 885 | # acl-pubsub-default configuration directive, which accepts one of these values: 886 | # 887 | # allchannels: grants access to all Pub/Sub channels 888 | # resetchannels: revokes access to all Pub/Sub channels 889 | # 890 | # To ensure backward compatibility while upgrading Redis 6.0, acl-pubsub-default 891 | # defaults to the 'allchannels' permission. 892 | # 893 | # Future compatibility note: it is very likely that in a future version of Redis 894 | # the directive's default of 'allchannels' will be changed to 'resetchannels' in 895 | # order to provide better out-of-the-box Pub/Sub security. Therefore, it is 896 | # recommended that you explicitly define Pub/Sub permissions for all users 897 | # rather then rely on implicit default values. Once you've set explicit 898 | # Pub/Sub for all exisitn users, you should uncomment the following line. 899 | # 900 | # acl-pubsub-default resetchannels 901 | 902 | # Command renaming (DEPRECATED). 903 | # 904 | # ------------------------------------------------------------------------ 905 | # WARNING: avoid using this option if possible. Instead use ACLs to remove 906 | # commands from the default user, and put them only in some admin user you 907 | # create for administrative purposes. 908 | # ------------------------------------------------------------------------ 909 | # 910 | # It is possible to change the name of dangerous commands in a shared 911 | # environment. For instance the CONFIG command may be renamed into something 912 | # hard to guess so that it will still be available for internal-use tools 913 | # but not available for general clients. 914 | # 915 | # Example: 916 | # 917 | # rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 918 | # 919 | # It is also possible to completely kill a command by renaming it into 920 | # an empty string: 921 | # 922 | # rename-command CONFIG "" 923 | # 924 | # Please note that changing the name of commands that are logged into the 925 | # AOF file or transmitted to replicas may cause problems. 926 | 927 | ################################### CLIENTS #################################### 928 | 929 | # Set the max number of connected clients at the same time. By default 930 | # this limit is set to 10000 clients, however if the Redis server is not 931 | # able to configure the process file limit to allow for the specified limit 932 | # the max number of allowed clients is set to the current file limit 933 | # minus 32 (as Redis reserves a few file descriptors for internal uses). 934 | # 935 | # Once the limit is reached Redis will close all the new connections sending 936 | # an error 'max number of clients reached'. 937 | # 938 | # IMPORTANT: When Redis Cluster is used, the max number of connections is also 939 | # shared with the cluster bus: every node in the cluster will use two 940 | # connections, one incoming and another outgoing. It is important to size the 941 | # limit accordingly in case of very large clusters. 942 | # 943 | # maxclients 10000 944 | 945 | ############################## MEMORY MANAGEMENT ################################ 946 | 947 | # Set a memory usage limit to the specified amount of bytes. 948 | # When the memory limit is reached Redis will try to remove keys 949 | # according to the eviction policy selected (see maxmemory-policy). 950 | # 951 | # If Redis can't remove keys according to the policy, or if the policy is 952 | # set to 'noeviction', Redis will start to reply with errors to commands 953 | # that would use more memory, like SET, LPUSH, and so on, and will continue 954 | # to reply to read-only commands like GET. 955 | # 956 | # This option is usually useful when using Redis as an LRU or LFU cache, or to 957 | # set a hard memory limit for an instance (using the 'noeviction' policy). 958 | # 959 | # WARNING: If you have replicas attached to an instance with maxmemory on, 960 | # the size of the output buffers needed to feed the replicas are subtracted 961 | # from the used memory count, so that network problems / resyncs will 962 | # not trigger a loop where keys are evicted, and in turn the output 963 | # buffer of replicas is full with DELs of keys evicted triggering the deletion 964 | # of more keys, and so forth until the database is completely emptied. 965 | # 966 | # In short... if you have replicas attached it is suggested that you set a lower 967 | # limit for maxmemory so that there is some free RAM on the system for replica 968 | # output buffers (but this is not needed if the policy is 'noeviction'). 969 | # 970 | # maxmemory 971 | 972 | # MAXMEMORY POLICY: how Redis will select what to remove when maxmemory 973 | # is reached. You can select one from the following behaviors: 974 | # 975 | # volatile-lru -> Evict using approximated LRU, only keys with an expire set. 976 | # allkeys-lru -> Evict any key using approximated LRU. 977 | # volatile-lfu -> Evict using approximated LFU, only keys with an expire set. 978 | # allkeys-lfu -> Evict any key using approximated LFU. 979 | # volatile-random -> Remove a random key having an expire set. 980 | # allkeys-random -> Remove a random key, any key. 981 | # volatile-ttl -> Remove the key with the nearest expire time (minor TTL) 982 | # noeviction -> Don't evict anything, just return an error on write operations. 983 | # 984 | # LRU means Least Recently Used 985 | # LFU means Least Frequently Used 986 | # 987 | # Both LRU, LFU and volatile-ttl are implemented using approximated 988 | # randomized algorithms. 989 | # 990 | # Note: with any of the above policies, when there are no suitable keys for 991 | # eviction, Redis will return an error on write operations that require 992 | # more memory. These are usually commands that create new keys, add data or 993 | # modify existing keys. A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE, 994 | # SORT (due to the STORE argument), and EXEC (if the transaction includes any 995 | # command that requires memory). 996 | # 997 | # The default is: 998 | # 999 | # maxmemory-policy noeviction 1000 | 1001 | # LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated 1002 | # algorithms (in order to save memory), so you can tune it for speed or 1003 | # accuracy. By default Redis will check five keys and pick the one that was 1004 | # used least recently, you can change the sample size using the following 1005 | # configuration directive. 1006 | # 1007 | # The default of 5 produces good enough results. 10 Approximates very closely 1008 | # true LRU but costs more CPU. 3 is faster but not very accurate. 1009 | # 1010 | # maxmemory-samples 5 1011 | 1012 | # Eviction processing is designed to function well with the default setting. 1013 | # If there is an unusually large amount of write traffic, this value may need to 1014 | # be increased. Decreasing this value may reduce latency at the risk of 1015 | # eviction processing effectiveness 1016 | # 0 = minimum latency, 10 = default, 100 = process without regard to latency 1017 | # 1018 | # maxmemory-eviction-tenacity 10 1019 | 1020 | # Starting from Redis 5, by default a replica will ignore its maxmemory setting 1021 | # (unless it is promoted to master after a failover or manually). It means 1022 | # that the eviction of keys will be just handled by the master, sending the 1023 | # DEL commands to the replica as keys evict in the master side. 1024 | # 1025 | # This behavior ensures that masters and replicas stay consistent, and is usually 1026 | # what you want, however if your replica is writable, or you want the replica 1027 | # to have a different memory setting, and you are sure all the writes performed 1028 | # to the replica are idempotent, then you may change this default (but be sure 1029 | # to understand what you are doing). 