学习redis的途中,碰上了redis.conf,突发奇想,想着来进行一波翻译输出。
源码之前,了无秘密。
文章目录
安全
原文
################################## SECURITY ###################################
# Warning: since Redis is pretty fast an outside user can try up to
# 1 million passwords per second against a modern box. This means that you
# should use very strong passwords, otherwise they will be very easy to break.
# Note that because the password is really a shared secret between the client
# and the server, and should not be memorized by any human, the password
# can be easily a long string from /dev/urandom or whatever, so by using a
# long and unguessable password no brute force attack will be possible.
# Redis ACL users are defined in the following format:
#
# user <username> ... acl rules ...
#
# For example:
#
# user worker +@list +@connection ~jobs:* on >ffa9203c493aa99
#
# The special username "default" is used for new connections. If this user
# has the "nopass" rule, then new connections will be immediately authenticated
# as the "default" user without the need of any password provided via the
# AUTH command. Otherwise if the "default" user is not flagged with "nopass"
# the connections will start in not authenticated state, and will require
# AUTH (or the HELLO command AUTH option) in order to be authenticated and
# start to work.
#
# The ACL rules that describe what an user can do are the following:
#
# on Enable the user: it is possible to authenticate as this user.
# off Disable the user: it's no longer possible to authenticate
# with this user, however the already authenticated connections
# will still work.
# +<command> Allow the execution of that command
# -<command> Disallow the execution of that command
# +@<category> Allow the execution of all the commands in such category
# with valid categories are like @admin, @set, @sortedset, ...
# and so forth, see the full list in the server.c file where
# the Redis command table is described and defined.
# The special category @all means all the commands, but currently
# present in the server, and that will be loaded in the future
# via modules.
# +<command>|subcommand Allow a specific subcommand of an otherwise
# disabled command. Note that this form is not
# allowed as negative like -DEBUG|SEGFAULT, but
# only additive starting with "+".
# allcommands Alias for +@all. Note that it implies the ability to execute
# all the future commands loaded via the modules system.
# nocommands Alias for -@all.
# ~<pattern> Add a pattern of keys that can be mentioned as part of
# commands. For instance ~* allows all the keys. The pattern
# is a glob-style pattern like the one of KEYS.
# It is possible to specify multiple patterns.
# allkeys Alias for ~*
# resetkeys Flush the list of allowed keys patterns.
# ><password> Add this passowrd to the list of valid password for the user.
# For example >mypass will add "mypass" to the list.
# This directive clears the "nopass" flag (see later).
# <<password> Remove this password from the list of valid passwords.
# nopass All the set passwords of the user are removed, and the user
# is flagged as requiring no password: it means that every
# password will work against this user. If this directive is
# used for the default user, every new connection will be
# immediately authenticated with the default user without
# any explicit AUTH command required. Note that the "resetpass"
# directive will clear this condition.
