redis.conf翻译与配置(三)【redis6.0.6】

2022-05-06 14:00:52 浏览数 (1)

学习redis的途中,碰上了redis.conf,突发奇想,想着来进行一波翻译输出。 源码之前,了无秘密。

文章目录
  • 安全
    • 原文
      • 译文
  • 客户端
    • 原文
      • 译文
  • 内存管理
    • 原文
      • 译文

安全

原文

代码语言:javascript复制
################################## SECURITY ###################################

# Warning: since Redis is pretty fast an outside user can try up to
# 1 million passwords per second against a modern box. This means that you
# should use very strong passwords, otherwise they will be very easy to break.
# Note that because the password is really a shared secret between the client
# and the server, and should not be memorized by any human, the password
# can be easily a long string from /dev/urandom or whatever, so by using a
# long and unguessable password no brute force attack will be possible.

# Redis ACL users are defined in the following format:
#
#   user <username> ... acl rules ...
#
# For example:
#
#   user worker  @list  @connection ~jobs:* on >ffa9203c493aa99
#
# The special username "default" is used for new connections. If this user
# has the "nopass" rule, then new connections will be immediately authenticated
# as the "default" user without the need of any password provided via the
# AUTH command. Otherwise if the "default" user is not flagged with "nopass"
# the connections will start in not authenticated state, and will require
# AUTH (or the HELLO command AUTH option) in order to be authenticated and
# start to work.
#
# The ACL rules that describe what an user can do are the following:
#
#  on           Enable the user: it is possible to authenticate as this user.
#  off          Disable the user: it's no longer possible to authenticate
#               with this user, however the already authenticated connections
#               will still work.
#   <command>   Allow the execution of that command
#  -<command>   Disallow the execution of that command
#   @<category> Allow the execution of all the commands in such category
#               with valid categories are like @admin, @set, @sortedset, ...
#               and so forth, see the full list in the server.c file where
#               the Redis command table is described and defined.
#               The special category @all means all the commands, but currently
#               present in the server, and that will be loaded in the future
#               via modules.
#   <command>|subcommand    Allow a specific subcommand of an otherwise
#                           disabled command. Note that this form is not
#                           allowed as negative like -DEBUG|SEGFAULT, but
#                           only additive starting with " ".
#  allcommands  Alias for  @all. Note that it implies the ability to execute
#               all the future commands loaded via the modules system.
#  nocommands   Alias for -@all.
#  ~<pattern>   Add a pattern of keys that can be mentioned as part of
#               commands. For instance ~* allows all the keys. The pattern
#               is a glob-style pattern like the one of KEYS.
#               It is possible to specify multiple patterns.
#  allkeys      Alias for ~*
#  resetkeys    Flush the list of allowed keys patterns.
#  ><password>  Add this passowrd to the list of valid password for the user.
#               For example >mypass will add "mypass" to the list.
#               This directive clears the "nopass" flag (see later).
#  <<password>  Remove this password from the list of valid passwords.
#  nopass       All the set passwords of the user are removed, and the user
#               is flagged as requiring no password: it means that every
#               password will work against this user. If this directive is
#               used for the default user, every new connection will be
#               immediately authenticated with the default user without
#               any explicit AUTH command required. Note that the "resetpass"
#               directive will clear this condition.
#  resetpass    Flush the list of allowed passwords. Moreover removes the
#               "nopass" status. After "resetpass" the user has no associated
#               passwords and there is no way to authenticate without adding
#               some password (or setting it as "nopass" later).
#  reset        Performs the following actions: resetpass, resetkeys, off,
#               -@all. The user returns to the same state it has immediately
#               after its creation.
#
# ACL rules can be specified in any order: for instance you can start with
# passwords, then flags, or key patterns. However note that the additive
# and subtractive rules will CHANGE MEANING depending on the ordering.
# For instance see the following example:
#
#   user alice on  @all -DEBUG ~* >somepassword
#
# This will allow "alice" to use all the commands with the exception of the
# DEBUG command, since  @all added all the commands to the set of the commands
# alice can use, and later DEBUG was removed. However if we invert the order
# of two ACL rules the result will be different:
#
#   user alice on -DEBUG  @all ~* >somepassword
#
# Now DEBUG was removed when alice had yet no commands in the set of allowed
# commands, later all the commands are added, so the user will be able to
# execute everything.
#
# Basically ACL rules are processed left-to-right.
#
# For more information about ACL configuration please refer to
# the Redis web site at https://redis.io/topics/acl