1030 | # 1031 | # Note that since the replica by default does not evict, it may end using more 1032 | # memory than the one set via maxmemory (there are certain buffers that may 1033 | # be larger on the replica, or data structures may sometimes take more memory 1034 | # and so forth). So make sure you monitor your replicas and make sure they 1035 | # have enough memory to never hit a real out-of-memory condition before the 1036 | # master hits the configured maxmemory setting. 1037 | # 1038 | # replica-ignore-maxmemory yes 1039 | 1040 | # Redis reclaims expired keys in two ways: upon access when those keys are 1041 | # found to be expired, and also in background, in what is called the 1042 | # "active expire key". The key space is slowly and interactively scanned 1043 | # looking for expired keys to reclaim, so that it is possible to free memory 1044 | # of keys that are expired and will never be accessed again in a short time. 1045 | # 1046 | # The default effort of the expire cycle will try to avoid having more than 1047 | # ten percent of expired keys still in memory, and will try to avoid consuming 1048 | # more than 25% of total memory and to add latency to the system. However 1049 | # it is possible to increase the expire "effort" that is normally set to 1050 | # "1", to a greater value, up to the value "10". At its maximum value the 1051 | # system will use more CPU, longer cycles (and technically may introduce 1052 | # more latency), and will tolerate less already expired keys still present 1053 | # in the system. It's a tradeoff between memory, CPU and latency. 1054 | # 1055 | # active-expire-effort 1 1056 | 1057 | ############################# LAZY FREEING #################################### 1058 | 1059 | # Redis has two primitives to delete keys. One is called DEL and is a blocking 1060 | # deletion of the object. It means that the server stops processing new commands 1061 | # in order to reclaim all the memory associated with an object in a synchronous 1062 | # way. If the key deleted is associated with a small object, the time needed 1063 | # in order to execute the DEL command is very small and comparable to most other 1064 | # O(1) or O(log_N) commands in Redis. However if the key is associated with an 1065 | # aggregated value containing millions of elements, the server can block for 1066 | # a long time (even seconds) in order to complete the operation. 1067 | # 1068 | # For the above reasons Redis also offers non blocking deletion primitives 1069 | # such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and 1070 | # FLUSHDB commands, in order to reclaim memory in background. Those commands 1071 | # are executed in constant time. Another thread will incrementally free the 1072 | # object in the background as fast as possible. 1073 | # 1074 | # DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled. 1075 | # It's up to the design of the application to understand when it is a good 1076 | # idea to use one or the other. However the Redis server sometimes has to 1077 | # delete keys or flush the whole database as a side effect of other operations. 1078 | # Specifically Redis deletes objects independently of a user call in the 1079 | # following scenarios: 1080 | # 1081 | # 1) On eviction, because of the maxmemory and maxmemory policy configurations, 1082 | # in order to make room for new data, without going over the specified 1083 | # memory limit. 1084 | # 2) Because of expire: when a key with an associated time to live (see the 1085 | # EXPIRE command) must be deleted from memory. 1086 | # 3) Because of a side effect of a command that stores data on a key that may 1087 | # already exist. For example the RENAME command may delete the old key 1088 | # content when it is replaced with another one. Similarly SUNIONSTORE 1089 | # or SORT with STORE option may delete existing keys. The SET command 1090 | # itself removes any old content of the specified key in order to replace 1091 | # it with the specified string. 1092 | # 4) During replication, when a replica performs a full resynchronization with 1093 | # its master, the content of the whole database is removed in order to 1094 | # load the RDB file just transferred. 1095 | # 1096 | # In all the above cases the default is to delete objects in a blocking way, 1097 | # like if DEL was called. However you can configure each case specifically 1098 | # in order to instead release memory in a non-blocking way like if UNLINK 1099 | # was called, using the following configuration directives. 1100 | 1101 | lazyfree-lazy-eviction no 1102 | lazyfree-lazy-expire no 1103 | lazyfree-lazy-server-del no 1104 | replica-lazy-flush no 1105 | 1106 | # It is also possible, for the case when to replace the user code DEL calls 1107 | # with UNLINK calls is not easy, to modify the default behavior of the DEL 1108 | # command to act exactly like UNLINK, using the following configuration 1109 | # directive: 1110 | 1111 | lazyfree-lazy-user-del no 1112 | 1113 | # FLUSHDB, FLUSHALL, and SCRIPT FLUSH support both asynchronous and synchronous 1114 | # deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the 1115 | # commands. When neither flag is passed, this directive will be used to determine 1116 | # if the data should be deleted asynchronously. 1117 | 1118 | lazyfree-lazy-user-flush no 1119 | 1120 | ################################ THREADED I/O ################################# 1121 | 1122 | # Redis is mostly single threaded, however there are certain threaded 1123 | # operations such as UNLINK, slow I/O accesses and other things that are 1124 | # performed on side threads. 1125 | # 1126 | # Now it is also possible to handle Redis clients socket reads and writes 1127 | # in different I/O threads. Since especially writing is so slow, normally 1128 | # Redis users use pipelining in order to speed up the Redis performances per 1129 | # core, and spawn multiple instances in order to scale more. Using I/O 1130 | # threads it is possible to easily speedup two times Redis without resorting 1131 | # to pipelining nor sharding of the instance. 1132 | # 1133 | # By default threading is disabled, we suggest enabling it only in machines 1134 | # that have at least 4 or more cores, leaving at least one spare core. 1135 | # Using more than 8 threads is unlikely to help much. We also recommend using 1136 | # threaded I/O only if you actually have performance problems, with Redis 1137 | # instances being able to use a quite big percentage of CPU time, otherwise 1138 | # there is no point in using this feature. 1139 | # 1140 | # So for instance if you have a four cores boxes, try to use 2 or 3 I/O 1141 | # threads, if you have a 8 cores, try to use 6 threads. In order to 1142 | # enable I/O threads use the following configuration directive: 1143 | # 1144 | # io-threads 4 1145 | # 1146 | # Setting io-threads to 1 will just use the main thread as usual. 