mirror of
http://github.com/valkey-io/valkey
synced 2024-11-22 09:17:20 +00:00
4faddf18ca
* Support BUILD_TLS=module to be loaded as a module via config file or command line. e.g. redis-server --loadmodule redis-tls.so * Updates to redismodule.h to allow it to be used side by side with server.h by defining REDISMODULE_CORE_MODULE * Changes to server.h, redismodule.h and module.c to avoid repeated type declarations (gcc 4.8 doesn't like these) * Add a mechanism for non-ABI neutral modules (ones who include server.h) to refuse loading if they detect not being built together with redis (release.c) * Fix wrong signature of RedisModuleDefragFunc, this could break compilation of a module, but not the ABI * Move initialization of listeners in server.c to be after loading the modules * Config TLS after initialization of listeners * Init cluster after initialization of listeners * Add TLS module to CI * Fix a test suite race conditions: Now that the listeners are initialized later, it's not sufficient to wait for the PID message in the log, we need to wait for the "Server Initialized" message. * Fix issues with moduleconfigs test as a result from start_server waiting for "Server Initialized" * Fix issues with modules/infra test as a result of an additional module present Notes about Sentinel: Sentinel can't really rely on the tls module, since it uses hiredis to initiate connections and depends on OpenSSL (won't be able to use any other connection modules for that), so it was decided that when TLS is built as a module, sentinel does not support TLS at all. This means that it keeps using redis_tls_ctx and redis_tls_client_ctx directly. Example code of config in redis-tls.so(may be use in the future): RedisModuleString *tls_cfg = NULL; void tlsInfo(RedisModuleInfoCtx *ctx, int for_crash_report) { UNUSED(for_crash_report); RedisModule_InfoAddSection(ctx, ""); RedisModule_InfoAddFieldLongLong(ctx, "var", 42); } int tlsCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) { if (argc != 2) return RedisModule_WrongArity(ctx); return RedisModule_ReplyWithString(ctx, argv[1]); } RedisModuleString *getStringConfigCommand(const char *name, void *privdata) { REDISMODULE_NOT_USED(name); REDISMODULE_NOT_USED(privdata); return tls_cfg; } int setStringConfigCommand(const char *name, RedisModuleString *new, void *privdata, RedisModuleString **err) { REDISMODULE_NOT_USED(name); REDISMODULE_NOT_USED(err); REDISMODULE_NOT_USED(privdata); if (tls_cfg) RedisModule_FreeString(NULL, tls_cfg); RedisModule_RetainString(NULL, new); tls_cfg = new; return REDISMODULE_OK; } int RedisModule_OnLoad(void *ctx, RedisModuleString **argv, int argc) { .... if (RedisModule_CreateCommand(ctx,"tls",tlsCommand,"",0,0,0) == REDISMODULE_ERR) return REDISMODULE_ERR; if (RedisModule_RegisterStringConfig(ctx, "cfg", "", REDISMODULE_CONFIG_DEFAULT, getStringConfigCommand, setStringConfigCommand, NULL, NULL) == REDISMODULE_ERR) return REDISMODULE_ERR; if (RedisModule_LoadConfigs(ctx) == REDISMODULE_ERR) { if (tls_cfg) { RedisModule_FreeString(ctx, tls_cfg); tls_cfg = NULL; } return REDISMODULE_ERR; } ... } Co-authored-by: zhenwei pi <pizhenwei@bytedance.com> Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
105 lines
3.5 KiB
Markdown
105 lines
3.5 KiB
Markdown
TLS Support
|
|
===========
|
|
|
|
Getting Started
|
|
---------------
|
|
|
|
### Building
|
|
|
|
To build with TLS support you'll need OpenSSL development libraries (e.g.
|
|
libssl-dev on Debian/Ubuntu).
|
|
|
|
To build TLS support as Redis built-in:
|
|
Run `make BUILD_TLS=yes`.
|
|
|
|
Or to build TLS as Redis module:
|
|
Run `make BUILD_TLS=module`.