# ACL LOG
#
# The ACL Log tracks failed commands and authentication events associated
# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked 
# by ACLs. The ACL Log is stored in memory. You can reclaim memory with 
# ACL LOG RESET. Define the maximum entry length of the ACL Log below.
acllog-max-len 128

# Using an external ACL file
#
# Instead of configuring users here in this file, it is possible to use
# a stand-alone file just listing users. The two methods cannot be mixed:
# if you configure users here and at the same time you activate the exteranl
# ACL file, the server will refuse to start.
#
# The format of the external ACL user file is exactly the same as the
# format that is used inside redis.conf to describe users.
#
# aclfile /etc/redis/users.acl

# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatiblity
# layer on top of the new ACL system. The option effect will be just setting
# the password for the default user. Clients will still authenticate using
# AUTH <password> as usually, or more explicitly with AUTH default <password>
# if they follow the new protocol: both will work.
#
# requirepass foobared

# Command renaming (DEPRECATED).
#
# ------------------------------------------------------------------------
# WARNING: avoid using this option if possible. Instead use ACLs to remove
# commands from the default user, and put them only in some admin user you
# create for administrative purposes.
# ------------------------------------------------------------------------
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
# hard to guess so that it will still be available for internal-use tools
# but not available for general clients.
#
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
# rename-command CONFIG ""
#
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to replicas may cause problems.
译文

警告:由于Redis非常快,外部用户可以用外部应用去尝试高达每秒100万个密码。这意味着您应该使用非常强的密码,否则它们将非常容易被破解。 注意,因为密码是客户端和服务器之间的秘密,不应该被任何人记住。密码可以是来自/dev/urandom的很长的字符串,所以通过使用长且无法猜测的密码,暴力破解将是不可能的。

Redis ACL用户定义如下格式:

代码语言:javascript复制
user <username> ... acl rules ...

示例:

代码语言:javascript复制
user worker  @list  @connection ~jobs:* on >ffa9203c493aa99

描述用户可以做什么的ACL规则如下:

代码语言:javascript复制
on:启用用户:可以作为该用户进行身份验证。
off:禁用该用户:不再可能对该用户进行身份验证,但是已经通过身份验证的连接仍然可以工作。
 <command>   允许执行该命令
-<command>   不允许执行该命令

 @<category>	允许在此类类别中执行有效类别的所有命令,如@admin, @set, @sortedset,…等等,在server.c文件中可以看到完整的列表,其中描述和定义了Redis命令表。
特殊类别@all表示所有命令,但当前存在于服务器中,将来将通过模块加载。

 <command>|subcommand	允许其他禁用命令的特定子命令。注意,这种形式不允许作为负数,如-DEBUG|SEGFAULT,只允许以“ ”开头。
allcommands		  @all别名。注意,这意味着可以执行通过模块系统加载的所有未来命令。
nocommands      - @all别名。

~<pattern>		添加可以作为命令的一部分提及的键模式。例如~*允许所有的键。该模式是一个全局样式的模式,类似于密钥样式。
				可以指定多个模式。
allkeys      	~* 别名
resetkeys    	刷新允许的键模式列表。

><password>		将此passowrd添加到该用户的有效密码列表中。
				例如,>mypass将添加“mypass”到列表中。
				这个指令清除“nopass”标志(稍后见)。
<<password>  	将此密码从队列中移出
nopass       	删除该用户的所有设置密码,并将该用户标记为不需要密码:这意味着每个密码都将针对该用户工作。如果该指令用于默认用户,则每个新连接都将立即与默认用户进行身份验证,而不需要任何显式的AUTH命令。注意,“resetpass”指令将清除这个效果。
resetpass    	刷新允许的密码列表。此外,删除“nopass”状态。在“resetpass”之后,用户没有相关的密码,并且没有办法在不添加一些密码(或稍后将其设置为“nopass”)的情况下进行身份验证。

reset      		执行以下操作:resetpass, resetkeys, off, -@all。用户立即返回到创建后的相同状态。

ACL规则可以按照任何顺序指定:例如,可以从密码开始,然后是标志或密钥模式。但是请注意,加法规则和减法规则将根据顺序改变含义。 例如:

代码语言:javascript复制
user alice on  @all -DEBUG ~* >somepassword

这将允许“alice”使用除调试命令之外的所有命令,因为 @all将所有命令添加到alice可以使用的命令集中,随后的调试被删除。但是,如果我们倒转两个ACL规则的顺序,结果将不同:

代码语言:javascript复制
user alice on -DEBUG  @all ~* >somepassword

现在,当alice在允许的命令集中还没有命令时,调试被删除,之后所有的命令都被添加,这样用户就可以执行所有的命令了。 更多关于ACL配置的信息,请参考Redis网站https://redis.io/topics/acl

ACL日志 ACL日志跟踪与ACL关联的失败命令和身份验证事件。ACL日志对于排除ACL阻塞的失败命令非常有用。ACL日志存储在内存中。您可以通过ACL日志重置收回内存。定义ACL日志的最大入口长度:

代码语言:javascript复制
acllog-max-len 128

使用外部ACL文件 不需要在此文件中配置用户,可以使用一个仅列出用户的独立文件。这两种方法不能混合使用: 如果您在这里配置用户,同时激活exteranl ACL文件,服务器将拒绝启动。

外部ACL用户文件的格式与在redis.conf中用于描述用户的格式完全相同。

代码语言:javascript复制
aclfile /etc/redis/users.acl

重要提示:从Redis 6开始,“requirepass”只是在新的ACL系统之上的一个兼容性层。选项效果将只是设置默认用户的密码。客户端仍然会像往常一样使用AUTH进行身份验证,或者更明确地使用AUTH默认值,如果它们遵循新的协议:两者都可以工作。

命令重命名(不赞成)。 警告:尽可能避免使用此选项。相反,使用acl从默认用户中删除命令,并将它们仅放在为管理目的而创建的某个管理用户中。

在共享环境中可以更改危险命令的名称。例如,CONFIG命令可能会被重命名为一些难以猜测的东西,这样它仍然可以用于内部使用的工具,但不能用于一般的客户端。 就像:rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52

也可以通过将一个命令重命名为空字符串来完全杀死它:rename-command CONFIG " ”

请注意,更改登录到AOF文件或传输到副本的命令的名称可能会导致问题。

客户端

原文

代码语言:javascript复制
################################### CLIENTS ####################################

# Set the max number of connected clients at the same time. By default
# this limit is set to 10000 clients, however if the Redis server is not
# able to configure the process file limit to allow for the specified limit
# the max number of allowed clients is set to the current file limit
# minus 32 (as Redis reserves a few file descriptors for internal uses).
#
# Once the limit is reached Redis will close all the new connections sending
# an error 'max number of clients reached'.
#
# IMPORTANT: When Redis Cluster is used, the max number of connections is also
# shared with the cluster bus: every node in the cluster will use two
# connections, one incoming and another outgoing. It is important to size the
# limit accordingly in case of very large clusters.
#
# maxclients 10000
译文

同时设置连接的客户端的最大数量。默认情况下这个限制设置为10000个客户,但是,如果Redis服务器不能配置进程文件限制,以允许指定的限制,最大数量的允许客户被设置为当前文件限制减32(作为Redis保留一些文件描述符内部使用)。 一旦达到限制,Redis将关闭所有新连接发送一个错误’最大数量的客户端达到’。

重要提示:当使用Redis集群时,最大连接数也会与集群总线共享:集群中的每个节点将使用两个连接,一个传入,另一个传出。对于非常大的集群,相应地调整限制的大小是很重要的。

内存管理

原文

代码语言:javascript复制
############################## MEMORY MANAGEMENT ################################