1147 | # When I/O threads are enabled, we only use threads for writes, that is 1148 | # to thread the write(2) syscall and transfer the client buffers to the 1149 | # socket. However it is also possible to enable threading of reads and 1150 | # protocol parsing using the following configuration directive, by setting 1151 | # it to yes: 1152 | # 1153 | # io-threads-do-reads no 1154 | # 1155 | # Usually threading reads doesn't help much. 1156 | # 1157 | # NOTE 1: This configuration directive cannot be changed at runtime via 1158 | # CONFIG SET. Aso this feature currently does not work when SSL is 1159 | # enabled. 1160 | # 1161 | # NOTE 2: If you want to test the Redis speedup using redis-benchmark, make 1162 | # sure you also run the benchmark itself in threaded mode, using the 1163 | # --threads option to match the number of Redis threads, otherwise you'll not 1164 | # be able to notice the improvements. 1165 | 1166 | ############################ KERNEL OOM CONTROL ############################## 1167 | 1168 | # On Linux, it is possible to hint the kernel OOM killer on what processes 1169 | # should be killed first when out of memory. 1170 | # 1171 | # Enabling this feature makes Redis actively control the oom_score_adj value 1172 | # for all its processes, depending on their role. The default scores will 1173 | # attempt to have background child processes killed before all others, and 1174 | # replicas killed before masters. 1175 | # 1176 | # Redis supports three options: 1177 | # 1178 | # no: Don't make changes to oom-score-adj (default). 1179 | # yes: Alias to "relative" see below. 1180 | # absolute: Values in oom-score-adj-values are written as is to the kernel. 1181 | # relative: Values are used relative to the initial value of oom_score_adj when 1182 | # the server starts and are then clamped to a range of -1000 to 1000. 1183 | # Because typically the initial value is 0, they will often match the 1184 | # absolute values. 1185 | oom-score-adj no 1186 | 1187 | # When oom-score-adj is used, this directive controls the specific values used 1188 | # for master, replica and background child processes. Values range -2000 to 1189 | # 2000 (higher means more likely to be killed). 1190 | # 1191 | # Unprivileged processes (not root, and without CAP_SYS_RESOURCE capabilities) 1192 | # can freely increase their value, but not decrease it below its initial 1193 | # settings. This means that setting oom-score-adj to "relative" and setting the 1194 | # oom-score-adj-values to positive values will always succeed. 1195 | oom-score-adj-values 0 200 800 1196 | 1197 | 1198 | #################### KERNEL transparent hugepage CONTROL ###################### 1199 | 1200 | # Usually the kernel Transparent Huge Pages control is set to "madvise" or 1201 | # or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which 1202 | # case this config has no effect. On systems in which it is set to "always", 1203 | # redis will attempt to disable it specifically for the redis process in order 1204 | # to avoid latency problems specifically with fork(2) and CoW. 1205 | # If for some reason you prefer to keep it enabled, you can set this config to 1206 | # "no" and the kernel global to "always". 1207 | 1208 | disable-thp yes 1209 | 1210 | ############################## APPEND ONLY MODE ############################### 1211 | 1212 | # By default Redis asynchronously dumps the dataset on disk. This mode is 1213 | # good enough in many applications, but an issue with the Redis process or 1214 | # a power outage may result into a few minutes of writes lost (depending on 1215 | # the configured save points). 1216 | # 1217 | # The Append Only File is an alternative persistence mode that provides 1218 | # much better durability. For instance using the default data fsync policy 1219 | # (see later in the config file) Redis can lose just one second of writes in a 1220 | # dramatic event like a server power outage, or a single write if something 1221 | # wrong with the Redis process itself happens, but the operating system is 1222 | # still running correctly. 1223 | # 1224 | # AOF and RDB persistence can be enabled at the same time without problems. 1225 | # If the AOF is enabled on startup Redis will load the AOF, that is the file 1226 | # with the better durability guarantees. 1227 | # 1228 | # Please check http://redis.io/topics/persistence for more information. 1229 | 1230 | appendonly no 1231 | 1232 | # The name of the append only file (default: "appendonly.aof") 1233 | 1234 | appendfilename "appendonly.aof" 1235 | 1236 | # The fsync() call tells the Operating System to actually write data on disk 1237 | # instead of waiting for more data in the output buffer. Some OS will really flush 1238 | # data on disk, some other OS will just try to do it ASAP. 1239 | # 1240 | # Redis supports three different modes: 1241 | # 1242 | # no: don't fsync, just let the OS flush the data when it wants. Faster. 1243 | # always: fsync after every write to the append only log. Slow, Safest. 1244 | # everysec: fsync only one time every second. Compromise. 1245 | # 1246 | # The default is "everysec", as that's usually the right compromise between 1247 | # speed and data safety. It's up to you to understand if you can relax this to 1248 | # "no" that will let the operating system flush the output buffer when 1249 | # it wants, for better performances (but if you can live with the idea of 1250 | # some data loss consider the default persistence mode that's snapshotting), 1251 | # or on the contrary, use "always" that's very slow but a bit safer than 1252 | # everysec. 1253 | # 1254 | # More details please check the following article: 1255 | # http://antirez.com/post/redis-persistence-demystified.html 1256 | # 1257 | # If unsure, use "everysec". 1258 | 1259 | # appendfsync always 1260 | appendfsync everysec 1261 | # appendfsync no 1262 | 1263 | # When the AOF fsync policy is set to always or everysec, and a background 1264 | # saving process (a background save or AOF log background rewriting) is 1265 | # performing a lot of I/O against the disk, in some Linux configurations 1266 | # Redis may block too long on the fsync() call. Note that there is no fix for 1267 | # this currently, as even performing fsync in a different thread will block 1268 | # our synchronous write(2) call. 1269 | # 1270 | # In order to mitigate this problem it's possible to use the following option 1271 | # that will prevent fsync() from being called in the main process while a 1272 | # BGSAVE or BGREWRITEAOF is in progress. 1273 | # 1274 | # This means that while another child is saving, the durability of Redis is 1275 | # the same as "appendfsync none". In practical terms, this means that it is 1276 | # possible to lose up to 30 seconds of log in the worst scenario (with the 1277 | # default Linux settings). 1278 | # 1279 | # If you have latency problems turn this to "yes". Otherwise leave it as 1280 | # "no" that is the safest pick from the point of view of durability. 1281 | 1282 | no-appendfsync-on-rewrite no 1283 | 1284 | # Automatic rewrite of the append only file. 1285 | # Redis is able to automatically rewrite the log file implicitly calling 1286 | # BGREWRITEAOF when the AOF log size grows by the specified percentage. 1287 | # 1288 | # This is how it works: Redis remembers the size of the AOF file after the 1289 | # latest rewrite (if no rewrite has happened since the restart, the size of 1290 | # the AOF at startup is used). 1291 | # 1292 | # This base size is compared to the current size. If the current size is 1293 | # bigger than the specified percentage, the rewrite is triggered. Also 1294 | # you need to specify a minimal size for the AOF file to be rewritten, this 1295 | # is useful to avoid rewriting the AOF file even if the percentage increase 1296 | # is reached but it is still pretty small. 