|
|
|
|
Note that sentinel mode does not support TLS module.
|
|
|
|
### Tests
|
|
|
|
To run Redis test suite with TLS, you'll need TLS support for TCL (i.e.
|
|
`tcl-tls` package on Debian/Ubuntu).
|
|
|
|
1. Run `./utils/gen-test-certs.sh` to generate a root CA and a server
|
|
certificate.
|
|
|
|
2. Run `./runtest --tls` or `./runtest-cluster --tls` to run Redis and Redis
|
|
Cluster tests in TLS mode.
|
|
|
|
3. Run `./runtest --tls-module` or `./runtest-cluster --tls-module` to
|
|
run Redis and Redis cluster tests in TLS mode with Redis module.
|
|
|
|
### Running manually
|
|
|
|
To manually run a Redis server with TLS mode (assuming `gen-test-certs.sh` was
|
|
invoked so sample certificates/keys are available):
|
|
|
|
For TLS built-in mode:
|
|
./src/redis-server --tls-port 6379 --port 0 \
|
|
--tls-cert-file ./tests/tls/redis.crt \
|
|
--tls-key-file ./tests/tls/redis.key \
|
|
--tls-ca-cert-file ./tests/tls/ca.crt
|
|
|
|
For TLS module mode:
|
|
./src/redis-server --tls-port 6379 --port 0 \
|
|
--tls-cert-file ./tests/tls/redis.crt \
|
|
--tls-key-file ./tests/tls/redis.key \
|
|
--tls-ca-cert-file ./tests/tls/ca.crt \
|
|
--loadmodule src/redis-tls.so
|
|
|
|
To connect to this Redis server with `redis-cli`:
|
|
|
|
./src/redis-cli --tls \
|
|
--cert ./tests/tls/redis.crt \
|
|
--key ./tests/tls/redis.key \
|
|
--cacert ./tests/tls/ca.crt
|
|
|
|
This will disable TCP and enable TLS on port 6379. It's also possible to have
|
|
both TCP and TLS available, but you'll need to assign different ports.
|
|
|
|
To make a Replica connect to the master using TLS, use `--tls-replication yes`,
|
|
and to make Redis Cluster use TLS across nodes use `--tls-cluster yes`.
|
|
|
|
Connections
|
|
-----------
|
|
|
|
All socket operations now go through a connection abstraction layer that hides
|
|
I/O and read/write event handling from the caller.
|
|
|
|
**Multi-threading I/O is not currently supported for TLS**, as a TLS connection
|
|
needs to do its own manipulation of AE events which is not thread safe. The
|
|
solution is probably to manage independent AE loops for I/O threads and longer
|
|
term association of connections with threads. This may potentially improve
|
|
overall performance as well.
|
|
|
|
Sync IO for TLS is currently implemented in a hackish way, i.e. making the
|
|
socket blocking and configuring socket-level timeout. This means the timeout
|
|
value may not be so accurate, and there would be a lot of syscall overhead.
|
|
However I believe that getting rid of syncio completely in favor of pure async
|
|
work is probably a better move than trying to fix that. For replication it would
|
|
probably not be so hard. For cluster keys migration it might be more difficult,
|
|
but there are probably other good reasons to improve that part anyway.
|
|
|
|
To-Do List
|
|
----------
|
|
|
|
- [ ] redis-benchmark support. The current implementation is a mix of using
|
|
hiredis for parsing and basic networking (establishing connections), but
|
|
directly manipulating sockets for most actions. This will need to be cleaned
|
|
up for proper TLS support. The best approach is probably to migrate to hiredis
|
|
async mode.
|
|
- [ ] redis-cli `--slave` and `--rdb` support.
|
|
|
|
Multi-port
|
|
----------
|
|
|
|
Consider the implications of allowing TLS to be configured on a separate port,
|
|
making Redis listening on multiple ports:
|
|
|
|
1. Startup banner port notification
|
|
2. Proctitle
|
|
3. How slaves announce themselves
|
|
4. Cluster bus port calculation
|