mirror of
http://github.com/valkey-io/valkey
synced 2024-11-22 00:52:38 +00:00
0fc43edc6c
This example of a minimal user account in your Valkey server for Sentinel is incorrect. If you add this ACL as-is to your valkey users.acl, valkey will add resetchannels -@all before the +client which prevents sentinel from publishing messages to the __sentinel__:hello pubsub for sentinel discovery. Fix #744. Signed-off-by: Harkrishn Patro <harkrisp@amazon.com>
359 lines
14 KiB
Plaintext
359 lines
14 KiB
Plaintext
# Example sentinel.conf
|
|
|
|
# By default protected mode is disabled in sentinel mode. Sentinel is reachable
|
|
# from interfaces different than localhost. Make sure the sentinel instance is
|
|
# protected from the outside world via firewalling or other means.
|
|
protected-mode no
|
|
|
|
# port <sentinel-port>
|
|
# The port that this sentinel instance will run on
|
|
port 26379
|
|
|
|
# By default Valkey Sentinel does not run as a daemon. Use 'yes' if you need it.
|
|
# Note that Valkey will write a pid file in /var/run/valkey-sentinel.pid when
|
|
# daemonized.
|
|
daemonize no
|
|
|
|
# When running daemonized, Valkey Sentinel writes a pid file in
|
|
# /var/run/valkey-sentinel.pid by default. You can specify a custom pid file
|
|
# location here.
|
|
pidfile /var/run/valkey-sentinel.pid
|
|
|
|
# Specify the server verbosity level.
|
|
# This can be one of:
|
|
# debug (a lot of information, useful for development/testing)
|
|
# verbose (many rarely useful info, but not a mess like the debug level)
|
|
# notice (moderately verbose, what you want in production probably)
|
|
# warning (only very important / critical messages are logged)
|
|
# nothing (nothing is logged)
|
|
loglevel notice
|
|
|
|
# Specify the log file name. Also the empty string can be used to force
|
|
# Sentinel to log on the standard output. Note that if you use standard
|
|
# output for logging but daemonize, logs will be sent to /dev/null
|
|
logfile ""