1297 | # 1298 | # Specify a percentage of zero in order to disable the automatic AOF 1299 | # rewrite feature. 1300 | 1301 | auto-aof-rewrite-percentage 100 1302 | auto-aof-rewrite-min-size 64mb 1303 | 1304 | # An AOF file may be found to be truncated at the end during the Redis 1305 | # startup process, when the AOF data gets loaded back into memory. 1306 | # This may happen when the system where Redis is running 1307 | # crashes, especially when an ext4 filesystem is mounted without the 1308 | # data=ordered option (however this can't happen when Redis itself 1309 | # crashes or aborts but the operating system still works correctly). 1310 | # 1311 | # Redis can either exit with an error when this happens, or load as much 1312 | # data as possible (the default now) and start if the AOF file is found 1313 | # to be truncated at the end. The following option controls this behavior. 1314 | # 1315 | # If aof-load-truncated is set to yes, a truncated AOF file is loaded and 1316 | # the Redis server starts emitting a log to inform the user of the event. 1317 | # Otherwise if the option is set to no, the server aborts with an error 1318 | # and refuses to start. When the option is set to no, the user requires 1319 | # to fix the AOF file using the "redis-check-aof" utility before to restart 1320 | # the server. 1321 | # 1322 | # Note that if the AOF file will be found to be corrupted in the middle 1323 | # the server will still exit with an error. This option only applies when 1324 | # Redis will try to read more data from the AOF file but not enough bytes 1325 | # will be found. 1326 | aof-load-truncated yes 1327 | 1328 | # When rewriting the AOF file, Redis is able to use an RDB preamble in the 1329 | # AOF file for faster rewrites and recoveries. When this option is turned 1330 | # on the rewritten AOF file is composed of two different stanzas: 1331 | # 1332 | # [RDB file][AOF tail] 1333 | # 1334 | # When loading, Redis recognizes that the AOF file starts with the "REDIS" 1335 | # string and loads the prefixed RDB file, then continues loading the AOF 1336 | # tail. 1337 | aof-use-rdb-preamble yes 1338 | 1339 | ################################ LUA SCRIPTING ############################### 1340 | 1341 | # Max execution time of a Lua script in milliseconds. 1342 | # 1343 | # If the maximum execution time is reached Redis will log that a script is 1344 | # still in execution after the maximum allowed time and will start to 1345 | # reply to queries with an error. 1346 | # 1347 | # When a long running script exceeds the maximum execution time only the 1348 | # SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be 1349 | # used to stop a script that did not yet call any write commands. The second 1350 | # is the only way to shut down the server in the case a write command was 1351 | # already issued by the script but the user doesn't want to wait for the natural 1352 | # termination of the script. 1353 | # 1354 | # Set it to 0 or a negative value for unlimited execution without warnings. 1355 | lua-time-limit 5000 1356 | 1357 | ################################ REDIS CLUSTER ############################### 1358 | 1359 | # Normal Redis instances can't be part of a Redis Cluster; only nodes that are 1360 | # started as cluster nodes can. In order to start a Redis instance as a 1361 | # cluster node enable the cluster support uncommenting the following: 1362 | # 1363 | # cluster-enabled yes 1364 | 1365 | # Every cluster node has a cluster configuration file. This file is not 1366 | # intended to be edited by hand. It is created and updated by Redis nodes. 1367 | # Every Redis Cluster node requires a different cluster configuration file. 1368 | # Make sure that instances running in the same system do not have 1369 | # overlapping cluster configuration file names. 1370 | # 1371 | # cluster-config-file nodes-6379.conf 1372 | 1373 | # Cluster node timeout is the amount of milliseconds a node must be unreachable 1374 | # for it to be considered in failure state. 1375 | # Most other internal time limits are a multiple of the node timeout. 1376 | # 1377 | # cluster-node-timeout 15000 1378 | 1379 | # A replica of a failing master will avoid to start a failover if its data 1380 | # looks too old. 1381 | # 1382 | # There is no simple way for a replica to actually have an exact measure of 1383 | # its "data age", so the following two checks are performed: 1384 | # 1385 | # 1) If there are multiple replicas able to failover, they exchange messages 1386 | # in order to try to give an advantage to the replica with the best 1387 | # replication offset (more data from the master processed). 1388 | # Replicas will try to get their rank by offset, and apply to the start 1389 | # of the failover a delay proportional to their rank. 1390 | # 1391 | # 2) Every single replica computes the time of the last interaction with 1392 | # its master. This can be the last ping or command received (if the master 1393 | # is still in the "connected" state), or the time that elapsed since the 1394 | # disconnection with the master (if the replication link is currently down). 1395 | # If the last interaction is too old, the replica will not try to failover 1396 | # at all. 1397 | # 1398 | # The point "2" can be tuned by user. Specifically a replica will not perform 1399 | # the failover if, since the last interaction with the master, the time 1400 | # elapsed is greater than: 1401 | # 1402 | # (node-timeout * cluster-replica-validity-factor) + repl-ping-replica-period 1403 | # 1404 | # So for example if node-timeout is 30 seconds, and the cluster-replica-validity-factor 1405 | # is 10, and assuming a default repl-ping-replica-period of 10 seconds, the 1406 | # replica will not try to failover if it was not able to talk with the master 1407 | # for longer than 310 seconds. 1408 | # 1409 | # A large cluster-replica-validity-factor may allow replicas with too old data to failover 1410 | # a master, while a too small value may prevent the cluster from being able to 1411 | # elect a replica at all. 1412 | # 1413 | # For maximum availability, it is possible to set the cluster-replica-validity-factor 1414 | # to a value of 0, which means, that replicas will always try to failover the 1415 | # master regardless of the last time they interacted with the master. 1416 | # (However they'll always try to apply a delay proportional to their 1417 | # offset rank). 1418 | # 1419 | # Zero is the only value able to guarantee that when all the partitions heal 1420 | # the cluster will always be able to continue. 1421 | # 1422 | # cluster-replica-validity-factor 10 1423 | 1424 | # Cluster replicas are able to migrate to orphaned masters, that are masters 1425 | # that are left without working replicas. This improves the cluster ability 1426 | # to resist to failures as otherwise an orphaned master can't be failed over 1427 | # in case of failure if it has no working replicas. 1428 | # 1429 | # Replicas migrate to orphaned masters only if there are still at least a 1430 | # given number of other working replicas for their old master. This number 1431 | # is the "migration barrier". A migration barrier of 1 means that a replica 1432 | # will migrate only if there is at least 1 other working replica for its master 1433 | # and so forth. It usually reflects the number of replicas you want for every 1434 | # master in your cluster. 