From 118c451cfa1a7e74899283e3b9ba2cde6d12c8d4 Mon Sep 17 00:00:00 2001 
From: stegar123 <53397145+stegar123@users.noreply.github.com> Date: Mon, 15 Jul 2024 13:42:41 -0400 Subject: [PATCH] Feature/debian12 (#8215) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Move from debian 11 to debian 12 * Debian12 on proxysql Dockerfile * Debian12: move from deb11 to deb12 * Change from latest to feature-debian12 #NEED TO BE REVERTED LATER * Rules replace spaces by tab * test build package12 [perl-client] * add unittest for debian [perl-client] * add sign-package for debian 12 [perl-client] * add upload package for debian 12 [perl-client] * add packetfence-perl for debian 12 [perl] * packetfence-perl fix error buid debian12 [perl] * Remove reference to debian11 for debian12 * Move debian 11 to debian 12 missing part * Update PF-perl container version * test new build [perl] * upgrade [perl] modules * update changelog [perl] * upgrade spec files for packetfence and debian * Wake up gitlab * Fix mariadb on pfsetacls containers * Fixing: PEP 668 – Marking Python base environments as “externally managed” * Fixing: PEP 668 – Marking Python base environments as "externally managed" on pfsetacls * Fix sudo issue * Remove version of netdata and mariadb, we will use debian repos and version * Update redis conf to redis 5:7.0.15-1~deb12u1 config * Remove python3-twisted-bin from control * Fix specific values for redis configs * Revert "Change from latest to feature-debian12 #NEED TO BE REVERTED LATER" This reverts commit 913d84ae546556747c4512ae1f0c5781fa18a5e7. * Remove vagrant image to default image see #8166 * Update bookworm vagrant version * jump to samba-4.20.1 version with bookworm * CI: Fix AD samba answer * CI: fix dot1x eap peap * Debian12 Bring back debian11 on other VM for tests * Revert "CI: fix dot1x eap peap" This reverts commit 16dcf730eccc0f29fe1896f4a19bf054190bdecb. * Revert "CI: Fix AD samba answer" This reverts commit 48592891a11d7ea0e31125fc663395dadf09a8f6. 
* Debian12: Bring back debian11 to samba4ad for testing * Debian12 adding -legacy to fix #8172 in tests * Debian12 change OS value to ansible vars OS * Firewalld Start changing ssh module to exec module on venom tests * Debian12 fix debianize.patch * Debian12 revert preprovisioning OS for nodes * Debian12 Add bookworm for packetfence-test on node01 * Debian12 CI Nodes: add 13.2 for other deb needed on debian11 * test pf_api_service_restart_async * fix lib check_internet_access_on_host_with_ping * restore pf_api_system_service_restart_async * test Sanitize logs * update repo for wireless device * variable ansible_distribution_release is not seen by wireless device [perl] * upgrade redis to 7.2.5 for rhel * add break_system_packages option for pip * update installation of xmltodict * update installation of xmltodict on debian and redhat * fix issue for sanitize logs * use ssh instead of type exec for check_internet_access_on_host * add retry for http on get_id_of_radius_audit_log_entry * remove time from check_radius_audit_log * decrease retry to 3 seconds * change get_id_of_radius_audit_log_entry * add custom config for openssl.cnf on ntlm-auth-api container * fix dot1x_eap_tls issues * openssl -legacy option is not supported on rhel8, I have added an exception * remove unused lines on run_tests.yml playbooks * Upgrade Template-Toolkit 3.009 -> 3.010 [perl] * improve wired_dot1x_eap_peap_firewall_sso_radius/56_check_firewall_sso_start.yml * improve wired_dot1x_eap_peap_firewall_sso_https/56_check_firewall_sso_start.yml * remove get_time task from check_radius_audit_log * restore no_log for Sanitize logs * remove retry_if condition for check_mock_history_request check * remove trailing space * update box_version on addons/vagrant/inventory/hosts * upgrade golang --------- Co-authored-by: JeGoi <13801368+JeGoi@users.noreply.github.com> --- .github/workflows/main_packetfence-perl.yml | 8 +- .github/workflows/main_perl-client.yml | 8 +-
.../packetfence-perl_build_image_package.yml | 12 +- .../workflows/perl-client_build_package.yml | 20 +- .github/workflows/reusable_sign_packages.yml | 11 +- .github/workflows/reusable_unit_test.yml | 8 +- .../workflows/reusable_upload_packages.yml | 2 +- .gitlab-ci.yml | 124 +- addons/dev-helpers/setup-dev-env.sh | 2 +- addons/full-upgrade/run-upgrade.sh | 4 +- addons/ntlm-auth-api/openssl.cnf | 400 ++++ addons/packetfence-perl/debian/changelog | 10 + addons/packetfence-perl/dependencies.csv | 12 +- .../rhel8/SPECS/packetfence-perl.spec | 9 +- addons/perl-client/vagrant/Makefile | 10 +- .../group_vars/fbservers/apt_preferences.yml | 2 +- addons/perl-client/vagrant/inventory/hosts | 6 +- .../group_vars/dev/apt_preferences.yml | 2 +- .../group_vars/wireless/apt_preferences.yml | 2 +- .../wireless/gitlab_buildpkg_tools.yml | 6 +- addons/vagrant/inventory/hosts | 404 ++-- addons/vagrant/playbooks/get_logs.yml | 1 + .../playbooks/nodes/pre_prov/packages.yml | 6 +- .../create-debian-installer.sh | 4 +- .../postinst-debian-installer.sh | 2 +- ci/debian-installer/preseed.cfg.tmpl | 4 +- ci/lib/common/functions.sh | 2 +- ci/packer/cpanbuild.json | 16 +- ci/packer/packer-wrapper.sh | 2 +- ci/packer/pfbuild.json | 16 +- ci/packer/vagrant_img/Makefile | 12 +- ci/packer/vagrant_img/build.pkr.hcl | 6 +- ci/packer/vagrant_img/sources.pkr.hcl | 8 +- ci/packer/zen/Makefile | 6 +- ci/packer/zen/build.pkr.hcl | 2 +- ci/packer/zen/files/preseed.cfg | 2 +- ci/packer/zen/files/preseed.cfg.example | 2 +- ci/packer/zen/sources.pkr.hcl | 6 +- conf/redis_cache.conf.example | 1870 +++++++++++++++-- conf/redis_ntlm_cache.conf.example | 1869 ++++++++++++++-- conf/redis_queue.conf.example | 1868 ++++++++++++++-- containers/api-frontend/Dockerfile | 2 +- containers/httpd.admin_dispatcher/Dockerfile | 2 +- containers/httpd.dispatcher/Dockerfile | 2 +- containers/ntlm-auth-api/Dockerfile | 13 +- .../Dockerfile_debian11} | 0 .../debian12/Dockerfile_debian12 | 59 + containers/pfacct/Dockerfile | 2 
+- containers/pfconnector/Dockerfile | 2 +- containers/pfcron/Dockerfile | 2 +- containers/pfdebian/Dockerfile | 4 +- containers/pfldapexplorer/Dockerfile | 2 +- containers/pfpki/Dockerfile | 2 +- containers/pfsetacls/Dockerfile | 9 +- containers/pfsso/Dockerfile | 2 +- containers/proxysql/Dockerfile | 4 +- containers/radiusd/Dockerfile | 2 +- debian/control | 10 +- debian/packetfence-config.postinst | 2 +- debian/packetfence-config.prerm | 2 +- debian/packetfence-redis-cache.postinst | 4 +- debian/packetfence-redis-cache.prerm | 2 +- debian/packetfence.postinst | 8 +- debian/packetfence.prerm | 2 +- debian/patches/debianize.patch | 354 +++- debian/rules | 3 + .../subnets_and_ips.asciidoc | 4 +- docs/installation/installation.asciidoc | 4 +- docs/installation/linode/linode.asciidoc | 10 +- .../installation/system_requirements.asciidoc | 2 +- rpm/packetfence.spec | 7 +- t/venom/Makefile | 90 +- t/venom/lib/check_internet_access_on_host.yml | 4 +- ...heck_internet_access_on_host_with_ping.yml | 10 +- t/venom/lib/extract_certificates_http.yml | 6 +- t/venom/lib/extract_certificates_radius.yml | 6 +- t/venom/lib/extract_certificates_user.yml | 6 +- .../lib/node01/node01_deploy_certificates.yml | 10 +- t/venom/lib/venom_wrapper_command_on_host.yml | 9 +- .../dot1x_eap_peap/playbooks/configure.yml | 9 + .../dot1x_eap_peap/playbooks/run_tests.yml | 2 - .../export_import/ansible_inventory.yml | 6 +- .../pfappserver/playbooks/localdev.yml | 4 +- .../scenarios/template/ansible_inventory.yml | 6 +- .../captive_portal/22_sleep_some_time.yml | 6 - .../25_check_radius_audit_log.yml | 26 +- .../50_run_configurator_step4.yml | 1 + .../32_sleep_some_time.yml | 6 - .../33_check_radius_audit_log.yml | 25 +- .../50_sleep_some_time.yml | 6 - .../55_check_radius_audit_log.yml | 25 +- .../50_sleep_some_time.yml | 1 - .../56_check_firewall_sso_start.yml | 21 +- .../50_sleep_some_time.yml | 1 - .../54_check_radius_audit_log.yml | 25 +- .../56_check_firewall_sso_start.yml | 22 +- 
.../90_sleep_some_time.yml | 6 - .../91_check_radius_audit_log.yml | 25 +- .../90_sleep_some_time.yml | 6 - .../91_check_radius_audit_log.yml | 25 +- .../05_create_pki.yml | 12 +- .../90_sleep_some_time.yml | 6 - .../91_check_radius_audit_log.yml | 25 +- .../wired_mac_auth/22_sleep_some_time.yml | 6 - .../25_check_radius_audit_log.yml | 25 +- .../45_sleep_some_time.yml | 1 - .../50_check_radius_audit_log.yml | 25 +- .../wireless_mac_auth/22_sleep_some_time.yml | 6 - .../25_check_radius_audit_log.yml | 25 +- t/venom/utils/sanitize-venom-logs.sh | 4 +- 110 files changed, 6413 insertions(+), 1406 deletions(-) create mode 100644 addons/ntlm-auth-api/openssl.cnf rename containers/packetfence-perl/{debian/Dockerfile_debian => debian11/Dockerfile_debian11} (100%) create mode 100644 containers/packetfence-perl/debian12/Dockerfile_debian12 delete mode 100644 t/venom/test_suites/captive_portal/22_sleep_some_time.yml delete mode 100644 t/venom/test_suites/inline_l2_and_radius/32_sleep_some_time.yml delete mode 100644 t/venom/test_suites/wired_dot1x_eap_peap/50_sleep_some_time.yml delete mode 120000 t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_https/50_sleep_some_time.yml delete mode 120000 t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/50_sleep_some_time.yml delete mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_manual/90_sleep_some_time.yml delete mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_pki/90_sleep_some_time.yml delete mode 100644 t/venom/test_suites/wired_dot1x_eap_tls_scep/90_sleep_some_time.yml delete mode 100644 t/venom/test_suites/wired_mac_auth/22_sleep_some_time.yml delete mode 120000 t/venom/test_suites/wireless_dot1x_eap_peap/45_sleep_some_time.yml delete mode 100644 t/venom/test_suites/wireless_mac_auth/22_sleep_some_time.yml diff --git a/.github/workflows/main_packetfence-perl.yml b/.github/workflows/main_packetfence-perl.yml index 26d24012622f..356c9617ed49 100644 --- a/.github/workflows/main_packetfence-perl.yml 
+++ b/.github/workflows/main_packetfence-perl.yml @@ -74,7 +74,7 @@ jobs: if: ${{ contains( github.event.head_commit.message, '[perl]') || needs.build_preparation.outputs.path_changes == 'true' && needs.build_preparation.outputs.regex_match_branch != '' }} strategy: matrix: - images: ['debian', 'rhel8'] + images: ['debian11', 'debian12', 'rhel8'] uses: ./.github/workflows/packetfence-perl_build_image_package.yml needs: ['build_preparation'] with: @@ -87,7 +87,7 @@ jobs: unit_tests_packages: strategy: matrix: - images: ['debian', 'rhel8'] + images: ['debian11', 'debian12', 'rhel8'] uses: ./.github/workflows/reusable_unit_test.yml needs: ['build_preparation', 'build_images_and_packages'] with: @@ -97,7 +97,7 @@ jobs: sign_package: strategy: matrix: - images: ['debian', 'rhel8'] + images: ['debian11', 'debian12', 'rhel8'] uses: ./.github/workflows/reusable_sign_packages.yml needs: ['build_preparation', 'build_images_and_packages', 'unit_tests_packages'] with: @@ -110,7 +110,7 @@ jobs: upload_packages: strategy: matrix: - images: ['debian', 'rhel8'] + images: ['debian11', 'debian12', 'rhel8'] uses: ./.github/workflows/reusable_upload_packages.yml needs: ['build_preparation', 'build_images_and_packages', 'unit_tests_packages', 'sign_package'] with: diff --git a/.github/workflows/main_perl-client.yml b/.github/workflows/main_perl-client.yml index 64acfb9c80ff..a19cbedc9ea0 100644 --- a/.github/workflows/main_perl-client.yml +++ b/.github/workflows/main_perl-client.yml @@ -70,7 +70,7 @@ jobs: if: ${{ contains( github.event.head_commit.message, '[perl-client]') || needs.build_preparation.outputs.path_changes == 'true' && needs.build_preparation.outputs.regex_match_branch != '' }} strategy: matrix: - images: ['debian', 'rhel8'] + images: ['debian11', 'debian12', 'rhel8'] uses: ./.github/workflows/perl-client_build_package.yml needs: ['build_preparation'] with: 
@@ -84,7 +84,7 @@ jobs: unit_tests_packages: strategy: matrix: - images: ['debian', 'rhel8'] + images: ['debian11', 'debian12', 'rhel8'] uses: ./.github/workflows/reusable_unit_test.yml needs: ['build_preparation', 'build_packages'] with: @@ -94,7 +94,7 @@ jobs: sign_package: strategy: matrix: - images: ['debian', 'rhel8'] + images: ['debian11', 'debian12', 'rhel8'] uses: ./.github/workflows/reusable_sign_packages.yml needs: ['build_preparation', 'build_packages', 'unit_tests_packages'] with: @@ -107,7 +107,7 @@ jobs: upload_packages: strategy: matrix: - images: ['debian', 'rhel8'] + images: ['debian11', 'debian12', 'rhel8'] uses: ./.github/workflows/reusable_upload_packages.yml needs: ['build_preparation', 'build_packages', 'unit_tests_packages', 'sign_package'] with: diff --git a/.github/workflows/packetfence-perl_build_image_package.yml b/.github/workflows/packetfence-perl_build_image_package.yml index 91d07f6e4a1a..67bea66c0c0e 100644 --- a/.github/workflows/packetfence-perl_build_image_package.yml +++ b/.github/workflows/packetfence-perl_build_image_package.yml 
@@ -95,13 +95,17 @@ jobs: run: | cd /root set -e && python3 install_cpan.py -d dependencies.csv -vi true && ./build_package.sh - ls -la ${{ inputs._OUTPUT_DIRECTORY }}/${{inputs._IMAGE_TYPE}}/packages/ + ls -la ${{ inputs._OUTPUT_DIRECTORY }} + ls -la ${{ inputs._OUTPUT_DIRECTORY }}/${{env.PATH_PACKAGE}}/packages/ + env: + PATH_PACKAGE: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'rhel8' || 'debian' }} - name: Upload the package to artifactory ${{inputs._IMAGE_TYPE}} uses: actions/upload-artifact@v3 with: name: ${{ env.ARTIFACTORY_NAME }} - path: ${{ inputs._OUTPUT_DIRECTORY }}/${{ inputs._IMAGE_TYPE}}/packages/${{ env.PACKAGE_NAME }} + path: ${{ inputs._OUTPUT_DIRECTORY }}/${{ env.PATH_PACKAGE }}/packages/${{ env.PACKAGE_NAME }} env: - PACKAGE_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'packetfence-perl-*.rpm' || 'packetfence-perl*.deb' }} - ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm' || 'package-deb' }} \ No newline at end of file + PACKAGE_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'packetfence-perl-*.rpm' || inputs._IMAGE_TYPE == 'debian11' && 'packetfence-perl*.deb' || inputs._IMAGE_TYPE == 'debian12' && 'packetfence-perl*.deb' }} + ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }} + PATH_PACKAGE: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'rhel8' || 'debian' }} diff --git a/.github/workflows/perl-client_build_package.yml b/.github/workflows/perl-client_build_package.yml index 264aef091b1b..7a3fb6033e72 100644 --- a/.github/workflows/perl-client_build_package.yml +++ b/.github/workflows/perl-client_build_package.yml 
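Review bot: `PATH_PACKAGE` is declared twice with the same expression, once in the `ls` step's `env:` and again in the upload step's `env:`, so the two copies can drift on the next edit; declare it once at the job level (the job header is outside this hunk) and drop both step-level copies. The new `PACKAGE_NAME` and `ARTIFACTORY_NAME` chains have no final fallback, so any `_IMAGE_TYPE` other than the three listed evaluates to `false` and the artifact is silently uploaded under the name `false`. Since both Debian entries resolve to the same glob, `PACKAGE_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'packetfence-perl-*.rpm' || 'packetfence-perl*.deb' }}` is shorter and behaves the same, and a first step that fails on an unrecognised `_IMAGE_TYPE` would turn the unknown case into a hard error instead of a mis-named artifact.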
@@ -26,7 +26,7 @@ jobs: runs-on: package-build needs: git_checkout container: - image: registry.gitlab.com/orange-opensource/gitlab-buildpkg/${{ inputs._IMAGE_TYPE == 'rhel8' && 'centos:8' || 'debian:bullseye'}} + image: registry.gitlab.com/orange-opensource/gitlab-buildpkg/${{ inputs._IMAGE_TYPE == 'rhel8' && 'centos:8' || inputs._IMAGE_TYPE == 'debian11' && 'debian:bullseye' || inputs._IMAGE_TYPE == 'debian12' && 'debian:bookworm' }} env: EXECUTION_DIRECTORY: '/mnt/packetfence/' # volumes: @@ -41,8 +41,10 @@ jobs: run: dnf -y install rpm-sign python39 && python3.9 -m pip install -q -U pip && pip install -q pynacl requests - name: Install Debian dependencies ${{ inputs._IMAGE_TYPE }} - if: inputs._IMAGE_TYPE == 'debian' - run: apt -qq update && apt -qq -y install python3 python3-pip && python3 -m pip install -q -U pip && pip install -q pynacl requests + if: inputs._IMAGE_TYPE == 'debian11' || inputs._IMAGE_TYPE == 'debian12' + run: apt -qq update && apt -qq -y install python3 python3-pip && python3 -m pip install -q -U pip ${{ env.BREAK_OPTION}} && pip install -q pynacl requests ${{ env.BREAK_OPTION}} + env: + BREAK_OPTION: ${{ inputs._IMAGE_TYPE == 'debian12' && '--break-system-packages' || '' }} - name: Safety add directory shell: bash 
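Review bot: The `--break-system-packages` flag introduced via `BREAK_OPTION` forces unpinned, unhashed `pynacl` and `requests` wheels from PyPI into the apt-managed system site-packages of the package-build container, which is exactly the mixing PEP 668 exists to prevent and makes the build environment non-reproducible. Both libraries are packaged in bullseye and bookworm, so `apt -qq -y install python3 python3-nacl python3-requests` from the signed distro repositories would remove the pip step and the flag entirely, assuming `psono.py` does not need a newer API than Debian ships; if it does, `python3 -m venv /opt/ci && /opt/ci/bin/pip install pynacl==<ver> requests==<ver>` keeps the install out of the system tree with pinned versions. The `image:` expression in the first hunk likewise has no fallback, so an unknown `_IMAGE_TYPE` resolves to `.../gitlab-buildpkg/false`; a trailing default or an explicit failing guard would be clearer. The job's remaining steps are outside this hunk.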
@@ -63,7 +65,7 @@ jobs: cd "${EXECUTION_DIRECTORY}"/addons/perl-client/ set -e && export FINGERBANK_API_KEY=$(set -e && python3 "${EXECUTION_DIRECTORY}"/addons/packetfence-perl/psono.py --api_key_id=${{ secrets.PSONO_API_KEY_ID }} --api_key_secret_key=${{ secrets.PSONO_API_KEY_SECRET_KEY }} --secret_id=${{ vars.PSONO_BUILDS_KEY_FINGERBANK }} --return_value=password) set -e && make SHELL='sh' -e ${{ inputs._IMAGE_TYPE == 'rhel8' && 'build_rpm' || 'build_deb'}} - ls -la "${EXECUTION_DIRECTORY}"/addons/perl-client/result/${{ inputs._IMAGE_TYPE == 'rhel8' && 'centos/8' || 'debian/bullseye'}} + ls -la "${EXECUTION_DIRECTORY}"/addons/perl-client/result/${{ inputs._IMAGE_TYPE == 'rhel8' && 'centos/8' || inputs._IMAGE_TYPE == 'debian11' && 'debian/bullseye' || inputs._IMAGE_TYPE == 'debian12' && 'debian/bookworm'}} env: CI_COMMIT_REF_NAME: ${{ inputs._BRANCH_NAME }} 
@@ -71,15 +73,15 @@ jobs: uses: actions/upload-artifact@v3 with: name: ${{ env.ARTIFACTORY_NAME }} -# path: /__w/packetfence/packetfence/addons/perl-client/result/${{ inputs._IMAGE_TYPE == 'rhel8' && 'centos/8' || 'debian/bullseye'}}/${{ env.PACKAGE_NAME }} - path: /mnt/packetfence/addons/perl-client/result/${{ inputs._IMAGE_TYPE == 'rhel8' && 'centos/8' || 'debian/bullseye'}}/${{ env.PACKAGE_NAME }} +# path: /__w/packetfence/packetfence/addons/perl-client/result/${{ inputs._IMAGE_TYPE == 'rhel8' && 'centos/8' || inputs._IMAGE_TYPE == 'debian11' && 'debian/bookworm'}}/${{ env.PACKAGE_NAME }} + path: /mnt/packetfence/addons/perl-client/result/${{ inputs._IMAGE_TYPE == 'rhel8' && 'centos/8' || inputs._IMAGE_TYPE == 'debian11' && 'debian/bullseye' || inputs._IMAGE_TYPE == 'debian12' && 'debian/bookworm'}}/${{ env.PACKAGE_NAME }} env: - PACKAGE_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'fingerbank-*.noarch.rpm' || 'fingerbank*.deb' }} - ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm' || 'package-deb' }} + PACKAGE_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'fingerbank-*.noarch.rpm' || inputs._IMAGE_TYPE == 'debian11' && 'fingerbank*.deb' || inputs._IMAGE_TYPE == 'debian12' && 'fingerbank*.deb' }} + ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }} PATH: "${GITHUB_WORKSPACE}" - name: Clean directory if: always() run: | rm -rf "${EXECUTION_DIRECTORY}" - rm -rf ${HOME}/rpmbuild \ No newline at end of file + rm -rf ${HOME}/rpmbuild diff --git a/.github/workflows/reusable_sign_packages.yml b/.github/workflows/reusable_sign_packages.yml index 0e7518f7d241..fd0b45690841 100644 --- a/.github/workflows/reusable_sign_packages.yml +++ b/.github/workflows/reusable_sign_packages.yml 
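Review bot: The commented-out `# path:` line was edited along with the live one but now maps `debian11` to `debian/bookworm` and has no `debian12` branch at all, so it contradicts the active `path:` directly below it; dead configuration that disagrees with the live line will mislead the next person touching this step, so delete it rather than keep maintaining it. As in the other workflows in this patch, neither `path:` nor `ARTIFACTORY_NAME` has a fallback for an unrecognised `_IMAGE_TYPE`, so the upload would silently target `.../result/false/...`. Both Debian variants use the same glob, so `PACKAGE_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'fingerbank-*.noarch.rpm' || 'fingerbank*.deb' }}` expresses the intent without the duplicated branch.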
@@ -18,7 +18,7 @@ on: jobs: sign_package_deb: - if: inputs._IMAGE_TYPE == 'debian' + if: inputs._IMAGE_TYPE == 'debian11' || inputs._IMAGE_TYPE == 'debian12' runs-on: packetfence-perl-package-build container: image: debian:11.0 @@ -31,7 +31,7 @@ jobs: name: ${{ env.ARTIFACTORY_NAME }} path: /mnt env: - ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm' || 'package-deb' }} + ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }} - name: Install Debian dependencies ${{ inputs._IMAGE_TYPE }} run: apt -qq update && apt -qq -y install gpg dpkg-sig python3 python3-pip && python3 -m pip install -q -U pip && pip install -q pynacl requests @@ -55,7 +55,7 @@ jobs: path: /mnt/${{ env.PACKAGE_NAME }} env: PACKAGE_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && env.RPM_FORMAT_PACKAGE_NAME || env.DEB_FORMAT_PACKAGE_NAME }} - ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm' || 'package-deb' }} + ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }} DEB_FORMAT_PACKAGE_NAME: "${{ inputs._PACKAGE_NAME }}*.deb" RPM_FORMAT_PACKAGE_NAME: "${{ inputs._PACKAGE_NAME }}*.rpm" @@ -73,7 +73,8 @@ jobs: name: ${{ env.ARTIFACTORY_NAME }} path: /mnt env: - ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm' || 'package-deb' }} + ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }} + - name: Install RHEL dependencies ${{ inputs._IMAGE_TYPE }} run: dnf -y install rpm-sign python39 && python3.9 -m pip install -q -U pip && pip install -q pynacl requests 
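Review bot: `sign_package_deb` now runs for `debian12` as well, but the container directly below the changed `if:` is still `image: debian:11.0`, so bookworm packages are signed with a bullseye toolchain, and the tag pins the initial 11.0 point release rather than `debian:bullseye`, meaning the signing container never picks up security updates. If staying on bullseye is deliberate — as far as I can tell dpkg-sig is not shipped in bookworm, which would explain it — record that in a comment on the `image:` line; otherwise select the image from `_IMAGE_TYPE` the way `reusable_unit_test.yml` does in this same patch. The identical `ARTIFACTORY_NAME` expression is now repeated in four steps across two jobs; a job-level `env:` would keep them from diverging. Both job definitions continue past this hunk.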
@@ -103,6 +104,6 @@ jobs: path: /mnt/${{ env.PACKAGE_NAME }} env: PACKAGE_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && env.RPM_FORMAT_PACKAGE_NAME || env.DEB_FORMAT_PACKAGE_NAME }} - ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm' || 'package-deb' }} + ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }} DEB_FORMAT_PACKAGE_NAME: "${{ inputs._PACKAGE_NAME }}*.deb" RPM_FORMAT_PACKAGE_NAME: "${{ inputs._PACKAGE_NAME }}*.rpm" diff --git a/.github/workflows/reusable_unit_test.yml b/.github/workflows/reusable_unit_test.yml index c1fb5f27541b..3759bdc05d39 100644 --- a/.github/workflows/reusable_unit_test.yml +++ b/.github/workflows/reusable_unit_test.yml @@ -13,7 +13,7 @@ jobs: unit-test: runs-on: packetfence-perl-package-build container: - image: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'redhat/ubi8:8.8' || 'debian:11.0'}} + image: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'redhat/ubi8:8.8' || inputs._IMAGE_TYPE == 'debian11' && 'debian:bullseye' || inputs._IMAGE_TYPE == 'debian12' && 'debian:bookworm'}} steps: - name: Download artifactory ${{ inputs._IMAGE_TYPE }} uses: actions/download-artifact@v3 @@ -21,7 +21,7 @@ jobs: name: ${{ env.ARTIFACTORY_NAME }} path: /mnt env: - ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm' || 'package-deb' }} + ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }} - name: Install the package ${{ inputs._PACKAGE_NAME}} rhel8 if: inputs._IMAGE_TYPE == 'rhel8' 
@@ -36,14 +36,14 @@ jobs: rpm -qa | grep ${{ inputs._PACKAGE_NAME }} - name: Install the package ${{ inputs._PACKAGE_NAME}} debian - if: inputs._IMAGE_TYPE == 'debian' + if: inputs._IMAGE_TYPE == 'debian11' || inputs._IMAGE_TYPE == 'debian12' run: | ls -la /mnt apt update; apt install -y gnupg sudo wget curl PF_RELEASE_PATH=https://raw.githubusercontent.com/inverse-inc/packetfence/devel/conf/pf-release PF_MINOR_RELEASE=$(curl -s ${PF_RELEASE_PATH} | grep -oE '[0-9]+\.[0-9]+') wget -q -O - https://inverse.ca/downloads/GPG_PUBLIC_KEY | apt-key add - - echo "deb http://inverse.ca/downloads/PacketFence/debian/${PF_MINOR_RELEASE} bullseye bullseye" > /etc/apt/sources.list.d/packetfence.list + echo "deb http://inverse.ca/downloads/PacketFence/debian/${PF_MINOR_RELEASE} bookworm bookworm" > /etc/apt/sources.list.d/packetfence.list apt update set -e && find /mnt -name ${{ inputs._PACKAGE_NAME }}*.deb -exec bash -c 'apt install -f -y {}' \; echo "Next packages ${{ inputs._PACKAGE_NAME }} was installed successfuly: " diff --git a/.github/workflows/reusable_upload_packages.yml b/.github/workflows/reusable_upload_packages.yml index 9d0b02abd5e5..7748e404c2ab 100644 --- a/.github/workflows/reusable_upload_packages.yml +++ b/.github/workflows/reusable_upload_packages.yml @@ -32,7 +32,7 @@ jobs: name: ${{ env.ARTIFACTORY_NAME }} path: /mnt env: - ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm' || 'package-deb' }} + ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }} - name: Install dependencies ${{ inputs._IMAGE_TYPE }} run: apt -qq update && apt -qq -y install openssh-client rsync python3 python3-pip && python3 -m pip install -q -U pip && pip install -q pynacl requests diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 134be4a50010..4821d4e6c98e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
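Review bot: The repository line is now hard-coded to `bookworm bookworm`, but the step's `if:` was widened in the same hunk to run for `debian11` too, so the bullseye unit-test container will install PacketFence dependencies from the bookworm suite. Derive the suite from the running image instead: `. /etc/os-release` followed by `echo "deb http://inverse.ca/downloads/PacketFence/debian/${PF_MINOR_RELEASE} ${VERSION_CODENAME} ${VERSION_CODENAME}" > /etc/apt/sources.list.d/packetfence.list`. While here, `apt-key add -` is deprecated on both releases; storing the key under `/etc/apt/keyrings/packetfence.gpg` and referencing it with `[signed-by=/etc/apt/keyrings/packetfence.gpg]` in the deb line scopes trust in that key to this one repository rather than every apt source. The rest of the install script is outside this hunk.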
@@ -28,8 +28,8 @@ variables: PIPELINE_TIMEOUT_SCRIPT: 160m PIPELINE_TIMEOUT_CLEANUP: 10m BUILD_PFAPPSERVER_VUE: "yes" - PFBUILD_CENTOS_8_IMG: ghcr.io/inverse-inc/packetfence/pfbuild-centos-8 - PFBUILD_DEB_BULLSEYE_IMG: ghcr.io/inverse-inc/packetfence/pfbuild-debian-bullseye + PFBUILD_RHEL_IMG: ghcr.io/inverse-inc/packetfence/pfbuild-centos-8 + PFBUILD_DEB_IMG: ghcr.io/inverse-inc/packetfence/pfbuild-debian-bookworm KANIKO_DEBUG_IMG: gcr.io/kaniko-project/executor:debug KANIKOBUILD_IMG: ghcr.io/inverse-inc/packetfence/kaniko-build KNK_REGISTRY: ghcr.io @@ -583,7 +583,7 @@ variables: # CHECK JOBS ######################################## run_pipeline_if_necessary: - image: ${PFBUILD_DEB_BULLSEYE_IMG}:${PFBUILD_DEFAULT_DEV_TAG} + image: ${PFBUILD_DEB_IMG}:${PFBUILD_DEFAULT_DEV_TAG} extends: - .check_job - .check_devel_branches_and_maintenance_rules @@ -959,25 +959,25 @@ build_img_docker_el8_release: ACTIVE_BUILDS: 'pfbuild-centos-8' # Debian -build_img_docker_deb11_devel: +build_img_docker_deb12_devel: extends: - .build_img_docker_job - .build_img_docker_devel_rules variables: DOCKER_TAGS: latest,devel,maintenance-99-9 - ACTIVE_BUILDS: 'pfbuild-bullseye' + ACTIVE_BUILDS: 'pfbuild-bookworm' -build_img_docker_deb11_branches_and_maintenance: +build_img_docker_deb12_branches_and_maintenance: extends: - .build_img_docker_job - .build_img_docker_branches_and_maintenance_rules variables: DOCKER_TAGS: ${CI_COMMIT_REF_SLUG} - ACTIVE_BUILDS: 'pfbuild-bullseye' + ACTIVE_BUILDS: 'pfbuild-bookworm' # build a docker image at release # used to build release and maintenance packages -build_img_docker_deb11_release: +build_img_docker_deb12_release: extends: - .build_img_docker_job - .release_only_rules 
@@ -987,7 +987,7 @@ build_img_docker_deb11_release: ANSIBLE_CENTOS8_GROUP: stable_centos8 ANSIBLE_DEBIAN_GROUP: common_debian ANSIBLE_RUBYGEMS_GROUP: stable_rubygems - ACTIVE_BUILDS: 'pfbuild-bullseye' + ACTIVE_BUILDS: 'pfbuild-bookworm' ### build Docker images on cloud nac branches build_img_docker_el8_cloud_nac: @@ -998,13 +998,13 @@ build_img_docker_el8_cloud_nac: DOCKER_TAGS: ${CI_COMMIT_REF_SLUG},${CI_COMMIT_REF_SLUG}-${CI_PIPELINE_ID} ACTIVE_BUILDS: 'pfbuild-centos-8' -build_img_docker_deb11_cloud_nac: +build_img_docker_deb12_cloud_nac: extends: - .build_img_docker_job - .build_img_docker_cloud_nac_rules variables: DOCKER_TAGS: ${CI_COMMIT_REF_SLUG},${CI_COMMIT_REF_SLUG}-${CI_PIPELINE_ID} - ACTIVE_BUILDS: 'pfbuild-bullseye' + ACTIVE_BUILDS: 'pfbuild-bookworm' ### build_img_vagrant jobs # build_img_vagrant_devel_and_branches_el_8: @@ -1014,26 +1014,26 @@ build_img_docker_deb11_cloud_nac: # variables: # BOX_NAME: pfel8dev -build_img_vagrant_devel_and_branches_debian_bullseye: +build_img_vagrant_devel_and_branches_debian_bookworm: extends: - .build_img_vagrant_devel_and_branches_job - .build_img_vagrant_devel_and_branches_rules variables: - BOX_NAME: pfdeb11dev + BOX_NAME: pfdeb12dev ######################################## # BUILD_ARTIFACTS JOBS ######################################## # build_artifacts_pkg jobs for development (devel) build_artifacts_pkg_devel_centos_8: - image: ${PFBUILD_CENTOS_8_IMG}:${PFBUILD_DEFAULT_DEV_TAG} + image: ${PFBUILD_RHEL_IMG}:${PFBUILD_DEFAULT_DEV_TAG} extends: - .build_artifacts_pkg_job - .rpm_script_job - .build_artifacts_pkg_devel_rules -build_artifacts_pkg_devel_debian_bullseye: - image: ${PFBUILD_DEB_BULLSEYE_IMG}:${PFBUILD_DEFAULT_DEV_TAG} +build_artifacts_pkg_devel_debian_bookworm: + image: ${PFBUILD_DEB_IMG}:${PFBUILD_DEFAULT_DEV_TAG} extends: - .build_artifacts_pkg_job - .deb_script_job 
@@ -1041,14 +1041,14 @@ build_artifacts_pkg_devel_debian_bullseye: # build_artifacts_pkg jobs for development (branches other than devel and maintenance) build_artifacts_pkg_branches_centos_8: - image: ${PFBUILD_CENTOS_8_IMG}:${CI_COMMIT_REF_SLUG} + image: ${PFBUILD_RHEL_IMG}:${CI_COMMIT_REF_SLUG} extends: - .build_artifacts_pkg_job - .rpm_script_job - .build_artifacts_pkg_branches_rules -build_artifacts_pkg_branches_debian_bullseye: - image: ${PFBUILD_DEB_BULLSEYE_IMG}:${CI_COMMIT_REF_SLUG} +build_artifacts_pkg_branches_debian_bookworm: + image: ${PFBUILD_DEB_IMG}:${CI_COMMIT_REF_SLUG} extends: - .build_artifacts_pkg_job - .deb_script_job @@ -1057,14 +1057,14 @@ build_artifacts_pkg_branches_debian_bullseye: # build_artifacts_pkg jobs for release # CI_COMMIT_TAG contains vX.Y.X build_artifacts_pkg_release_centos_8: - image: ${PFBUILD_CENTOS_8_IMG}:${CI_COMMIT_TAG} + image: ${PFBUILD_RHEL_IMG}:${CI_COMMIT_TAG} extends: - .build_artifacts_pkg_job - .rpm_script_job - .release_only_rules -build_artifacts_pkg_release_debian_bullseye: - image: ${PFBUILD_DEB_BULLSEYE_IMG}:${CI_COMMIT_TAG} +build_artifacts_pkg_release_debian_bookworm: + image: ${PFBUILD_DEB_IMG}:${CI_COMMIT_TAG} extends: - .build_artifacts_pkg_job - .deb_script_job @@ -1072,14 +1072,14 @@ build_artifacts_pkg_release_debian_bullseye: # CI_COMMIT_REF_SLUG contains maintenance-X-Y build_artifacts_pkg_maintenance_centos_8: - image: ${PFBUILD_CENTOS_8_IMG}:${CI_COMMIT_REF_SLUG} + image: ${PFBUILD_RHEL_IMG}:${CI_COMMIT_REF_SLUG} extends: - .build_artifacts_pkg_job - .rpm_script_job - .maintenance_only_rules -build_artifacts_pkg_maintenance_debian_bullseye: - image: ${PFBUILD_DEB_BULLSEYE_IMG}:${CI_COMMIT_REF_SLUG} +build_artifacts_pkg_maintenance_debian_bookworm: + image: ${PFBUILD_DEB_IMG}:${CI_COMMIT_REF_SLUG} extends: - .build_artifacts_pkg_job - .deb_script_job 
@@ -1087,7 +1087,7 @@ build_artifacts_pkg_maintenance_debian_bullseye: # build_artifacts_website jobs for development build_artifacts_website_devel_and_branches: - image: ${PFBUILD_DEB_BULLSEYE_IMG}:${PFBUILD_DEFAULT_DEV_TAG} + image: ${PFBUILD_DEB_IMG}:${PFBUILD_DEFAULT_DEV_TAG} extends: - .build_artifacts_website_job - .build_artifacts_website_devel_and_branches_rules @@ -1095,35 +1095,35 @@ build_artifacts_website_devel_and_branches: # build_artifacts_website job for release # CI_COMMIT_TAG contains vX.Y.X build_artifacts_website_release: - image: ${PFBUILD_DEB_BULLSEYE_IMG}:${CI_COMMIT_TAG} + image: ${PFBUILD_DEB_IMG}:${CI_COMMIT_TAG} extends: - .build_artifacts_website_job - .release_only_rules # build_artificats_material job for development material_devel_and_branches: - image: ${PFBUILD_DEB_BULLSEYE_IMG}:${PFBUILD_DEFAULT_DEV_TAG} + image: ${PFBUILD_DEB_IMG}:${PFBUILD_DEFAULT_DEV_TAG} extends: - .build_artifacts_material_job - .build_artifacts_material_devel_and_branches_rules # build_artificats_material job for release material_release: - image: ${PFBUILD_DEB_BULLSEYE_IMG}:${CI_COMMIT_TAG} + image: ${PFBUILD_DEB_IMG}:${CI_COMMIT_TAG} extends: - .build_artifacts_material_job - .release_only_rules # build_artifacts_doc jobs for development build_artifacts_doc_devel_and_branches: - image: ${PFBUILD_DEB_BULLSEYE_IMG}:${PFBUILD_DEFAULT_DEV_TAG} + image: ${PFBUILD_DEB_IMG}:${PFBUILD_DEFAULT_DEV_TAG} extends: - .build_artifacts_doc_job - .build_artifacts_doc_devel_and_branches_rules # build_artifacts_doc jobs for release build_artifacts_doc_release: - image: ${PFBUILD_DEB_BULLSEYE_IMG}:${CI_COMMIT_TAG} + image: ${PFBUILD_DEB_IMG}:${CI_COMMIT_TAG} extends: - .build_artifacts_doc_job - .release_only_rules 
@@ -1140,13 +1140,13 @@ sign_devel_release_branches_and_maintenance: - ci-sign-pkg dependencies: - build_artifacts_pkg_devel_centos_8 - - build_artifacts_pkg_devel_debian_bullseye + - build_artifacts_pkg_devel_debian_bookworm - build_artifacts_pkg_branches_centos_8 - - build_artifacts_pkg_branches_debian_bullseye + - build_artifacts_pkg_branches_debian_bookworm - build_artifacts_pkg_release_centos_8 - - build_artifacts_pkg_release_debian_bullseye + - build_artifacts_pkg_release_debian_bookworm - build_artifacts_pkg_maintenance_centos_8 - - build_artifacts_pkg_maintenance_debian_bullseye + - build_artifacts_pkg_maintenance_debian_bookworm artifacts: expire_in: 1 day paths: @@ -1188,7 +1188,7 @@ configurator_el8: - .test_script_job - .test_devel_and_maintenance_rules -configurator_deb11: +configurator_deb12: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} extends: @@ -1204,7 +1204,7 @@ pfappserver_el8: - .test_script_job - .test_devel_and_maintenance_rules -pfappserver_deb11: +pfappserver_deb12: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} extends: @@ -1220,7 +1220,7 @@ dot1x_eap_peap_el8: - .test_script_job - .test_devel_and_maintenance_rules -dot1x_eap_peap_deb11: +dot1x_eap_peap_deb12: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} extends: @@ -1236,7 +1236,7 @@ mac_auth_el8: - .test_script_job - .test_devel_and_maintenance_rules -mac_auth_deb11: +mac_auth_deb12: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} extends: @@ -1252,7 +1252,7 @@ dot1x_eap_tls_el8: - .test_script_job - .test_devel_and_maintenance_rules -dot1x_eap_tls_deb11: +dot1x_eap_tls_deb12: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} extends: 
@@ -1260,7 +1260,7 @@ dot1x_eap_tls_deb11: - .test_script_job - .test_devel_and_maintenance_rules -fingerbank_invalid_db_deb11: +fingerbank_invalid_db_deb12: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} extends: @@ -1268,7 +1268,7 @@ fingerbank_invalid_db_deb11: - .test_script_job - .test_devel_and_maintenance_rules -security_events_deb11: +security_events_deb12: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} extends: @@ -1276,7 +1276,7 @@ security_events_deb11: - .test_script_job - .test_devel_and_maintenance_rules -cli_login_deb11: +cli_login_deb12: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} extends: @@ -1292,7 +1292,7 @@ cli_login_el8: - .test_script_job - .test_devel_and_maintenance_rules -external_integrations_deb11: +external_integrations_deb12: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} extends: @@ -1308,7 +1308,7 @@ captive_portal_el8: - .test_script_job - .test_devel_and_maintenance_rules -captive_portal_deb11: +captive_portal_deb12: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} extends: @@ -1316,7 +1316,7 @@ captive_portal_deb11: - .test_script_job - .test_devel_and_maintenance_rules -inline_deb11: +inline_deb12: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} extends: @@ -1352,7 +1352,7 @@ configurator_el8_branches: - .test_script_job - .test_branches_only_rules -configurator_deb11_branches: +configurator_deb12_branches: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} VAGRANT_COMMON_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-common-devel 
@@ -1370,7 +1370,7 @@ pfappserver_el8_branches: - .test_script_job - .test_branches_only_rules -pfappserver_deb11_branches: +pfappserver_deb12_branches: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} VAGRANT_COMMON_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-common-devel @@ -1388,7 +1388,7 @@ dot1x_eap_peap_el8_branches: - .test_script_job - .test_branches_only_rules -dot1x_eap_peap_deb11_branches: +dot1x_eap_peap_deb12_branches: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} VAGRANT_COMMON_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-common-devel @@ -1406,7 +1406,7 @@ mac_auth_el8_branches: - .test_script_job - .test_branches_only_rules -mac_auth_deb11_branches: +mac_auth_deb12_branches: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} VAGRANT_COMMON_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-common-devel @@ -1424,7 +1424,7 @@ dot1x_eap_tls_el8_branches: - .test_script_job - .test_branches_only_rules -dot1x_eap_tls_deb11_branches: +dot1x_eap_tls_deb12_branches: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} VAGRANT_COMMON_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-common-devel @@ -1433,7 +1433,7 @@ dot1x_eap_tls_deb11_branches: - .test_script_job - .test_branches_only_rules -fingerbank_invalid_db_deb11_branches: +fingerbank_invalid_db_deb12_branches: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} VAGRANT_COMMON_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-common-devel 
@@ -1442,7 +1442,7 @@ fingerbank_invalid_db_deb11_branches: - .test_script_job - .test_branches_only_rules -security_events_deb11_branches: +security_events_deb12_branches: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} VAGRANT_COMMON_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-common-devel @@ -1451,7 +1451,7 @@ security_events_deb11_branches: - .test_script_job - .test_branches_only_rules -cli_login_deb11_branches: +cli_login_deb12_branches: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} VAGRANT_COMMON_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-common-devel @@ -1469,7 +1469,7 @@ cli_login_el8_branches: - .test_script_job - .test_branches_only_rules -external_integrations_deb11_branches: +external_integrations_deb12_branches: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} VAGRANT_COMMON_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-common-devel @@ -1487,7 +1487,7 @@ captive_portal_el8_branches: - .test_script_job - .test_branches_only_rules -captive_portal_deb11_branches: +captive_portal_deb12_branches: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} VAGRANT_COMMON_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-common-devel @@ -1496,7 +1496,7 @@ captive_portal_deb11_branches: - .test_script_job - .test_branches_only_rules -inline_deb11_branches: +inline_deb12_branches: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_JOB_NAME}-${CI_JOB_ID} VAGRANT_COMMON_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-common-devel 
@@ -1523,7 +1523,7 @@ configurator_el8_pristine: - .test_script_job - .release_only_rules -configurator_deb11_pristine: +configurator_deb12_pristine: variables: VAGRANT_PF_DOTFILE_PATH: /var/local/gitlab-runner/vagrant/vagrant-${CI_COMMIT_TAG}-${CI_JOB_ID} extends: @@ -1671,13 +1671,13 @@ build_pf_img_zen_devel_branches_and_maintenance: - .build_pf_img_zen_job - .build_pf_img_zen_devel_branches_and_maintenance_rules script: - - timeout ${PIPELINE_TIMEOUT_SCRIPT} make -e -C ${ZENDIR} zen-deb11 + - timeout ${PIPELINE_TIMEOUT_SCRIPT} make -e -C ${ZENDIR} zen-deb12 build_pf_img_zen_release: extends: - .build_pf_img_zen_job script: - - timeout ${PIPELINE_TIMEOUT_SCRIPT} make -e -C ${ZENDIR} zen-deb11 + - timeout ${PIPELINE_TIMEOUT_SCRIPT} make -e -C ${ZENDIR} zen-deb12 # workaround for https://forum.gitlab.com/t/specify-when-at-job-level-with-a-job-that-has-rules/4769 rules: - if: '$CI_COMMIT_TAG' @@ -1721,11 +1721,11 @@ build_pf_img_iso_release: # when: manual # allow_failure: true -build_pf_img_vagrant_release_debian_bullseye: +build_pf_img_vagrant_release_debian_bookworm: extends: - .build_pf_img_vagrant_release_job variables: - BOX_NAME: pfdeb11stable + BOX_NAME: pfdeb12stable # workaround for https://forum.gitlab.com/t/specify-when-at-job-level-with-a-job-that-has-rules/4769 rules: - if: '$CI_COMMIT_TAG' diff --git a/addons/dev-helpers/setup-dev-env.sh b/addons/dev-helpers/setup-dev-env.sh index 7153ae11ea74..09af1abddb94 100644 --- a/addons/dev-helpers/setup-dev-env.sh +++ b/addons/dev-helpers/setup-dev-env.sh 
@@ -79,7 +79,7 @@ TAG_OR_BRANCH_NAME=`git rev-parse --abbrev-ref HEAD | sed 's#[/|.]#-#g'` echo -n TAG_OR_BRANCH_NAME=$TAG_OR_BRANCH_NAME > conf/build_id echo LOCAL_DEV=true > containers/.local_env -for img in pfbuild-debian-bullseye pfdebian radiusd; do +for img in pfbuild-debian-bookworm pfdebian radiusd; do docker pull ghcr.io/inverse-inc/packetfence/$img:$TAG_OR_BRANCH_NAME docker tag ghcr.io/inverse-inc/packetfence/$img:$TAG_OR_BRANCH_NAME packetfence/$img:$TAG_OR_BRANCH_NAME done diff --git a/addons/full-upgrade/run-upgrade.sh b/addons/full-upgrade/run-upgrade.sh index 8994e3fbf65f..5b68b6dfa941 100755 --- a/addons/full-upgrade/run-upgrade.sh +++ b/addons/full-upgrade/run-upgrade.sh @@ -87,7 +87,7 @@ function find_latest_stable() { if is_rpm_based; then OS="RHEL-8" elif is_deb_based; then - OS="Debian-11" + OS="Debian-12" fi curl https://www.packetfence.org/downloads/PacketFence/latest-stable-$OS.txt } @@ -107,7 +107,7 @@ function set_upgrade_to() { function apt_upgrade_packetfence_package() { set_upgrade_to - echo "deb http://inverse.ca/downloads/PacketFence/debian/$UPGRADE_TO bullseye bullseye" > /etc/apt/sources.list.d/packetfence.list + echo "deb http://inverse.ca/downloads/PacketFence/debian/$UPGRADE_TO bookworm bookworm" > /etc/apt/sources.list.d/packetfence.list apt update if is_enabled $1; then apt-mark hold packetfence-upgrade diff --git a/addons/ntlm-auth-api/openssl.cnf b/addons/ntlm-auth-api/openssl.cnf new file mode 100644 index 000000000000..038091c23592 --- /dev/null +++ b/addons/ntlm-auth-api/openssl.cnf 
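Review bot: In find_latest_stable the `curl` call that consumes the new `OS="Debian-12"` value has no `-f`, so an HTTP error page for a missing `latest-stable-Debian-12.txt` is printed to stdout and would be taken by the caller as the version string; `curl -fsS "https://www.packetfence.org/downloads/PacketFence/latest-stable-$OS.txt"` makes a missing or failed download a non-zero exit instead. The `if`/`elif` also leaves `OS` empty when neither `is_rpm_based` nor `is_deb_based` holds, which then requests `latest-stable-.txt`; an `else` that exits with a message would surface that case. The function's opening line sits in the hunk header, outside the changed lines.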
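Review bot: The apt source written by apt_upgrade_packetfence_package now hard-codes `bookworm bookworm`, but nothing checks that the host running this full-upgrade script is actually on Debian 12, so a Debian 11 installation that runs it is pointed at bookworm-built PacketFence packages. A guard before the `echo` such as `. /etc/os-release; [ "$VERSION_CODENAME" = bookworm ] || { echo "run-upgrade.sh requires Debian 12 (found $VERSION_CODENAME)" >&2; exit 1; }` keeps the script from mixing suites. The line also relies on the global apt keyring for signature verification rather than a `[signed-by=...]` option; presumably the key is installed by an earlier step, but a comment saying where would help. The function body continues outside the hunk.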
@@ -0,0 +1,400 @@ +# +# OpenSSL example configuration file. +# See doc/man5/config.pod for more info. +# +# This is mostly being used for generation of certificate requests, +# but may be used for auto loading of providers + +# Note that you can include other files from the main configuration +# file using the .include directive. +#.include filename + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . + + # Use this in order to automatically load providers. +openssl_conf = openssl_init + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + +# Extra OBJECT IDENTIFIER info: +# oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +# For FIPS +# Optionally include a file that is generated by the OpenSSL fipsinstall +# application. This file contains configuration data required by the OpenSSL +# fips provider. It contains a named section e.g. [fips_sect] which is +# referenced from the [provider_sect] below. +# Refer to the OpenSSL security policy for more information. +# .include fipsmodule.cnf + +[openssl_init] +providers = provider_sect + +# List of providers to load +# [provider_sect] +# default = default_sect +# The fips section name should match the section name inside the +# included fipsmodule.cnf. 
+# fips = fips_sect + +# If no providers are activated explicitly, the default one is activated implicitly. +# See man 7 OSSL_PROVIDER-default for more details. +# +# If you add a section explicitly activating any other provider(s), you most +# probably need to explicitly activate the default provider, otherwise it +# becomes unavailable in openssl. As a consequence applications depending on +# OpenSSL may not work correctly which could lead to significant system +# problems including inability to remotely access the system. +# [default_sect] +# activate = 1 + + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several certs with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. 
+# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = default # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 
+string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (e.g. server FQDN or YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +# This is required for TSA certificates. 
+# extendedKeyUsage = critical,timeStamping + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer + +basicConstraints = critical,CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. 
+# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir = ./demoCA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) +signer_digest = sha256 # Signing digest to use. (Optional) +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? 
+ # (optional, default: no) +ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1) + +[insta] # CMP using Insta Demo CA +# Message transfer +server = pki.certificate.fi:8700 +# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080 +# tls_use = 0 +path = pkix/ + +# Server authentication +recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer +ignore_keyusage = 1 # potentially needed quirk +unprotected_errors = 1 # potentially needed quirk +extracertsout = insta.extracerts.pem + +# Client authentication +ref = 3078 # user identification +secret = pass:insta # can be used for both client and server side + +# Generic message options +cmd = ir # default operation, can be overridden on cmd line with, e.g., kur + +# Certificate enrollment +subject = "/CN=openssl-cmp-test" +newkey = insta.priv.pem +out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature +certout = insta.cert.pem + +[pbm] # Password-based protection for Insta CA +# Server and client authentication +ref = $insta::ref # 3078 +secret = $insta::secret # pass:insta + +[signature] # Signature-based protection for Insta CA +# Server authentication +trusted = $insta::out_trusted # apps/insta.ca.crt + +# Client authentication +secret = # disable PBM +key = $insta::newkey # insta.priv.pem +cert = $insta::certout # insta.cert.pem + +[ir] +cmd = ir + +[cr] +cmd = cr + +[kur] +# Certificate update +cmd = kur +oldcert = $insta::certout # insta.cert.pem + +[rr] +# Certificate revocation +cmd = rr +oldcert = $insta::certout # insta.cert.pem + +[provider_sect] +default = default_sect +legacy = legacy_sect + +[default_sect] +activate = 1 + +[legacy_sect] +activate = 1 diff --git a/addons/packetfence-perl/debian/changelog b/addons/packetfence-perl/debian/changelog index 9997f797d904..dbb49d3b9155 100644 --- a/addons/packetfence-perl/debian/changelog +++ b/addons/packetfence-perl/debian/changelog 
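Review bot: The new openssl.cnf activates the legacy provider (`[provider_sect]` with `legacy = legacy_sect` and `activate = 1` at the end of the file) without a comment saying why; presumably the ntlm-auth-api needs a digest that OpenSSL 3 moved out of the default provider, and that reason belongs next to the section, e.g. `# legacy provider activated for the NTLM code path; keep this file scoped to ntlm-auth-api (OPENSSL_CONF), not system-wide`, since every algorithm in that provider becomes usable process-wide once it is loaded. The rest of the file is the unmodified OpenSSL example: a `[ ca ]`/`[ tsa ]` demo tree under `./demoCA`, and CMP sections (`[insta]`, `[pbm]`, `[signature]`) pointing at `pki.certificate.fi:8700` with a hard-coded `secret = pass:insta`; none of that is needed for provider loading and it invites accidental use, so trimming to `openssl_init`, `config_diagnostics = 1`, `provider_sect`, `default_sect` and `legacy_sect` would make the intent reviewable. The commented-out `# [provider_sect]` block near the top also contradicts the live one at the bottom and should go with the trim.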
@@ -1,3 +1,13 @@ +packetfence-perl (1.2.4) unstable; urgency=medium + + * Upgrade Template-Toolkit 3.009 -> 3.010 + * Upgrade Sereal::Decoder 4.018 -> 5.004 + * Upgrade Sereal::Encoder 4.018 -> 5.004 + * Upgrade Crypt::OpenSSL::RSA 0.31 -> 0.33 + * Upgrade Crypt::OpenSSL::X509 1.910 -> 1.914 + + -- Inverse Wed, 04 Jul 2024 17:28:00 +0100 + packetfence-perl (1.2.3) unstable; urgency=medium * Add dependencies Digest-MD4 1.9 diff --git a/addons/packetfence-perl/dependencies.csv b/addons/packetfence-perl/dependencies.csv index 44860ffff2a2..3761f119769a 100755 --- a/addons/packetfence-perl/dependencies.csv +++ b/addons/packetfence-perl/dependencies.csv 
@@ -90,11 +90,11 @@ MooX::Types::MooseLike::Numeric,1.03,MATEU/MooX-Types-MooseLike-Numeric-1.03.tar
 MooseX::Types,0.50,ETHER/MooseX-Types-0.50.tar.gz,True,E/ET/ETHER/MooseX-Types-0.50.tar.gz,6
 common::sense,3.75,MLEHMANN/common-sense-3.75.tar.gz,True,M/ML/MLEHMANN/common-sense-3.75.tar.gz,6
 Log::Dispatch::Configurator::Any,1.122640,OLIVER/Log-Dispatch-Configurator-Any-1.122640.tar.gz,True,O/OL/OLIVER/Log-Dispatch-Configurator-Any-1.122640.tar.gz,6
-Template,3.009,ATOOMIC/Template-Toolkit-3.009.tar.gz,True,A/AT/ATOOMIC/Template-Toolkit-3.009.tar.gz,6
+Template,3.010,ATOOMIC/Template-Toolkit-3.010.tar.gz,True,A/AT/ATOOMIC/Template-Toolkit-3.010.tar.gz,6
 CHI,0.60,JSWARTZ/CHI-0.60.tar.gz,True,J/JS/JSWARTZ/CHI-0.60.tar.gz,4
 CGI::Session::Driver::chi,1.0.3,ROUZIER/CGI-Session-Driver-chi-1.0.3.tar.gz,True,R/RO/ROUZIER/CGI-Session-Driver-chi-1.0.3.tar.gz,5
 Crypt::SmbHash,0.12,BJKUIT/Crypt-SmbHash-0.12.tar.gz,True,B/BJ/BJKUIT/Crypt-SmbHash-0.12.tar.gz,5
-Sereal::Decoder,4.018,YVES/Sereal-Decoder-4.018.tar.gz,True,Y/YV/YVES/Sereal-Decoder-4.018.tar.gz,4
+Sereal::Decoder,5.004,YVES/Sereal-Decoder-5.004.tar.gz,True,Y/YV/YVES/Sereal-Decoder-5.004.tar.gz,4
 File::Slurp,9999.32,CAPOEIRAB/File-Slurp-9999.32.tar.gz,True,C/CA/CAPOEIRAB/File-Slurp-9999.32.tar.gz,4
 Net::IP,1.26,MANU/Net-IP-1.26.tar.gz,True,M/MA/MANU/Net-IP-1.26.tar.gz,4
 Data::Phrasebook,0.35,BARBIE/Data-Phrasebook-0.35.tar.gz,True,B/BA/BARBIE/Data-Phrasebook-0.35.tar.gz,4
@@ -108,9 +108,9 @@ Catalyst::Action::REST,1.21,JJNAPIORK/Catalyst-Action-REST-1.21.tar.gz,True,J/JJ
 LWP::Protocol::https,6.10,OALDERS/LWP-Protocol-https-6.10.tar.gz,True,O/OA/OALDERS/LWP-Protocol-https-6.10.tar.gz,4
 Rose::DB,0.783,JSIRACUSA/Rose-DB-0.783.tar.gz,True,J/JS/JSIRACUSA/Rose-DB-0.783.tar.gz,4
 IPTables::Parse,1.6,MRASH/IPTables-Parse-1.6.tar.gz,True,M/MR/MRASH/IPTables-Parse-1.6.tar.gz,4
-Sereal::Encoder,4.018,YVES/Sereal-Encoder-4.018.tar.gz,True,Y/YV/YVES/Sereal-Encoder-4.018.tar.gz,4
+Sereal::Encoder,5.004,YVES/Sereal-Encoder-5.004.tar.gz,True,Y/YV/YVES/Sereal-Encoder-5.004.tar.gz,4
 ExtUtils::CppGuess,0.23,ETJ/ExtUtils-CppGuess-0.23.tar.gz,True,E/ET/ETJ/ExtUtils-CppGuess-0.23.tar.gz,4
-Crypt::OpenSSL::RSA,0.31,TODDR/Crypt-OpenSSL-RSA-0.31.tar.gz,True,T/TO/TODDR/Crypt-OpenSSL-RSA-0.31.tar.gz,4
+Crypt::OpenSSL::RSA,0.33,TODDR/Crypt-OpenSSL-RSA-0.33.tar.gz,True,T/TO/TODDR/Crypt-OpenSSL-RSA-0.33.tar.gz,4
 Text::CSV,2.01,ISHIGAKI/Text-CSV-2.01.tar.gz,True,I/IS/ISHIGAKI/Text-CSV-2.01.tar.gz,4
 HTML::FormFu::MultiForm,1.03,NIGELM/HTML-FormFu-MultiForm-1.03.tar.gz,True,N/NI/NIGELM/HTML-FormFu-MultiForm-1.03.tar.gz,4
 Catalyst::View::TT,0.45,HAARG/Catalyst-View-TT-0.45.tar.gz,True,H/HA/HAARG/Catalyst-View-TT-0.45.tar.gz,4
@@ -197,7 +197,7 @@ Readonly::XS,1.05,ROODE/Readonly-XS-1.05.tar.gz,True,R/RO/ROODE/Readonly-XS-1.05
 Switch,2.17,CHORNY/Switch-2.17.tar.gz,True,C/CH/CHORNY/Switch-2.17.tar.gz,2
 Rose::DB::Object,0.820,JSIRACUSA/Rose-DB-Object-0.820.tar.gz,True,J/JS/JSIRACUSA/Rose-DB-Object-0.820.tar.gz,2
 Data::Phrasebook::Loader::YAML,0.13,BARBIE/Data-Phrasebook-Loader-YAML-0.13.tar.gz,True,B/BA/BARBIE/Data-Phrasebook-Loader-YAML-0.13.tar.gz,2
-Crypt::OpenSSL::X509,1.910,JONASBN/Crypt-OpenSSL-X509-1.910.tar.gz,True,J/JO/JONASBN/Crypt-OpenSSL-X509-1.910.tar.gz,2
+Crypt::OpenSSL::X509,1.914,JONASBN/Crypt-OpenSSL-X509-1.914.tar.gz,True,J/JO/JONASBN/Crypt-OpenSSL-X509-1.914.tar.gz,2
 Template::AutoFilter,0.143050,MITHALDU/Template-AutoFilter-0.143050.tar.gz,True,M/MI/MITHALDU/Template-AutoFilter-0.143050.tar.gz,2
 Config::IniFiles,3.000003,SHLOMIF/Config-IniFiles-3.000003.tar.gz,True,S/SH/SHLOMIF/Config-IniFiles-3.000003.tar.gz,2
 MIME::Lite::TT,0.02,HORIUCHI/MIME-Lite-TT-0.02.tar.gz,True,H/HO/HORIUCHI/MIME-Lite-TT-0.02.tar.gz,2
@@ -238,4 +238,4 @@ re::engine::RE2,0.14,DGL/re-engine-RE2-0.14.tar.gz,True,D/DG/DGL/re-engine-RE2-0
 HTML::Parser,3.76,OALDERS/HTML-Parser-3.76.tar.gz,True,O/OA/OALDERS/HTML-Parser-3.76.tar.gz,2
 CryptX,0.076,MIK/CryptX-0.076.tar.gz,True,M/MI/MIK/CryptX-0.076.tar.gz,?
 Crypt::JWT,0.033,MIK/Crypt-JWT-0.033.tar.gz,True,/M/MI/MIK/Crypt-JWT-0.033.tar.gz,?
-Digest::MD4,1.9,MIKEM/DigestMD4/Digest-MD4-1.9.tar.gz,True,M/MI/MIKEM/DigestMD4/Digest-MD4-1.9.tar.gz,?
\ No newline at end of file
+Digest::MD4,1.9,MIKEM/DigestMD4/Digest-MD4-1.9.tar.gz,True,M/MI/MIKEM/DigestMD4/Digest-MD4-1.9.tar.gz,?
diff --git a/addons/packetfence-perl/rhel8/SPECS/packetfence-perl.spec b/addons/packetfence-perl/rhel8/SPECS/packetfence-perl.spec
index 477e0faeacde..8a1e54c63560 100755
--- a/addons/packetfence-perl/rhel8/SPECS/packetfence-perl.spec
+++ b/addons/packetfence-perl/rhel8/SPECS/packetfence-perl.spec
@@ -1,5 +1,5 @@ Name: packetfence-perl -Version: 1.2.3 +Version: 1.2.4 Release: 1%{?dist} Summary: All modules loaded with cpan BuildArch: x86_64 @@ -33,6 +33,13 @@ export PKG_CONFIG_PATH=/usr/lib/pkgconfig/ /usr/local/pf/lib_perl/* %changelog +* Tue Jul 4 2024 Inverse 1.2.4-1 +- Upgrade Template-Toolkit 3.009 -> 3.010 +- Upgrade Sereal::Decoder 4.018 -> 5.004 +- Upgrade Sereal::Encoder 4.018 -> 5.004 +- Upgrade Crypt::OpenSSL::RSA 0.31 -> 0.33 +- Upgrade Crypt::OpenSSL::X509 1.910 -> 1.914 + * Thu Nov 16 2023 Inverse 1.2.3-1 - Add dependencies Digest-MD4 1.9 diff --git a/addons/perl-client/vagrant/Makefile b/addons/perl-client/vagrant/Makefile index a7bf0d15ae21..e4c62c3d1ffc 100644 --- a/addons/perl-client/vagrant/Makefile +++ b/addons/perl-client/vagrant/Makefile @@ -1,13 +1,13 @@ include ../vars.mk -fbdeb11dev: clean-fbdeb11dev +fbdeb12dev: clean-fbdeb12dev PF_MINOR_RELEASE=$(PF_DEV_MINOR_RELEASE) vagrant up $@ --provider=libvirt --no-destroy-on-error -halt-fbdeb11dev: - vagrant halt -f fbdeb11dev +halt-fbdeb12dev: + vagrant halt -f fbdeb12dev -clean-fbdeb11dev: - vagrant destroy -f fbdeb11dev +clean-fbdeb12dev: + vagrant destroy -f fbdeb12dev rm -rf roles/ fbel8dev: clean-fbel8dev diff --git a/addons/perl-client/vagrant/inventory/group_vars/fbservers/apt_preferences.yml b/addons/perl-client/vagrant/inventory/group_vars/fbservers/apt_preferences.yml index 37c90efb658e..8ac2e48bac52 100644 --- a/addons/perl-client/vagrant/inventory/group_vars/fbservers/apt_preferences.yml +++ b/addons/perl-client/vagrant/inventory/group_vars/fbservers/apt_preferences.yml @@ -2,6 +2,6 @@ apt_preferences__list: - filename: 'fingerbank-local.pref' package: 'fingerbank' - pin: 'release a=bullseye-gitlab,n=bullseye,c=main,b=amd64' + pin: 'release a=bookworm-gitlab,n=bookworm,c=main,b=amd64' priority: '900' reason: 'always install fingerbank package from fingerbank-local repository' 
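Review bot: The new `%changelog` entry is dated `* Tue Jul 4 2024`, but 4 July 2024 was a Thursday; rpmbuild validates the weekday and reports a bogus date for this stanza, and the debian/changelog entry for the same 1.2.4 release in this commit says `Wed, 04 Jul 2024`, so the two packaging files disagree with each other as well as with the calendar. Use `* Thu Jul 4 2024 Inverse 1.2.4-1` here and `Thu, 04 Jul 2024 17:28:00 +0100` in debian/changelog, or pick the real build date and apply it to both.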
diff --git a/addons/perl-client/vagrant/inventory/hosts b/addons/perl-client/vagrant/inventory/hosts index 234b60b7c92d..75715cedbc87 100644 --- a/addons/perl-client/vagrant/inventory/hosts +++ b/addons/perl-client/vagrant/inventory/hosts @@ -14,9 +14,9 @@ all: mgmt_ip: 172.17.18.10 mgmt_netmask: 255.255.255.0 ansible_host: "{{ mgmt_ip}}" - fbdeb11dev: - box: debian/bullseye64 - box_version: 11.20210409.1 + fbdeb12dev: + box: debian/bookworm64 + box_version: 12.20240212.1 mgmt_ip: 172.17.18.11 mgmt_netmask: 255.255.255.0 ansible_host: "{{ mgmt_ip }}" diff --git a/addons/vagrant/inventory/group_vars/dev/apt_preferences.yml b/addons/vagrant/inventory/group_vars/dev/apt_preferences.yml index 354e3bc348c8..5ea23beb7f10 100644 --- a/addons/vagrant/inventory/group_vars/dev/apt_preferences.yml +++ b/addons/vagrant/inventory/group_vars/dev/apt_preferences.yml @@ -2,6 +2,6 @@ apt_preferences__list: - filename: 'packetfence-ppa.pref' package: 'packetfence*' - pin: 'release a=bullseye-gitlab,n=bullseye,c=main,b=amd64' + pin: 'release a=bookworm-gitlab,n=bookworm,c=main,b=amd64' priority: '900' reason: 'always install packetfence packages from packetfence-ppa repository' diff --git a/addons/vagrant/inventory/group_vars/wireless/apt_preferences.yml b/addons/vagrant/inventory/group_vars/wireless/apt_preferences.yml index 354e3bc348c8..5ea23beb7f10 100644 --- a/addons/vagrant/inventory/group_vars/wireless/apt_preferences.yml +++ b/addons/vagrant/inventory/group_vars/wireless/apt_preferences.yml @@ -2,6 +2,6 @@ apt_preferences__list: - filename: 'packetfence-ppa.pref' package: 'packetfence*' - pin: 'release a=bullseye-gitlab,n=bullseye,c=main,b=amd64' + pin: 'release a=bookworm-gitlab,n=bookworm,c=main,b=amd64' priority: '900' reason: 'always install packetfence packages from packetfence-ppa repository' 
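Review bot: `fbdeb12dev` pins `box: debian/bookworm64` at `box_version: 12.20240212.1`, while the pf1/pf2/pf3deb12dev hosts in addons/vagrant/inventory/hosts, changed in the same commit, pin the same box at `12.20240503.1`; two builds of one base box across the test inventories means the perl-client and main test VMs start from different base package sets. Unless the older box is deliberate, `box_version: 12.20240503.1` here keeps them aligned, and a comment naming the shared version would make the next bump a single edit.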
diff --git a/addons/vagrant/inventory/group_vars/wireless/gitlab_buildpkg_tools.yml b/addons/vagrant/inventory/group_vars/wireless/gitlab_buildpkg_tools.yml index ebd8b487aa4a..a4ac2e80d60e 100644 --- a/addons/vagrant/inventory/group_vars/wireless/gitlab_buildpkg_tools.yml +++ b/addons/vagrant/inventory/group_vars/wireless/gitlab_buildpkg_tools.yml @@ -11,13 +11,15 @@ gitlab_buildpkg_tools__ppa_url_deb: '{{ gitlab_buildpkg_tools__ppa_url }}/debian # redefine this variables to avoid confusion with official "packetfence" repositories gitlab_buildpkg_tools__deb_ppa: - name: 'packetfence-ppa' - baseurl: "{{ gitlab_buildpkg_tools__ppa_url_deb }} {{ ansible_distribution_release }} main" + baseurl: "{{ gitlab_buildpkg_tools__ppa_url_deb }} bookworm main" gpgkey: 'http://inverse.ca/downloads/GPG_PUBLIC_KEY' # added for local dev environment where we only want devel packages gitlab_buildpkg_tools__deb_deps_repos: - name: 'packetfence' - baseurl: 'http://inverse.ca/downloads/PacketFence/debian/{{ pf_minor_release }} {{ ansible_distribution_release }} {{ ansible_distribution_release }}' + baseurl: 'http://inverse.ca/downloads/PacketFence/debian/{{ pf_minor_release }} bookworm bookworm' + - name: 'other-tools' + baseurl: 'http://inverse.ca/downloads/PacketFence/debian/13.2 bullseye bullseye' # added for local dev environment where we only want devel packages gitlab_buildpkg_tools__deb_keys: diff --git a/addons/vagrant/inventory/hosts b/addons/vagrant/inventory/hosts index 2bbbf3d199f7..dd3b51cef14e 100644 --- a/addons/vagrant/inventory/hosts +++ b/addons/vagrant/inventory/hosts @@ -18,7 +18,7 @@ all: hosts: node01: box: debian/bullseye64 - box_version: 11.20221219.1 + box_version: 11.20240503.1 mgmt_ip: "{{ users_vars[dict_name]['vms']['node01']['ip'] }}" mgmt_netmask: "{{ users_vars[dict_name]['vms']['node01']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" 
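Review bot: Both `baseurl` values in the wireless group now hard-code `bookworm` in place of `{{ ansible_distribution_release }}`, yet wireless01 in addons/vagrant/inventory/hosts stays on `debian/bullseye64` in this same commit; if that host belongs to this group it will be fed bookworm-built packetfence packages, so either keep the fact-based release or add a comment stating that the wireless VM is expected to move to bookworm. The added `other-tools` entry points the host at `debian/13.2 bullseye bullseye` with no note on which packages it is meant to supply and no apt preference restricting it, so any package it carries with a higher version can win over the bookworm repository; name them and pin them, e.g. `# other-tools: supplies <PACKAGE-LIST> not yet rebuilt for bookworm; pinned in apt_preferences.yml`. No `gpgkey` accompanies the new entry, so it presumably relies on `gitlab_buildpkg_tools__deb_keys` further down; worth confirming that list covers it.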
@@ -26,7 +26,7 @@ all: ansible_python_interpreter: '/usr/bin/python3' node02: box: debian/bullseye64 - box_version: 11.20221219.1 + box_version: 11.20240503.1 mgmt_ip: "{{ users_vars[dict_name]['vms']['node02']['ip'] }}" mgmt_netmask: "{{ users_vars[dict_name]['vms']['node02']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" @@ -34,7 +34,7 @@ all: ansible_python_interpreter: '/usr/bin/python3' node03: box: debian/bullseye64 - box_version: 11.20221219.1 + box_version: 11.20240503.1 mgmt_ip: "{{ users_vars[dict_name]['vms']['node03']['ip'] }}" mgmt_netmask: "{{ users_vars[dict_name]['vms']['node03']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" @@ -45,7 +45,7 @@ all: hosts: wireless01: box: debian/bullseye64 - box_version: 11.20221219.1 + box_version: 11.20240503.1 mgmt_ip: "{{ users_vars[dict_name]['vms']['wireless01']['ip'] }}" mgmt_netmask: "{{ users_vars[dict_name]['vms']['wireless01']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" @@ -61,7 +61,7 @@ all: hosts: linux01: box: debian/bullseye64 - box_version: 11.20221219.1 + box_version: 11.20240503.1 mgmt_ip: "{{ users_vars[dict_name]['vms']['linux01']['ip'] }}" mgmt_netmask: "{{ users_vars[dict_name]['vms']['linux01']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" @@ -70,7 +70,7 @@ all: memory: 512 linux02: box: debian/bullseye64 - box_version: 11.20221219.1 + box_version: 11.20240503.1 mgmt_ip: "{{ users_vars[dict_name]['vms']['linux02']['ip'] }}" mgmt_netmask: "{{ users_vars[dict_name]['vms']['linux02']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" @@ -79,7 +79,7 @@ all: memory: 512 ad: box: debian/bullseye64 - box_version: 11.20221219.1 + box_version: 11.20240503.1 mgmt_ip: "{{ users_vars[dict_name]['vms']['ad']['ip'] }}" mgmt_netmask: "{{ users_vars[dict_name]['vms']['ad']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" 
@@ -141,31 +141,31 @@ all: cpus: 8 memory: 16384 disk_size: 130 - pf1deb11dev: - box: inverse-inc/pfdeb11dev - box_version: 14.0.20240517144600 - mgmt_ip: "{{ users_vars[dict_name]['vms']['pf1deb11dev']['ip'] }}" - mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf1deb11dev']['netmask'] }}" + pf1deb12dev: + box: debian/bookworm64 + box_version: 12.20240503.1 + mgmt_ip: "{{ users_vars[dict_name]['vms']['pf1deb12dev']['ip'] }}" + mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf1deb12dev']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" ansible_python_interpreter: '/usr/bin/python3' cpus: 8 memory: 16384 disk_size: 130 - pf2deb11dev: - box: inverse-inc/pfdeb11dev - box_version: 14.0.20240517144600 - mgmt_ip: "{{ users_vars[dict_name]['vms']['pf2deb11dev']['ip'] }}" - mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf2deb11dev']['netmask'] }}" + pf2deb12dev: + box: debian/bookworm64 + box_version: 12.20240503.1 + mgmt_ip: "{{ users_vars[dict_name]['vms']['pf2deb12dev']['ip'] }}" + mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf2deb12dev']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" ansible_python_interpreter: '/usr/bin/python3' cpus: 8 memory: 16384 disk_size: 130 - pf3deb11dev: - box: inverse-inc/pfdeb11dev - box_version: 14.0.20240517144600 - mgmt_ip: "{{ users_vars[dict_name]['vms']['pf3deb11dev']['ip'] }}" - mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf3deb11dev']['netmask'] }}" + pf3deb12dev: + box: debian/bookworm64 + box_version: 12.20240503.1 + mgmt_ip: "{{ users_vars[dict_name]['vms']['pf3deb12dev']['ip'] }}" + mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf3deb12dev']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" ansible_python_interpreter: '/usr/bin/python3' cpus: 8 
@@ -201,31 +201,31 @@ all: cpus: 8 memory: 16384 disk_size: 130 - pf1deb11localdev: - box: inverse-inc/pfdeb11dev - box_version: 14.0.20240517144600 - mgmt_ip: "{{ users_vars[dict_name]['vms']['pf1deb11localdev']['ip'] }}" - mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf1deb11localdev']['netmask'] }}" + pf1deb12localdev: + box: debian/bookworm64 + box_version: 12.20240503.1 + mgmt_ip: "{{ users_vars[dict_name]['vms']['pf1deb12localdev']['ip'] }}" + mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf1deb12localdev']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" ansible_python_interpreter: '/usr/bin/python3' cpus: 8 memory: 16384 disk_size: 130 - pf2deb11localdev: - box: inverse-inc/pfdeb11dev - box_version: 14.0.20240517144600 - mgmt_ip: "{{ users_vars[dict_name]['vms']['pf2deb11localdev']['ip'] }}" - mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf2deb11localdev']['netmask'] }}" + pf2deb12localdev: + box: debian/bookworm64 + box_version: 12.20240503.1 + mgmt_ip: "{{ users_vars[dict_name]['vms']['pf2deb12localdev']['ip'] }}" + mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf2deb12localdev']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" ansible_python_interpreter: '/usr/bin/python3' cpus: 8 memory: 16384 disk_size: 130 - pf3deb11localdev: - box: inverse-inc/pfdeb11dev - box_version: 14.0.20240517144600 - mgmt_ip: "{{ users_vars[dict_name]['vms']['pf3deb11localdev']['ip'] }}" - mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf3deb11localdev']['netmask'] }}" + pf3deb12localdev: + box: debian/bookworm64 + box_version: 12.20240503.1 + mgmt_ip: "{{ users_vars[dict_name]['vms']['pf3deb12localdev']['ip'] }}" + mgmt_netmask: "{{ users_vars[dict_name]['vms']['pf3deb12localdev']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" ansible_python_interpreter: '/usr/bin/python3' cpus: 8 
@@ -244,11 +244,11 @@ all: cpus: 8 memory: 16384 disk_size: 130 - pfdeb11dev: - box: inverse-inc/pfdeb11dev - box_version: 14.0.20240517144600 - mgmt_ip: "{{ users_vars[dict_name]['vms']['pfdeb11dev']['ip'] }}" - mgmt_netmask: "{{ users_vars[dict_name]['vms']['pfdeb11dev']['netmask'] }}" + pfdeb12dev: + box: debian/bookworm64 + box_version: 12.20240503.1 + mgmt_ip: "{{ users_vars[dict_name]['vms']['pfdeb12dev']['ip'] }}" + mgmt_netmask: "{{ users_vars[dict_name]['vms']['pfdeb12dev']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" ansible_python_interpreter: '/usr/bin/python3' cpus: 8 @@ -264,11 +264,11 @@ all: cpus: 8 memory: 16384 disk_size: 130 - deb11dev: - box: debian/bullseye64 - box_version: 11.20221219.1 - mgmt_ip: "{{ users_vars[dict_name]['vms']['deb11dev']['ip'] }}" - mgmt_netmask: "{{ users_vars[dict_name]['vms']['deb11dev']['netmask'] }}" + deb12dev: + box: debian/bookworm64 + box_version: 12.20240503.1 + mgmt_ip: "{{ users_vars[dict_name]['vms']['deb12dev']['ip'] }}" + mgmt_netmask: "{{ users_vars[dict_name]['vms']['deb12dev']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" ansible_python_interpreter: '/usr/bin/python3' cpus: 8 @@ -288,11 +288,11 @@ all: cpus: 8 memory: 16384 disk_size: 130 - pfdeb11localdev: - box: inverse-inc/pfdeb11dev + pfdeb12localdev: + box: inverse-inc/pfdeb12dev box_version: 14.0.20240517144600 - mgmt_ip: "{{ users_vars[dict_name]['vms']['pfdeb11localdev']['ip'] }}" - mgmt_netmask: "{{ users_vars[dict_name]['vms']['pfdeb11localdev']['netmask'] }}" + mgmt_ip: "{{ users_vars[dict_name]['vms']['pfdeb12localdev']['ip'] }}" + mgmt_netmask: "{{ users_vars[dict_name]['vms']['pfdeb12localdev']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" ansible_python_interpreter: '/usr/bin/python3' cpus: 8 
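Review bot: `pfdeb12localdev` is the only renamed host that keeps a prebuilt box, `inverse-inc/pfdeb12dev`, and it keeps the removed deb11 box's version `14.0.20240517144600`; every other `*deb12*` host in this patch (the `@@ -141`, `@@ -201`, `@@ -244` and `@@ -264` hunks) moved to `debian/bookworm64` at `12.20240503.1`. A version stamp carried over from a different box name is most likely stale, so `vagrant up` on this host will either fail to find the box or boot an image that was never built for bookworm. If a bookworm build of the inverse-inc box exists, pin its actual version here; otherwise make this entry match its siblings with `box: debian/bookworm64` and `box_version: 12.20240503.1`.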
@@ -308,11 +308,11 @@ all: cpus: 8 memory: 16384 disk_size: 130 - deb11localdev: - box: debian/bullseye64 - box_version: 11.20221219.1 - mgmt_ip: "{{ users_vars[dict_name]['vms']['deb11dev']['ip'] }}" - mgmt_netmask: "{{ users_vars[dict_name]['vms']['deb11dev']['netmask'] }}" + deb12localdev: + box: debian/bookworm64 + box_version: 12.20240503.1 + mgmt_ip: "{{ users_vars[dict_name]['vms']['deb12dev']['ip'] }}" + mgmt_netmask: "{{ users_vars[dict_name]['vms']['deb12dev']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" ansible_python_interpreter: '/usr/bin/python3' cpus: 8 @@ -338,11 +338,11 @@ all: cpus: 8 memory: 16384 disk_size: 130 - pfdeb11stable: - box: debian/bullseye64 - box_version: 11.20221219.1 - mgmt_ip: "{{ users_vars[dict_name]['vms']['pfdeb11stable']['ip'] }}" - mgmt_netmask: "{{ users_vars[dict_name]['vms']['pfdeb11stable']['netmask'] }}" + pfdeb12stable: + box: debian/bookworm64 + box_version: 12.20240503.1 + mgmt_ip: "{{ users_vars[dict_name]['vms']['pfdeb12stable']['ip'] }}" + mgmt_netmask: "{{ users_vars[dict_name]['vms']['pfdeb12stable']['netmask'] }}" ansible_host: "{{ mgmt_ip }}" ansible_python_interpreter: '/usr/bin/python3' cpus: 8 @@ -353,34 +353,34 @@ all: dev: hosts: pfel8dev: {} - pfdeb11dev: {} + pfdeb12dev: {} el8dev: {} - deb11dev: {} + deb12dev: {} pf1el8dev: {} pf2el8dev: {} pf3el8dev: {} - pf1deb11dev: {} - pf2deb11dev: {} - pf3deb11dev: {} + pf1deb12dev: {} + pf2deb12dev: {} + pf3deb12dev: {} localdev: hosts: localhost: {} pfel8localdev: {} - pfdeb11localdev: {} + pfdeb12localdev: {} el8localdev: {} - deb11localdev: {} + deb12localdev: {} pf1el8localdev: {} pf2el8localdev: {} pf3el8localdev: {} - pf1deb11localdev: {} - pf2deb11localdev: {} - pf3deb11localdev: {} + pf1deb12localdev: {} + pf2deb12localdev: {} + pf3deb12localdev: {} stable: hosts: pfel8stable: {} - pfdeb11stable: {} + pfdeb12stable: {} pfdeb9stable: {} vars: 
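Review bot: `deb12localdev` reads its address from `users_vars[dict_name]['vms']['deb12dev']` rather than from `deb12localdev`, although the vars sections renamed in this same patch define a separate `deb12localdev` entry (for example `ip: '172.18.200.9'` in the `@@ -476` hunk) next to `deb12dev` (`172.18.200.13`). The mismatch already existed for the deb11 names, but the rename keeps it, so the localdev VM boots with the dev VM's management address, the `.9` entries are never used, and bringing both VMs up in one environment would produce an address conflict. Point both lookups at the host's own entry: `mgmt_ip: "{{ users_vars[dict_name]['vms']['deb12localdev']['ip'] }}"` and the matching `mgmt_netmask` line.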
@@ -421,11 +421,11 @@ all: ip_mgmt: '172.18.200.27' ip_reg: '172.18.201.27' ip_iso: '172.18.202.27' - cluster_deb11dev: + cluster_deb12dev: ip_mgmt: '172.18.200.31' ip_reg: '172.18.201.31' ip_iso: '172.18.202.31' - cluster_deb11localdev: + cluster_deb12localdev: ip_mgmt: '172.18.200.35' ip_reg: '172.18.201.35' ip_iso: '172.18.202.35' @@ -464,10 +464,10 @@ all: el8dev: ip: '172.18.200.11' netmask: '255.255.255.0' - pfdeb11dev: + pfdeb12dev: ip: '172.18.200.12' netmask: '255.255.255.0' - deb11dev: + deb12dev: ip: '172.18.200.13' netmask: '255.255.255.0' localhost: @@ -476,13 +476,13 @@ all: pfel8localdev: ip: '172.18.200.14' netmask: '255.255.255.0' - pfdeb11localdev: + pfdeb12localdev: ip: '172.18.200.15' netmask: '255.255.255.0' el8localdev: ip: '172.18.200.8' netmask: '255.255.255.0' - deb11localdev: + deb12localdev: ip: '172.18.200.9' netmask: '255.255.255.0' pfel8stable: @@ -491,7 +491,7 @@ all: pfdeb9stable: ip: '172.18.200.17' netmask: '255.255.255.0' - pfdeb11stable: + pfdeb12stable: ip: '172.18.200.18' netmask: '255.255.255.0' pf1el8dev: @@ -524,32 +524,32 @@ all: netmask: '255.255.255.0' ip_reg: '172.18.201.26' ip_iso: '172.18.202.26' - pf1deb11dev: + pf1deb12dev: ip: '172.18.200.28' netmask: '255.255.255.0' ip_reg: '172.18.201.28' ip_iso: '172.18.202.28' - pf2deb11dev: + pf2deb12dev: ip: '172.18.200.29' netmask: '255.255.255.0' ip_reg: '172.18.201.29' ip_iso: '172.18.202.29' - pf3deb11dev: + pf3deb12dev: ip: '172.18.200.30' netmask: '255.255.255.0' ip_reg: '172.18.201.30' ip_iso: '172.18.202.30' - pf1deb11localdev: + pf1deb12localdev: ip: '172.18.200.32' netmask: '255.255.255.0' ip_reg: '172.18.201.32' ip_iso: '172.18.202.32' - pf2deb11localdev: + pf2deb12localdev: ip: '172.18.200.33' netmask: '255.255.255.0' ip_reg: '172.18.201.33' ip_iso: '172.18.202.33' - pf3deb11localdev: + pf3deb12localdev: ip: '172.18.200.34' netmask: '255.255.255.0' ip_reg: '172.18.201.34' 
@@ -585,11 +585,11 @@ all: ip_mgmt: '172.18.140.27' ip_reg: '172.18.141.27' ip_iso: '172.18.142.27' - cluster_deb11dev: + cluster_deb12dev: ip_mgmt: '172.18.140.31' ip_reg: '172.18.141.31' ip_iso: '172.18.142.31' - cluster_deb11localdev: + cluster_deb12localdev: ip_mgmt: '172.18.140.35' ip_reg: '172.18.141.35' ip_iso: '172.18.142.35' @@ -628,10 +628,10 @@ all: el8dev: ip: '172.18.140.11' netmask: '255.255.255.0' - pfdeb11dev: + pfdeb12dev: ip: '172.18.140.12' netmask: '255.255.255.0' - deb11dev: + deb12dev: ip: '172.18.140.13' netmask: '255.255.255.0' localhost: @@ -640,13 +640,13 @@ all: pfel8localdev: ip: '172.18.140.14' netmask: '255.255.255.0' - pfdeb11localdev: + pfdeb12localdev: ip: '172.18.140.15' netmask: '255.255.255.0' el8localdev: ip: '172.18.140.8' netmask: '255.255.255.0' - deb11localdev: + deb12localdev: ip: '172.18.140.9' netmask: '255.255.255.0' pfel8stable: @@ -655,7 +655,7 @@ all: pfdeb9stable: ip: '172.18.140.17' netmask: '255.255.255.0' - pfdeb11stable: + pfdeb12stable: ip: '172.18.140.18' netmask: '255.255.255.0' pf1el8dev: @@ -688,32 +688,32 @@ all: netmask: '255.255.255.0' ip_reg: '172.18.141.26' ip_iso: '172.18.142.26' - pf1deb11dev: + pf1deb12dev: ip: '172.18.140.28' netmask: '255.255.255.0' ip_reg: '172.18.141.28' ip_iso: '172.18.142.28' - pf2deb11dev: + pf2deb12dev: ip: '172.18.140.29' netmask: '255.255.255.0' ip_reg: '172.18.141.29' ip_iso: '172.18.142.29' - pf3deb11dev: + pf3deb12dev: ip: '172.18.140.30' netmask: '255.255.255.0' ip_reg: '172.18.141.30' ip_iso: '172.18.142.30' - pf1deb11localdev: + pf1deb12localdev: ip: '172.18.140.32' netmask: '255.255.255.0' ip_reg: '172.18.141.32' ip_iso: '172.18.142.32' - pf2deb11localdev: + pf2deb12localdev: ip: '172.18.140.33' netmask: '255.255.255.0' ip_reg: '172.18.141.33' ip_iso: '172.18.142.33' - pf3deb11localdev: + pf3deb12localdev: ip: '172.18.140.34' netmask: '255.255.255.0' ip_reg: '172.18.141.34' 
@@ -748,11 +748,11 @@ all: ip_mgmt: '172.18.115.27' ip_reg: '172.18.116.27' ip_iso: '172.18.117.27' - cluster_deb11dev: + cluster_deb12dev: ip_mgmt: '172.18.115.31' ip_reg: '172.18.116.31' ip_iso: '172.18.117.31' - cluster_deb11localdev: + cluster_deb12localdev: ip_mgmt: '172.18.115.35' ip_reg: '172.18.116.35' ip_iso: '172.18.117.35' @@ -791,10 +791,10 @@ all: el8dev: ip: '172.18.115.11' netmask: '255.255.255.0' - pfdeb11dev: + pfdeb12dev: ip: '172.18.115.12' netmask: '255.255.255.0' - deb11dev: + deb12dev: ip: '172.18.115.13' netmask: '255.255.255.0' localhost: @@ -803,13 +803,13 @@ all: pfel8localdev: ip: '172.18.115.14' netmask: '255.255.255.0' - pfdeb11localdev: + pfdeb12localdev: ip: '172.18.115.15' netmask: '255.255.255.0' el8localdev: ip: '172.18.115.8' netmask: '255.255.255.0' - deb11localdev: + deb12localdev: ip: '172.18.115.9' netmask: '255.255.255.0' pfel8stable: @@ -818,7 +818,7 @@ all: pfdeb9stable: ip: '172.18.115.17' netmask: '255.255.255.0' - pfdeb11stable: + pfdeb12stable: ip: '172.18.115.18' netmask: '255.255.255.0' pf1el8dev: @@ -851,32 +851,32 @@ all: netmask: '255.255.255.0' ip_reg: '172.18.116.26' ip_iso: '172.18.117.26' - pf1deb11dev: + pf1deb12dev: ip: '172.18.115.28' netmask: '255.255.255.0' ip_reg: '172.18.116.28' ip_iso: '172.18.117.28' - pf2deb11dev: + pf2deb12dev: ip: '172.18.115.29' netmask: '255.255.255.0' ip_reg: '172.18.116.29' ip_iso: '172.18.117.29' - pf3deb11dev: + pf3deb12dev: ip: '172.18.115.30' netmask: '255.255.255.0' ip_reg: '172.18.116.30' ip_iso: '172.18.117.30' - pf1deb11localdev: + pf1deb12localdev: ip: '172.18.115.32' netmask: '255.255.255.0' ip_reg: '172.18.116.32' ip_iso: '172.18.117.32' - pf2deb11localdev: + pf2deb12localdev: ip: '172.18.115.33' netmask: '255.255.255.0' ip_reg: '172.18.116.33' ip_iso: '172.18.117.33' - pf3deb11localdev: + pf3deb12localdev: ip: '172.18.115.34' netmask: '255.255.255.0' ip_reg: '172.18.116.34' 
@@ -911,11 +911,11 @@ all: ip_mgmt: '172.18.145.27' ip_reg: '172.18.146.27' ip_iso: '172.18.147.27' - cluster_deb11dev: + cluster_deb12dev: ip_mgmt: '172.18.145.31' ip_reg: '172.18.146.31' ip_iso: '172.18.147.31' - cluster_deb11localdev: + cluster_deb12localdev: ip_mgmt: '172.18.145.35' ip_reg: '172.18.146.35' ip_iso: '172.18.147.35' @@ -954,10 +954,10 @@ all: el8dev: ip: '172.18.145.11' netmask: '255.255.255.0' - pfdeb11dev: + pfdeb12dev: ip: '172.18.145.12' netmask: '255.255.255.0' - deb11dev: + deb12dev: ip: '172.18.145.13' netmask: '255.255.255.0' localhost: @@ -966,13 +966,13 @@ all: pfel8localdev: ip: '172.18.145.14' netmask: '255.255.255.0' - pfdeb11localdev: + pfdeb12localdev: ip: '172.18.145.15' netmask: '255.255.255.0' el8localdev: ip: '172.18.145.8' netmask: '255.255.255.0' - deb11localdev: + deb12localdev: ip: '172.18.145.9' netmask: '255.255.255.0' pfel8stable: @@ -981,7 +981,7 @@ all: pfdeb9stable: ip: '172.18.145.17' netmask: '255.255.255.0' - pfdeb11stable: + pfdeb12stable: ip: '172.18.145.18' netmask: '255.255.255.0' pf1el8dev: @@ -1014,32 +1014,32 @@ all: netmask: '255.255.255.0' ip_reg: '172.18.146.26' ip_iso: '172.18.147.26' - pf1deb11dev: + pf1deb12dev: ip: '172.18.145.28' netmask: '255.255.255.0' ip_reg: '172.18.146.28' ip_iso: '172.18.147.28' - pf2deb11dev: + pf2deb12dev: ip: '172.18.145.29' netmask: '255.255.255.0' ip_reg: '172.18.146.29' ip_iso: '172.18.147.29' - pf3deb11dev: + pf3deb12dev: ip: '172.18.145.30' netmask: '255.255.255.0' ip_reg: '172.18.146.30' ip_iso: '172.18.147.30' - pf1deb11localdev: + pf1deb12localdev: ip: '172.18.145.32' netmask: '255.255.255.0' ip_reg: '172.18.146.32' ip_iso: '172.18.147.32' - pf2deb11localdev: + pf2deb12localdev: ip: '172.18.145.33' netmask: '255.255.255.0' ip_reg: '172.18.146.33' ip_iso: '172.18.147.33' - pf3deb11localdev: + pf3deb12localdev: ip: '172.18.145.34' netmask: '255.255.255.0' ip_reg: '172.18.146.34' 
@@ -1074,11 +1074,11 @@ all: ip_mgmt: '172.18.120.27' ip_reg: '172.18.121.27' ip_iso: '172.18.122.27' - cluster_deb11dev: + cluster_deb12dev: ip_mgmt: '172.18.120.31' ip_reg: '172.18.121.31' ip_iso: '172.18.122.31' - cluster_deb11localdev: + cluster_deb12localdev: ip_mgmt: '172.18.120.35' ip_reg: '172.18.121.35' ip_iso: '172.18.122.35' @@ -1117,10 +1117,10 @@ all: el8dev: ip: '172.18.120.11' netmask: '255.255.255.0' - pfdeb11dev: + pfdeb12dev: ip: '172.18.120.12' netmask: '255.255.255.0' - deb11dev: + deb12dev: ip: '172.18.120.13' netmask: '255.255.255.0' localhost: @@ -1129,13 +1129,13 @@ all: pfel8localdev: ip: '172.18.120.14' netmask: '255.255.255.0' - pfdeb11localdev: + pfdeb12localdev: ip: '172.18.120.15' netmask: '255.255.255.0' el8localdev: ip: '172.18.120.8' netmask: '255.255.255.0' - deb11localdev: + deb12localdev: ip: '172.18.120.9' netmask: '255.255.255.0' pfel8stable: @@ -1144,7 +1144,7 @@ all: pfdeb9stable: ip: '172.18.120.17' netmask: '255.255.255.0' - pfdeb11stable: + pfdeb12stable: ip: '172.18.120.18' netmask: '255.255.255.0' pf1el8dev: @@ -1177,32 +1177,32 @@ all: netmask: '255.255.255.0' ip_reg: '172.18.121.26' ip_iso: '172.18.122.26' - pf1deb11dev: + pf1deb12dev: ip: '172.18.120.28' netmask: '255.255.255.0' ip_reg: '172.18.121.28' ip_iso: '172.18.122.28' - pf2deb11dev: + pf2deb12dev: ip: '172.18.120.29' netmask: '255.255.255.0' ip_reg: '172.18.121.29' ip_iso: '172.18.122.29' - pf3deb11dev: + pf3deb12dev: ip: '172.18.120.30' netmask: '255.255.255.0' ip_reg: '172.18.121.30' ip_iso: '172.18.122.30' - pf1deb11localdev: + pf1deb12localdev: ip: '172.18.120.32' netmask: '255.255.255.0' ip_reg: '172.18.121.32' ip_iso: '172.18.122.32' - pf2deb11localdev: + pf2deb12localdev: ip: '172.18.120.33' netmask: '255.255.255.0' ip_reg: '172.18.121.33' ip_iso: '172.18.122.33' - pf3deb11localdev: + pf3deb12localdev: ip: '172.18.120.34' netmask: '255.255.255.0' ip_reg: '172.18.121.34' 
@@ -1237,11 +1237,11 @@ all: ip_mgmt: '172.18.125.27' ip_reg: '172.18.126.27' ip_iso: '172.18.127.27' - cluster_deb11dev: + cluster_deb12dev: ip_mgmt: '172.18.125.31' ip_reg: '172.18.126.31' ip_iso: '172.18.127.31' - cluster_deb11localdev: + cluster_deb12localdev: ip_mgmt: '172.18.125.35' ip_reg: '172.18.126.35' ip_iso: '172.18.127.35' @@ -1280,10 +1280,10 @@ all: el8dev: ip: '172.18.125.11' netmask: '255.255.255.0' - pfdeb11dev: + pfdeb12dev: ip: '172.18.125.12' netmask: '255.255.255.0' - deb11dev: + deb12dev: ip: '172.18.125.13' netmask: '255.255.255.0' localhost: @@ -1292,13 +1292,13 @@ all: pfel8localdev: ip: '172.18.125.14' netmask: '255.255.255.0' - pfdeb11localdev: + pfdeb12localdev: ip: '172.18.125.15' netmask: '255.255.255.0' el8localdev: ip: '172.18.125.8' netmask: '255.255.255.0' - deb11localdev: + deb12localdev: ip: '172.18.125.9' netmask: '255.255.255.0' pfel8stable: @@ -1307,7 +1307,7 @@ all: pfdeb9stable: ip: '172.18.125.17' netmask: '255.255.255.0' - pfdeb11stable: + pfdeb12stable: ip: '172.18.125.18' netmask: '255.255.255.0' pf1el8dev: @@ -1340,32 +1340,32 @@ all: netmask: '255.255.255.0' ip_reg: '172.18.126.26' ip_iso: '172.18.127.26' - pf1deb11dev: + pf1deb12dev: ip: '172.18.125.28' netmask: '255.255.255.0' ip_reg: '172.18.126.28' ip_iso: '172.18.127.28' - pf2deb11dev: + pf2deb12dev: ip: '172.18.125.29' netmask: '255.255.255.0' ip_reg: '172.18.126.29' ip_iso: '172.18.127.29' - pf3deb11dev: + pf3deb12dev: ip: '172.18.125.30' netmask: '255.255.255.0' ip_reg: '172.18.126.30' ip_iso: '172.18.127.30' - pf1deb11localdev: + pf1deb12localdev: ip: '172.18.125.32' netmask: '255.255.255.0' ip_reg: '172.18.126.32' ip_iso: '172.18.127.32' - pf2deb11localdev: + pf2deb12localdev: ip: '172.18.125.33' netmask: '255.255.255.0' ip_reg: '172.18.126.33' ip_iso: '172.18.127.33' - pf3deb11localdev: + pf3deb12localdev: ip: '172.18.125.34' netmask: '255.255.255.0' ip_reg: '172.18.126.34' 
@@ -1400,11 +1400,11 @@ all: ip_mgmt: '172.18.135.27' ip_reg: '172.18.136.27' ip_iso: '172.18.137.27' - cluster_deb11dev: + cluster_deb12dev: ip_mgmt: '172.18.135.31' ip_reg: '172.18.136.31' ip_iso: '172.18.137.31' - cluster_deb11localdev: + cluster_deb12localdev: ip_mgmt: '172.18.135.35' ip_reg: '172.18.136.35' ip_iso: '172.18.137.35' @@ -1443,10 +1443,10 @@ all: el8dev: ip: '172.18.135.11' netmask: '255.255.255.0' - pfdeb11dev: + pfdeb12dev: ip: '172.18.135.12' netmask: '255.255.255.0' - deb11dev: + deb12dev: ip: '172.18.135.13' netmask: '255.255.255.0' localhost: @@ -1455,13 +1455,13 @@ all: pfel8localdev: ip: '172.18.135.14' netmask: '255.255.255.0' - pfdeb11localdev: + pfdeb12localdev: ip: '172.18.135.15' netmask: '255.255.255.0' el8localdev: ip: '172.18.135.8' netmask: '255.255.255.0' - deb11localdev: + deb12localdev: ip: '172.18.135.9' netmask: '255.255.255.0' pfel8stable: @@ -1470,7 +1470,7 @@ all: pfdeb9stable: ip: '172.18.135.17' netmask: '255.255.255.0' - pfdeb11stable: + pfdeb12stable: ip: '172.18.135.18' netmask: '255.255.255.0' pf1el8dev: @@ -1503,32 +1503,32 @@ all: netmask: '255.255.255.0' ip_reg: '172.18.136.26' ip_iso: '172.18.137.26' - pf1deb11dev: + pf1deb12dev: ip: '172.18.135.28' netmask: '255.255.255.0' ip_reg: '172.18.136.28' ip_iso: '172.18.137.28' - pf2deb11dev: + pf2deb12dev: ip: '172.18.135.29' netmask: '255.255.255.0' ip_reg: '172.18.136.29' ip_iso: '172.18.137.29' - pf3deb11dev: + pf3deb12dev: ip: '172.18.135.30' netmask: '255.255.255.0' ip_reg: '172.18.136.30' ip_iso: '172.18.137.30' - pf1deb11localdev: + pf1deb12localdev: ip: '172.18.135.32' netmask: '255.255.255.0' ip_reg: '172.18.136.32' ip_iso: '172.18.137.32' - pf2deb11localdev: + pf2deb12localdev: ip: '172.18.135.33' netmask: '255.255.255.0' ip_reg: '172.18.136.33' ip_iso: '172.18.137.33' - pf3deb11localdev: + pf3deb12localdev: ip: '172.18.135.34' netmask: '255.255.255.0' ip_reg: '172.18.136.34' 
@@ -1563,11 +1563,11 @@ all: ip_mgmt: '172.18.155.27' ip_reg: '172.18.156.27' ip_iso: '172.18.157.27' - cluster_deb11dev: + cluster_deb12dev: ip_mgmt: '172.18.155.31' ip_reg: '172.18.156.31' ip_iso: '172.18.157.31' - cluster_deb11localdev: + cluster_deb12localdev: ip_mgmt: '172.18.155.35' ip_reg: '172.18.156.35' ip_iso: '172.18.157.35' @@ -1606,10 +1606,10 @@ all: el8dev: ip: '172.18.155.11' netmask: '255.255.255.0' - pfdeb11dev: + pfdeb12dev: ip: '172.18.155.12' netmask: '255.255.255.0' - deb11dev: + deb12dev: ip: '172.18.155.13' netmask: '255.255.255.0' localhost: @@ -1618,13 +1618,13 @@ all: pfel8localdev: ip: '172.18.155.14' netmask: '255.255.255.0' - pfdeb11localdev: + pfdeb12localdev: ip: '172.18.155.15' netmask: '255.255.255.0' el8localdev: ip: '172.18.155.8' netmask: '255.255.255.0' - deb11localdev: + deb12localdev: ip: '172.18.155.9' netmask: '255.255.255.0' pfel8stable: @@ -1633,7 +1633,7 @@ all: pfdeb9stable: ip: '172.18.155.17' netmask: '255.255.255.0' - pfdeb11stable: + pfdeb12stable: ip: '172.18.155.18' netmask: '255.255.255.0' pf1el8dev: @@ -1666,32 +1666,32 @@ all: netmask: '255.255.255.0' ip_reg: '172.18.156.26' ip_iso: '172.18.157.26' - pf1deb11dev: + pf1deb12dev: ip: '172.18.155.28' netmask: '255.255.255.0' ip_reg: '172.18.156.28' ip_iso: '172.18.157.28' - pf2deb11dev: + pf2deb12dev: ip: '172.18.155.29' netmask: '255.255.255.0' ip_reg: '172.18.156.29' ip_iso: '172.18.157.29' - pf3deb11dev: + pf3deb12dev: ip: '172.18.155.30' netmask: '255.255.255.0' ip_reg: '172.18.156.30' ip_iso: '172.18.157.30' - pf1deb11localdev: + pf1deb12localdev: ip: '172.18.155.32' netmask: '255.255.255.0' ip_reg: '172.18.156.32' ip_iso: '172.18.157.32' - pf2deb11localdev: + pf2deb12localdev: ip: '172.18.155.33' netmask: '255.255.255.0' ip_reg: '172.18.156.33' ip_iso: '172.18.157.33' - pf3deb11localdev: + pf3deb12localdev: ip: '172.18.155.34' netmask: '255.255.255.0' ip_reg: '172.18.156.34' 
@@ -1726,11 +1726,11 @@ all: ip_mgmt: '172.18.160.27' ip_reg: '172.18.161.27' ip_iso: '172.18.162.27' - cluster_deb11dev: + cluster_deb12dev: ip_mgmt: '172.18.160.31' ip_reg: '172.18.161.31' ip_iso: '172.18.162.31' - cluster_deb11localdev: + cluster_deb12localdev: ip_mgmt: '172.18.160.35' ip_reg: '172.18.161.35' ip_iso: '172.18.162.35' @@ -1769,10 +1769,10 @@ all: el8dev: ip: '172.18.160.11' netmask: '255.255.255.0' - pfdeb11dev: + pfdeb12dev: ip: '172.18.160.12' netmask: '255.255.255.0' - deb11dev: + deb12dev: ip: '172.18.160.13' netmask: '255.255.255.0' localhost: @@ -1781,13 +1781,13 @@ all: pfel8localdev: ip: '172.18.160.14' netmask: '255.255.255.0' - pfdeb11localdev: + pfdeb12localdev: ip: '172.18.160.15' netmask: '255.255.255.0' el8localdev: ip: '172.18.160.8' netmask: '255.255.255.0' - deb11localdev: + deb12localdev: ip: '172.18.160.9' netmask: '255.255.255.0' pfel8stable: @@ -1796,7 +1796,7 @@ all: pfdeb9stable: ip: '172.18.160.17' netmask: '255.255.255.0' - pfdeb11stable: + pfdeb12stable: ip: '172.18.160.18' netmask: '255.255.255.0' pf1el8dev: @@ -1829,32 +1829,32 @@ all: netmask: '255.255.255.0' ip_reg: '172.18.161.26' ip_iso: '172.18.162.26' - pf1deb11dev: + pf1deb12dev: ip: '172.18.160.28' netmask: '255.255.255.0' ip_reg: '172.18.161.28' ip_iso: '172.18.162.28' - pf2deb11dev: + pf2deb12dev: ip: '172.18.160.29' netmask: '255.255.255.0' ip_reg: '172.18.161.29' ip_iso: '172.18.162.29' - pf3deb11dev: + pf3deb12dev: ip: '172.18.160.30' netmask: '255.255.255.0' ip_reg: '172.18.161.30' ip_iso: '172.18.162.30' - pf1deb11localdev: + pf1deb12localdev: ip: '172.18.160.32' netmask: '255.255.255.0' ip_reg: '172.18.161.32' ip_iso: '172.18.162.32' - pf2deb11localdev: + pf2deb12localdev: ip: '172.18.160.33' netmask: '255.255.255.0' ip_reg: '172.18.161.33' ip_iso: '172.18.162.33' - pf3deb11localdev: + pf3deb12localdev: ip: '172.18.160.34' netmask: '255.255.255.0' ip_reg: '172.18.161.34' 
@@ -1889,11 +1889,11 @@ all: ip_mgmt: '172.18.170.27' ip_reg: '172.18.171.27' ip_iso: '172.18.172.27' - cluster_deb11dev: + cluster_deb12dev: ip_mgmt: '172.18.170.31' ip_reg: '172.18.171.31' ip_iso: '172.18.172.31' - cluster_deb11localdev: + cluster_deb12localdev: ip_mgmt: '172.18.170.35' ip_reg: '172.18.171.35' ip_iso: '172.18.172.35' @@ -1932,10 +1932,10 @@ all: el8dev: ip: '172.18.170.11' netmask: '255.255.255.0' - pfdeb11dev: + pfdeb12dev: ip: '172.18.170.12' netmask: '255.255.255.0' - deb11dev: + deb12dev: ip: '172.18.170.13' netmask: '255.255.255.0' localhost: @@ -1944,13 +1944,13 @@ all: pfel8localdev: ip: '172.18.170.14' netmask: '255.255.255.0' - pfdeb11localdev: + pfdeb12localdev: ip: '172.18.170.15' netmask: '255.255.255.0' el8localdev: ip: '172.18.170.8' netmask: '255.255.255.0' - deb11localdev: + deb12localdev: ip: '172.18.170.9' netmask: '255.255.255.0' pfel8stable: @@ -1959,7 +1959,7 @@ all: pfdeb9stable: ip: '172.18.170.17' netmask: '255.255.255.0' - pfdeb11stable: + pfdeb12stable: ip: '172.18.170.18' netmask: '255.255.255.0' pf1el8dev: @@ -1992,32 +1992,32 @@ all: netmask: '255.255.255.0' ip_reg: '172.18.171.26' ip_iso: '172.18.172.26' - pf1deb11dev: + pf1deb12dev: ip: '172.18.170.28' netmask: '255.255.255.0' ip_reg: '172.18.171.28' ip_iso: '172.18.172.28' - pf2deb11dev: + pf2deb12dev: ip: '172.18.170.29' netmask: '255.255.255.0' ip_reg: '172.18.171.29' ip_iso: '172.18.172.29' - pf3deb11dev: + pf3deb12dev: ip: '172.18.170.30' netmask: '255.255.255.0' ip_reg: '172.18.171.30' ip_iso: '172.18.172.30' - pf1deb11localdev: + pf1deb12localdev: ip: '172.18.170.32' netmask: '255.255.255.0' ip_reg: '172.18.171.32' ip_iso: '172.18.172.32' - pf2deb11localdev: + pf2deb12localdev: ip: '172.18.170.33' netmask: '255.255.255.0' ip_reg: '172.18.171.33' ip_iso: '172.18.172.33' - pf3deb11localdev: + pf3deb12localdev: ip: '172.18.170.34' netmask: '255.255.255.0' ip_reg: '172.18.171.34' 
diff --git a/addons/vagrant/playbooks/get_logs.yml b/addons/vagrant/playbooks/get_logs.yml index 95891b1cbb9a..5bf307759930 100644 --- a/addons/vagrant/playbooks/get_logs.yml +++ b/addons/vagrant/playbooks/get_logs.yml @@ -30,3 +30,4 @@ src: '{{ venom_dir }}/results-{{ ansible_fqdn }}.tar.gz' dest: '{{ result_dir }}/' flat: True + failed_when: false diff --git a/addons/vagrant/playbooks/nodes/pre_prov/packages.yml b/addons/vagrant/playbooks/nodes/pre_prov/packages.yml index cffe71bd5507..2c14fbdb8384 100644 --- a/addons/vagrant/playbooks/nodes/pre_prov/packages.yml +++ b/addons/vagrant/playbooks/nodes/pre_prov/packages.yml @@ -26,14 +26,16 @@ # redefine this variables to avoid confusion with official "packetfence" repositories gitlab_buildpkg_tools__deb_ppa: - name: 'packetfence-ppa' - baseurl: "{{ gitlab_buildpkg_tools__ppa_url_deb }} {{ ansible_distribution_release }} main" + baseurl: "{{ gitlab_buildpkg_tools__ppa_url_deb }} bookworm main" gpgkey: 'http://inverse.ca/downloads/GPG_PUBLIC_KEY' # added for local dev environment where we only want devel packages # **and** for dependencies in CI environment gitlab_buildpkg_tools__deb_deps_repos: - name: 'packetfence' - baseurl: 'http://inverse.ca/downloads/PacketFence/debian/{{ pf_minor_release }} {{ ansible_distribution_release }} {{ ansible_distribution_release }}' + baseurl: 'http://inverse.ca/downloads/PacketFence/debian/{{ pf_minor_release }} bookworm {{ ansible_distribution_release }}' + - name: 'other-tools' + baseurl: 'http://inverse.ca/downloads/PacketFence/debian/13.2 bullseye bullseye' # added for local dev environment gitlab_buildpkg_tools__deb_keys: diff --git a/ci/debian-installer/create-debian-installer.sh b/ci/debian-installer/create-debian-installer.sh index 386ac56f1f41..40a503d2c468 100755 --- a/ci/debian-installer/create-debian-installer.sh +++ b/ci/debian-installer/create-debian-installer.sh 
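Review bot: `failed_when: false` on the fetch task suppresses every failure, not only the case where the results archive does not exist, so a run that lost its results through a permission or transport error still reports success and the missing evidence goes unnoticed. If the intent is to tolerate a missing archive, a `stat` on `'{{ venom_dir }}/results-{{ ansible_fqdn }}.tar.gz'` with a `when:` on the fetch keeps real errors visible; at minimum add a comment stating why the failure is ignored, such as `# best-effort: the archive is absent when no test results were produced`. The task's first lines are outside the hunk, so I cannot see whether it is already guarded.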
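Review bot: The `packetfence` baseurl in this file becomes `{{ pf_minor_release }} bookworm {{ ansible_distribution_release }}`, mixing a hard-coded distribution with a templated component, while the sibling hunk in addons/vagrant/inventory/group_vars/wireless/gitlab_buildpkg_tools.yml writes `bookworm bookworm`. If this playbook targets the node VMs, which stay on `debian/bullseye64` in this patch, the line expands to `bookworm bullseye`, a suite/component pair the repository may not serve. Pick one form deliberately and use it in both files, either `bookworm bookworm` or the fully templated `{{ ansible_distribution_release }} {{ ansible_distribution_release }}` that was there before. The `other-tools` entry added below it hard-codes `13.2 bullseye bullseye` without a comment explaining which packages it supplies.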
@@ -8,13 +8,13 @@ function clean() { chmod a+rw $ISO_OUT } -ISO_IN=${ISO_IN:-debian-11.9.0-amd64-netinst.iso} +ISO_IN=${ISO_IN:-debian-12.4.0-amd64-netinst.iso} ISO_OUT=${ISO_OUT:-packetfence-debian-installer.iso} trap clean EXIT if ! [ -f $ISO_IN ]; then - wget https://cdimage.debian.org/cdimage/archive/latest-oldstable/amd64/iso-cd/$ISO_IN + wget https://cdimage.debian.org/cdimage/archive/12.4.0/amd64/iso-cd/$ISO_IN fi rm -fr isofiles/ diff --git a/ci/debian-installer/postinst-debian-installer.sh b/ci/debian-installer/postinst-debian-installer.sh index 87412b96d0b5..176757eec69f 100644 --- a/ci/debian-installer/postinst-debian-installer.sh +++ b/ci/debian-installer/postinst-debian-installer.sh @@ -7,7 +7,7 @@ apt install packetfence -y sed -i '/^deb cdrom:/s/^/#/' /etc/apt/sources.list sed -i 's/#PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config sed -i 's/.*inverse\.ca.*//g' /etc/apt/sources.list -echo "deb http://inverse.ca/downloads/PacketFence/debian/${PF_VERSION} bullseye bullseye" > /etc/apt/sources.list.d/packetfence.list +echo "deb http://inverse.ca/downloads/PacketFence/debian/${PF_VERSION} bookworm bookworm" > /etc/apt/sources.list.d/packetfence.list echo "SET PASSWORD FOR root@'localhost' = PASSWORD('');" > /tmp/reset-root.sql mkdir /run/mysqld chown mysql: /run/mysqld/ diff --git a/ci/debian-installer/preseed.cfg.tmpl b/ci/debian-installer/preseed.cfg.tmpl index 7a600246cfab..9f22323a2c7a 100644 --- a/ci/debian-installer/preseed.cfg.tmpl +++ b/ci/debian-installer/preseed.cfg.tmpl @@ -1,5 +1,5 @@ #_preseed_V1 -#### Contents of the preconfiguration file (for bullseye) +#### Contents of the preconfiguration file (for bookworm) ### Localization # Preseeding only locale sets language, country and locale. d-i debian-installer/locale string en_US 
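Review bot: The installer ISO is downloaded with `wget` and used as is; neither the previous `latest-oldstable` URL nor the new pinned `12.4.0` path checks the image against Debian's published `SHA256SUMS`, so a corrupted or substituted download would be baked into the PacketFence installer image without anything noticing. Pinning the point release is an improvement, but the same directory publishes `SHA256SUMS` (and `SHA256SUMS.sign`), and `sha256sum -c --ignore-missing` costs one extra fetch. Keeping the base URL in one variable also avoids editing two places at the next point release, and `$ISO_IN` should be quoted while at it. The `clean` function at the top of the hunk starts outside it.
```shell
ISO_IN=${ISO_IN:-debian-12.4.0-amd64-netinst.iso}
ISO_URL=${ISO_URL:-https://cdimage.debian.org/cdimage/archive/12.4.0/amd64/iso-cd}
# … unchanged: ISO_OUT default, trap clean EXIT …
if ! [ -f "$ISO_IN" ]; then
    wget "${ISO_URL}/${ISO_IN}"
    wget "${ISO_URL}/SHA256SUMS"
    # abort the build if the image does not match Debian's published digest
    sha256sum -c --ignore-missing SHA256SUMS || exit 1
fi
```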
@@ -340,7 +340,7 @@ d-i partman/confirm_nooverwrite boolean true # currently not supported. d-i apt-setup/local0/repository string \ - http://inverse.ca/downloads/PacketFence/debian/%%PF_VERSION%% bullseye bullseye + http://inverse.ca/downloads/PacketFence/debian/%%PF_VERSION%% bookworm bookworm d-i apt-setup/local0/source boolean true d-i apt-setup/local0/key string https://inverse.ca/downloads/GPG_PUBLIC_KEY diff --git a/ci/lib/common/functions.sh b/ci/lib/common/functions.sh index f2cc1b034c65..c4a477a777ad 100644 --- a/ci/lib/common/functions.sh +++ b/ci/lib/common/functions.sh @@ -6,7 +6,7 @@ SCRIPT_DIR=$(readlink -e $(dirname ${BASH_SOURCE[0]})) # full path to root of PF sources PF_SRC_DIR=$(echo ${SCRIPT_DIR} | grep -oP '.*?(?=\/ci\/)') -OS_SUPPORTED='RHEL-8 Debian-11' +OS_SUPPORTED='RHEL-8 Debian-12' die() { diff --git a/ci/packer/cpanbuild.json b/ci/packer/cpanbuild.json index ef2acb0c20e8..503c337c2a78 100644 --- a/ci/packer/cpanbuild.json +++ b/ci/packer/cpanbuild.json @@ -37,9 +37,9 @@ ] }, { - "name": "{{user `builder_prefix`}}-bullseye", + "name": "{{user `builder_prefix`}}-bookworm", "type": "docker", - "image": "{{user `buildpkg_user`}}/debian:bullseye", + "image": "{{user `buildpkg_user`}}/debian:bookworm", "run_command": ["-d", "-i", "-t", "--", "{{.Image}}"], "commit": true, "changes": [ @@ -74,7 +74,7 @@ "ansible_env_vars": ["PF_MINOR_RELEASE={{ user `pf_minor_release`}}", "ANSIBLE_ROLES_PATH={{user `prov_dir`}}/roles", "ANSIBLE_COLLECTIONS_PATH={{user `prov_dir`}}/"], "groups": ["{{user `ansible_debian_group`}}"], "user": "{{user `ansible_user`}}", - "only": ["{{user `builder_prefix`}}-bullseye"] + "only": ["{{user `builder_prefix`}}-bookworm"] }, { "type": "shell", @@ -92,7 +92,7 @@ "type": "file", "source": "{{user `pf_root`}}/debian", "destination": "{{user `tmp_dir`}}", - "only": ["{{user `builder_prefix`}}-bullseye"] + "only": ["{{user `builder_prefix`}}-bookworm"] }, { "type": "shell", 
@@ -131,7 +131,7 @@ "inline": ["rm -rf {{user `tmp_dir`}}/debian", "apt-get clean" ], - "only": ["{{user `builder_prefix`}}-bullseye"] + "only": ["{{user `builder_prefix`}}-bookworm"] } ], @@ -158,14 +158,14 @@ { "type": "docker-tag", "name": "set-tag", - "only": ["{{user `builder_prefix`}}-bullseye"], - "repository": "{{user `docker_user`}}/{{user `builder_prefix`}}-debian-bullseye", + "only": ["{{user `builder_prefix`}}-bookworm"], + "repository": "{{user `docker_user`}}/{{user `builder_prefix`}}-debian-bookworm", "tags": "{{user `docker_tags`}}" }, { "type": "docker-push", "name": "push-tag", - "only": ["{{user `builder_prefix`}}-bullseye"], + "only": ["{{user `builder_prefix`}}-bookworm"], "login": true, "login_username": "{{user `docker_user`}}", "login_password": "{{user `docker_password`}}", diff --git a/ci/packer/packer-wrapper.sh b/ci/packer/packer-wrapper.sh index 05e20dd0bc8b..a5b1488fbb70 100755 --- a/ci/packer/packer-wrapper.sh +++ b/ci/packer/packer-wrapper.sh @@ -13,7 +13,7 @@ configure_and_check() { ANSIBLE_DEBIAN_GROUP=${ANSIBLE_DEBIAN_GROUP:-common_debian} ANSIBLE_RUBYGEMS_GROUP=${ANSIBLE_RUBYGEMS_GROUP:-devel_rubygems} ON_ERROR=${ON_ERROR:-cleanup} - ACTIVE_BUILDS=${ACTIVE_BUILDS:-'pfbuild-centos-8,pfbuild-bullseye'} + ACTIVE_BUILDS=${ACTIVE_BUILDS:-'pfbuild-centos-8,pfbuild-bookworm'} PARALLEL=${PARALLEL:-2} PACKER_TEMPLATE=${PACKER_TEMPLATE:-pfbuild.json} diff --git a/ci/packer/pfbuild.json b/ci/packer/pfbuild.json index 0fea664414cb..80a3c9bd35ca 100644 --- a/ci/packer/pfbuild.json +++ b/ci/packer/pfbuild.json @@ -38,9 +38,9 @@ ] }, { - "name": "{{user `builder_prefix`}}-bullseye", + "name": "{{user `builder_prefix`}}-bookworm", "type": "docker", - "image": "{{user `buildpkg_user`}}/debian:bullseye", + "image": "{{user `buildpkg_user`}}/debian:bookworm", "run_command": ["-d", "-i", "-t", "--", "{{.Image}}"], "commit": true, "changes": [ 
@@ -80,7 +80,7 @@ "ansible_env_vars": ["PF_MINOR_RELEASE={{ user `pf_minor_release`}}", "ANSIBLE_ROLES_PATH={{user `prov_dir`}}/roles", "ANSIBLE_COLLECTIONS_PATH={{user `prov_dir`}}/"], "groups": ["{{user `ansible_debian_group`}}"], "user": "{{user `ansible_user`}}", - "only": ["{{user `builder_prefix`}}-bullseye"] + "only": ["{{user `builder_prefix`}}-bookworm"] }, { "type": "shell", @@ -98,7 +98,7 @@ "type": "file", "source": "{{user `pf_root`}}/debian", "destination": "{{user `tmp_dir`}}", - "only": ["{{user `builder_prefix`}}-bullseye"] + "only": ["{{user `builder_prefix`}}-bookworm"] }, { "type": "shell", @@ -135,7 +135,7 @@ "inline": ["rm -rf {{user `tmp_dir`}}/debian", "apt-get clean" ], - "only": ["{{user `builder_prefix`}}-bullseye"] + "only": ["{{user `builder_prefix`}}-bookworm"] } ], @@ -162,14 +162,14 @@ { "type": "docker-tag", "name": "set-tag", - "only": ["{{user `builder_prefix`}}-bullseye"], - "repository": "{{user `docker_registry_url`}}/{{user `builder_prefix`}}-debian-bullseye", + "only": ["{{user `builder_prefix`}}-bookworm"], + "repository": "{{user `docker_registry_url`}}/{{user `builder_prefix`}}-debian-bookworm", "tags": "{{user `docker_tags`}}" }, { "type": "docker-push", "name": "push-tag", - "only": ["{{user `builder_prefix`}}-bullseye"], + "only": ["{{user `builder_prefix`}}-bookworm"], "login": true, "login_username": "{{user `docker_user`}}", "login_password": "{{user `docker_password`}}", diff --git a/ci/packer/vagrant_img/Makefile b/ci/packer/vagrant_img/Makefile index f5bb2f5a5fe2..6cbf2d096a51 100644 --- a/ci/packer/vagrant_img/Makefile +++ b/ci/packer/vagrant_img/Makefile 
@@ -68,22 +68,22 @@ pfel8stable: pfbox # Debian builds -.PHONY: pfdeb11dev -pfdeb11dev: +.PHONY: pfdeb12dev +pfdeb12dev: VAGRANT_LIBVIRT_VIRT_SYSPREP_OPTIONS="'--run $(CURDIR)/provisioners/shell/sysprep.sh'" \ make -e \ BOX_NAME=$@ \ ANSIBLE_GROUP=$(DEV_GROUP) \ - BUILD_NAME="$(DEV_GROUP).vagrant.debian-11" \ + BUILD_NAME="$(DEV_GROUP).vagrant.debian-12" \ pfbox -.PHONY: pfdeb11stable -pfdeb11stable: +.PHONY: pfdeb12stable +pfdeb12stable: VAGRANT_LIBVIRT_VIRT_SYSPREP_OPTIONS="'--run $(CURDIR)/provisioners/shell/sysprep.sh'" \ make -e \ BOX_NAME=$@ \ ANSIBLE_GROUP=$(STABLE_GROUP) \ - BUILD_NAME="$(STABLE_GROUP).vagrant.debian-11" \ + BUILD_NAME="$(STABLE_GROUP).vagrant.debian-12" \ pfbox # Cleanup diff --git a/ci/packer/vagrant_img/build.pkr.hcl b/ci/packer/vagrant_img/build.pkr.hcl index 541d4dd90dd4..c54363514595 100644 --- a/ci/packer/vagrant_img/build.pkr.hcl +++ b/ci/packer/vagrant_img/build.pkr.hcl @@ -2,7 +2,7 @@ build { name = "dev" sources = [ "source.vagrant.el-8", - "source.vagrant.debian-11" + "source.vagrant.debian-12" ] provisioner "ansible" { @@ -37,7 +37,7 @@ build { } provisioner "shell" { - only = ["vagrant.debian-11"] + only = ["vagrant.debian-12"] execute_command = "echo 'vagrant' | {{.Vars}} sudo -S -E bash '{{.Path}}'" script = "${var.pfroot_dir}/addons/dev-helpers/debian/install-pf-dependencies.sh" } @@ -58,7 +58,7 @@ build { name = "stable" sources = [ "source.vagrant.el-8", - "source.vagrant.debian-11" + "source.vagrant.debian-12" ] provisioner "ansible" { diff --git a/ci/packer/vagrant_img/sources.pkr.hcl b/ci/packer/vagrant_img/sources.pkr.hcl index 8b4d466a94e0..e27f556e1ef3 100644 --- a/ci/packer/vagrant_img/sources.pkr.hcl +++ b/ci/packer/vagrant_img/sources.pkr.hcl 
@@ -8,11 +8,11 @@ source "vagrant" "el-8" { template = "templates/vagrantfile_template" } -# Vagrant Debian 11 builds -source "vagrant" "debian-11" { +# Vagrant Debian 12 builds +source "vagrant" "debian-12" { communicator = "ssh" - source_path = "debian/bullseye64" - box_version = "11.20221219.1" + source_path = "debian/bookworm64" + box_version = "12.20240503.1" provider = "libvirt" output_dir = "${var.output_dir}" template = "templates/vagrantfile_template" diff --git a/ci/packer/zen/Makefile b/ci/packer/zen/Makefile index 4126a6306546..372d4dcafbc9 100644 --- a/ci/packer/zen/Makefile +++ b/ci/packer/zen/Makefile @@ -49,10 +49,10 @@ clean: clean_cache: rm -rf packer_cache -.PHONY: zen-deb11 -zen-deb11: +.PHONY: zen-deb12 +zen-deb12: make \ - BUILD_NAME=debian-11 \ + BUILD_NAME=debian-12 \ zen .PHONY: zen-el8 diff --git a/ci/packer/zen/build.pkr.hcl b/ci/packer/zen/build.pkr.hcl index 8d9f2d7378a8..68d5829ab4b3 100644 --- a/ci/packer/zen/build.pkr.hcl +++ b/ci/packer/zen/build.pkr.hcl @@ -1,6 +1,6 @@ build { sources = [ - "source.virtualbox-iso.debian-11", + "source.virtualbox-iso.debian-12", ] provisioner "ansible" { playbook_file = "${var.provisioner_dir}/site.yml" diff --git a/ci/packer/zen/files/preseed.cfg b/ci/packer/zen/files/preseed.cfg index 3760babc4994..7620779d0add 100644 --- a/ci/packer/zen/files/preseed.cfg +++ b/ci/packer/zen/files/preseed.cfg @@ -1,5 +1,5 @@ #_preseed_V1 -#### Contents of the preconfiguration file (for bullseye) +#### Contents of the preconfiguration file (for bookworm) ### Localization # Preseeding only locale sets language, country and locale. d-i debian-installer/locale string en_US diff --git a/ci/packer/zen/files/preseed.cfg.example b/ci/packer/zen/files/preseed.cfg.example index 570b2c96fc14..59b1a54980fc 100644 --- a/ci/packer/zen/files/preseed.cfg.example +++ b/ci/packer/zen/files/preseed.cfg.example 
@@ -1,5 +1,5 @@ #_preseed_V1 -#### Contents of the preconfiguration file (for bullseye) +#### Contents of the preconfiguration file (for bookworm) ### Localization # Preseeding only locale sets language, country and locale. d-i debian-installer/locale string en_US diff --git a/ci/packer/zen/sources.pkr.hcl b/ci/packer/zen/sources.pkr.hcl index e4c1d3f001ed..307809358604 100644 --- a/ci/packer/zen/sources.pkr.hcl +++ b/ci/packer/zen/sources.pkr.hcl @@ -1,5 +1,5 @@ # VirtualBox builds -source "virtualbox-iso" "debian-11" { +source "virtualbox-iso" "debian-12" { vm_name = "${var.vm_name}" disk_size = "200000" guest_os_type = "Debian_64" @@ -17,8 +17,8 @@ source "virtualbox-iso" "debian-11" { ["modifyvm", "{{.Name}}", "--uartmode1", "disconnected"], ["storagectl", "{{.Name}}", "--name", "IDE Controller", "--remove"] ] - iso_url = "https://cdimage.debian.org/cdimage/archive/latest-oldstable/amd64/iso-cd/debian-11.9.0-amd64-netinst.iso" - iso_checksum = "sha256:01c540225250d42cda3809d7130d0c27e934c8aca260d01a86d33dee19623b0f" + iso_url = "https://cdimage.debian.org/cdimage/archive/12.4.0/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso" + iso_checksum = "64d727dd5785ae5fcfd3ae8ffbede5f40cca96f1580aaa2820e8b99dae989d94" # boot parameters to preseed questions # all parameters below can't be moved to preseed file boot_command = [ diff --git a/conf/redis_cache.conf.example b/conf/redis_cache.conf.example index 305576f9ad54..373f30e58d98 100644 --- a/conf/redis_cache.conf.example +++ b/conf/redis_cache.conf.example @@ -1,5 +1,10 @@ # Copyright (C) Inverse inc. -# Redis configuration file example +# Redis configuration file example. +# +# Note that in order to read the configuration file, Redis must be +# started with the file path as first argument: +# +# ./redis-server /path/to/redis.conf # Note on units: when memory size is needed, it is possible to specify # it in the usual form of 1k 5GB 4M and so forth: 
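Review bot: The new `iso_checksum` value in ci/packer/zen/sources.pkr.hcl drops the `sha256:` type prefix that the replaced line carried, so the hash algorithm is now inferred from the 64-character length rather than stated. Packer appears to accept an unprefixed value, but keeping the algorithm explicit makes the line self-describing and consistent with the previous form: `iso_checksum = "sha256:64d727dd5785ae5fcfd3ae8ffbede5f40cca96f1580aaa2820e8b99dae989d94"`. The `source "virtualbox-iso" "debian-12"` block continues outside the hunk.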
@@ -20,7 +25,7 @@ # to customize a few per-server settings. Include files can include # other files, so use this wisely. # -# Notice option "include" won't be rewritten by command "CONFIG REWRITE" +# Note that option "include" won't be rewritten by command "CONFIG REWRITE" # from admin or Redis Sentinel. Since Redis always uses the last processed # line as value of a configuration directive, you'd better put includes # at the beginning of this file to avoid overwriting config change at runtime. 
@@ -28,42 +33,122 @@ # If instead you are interested in using includes to override configuration # options, it is better to use include as the last line. # +# Included paths may contain wildcards. All files matching the wildcards will +# be included in alphabetical order. +# Note that if an include path contains a wildcards but no files match it when +# the server is started, the include statement will be ignored and no error will +# be emitted. It is safe, therefore, to include wildcard files from empty +# directories. +# # include /path/to/local.conf # include /path/to/other.conf +# include /path/to/fragments/*.conf +# -################################ GENERAL ##################################### +################################## MODULES ##################################### -# By default Redis does not run as a daemon. Use 'yes' if you need it. -# Note that Redis will write a pid file in /var/run/redis.pid when daemonized. -daemonize no +# Load modules at startup. If the server is not able to load modules +# it will abort. It is possible to use multiple loadmodule directives. +# +# loadmodule /path/to/my_module.so +# loadmodule /path/to/other_module.so -# When running daemonized, Redis writes a pid file in /var/run/redis.pid by -# default. You can specify a custom pid file location here. -pidfile /usr/local/pf/var/run/redis_cache.pid +################################## NETWORK ##################################### -# Accept connections on the specified port, default is 6379. +# By default, if no "bind" configuration directive is specified, Redis listens +# for connections from all available network interfaces on the host machine. +# It is possible to listen to just one or multiple selected interfaces using +# the "bind" configuration directive, followed by one or more IP addresses. +# Each address can be prefixed by "-", which means that redis will not fail to +# start if the address is not available. 
Being not available only refers to
+# addresses that does not correspond to any network interface. Addresses that
+# are already in use will always fail, and unsupported protocols will always BE
+# silently skipped.
+#
+# Examples:
+#
+# bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses
+# bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6
+# bind * -::* # like the default, all available interfaces
+#
+# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
+# internet, binding to all the interfaces is dangerous and will expose the
+# instance to everybody on the internet. So by default we uncomment the
+# following bind directive, that will force Redis to listen only on the
+# IPv4 and IPv6 (if available) loopback interface addresses (this means Redis
+# will only be able to accept client connections from the same host that it is
+# running on).
+#
+# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
+# COMMENT OUT THE FOLLOWING LINE.
+#
+# You will also need to set a password unless you explicitly disable protected
+# mode.
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+bind 127.0.0.1 100.64.0.1
+
+# By default, outgoing connections (from replica to master, from Sentinel to
+# instances, cluster bus, etc.) are not bound to a specific local address. In
+# most cases, this means the operating system will handle that based on routing
+# and the interface through which the connection goes out.
+#
+# Using bind-source-addr it is possible to configure a specific address to bind
+# to, which may also affect how the connection gets routed.
+#
+# Example:
+#
+# bind-source-addr 10.0.0.1
+
+# Protected mode is a layer of security protection, in order to avoid that
+# Redis instances left open on the internet are accessed and exploited.
+# +# When protected mode is on and the default user has no password, the server +# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address +# (::1) or Unix domain sockets. +# +# By default protected mode is enabled. You should disable it only if +# you are sure you want clients from other hosts to connect to Redis +# even if no authentication is configured. +protected-mode no + +# Redis uses default hardened security configuration directives to reduce the +# attack surface on innocent users. Therefore, several sensitive configuration +# directives are immutable, and some potentially-dangerous commands are blocked. +# +# Configuration directives that control files that Redis writes to (e.g., 'dir' +# and 'dbfilename') and that aren't usually modified during runtime +# are protected by making them immutable. +# +# Commands that can increase the attack surface of Redis and that aren't usually +# called by users are blocked by default. +# +# These can be exposed to either all connections or just local ones by setting +# each of the configs listed below to either of these values: +# +# no - Block for any connection (remain immutable) +# yes - Allow for any connection (no protection) +# local - Allow only for local connections. Ones originating from the +# IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets. +# +# enable-protected-configs no +# enable-debug-command no +# enable-module-command no + +# Accept connections on the specified port, default is 6379 (IANA #815344). # If port 0 is specified Redis will not listen on a TCP socket. port 6379 # TCP listen() backlog. # -# In high requests-per-second environments you need an high backlog in order -# to avoid slow clients connections issues. Note that the Linux kernel +# In high requests-per-second environments you need a high backlog in order +# to avoid slow clients connection issues. 
Note that the Linux kernel # will silently truncate it to the value of /proc/sys/net/core/somaxconn so # make sure to raise both the value of somaxconn and tcp_max_syn_backlog # in order to get the desired effect. tcp-backlog 511 -# By default Redis listens for connections from all the network interfaces -# available on the server. It is possible to listen to just one or multiple -# interfaces using the "bind" configuration directive, followed by one or -# more IP addresses. +# Unix socket. # -# Examples: -# -# bind 192.168.1.100 10.0.0.1 -bind 127.0.0.1 100.64.0.1 - # Specify the path for the Unix socket that will be used to listen for # incoming connections. There is no default, so Redis will not listen # on a unix socket when not specified. 
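Review bot: The added `protected-mode no` switches off Redis's fallback guard while the retained `bind 127.0.0.1 100.64.0.1` keeps this instance listening on a non-loopback address, so any host that can reach 100.64.0.1 on `port 6379` appears to get unauthenticated access unless a `requirepass` or ACL is configured further down the file, which this hunk does not show. If the 100.64.0.1 listener is required, the compensating control should be named next to the directive, e.g. `# protected-mode is off because 100.64.0.1 must be reachable by other members; access is restricted by requirepass/host firewall`, and that control confirmed to exist; otherwise the directive should stay at its default of yes. The new comment block for `enable-protected-configs`, `enable-debug-command` and `enable-module-command` leaves them at their default `no`, which is the right setting to keep.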
@@ -80,16 +165,182 @@ timeout 0 # of communication. This is useful for two reasons: # # 1) Detect dead peers. -# 2) Take the connection alive from the point of view of network -# equipment in the middle. +# 2) Force network equipment in the middle to consider the connection to be +# alive. # # On Linux, the specified value (in seconds) is the period used to send ACKs. # Note that to close the connection the double of the time is needed. # On other kernels the period depends on the kernel configuration. # -# A reasonable value for this option is 60 seconds. +# A reasonable value for this option is 300 seconds, which is the new +# Redis default starting with Redis 3.2.1. tcp-keepalive 0 +# Apply OS-specific mechanism to mark the listening socket with the specified +# ID, to support advanced routing and filtering capabilities. +# +# On Linux, the ID represents a connection mark. +# On FreeBSD, the ID represents a socket cookie ID. +# On OpenBSD, the ID represents a route table ID. +# +# The default value is 0, which implies no marking is required. +# socket-mark-id 0 + +################################# TLS/SSL ##################################### + +# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration +# directive can be used to define TLS-listening ports. To enable TLS on the +# default port, use: +# +# port 0 +# tls-port 6379 + +# Configure a X.509 certificate and private key to use for authenticating the +# server to connected clients, masters or cluster peers. These files should be +# PEM formatted. +# +# tls-cert-file redis.crt +# tls-key-file redis.key +# +# If the key file is encrypted using a passphrase, it can be included here +# as well. +# +# tls-key-file-pass secret + +# Normally Redis uses the same certificate for both server functions (accepting +# connections) and client functions (replicating from a master, establishing +# cluster bus connections, etc.). 
+#
+# Sometimes certificates are issued with attributes that designate them as
+# client-only or server-only certificates. In that case it may be desired to use
+# different certificates for incoming (server) and outgoing (client)
+# connections. To do that, use the following directives:
+#
+# tls-client-cert-file client.crt
+# tls-client-key-file client.key
+#
+# If the key file is encrypted using a passphrase, it can be included here
+# as well.
+#
+# tls-client-key-file-pass secret
+
+# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange,
+# required by older versions of OpenSSL (<3.0). Newer versions do not require
+# this configuration and recommend against it.
+#
+# tls-dh-params-file redis.dh
+
+# Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL
+# clients and peers. Redis requires an explicit configuration of at least one
+# of these, and will not implicitly use the system wide configuration.
+#
+# tls-ca-cert-file ca.crt
+# tls-ca-cert-dir /etc/ssl/certs
+
+# By default, clients (including replica servers) on a TLS port are required
+# to authenticate using valid client side certificates.
+#
+# If "no" is specified, client certificates are not required and not accepted.
+# If "optional" is specified, client certificates are accepted and must be
+# valid if provided, but are not required.
+#
+# tls-auth-clients no
+# tls-auth-clients optional
+
+# By default, a Redis replica does not attempt to establish a TLS connection
+# with its master.
+#
+# Use the following directive to enable TLS on replication links.
+#
+# tls-replication yes
+
+# By default, the Redis Cluster bus uses a plain TCP connection. To enable
+# TLS for the bus protocol, use the following directive:
+#
+# tls-cluster yes
+
+# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended
+# that older formally deprecated versions are kept disabled to reduce the attack surface.
+# You can explicitly specify TLS versions to support.
+# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2",
+# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination.
+# To enable only TLSv1.2 and TLSv1.3, use:
+#
+# tls-protocols "TLSv1.2 TLSv1.3"
+
+# Configure allowed ciphers. See the ciphers(1ssl) manpage for more information
+# about the syntax of this string.
+#
+# Note: this configuration applies only to <= TLSv1.2.
+#
+# tls-ciphers DEFAULT:!MEDIUM
+
+# Configure allowed TLSv1.3 ciphersuites. See the ciphers(1ssl) manpage for more
+# information about the syntax of this string, and specifically for TLSv1.3
+# ciphersuites.
+#
+# tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
+
+# When choosing a cipher, use the server's preference instead of the client
+# preference. By default, the server follows the client's preference.
+#
+# tls-prefer-server-ciphers yes
+
+# By default, TLS session caching is enabled to allow faster and less expensive
+# reconnections by clients that support it. Use the following directive to disable
+# caching.
+#
+# tls-session-caching no
+
+# Change the default number of TLS sessions cached. A zero value sets the cache
+# to unlimited size. The default size is 20480.
+#
+# tls-session-cache-size 5000
+
+# Change the default timeout of cached TLS sessions. The default timeout is 300
+# seconds.
+#
+# tls-session-cache-timeout 60
+
+################################# GENERAL #####################################
+
+# By default Redis does not run as a daemon. Use 'yes' if you need it.
+# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
+# When Redis is supervised by upstart or systemd, this parameter has no impact.
+daemonize no
+
+# If you run Redis from upstart or systemd, Redis can interact with your
+# supervision tree.
Options: +# supervised no - no supervision interaction +# supervised upstart - signal upstart by putting Redis into SIGSTOP mode +# requires "expect stop" in your upstart job config +# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET +# on startup, and updating Redis status on a regular +# basis. +# supervised auto - detect upstart or systemd method based on +# UPSTART_JOB or NOTIFY_SOCKET environment variables +# Note: these supervision methods only signal "process is ready." +# They do not enable continuous pings back to your supervisor. +# +# The default is "no". To run under upstart/systemd, you can simply uncomment +# the line below: +# +# supervised auto + +# If a pid file is specified, Redis writes it where specified at startup +# and removes it at exit. +# +# When the server runs non daemonized, no pid file is created if none is +# specified in the configuration. When the server is daemonized, the pid file +# is used even if not specified, defaulting to "/var/run/redis.pid". +# +# Creating a pid file is best effort: if Redis is not able to create it +# nothing bad happens, the server will start and run normally. +# +# Note that on modern Linux systems "/run/redis.pid" is more conforming +# and should be used instead. +pidfile /usr/local/pf/var/run/redis_cache.pid + # Specify the server verbosity level. # This can be one of: # debug (a lot of information, useful for development/testing) @@ -101,7 +352,7 @@ loglevel notice # Specify the log file name. Also the empty string can be used to force # Redis to log on the standard output. Note that if you use standard # output for logging but daemonize, logs will be sent to /dev/null -#logfile /usr/local/pf/logs/redis_cache.log +#logfile /var/log/redis/redis-server.log # To enable logging to the system logger, just set 'syslog-enabled' to yes, # and optionally update the other syslog parameters to suit your needs. 
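Review bot: The commented `logfile` default on the new side moves from the PacketFence-specific `/usr/local/pf/logs/redis_cache.log` to the Debian stock `/var/log/redis/redis-server.log`, which looks like a carry-over from the upstream 7.0 template rather than an intended change. Anyone uncommenting it would point this cache instance at the system redis-server log under a directory owned by the Debian package, while `pidfile /usr/local/pf/var/run/redis_cache.pid` and `dir /usr/local/pf/var/redis_cache` in the same file still use the PF tree. Suggest keeping `#logfile /usr/local/pf/logs/redis_cache.log`.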
@@ -113,33 +364,74 @@ syslog-ident redis-cache # Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. syslog-facility local5 +# To disable the built in crash log, which will possibly produce cleaner core +# dumps when they are needed, uncomment the following: +# +# crash-log-enabled no + +# To disable the fast memory check that's run as part of the crash log, which +# will possibly let redis terminate sooner, uncomment the following: +# +# crash-memcheck-enabled no + # Set the number of databases. The default database is DB 0, you can select # a different one on a per-connection basis using SELECT where # dbid is a number between 0 and 'databases'-1 databases 1 +# By default Redis shows an ASCII art logo only when started to log to the +# standard output and if the standard output is a TTY and syslog logging is +# disabled. Basically this means that normally a logo is displayed only in +# interactive sessions. +# +# However it is possible to force the pre-4.0 behavior and always show a +# ASCII art logo in startup logs by setting the following option to yes. +always-show-logo no + +# By default, Redis modifies the process title (as seen in 'top' and 'ps') to +# provide some runtime information. It is possible to disable this and leave +# the process name as executed by setting the following to no. +set-proc-title yes + +# When changing the process title, Redis uses the following template to construct +# the modified title. +# +# Template variables are specified in curly brackets. The following variables are +# supported: +# +# {title} Name of process as executed if parent, or type of child process. +# {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or +# Unix socket if only that's available. +# {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]". +# {port} TCP port listening on, or 0. +# {tls-port} TLS port listening on, or 0. +# {unixsocket} Unix domain socket listening on, or "". 
+# {config-file} Name of configuration file used. +# +proc-title-template "{title} {listen-addr} {server-mode}" + ################################ SNAPSHOTTING ################################ + +# Save the DB to disk. # -# Save the DB on disk: +# save [ ...] # -# save +# Redis will save the DB if the given number of seconds elapsed and it +# surpassed the given number of write operations against the DB. # -# Will save the DB if both the given number of seconds and the given -# number of write operations against the DB occurred. +# Snapshotting can be completely disabled with a single empty string argument +# as in following example: # -# In the example below the behaviour will be to save: -# after 900 sec (15 min) if at least 1 key changed -# after 300 sec (5 min) if at least 10 keys changed -# after 60 sec if at least 10000 keys changed +# save "" # -# Note: you can disable saving completely by commenting out all "save" lines. +# Unless specified otherwise, by default Redis will save the DB: +# * After 3600 seconds (an hour) if at least 1 change was performed +# * After 300 seconds (5 minutes) if at least 100 changes were performed +# * After 60 seconds if at least 10000 changes were performed # -# It is also possible to remove all the previously configured save -# points by adding a save directive with a single empty string argument -# like in the following example: +# You can set these explicitly by uncommenting the following line. # -# save "" - +# save 3600 1 300 100 60 10000 save 900 1 save 300 10 save 60 10000 @@ -160,7 +452,7 @@ save 60 10000 stop-writes-on-bgsave-error yes # Compress string objects using LZF when dump .rdb databases? -# For default that's set to 'yes' as it's almost always a win. +# By default compression is enabled as it's almost always a win. # If you want to save some CPU in the saving child set it to 'no' but # the dataset will likely be bigger if you have compressible values or keys. rdbcompression yes 
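Review bot: The rewritten SNAPSHOTTING comment block now documents the Redis 7 single-line form (`save 3600 1 300 100 60 10000`) while the active directives immediately below it remain the three legacy lines `save 900 1`, `save 300 10` and `save 60 10000`, so the commentary and the configuration no longer describe the same thing. Redis 7 appears to still accept multiple save lines for backward compatibility, but collapsing them to `save 900 1 300 10 60 10000` would match the documented form and make the effective schedule obvious at a glance. Failing that, a short `# PacketFence keeps the pre-7.0 schedule below` comment above the three lines would stop a reader from mistaking the commented default line for the active setting.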
@@ -174,9 +466,37 @@ rdbcompression yes # tell the loading code to skip the check. rdbchecksum yes +# Enables or disables full sanitization checks for ziplist and listpack etc when +# loading an RDB or RESTORE payload. This reduces the chances of a assertion or +# crash later on while processing commands. +# Options: +# no - Never perform full sanitization +# yes - Always perform full sanitization +# clients - Perform full sanitization only for user connections. +# Excludes: RDB files, RESTORE commands received from the master +# connection, and client connections which have the +# skip-sanitize-payload ACL flag. +# The default should be 'clients' but since it currently affects cluster +# resharding via MIGRATE, it is temporarily set to 'no' by default. +# +# sanitize-dump-payload no + # The filename where to dump the DB dbfilename dump.rdb +# Remove RDB files used by replication in instances without persistence +# enabled. By default this option is disabled, however there are environments +# where for regulations or other security concerns, RDB files persisted on +# disk by masters in order to feed replicas, or stored on disk by replicas +# in order to load them for the initial synchronization, should be deleted +# ASAP. Note that this option ONLY WORKS in instances that have both AOF +# and RDB persistence disabled, otherwise is completely ignored. +# +# An alternative (and sometimes better) way to obtain the same effect is +# to use diskless replication on both master and replicas instances. However +# in the case of replicas, diskless is not always an option. +rdb-del-sync-files no + # The working directory. # # The DB will be written inside this directory, with the filename specified 
@@ -189,209 +509,556 @@ dir /usr/local/pf/var/redis_cache ################################# REPLICATION ################################# -# Master-Slave replication. Use slaveof to make a Redis instance a copy of +# Master-Replica replication. Use replicaof to make a Redis instance a copy of # another Redis server. A few things to understand ASAP about Redis replication. # +# +------------------+ +---------------+ +# | Master | ---> | Replica | +# | (receive writes) | | (exact copy) | +# +------------------+ +---------------+ +# # 1) Redis replication is asynchronous, but you can configure a master to # stop accepting writes if it appears to be not connected with at least -# a given number of slaves. -# 2) Redis slaves are able to perform a partial resynchronization with the +# a given number of replicas. +# 2) Redis replicas are able to perform a partial resynchronization with the # master if the replication link is lost for a relatively small amount of # time. You may want to configure the replication backlog size (see the next # sections of this file) with a sensible value depending on your needs. # 3) Replication is automatic and does not need user intervention. After a -# network partition slaves automatically try to reconnect to masters +# network partition replicas automatically try to reconnect to masters # and resynchronize with them. # -# slaveof +# replicaof # If the master is password protected (using the "requirepass" configuration -# directive below) it is possible to tell the slave to authenticate before +# directive below) it is possible to tell the replica to authenticate before # starting the replication synchronization process, otherwise the master will -# refuse the slave request. +# refuse the replica request. # # masterauth +# +# However this is not enough if you are using Redis ACLs (for Redis version +# 6 or greater), and the default user is not capable of running the PSYNC +# command and/or other commands needed for replication. 
In this case it's +# better to configure a special user to use with replication, and specify the +# masteruser configuration as such: +# +# masteruser +# +# When masteruser is specified, the replica will authenticate against its +# master using the new AUTH form: AUTH . -# When a slave loses its connection with the master, or when the replication -# is still in progress, the slave can act in two different ways: +# When a replica loses its connection with the master, or when the replication +# is still in progress, the replica can act in two different ways: # -# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will +# 1) if replica-serve-stale-data is set to 'yes' (the default) the replica will # still reply to client requests, possibly with out of date data, or the # data set may just be empty if this is the first synchronization. # -# 2) if slave-serve-stale-data is set to 'no' the slave will reply with -# an error "SYNC with master in progress" to all the kind of commands -# but to INFO and SLAVEOF. +# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error +# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'" +# to all data access commands, excluding commands such as: +# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE, +# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST, +# HOST and LATENCY. # -slave-serve-stale-data yes +replica-serve-stale-data yes -# You can configure a slave instance to accept writes or not. Writing against -# a slave instance may be useful to store some ephemeral data (because data -# written on a slave will be easily deleted after resync with the master) but +# You can configure a replica instance to accept writes or not. 
Writing against +# a replica instance may be useful to store some ephemeral data (because data +# written on a replica will be easily deleted after resync with the master) but # may also cause problems if clients are writing to it because of a # misconfiguration. # -# Since Redis 2.6 by default slaves are read-only. +# Since Redis 2.6 by default replicas are read-only. # -# Note: read only slaves are not designed to be exposed to untrusted clients +# Note: read only replicas are not designed to be exposed to untrusted clients # on the internet. It's just a protection layer against misuse of the instance. -# Still a read only slave exports by default all the administrative commands +# Still a read only replica exports by default all the administrative commands # such as CONFIG, DEBUG, and so forth. To a limited extent you can improve -# security of read only slaves using 'rename-command' to shadow all the +# security of read only replicas using 'rename-command' to shadow all the # administrative / dangerous commands. -slave-read-only yes +replica-read-only yes # Replication SYNC strategy: disk or socket. # -# ------------------------------------------------------- -# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY -# ------------------------------------------------------- +# New replicas and reconnecting replicas that are not able to continue the +# replication process just receiving differences, need to do what is called a +# "full synchronization". An RDB file is transmitted from the master to the +# replicas. # -# New slaves and reconnecting slaves that are not able to continue the replication -# process just receiving differences, need to do what is called a "full -# synchronization". An RDB file is transmitted from the master to the slaves. # The transmission can happen in two different ways: # # 1) Disk-backed: The Redis master creates a new process that writes the RDB # file on disk. 
Later the file is transferred by the parent -# process to the slaves incrementally. +# process to the replicas incrementally. # 2) Diskless: The Redis master creates a new process that directly writes the -# RDB file to slave sockets, without touching the disk at all. +# RDB file to replica sockets, without touching the disk at all. # -# With disk-backed replication, while the RDB file is generated, more slaves -# can be queued and served with the RDB file as soon as the current child producing -# the RDB file finishes its work. With diskless replication instead once -# the transfer starts, new slaves arriving will be queued and a new transfer -# will start when the current one terminates. +# With disk-backed replication, while the RDB file is generated, more replicas +# can be queued and served with the RDB file as soon as the current child +# producing the RDB file finishes its work. With diskless replication instead +# once the transfer starts, new replicas arriving will be queued and a new +# transfer will start when the current one terminates. # # When diskless replication is used, the master waits a configurable amount of -# time (in seconds) before starting the transfer in the hope that multiple slaves -# will arrive and the transfer can be parallelized. +# time (in seconds) before starting the transfer in the hope that multiple +# replicas will arrive and the transfer can be parallelized. # # With slow disks and fast (large bandwidth) networks, diskless replication # works better. repl-diskless-sync no # When diskless replication is enabled, it is possible to configure the delay -# the server waits in order to spawn the child that trnasfers the RDB via socket -# to the slaves. +# the server waits in order to spawn the child that transfers the RDB via socket +# to the replicas. 
# # This is important since once the transfer starts, it is not possible to serve -# new slaves arriving, that will be queued for the next RDB transfer, so the server -# waits a delay in order to let more slaves arrive. +# new replicas arriving, that will be queued for the next RDB transfer, so the +# server waits a delay in order to let more replicas arrive. # # The delay is specified in seconds, and by default is 5 seconds. To disable # it entirely just set it to 0 seconds and the transfer will start ASAP. repl-diskless-sync-delay 5 -# Slaves send PINGs to server in a predefined interval. It's possible to change -# this interval with the repl_ping_slave_period option. The default value is 10 -# seconds. -# -# repl-ping-slave-period 10 +# When diskless replication is enabled with a delay, it is possible to let +# the replication start before the maximum delay is reached if the maximum +# number of replicas expected have connected. Default of 0 means that the +# maximum is not defined and Redis will wait the full delay. +repl-diskless-sync-max-replicas 0 + +# ----------------------------------------------------------------------------- +# WARNING: RDB diskless load is experimental. Since in this setup the replica +# does not immediately store an RDB on disk, it may cause data loss during +# failovers. RDB diskless load + Redis modules not handling I/O reads may also +# cause Redis to abort in case of I/O errors during the initial synchronization +# stage with the master. Use only if you know what you are doing. +# ----------------------------------------------------------------------------- +# +# Replica can load the RDB it reads from the replication link directly from the +# socket, or store the RDB to a file and read that file after it was completely +# received from the master. 
+# +# In many cases the disk is slower than the network, and storing and loading +# the RDB file may increase replication time (and even increase the master's +# Copy on Write memory and replica buffers). +# However, parsing the RDB file directly from the socket may mean that we have +# to flush the contents of the current database before the full rdb was +# received. For this reason we have the following options: +# +# "disabled" - Don't use diskless load (store the rdb file to the disk first) +# "on-empty-db" - Use diskless load only when it is completely safe. +# "swapdb" - Keep current db contents in RAM while parsing the data directly +# from the socket. Replicas in this mode can keep serving current +# data set while replication is in progress, except for cases where +# they can't recognize master as having a data set from same +# replication history. +# Note that this requires sufficient memory, if you don't have it, +# you risk an OOM kill. +repl-diskless-load disabled + +# Master send PINGs to its replicas in a predefined interval. It's possible to +# change this interval with the repl_ping_replica_period option. The default +# value is 10 seconds. +# +# repl-ping-replica-period 10 # The following option sets the replication timeout for: # -# 1) Bulk transfer I/O during SYNC, from the point of view of slave. -# 2) Master timeout from the point of view of slaves (data, pings). -# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings). +# 1) Bulk transfer I/O during SYNC, from the point of view of replica. +# 2) Master timeout from the point of view of replicas (data, pings). +# 3) Replica timeout from the point of view of masters (REPLCONF ACK pings). # # It is important to make sure that this value is greater than the value -# specified for repl-ping-slave-period otherwise a timeout will be detected -# every time there is low traffic between the master and the slave. 
+# specified for repl-ping-replica-period otherwise a timeout will be detected +# every time there is low traffic between the master and the replica. The default +# value is 60 seconds. # # repl-timeout 60 -# Disable TCP_NODELAY on the slave socket after SYNC? +# Disable TCP_NODELAY on the replica socket after SYNC? # # If you select "yes" Redis will use a smaller number of TCP packets and -# less bandwidth to send data to slaves. But this can add a delay for -# the data to appear on the slave side, up to 40 milliseconds with +# less bandwidth to send data to replicas. But this can add a delay for +# the data to appear on the replica side, up to 40 milliseconds with # Linux kernels using a default configuration. # -# If you select "no" the delay for data to appear on the slave side will +# If you select "no" the delay for data to appear on the replica side will # be reduced but more bandwidth will be used for replication. # # By default we optimize for low latency, but in very high traffic conditions -# or when the master and slaves are many hops away, turning this to "yes" may +# or when the master and replicas are many hops away, turning this to "yes" may # be a good idea. repl-disable-tcp-nodelay no # Set the replication backlog size. The backlog is a buffer that accumulates -# slave data when slaves are disconnected for some time, so that when a slave -# wants to reconnect again, often a full resync is not needed, but a partial -# resync is enough, just passing the portion of data the slave missed while -# disconnected. +# replica data when replicas are disconnected for some time, so that when a +# replica wants to reconnect again, often a full resync is not needed, but a +# partial resync is enough, just passing the portion of data the replica +# missed while disconnected. # -# The bigger the replication backlog, the longer the time the slave can be -# disconnected and later be able to perform a partial resynchronization. 
+# The bigger the replication backlog, the longer the replica can endure the +# disconnect and later be able to perform a partial resynchronization. # -# The backlog is only allocated once there is at least a slave connected. +# The backlog is only allocated if there is at least one replica connected. # # repl-backlog-size 1mb -# After a master has no longer connected slaves for some time, the backlog -# will be freed. The following option configures the amount of seconds that -# need to elapse, starting from the time the last slave disconnected, for -# the backlog buffer to be freed. +# After a master has no connected replicas for some time, the backlog will be +# freed. The following option configures the amount of seconds that need to +# elapse, starting from the time the last replica disconnected, for the backlog +# buffer to be freed. +# +# Note that replicas never free the backlog for timeout, since they may be +# promoted to masters later, and should be able to correctly "partially +# resynchronize" with other replicas: hence they should always accumulate backlog. # # A value of 0 means to never release the backlog. # # repl-backlog-ttl 3600 -# The slave priority is an integer number published by Redis in the INFO output. -# It is used by Redis Sentinel in order to select a slave to promote into a -# master if the master is no longer working correctly. +# The replica priority is an integer number published by Redis in the INFO +# output. It is used by Redis Sentinel in order to select a replica to promote +# into a master if the master is no longer working correctly. # -# A slave with a low priority number is considered better for promotion, so -# for instance if there are three slaves with priority 10, 100, 25 Sentinel will -# pick the one with priority 10, that is the lowest. 
+# A replica with a low priority number is considered better for promotion, so +# for instance if there are three replicas with priority 10, 100, 25 Sentinel +# will pick the one with priority 10, that is the lowest. # -# However a special priority of 0 marks the slave as not able to perform the -# role of master, so a slave with priority of 0 will never be selected by +# However a special priority of 0 marks the replica as not able to perform the +# role of master, so a replica with priority of 0 will never be selected by # Redis Sentinel for promotion. # # By default the priority is 100. -slave-priority 100 +replica-priority 100 + +# The propagation error behavior controls how Redis will behave when it is +# unable to handle a command being processed in the replication stream from a master +# or processed while reading from an AOF file. Errors that occur during propagation +# are unexpected, and can cause data inconsistency. However, there are edge cases +# in earlier versions of Redis where it was possible for the server to replicate or persist +# commands that would fail on future versions. For this reason the default behavior +# is to ignore such errors and continue processing commands. +# +# If an application wants to ensure there is no data divergence, this configuration +# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas' +# to only panic when a replica encounters an error on the replication stream. One of +# these two panic values will become the default value in the future once there are +# sufficient safety mechanisms in place to prevent false positive crashes. +# +# propagation-error-behavior ignore + +# Replica ignore disk write errors controls the behavior of a replica when it is +# unable to persist a write command received from its master to disk. By default, +# this configuration is set to 'no' and will crash the replica in this condition. 
+# It is not recommended to change this default, however in order to be compatible +# with older versions of Redis this config can be toggled to 'yes' which will just +# log a warning and execute the write command it got from the master. +# +# replica-ignore-disk-write-errors no + +# ----------------------------------------------------------------------------- +# By default, Redis Sentinel includes all replicas in its reports. A replica +# can be excluded from Redis Sentinel's announcements. An unannounced replica +# will be ignored by the 'sentinel replicas ' command and won't be +# exposed to Redis Sentinel's clients. +# +# This option does not change the behavior of replica-priority. Even with +# replica-announced set to 'no', the replica can be promoted to master. To +# prevent this behavior, set replica-priority to 0. +# +# replica-announced yes # It is possible for a master to stop accepting writes if there are less than -# N slaves connected, having a lag less or equal than M seconds. +# N replicas connected, having a lag less or equal than M seconds. # -# The N slaves need to be in "online" state. +# The N replicas need to be in "online" state. # # The lag in seconds, that must be <= the specified value, is calculated from -# the last ping received from the slave, that is usually sent every second. +# the last ping received from the replica, that is usually sent every second. # # This option does not GUARANTEE that N replicas will accept the write, but -# will limit the window of exposure for lost writes in case not enough slaves +# will limit the window of exposure for lost writes in case not enough replicas # are available, to the specified number of seconds. 
# -# For example to require at least 3 slaves with a lag <= 10 seconds use: +# For example to require at least 3 replicas with a lag <= 10 seconds use: # -# min-slaves-to-write 3 -# min-slaves-max-lag 10 +# min-replicas-to-write 3 +# min-replicas-max-lag 10 # # Setting one or the other to 0 disables the feature. # -# By default min-slaves-to-write is set to 0 (feature disabled) and -# min-slaves-max-lag is set to 10. +# By default min-replicas-to-write is set to 0 (feature disabled) and +# min-replicas-max-lag is set to 10. -################################## SECURITY ################################### +# A Redis master is able to list the address and port of the attached +# replicas in different ways. For example the "INFO replication" section +# offers this information, which is used, among other tools, by +# Redis Sentinel in order to discover replica instances. +# Another place where this info is available is in the output of the +# "ROLE" command of a master. +# +# The listed IP address and port normally reported by a replica is +# obtained in the following way: +# +# IP: The address is auto detected by checking the peer address +# of the socket used by the replica to connect with the master. +# +# Port: The port is communicated by the replica during the replication +# handshake, and is normally the port that the replica is using to +# listen for connections. +# +# However when port forwarding or Network Address Translation (NAT) is +# used, the replica may actually be reachable via different IP and port +# pairs. The following two options can be used by a replica in order to +# report to its master a specific set of IP and port, so that both INFO +# and ROLE will report those values. +# +# There is no need to use both the options if you need to override just +# the port or the IP address. +# +# replica-announce-ip 5.5.5.5 +# replica-announce-port 1234 -# Require clients to issue AUTH before processing any other -# commands. 
This might be useful in environments in which you do not trust -# others with access to the host running redis-server. +############################### KEYS TRACKING ################################# + +# Redis implements server assisted support for client side caching of values. +# This is implemented using an invalidation table that remembers, using +# a radix key indexed by key name, what clients have which keys. In turn +# this is used in order to send invalidation messages to clients. Please +# check this page to understand more about the feature: +# +# https://redis.io/topics/client-side-caching +# +# When tracking is enabled for a client, all the read only queries are assumed +# to be cached: this will force Redis to store information in the invalidation +# table. When keys are modified, such information is flushed away, and +# invalidation messages are sent to the clients. However if the workload is +# heavily dominated by reads, Redis could use more and more memory in order +# to track the keys fetched by many clients. +# +# For this reason it is possible to configure a maximum fill value for the +# invalidation table. By default it is set to 1M of keys, and once this limit +# is reached, Redis will start to evict keys in the invalidation table +# even if they were not modified, just to reclaim memory: this will in turn +# force the clients to invalidate the cached values. Basically the table +# maximum size is a trade off between the memory you want to spend server +# side to track information about who cached what, and the ability of clients +# to retain cached objects in memory. # -# This should stay commented out for backward compatibility and because most -# people do not need auth (e.g. they run their own servers). +# If you set the value to 0, it means there are no limits, and Redis will +# retain as many keys as needed in the invalidation table. 
+# In the "stats" INFO section, you can find information about the number of +# keys in the invalidation table at every given moment. # -# Warning: since Redis is pretty fast an outside user can try up to -# 150k passwords per second against a good box. This means that you should -# use a very strong password otherwise it will be very easy to break. +# Note: when key tracking is used in broadcasting mode, no memory is used +# in the server side so this setting is useless. +# +# tracking-table-max-keys 1000000 + +################################## SECURITY ################################### + +# Warning: since Redis is pretty fast, an outside user can try up to +# 1 million passwords per second against a modern box. This means that you +# should use very strong passwords, otherwise they will be very easy to break. +# Note that because the password is really a shared secret between the client +# and the server, and should not be memorized by any human, the password +# can be easily a long string from /dev/urandom or whatever, so by using a +# long and unguessable password no brute force attack will be possible. + +# Redis ACL users are defined in the following format: +# +# user ... acl rules ... +# +# For example: +# +# user worker +@list +@connection ~jobs:* on >ffa9203c493aa99 +# +# The special username "default" is used for new connections. If this user +# has the "nopass" rule, then new connections will be immediately authenticated +# as the "default" user without the need of any password provided via the +# AUTH command. Otherwise if the "default" user is not flagged with "nopass" +# the connections will start in not authenticated state, and will require +# AUTH (or the HELLO command AUTH option) in order to be authenticated and +# start to work. +# +# The ACL rules that describe what a user can do are the following: +# +# on Enable the user: it is possible to authenticate as this user. 
+# off Disable the user: it's no longer possible to authenticate +# with this user, however the already authenticated connections +# will still work. +# skip-sanitize-payload RESTORE dump-payload sanitization is skipped. +# sanitize-payload RESTORE dump-payload is sanitized (default). +# + Allow the execution of that command. +# May be used with `|` for allowing subcommands (e.g "+config|get") +# - Disallow the execution of that command. +# May be used with `|` for blocking subcommands (e.g "-config|set") +# +@ Allow the execution of all the commands in such category +# with valid categories are like @admin, @set, @sortedset, ... +# and so forth, see the full list in the server.c file where +# the Redis command table is described and defined. +# The special category @all means all the commands, but currently +# present in the server, and that will be loaded in the future +# via modules. +# +|first-arg Allow a specific first argument of an otherwise +# disabled command. It is only supported on commands with +# no sub-commands, and is not allowed as negative form +# like -SELECT|1, only additive starting with "+". This +# feature is deprecated and may be removed in the future. +# allcommands Alias for +@all. Note that it implies the ability to execute +# all the future commands loaded via the modules system. +# nocommands Alias for -@all. +# ~ Add a pattern of keys that can be mentioned as part of +# commands. For instance ~* allows all the keys. The pattern +# is a glob-style pattern like the one of KEYS. +# It is possible to specify multiple patterns. +# %R~ Add key read pattern that specifies which keys can be read +# from. +# %W~ Add key write pattern that specifies which keys can be +# written to. +# allkeys Alias for ~* +# resetkeys Flush the list of allowed keys patterns. +# & Add a glob-style pattern of Pub/Sub channels that can be +# accessed by the user. It is possible to specify multiple channel +# patterns. 
+# allchannels Alias for &* +# resetchannels Flush the list of allowed channel patterns. +# > Add this password to the list of valid password for the user. +# For example >mypass will add "mypass" to the list. +# This directive clears the "nopass" flag (see later). +# < Remove this password from the list of valid passwords. +# nopass All the set passwords of the user are removed, and the user +# is flagged as requiring no password: it means that every +# password will work against this user. If this directive is +# used for the default user, every new connection will be +# immediately authenticated with the default user without +# any explicit AUTH command required. Note that the "resetpass" +# directive will clear this condition. +# resetpass Flush the list of allowed passwords. Moreover removes the +# "nopass" status. After "resetpass" the user has no associated +# passwords and there is no way to authenticate without adding +# some password (or setting it as "nopass" later). +# reset Performs the following actions: resetpass, resetkeys, off, +# -@all. The user returns to the same state it has immediately +# after its creation. +# () Create a new selector with the options specified within the +# parentheses and attach it to the user. Each option should be +# space separated. The first character must be ( and the last +# character must be ). +# clearselectors Remove all of the currently attached selectors. +# Note this does not change the "root" user permissions, +# which are the permissions directly applied onto the +# user (outside the parentheses). +# +# ACL rules can be specified in any order: for instance you can start with +# passwords, then flags, or key patterns. However note that the additive +# and subtractive rules will CHANGE MEANING depending on the ordering. 
+# For instance see the following example: +# +# user alice on +@all -DEBUG ~* >somepassword +# +# This will allow "alice" to use all the commands with the exception of the +# DEBUG command, since +@all added all the commands to the set of the commands +# alice can use, and later DEBUG was removed. However if we invert the order +# of two ACL rules the result will be different: +# +# user alice on -DEBUG +@all ~* >somepassword +# +# Now DEBUG was removed when alice had yet no commands in the set of allowed +# commands, later all the commands are added, so the user will be able to +# execute everything. +# +# Basically ACL rules are processed left-to-right. +# +# The following is a list of command categories and their meanings: +# * keyspace - Writing or reading from keys, databases, or their metadata +# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE, +# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace, +# key or metadata will also have `write` category. Commands that only read +# the keyspace, key or metadata will have the `read` category. +# * read - Reading from keys (values or metadata). Note that commands that don't +# interact with keys, will not have either `read` or `write`. +# * write - Writing to keys (values or metadata) +# * admin - Administrative commands. Normal applications will never need to use +# these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc. +# * dangerous - Potentially dangerous (each should be considered with care for +# various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS, +# CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc. +# * connection - Commands affecting the connection or other connections. +# This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc. +# * blocking - Potentially blocking the connection until released by another +# command. +# * fast - Fast O(1) commands. 
May loop on the number of arguments, but not the +# number of elements in the key. +# * slow - All commands that are not Fast. +# * pubsub - PUBLISH / SUBSCRIBE related +# * transaction - WATCH / MULTI / EXEC related commands. +# * scripting - Scripting related. +# * set - Data type: sets related. +# * sortedset - Data type: zsets related. +# * list - Data type: lists related. +# * hash - Data type: hashes related. +# * string - Data type: strings related. +# * bitmap - Data type: bitmaps related. +# * hyperloglog - Data type: hyperloglog related. +# * geo - Data type: geo related. +# * stream - Data type: streams related. +# +# For more information about ACL configuration please refer to +# the Redis web site at https://redis.io/topics/acl + +# ACL LOG +# +# The ACL Log tracks failed commands and authentication events associated +# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked +# by ACLs. The ACL Log is stored in memory. You can reclaim memory with +# ACL LOG RESET. Define the maximum entry length of the ACL Log below. +acllog-max-len 128 + +# Using an external ACL file +# +# Instead of configuring users here in this file, it is possible to use +# a stand-alone file just listing users. The two methods cannot be mixed: +# if you configure users here and at the same time you activate the external +# ACL file, the server will refuse to start. +# +# The format of the external ACL user file is exactly the same as the +# format that is used inside redis.conf to describe users. +# +# aclfile /etc/redis/users.acl + +# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatibility +# layer on top of the new ACL system. The option effect will be just setting +# the password for the default user. Clients will still authenticate using +# AUTH as usually, or more explicitly with AUTH default +# if they follow the new protocol: both will work. 
+# +# The requirepass is not compatible with aclfile option and the ACL LOAD +# command, these will cause requirepass to be ignored. # # requirepass foobared -# Command renaming. +# New users are initialized with restrictive permissions by default, via the +# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it +# is possible to manage access to Pub/Sub channels with ACL rules as well. The +# default Pub/Sub channels permission if new users is controlled by the +# acl-pubsub-default configuration directive, which accepts one of these values: +# +# allchannels: grants access to all Pub/Sub channels +# resetchannels: revokes access to all Pub/Sub channels +# +# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission. +# +# acl-pubsub-default resetchannels + +# Command renaming (DEPRECATED). +# +# ------------------------------------------------------------------------ +# WARNING: avoid using this option if possible. Instead use ACLs to remove +# commands from the default user, and put them only in some admin user you +# create for administrative purposes. +# ------------------------------------------------------------------------ # # It is possible to change the name of dangerous commands in a shared # environment. For instance the CONFIG command may be renamed into something 
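Review bot: The imported SECURITY section now states that `rename-command` is deprecated and that ACLs should be used to remove commands from the default user, yet `requirepass` stays commented out and no `user` rule is added, so unless an `aclfile` elsewhere says otherwise the default user remains `nopass` with every command available. That is probably acceptable for a local cache whose bind address I cannot see in this hunk, but the hardening this file already does with CONFIG/DEBUG renames (re-added further down) should be mirrored or at least planned as an ACL rule, roughly `user default on nopass ~* &* +@all -config -debug`, so the deprecation does not surface on the next Redis upgrade. A short comment next to the `user` examples recording that decision would help the next reader.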
@@ -405,14 +1072,15 @@ slave-priority 100
 # It is also possible to completely kill a command by renaming it into
 # an empty string:
 #
-rename-command CONFIG ""
-#
-rename-command DEBUG ""
+# rename-command CONFIG ""
 #
 # Please note that changing the name of commands that are logged into the
-# AOF file or transmitted to slaves may cause problems.
+# AOF file or transmitted to replicas may cause problems.
+rename-command CONFIG ""
+rename-command DEBUG ""
+
-################################### LIMITS ####################################
+################################### CLIENTS ####################################
 # Set the max number of connected clients at the same time. By default
 # this limit is set to 10000 clients, however if the Redis server is not
@@ -423,9 +1091,16 @@ rename-command DEBUG ""
 # Once the limit is reached Redis will close all the new connections sending
 # an error 'max number of clients reached'.
 #
+# IMPORTANT: When Redis Cluster is used, the max number of connections is also
+# shared with the cluster bus: every node in the cluster will use two
+# connections, one incoming and another outgoing. It is important to size the
+# limit accordingly in case of very large clusters.
+#
 # maxclients 10000
-# Don't use more memory than the specified amount of bytes.
+############################## MEMORY MANAGEMENT ################################
+
+# Set a memory usage limit to the specified amount of bytes.
 # When the memory limit is reached Redis will try to remove keys
 # according to the eviction policy selected (see maxmemory-policy).
 #
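Review bot: `rename-command CONFIG ""` and `rename-command DEBUG ""` are re-added on the new side directly under a comment block that the new file itself marks as deprecated in favour of ACLs, with no note on why the deprecated directive is still the mechanism used; Redis 7 still honours it, so the hardening holds, but a one-line comment above the two directives would keep the next reader from deleting them as stale, e.g. `# Kept on purpose: blanks CONFIG/DEBUG for every client until this is replaced by ACL rules on the default user.`. The only other access control visible in this patch, `requirepass`, stays commented out in the preceding hunk, so these two lines appear to carry the whole local hardening of this instance. Both hunks on this line start and end inside this view.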
@@ -434,52 +1109,259 @@ rename-command DEBUG "" # that would use more memory, like SET, LPUSH, and so on, and will continue # to reply to read-only commands like GET. # -# This option is usually useful when using Redis as an LRU cache, or to set -# a hard memory limit for an instance (using the 'noeviction' policy). +# This option is usually useful when using Redis as an LRU or LFU cache, or to +# set a hard memory limit for an instance (using the 'noeviction' policy). # -# WARNING: If you have slaves attached to an instance with maxmemory on, -# the size of the output buffers needed to feed the slaves are subtracted +# WARNING: If you have replicas attached to an instance with maxmemory on, +# the size of the output buffers needed to feed the replicas are subtracted # from the used memory count, so that network problems / resyncs will # not trigger a loop where keys are evicted, and in turn the output -# buffer of slaves is full with DELs of keys evicted triggering the deletion +# buffer of replicas is full with DELs of keys evicted triggering the deletion # of more keys, and so forth until the database is completely emptied. # -# In short... if you have slaves attached it is suggested that you set a lower -# limit for maxmemory so that there is some free RAM on the system for slave +# In short... if you have replicas attached it is suggested that you set a lower +# limit for maxmemory so that there is some free RAM on the system for replica # output buffers (but this is not needed if the policy is 'noeviction'). # # maxmemory # MAXMEMORY POLICY: how Redis will select what to remove when maxmemory -# is reached. 
You can select among five behaviors: -# -# volatile-lru -> remove the key with an expire set using an LRU algorithm -# allkeys-lru -> remove any key according to the LRU algorithm -# volatile-random -> remove a random key with an expire set -# allkeys-random -> remove a random key, any key -# volatile-ttl -> remove the key with the nearest expire time (minor TTL) -# noeviction -> don't expire at all, just return an error on write operations -# -# Note: with any of the above policies, Redis will return an error on write -# operations, when there are no suitable keys for eviction. -# -# At the date of writing these commands are: set setnx setex append -# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd -# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby -# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby -# getset mset msetnx exec sort +# is reached. You can select one from the following behaviors: +# +# volatile-lru -> Evict using approximated LRU, only keys with an expire set. +# allkeys-lru -> Evict any key using approximated LRU. +# volatile-lfu -> Evict using approximated LFU, only keys with an expire set. +# allkeys-lfu -> Evict any key using approximated LFU. +# volatile-random -> Remove a random key having an expire set. +# allkeys-random -> Remove a random key, any key. +# volatile-ttl -> Remove the key with the nearest expire time (minor TTL) +# noeviction -> Don't evict anything, just return an error on write operations. +# +# LRU means Least Recently Used +# LFU means Least Frequently Used +# +# Both LRU, LFU and volatile-ttl are implemented using approximated +# randomized algorithms. +# +# Note: with any of the above policies, when there are no suitable keys for +# eviction, Redis will return an error on write operations that require +# more memory. These are usually commands that create new keys, add data or +# modify existing keys. 
A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE, +# SORT (due to the STORE argument), and EXEC (if the transaction includes any +# command that requires memory). # # The default is: # -# maxmemory-policy volatile-lru +# maxmemory-policy noeviction + +# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated +# algorithms (in order to save memory), so you can tune it for speed or +# accuracy. By default Redis will check five keys and pick the one that was +# used least recently, you can change the sample size using the following +# configuration directive. +# +# The default of 5 produces good enough results. 10 Approximates very closely +# true LRU but costs more CPU. 3 is faster but not very accurate. +# +# maxmemory-samples 5 + +# Eviction processing is designed to function well with the default setting. +# If there is an unusually large amount of write traffic, this value may need to +# be increased. Decreasing this value may reduce latency at the risk of +# eviction processing effectiveness +# 0 = minimum latency, 10 = default, 100 = process without regard to latency +# +# maxmemory-eviction-tenacity 10 + +# Starting from Redis 5, by default a replica will ignore its maxmemory setting +# (unless it is promoted to master after a failover or manually). It means +# that the eviction of keys will be just handled by the master, sending the +# DEL commands to the replica as keys evict in the master side. +# +# This behavior ensures that masters and replicas stay consistent, and is usually +# what you want, however if your replica is writable, or you want the replica +# to have a different memory setting, and you are sure all the writes performed +# to the replica are idempotent, then you may change this default (but be sure +# to understand what you are doing). 
+# +# Note that since the replica by default does not evict, it may end using more +# memory than the one set via maxmemory (there are certain buffers that may +# be larger on the replica, or data structures may sometimes take more memory +# and so forth). So make sure you monitor your replicas and make sure they +# have enough memory to never hit a real out-of-memory condition before the +# master hits the configured maxmemory setting. +# +# replica-ignore-maxmemory yes + +# Redis reclaims expired keys in two ways: upon access when those keys are +# found to be expired, and also in background, in what is called the +# "active expire key". The key space is slowly and interactively scanned +# looking for expired keys to reclaim, so that it is possible to free memory +# of keys that are expired and will never be accessed again in a short time. +# +# The default effort of the expire cycle will try to avoid having more than +# ten percent of expired keys still in memory, and will try to avoid consuming +# more than 25% of total memory and to add latency to the system. However +# it is possible to increase the expire "effort" that is normally set to +# "1", to a greater value, up to the value "10". At its maximum value the +# system will use more CPU, longer cycles (and technically may introduce +# more latency), and will tolerate less already expired keys still present +# in the system. It's a tradeoff between memory, CPU and latency. +# +# active-expire-effort 1 + +############################# LAZY FREEING #################################### + +# Redis has two primitives to delete keys. One is called DEL and is a blocking +# deletion of the object. It means that the server stops processing new commands +# in order to reclaim all the memory associated with an object in a synchronous +# way. 
If the key deleted is associated with a small object, the time needed +# in order to execute the DEL command is very small and comparable to most other +# O(1) or O(log_N) commands in Redis. However if the key is associated with an +# aggregated value containing millions of elements, the server can block for +# a long time (even seconds) in order to complete the operation. +# +# For the above reasons Redis also offers non blocking deletion primitives +# such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and +# FLUSHDB commands, in order to reclaim memory in background. Those commands +# are executed in constant time. Another thread will incrementally free the +# object in the background as fast as possible. +# +# DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled. +# It's up to the design of the application to understand when it is a good +# idea to use one or the other. However the Redis server sometimes has to +# delete keys or flush the whole database as a side effect of other operations. +# Specifically Redis deletes objects independently of a user call in the +# following scenarios: +# +# 1) On eviction, because of the maxmemory and maxmemory policy configurations, +# in order to make room for new data, without going over the specified +# memory limit. +# 2) Because of expire: when a key with an associated time to live (see the +# EXPIRE command) must be deleted from memory. +# 3) Because of a side effect of a command that stores data on a key that may +# already exist. For example the RENAME command may delete the old key +# content when it is replaced with another one. Similarly SUNIONSTORE +# or SORT with STORE option may delete existing keys. The SET command +# itself removes any old content of the specified key in order to replace +# it with the specified string. 
+# 4) During replication, when a replica performs a full resynchronization with +# its master, the content of the whole database is removed in order to +# load the RDB file just transferred. +# +# In all the above cases the default is to delete objects in a blocking way, +# like if DEL was called. However you can configure each case specifically +# in order to instead release memory in a non-blocking way like if UNLINK +# was called, using the following configuration directives. + +lazyfree-lazy-eviction no +lazyfree-lazy-expire no +lazyfree-lazy-server-del no +replica-lazy-flush no + +# It is also possible, for the case when to replace the user code DEL calls +# with UNLINK calls is not easy, to modify the default behavior of the DEL +# command to act exactly like UNLINK, using the following configuration +# directive: + +lazyfree-lazy-user-del no + +# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous +# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the +# commands. When neither flag is passed, this directive will be used to determine +# if the data should be deleted asynchronously. + +lazyfree-lazy-user-flush no + +################################ THREADED I/O ################################# + +# Redis is mostly single threaded, however there are certain threaded +# operations such as UNLINK, slow I/O accesses and other things that are +# performed on side threads. +# +# Now it is also possible to handle Redis clients socket reads and writes +# in different I/O threads. Since especially writing is so slow, normally +# Redis users use pipelining in order to speed up the Redis performances per +# core, and spawn multiple instances in order to scale more. Using I/O +# threads it is possible to easily speedup two times Redis without resorting +# to pipelining nor sharding of the instance. 
+# +# By default threading is disabled, we suggest enabling it only in machines +# that have at least 4 or more cores, leaving at least one spare core. +# Using more than 8 threads is unlikely to help much. We also recommend using +# threaded I/O only if you actually have performance problems, with Redis +# instances being able to use a quite big percentage of CPU time, otherwise +# there is no point in using this feature. +# +# So for instance if you have a four cores boxes, try to use 2 or 3 I/O +# threads, if you have a 8 cores, try to use 6 threads. In order to +# enable I/O threads use the following configuration directive: +# +# io-threads 4 +# +# Setting io-threads to 1 will just use the main thread as usual. +# When I/O threads are enabled, we only use threads for writes, that is +# to thread the write(2) syscall and transfer the client buffers to the +# socket. However it is also possible to enable threading of reads and +# protocol parsing using the following configuration directive, by setting +# it to yes: +# +# io-threads-do-reads no +# +# Usually threading reads doesn't help much. +# +# NOTE 1: This configuration directive cannot be changed at runtime via +# CONFIG SET. Also, this feature currently does not work when SSL is +# enabled. +# +# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make +# sure you also run the benchmark itself in threaded mode, using the +# --threads option to match the number of Redis threads, otherwise you'll not +# be able to notice the improvements. + +############################ KERNEL OOM CONTROL ############################## + +# On Linux, it is possible to hint the kernel OOM killer on what processes +# should be killed first when out of memory. +# +# Enabling this feature makes Redis actively control the oom_score_adj value +# for all its processes, depending on their role. 
The default scores will +# attempt to have background child processes killed before all others, and +# replicas killed before masters. +# +# Redis supports these options: +# +# no: Don't make changes to oom-score-adj (default). +# yes: Alias to "relative" see below. +# absolute: Values in oom-score-adj-values are written as is to the kernel. +# relative: Values are used relative to the initial value of oom_score_adj when +# the server starts and are then clamped to a range of -1000 to 1000. +# Because typically the initial value is 0, they will often match the +# absolute values. +oom-score-adj no + +# When oom-score-adj is used, this directive controls the specific values used +# for master, replica and background child processes. Values range -2000 to +# 2000 (higher means more likely to be killed). +# +# Unprivileged processes (not root, and without CAP_SYS_RESOURCE capabilities) +# can freely increase their value, but not decrease it below its initial +# settings. This means that setting oom-score-adj to "relative" and setting the +# oom-score-adj-values to positive values will always succeed. +oom-score-adj-values 0 200 800 -# LRU and minimal TTL algorithms are not precise algorithms but approximated -# algorithms (in order to save memory), so you can select as well the sample -# size to check. For instance for default Redis will check three keys and -# pick the one that was used less recently, you can change the sample size -# using the following configuration directive. -# -# maxmemory-samples 3 + +#################### KERNEL transparent hugepage CONTROL ###################### + +# Usually the kernel Transparent Huge Pages control is set to "madvise" or +# or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which +# case this config has no effect. On systems in which it is set to "always", +# redis will attempt to disable it specifically for the redis process in order +# to avoid latency problems specifically with fork(2) and CoW. 
+# If for some reason you prefer to keep it enabled, you can set this config to
+# "no" and the kernel global to "always".
+
+disable-thp yes
 ############################## APPEND ONLY MODE ###############################
@@ -499,14 +1381,43 @@ rename-command DEBUG ""
 # If the AOF is enabled on startup Redis will load the AOF, that is the file
 # with the better durability guarantees.
 #
-# Please check http://redis.io/topics/persistence for more information.
+# Please check https://redis.io/topics/persistence for more information.
 appendonly no
-# The name of the append only file (default: "appendonly.aof")
+# The base name of the append only file.
+#
+# Redis 7 and newer use a set of append-only files to persist the dataset
+# and changes applied to it. There are two basic types of files in use:
+#
+# - Base files, which are a snapshot representing the complete state of the
+# dataset at the time the file was created. Base files can be either in
+# the form of RDB (binary serialized) or AOF (textual commands).
+# - Incremental files, which contain additional commands that were applied
+# to the dataset following the previous file.
+#
+# In addition, manifest files are used to track the files and the order in
+# which they were created and should be applied.
+#
+# Append-only file names are created by Redis following a specific pattern.
+# The file name's prefix is based on the 'appendfilename' configuration
+# parameter, followed by additional information about the sequence and type.
+#
+# For example, if appendfilename is set to appendonly.aof, the following file
+# names could be derived:
+#
+# - appendonly.aof.1.base.rdb as a base file.
+# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files.
+# - appendonly.aof.manifest as a manifest file.
 appendfilename "appendonly.aof"
+# For convenience, Redis stores all persistent append-only files in a dedicated
+# directory. The name of the directory is determined by the appenddirname
+# configuration parameter.
+
+appenddirname "appendonlydir"
+
 # The fsync() call tells the Operating System to actually write data on disk
 # instead of waiting for more data in the output buffer.
Some OS will really flush
 # data on disk, some other OS will just try to do it ASAP.
@@ -546,7 +1457,7 @@ appendfsync everysec
 # BGSAVE or BGREWRITEAOF is in progress.
 #
 # This means that while another child is saving, the durability of Redis is
-# the same as "appendfsync none". In practical terms, this means that it is
+# the same as "appendfsync no". In practical terms, this means that it is
 # possible to lose up to 30 seconds of log in the worst scenario (with the
 # default Linux settings).
 #
@@ -570,8 +1481,7 @@ no-appendfsync-on-rewrite no
 # is reached but it is still pretty small.
 #
 # Specify a percentage of zero in order to disable the automatic AOF
-# rewrite feature.
-
+# rewrite feature.auto-aof-rewrite-percentage 100
 auto-aof-rewrite-percentage 100
 auto-aof-rewrite-min-size 64mb
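Review bot: The added line `# rewrite feature.auto-aof-rewrite-percentage 100` in the `@@ -570,8 +1481,7 @@` hunk appears to merge the directive text into the comment: the old `# rewrite feature.` line and the blank line after it were removed and replaced by a single line, which matches the hunk shrinking from 8 to 7 lines. The real `auto-aof-rewrite-percentage 100` context line still follows, so the setting stays effective, but the comment now reads as if a second, commented-out directive existed. Restore the two lines as `# rewrite feature.` followed by an empty line so the directive stands alone below it.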
@@ -599,23 +1509,296 @@ auto-aof-rewrite-min-size 64mb # will be found. aof-load-truncated yes -################################ LUA SCRIPTING ############################### +# Redis can create append-only base files in either RDB or AOF formats. Using +# the RDB format is always faster and more efficient, and disabling it is only +# supported for backward compatibility purposes. +aof-use-rdb-preamble yes + +# Redis supports recording timestamp annotations in the AOF to support restoring +# the data from a specific point-in-time. However, using this capability changes +# the AOF format in a way that may not be compatible with existing AOF parsers. +aof-timestamp-enabled no + +################################ SHUTDOWN ##################################### + +# Maximum time to wait for replicas when shutting down, in seconds. +# +# During shut down, a grace period allows any lagging replicas to catch up with +# the latest replication offset before the master exists. This period can +# prevent data loss, especially for deployments without configured disk backups. +# +# The 'shutdown-timeout' value is the grace period's duration in seconds. It is +# only applicable when the instance has replicas. To disable the feature, set +# the value to 0. +# +# shutdown-timeout 10 + +# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default +# an RDB snapshot is written to disk in a blocking operation if save points are configured. +# The options used on signaled shutdown can include the following values: +# default: Saves RDB snapshot only if save points are configured. +# Waits for lagging replicas to catch up. +# save: Forces a DB saving operation even if no save points are configured. +# nosave: Prevents DB saving operation even if one or more save points are configured. +# now: Skips waiting for lagging replicas. +# force: Ignores any errors that would normally prevent the server from exiting. 
+# +# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously. +# Example: "nosave force now" +# +# shutdown-on-sigint default +# shutdown-on-sigterm default + +################ NON-DETERMINISTIC LONG BLOCKING COMMANDS ##################### -# Max execution time of a Lua script in milliseconds. +# Maximum time in milliseconds for EVAL scripts, functions and in some cases +# modules' commands before Redis can start processing or rejecting other clients. # -# If the maximum execution time is reached Redis will log that a script is -# still in execution after the maximum allowed time and will start to -# reply to queries with an error. +# If the maximum execution time is reached Redis will start to reply to most +# commands with a BUSY error. # -# When a long running script exceeds the maximum execution time only the -# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be -# used to stop a script that did not yet called write commands. The second -# is the only way to shut down the server in the case a write command was -# already issued by the script but the user doesn't want to wait for the natural -# termination of the script. +# In this state Redis will only allow a handful of commands to be executed. +# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some +# module specific 'allow-busy' commands. # -# Set it to 0 or a negative value for unlimited execution without warnings. +# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not +# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop +# the server in the case a write command was already issued by the script when +# the user doesn't want to wait for the natural termination of the script. +# +# The default is 5 seconds. It is possible to set it to 0 or a negative value +# to disable this mechanism (uninterrupted execution). 
Note that in the past +# this config had a different name, which is now an alias, so both of these do +# the same: lua-time-limit 5000 +# busy-reply-threshold 5000 + +################################ REDIS CLUSTER ############################### + +# Normal Redis instances can't be part of a Redis Cluster; only nodes that are +# started as cluster nodes can. In order to start a Redis instance as a +# cluster node enable the cluster support uncommenting the following: +# +# cluster-enabled yes + +# Every cluster node has a cluster configuration file. This file is not +# intended to be edited by hand. It is created and updated by Redis nodes. +# Every Redis Cluster node requires a different cluster configuration file. +# Make sure that instances running in the same system do not have +# overlapping cluster configuration file names. +# +# cluster-config-file nodes-6379.conf + +# Cluster node timeout is the amount of milliseconds a node must be unreachable +# for it to be considered in failure state. +# Most other internal time limits are a multiple of the node timeout. +# +# cluster-node-timeout 15000 + +# The cluster port is the port that the cluster bus will listen for inbound connections on. When set +# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires +# you to specify the cluster bus port when executing cluster meet. +# cluster-port 0 + +# A replica of a failing master will avoid to start a failover if its data +# looks too old. +# +# There is no simple way for a replica to actually have an exact measure of +# its "data age", so the following two checks are performed: +# +# 1) If there are multiple replicas able to failover, they exchange messages +# in order to try to give an advantage to the replica with the best +# replication offset (more data from the master processed). +# Replicas will try to get their rank by offset, and apply to the start +# of the failover a delay proportional to their rank. 
+# +# 2) Every single replica computes the time of the last interaction with +# its master. This can be the last ping or command received (if the master +# is still in the "connected" state), or the time that elapsed since the +# disconnection with the master (if the replication link is currently down). +# If the last interaction is too old, the replica will not try to failover +# at all. +# +# The point "2" can be tuned by user. Specifically a replica will not perform +# the failover if, since the last interaction with the master, the time +# elapsed is greater than: +# +# (node-timeout * cluster-replica-validity-factor) + repl-ping-replica-period +# +# So for example if node-timeout is 30 seconds, and the cluster-replica-validity-factor +# is 10, and assuming a default repl-ping-replica-period of 10 seconds, the +# replica will not try to failover if it was not able to talk with the master +# for longer than 310 seconds. +# +# A large cluster-replica-validity-factor may allow replicas with too old data to failover +# a master, while a too small value may prevent the cluster from being able to +# elect a replica at all. +# +# For maximum availability, it is possible to set the cluster-replica-validity-factor +# to a value of 0, which means, that replicas will always try to failover the +# master regardless of the last time they interacted with the master. +# (However they'll always try to apply a delay proportional to their +# offset rank). +# +# Zero is the only value able to guarantee that when all the partitions heal +# the cluster will always be able to continue. +# +# cluster-replica-validity-factor 10 + +# Cluster replicas are able to migrate to orphaned masters, that are masters +# that are left without working replicas. This improves the cluster ability +# to resist to failures as otherwise an orphaned master can't be failed over +# in case of failure if it has no working replicas. 
+# +# Replicas migrate to orphaned masters only if there are still at least a +# given number of other working replicas for their old master. This number +# is the "migration barrier". A migration barrier of 1 means that a replica +# will migrate only if there is at least 1 other working replica for its master +# and so forth. It usually reflects the number of replicas you want for every +# master in your cluster. +# +# Default is 1 (replicas migrate only if their masters remain with at least +# one replica). To disable migration just set it to a very large value or +# set cluster-allow-replica-migration to 'no'. +# A value of 0 can be set but is useful only for debugging and dangerous +# in production. +# +# cluster-migration-barrier 1 + +# Turning off this option allows to use less automatic cluster configuration. +# It both disables migration to orphaned masters and migration from masters +# that became empty. +# +# Default is 'yes' (allow automatic migrations). +# +# cluster-allow-replica-migration yes + +# By default Redis Cluster nodes stop accepting queries if they detect there +# is at least a hash slot uncovered (no available node is serving it). +# This way if the cluster is partially down (for example a range of hash slots +# are no longer covered) all the cluster becomes, eventually, unavailable. +# It automatically returns available as soon as all the slots are covered again. +# +# However sometimes you want the subset of the cluster which is working, +# to continue to accept queries for the part of the key space that is still +# covered. In order to do so, just set the cluster-require-full-coverage +# option to no. +# +# cluster-require-full-coverage yes + +# This option, when set to yes, prevents replicas from trying to failover its +# master during master failures. However the replica can still perform a +# manual failover, if forced to do so. 
+# +# This is useful in different scenarios, especially in the case of multiple +# data center operations, where we want one side to never be promoted if not +# in the case of a total DC failure. +# +# cluster-replica-no-failover no + +# This option, when set to yes, allows nodes to serve read traffic while the +# cluster is in a down state, as long as it believes it owns the slots. +# +# This is useful for two cases. The first case is for when an application +# doesn't require consistency of data during node failures or network partitions. +# One example of this is a cache, where as long as the node has the data it +# should be able to serve it. +# +# The second use case is for configurations that don't meet the recommended +# three shards but want to enable cluster mode and scale later. A +# master outage in a 1 or 2 shard configuration causes a read/write outage to the +# entire cluster without this option set, with it set there is only a write outage. +# Without a quorum of masters, slot ownership will not change automatically. +# +# cluster-allow-reads-when-down no + +# This option, when set to yes, allows nodes to serve pubsub shard traffic while +# the cluster is in a down state, as long as it believes it owns the slots. +# +# This is useful if the application would like to use the pubsub feature even when +# the cluster global stable state is not OK. If the application wants to make sure only +# one shard is serving a given channel, this feature should be kept as yes. +# +# cluster-allow-pubsubshard-when-down yes + +# Cluster link send buffer limit is the limit on the memory usage of an individual +# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed +# this limit. This is to primarily prevent send buffers from growing unbounded on links +# toward slow peers (E.g. PubSub messages being piled up). +# This limit is disabled by default. 
Enable this limit when 'mem_cluster_links' INFO field +# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase. +# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single +# PubSub message by default. (client-query-buffer-limit default value is 1gb) +# +# cluster-link-sendbuf-limit 0 + +# Clusters can configure their announced hostname using this config. This is a common use case for +# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based +# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS +# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is +# communicated along the clusterbus to all nodes, setting it to an empty string will remove +# the hostname and also propagate the removal. +# +# cluster-announce-hostname "" + +# Clusters can advertise how clients should connect to them using either their IP address, +# a user defined hostname, or by declaring they have no endpoint. Which endpoint is +# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type +# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how +# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS. +# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?' +# will be returned instead. +# +# When a cluster advertises itself as having an unknown endpoint, it's indicating that +# the server doesn't know how clients can reach the cluster. This can happen in certain +# networking situations where there are multiple possible routes to the node, and the +# server doesn't know which one the client took. In this case, the server is expecting +# the client to reach out on the same endpoint it used for making the last request, but use +# the port provided in the response. 
+# +# cluster-preferred-endpoint-type ip + +# In order to setup your cluster make sure to read the documentation +# available at https://redis.io web site. + +########################## CLUSTER DOCKER/NAT support ######################## + +# In certain deployments, Redis Cluster nodes address discovery fails, because +# addresses are NAT-ted or because ports are forwarded (the typical case is +# Docker and other containers). +# +# In order to make Redis Cluster working in such environments, a static +# configuration where each node knows its public address is needed. The +# following four options are used for this scope, and are: +# +# * cluster-announce-ip +# * cluster-announce-port +# * cluster-announce-tls-port +# * cluster-announce-bus-port +# +# Each instructs the node about its address, client ports (for connections +# without and with TLS) and cluster message bus port. The information is then +# published in the header of the bus packets so that other nodes will be able to +# correctly map the address of the node publishing the information. +# +# If cluster-tls is set to yes and cluster-announce-tls-port is omitted or set +# to zero, then cluster-announce-port refers to the TLS port. Note also that +# cluster-announce-tls-port has no effect if cluster-tls is set to no. +# +# If the above options are not used, the normal Redis Cluster auto-detection +# will be used instead. +# +# Note that when remapped, the bus port may not be at the fixed offset of +# clients port + 10000, so you can specify any port and bus-port depending +# on how they get remapped. If the bus-port is not set, a fixed offset of +# 10000 will be used as usual. +# +# Example: +# +# cluster-announce-ip 10.1.1.5 +# cluster-announce-tls-port 6379 +# cluster-announce-port 0 +# cluster-announce-bus-port 6380 ################################## SLOW LOG ################################### 
@@ -658,14 +1841,28 @@ slowlog-max-len 128
 # By default latency monitoring is disabled since it is mostly not needed
 # if you don't have latency issues, and collecting data has a performance
 # impact, that while very small, can be measured under big load. Latency
-# monitoring can easily be enalbed at runtime using the command
+# monitoring can easily be enabled at runtime using the command
 # "CONFIG SET latency-monitor-threshold " if needed.
 latency-monitor-threshold 0
 
-############################# