Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add disable persistence option #1746

Closed
wants to merge 1 commit into from
Closed

Add disable persistence option #1746

wants to merge 1 commit into from

Conversation

mattsta
Copy link
Contributor

@mattsta mattsta commented May 12, 2014

This is a first attempt at fixing issue #1704.

Some security applications require the ability to disable all disk persistence. Redis makes globally disabling persistence difficult since multiple places enable/disable persistence and persistence can always be manipulated by CONFIG SET during runtime. This commit removes the ability to enable persistence after the server starts.

New configuration options (can be set at start only, no live changes):

  • disable-replication - removes SYNC, PSYNC, SLAVEOF, MIGRATE, CLUSTER, REPLCONF commands.
    • Adds guards to replication functions making sure they can't be forced to run.
  • disable-all-persistence - removes SAVE, BGSAVE, BGREWRITEAOF commands. Disables reading AOF or RDB on startup. Disables CONFIG REWRITE so people can't try to change configuration options to hold data then save it to disk. Disables SHUTDOWN SAVE. Avoids spawning the background I/O threads.
    • Adds guards to write functions making sure they can't be circumvented through other entry points.
    • This config option has a long name and includes an annoying-to-type word like "persistence" to hopefully stop people from enabling it by mistake.

disable-all-persistence automatically enables disable-replication because a.) we don't want replicas to persist our data and b.) replication requires serializing the DB to disk to send to the replica.

disable-replication automatically sets cluster-enabled to no.

If you're on Linux, disable-all-persistence also attempts to lock all memory into RAM to stop anything from entering your swap space. That can only happen if you either run as root or have explicit capability CAP_IPC_LOCK.

The implementation is very paranoid. It disables commands then, in the commands themselves, each potential write command aborts if nopersist is set, then in the functions performing writes or network connections, the function immediately returns if nopersist (or noreplication) is set.

The reason for the multi-layered approach is: some operations (like saving an RDB) have multiple entry points (SAVE, BGSAVE, the save config option, SHUTDOWN SAVE, ...) and I wanted to make sure, even if we miss disabling an entry point, that write functions are still disabled. Multi-layered blocks will make security audit people happier too.

@mattsta mattsta force-pushed the nopersist branch 2 times, most recently from 5425f76 to f07513d Compare October 30, 2014 23:39
@mattsta mattsta mentioned this pull request Oct 30, 2014
Open
@mattsta
Add nopersist and noreplication options
066ffab 
Config option "disable-all-persistence" stops Redis from writing
or reading an AOF or RDB.  If you are on Linux and are running
with the proper permissions (a "ulimit -l" of 'unlimited', typically
only settable by root, or the CAP_IPC_LOCK capability), this option
also disables the paging of any Redis memory to disk.

Config option "disable-replication" stops Redis from becoming a master
or replica or migrating keys to other nodes or participating
in a cluster.

disable-all-persistence automatically enables disable-replication.

disable-all-persisitence also stops Redis from creating any
background-I/O threads since they would have zero work to do anyway.

You *can* use disable-replication independently if you want to store
data to disk but turn off all network replication/clustering/migration.

These options can only be set at launch.  You cannot alter these
settings after Redis starts.  Once your server is running with
any of these isolation guarantees, it will remain isolated.

These options are designed to create isolated and "pure" Redis instances
for data that must never leave Redis except by direct client access.

Of course, someone could always just scan your entire database from
a client and copy it that way, but it's still not a live replication channel.

Without these options, it can be tricky to track down every "disable
storage" option.

Without the "disable-replication" option, there isn't any way to stop
Redis from replicating over the network except using firewalls/ACLs.
@msjyoo
Copy link

msjyoo commented Feb 9, 2015

+1

@obriat
Copy link

obriat commented Jan 5, 2018

This feature is also mandatory if you use a MASTER/SLAVE as a cache backend.

If all servers are rebooted, the master will reload an old dump.rdb file which was created (as I understand it) for an inital master/slave sync (even in diskless mode), hence reverting the cache to an old state and breaking the application.

The only solution I found it to delete any rdb files in my startup script.

@yossigo
Copy link
Member

yossigo commented Apr 27, 2021

This is mostly obsolete now, mainly as diskless replication has been around for some time now and other persistence options are tunable anyway.

@yossigo yossigo closed this Apr 27, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@mattsta @msjyoo @obriat @yossigo