1435 | # 1436 | # Default is 1 (replicas migrate only if their masters remain with at least 1437 | # one replica). To disable migration just set it to a very large value. 1438 | # A value of 0 can be set but is useful only for debugging and dangerous 1439 | # in production. 1440 | # 1441 | # cluster-migration-barrier 1 1442 | 1443 | # By default Redis Cluster nodes stop accepting queries if they detect there 1444 | # is at least a hash slot uncovered (no available node is serving it). 1445 | # This way if the cluster is partially down (for example a range of hash slots 1446 | # are no longer covered) all the cluster becomes, eventually, unavailable. 1447 | # It automatically returns available as soon as all the slots are covered again. 1448 | # 1449 | # However sometimes you want the subset of the cluster which is working, 1450 | # to continue to accept queries for the part of the key space that is still 1451 | # covered. In order to do so, just set the cluster-require-full-coverage 1452 | # option to no. 1453 | # 1454 | # cluster-require-full-coverage yes 1455 | 1456 | # This option, when set to yes, prevents replicas from trying to failover its 1457 | # master during master failures. However the replica can still perform a 1458 | # manual failover, if forced to do so. 1459 | # 1460 | # This is useful in different scenarios, especially in the case of multiple 1461 | # data center operations, where we want one side to never be promoted if not 1462 | # in the case of a total DC failure. 1463 | # 1464 | # cluster-replica-no-failover no 1465 | 1466 | # This option, when set to yes, allows nodes to serve read traffic while the 1467 | # the cluster is in a down state, as long as it believes it owns the slots. 1468 | # 1469 | # This is useful for two cases. The first case is for when an application 1470 | # doesn't require consistency of data during node failures or network partitions. 1471 | # One example of this is a cache, where as long as the node has the data it 1472 | # should be able to serve it. 1473 | # 1474 | # The second use case is for configurations that don't meet the recommended 1475 | # three shards but want to enable cluster mode and scale later. A 1476 | # master outage in a 1 or 2 shard configuration causes a read/write outage to the 1477 | # entire cluster without this option set, with it set there is only a write outage. 1478 | # Without a quorum of masters, slot ownership will not change automatically. 1479 | # 1480 | # cluster-allow-reads-when-down no 1481 | 1482 | # In order to setup your cluster make sure to read the documentation 1483 | # available at http://redis.io web site. 1484 | 1485 | ########################## CLUSTER DOCKER/NAT support ######################## 1486 | 1487 | # In certain deployments, Redis Cluster nodes address discovery fails, because 1488 | # addresses are NAT-ted or because ports are forwarded (the typical case is 1489 | # Docker and other containers). 1490 | # 1491 | # In order to make Redis Cluster working in such environments, a static 1492 | # configuration where each node knows its public address is needed. The 1493 | # following two options are used for this scope, and are: 1494 | # 1495 | # * cluster-announce-ip 1496 | # * cluster-announce-port 1497 | # * cluster-announce-bus-port 1498 | # 1499 | # Each instructs the node about its address, client port, and cluster message 1500 | # bus port. The information is then published in the header of the bus packets 1501 | # so that other nodes will be able to correctly map the address of the node 1502 | # publishing the information. 1503 | # 1504 | # If the above options are not used, the normal Redis Cluster auto-detection 1505 | # will be used instead. 1506 | # 1507 | # Note that when remapped, the bus port may not be at the fixed offset of 1508 | # clients port + 10000, so you can specify any port and bus-port depending 1509 | # on how they get remapped. If the bus-port is not set, a fixed offset of 1510 | # 10000 will be used as usual. 1511 | # 1512 | # Example: 1513 | # 1514 | # cluster-announce-ip 10.1.1.5 1515 | # cluster-announce-port 6379 1516 | # cluster-announce-bus-port 6380 1517 | 1518 | ################################## SLOW LOG ################################### 1519 | 1520 | # The Redis Slow Log is a system to log queries that exceeded a specified 1521 | # execution time. The execution time does not include the I/O operations 1522 | # like talking with the client, sending the reply and so forth, 1523 | # but just the time needed to actually execute the command (this is the only 1524 | # stage of command execution where the thread is blocked and can not serve 1525 | # other requests in the meantime). 1526 | # 1527 | # You can configure the slow log with two parameters: one tells Redis 1528 | # what is the execution time, in microseconds, to exceed in order for the 1529 | # command to get logged, and the other parameter is the length of the 1530 | # slow log. When a new command is logged the oldest one is removed from the 1531 | # queue of logged commands. 1532 | 1533 | # The following time is expressed in microseconds, so 1000000 is equivalent 1534 | # to one second. Note that a negative number disables the slow log, while 1535 | # a value of zero forces the logging of every command. 1536 | slowlog-log-slower-than 10000 1537 | 1538 | # There is no limit to this length. Just be aware that it will consume memory. 1539 | # You can reclaim memory used by the slow log with SLOWLOG RESET. 1540 | slowlog-max-len 128 1541 | 1542 | ################################ LATENCY MONITOR ############################## 1543 | 1544 | # The Redis latency monitoring subsystem samples different operations 1545 | # at runtime in order to collect data related to possible sources of 1546 | # latency of a Redis instance. 1547 | # 1548 | # Via the LATENCY command this information is available to the user that can 1549 | # print graphs and obtain reports. 1550 | # 1551 | # The system only logs operations that were performed in a time equal or 1552 | # greater than the amount of milliseconds specified via the 1553 | # latency-monitor-threshold configuration directive. When its value is set 1554 | # to zero, the latency monitor is turned off. 1555 | # 1556 | # By default latency monitoring is disabled since it is mostly not needed 1557 | # if you don't have latency issues, and collecting data has a performance 1558 | # impact, that while very small, can be measured under big load. Latency 1559 | # monitoring can easily be enabled at runtime using the command 1560 | # "CONFIG SET latency-monitor-threshold " if needed. 1561 | latency-monitor-threshold 0 1562 | 1563 | ############################# EVENT NOTIFICATION ############################## 1564 | 1565 | # Redis can notify Pub/Sub clients about events happening in the key space. 1566 | # This feature is documented at http://redis.io/topics/notifications 1567 | # 1568 | # For instance if keyspace events notification is enabled, and a client 1569 | # performs a DEL operation on key "foo" stored in the Database 0, two 1570 | # messages will be published via Pub/Sub: 1571 | # 1572 | # PUBLISH __keyspace@0__:foo del 1573 | # PUBLISH __keyevent@0__:del foo 1574 | # 1575 | # It is possible to select the events that Redis will notify among a set 1576 | # of classes. Every class is identified by a single character: 1577 | # 1578 | # K Keyspace events, published with __keyspace@__ prefix. 