PSS®X package for Redis®

What is Redis®?

Info

Redis® is an open source, advanced key-value store.
It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets.

The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.

  • 7.2.5-bookworm-slim-amd64
    docker pull registry.gitlab.com/pss-x/support/containers/redis:7.2.5-bookworm-slim-amd64

  • 7.0.14-bookworm-slim-amd64
    docker pull registry.gitlab.com/pss-x/support/containers/redis:7.0.14-bookworm-slim-amd64

About this image

This is a non-root container image, which adds an extra layer of security and is generally recommended for production environments. However, because the container runs as a non-root user, privileged tasks are typically off-limits.

How to use this image

You can get started with Redis® using the following command:

docker run --name pssx-redis -e "ALLOW_EMPTY_PASSWORD=yes" -p 6379:6379 -d registry.gitlab.com/pss-x/support/containers/redis:<use-featured-tag>

Warning: These quick setups are only intended for development environments. You are encouraged to change the insecure default credentials and check out the available configuration options in the Configuration section for a more secure deployment.

Configuration

Requirements

You can build your development environment with non-production hardware, such as a laptop, desktop, or small VM or instance, and with these hardware requirements:

  • This image requires Docker Engine 1.8+ on any of its supported platforms.
  • You can install on one node, but many features require at least two nodes.
  • Each node needs 4 GB of RAM.
  • Each node needs 10 GB of storage space.

Environment variables

Customizable environment variables

Name | Description | Default Value
REDIS_DATA_DIR | Redis data directory | ${REDIS_VOLUME_DIR}/data
REDIS_OVERRIDES_FILE | Redis config overrides file | ${REDIS_MOUNTED_CONF_DIR}/overrides.conf
REDIS_DISABLE_COMMANDS | Commands to disable in Redis | nil
REDIS_DATABASE | Default Redis database | redis
REDIS_AOF_ENABLED | Enable AOF | yes
REDIS_RDB_POLICY | Enable RDB policy persistence | nil
REDIS_RDB_POLICY_DISABLED | Allows enabling RDB policy persistence | no
REDIS_MASTER_HOST | Redis master host (used by slaves) | nil
REDIS_MASTER_PORT_NUMBER | Redis master host port (used by slaves) | 6379
REDIS_PORT_NUMBER | Redis port number | $REDIS_DEFAULT_PORT_NUMBER
REDIS_ALLOW_REMOTE_CONNECTIONS | Allow remote connection to the service | yes
REDIS_REPLICATION_MODE | Redis replication mode (values: master, slave) | nil
REDIS_REPLICA_IP | The replication announce IP | nil
REDIS_REPLICA_PORT | The replication announce port | nil
REDIS_EXTRA_FLAGS | Additional flags passed to 'redis-server' commands | nil
ALLOW_EMPTY_PASSWORD | Allow password-less access | no
REDIS_PASSWORD | Password for Redis | nil
REDIS_MASTER_PASSWORD | Redis master node password | nil
REDIS_ACLFILE | Redis ACL file | nil
REDIS_IO_THREADS_DO_READS | Enable multithreading when reading socket | nil
REDIS_IO_THREADS | Number of threads | nil
REDIS_TLS_ENABLED | Enable TLS | no
REDIS_TLS_PORT_NUMBER | Redis TLS port (requires REDIS_TLS_ENABLED=yes) | 6379
REDIS_TLS_CERT_FILE | Redis TLS certificate file | nil
REDIS_TLS_CA_DIR | Directory containing TLS CA certificates | nil
REDIS_TLS_KEY_FILE | Redis TLS key file | nil
REDIS_TLS_KEY_FILE_PASS | Redis TLS key file passphrase | nil
REDIS_TLS_CA_FILE | Redis TLS CA file | nil
REDIS_TLS_DH_PARAMS_FILE | Redis TLS DH parameter file | nil
REDIS_TLS_AUTH_CLIENTS | Enable Redis TLS client authentication | yes
REDIS_SENTINEL_MASTER_NAME | Redis Sentinel master name | nil
REDIS_SENTINEL_HOST | Redis Sentinel host | nil
REDIS_SENTINEL_PORT_NUMBER | Redis Sentinel host port (used by slaves) | 26379

Read-only environment variables

Name | Description | Value
REDIS_VOLUME_DIR | Persistence base directory | /bitnami/redis
REDIS_BASE_DIR | Redis installation directory | ${BITNAMI_ROOT_DIR}/redis
REDIS_CONF_DIR | Redis configuration directory | ${REDIS_BASE_DIR}/etc
REDIS_DEFAULT_CONF_DIR | Redis default configuration directory | ${REDIS_BASE_DIR}/etc.default
REDIS_MOUNTED_CONF_DIR | Redis mounted configuration directory | ${REDIS_BASE_DIR}/mounted-etc
REDIS_CONF_FILE | Redis configuration file | ${REDIS_CONF_DIR}/redis.conf
REDIS_LOG_DIR | Redis logs directory | ${REDIS_BASE_DIR}/logs
REDIS_LOG_FILE | Redis log file | ${REDIS_LOG_DIR}/redis.log
REDIS_TMP_DIR | Redis temporary directory | ${REDIS_BASE_DIR}/tmp
REDIS_PID_FILE | Redis PID file | ${REDIS_TMP_DIR}/redis.pid
REDIS_BIN_DIR | Redis executables directory | ${REDIS_BASE_DIR}/bin
REDIS_DAEMON_USER | Redis system user | redis
REDIS_DAEMON_GROUP | Redis system group | redis
REDIS_DEFAULT_PORT_NUMBER | Redis port number (Build time) | 6379

Using a Docker Compose file

Using Docker container networking, a Redis® server running inside a container can easily be accessed by your application containers.

Containers attached to the same network can communicate with each other using the container name as the hostname.

services:
  redis:
    container_name: pssx-redis
    image: registry.gitlab.com/pss-x/support/containers/redis:<use-featured-tag>
    ports:
      - 6379:6379
    environment:
      - ALLOW_EMPTY_PASSWORD=yes
    networks:
      - pssx-network

networks:
  pssx-network:
    name: app-pssx-network
    driver: bridge

Setting up a standalone instance

By default, this image is set up to launch Redis® in standalone mode on port 6379. Should you need to change this behavior, setting the REDIS_PORT_NUMBER environment variable will modify the port number.

This is not to be confused with REDIS_MASTER_PORT_NUMBER or REDIS_REPLICA_PORT environment variables that are applicable in replication mode.

services:
  redis:
  ...
    environment:
      - REDIS_PORT_NUMBER=7000
    ...
    ports:
      - '7000:7000'
  ...

Persisting your database

Redis® provides a range of persistence options. This container uses AOF persistence by default, but it is easy to override that configuration in a docker-compose.yaml file with this command entry: /opt/bitnami/scripts/redis/run.sh --appendonly no. Alternatively, you may use the REDIS_AOF_ENABLED environment variable as explained in Disabling AOF persistence.

If you remove the container all your data will be lost, and the next time you run the image the database will be reinitialized. To avoid this loss of data, you should mount a volume that will persist even after the container is removed.

For persistence you should mount a directory at the /bitnami/redis/data path. If the mounted directory is empty, it will be initialized on the first run.

docker run \
    -e ALLOW_EMPTY_PASSWORD=yes \
    -v /path/to/redis-persistence:/bitnami/redis/data \
    registry.gitlab.com/pss-x/support/containers/redis:<use-featured-tag>

You can also do this by modifying the docker-compose.yml file present in this repository:

services:
  redis:
    ...
    volumes:
      - redis_data:/bitnami/redis/data
    ...

volumes:
  redis_data:
    name: pssx_redisdata
    driver: local
    ...

NOTE: As this is a non-root container, the mounted files and directories must have the proper permissions for the UID 1001.

Passing extra command-line flags to redis-server startup

Passing extra command-line flags to the redis service command is possible by adding them as arguments to the run.sh script:

docker run --name redis -e ALLOW_EMPTY_PASSWORD=yes registry.gitlab.com/pss-x/support/containers/redis:<use-featured-tag> /opt/bitnami/scripts/redis/run.sh --maxmemory 100mb

Alternatively, modify the docker-compose.yml file present in this repository:

services:
  redis:
  ...
    environment:
      - ALLOW_EMPTY_PASSWORD=yes
    command: /opt/bitnami/scripts/redis/run.sh --maxmemory 100mb
  ...

Refer to the Redis® documentation for the complete list of arguments.

Overriding configuration

Instead of providing a custom redis.conf, you may also choose to provide only the settings you wish to override. The image will look for /opt/bitnami/redis/mounted-etc/overrides.conf. This file will be ignored if a custom redis.conf is provided.

docker run --name redis \
    -e ALLOW_EMPTY_PASSWORD=yes \
    -v /path/to/overrides.conf:/opt/bitnami/redis/mounted-etc/overrides.conf \
    registry.gitlab.com/pss-x/support/containers/redis:<use-featured-tag>

Alternatively, modify the docker-compose.yml file present in this repository:

services:
  redis:
  ...
    volumes:
      - /path/to/overrides.conf:/opt/bitnami/redis/mounted-etc/overrides.conf
  ...

Disabling Redis® commands

For security reasons, you may want to disable some commands. You can specify them by using the following environment variable on the first run:

  • REDIS_DISABLE_COMMANDS: Comma-separated list of Redis® commands to disable. Defaults to empty.

docker run --name redis -e REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL,CONFIG registry.gitlab.com/pss-x/support/containers/redis:<use-featured-tag>

Alternatively, modify the docker-compose.yml file present in this repository:

services:
  redis:
  ...
    environment:
      - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL,CONFIG
  ...

As specified in the docker-compose, FLUSHDB and FLUSHALL commands are disabled. Comment out or remove the environment variable if you don't want to disable any commands:

services:
  redis:
  ...
    environment:
      # - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL
  ...

Disabling AOF persistence

Redis® offers different options when it comes to persistence. By default, this image is set up to use the AOF (Append Only File) approach. Should you need to change this behaviour, setting the REDIS_AOF_ENABLED=no env variable will disable this feature.

docker run --name redis -e REDIS_AOF_ENABLED=no registry.gitlab.com/pss-x/support/containers/redis:<use-featured-tag>

Alternatively, modify the docker-compose.yml file present in this repository:

services:
  redis:
  ...
    environment:
      - REDIS_AOF_ENABLED=no
  ...

Handling sensitive information

In Docker, environment variables with the _FILE suffix are a convention used to specify that the value of the environment variable should be read from a file.

  • Environment Variable with _FILE Suffix: When an environment variable ends with _FILE, it indicates that the actual value of the variable should be read from the file specified by the path.
  • Usage in Docker: This approach is commonly used in Docker to securely pass sensitive information to containers without hardcoding the values in the docker-compose.yml file or Dockerfile.

services:
  redis:
    ...
    environment:
      - ALLOW_EMPTY_PASSWORD=no
      - REDIS_PASSWORD_FILE=/run/secrets/REDIS_PASSWORD
    secrets:
      - REDIS_PASSWORD
    ...

secrets:
  REDIS_PASSWORD:
    file: ./etc/secrets/redis.pwd
    ...
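
How a container start-up script can honour the _FILE convention described above, as an added example that is not the image's own script: `load_secret` and `write_secret_file` are hypothetical helper names, and the code assumes a POSIX shell.

```shell
#!/bin/sh
# Added example (not the image's own script): resolve NAME_FILE into NAME.

# load_secret NAME
#   Exports NAME with the contents of the file named by NAME_FILE.
#   Fails if NAME and NAME_FILE are both set, or if the file is unreadable.
load_secret() {
    ls_name=$1
    # Accept plain identifiers only, because the name is passed to eval.
    case $ls_name in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; return 2 ;;
    esac
    eval "ls_value=\${$ls_name:-}"
    eval "ls_path=\${${ls_name}_FILE:-}"
    if [ -n "$ls_value" ] && [ -n "$ls_path" ]; then
        echo "$ls_name and ${ls_name}_FILE are both set" >&2
        return 1
    fi
    [ -n "$ls_path" ] || return 0          # no _FILE variable: nothing to load
    if [ ! -r "$ls_path" ]; then
        echo "cannot read $ls_path" >&2
        return 1
    fi
    # Command substitution drops the trailing newline that editors leave behind.
    ls_value=$(cat "$ls_path")
    eval "$ls_name=\$ls_value"
    export "$ls_name"
    # Drop the path and the temporaries so only NAME stays in the environment.
    unset "${ls_name}_FILE" ls_value ls_path
}

# write_secret_file PATH VALUE
#   Creates the secret file readable by its owner only (mode 0600).
write_secret_file() (
    umask 077
    printf '%s\n' "$2" > "$1"
)
```
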

Health checks

The healthcheck section in a Docker Compose file allows you to define a command that Docker will run to check the health of a service. This helps ensure that your services are running correctly and can automatically handle failures.

services:
  redis:
    ports:
      - 6379:6379
    ...
    healthcheck:
      test: ["CMD", "redis-cli","ping"]
    ...

The redis-cli ping command requires the TCP port since TLS is not activated. The default TCP port for Redis® is 6379.

Securing Redis® traffic

Starting with version 6, Redis® supports SSL/TLS connections. Should you wish to enable this optional feature, you may use the following environment variables to configure the application:

  • REDIS_TLS_ENABLED: Whether to enable TLS for traffic or not.
    Defaults to no.
  • REDIS_TLS_PORT_NUMBER: Port used for TLS secure traffic.
    Defaults to 6379.
  • REDIS_TLS_CERT_FILE: File containing the certificate file for the TLS traffic.
    No defaults.
  • REDIS_TLS_KEY_FILE: File containing the key for certificate.
    No defaults.
  • REDIS_TLS_CA_FILE: File containing the CA of the certificate (takes precedence over REDIS_TLS_CA_DIR).
    No defaults.
  • REDIS_TLS_CA_DIR: Directory containing the CA certificates.
    No defaults.
  • REDIS_TLS_DH_PARAMS_FILE: File containing DH params (in order to support DH based ciphers).
    No defaults.
  • REDIS_TLS_AUTH_CLIENTS: Whether to require clients to authenticate or not.
    Defaults to yes.

services:
  redis:
    ...
    ports:
      - 6379:6379
      - 7000:7000
    environment:
      - ALLOW_EMPTY_PASSWORD=no
      - REDIS_PASSWORD_FILE=/run/secrets/REDIS_PASSWORD
      - REDIS_TLS_ENABLED=yes
      - REDIS_TLS_PORT_NUMBER=7000
      - REDIS_TLS_CA_FILE=/opt/bitnami/redis/certs/myOrganizationRootCA.pem
      - REDIS_TLS_CERT_FILE=/opt/bitnami/redis/certs/myOrganizationCert.pem
      - REDIS_TLS_KEY_FILE=/opt/bitnami/redis/certs/myOrganizationCertKey.pem
      - REDIS_TLS_AUTH_CLIENTS=yes
      - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL,CONFIG
    secrets:
      - REDIS_PASSWORD
    volumes:
      - ./etc/certs:/opt/bitnami/redis/certs
    ...
    healthcheck:
      test: ["CMD", "redis-cli","ping"]
    ...

secrets:
  REDIS_PASSWORD:
    external: true

Note that mkcert and the certificate/key pairs it generates are self-signed and only suitable for development and test environments. The vast majority of production environments should use certificates and keys issued by a widely trusted commercial CA.

services:
  redis:
    ...
    ports:
      - 6379:6379
      - 7000:7000
    environment:
      - ALLOW_EMPTY_PASSWORD=no
      - REDIS_PASSWORD_FILE=/run/secrets/REDIS_PASSWORD
      - REDIS_TLS_ENABLED=yes
      - REDIS_TLS_PORT_NUMBER=7000
      - REDIS_TLS_CA_FILE=/opt/bitnami/redis/certs/rootCA.pem
      - REDIS_TLS_CERT_FILE=/opt/bitnami/redis/certs/cert.pem
      - REDIS_TLS_KEY_FILE=/opt/bitnami/redis/certs/key.pem
      - REDIS_TLS_AUTH_CLIENTS=no
      - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL,CONFIG
    secrets:
      - REDIS_PASSWORD
    volumes:
      - ./etc/certs:/opt/bitnami/redis/certs
    ...
    healthcheck:
      test: ["CMD", "redis-cli","ping"]
    ...

secrets:
  REDIS_PASSWORD:
    file: ./etc/secrets/redis.pwd
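
A pre-deployment check over the environment variables documented on this page, as an added example that is not part of the image or its tooling: `audit_redis_env`, `quickstart_env`, `mkcert_env` and the finding codes are hypothetical names. The rule that a TLS setup needs a certificate, a key and a CA is an assumption of this example, taken from what both TLS examples above provide.

```shell
#!/bin/sh
# Added example: lint the environment list of a Redis service before deploying.
# Reads KEY=VALUE lines (plain or in Compose "- KEY=VALUE" form) on stdin and
# prints one finding per line; a configuration with no findings prints nothing.
audit_redis_env() {
    awk '
    {
        sub(/^[ \t]*(-[ \t]*)?/, "")                 # drop indent and list dash
        if ($0 !~ /^[A-Z_][A-Z0-9_]*=/) next         # skip comments, "..." lines
        eq = index($0, "=")
        env[substr($0, 1, eq - 1)] = substr($0, eq + 1)
    }
    END {
        if (env["ALLOW_EMPTY_PASSWORD"] == "yes")
            print "EMPTY_PASSWORD: password-less access is allowed"
        if (env["REDIS_PASSWORD"] != "")
            print "INLINE_PASSWORD: move the value to REDIS_PASSWORD_FILE"
        if (env["REDIS_DISABLE_COMMANDS"] == "")
            print "NO_DISABLED_COMMANDS: REDIS_DISABLE_COMMANDS is empty"
        if (env["REDIS_TLS_ENABLED"] != "yes") {
            print "NO_TLS: REDIS_TLS_ENABLED is not yes"
        } else {
            if (env["REDIS_TLS_CERT_FILE"] == "" || env["REDIS_TLS_KEY_FILE"] == "" ||
                (env["REDIS_TLS_CA_FILE"] == "" && env["REDIS_TLS_CA_DIR"] == ""))
                print "TLS_INCOMPLETE: set certificate, key and CA"   # rule assumed by this example
            if (env["REDIS_TLS_AUTH_CLIENTS"] == "no")
                print "NO_CLIENT_CERT_AUTH: clients need no certificate"
        }
    }'
}

# Constructed sample: environment of the quick-start Compose file on this page.
quickstart_env() { printf '%s\n' '      - ALLOW_EMPTY_PASSWORD=yes'; }

# Constructed sample: environment of the mkcert TLS example on this page.
mkcert_env() {
    cat <<'EOF'
      - ALLOW_EMPTY_PASSWORD=no
      - REDIS_PASSWORD_FILE=/run/secrets/REDIS_PASSWORD
      - REDIS_TLS_ENABLED=yes
      - REDIS_TLS_CA_FILE=/opt/bitnami/redis/certs/rootCA.pem
      - REDIS_TLS_CERT_FILE=/opt/bitnami/redis/certs/cert.pem
      - REDIS_TLS_KEY_FILE=/opt/bitnami/redis/certs/key.pem
      - REDIS_TLS_AUTH_CLIENTS=no
      - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL,CONFIG
EOF
}
```

Run it as `quickstart_env | audit_redis_env`, or pipe in the `environment:` lines of your own Compose file.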

License

Starting on March 20th, 2024, Redis follows a dual-licensing model with the choice of the Redis Source Available License v2 - RSALv2 or the Server Side Public License v1 - SSPLv1. Older versions of Redis (<=7.2.4) are licensed under 3-Clause BSD.

Please also view the Redis License Overview and the Redis Trademark Policy.

As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

Some additional license information which was able to be auto-detected might be found in the repo-info repository's redis/ directory.

As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.