|
|
|
|
# To enable logging to the system logger, just set 'syslog-enabled' to yes,
|
|
# and optionally update the other syslog parameters to suit your needs.
|
|
# syslog-enabled no
|
|
|
|
# Specify the syslog identity.
|
|
# syslog-ident sentinel
|
|
|
|
# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
|
|
# syslog-facility local0
|
|
|
|
# sentinel announce-ip <ip>
|
|
# sentinel announce-port <port>
|
|
#
|
|
# The above two configuration directives are useful in environments where,
|
|
# because of NAT, Sentinel is reachable from outside via a non-local address.
|
|
#
|
|
# When announce-ip is provided, the Sentinel will claim the specified IP address
|
|
# in HELLO messages used to gossip its presence, instead of auto-detecting the
|
|
# local address as it usually does.
|
|
#
|
|
# Similarly when announce-port is provided and is valid and non-zero, Sentinel
|
|
# will announce the specified TCP port.
|
|
#
|
|
# The two options don't need to be used together, if only announce-ip is
|
|
# provided, the Sentinel will announce the specified IP and the server port
|
|
# as specified by the "port" option. If only announce-port is provided, the
|
|
# Sentinel will announce the auto-detected local IP and the specified port.
|
|
#
|
|
# Example:
|
|
#
|
|
# sentinel announce-ip 1.2.3.4
|
|
|
|
# dir <working-directory>
|
|
# Every long running process should have a well-defined working directory.
|
|
# For Valkey Sentinel to chdir to /tmp at startup is the simplest thing
|
|
# for the process to don't interfere with administrative tasks such as
|
|
# unmounting filesystems.
|
|
dir /tmp
|
|
|
|
# sentinel monitor <master-name> <ip> <valkey-port> <quorum>
|
|
#
|
|
# Tells Sentinel to monitor this master, and to consider it in O_DOWN
|
|
# (Objectively Down) state only if at least <quorum> sentinels agree.
|
|
#
|
|
# Note that whatever is the ODOWN quorum, a Sentinel will require to
|
|
# be elected by the majority of the known Sentinels in order to
|
|
# start a failover, so no failover can be performed in minority.
|
|
#
|
|
# Replicas are auto-discovered, so you don't need to specify replicas in
|
|
# any way. Sentinel itself will rewrite this configuration file adding
|
|
# the replicas using additional configuration options.
|
|
# Also note that the configuration file is rewritten when a
|
|
# replica is promoted to master.
|
|
#
|
|
# Note: master name should not include special characters or spaces.
|
|
# The valid charset is A-z 0-9 and the three characters ".-_".
|
|
sentinel monitor mymaster 127.0.0.1 6379 2
|
|
|
|
# sentinel auth-pass <master-name> <password>
|
|
#
|
|
# Set the password to use to authenticate with the master and replicas.
|
|
# Useful if there is a password set in the Valkey instances to monitor.
|
|
#
|
|
# Note that the master password is also used for replicas, so it is not
|
|
# possible to set a different password in masters and replicas instances
|
|
# if you want to be able to monitor these instances with Sentinel.
|
|
#
|
|
# However you can have Valkey instances without the authentication enabled
|
|
# mixed with Valkey instances requiring the authentication (as long as the
|
|
# password set is the same for all the instances requiring the password) as
|
|
# the AUTH command will have no effect in Valkey instances with authentication
|
|
# switched off.
|
|
#
|
|
# Example:
|
|
#
|
|
# sentinel auth-pass mymaster MySUPER--secret-0123passw0rd
|
|
|
|
# sentinel auth-user <master-name> <username>
|
|
#
|
|
# This is useful in order to authenticate to instances having ACL capabilities,
|
|
# that is, running Valkey. When just auth-pass is provided the
|
|
# Sentinel instance will authenticate to Valkey using the old "AUTH <pass>"
|
|
# method. When also an username is provided, it will use "AUTH <user> <pass>".
|
|
# In the Valkey servers side, the ACL to provide just minimal access to
|
|
# Sentinel instances, should be configured along the following lines:
|
|
#
|
|
# user sentinel-user >somepassword +client +subscribe +publish \
|
|
# +ping +info +multi +slaveof +config +client +exec &__sentinel__:hello on
|
|
|
|
# sentinel down-after-milliseconds <master-name> <milliseconds>
|
|
#
|
|
# Number of milliseconds the master (or any attached replica or sentinel) should
|
|
# be unreachable (as in, not acceptable reply to PING, continuously, for the
|
|
# specified period) in order to consider it in S_DOWN state (Subjectively
|
|
# Down).
|
|
#
|
|
# Default is 30 seconds.
|
|
sentinel down-after-milliseconds mymaster 30000
|
|
|
|
|
|
# Sentinel's ACL users are defined in the following format:
|
|
#
|
|
# user <username> ... acl rules ...
|
|
#
|
|
# For example:
|
|
#
|
|
# user worker +@admin +@connection ~* on >ffa9203c493aa99
|
|
#
|
|