1579 | # E Keyevent events, published with __keyevent@__ prefix. 1580 | # g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ... 1581 | # $ String commands 1582 | # l List commands 1583 | # s Set commands 1584 | # h Hash commands 1585 | # z Sorted set commands 1586 | # x Expired events (events generated every time a key expires) 1587 | # e Evicted events (events generated when a key is evicted for maxmemory) 1588 | # t Stream commands 1589 | # m Key-miss events (Note: It is not included in the 'A' class) 1590 | # A Alias for g$lshzxet, so that the "AKE" string means all the events 1591 | # (Except key-miss events which are excluded from 'A' due to their 1592 | # unique nature). 1593 | # 1594 | # The "notify-keyspace-events" takes as argument a string that is composed 1595 | # of zero or multiple characters. The empty string means that notifications 1596 | # are disabled. 1597 | # 1598 | # Example: to enable list and generic events, from the point of view of the 1599 | # event name, use: 1600 | # 1601 | # notify-keyspace-events Elg 1602 | # 1603 | # Example 2: to get the stream of the expired keys subscribing to channel 1604 | # name __keyevent@0__:expired use: 1605 | # 1606 | # notify-keyspace-events Ex 1607 | # 1608 | # By default all notifications are disabled because most users don't need 1609 | # this feature and the feature has some overhead. Note that if you don't 1610 | # specify at least one of K or E, no events will be delivered. 1611 | notify-keyspace-events "" 1612 | 1613 | ############################### GOPHER SERVER ################################# 1614 | 1615 | # Redis contains an implementation of the Gopher protocol, as specified in 1616 | # the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt). 1617 | # 1618 | # The Gopher protocol was very popular in the late '90s. It is an alternative 1619 | # to the web, and the implementation both server and client side is so simple 1620 | # that the Redis server has just 100 lines of code in order to implement this 1621 | # support. 1622 | # 1623 | # What do you do with Gopher nowadays? Well Gopher never *really* died, and 1624 | # lately there is a movement in order for the Gopher more hierarchical content 1625 | # composed of just plain text documents to be resurrected. Some want a simpler 1626 | # internet, others believe that the mainstream internet became too much 1627 | # controlled, and it's cool to create an alternative space for people that 1628 | # want a bit of fresh air. 1629 | # 1630 | # Anyway for the 10nth birthday of the Redis, we gave it the Gopher protocol 1631 | # as a gift. 1632 | # 1633 | # --- HOW IT WORKS? --- 1634 | # 1635 | # The Redis Gopher support uses the inline protocol of Redis, and specifically 1636 | # two kind of inline requests that were anyway illegal: an empty request 1637 | # or any request that starts with "/" (there are no Redis commands starting 1638 | # with such a slash). Normal RESP2/RESP3 requests are completely out of the 1639 | # path of the Gopher protocol implementation and are served as usual as well. 1640 | # 1641 | # If you open a connection to Redis when Gopher is enabled and send it 1642 | # a string like "/foo", if there is a key named "/foo" it is served via the 1643 | # Gopher protocol. 1644 | # 1645 | # In order to create a real Gopher "hole" (the name of a Gopher site in Gopher 1646 | # talking), you likely need a script like the following: 1647 | # 1648 | # https://github.com/antirez/gopher2redis 1649 | # 1650 | # --- SECURITY WARNING --- 1651 | # 1652 | # If you plan to put Redis on the internet in a publicly accessible address 1653 | # to server Gopher pages MAKE SURE TO SET A PASSWORD to the instance. 1654 | # Once a password is set: 1655 | # 1656 | # 1. The Gopher server (when enabled, not by default) will still serve 1657 | # content via Gopher. 1658 | # 2. However other commands cannot be called before the client will 1659 | # authenticate. 1660 | # 1661 | # So use the 'requirepass' option to protect your instance. 1662 | # 1663 | # Note that Gopher is not currently supported when 'io-threads-do-reads' 1664 | # is enabled. 1665 | # 1666 | # To enable Gopher support, uncomment the following line and set the option 1667 | # from no (the default) to yes. 1668 | # 1669 | # gopher-enabled no 1670 | 1671 | ############################### ADVANCED CONFIG ############################### 1672 | 1673 | # Hashes are encoded using a memory efficient data structure when they have a 1674 | # small number of entries, and the biggest entry does not exceed a given 1675 | # threshold. These thresholds can be configured using the following directives. 1676 | hash-max-ziplist-entries 512 1677 | hash-max-ziplist-value 64 1678 | 1679 | # Lists are also encoded in a special way to save a lot of space. 1680 | # The number of entries allowed per internal list node can be specified 1681 | # as a fixed maximum size or a maximum number of elements. 1682 | # For a fixed maximum size, use -5 through -1, meaning: 1683 | # -5: max size: 64 Kb <-- not recommended for normal workloads 1684 | # -4: max size: 32 Kb <-- not recommended 1685 | # -3: max size: 16 Kb <-- probably not recommended 1686 | # -2: max size: 8 Kb <-- good 1687 | # -1: max size: 4 Kb <-- good 1688 | # Positive numbers mean store up to _exactly_ that number of elements 1689 | # per list node. 1690 | # The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size), 1691 | # but if your use case is unique, adjust the settings as necessary. 1692 | list-max-ziplist-size -2 1693 | 1694 | # Lists may also be compressed. 1695 | # Compress depth is the number of quicklist ziplist nodes from *each* side of 1696 | # the list to *exclude* from compression. The head and tail of the list 1697 | # are always uncompressed for fast push/pop operations. Settings are: 1698 | # 0: disable all list compression 1699 | # 1: depth 1 means "don't start compressing until after 1 node into the list, 1700 | # going from either the head or tail" 1701 | # So: [head]->node->node->...->node->[tail] 1702 | # [head], [tail] will always be uncompressed; inner nodes will compress. 1703 | # 2: [head]->[next]->node->node->...->node->[prev]->[tail] 1704 | # 2 here means: don't compress head or head->next or tail->prev or tail, 1705 | # but compress all nodes between them. 1706 | # 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail] 1707 | # etc. 1708 | list-compress-depth 0 1709 | 1710 | # Sets have a special encoding in just one case: when a set is composed 1711 | # of just strings that happen to be integers in radix 10 in the range 1712 | # of 64 bit signed integers. 1713 | # The following configuration setting sets the limit in the size of the 1714 | # set in order to use this special memory saving encoding. 1715 | set-max-intset-entries 512 1716 | 1717 | # Similarly to hashes and lists, sorted sets are also specially encoded in 1718 | # order to save a lot of space. This encoding is only used when the length and 1719 | # elements of a sorted set are below the following limits: 1720 | zset-max-ziplist-entries 128 1721 | zset-max-ziplist-value 64 1722 | 1723 | # HyperLogLog sparse representation bytes limit. The limit includes the 1724 | # 16 bytes header. When an HyperLogLog using the sparse representation crosses 1725 | # this limit, it is converted into the dense representation. 1726 | # 1727 | # A value greater than 16000 is totally useless, since at that point the 1728 | # dense representation is more memory efficient. 