# resetpass Flush the list of allowed passwords. Moreover removes the
# "nopass" status. After "resetpass" the user has no associated
# passwords and there is no way to authenticate without adding
# some password (or setting it as "nopass" later).
# reset Performs the following actions: resetpass, resetkeys, off,
# -@all. The user returns to the same state it has immediately
# after its creation.
#
# ACL rules can be specified in any order: for instance you can start with
# passwords, then flags, or key patterns. However note that the additive
# and subtractive rules will CHANGE MEANING depending on the ordering.
# For instance see the following example:
#
# user alice on +@all -DEBUG ~* >somepassword
#
# This will allow "alice" to use all the commands with the exception of the
# DEBUG command, since +@all added all the commands to the set of the commands
# alice can use, and later DEBUG was removed. However if we invert the order
# of two ACL rules the result will be different:
#
# user alice on -DEBUG +@all ~* >somepassword
#
# Now DEBUG was removed when alice had yet no commands in the set of allowed
# commands, later all the commands are added, so the user will be able to
# execute everything.
#
# Basically ACL rules are processed left-to-right.
#
# For more information about ACL configuration please refer to
# the Redis web site at https://redis.io/topics/acl
# ACL LOG
#
# The ACL Log tracks failed commands and authentication events associated
# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked
# by ACLs. The ACL Log is stored in memory. You can reclaim memory with
# ACL LOG RESET. Define the maximum entry length of the ACL Log below.
acllog-max-len 128
# Using an external ACL file
#
# Instead of configuring users here in this file, it is possible to use
# a stand-alone file just listing users. The two methods cannot be mixed:
# if you configure users here and at the same time you activate the exteranl
# ACL file, the server will refuse to start.
#
# The format of the external ACL user file is exactly the same as the
# format that is used inside redis.conf to describe users.
#
# aclfile /etc/redis/users.acl
# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatiblity
# layer on top of the new ACL system. The option effect will be just setting
# the password for the default user. Clients will still authenticate using
# AUTH <password> as usually, or more explicitly with AUTH default <password>
# if they follow the new protocol: both will work.
#
# requirepass foobared
# Command renaming (DEPRECATED).
#
# ------------------------------------------------------------------------
# WARNING: avoid using this option if possible. Instead use ACLs to remove
# commands from the default user, and put them only in some admin user you
# create for administrative purposes.
# ------------------------------------------------------------------------
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
# hard to guess so that it will still be available for internal-use tools
# but not available for general clients.
#
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
# rename-command CONFIG ""
#
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to replicas may cause problems.
译文
警告:由于Redis非常快,外部用户可以用外部应用去尝试高达每秒100万个密码。这意味着您应该使用非常强的密码,否则它们将非常容易被破解。