# For more information about ACL configuration please refer to the Valkey
|
|
# website at https://valkey.io/topics/acl and valkey server configuration
|
|
# template valkey.conf.
|
|
|
|
# ACL LOG
|
|
#
|
|
# The ACL Log tracks failed commands and authentication events associated
|
|
# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked
|
|
# by ACLs. The ACL Log is stored in memory. You can reclaim memory with
|
|
# ACL LOG RESET. Define the maximum entry length of the ACL Log below.
|
|
acllog-max-len 128
|
|
|
|
# Using an external ACL file
|
|
#
|
|
# Instead of configuring users here in this file, it is possible to use
|
|
# a stand-alone file just listing users. The two methods cannot be mixed:
|
|
# if you configure users here and at the same time you activate the external
|
|
# ACL file, the server will refuse to start.
|
|
#
|
|
# The format of the external ACL user file is exactly the same as the
|
|
# format that is used inside valkey.conf to describe users.
|
|
#
|
|
# aclfile /etc/valkey/sentinel-users.acl
|
|
|
|
# requirepass <password>
|
|
#
|
|
# You can configure Sentinel itself to require a password, however when doing
|
|
# so Sentinel will try to authenticate with the same password to all the
|
|
# other Sentinels. So you need to configure all your Sentinels in a given
|
|
# group with the same "requirepass" password. Check the following documentation
|
|
# for more info: https://valkey.io/topics/sentinel
|
|
#
|
|
# IMPORTANT NOTE: "requirepass" is a compatibility
|
|
# layer on top of the ACL system. The option effect will be just setting
|
|
# the password for the default user. Clients will still authenticate using
|
|
# AUTH <password> as usually, or more explicitly with AUTH default <password>
|
|
# if they follow the new protocol: both will work.
|
|
#
|
|
# New config files are advised to use separate authentication control for
|
|
# incoming connections (via ACL), and for outgoing connections (via
|
|
# sentinel-user and sentinel-pass)
|
|
#
|
|
# The requirepass is not compatible with aclfile option and the ACL LOAD
|
|
# command, these will cause requirepass to be ignored.
|
|
|
|
# sentinel sentinel-user <username>
|
|
#
|
|
# You can configure Sentinel to authenticate with other Sentinels with specific
|
|
# user name.
|
|
|
|
# sentinel sentinel-pass <password>
|
|
#
|
|
# The password for Sentinel to authenticate with other Sentinels. If sentinel-user
|
|
# is not configured, Sentinel will use 'default' user with sentinel-pass to authenticate.
|
|
|
|
# sentinel parallel-syncs <master-name> <numreplicas>
|
|
#
|
|
# How many replicas we can reconfigure to point to the new replica simultaneously
|
|
# during the failover. Use a low number if you use the replicas to serve query
|
|
# to avoid that all the replicas will be unreachable at about the same
|
|
# time while performing the synchronization with the master.
|
|
sentinel parallel-syncs mymaster 1
|
|
|
|
# sentinel failover-timeout <master-name> <milliseconds>
|
|
#
|
|
# Specifies the failover timeout in milliseconds. It is used in many ways:
|
|
#
|
|
# - The time needed to re-start a failover after a previous failover was
|
|
# already tried against the same master by a given Sentinel, is two
|
|
# times the failover timeout.
|
|
#
|
|
# - The time needed for a replica replicating to a wrong master according
|
|
# to a Sentinel current configuration, to be forced to replicate
|
|
# with the right master, is exactly the failover timeout (counting since
|
|
# the moment a Sentinel detected the misconfiguration).
|
|
#
|
|
# - The time needed to cancel a failover that is already in progress but
|
|
# did not produced any configuration change (SLAVEOF NO ONE yet not
|
|
# acknowledged by the promoted replica).
|
|
#
|
|
# - The maximum time a failover in progress waits for all the replicas to be
|
|
# reconfigured as replicas of the new master. However even after this time
|
|
# the replicas will be reconfigured by the Sentinels anyway, but not with
|
|
# the exact parallel-syncs progression as specified.
|
|
#
|
|
# Default is 3 minutes.
|
|
sentinel failover-timeout mymaster 180000
|
|
|
|
# SCRIPTS EXECUTION
|
|
#
|
|
# sentinel notification-script and sentinel reconfig-script are used in order
|
|
# to configure scripts that are called to notify the system administrator
|
|
# or to reconfigure clients after a failover. The scripts are executed
|
|
# with the following rules for error handling:
|
|
#
|
|
# If script exits with "1" the execution is retried later (up to a maximum
|
|
# number of times currently set to 10).
|
|
#
|
|
# If script exits with "2" (or an higher value) the script execution is
|
|
# not retried.
|
|
#
|
|
# If script terminates because it receives a signal the behavior is the same
|
|
# as exit code 1.
|
|
#
|