1729 | # 1730 | # The suggested value is ~ 3000 in order to have the benefits of 1731 | # the space efficient encoding without slowing down too much PFADD, 1732 | # which is O(N) with the sparse encoding. The value can be raised to 1733 | # ~ 10000 when CPU is not a concern, but space is, and the data set is 1734 | # composed of many HyperLogLogs with cardinality in the 0 - 15000 range. 1735 | hll-sparse-max-bytes 3000 1736 | 1737 | # Streams macro node max size / items. The stream data structure is a radix 1738 | # tree of big nodes that encode multiple items inside. Using this configuration 1739 | # it is possible to configure how big a single node can be in bytes, and the 1740 | # maximum number of items it may contain before switching to a new node when 1741 | # appending new stream entries. If any of the following settings are set to 1742 | # zero, the limit is ignored, so for instance it is possible to set just a 1743 | # max entries limit by setting max-bytes to 0 and max-entries to the desired 1744 | # value. 1745 | stream-node-max-bytes 4096 1746 | stream-node-max-entries 100 1747 | 1748 | # Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in 1749 | # order to help rehashing the main Redis hash table (the one mapping top-level 1750 | # keys to values). The hash table implementation Redis uses (see dict.c) 1751 | # performs a lazy rehashing: the more operation you run into a hash table 1752 | # that is rehashing, the more rehashing "steps" are performed, so if the 1753 | # server is idle the rehashing is never complete and some more memory is used 1754 | # by the hash table. 1755 | # 1756 | # The default is to use this millisecond 10 times every second in order to 1757 | # actively rehash the main dictionaries, freeing memory when possible. 1758 | # 1759 | # If unsure: 1760 | # use "activerehashing no" if you have hard latency requirements and it is 1761 | # not a good thing in your environment that Redis can reply from time to time 1762 | # to queries with 2 milliseconds delay. 1763 | # 1764 | # use "activerehashing yes" if you don't have such hard requirements but 1765 | # want to free memory asap when possible. 1766 | activerehashing yes 1767 | 1768 | # The client output buffer limits can be used to force disconnection of clients 1769 | # that are not reading data from the server fast enough for some reason (a 1770 | # common reason is that a Pub/Sub client can't consume messages as fast as the 1771 | # publisher can produce them). 1772 | # 1773 | # The limit can be set differently for the three different classes of clients: 1774 | # 1775 | # normal -> normal clients including MONITOR clients 1776 | # replica -> replica clients 1777 | # pubsub -> clients subscribed to at least one pubsub channel or pattern 1778 | # 1779 | # The syntax of every client-output-buffer-limit directive is the following: 1780 | # 1781 | # client-output-buffer-limit 1782 | # 1783 | # A client is immediately disconnected once the hard limit is reached, or if 1784 | # the soft limit is reached and remains reached for the specified number of 1785 | # seconds (continuously). 1786 | # So for instance if the hard limit is 32 megabytes and the soft limit is 1787 | # 16 megabytes / 10 seconds, the client will get disconnected immediately 1788 | # if the size of the output buffers reach 32 megabytes, but will also get 1789 | # disconnected if the client reaches 16 megabytes and continuously overcomes 1790 | # the limit for 10 seconds. 1791 | # 1792 | # By default normal clients are not limited because they don't receive data 1793 | # without asking (in a push way), but just after a request, so only 1794 | # asynchronous clients may create a scenario where data is requested faster 1795 | # than it can read. 1796 | # 1797 | # Instead there is a default limit for pubsub and replica clients, since 1798 | # subscribers and replicas receive data in a push fashion. 1799 | # 1800 | # Both the hard or the soft limit can be disabled by setting them to zero. 1801 | client-output-buffer-limit normal 0 0 0 1802 | client-output-buffer-limit replica 256mb 64mb 60 1803 | client-output-buffer-limit pubsub 32mb 8mb 60 1804 | 1805 | # Client query buffers accumulate new commands. They are limited to a fixed 1806 | # amount by default in order to avoid that a protocol desynchronization (for 1807 | # instance due to a bug in the client) will lead to unbound memory usage in 1808 | # the query buffer. However you can configure it here if you have very special 1809 | # needs, such us huge multi/exec requests or alike. 1810 | # 1811 | # client-query-buffer-limit 1gb 1812 | 1813 | # In the Redis protocol, bulk requests, that are, elements representing single 1814 | # strings, are normally limited to 512 mb. However you can change this limit 1815 | # here, but must be 1mb or greater 1816 | # 1817 | # proto-max-bulk-len 512mb 1818 | 1819 | # Redis calls an internal function to perform many background tasks, like 1820 | # closing connections of clients in timeout, purging expired keys that are 1821 | # never requested, and so forth. 1822 | # 1823 | # Not all tasks are performed with the same frequency, but Redis checks for 1824 | # tasks to perform according to the specified "hz" value. 1825 | # 1826 | # By default "hz" is set to 10. Raising the value will use more CPU when 1827 | # Redis is idle, but at the same time will make Redis more responsive when 1828 | # there are many keys expiring at the same time, and timeouts may be 1829 | # handled with more precision. 1830 | # 1831 | # The range is between 1 and 500, however a value over 100 is usually not 1832 | # a good idea. Most users should use the default of 10 and raise this up to 1833 | # 100 only in environments where very low latency is required. 1834 | hz 10 1835 | 1836 | # Normally it is useful to have an HZ value which is proportional to the 1837 | # number of clients connected. This is useful in order, for instance, to 1838 | # avoid too many clients are processed for each background task invocation 1839 | # in order to avoid latency spikes. 1840 | # 1841 | # Since the default HZ value by default is conservatively set to 10, Redis 1842 | # offers, and enables by default, the ability to use an adaptive HZ value 1843 | # which will temporarily raise when there are many connected clients. 1844 | # 1845 | # When dynamic HZ is enabled, the actual configured HZ will be used 1846 | # as a baseline, but multiples of the configured HZ value will be actually 1847 | # used as needed once more clients are connected. In this way an idle 1848 | # instance will use very little CPU time while a busy instance will be 1849 | # more responsive. 1850 | dynamic-hz yes 1851 | 1852 | # When a child rewrites the AOF file, if the following option is enabled 1853 | # the file will be fsync-ed every 32 MB of data generated. This is useful 1854 | # in order to commit the file to the disk more incrementally and avoid 1855 | # big latency spikes. 1856 | aof-rewrite-incremental-fsync yes 1857 | 1858 | # When redis saves RDB file, if the following option is enabled 1859 | # the file will be fsync-ed every 32 MB of data generated. This is useful 1860 | # in order to commit the file to the disk more incrementally and avoid 1861 | # big latency spikes. 