# Set a memory usage limit to the specified amount of bytes.
# When the memory limit is reached Redis will try to remove keys
# according to the eviction policy selected (see maxmemory-policy).
#
# If Redis can't remove keys according to the policy, or if the policy is
# set to 'noeviction', Redis will start to reply with errors to commands
# that would use more memory, like SET, LPUSH, and so on, and will continue
# to reply to read-only commands like GET.
#
# This option is usually useful when using Redis as an LRU or LFU cache, or to
# set a hard memory limit for an instance (using the 'noeviction' policy).
#
# WARNING: If you have replicas attached to an instance with maxmemory on,
# the size of the output buffers needed to feed the replicas are subtracted
# from the used memory count, so that network problems / resyncs will
# not trigger a loop where keys are evicted, and in turn the output
# buffer of replicas is full with DELs of keys evicted triggering the deletion
# of more keys, and so forth until the database is completely emptied.
#
# In short... if you have replicas attached it is suggested that you set a lower
# limit for maxmemory so that there is some free RAM on the system for replica
# output buffers (but this is not needed if the policy is 'noeviction').
#
# maxmemory <bytes>

# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
# is reached. You can select one from the following behaviors:
#
# volatile-lru -> Evict using approximated LRU, only keys with an expire set.
# allkeys-lru -> Evict any key using approximated LRU.
# volatile-lfu -> Evict using approximated LFU, only keys with an expire set.
# allkeys-lfu -> Evict any key using approximated LFU.
# volatile-random -> Remove a random key having an expire set.
# allkeys-random -> Remove a random key, any key.
# volatile-ttl -> Remove the key with the nearest expire time (minor TTL)
# noeviction -> Don't evict anything, just return an error on write operations.
#
# LRU means Least Recently Used
# LFU means Least Frequently Used
#
# Both LRU, LFU and volatile-ttl are implemented using approximated
# randomized algorithms.
#
# Note: with any of the above policies, Redis will return an error on write
#       operations, when there are no suitable keys for eviction.
#
#       At the date of writing these commands are: set setnx setex append
#       incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
#       sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
#       zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
#       getset mset msetnx exec sort
#
# The default is:
#
# maxmemory-policy noeviction

# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated
# algorithms (in order to save memory), so you can tune it for speed or
# accuracy. For default Redis will check five keys and pick the one that was
# used less recently, you can change the sample size using the following
# configuration directive.
#
# The default of 5 produces good enough results. 10 Approximates very closely
# true LRU but costs more CPU. 3 is faster but not very accurate.
#
# maxmemory-samples 5

# Starting from Redis 5, by default a replica will ignore its maxmemory setting
# (unless it is promoted to master after a failover or manually). It means
# that the eviction of keys will be just handled by the master, sending the
# DEL commands to the replica as keys evict in the master side.
#
# This behavior ensures that masters and replicas stay consistent, and is usually
# what you want, however if your replica is writable, or you want the replica
# to have a different memory setting, and you are sure all the writes performed
# to the replica are idempotent, then you may change this default (but be sure
# to understand what you are doing).
#
# Note that since the replica by default does not evict, it may end using more
# memory than the one set via maxmemory (there are certain buffers that may
# be larger on the replica, or data structures may sometimes take more memory
# and so forth). So make sure you monitor your replicas and make sure they
# have enough memory to never hit a real out-of-memory condition before the
# master hits the configured maxmemory setting.
#
# replica-ignore-maxmemory yes

# Redis reclaims expired keys in two ways: upon access when those keys are
# found to be expired, and also in background, in what is called the
# "active expire key". The key space is slowly and interactively scanned
# looking for expired keys to reclaim, so that it is possible to free memory
# of keys that are expired and will never be accessed again in a short time.
#
# The default effort of the expire cycle will try to avoid having more than
# ten percent of expired keys still in memory, and will try to avoid consuming
# more than 25% of total memory and to add latency to the system. However
# it is possible to increase the expire "effort" that is normally set to
# "1", to a greater value, up to the value "10". At its maximum value the
# system will use more CPU, longer cycles (and technically may introduce
# more latency), and will tollerate less already expired keys still present
# in the system. It's a tradeoff betweeen memory, CPU and latecy.
#
# active-expire-effort 1
译文