|
# A script has a maximum running time of 60 seconds. After this limit is
|
|
# reached the script is terminated with a SIGKILL and the execution retried.
|
|
|
|
# NOTIFICATION SCRIPT
|
|
#
|
|
# sentinel notification-script <master-name> <script-path>
|
|
#
|
|
# Call the specified notification script for any sentinel event that is
|
|
# generated in the WARNING level (for instance -sdown, -odown, and so forth).
|
|
# This script should notify the system administrator via email, SMS, or any
|
|
# other messaging system, that there is something wrong with the monitored
|
|
# Valkey systems.
|
|
#
|
|
# The script is called with just two arguments: the first is the event type
|
|
# and the second the event description.
|
|
#
|
|
# The script must exist and be executable in order for sentinel to start if
|
|
# this option is provided.
|
|
#
|
|
# Example:
|
|
#
|
|
# sentinel notification-script mymaster /var/valkey/notify.sh
|
|
|
|
# CLIENTS RECONFIGURATION SCRIPT
|
|
#
|
|
# sentinel client-reconfig-script <master-name> <script-path>
|
|
#
|
|
# When the master changed because of a failover a script can be called in
|
|
# order to perform application-specific tasks to notify the clients that the
|
|
# configuration has changed and the master is at a different address.
|
|
#
|
|
# The following arguments are passed to the script:
|
|
#
|
|
# <master-name> <role> <state> <from-ip> <from-port> <to-ip> <to-port>
|
|
#
|
|
# <state> is currently always "start"
|
|
# <role> is either "leader" or "observer"
|
|
#
|
|
# The arguments from-ip, from-port, to-ip, to-port are used to communicate
|
|
# the old address of the master and the new address of the elected replica
|
|
# (now a master).
|
|
#
|
|
# This script should be resistant to multiple invocations.
|
|
#
|
|
# Example:
|
|
#
|
|
# sentinel client-reconfig-script mymaster /var/valkey/reconfig.sh
|
|
|
|
# SECURITY
|
|
#
|
|
# By default SENTINEL SET will not be able to change the notification-script
|
|
# and client-reconfig-script at runtime. This avoids a trivial security issue
|
|
# where clients can set the script to anything and trigger a failover in order
|
|
# to get the program executed.
|
|
|
|
sentinel deny-scripts-reconfig yes
|
|
|
|
# VALKEY COMMANDS RENAMING (DEPRECATED)
|
|
#
|
|
# WARNING: avoid using this option if possible, instead use ACLs.
|
|
#
|
|
# Sometimes the Valkey server has certain commands, that are needed for Sentinel
|
|
# to work correctly, renamed to unguessable strings. This is often the case
|
|
# of CONFIG and SLAVEOF in the context of providers that provide Valkey as
|
|
# a service, and don't want the customers to reconfigure the instances outside
|
|
# of the administration console.
|
|
#
|
|
# In such case it is possible to tell Sentinel to use different command names
|
|
# instead of the normal ones. For example if the master "mymaster", and the
|
|
# associated replicas, have "CONFIG" all renamed to "GUESSME", I could use:
|
|
#
|
|
# SENTINEL rename-command mymaster CONFIG GUESSME
|
|
#
|
|
# After such configuration is set, every time Sentinel would use CONFIG it will
|
|
# use GUESSME instead. Note that there is no actual need to respect the command
|
|
# case, so writing "config guessme" is the same in the example above.
|
|
#
|
|
# SENTINEL SET can also be used in order to perform this configuration at runtime.
|
|
#
|
|
# In order to set a command back to its original name (undo the renaming), it
|
|
# is possible to just rename a command to itself:
|
|
#
|
|
# SENTINEL rename-command mymaster CONFIG CONFIG
|
|
|
|
# HOSTNAMES SUPPORT
|
|
#
|
|
# Normally Sentinel uses only IP addresses and requires SENTINEL MONITOR
|
|
# to specify an IP address. Also, it requires the Valkey replica-announce-ip
|
|
# keyword to specify only IP addresses.
|
|
#
|
|
# You may enable hostnames support by enabling resolve-hostnames. Note
|
|
# that you must make sure your DNS is configured properly and that DNS
|
|
# resolution does not introduce very long delays.
|
|
#
|
|
SENTINEL resolve-hostnames no
|
|
|
|
# When resolve-hostnames is enabled, Sentinel still uses IP addresses
|
|
# when exposing instances to users, configuration files, etc. If you want
|
|
# to retain the hostnames when announced, enable announce-hostnames below.
|
|
#
|
|
SENTINEL announce-hostnames no
|
|
|
|
# When primary-reboot-down-after-period is set to 0, Sentinel does not fail over
|
|
# when receiving a -LOADING response from a primary. This was the only supported
|
|
# behavior before Redis OSS 7.0.
|
|
#
|
|
# Otherwise, Sentinel will use this value as the time (in ms) it is willing to
|
|
# accept a -LOADING response after a primary has been rebooted, before failing
|
|
# over.
|
|
|
|
SENTINEL primary-reboot-down-after-period myprimary 0
|