August 28, 2017 Gautier Franchini

Setup a secured redis-cluster on centos7

What is redis exactly?

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.

Redis Sentinel provides high availability for Redis. In practical terms this means that, using Sentinel, you can create a Redis deployment that survives certain kinds of failures without human intervention.

⚠️ You need at least three Sentinel instances for a robust deployment.

Sentinel provides three things for the deployment:

  • Monitoring: Sentinel constantly checks if your master and slave instances are working as expected.
  • Notification: Sentinel can notify the system administrator, or other programs, via an API, when something is wrong with one of the monitored instances.
  • Automatic failover: if a master is not working as expected, Sentinel can start a failover process where a slave is promoted to master, the other additional slaves are reconfigured to use the new master, and the applications using the Redis server are informed about the new address to use when connecting.

ℹ️ Sentinel manages monitoring and failover; it does not configure Redis replication for you, that is still done in redis.conf (see below). It is an important distinction.

Default ports

service name     port
redis-server     6379
redis-sentinel   26379

what we are going to install

Following the steps below you will set up a “redis-cluster” composed of 2 redis-server instances (one master, one slave) monitored by 3 redis-sentinel agents, one per VM. This is Sentinel-managed high availability with a single writable master, not the sharded Redis Cluster mode.

server name    services                        ports          role
vm-centos-01   redis-server + redis-sentinel   6379 + 26379   master + sentinel
vm-centos-02   redis-server + redis-sentinel   6379 + 26379   slave + sentinel
vm-centos-03   redis-sentinel                  26379          sentinel only

Prerequisites

  • have created a dedicated user/group (optional: the EPEL package creates a “redis” system user and group itself if none exists; pre-creating them only lets you pin the uid/gid)
groupadd -g 1983 redis
useradd -u 1983 -s "/sbin/nologin" -c "redis user" -g 1983 redis
  • have the epel repository setup properly
# Setup the repository:
curl -L -O https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && yum install epel-release-latest-7.noarch.rpm
yum repolist
# you should see the epel repository in the list (epel-testing exists too but is disabled by default)

Installation & Configuration

redis & redis-sentinel packages

  • Install rpm package
# Install the package and dependencies:
 yum search redis && yum install redis
  • Service Management
# start and check redis service:
systemctl start redis.service && systemctl status redis.service
# start and check sentinel service:
systemctl start redis-sentinel.service && systemctl status redis-sentinel.service
  • Check the redis server:
# To test the installation, send a PING to the server (-h must be an address Redis listens on).
# If the reply is PONG, the server is up and reachable.
redis-cli -h ${SERVER_NODE} -p 6379 ping

redis Configuration

In the example below I only set the minimum parameters needed for this redis-cluster to run.

💬 In our current configuration the master-group name is set to “redis-cluster”: it is the label passed to “sentinel monitor” that Sentinel uses to refer to this master and its slaves. It has nothing to do with Redis Cluster mode (cluster-enabled), which is a different, sharded deployment and is not used here.

redis.conf

By default, if no “bind” configuration directive is specified, Redis listens for connections on all the network interfaces available on the server. Binding to ${SERVER_IP} is necessary so the other nodes can reach the instance, but be aware of what it gives up: protected mode (Redis 3.2+) only refuses non-loopback clients when no bind directive and no password are configured. Once you bind to a routable address, only “requirepass” and your firewall stand between the instance and the network, so do not skip the security section below and restrict 6379 and 26379 to the three nodes and your clients.

Of course there are plenty of custom parameters dedicated to redis optimisation. (feel free to browse the official latest stable released redis.conf and a sentinel.conf sample files)

ℹ️ There are small differences between the master and the slave configuration (see below)

  • master node
bind ${SERVER_IP}
port 6379
dir /var/lib/redis
  • slave node
bind ${SERVER_IP}
port 6379
dir /var/lib/redis
slaveof ${MASTER_NODE_IP} 6379

redis-sentinel.conf

ℹ️ every Sentinel gets the same configuration and monitors the same master; on vm-centos-01 and vm-centos-02 it runs next to a redis-server process, on vm-centos-03 it runs alone.

sentinel monitor redis-cluster ${MASTER_NODE_IP} 6379 2
sentinel down-after-milliseconds redis-cluster 5000
sentinel parallel-syncs redis-cluster 1
sentinel failover-timeout redis-cluster 10000

💬 For more detailed information please refer to the official sentinel documentation.

secure redis-cluster

ℹ️ Official Redis Security webpage

Require clients to issue AUTH before processing any other commands. This might be useful in environments in which you do not trust others with access to the host running redis-server.

Protected mode is a layer of security protection, in order to avoid that Redis instances left open on the internet are accessed and exploited.

⚠️ Since Redis is pretty fast an outside user can try up to 150k passwords per second against a good box. This means that you should use a very strong password otherwise it will be very easy to break.

generate a random password

💬 Take the password from the kernel CSPRNG, never from something guessable. Hashing the current date (“date | md5”) is a common shortcut, but the input has one-second resolution, so anyone who knows roughly when the box was built has a few thousand candidates to try, and “md5” is the macOS name of the tool anyway (CentOS ships md5sum). 32 random bytes give 256 bits of entropy, which no 150k-guesses-per-second brute force will exhaust:

REDIS_PASSWD=$(openssl rand -hex 32)
# or, without openssl: REDIS_PASSWD=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
echo ${REDIS_PASSWD}   # prints 64 hex characters

To add this layer of security to our current redis-cluster we have to modify our configuration files as follows. The same password goes into every file: “requirepass” protects incoming client connections, “masterauth” is what a slave presents to its master, and both nodes need both directives because after a failover the old master becomes a slave of the new one. A slave without “masterauth” will show master_link_status:down forever once the master requires AUTH.

  • redis.conf master node
bind ${SERVER_IP}
port 6379
dir /var/lib/redis
requirepass ${REDIS_PASSWD}
masterauth ${REDIS_PASSWD}
  • redis.conf slave node
bind ${SERVER_IP}
port 6379
dir /var/lib/redis
requirepass ${REDIS_PASSWD}
masterauth ${REDIS_PASSWD}
slaveof ${MASTER_NODE_IP} 6379
  • sentinel file (all three sentinels, same quorum of 2 everywhere)
. . .
sentinel monitor redis-cluster ${MASTER_NODE_IP} 6379 2
# sentinel auth-pass <master-name> <password>
sentinel auth-pass redis-cluster ${REDIS_PASSWD}
. . .

⚠️ The password sits in clear text in all of these files. Keep them readable only by root and the redis user (mode 640); the Sentinel file must additionally stay writable by the redis user, because Sentinel rewrites it at runtime to record failovers and discovered peers.
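As an added example (not code from the original post), the following bash script ties the password generation and the three configuration files of this section together: it draws the password from /dev/urandom, renders the master, slave and Sentinel files from it, and checks the two mistakes that most often break an authenticated pair, a slave without “masterauth” and a Sentinel whose quorum differs from its peers. The 10.0.0.x addresses, the staging directory and the file names are assumptions; copy each rendered file to /etc/redis.conf or /etc/redis-sentinel.conf on its node.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: render the authenticated
# master/slave/sentinel configuration of this section from one strong shared
# password, then sanity-check the result before copying it to the nodes.
# Assumptions: vm-centos-01..03 are 10.0.0.1..3, files are staged in OUT_DIR.
set -euo pipefail

MASTER_NAME=redis-cluster   # Sentinel master-group name used in the post
MASTER_IP=10.0.0.1          # assumed address of vm-centos-01
SLAVE_IP=10.0.0.2           # assumed address of vm-centos-02
SENTINEL_IPS="10.0.0.1 10.0.0.2 10.0.0.3"
QUORUM=2                    # majority of the three Sentinels

# 32 bytes from the kernel CSPRNG, hex-encoded: 256 bits of entropy, nothing
# derived from the clock. Use this instead of date|md5.
gen_password() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# render_redis_conf ROLE NODE_IP PASSWORD -> redis.conf on stdout.
# Both roles get requirepass AND masterauth: after a failover the old master
# becomes a slave and must be able to authenticate to the new one.
render_redis_conf() {
    local role=$1 node_ip=$2 pass=$3
    printf 'bind %s\nport 6379\ndir /var/lib/redis\n' "$node_ip"
    printf 'requirepass %s\nmasterauth %s\n' "$pass" "$pass"
    # Only the initial slave starts out following the master; Sentinel
    # rewrites this directive itself after a failover.
    if [ "$role" = slave ]; then
        printf 'slaveof %s 6379\n' "$MASTER_IP"
    fi
}

# render_sentinel_conf NODE_IP PASSWORD -> redis-sentinel.conf on stdout.
render_sentinel_conf() {
    local node_ip=$1 pass=$2
    printf 'bind %s\nport 26379\ndir /var/lib/redis\n' "$node_ip"
    printf 'sentinel monitor %s %s 6379 %s\n' "$MASTER_NAME" "$MASTER_IP" "$QUORUM"
    printf 'sentinel down-after-milliseconds %s 5000\n' "$MASTER_NAME"
    printf 'sentinel parallel-syncs %s 1\n' "$MASTER_NAME"
    printf 'sentinel failover-timeout %s 10000\n' "$MASTER_NAME"
    printf 'sentinel auth-pass %s %s\n' "$MASTER_NAME" "$pass"
}

# check_conf FILE -> 0 if the file is consistent with an authenticated setup:
#   * a slave must carry masterauth or replication stays "master_link_status:down"
#   * a sentinel must carry auth-pass and the same quorum as its peers
check_conf() {
    local f=$1
    if grep -q '^slaveof ' "$f" && ! grep -q '^masterauth ' "$f"; then
        echo "$f: slave without masterauth" >&2; return 1
    fi
    if grep -q '^sentinel monitor ' "$f"; then
        grep -q '^sentinel auth-pass ' "$f" || { echo "$f: sentinel without auth-pass" >&2; return 1; }
        [ "$(awk '/^sentinel monitor /{print $NF}' "$f")" = "$QUORUM" ] \
            || { echo "$f: quorum differs from $QUORUM" >&2; return 1; }
    fi
    return 0
}

# write_node_configs OUT_DIR PASSWORD: one file per node, created 0600 because
# the password sits in clear text in each of them; then validate every file.
write_node_configs() {
    local out=$1 pass=$2 ip n=0
    (
        umask 077
        render_redis_conf master "$MASTER_IP" "$pass" > "$out/redis-master.conf"
        render_redis_conf slave  "$SLAVE_IP"  "$pass" > "$out/redis-slave.conf"
        for ip in $SENTINEL_IPS; do
            n=$((n + 1))
            render_sentinel_conf "$ip" "$pass" > "$out/redis-sentinel-0$n.conf"
        done
    )
    for f in "$out"/*.conf; do check_conf "$f"; done
}

# Stand-alone run: stage everything in a temp dir and list it.
if [ "${1:-}" = run ]; then
    OUT_DIR=$(mktemp -d)
    write_node_configs "$OUT_DIR" "$(gen_password)"
    ls -l "$OUT_DIR"
fi
```

Run it as “bash render-redis-cluster.sh run” to stage the five files, then copy them into place with scp and restore the ownership the package expects (root:redis for redis.conf, redis-owned for the Sentinel file). The check_conf function is worth keeping on the nodes: rerun it against /etc/redis.conf after any manual edit, since a missing masterauth only shows up as a silent replication break.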

Restart services

On every node, restart redis-server and redis-sentinel so that both pick up the new password:

systemctl restart redis.service redis-sentinel.service

Check the Cluster State with authentication enabled.

  • Now you can reach any of your redis-cluster members using the password you set
redis-cli -h ${REDIS_SRV} -p 6379 -a ${REDIS_PASSWD} info replication

⚠️ Passing the password with -a puts it in your shell history and shows it to every local user through the process list (ps). Prefer an interactive session: run “redis-cli -h ${REDIS_SRV} -p 6379”, then “AUTH ${REDIS_PASSWD}”, then “info replication”.

You should see the replication information in your terminal: role:master and connected_slaves:1 on the master, role:slave and master_link_status:up on the slave. A master_link_status:down on the slave almost always means “masterauth” is missing or wrong.

redis-cli, the Redis command line interface

redis-cli is the Redis command line interface, a simple program that allows to send commands to Redis, and read the replies sent by the server, directly from the terminal.

💬 port 6379 for redis-srv and port 26379 for sentinel

redis-cluster test

  • Check redis-cluster status (are enough Sentinels reachable to agree on a failure and authorize a failover?)
${SERVER_IP}:26379> sentinel ckquorum redis-cluster
OK 3 usable Sentinels. Quorum and failover authorization can be reached
  • Return the list of slaves
${SERVER_IP}:26379> sentinel slaves redis-cluster
  • Return the current master
${SERVER_IP}:26379> sentinel master redis-cluster
  • Initiate a failover (promotes a slave even though the master is healthy)
${SERVER_IP}:26379> sentinel failover redis-cluster

⚠️ Note that none of the commands above asked for a password. In the Redis releases shipped by EPEL 7 at the time of writing, Sentinel does not honour “requirepass” (password protection of the Sentinel port only arrived with Redis 5), so anyone who can reach port 26379 can run “sentinel failover” or change the monitored master with “sentinel set”. The password protects the data on 6379, not the failover logic; the firewall has to protect 26379.
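As an added example (not code from the original post), here is a bash pre-failover gate that scripts the checks of this section together with the authenticated “info replication” check above: it only lets “sentinel failover” run when ckquorum answers OK, the master's flags are exactly “master” (no s_down or o_down) and the slave reports master_link_status:up. The parsers read the raw one-value-per-line format redis-cli prints when its output is not a terminal; the sample replies embedded in the script are constructed, and the 10.0.0.x addresses are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a pre-failover gate that runs the
# checks of this section from a script instead of an interactive redis-cli.
# The parsers expect the raw output redis-cli produces when stdout is not a
# terminal (one array element per line); the replies at the bottom are
# constructed samples, and the 10.0.0.x addresses are assumptions.
set -eu

# sentinel_kv: turn the alternating key/value lines of "sentinel master" into
# key=value lines so single fields can be picked out with awk.
sentinel_kv() {
    awk 'NR % 2 == 1 { key = $0; next } { print key "=" $0 }'
}

# master_flags REPLY -> the "flags" field. A healthy master reports exactly
# "master"; "master,s_down" or "...,o_down" means Sentinel already lost it and
# a manual failover would race the automatic one.
master_flags() {
    printf '%s\n' "$1" | sentinel_kv | awk -F= '$1 == "flags" { print $2 }'
}

# quorum_ok REPLY -> 0 when "sentinel ckquorum" answered OK, i.e. enough
# Sentinels are reachable to agree on o_down and to authorize a failover.
quorum_ok() {
    case "$1" in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

# replica_synced INFO -> 0 when "info replication" from the slave shows a
# slave role with its master link up. INFO lines end in CRLF, hence the tr.
# With requirepass on the master and no masterauth on the slave this reads
# master_link_status:down, which is exactly the mistake worth catching here.
replica_synced() {
    local info
    info=$(printf '%s\n' "$1" | tr -d '\r')
    printf '%s\n' "$info" | grep -q '^role:slave$' &&
        printf '%s\n' "$info" | grep -q '^master_link_status:up$'
}

# safe_to_failover CKQUORUM_REPLY MASTER_REPLY SLAVE_INFO -> 0 if every gate
# passes; each failure is explained on stderr.
safe_to_failover() {
    local flags
    quorum_ok "$1" || { echo "quorum not reachable: $1" >&2; return 1; }
    flags=$(master_flags "$2")
    [ "$flags" = master ] || { echo "master flags are '$flags', not 'master'" >&2; return 1; }
    replica_synced "$3" || { echo "slave is not in sync with the master" >&2; return 1; }
    return 0
}

# Constructed sample replies (a subset of the real fields, same layout).
CKQUORUM_OK='OK 3 usable Sentinels. Quorum and failover authorization can be reached'
MASTER_OK='name
redis-cluster
ip
10.0.0.1
port
6379
flags
master
num-slaves
1
num-other-sentinels
2
quorum
2'
SLAVE_OK='# Replication
role:slave
master_host:10.0.0.1
master_port:6379
master_link_status:up'

# Against the live cluster (assumed hosts; -a shown for brevity, see the note
# on -a above; the Sentinel port takes no password in this Redis generation):
#   safe_to_failover "$(redis-cli -h 10.0.0.3 -p 26379 sentinel ckquorum redis-cluster)" \
#                    "$(redis-cli -h 10.0.0.3 -p 26379 sentinel master redis-cluster)" \
#                    "$(redis-cli -h 10.0.0.2 -p 6379 -a "$REDIS_PASSWD" info replication)" \
#     && redis-cli -h 10.0.0.3 -p 26379 sentinel failover redis-cluster
if [ "${1:-}" = demo ]; then
    safe_to_failover "$CKQUORUM_OK" "$MASTER_OK" "$SLAVE_OK" && echo "safe to fail over"
fi
```

Run “bash failover-gate.sh demo” to exercise it against the embedded samples. The three gates are deliberately separate so a refusal tells you which layer is broken: NOQUORUM points at Sentinel connectivity, a flags value other than “master” means Sentinel is already handling an outage, and a down master link on the slave means a manual failover would promote a replica with stale data.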

A complete configuration example

Hoping it’ll help someone one day, I put my configuration files on github; here is the repository url: github.com/orsius/redis-cluster

Keep calm and continue using redis-cluster ッ
G.