Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a first attempt at fixing issue #1704.
Some security applications require the ability to disable all disk persistence. Redis makes globally disabling persistence difficult since multiple places enable/disable persistence and persistence can always be manipulated by
CONFIG SET
during runtime. This commit removes the ability to enable persistence after the server starts.New configuration options (can be set at start only, no live changes):
disable-replication
- removesSYNC
,PSYNC
,SLAVEOF
,MIGRATE
,CLUSTER
,REPLCONF
commands.disable-all-persistence
- removesSAVE
,BGSAVE
,BGREWRITEAOF
commands. Disables reading AOF or RDB on startup. DisablesCONFIG REWRITE
so people can't try to change configuration options to hold data then save it to disk. DisablesSHUTDOWN SAVE
. Avoids spawning the background I/O threads.disable-all-persistence
automatically enablesdisable-replication
because a.) we don't want replicas to persist our data and b.) replication requires serializing the DB to disk to send to the replica.disable-replication
automatically setscluster-enabled
tono
.If you're on Linux,
disable-all-persistence
also attempts to lock all memory into RAM to stop anything from entering your swap space. That can only happen if you either run as root or have explicit capabilityCAP_IPC_LOCK
.The implementation is very paranoid. It disables commands then, in the commands themselves, each potential write command aborts if nopersist is set, then in the functions performing writes or network connections, the function immediately returns if nopersist (or noreplication) is set.
The reason for the multi-layered approach is: some operations (like saving an RDB) have multiple entry points (
SAVE
,BGSAVE
, thesave
config option,SHUTDOWN SAVE
, ...) and I wanted to make sure, even if we miss disabling an entry point, that write functions are still disabled. Multi-layered blocks will make security audit people happier too.