注意,因为密码是客户端和服务器之间的秘密,不应该被任何人记住。密码可以是来自/dev/urandom的很长的字符串,所以通过使用长且无法猜测的密码,暴力破解将是不可能的。
Redis ACL用户定义如下格式:
user <username> ... acl rules ...
示例:
user worker +@list +@connection ~jobs:* on >ffa9203c493aa99
描述用户可以做什么的ACL规则如下:
on:启用用户:可以作为该用户进行身份验证。
off:禁用该用户:不再可能对该用户进行身份验证,但是已经通过身份验证的连接仍然可以工作。
+<command> 允许执行该命令
-<command> 不允许执行该命令
+@<category> 允许在此类类别中执行有效类别的所有命令,如@admin, @set, @sortedset,…等等,在server.c文件中可以看到完整的列表,其中描述和定义了Redis命令表。
特殊类别@all表示所有命令,但当前存在于服务器中,将来将通过模块加载。
+<command>|subcommand 允许其他禁用命令的特定子命令。注意,这种形式不允许作为负数,如-DEBUG|SEGFAULT,只允许以“+”开头。
allcommands + @all别名。注意,这意味着可以执行通过模块系统加载的所有未来命令。
nocommands - @all别名。
~<pattern> 添加可以作为命令的一部分提及的键模式。例如~*允许所有的键。该模式是一个全局样式的模式,类似于密钥样式。
可以指定多个模式。
allkeys ~* 别名
resetkeys 刷新允许的键模式列表。
><password> 将此passowrd添加到该用户的有效密码列表中。
例如,>mypass将添加“mypass”到列表中。
这个指令清除“nopass”标志(稍后见)。
<<password> 将此密码从队列中移出
nopass 删除该用户的所有设置密码,并将该用户标记为不需要密码:这意味着每个密码都将针对该用户工作。如果该指令用于默认用户,则每个新连接都将立即与默认用户进行身份验证,而不需要任何显式的AUTH命令。注意,“resetpass”指令将清除这个效果。
resetpass 刷新允许的密码列表。此外,删除“nopass”状态。在“resetpass”之后,用户没有相关的密码,并且没有办法在不添加一些密码(或稍后将其设置为“nopass”)的情况下进行身份验证。
reset 执行以下操作:resetpass, resetkeys, off, -@all。用户立即返回到创建后的相同状态。
ACL规则可以按照任何顺序指定:例如,可以从密码开始,然后是标志或密钥模式。但是请注意,加法规则和减法规则将根据顺序改变含义。
例如:
user alice on +@all -DEBUG ~* >somepassword
这将允许“alice”使用除调试命令之外的所有命令,因为+@all将所有命令添加到alice可以使用的命令集中,随后的调试被删除。但是,如果我们倒转两个ACL规则的顺序,结果将不同:
user alice on -DEBUG +@all ~* >somepassword
现在,当alice在允许的命令集中还没有命令时,调试被删除,之后所有的命令都被添加,这样用户就可以执行所有的命令了。
更多关于ACL配置的信息,请参考Redis网站https://redis.io/topics/acl
ACL日志
ACL日志跟踪与ACL关联的失败命令和身份验证事件。ACL日志对于排除ACL阻塞的失败命令非常有用。ACL日志存储在内存中。您可以通过ACL日志重置收回内存。定义ACL日志的最大入口长度:
acllog-max-len 128
使用外部ACL文件
不需要在此文件中配置用户,可以使用一个仅列出用户的独立文件。这两种方法不能混合使用:
如果您在这里配置用户,同时激活exteranl ACL文件,服务器将拒绝启动。
外部ACL用户文件的格式与在redis.conf中用于描述用户的格式完全相同。
aclfile /etc/redis/users.acl
重要提示:从Redis 6开始,“requirepass”只是在新的ACL系统之上的一个兼容性层。选项效果将只是设置默认用户的密码。客户端仍然会像往常一样使用AUTH进行身份验证,或者更明确地使用AUTH默认值,如果它们遵循新的协议:两者都可以工作。
命令重命名(不赞成)。
警告:尽可能避免使用此选项。相反,使用acl从默认用户中删除命令,并将它们仅放在为管理目的而创建的某个管理用户中。
在共享环境中可以更改危险命令的名称。例如,CONFIG命令可能会被重命名为一些难以猜测的东西,这样它仍然可以用于内部使用的工具,但不能用于一般的客户端。
就像:rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
也可以通过将一个命令重命名为空字符串来完全杀死它:rename-command CONFIG " ”
请注意,更改登录到AOF文件或传输到副本的命令的名称可能会导致问题。
客户端
原文
################################### CLIENTS ####################################
# Set the max number of connected clients at the same time. By default
# this limit is set to 10000 clients, however if the Redis server is not
# able to configure the process file limit to allow for the specified limit
# the max number of allowed clients is set to the current file limit
# minus 32 (as Redis reserves a few file descriptors for internal uses).
#
# Once the limit is reached Redis will close all the new connections sending
# an error 'max number of clients reached'.
#
# IMPORTANT: When Redis Cluster is used, the max number of connections is also
# shared with the cluster bus: every node in the cluster will use two
# connections, one incoming and another outgoing. It is important to size the
# limit accordingly in case of very large clusters.
#
# maxclients 10000
译文
同时设置连接的客户端的最大数量。默认情况下这个限制设置为10000个客户,但是,如果Redis服务器不能配置进程文件限制,以允许指定的限制,最大数量的允许客户被设置为当前文件限制减32(作为Redis保留一些文件描述符内部使用)。
一旦达到限制,Redis将关闭所有新连接发送一个错误’最大数量的客户端达到’。
重要提示:当使用Redis集群时,最大连接数也会与集群总线共享:集群中的每个节点将使用两个连接,一个传入,另一个传出。对于非常大的集群,相应地调整限制的大小是很重要的。
内存管理
原文
############################## MEMORY MANAGEMENT ################################
# Set a memory usage limit to the specified amount of bytes.
# When the memory limit is reached Redis will try to remove keys
# according to the eviction policy selected (see maxmemory-policy).
#
# If Redis can't remove keys according to the policy, or if the policy is
# set to 'noeviction', Redis will start to reply with errors to commands
# that would use more memory, like SET, LPUSH, and so on, and will continue
# to reply to read-only commands like GET.
#
# This option is usually useful when using Redis as an LRU or LFU cache, or to
# set a hard memory limit for an instance (using the 'noeviction' policy).
#
# WARNING: If you have replicas attached to an instance with maxmemory on,
# the size of the output buffers needed to feed the replicas are subtracted
# from the used memory count, so that network problems / resyncs will
# not trigger a loop where keys are evicted, and in turn the output
# buffer of replicas is full with DELs of keys evicted triggering the deletion
# of more keys, and so forth until the database is completely emptied.
#
# In short... if you have replicas attached it is suggested that you set a lower
# limit for maxmemory so that there is some free RAM on the system for replica
# output buffers (but this is not needed if the policy is 'noeviction').
#
# maxmemory <bytes>
# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
# is reached. You can select one from the following behaviors:
#
# volatile-lru -> Evict using approximated LRU, only keys with an expire set.
# allkeys-lru -> Evict any key using approximated LRU.
# volatile-lfu -> Evict using approximated LFU, only keys with an expire set.
# allkeys-lfu -> Evict any key using approximated LFU.
# volatile-random -> Remove a random key having an expire set.
# allkeys-random -> Remove a random key, any key.
# volatile-ttl -> Remove the key with the nearest expire time (minor TTL)
# noeviction -> Don't evict anything, just return an error on write operations.
#
# LRU means Least Recently Used
# LFU means Least Frequently Used
#
# Both LRU, LFU and volatile-ttl are implemented using approximated
# randomized algorithms.
#
# Note: with any of the above policies, Redis will return an error on write
# operations, when there are no suitable keys for eviction.
#
# At the date of writing these commands are: set setnx setex append
# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
# getset mset msetnx exec sort
#
# The default is:
#
# maxmemory-policy noeviction
# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated
# algorithms (in order to save memory), so you can tune it for speed or
# accuracy. For default Redis will check five keys and pick the one that was
# used less recently, you can change the sample size using the following
# configuration directive.
#
# The default of 5 produces good enough results. 10 Approximates very closely
# true LRU but costs more CPU. 3 is faster but not very accurate.
#
# maxmemory-samples 5
# Starting from Redis 5, by default a replica will ignore its maxmemory setting
# (unless it is promoted to master after a failover or manually). It means
# that the eviction of keys will be just handled by the master, sending the
# DEL commands to the replica as keys evict in the master side.
#
# This behavior ensures that masters and replicas stay consistent, and is usually
# what you want, however if your replica is writable, or you want the replica
# to have a different memory setting, and you are sure all the writes performed
# to the replica are idempotent, then you may change this default (but be sure
# to understand what you are doing).
#
# Note that since the replica by default does not evict, it may end using more
# memory than the one set via maxmemory (there are certain buffers that may
# be larger on the replica, or data structures may sometimes take more memory
# and so forth). So make sure you monitor your replicas and make sure they
# have enough memory to never hit a real out-of-memory condition before the
# master hits the configured maxmemory setting.
#
# replica-ignore-maxmemory yes
# Redis reclaims expired keys in two ways: upon access when those keys are
# found to be expired, and also in background, in what is called the
# "active expire key". The key space is slowly and interactively scanned
# looking for expired keys to reclaim, so that it is possible to free memory
# of keys that are expired and will never be accessed again in a short time.
#
# The default effort of the expire cycle will try to avoid having more than
# ten percent of expired keys still in memory, and will try to avoid consuming
# more than 25% of total memory and to add latency to the system. However
# it is possible to increase the expire "effort" that is normally set to
# "1", to a greater value, up to the value "10". At its maximum value the
# system will use more CPU, longer cycles (and technically may introduce
# more latency), and will tollerate less already expired keys still present
# in the system. It's a tradeoff betweeen memory, CPU and latecy.
#
# active-expire-effort 1
译文
将内存使用限制设置为指定的字节数。当达到内存限制时,Redis会根据所选的驱逐策略(参见maxmemory-policy)尝试删除键。
如果Redis不能根据策略删除键,或者如果策略被设置为“noeviction”,Redis将开始回复会占用更多内存的命令错误,如set、LPUSH等,并将继续回复只读命令,如GET。
这个选项通常在使用Redis作为LRU或LFU缓存时有用,或者为实例设置硬内存限制(使用’noeviction’策略)。
警告:如果你有副本附加到一个实例与maxmemory,输出缓冲区的大小需要喂副本使用内存数相减时,这网络问题/同步不会触发一个键被驱逐的循环,进而副本的输出缓冲区满del键驱逐触发的删除键,直到完全清空数据库等等。
总之……如果您附加了副本,建议您为maxmemory设置一个下限,以便在系统上有一些空闲RAM用于副本输出缓冲区(但如果策略是‘noeviction’,则不需要这样做)。
MAXMEMORY策略:当达到MAXMEMORY时,Redis将如何选择删除什么。你可以从以下行为中选择一个:
volatile-lru ->退出使用近似的LRU,仅使用设置了过期值的键。
allkeys-lru ->使用近似的LRU驱逐任何密钥。
volatile-lfu ->使用近似的LFU逐出,仅使用具有过期集的键。
allkeys-lfu ->使用近似的LFU驱逐任何密钥。
volatile-random ->删除一个具有过期设置的随机键。
allkeys-random ->删除一个随机键,任意键。
volatile-ttl ->删除最近过期时间的密钥(较小的TTL)
noeviction ->不驱逐任何东西,只是在写操作时返回一个错误。
LRU表示最近最少使用
LFU表示使用频率最低
LRU、LFU和volatile-ttl都是使用近似随机算法实现的。
注意:使用上述任何策略,当没有合适的键用于驱逐时,Redis会在写操作时返回一个错误。
LRU、LFU和最小TTL算法不是精确算法,而是近似算法(为了节省内存),因此您可以调整它以提高速度或精度。对于默认Redis将检查五个键,并选择一个最近使用较少,你可以改变样本大小使用以下配置指令。
默认为5会产生足够好的结果。10非常接近真实的LRU,但需要更多的CPU。3更快,但不是很准确。
# maxmemory-samples 5
从redis5开始,默认情况下副本会忽略它的maxmemory设置(除非它在故障转移后被提升为master或手动)。这意味着键的回收将由主服务器处理,在主服务器端键被回收时将DEL命令发送给副本。
这种行为保持一致,确保是你想要的,但是如果你的复制品是可写的,或者你想要复制不同的内存设置,和你确定都将执行写入副本是等幂的,然后你可能会改变这种默认(但一定要了解你在做什么)。
注意,由于副本在默认情况下不会驱逐,因此它最终使用的内存可能比通过maxmemory设置的一组内存更多(副本上的某些缓冲区可能更大,或者数据结构有时可能占用更多内存等等)。因此,请确保您监视您的副本,并确保它们有足够的内存,在主服务器达到配置的maxmemory设置之前,不会出现真正的内存不足情况。
Redis以两种方式回收过期的密钥:在访问时发现过期的密钥,以及在后台,在所谓的“活动过期密钥”。密钥空间被缓慢而交互式地扫描,以寻找要回收的过期密钥,这样就可以释放过期且在短时间内再也不会被访问的密钥的内存。
过期周期的默认努力将试图避免在内存中仍然有超过10%的过期密钥,并试图避免消耗总内存的25%以上,并增加系统的延迟。但是,可以将通常设置为“1”的过期“努力”增加到更大的值,直到值“10”。在它的最大值,系统将使用更多的CPU,更长的周期(技术上可能引入更多的延迟),并将减少系统中仍然存在的已经过期的密钥。这是内存、CPU和内存之间的权衡。
今天先到这儿吧。