1862 | rdb-save-incremental-fsync yes 1863 | 1864 | # Redis LFU eviction (see maxmemory setting) can be tuned. However it is a good 1865 | # idea to start with the default settings and only change them after investigating 1866 | # how to improve the performances and how the keys LFU change over time, which 1867 | # is possible to inspect via the OBJECT FREQ command. 1868 | # 1869 | # There are two tunable parameters in the Redis LFU implementation: the 1870 | # counter logarithm factor and the counter decay time. It is important to 1871 | # understand what the two parameters mean before changing them. 1872 | # 1873 | # The LFU counter is just 8 bits per key, it's maximum value is 255, so Redis 1874 | # uses a probabilistic increment with logarithmic behavior. Given the value 1875 | # of the old counter, when a key is accessed, the counter is incremented in 1876 | # this way: 1877 | # 1878 | # 1. A random number R between 0 and 1 is extracted. 1879 | # 2. A probability P is calculated as 1/(old_value*lfu_log_factor+1). 1880 | # 3. The counter is incremented only if R < P. 1881 | # 1882 | # The default lfu-log-factor is 10. This is a table of how the frequency 1883 | # counter changes with a different number of accesses with different 1884 | # logarithmic factors: 1885 | # 1886 | # +--------+------------+------------+------------+------------+------------+ 1887 | # | factor | 100 hits | 1000 hits | 100K hits | 1M hits | 10M hits | 1888 | # +--------+------------+------------+------------+------------+------------+ 1889 | # | 0 | 104 | 255 | 255 | 255 | 255 | 1890 | # +--------+------------+------------+------------+------------+------------+ 1891 | # | 1 | 18 | 49 | 255 | 255 | 255 | 1892 | # +--------+------------+------------+------------+------------+------------+ 1893 | # | 10 | 10 | 18 | 142 | 255 | 255 | 1894 | # +--------+------------+------------+------------+------------+------------+ 1895 | # | 100 | 8 | 11 | 49 | 143 | 255 | 1896 | # +--------+------------+------------+------------+------------+------------+ 1897 | # 1898 | # NOTE: The above table was obtained by running the following commands: 1899 | # 1900 | # redis-benchmark -n 1000000 incr foo 1901 | # redis-cli object freq foo 1902 | # 1903 | # NOTE 2: The counter initial value is 5 in order to give new objects a chance 1904 | # to accumulate hits. 1905 | # 1906 | # The counter decay time is the time, in minutes, that must elapse in order 1907 | # for the key counter to be divided by two (or decremented if it has a value 1908 | # less <= 10). 1909 | # 1910 | # The default value for the lfu-decay-time is 1. A special value of 0 means to 1911 | # decay the counter every time it happens to be scanned. 1912 | # 1913 | # lfu-log-factor 10 1914 | # lfu-decay-time 1 1915 | 1916 | ########################### ACTIVE DEFRAGMENTATION ####################### 1917 | # 1918 | # What is active defragmentation? 1919 | # ------------------------------- 1920 | # 1921 | # Active (online) defragmentation allows a Redis server to compact the 1922 | # spaces left between small allocations and deallocations of data in memory, 1923 | # thus allowing to reclaim back memory. 1924 | # 1925 | # Fragmentation is a natural process that happens with every allocator (but 1926 | # less so with Jemalloc, fortunately) and certain workloads. Normally a server 1927 | # restart is needed in order to lower the fragmentation, or at least to flush 1928 | # away all the data and create it again. However thanks to this feature 1929 | # implemented by Oran Agra for Redis 4.0 this process can happen at runtime 1930 | # in a "hot" way, while the server is running. 1931 | # 1932 | # Basically when the fragmentation is over a certain level (see the 1933 | # configuration options below) Redis will start to create new copies of the 1934 | # values in contiguous memory regions by exploiting certain specific Jemalloc 1935 | # features (in order to understand if an allocation is causing fragmentation 1936 | # and to allocate it in a better place), and at the same time, will release the 1937 | # old copies of the data. This process, repeated incrementally for all the keys 1938 | # will cause the fragmentation to drop back to normal values. 1939 | # 1940 | # Important things to understand: 1941 | # 1942 | # 1. This feature is disabled by default, and only works if you compiled Redis 1943 | # to use the copy of Jemalloc we ship with the source code of Redis. 1944 | # This is the default with Linux builds. 1945 | # 1946 | # 2. You never need to enable this feature if you don't have fragmentation 1947 | # issues. 1948 | # 1949 | # 3. Once you experience fragmentation, you can enable this feature when 1950 | # needed with the command "CONFIG SET activedefrag yes". 1951 | # 1952 | # The configuration parameters are able to fine tune the behavior of the 1953 | # defragmentation process. If you are not sure about what they mean it is 1954 | # a good idea to leave the defaults untouched. 1955 | 1956 | # Enabled active defragmentation 1957 | # activedefrag no 1958 | 1959 | # Minimum amount of fragmentation waste to start active defrag 1960 | # active-defrag-ignore-bytes 100mb 1961 | 1962 | # Minimum percentage of fragmentation to start active defrag 1963 | # active-defrag-threshold-lower 10 1964 | 1965 | # Maximum percentage of fragmentation at which we use maximum effort 1966 | # active-defrag-threshold-upper 100 1967 | 1968 | # Minimal effort for defrag in CPU percentage, to be used when the lower 1969 | # threshold is reached 1970 | # active-defrag-cycle-min 1 1971 | 1972 | # Maximal effort for defrag in CPU percentage, to be used when the upper 1973 | # threshold is reached 1974 | # active-defrag-cycle-max 25 1975 | 1976 | # Maximum number of set/hash/zset/list fields that will be processed from 1977 | # the main dictionary scan 1978 | # active-defrag-max-scan-fields 1000 1979 | 1980 | # Jemalloc background thread for purging will be enabled by default 1981 | jemalloc-bg-thread yes 1982 | 1983 | # It is possible to pin different threads and processes of Redis to specific 1984 | # CPUs in your system, in order to maximize the performances of the server. 1985 | # This is useful both in order to pin different Redis threads in different 1986 | # CPUs, but also in order to make sure that multiple Redis instances running 1987 | # in the same host will be pinned to different CPUs. 1988 | # 1989 | # Normally you can do this using the "taskset" command, however it is also 1990 | # possible to this via Redis configuration directly, both in Linux and FreeBSD. 1991 | # 1992 | # You can pin the server/IO threads, bio threads, aof rewrite child process, and 1993 | # the bgsave child process. The syntax to specify the cpu list is the same as 1994 | # the taskset command: 1995 | # 1996 | # Set redis server/io threads to cpu affinity 0,2,4,6: 1997 | # server_cpulist 0-7:2 1998 | # 1999 | # Set bio threads to cpu affinity 1,3: 2000 | # bio_cpulist 1,3 2001 | # 2002 | # Set aof rewrite child process to cpu affinity 8,9,10,11: 2003 | # aof_rewrite_cpulist 8-11 2004 | # 2005 | # Set bgsave child process to cpu affinity 1,10,11 2006 | # bgsave_cpulist 1,10-11 2007 | 2008 | # In some cases redis will emit warnings and even refuse to start if it detects 2009 | # that the system is in bad state, it is possible to suppress these warnings 2010 | # by setting the following config which takes a space delimited list of warnings 2011 | # to suppress 2012 | # 2013 | # ignore-warnings ARM64-COW-BUG 2014 | --------------------------------------------------------------------------------