将内存使用限制设置为指定的字节数。当达到内存限制时,Redis会根据所选的驱逐策略(参见maxmemory-policy)尝试删除键。 如果Redis不能根据策略删除键,或者如果策略被设置为“noeviction”,Redis将开始回复会占用更多内存的命令错误,如set、LPUSH等,并将继续回复只读命令,如GET。 这个选项通常在使用Redis作为LRU或LFU缓存时有用,或者为实例设置硬内存限制(使用’noeviction’策略)。

警告:如果你有副本附加到一个实例与maxmemory,输出缓冲区的大小需要喂副本使用内存数相减时,这网络问题/同步不会触发一个键被驱逐的循环,进而副本的输出缓冲区满del键驱逐触发的删除键,直到完全清空数据库等等。

总之……如果您附加了副本,建议您为maxmemory设置一个下限,以便在系统上有一些空闲RAM用于副本输出缓冲区(但如果策略是‘noeviction’,则不需要这样做)。

MAXMEMORY策略:当达到MAXMEMORY时,Redis将如何选择删除什么。你可以从以下行为中选择一个:

代码语言:javascript复制
volatile-lru ->退出使用近似的LRU,仅使用设置了过期值的键。
allkeys-lru ->使用近似的LRU驱逐任何密钥。
volatile-lfu ->使用近似的LFU逐出,仅使用具有过期集的键。
allkeys-lfu ->使用近似的LFU驱逐任何密钥。
volatile-random ->删除一个具有过期设置的随机键。
allkeys-random ->删除一个随机键,任意键。
volatile-ttl ->删除最近过期时间的密钥(较小的TTL)
noeviction ->不驱逐任何东西,只是在写操作时返回一个错误。

LRU表示最近最少使用 LFU表示使用频率最低 LRU、LFU和volatile-ttl都是使用近似随机算法实现的。

注意:使用上述任何策略,当没有合适的键用于驱逐时,Redis会在写操作时返回一个错误。

LRU、LFU和最小TTL算法不是精确算法,而是近似算法(为了节省内存),因此您可以调整它以提高速度或精度。对于默认Redis将检查五个键,并选择一个最近使用较少,你可以改变样本大小使用以下配置指令。 默认为5会产生足够好的结果。10非常接近真实的LRU,但需要更多的CPU。3更快,但不是很准确。

代码语言:javascript复制
# maxmemory-samples 5

从redis5开始,默认情况下副本会忽略它的maxmemory设置(除非它在故障转移后被提升为master或手动)。这意味着键的回收将由主服务器处理,在主服务器端键被回收时将DEL命令发送给副本。 这种行为保持一致,确保是你想要的,但是如果你的复制品是可写的,或者你想要复制不同的内存设置,和你确定都将执行写入副本是等幂的,然后你可能会改变这种默认(但一定要了解你在做什么)。

注意,由于副本在默认情况下不会驱逐,因此它最终使用的内存可能比通过maxmemory设置的一组内存更多(副本上的某些缓冲区可能更大,或者数据结构有时可能占用更多内存等等)。因此,请确保您监视您的副本,并确保它们有足够的内存,在主服务器达到配置的maxmemory设置之前,不会出现真正的内存不足情况。

Redis以两种方式回收过期的密钥:在访问时发现过期的密钥,以及在后台,在所谓的“活动过期密钥”。密钥空间被缓慢而交互式地扫描,以寻找要回收的过期密钥,这样就可以释放过期且在短时间内再也不会被访问的密钥的内存。

过期周期的默认努力将试图避免在内存中仍然有超过10%的过期密钥,并试图避免消耗总内存的25%以上,并增加系统的延迟。但是,可以将通常设置为“1”的过期“努力”增加到更大的值,直到值“10”。在它的最大值,系统将使用更多的CPU,更长的周期(技术上可能引入更多的延迟),并将减少系统中仍然存在的已经过期的密钥。这是内存、CPU和内存之间的权衡。

今天先到这儿吧。

0 人点赞