Prefer the Redis unix socket if available

Unix sockets typically have lower overhead and also allows setting stricter permissions. While iptables can be used to limit access using users, file permissions are much easier to manage.
theforeman · Feb 28, 2024 · 27dbee0 · 27dbee0
1 parent eb8c67c
commit 27dbee0
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -5,7 +5,14 @@
     $redis_url = $pulpcore::redis_url
   } else {
     contain redis
-    $redis_url = "redis://localhost:${redis::port}/${pulpcore::redis_db}"
+    if $redis::unixsocket != '' {
+      $redis_url = "redis+unix://${redis::unixsocket}?db=${pulpcore::redis_db}"
+    } elsif $redis::port != 0 {
+      # TODO: this assumes $redis::bind at least has localhost in it
+      $redis_url = "redis://localhost:${redis::port}/${pulpcore::redis_db}"
+    } else {
+      fail('Unable to determine Redis URL')
+    }
   }
 
   file { [$pulpcore::config_dir, $pulpcore::certs_dir]:

diff --git a/manifests/database.pp b/manifests/database.pp
@@ -39,6 +39,4 @@
     refreshonly => false,
     require     => Pulpcore::Admin['migrate --noinput'],
   }
-
-  contain redis
 }
diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb
@@ -23,7 +23,7 @@
             .with_content(%r{ALLOWED_EXPORT_PATHS = \[\]})
             .with_content(%r{ALLOWED_IMPORT_PATHS = \["/var/lib/pulp/sync_imports"\]})
             .with_content(%r{ALLOWED_CONTENT_CHECKSUMS = \["sha224", "sha256", "sha384", "sha512"\]})
-            .with_content(%r{REDIS_URL = "redis://localhost:6379/8"})
+            .with_content(%r{REDIS_URL = "redis\+unix:///var/run/redis/redis\.sock\?db=8"})
             .with_content(%r{CACHE_ENABLED = False})
             .with_content(%r{# ANALYTICS = False})
             .without_content(%r{sslmode})