Redis 6.0 compatibility, its new ACL feature and authentication problems #21913

Closed
mazen-mardini opened this issue Jul 20, 2020 · 19 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug

Comments

mazen-mardini commented Jul 20, 2020

Steps to reproduce

  1. Use docker-compose to install Nextcloud+Redis (important: use redis:latest).
  2. Configure Nextcloud to use Redis, set the password to false.
  3. Go to Settings/Logging and behold the waterfall of Redis authentication errors.

Expected behaviour

Nothing, Nextcloud should connect to Redis.

Actual behaviour

Redis authentication errors: ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct? caused by lib/private/RedisFactory.php:94.

This is probably an issue due to Redis 6's new ACL feature. Redis can have users now, and the "password" for Redis is now the password for a pre-defined user called default.

Server configuration

Operating system: Using Docker, host is Linux 5.4.

Web server: Apache/2.4.38 (Debian)

Database: PostgreSQL 12.3

PHP version: PHP 7.4.8

Nextcloud version: 19.0.1

Updated from an older Nextcloud/ownCloud or fresh install: Updated from Nextcloud 19.0.0

Where did you install Nextcloud from: Docker

Signing status: No errors have been found.

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Logs

Nextcloud log (data/nextcloud.log)

{"reqId":"QLcyzLINkWac0l2qxP9b","level":3,"time":"2020-07-20T03:41:19+00:00","remoteAddr":"172.20.0.8","user":"--","app":"no app in context","method":"GET","url":"/apps/files/","message":{"Exception":"RedisException","Message":"ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?","Code":0,"Trace":[{"file":"/var/www/html/lib/private/RedisFactory.php","line":94,"function":"auth","class":"Redis","type":"->","args":[false]},{"file":"/var/www/html/lib/private/RedisFactory.php","line":108,"function":"create","class":"OC\\RedisFactory","type":"->","args":[]},{"file":"/var/www/html/lib/private/Memcache/Redis.php","line":43,"function":"getInstance","class":"OC\\RedisFactory","type":"->","args":[]},{"file":"/var/www/html/lib/private/Memcache/Factory.php","line":135,"function":"__construct","class":"OC\\Memcache\\Redis","type":"->","args":["9d46c8a2213bb207649fa44a8ef6bd5c/lock"]},{"file":"/var/www/html/lib/private/Server.php","line":1021,"function":"createLocking","class":"OC\\Memcache\\Factory","type":"->","args":["lock"]},{"file":"/var/www/html/3rdparty/pimple/pimple/src/Pimple/Container.php","line":118,"function":"OC\\{closure}","class":"OC\\Server","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/html/lib/private/ServerContainer.php","line":124,"function":"offsetGet","class":"Pimple\\Container","type":"->","args":["OCP\\Lock\\ILockingProvider"]},{"file":"/var/www/html/lib/private/Server.php","line":1970,"function":"query","class":"OC\\ServerContainer","type":"->","args":["OCP\\Lock\\ILockingProvider"]},{"file":"/var/www/html/lib/private/Files/View.php","line":118,"function":"getLockingProvider","class":"OC\\Server","type":"->","args":[]},{"file":"/var/www/html/lib/private/Server.php","line":810,"function":"__construct","class":"OC\\Files\\View","type":"->","args":[]},{"file":"/var/www/html/3rdparty/pimple/pimple/src/Pimple/Container.php","line":118,"function":"OC\\{closure}","class":"OC\\Server","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/ServerContainer.php","line":124,"function":"offsetGet","class":"Pimple\\Container","type":"->","args":["OCP\\Http\\Client\\IClientService"]},{"file":"/var/www/html/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":388,"function":"query","class":"OC\\ServerContainer","type":"->","args":["OCP\\Http\\Client\\IClientService",true]},{"file":"/var/www/html/lib/private/AppFramework/Utility/SimpleContainer.php","line":71,"function":"query","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->","args":["OCP\\Http\\Client\\IClientService",true]},{"file":"/var/www/html/lib/private/AppFramework/Utility/SimpleContainer.php","line":101,"function":"buildClass","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":[{"name":"OCA\\Support\\Service\\SubscriptionService","__class__":"ReflectionClass"}]},{"file":"/var/www/html/lib/private/AppFramework/Utility/SimpleContainer.php","line":116,"function":"resolve","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":["OCA\\Support\\Service\\SubscriptionService"]},{"file":"/var/www/html/lib/private/AppFramework/DependencyInjection/DIContainer.php","
line":414,"function":"query","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":["OCA\\Support\\Service\\SubscriptionService"]},{"file":"/var/www/html/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":385,"function":"queryNoFallback","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->","args":["OCA\\Support\\Service\\SubscriptionService"]},{"file":"/var/www/html/lib/private/AppFramework/Utility/SimpleContainer.php","line":71,"function":"query","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->","args":["OCA\\Support\\Service\\SubscriptionService",true]},{"file":"/var/www/html/lib/private/AppFramework/Utility/SimpleContainer.php","line":101,"function":"buildClass","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":[{"name":"OCA\\Support\\Subscription\\SubscriptionAdapter","__class__":"ReflectionClass"}]},{"file":"/var/www/html/lib/private/AppFramework/Utility/SimpleContainer.php","line":116,"function":"resolve","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":["OCA\\Support\\Subscription\\SubscriptionAdapter"]},{"file":"/var/www/html/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":414,"function":"query","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":["OCA\\Support\\Subscription\\SubscriptionAdapter"]},{"file":"/var/www/html/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":385,"function":"queryNoFallback","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->","args":["OCA\\Support\\Subscription\\SubscriptionAdapter"]},{"file":"/var/www/html/apps/support/lib/AppInfo/Application.php","line":48,"function":"query","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->","args":["OCA\\Support\\Subscription\\SubscriptionAdapter"]},{"file":"/var/www/html/apps/support/appinfo/app.php","line":27,"function":"register","class":"OCA\\Support\\AppInfo\\Applica
tion","type":"->","args":[]},{"file":"/var/www/html/lib/private/legacy/OC_App.php","line":266,"args":["/var/www/html/apps/support/appinfo/app.php"],"function":"require_once"},{"file":"/var/www/html/lib/private/legacy/OC_App.php","line":155,"function":"requireAppFile","class":"OC_App","type":"::","args":[{"__class__":"OCA\\Support\\AppInfo\\Application"}]},{"file":"/var/www/html/lib/private/legacy/OC_App.php","line":128,"function":"loadApp","class":"OC_App","type":"::","args":["support"]},{"file":"/var/www/html/lib/base.php","line":647,"function":"loadApps","class":"OC_App","type":"::","args":[["session"]]},{"file":"/var/www/html/lib/base.php","line":1090,"function":"init","class":"OC","type":"::","args":[]},{"file":"/var/www/html/index.php","line":35,"args":["/var/www/html/lib/base.php"],"function":"require_once"}],"File":"/var/www/html/lib/private/RedisFactory.php","Line":94,"CustomMessage":"--"},"userAgent":"","version":"19.0.1.1"}
@mazen-mardini mazen-mardini added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jul 20, 2020
Contributor

kesselb commented Jul 20, 2020

Does 'password' => array('user' => 'default', 'password' => 'xyz'), in config.php not work?

Author

mazen-mardini commented Jul 20, 2020

> Does 'password' => array('user' => 'default', 'password' => 'xyz'), in config.php not work?

I've tried that and Nextcloud wouldn't allow it, it just defaulted to false instead. So the easiest approach for me was to make the change at source code level.

nocin commented Jul 21, 2020

Also did the upgrade from 19.0.0 to 19.0.1 and now having the same issue.
Maybe rolling back to a previous redis version?

Contributor

j-ed commented Jul 21, 2020

I'm using Redis with password authentication and it works like a charm. As @kesselb already wrote, you need to set the password in the redis configuration file and adjust the Nextcloud configuration accordingly:

Redis configuration:

requirepass geheim

Nextcloud configuration:

  array (
    'host' => '/var/run/redis.sock',
    'port' => 0,
    'password' => 'geheim',
    'timeout' => 0.0,
  ),

Author

mazen-mardini commented Jul 21, 2020

> Also did the upgrade from 19.0.0 to 19.0.1 and now having the same issue.
> Maybe rolling back to a previous redis version?

Yeah, that could be another option.

nocin commented Jul 21, 2020

> I'm using Redis with password authentication and it works like a charm. As @kesselb already wrote, you need to set the password in the redis configuration file and adjust the Nextcloud configuration accordingly:
>
> Redis configuration:
>
> requirepass geheim
>
> Nextcloud configuration:
>
>   array (
>     'host' => '/var/run/redis.sock',
>     'port' => 0,
>     'password' => 'geheim',
>     'timeout' => 0.0,
>   ),

I'm having nextcloud and redis running in docker. Tried to add a redis password with the following in my docker-compose:

nextcloud-redis:
  image: redis:alpine
  container_name: nextcloud-redis
  command: nextcloud-redis --requirepass testpw123

But no success. Does anybody know a way to set a password with redis in docker?

Contributor

j-ed commented Jul 21, 2020

@mazen-mardini I think if a different syntax is required to access a Redis server, this needs to be changed in Nextcloud somehow. But before this is done, could someone please test if the new syntax ('password' => array('user' => 'default', 'password' => 'xyz'),) also works with a Redis 5.0.x server? If yes, this would make it easier to provide a fix.

@mazen-mardini
Author

@nocin Set this volume ./redis.conf:/usr/local/etc/redis/redis.conf.

@mazen-mardini
Author

@j-ed I think "password" will just default to false if you pass an array to it.

Contributor

j-ed commented Jul 21, 2020

@mazen-mardini @kesselb I just applied the patch on my server with Nextcloud 18.0.7 installed, restarted the web server and checked the log file of my Redis 5.0.9 server, while I used the Nextcloud GUI. It seems that everything still works as expected without an impact on the server.

If someone else confirms that the patch has no impact on the communication with the Redis server (5.0.x) I would recommend to modify the code accordingly.

Contributor

kesselb commented Jul 21, 2020

@j-ed do you have a docker-composer for me?

Contributor

j-ed commented Jul 22, 2020

@kesselb No, I'm sorry. I don't have a docker composer for you.

nocin commented Jul 22, 2020

> @nocin Set this volume ./redis.conf:/usr/local/etc/redis/redis.conf.

Already tried a similar way, but it just creates a folder with the name "/redis.conf/". Couldn't find the correct way to the redis.conf until now. But hopefully this will be fixed on NC side, that would make much more sense.

@mazen-mardini
Author

> > @nocin Set this volume ./redis.conf:/usr/local/etc/redis/redis.conf.
>
> Already tried a similar way, but it just creates a folder with the name "/redis.conf/". Couldn't find the correct way to the redis.conf until now. But hopefully this will be fixed on NC side, that would make much more sense.

The thing is that /usr/local/etc/redis/redis.conf doesn't exist by default in the Docker image. On top of that you don't initially have a file called redis.conf on your host. This means Docker has no way of knowing if you want to map a file or a directory. To solve this, simply create a file on the host called redis.conf, then restart the Docker container.

Author

mazen-mardini commented Jul 22, 2020

I figured out the problem. The auth-method call was improperly guarded. Even if a password was not set, auth would be called. I changed lib/private/RedisFactory.php:93-95 and Nextcloud+Redis 6 finally worked without a password:

if (isset($config['password']) && $config['password'] !== '' && $config['password'] !== false) {
	$this->instance->auth($config['password']);
}

isset($config['password']) doesn't even work, smh.

@nocin There is no need to set a Redis password if you apply the changes above.

Although setting a Redis password fixes the problem, the previous patch was pretty useless. I'm deleting it to prevent any confusion.

Contributor

kesselb commented Jul 22, 2020

Sounds like nextcloud/docker#1179

If password is not defined (no item with name password) isset is false.

If there is an item with name password and value false or '' isset is true.

That should be fixed over at nextcloud/docker. Afaik the current implementation works as documented.
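
The guard behaviour discussed in the comments above, as an added example that is not part of the original thread or of Nextcloud's code: it runs the `password` values from this issue through a bare isset() check (assumed here to be the earlier guard, as the reply above implies) and through the guard posted earlier in this thread, against a constructed model of a Redis 6 server. `serverReply()` and `tryConnect()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed model of a Redis 6 server's reply; not phpredis and not Nextcloud code.
function serverReply(?string $requirepass, bool $authSent, $password): string
{
    if ($authSent && $requirepass === null) {
        // Error text quoted in this issue: AUTH sent, default user has no password.
        return 'ERR AUTH <password> called without any password configured for the default user.';
    }
    if ($authSent && $password !== $requirepass) {
        return 'WRONGPASS invalid username-password pair';
    }
    if (!$authSent && $requirepass !== null) {
        return 'NOAUTH Authentication required.';
    }
    return 'PONG';
}

// Hypothetical helper: $strict selects the guard posted in this thread over a bare isset().
function tryConnect(array $config, ?string $requirepass, bool $strict): string
{
    $sendAuth = isset($config['password'])
        && (!$strict || ($config['password'] !== '' && $config['password'] !== false));
    $reply = serverReply($requirepass, $sendAuth, $config['password'] ?? null);
    return explode(' ', $reply)[0]; // keep only the reply prefix
}

// Constructed configs covering the 'password' values discussed in this thread.
$cases = [
    'absent' => [],
    'false'  => ['password' => false],
    "''"     => ['password' => ''],
    'geheim' => ['password' => 'geheim'],
];

// First pass: server without requirepass (the setup in this issue); second: requirepass geheim.
foreach ([null, 'geheim'] as $requirepass) {
    printf("server requirepass: %s\n", $requirepass ?? '(none)');
    foreach ($cases as $label => $config) {
        printf("  %-8s isset-only: %-10s posted guard: %s\n", $label,
            tryConnect($config, $requirepass, false), tryConnect($config, $requirepass, true));
    }
}
```

In this model the two guards differ only for `false` and `''`, and skipping AUTH never gets a client past a server that has `requirepass` set: it is answered with NOAUTH.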

Author

mazen-mardini commented Jul 22, 2020

> Sounds like nextcloud/docker#1179
>
> If password is not defined (no item with name password) isset is false.
>
> If there is an item with name password and value false or '' isset is true.
>
> That should be fixed over at nextcloud/docker. Afaik the current implementation works as documented.

Ah, so it's a Docker-image problem. Thanks for the link.

One question, is it wrong to define 'password' as false? Because currently if you do, you'll get issues with Redis.

Contributor

kesselb commented Jul 22, 2020

> One question, is it wrong to define 'password' as false? Because currently if you do, you'll get issues with Redis.

'password' => '', // Optional, if not defined no password will be used.

Contributor

szaimen commented Jun 8, 2021

Seems like this was fixed in the docker repository.

@szaimen szaimen closed this as completed Jun 8, 2021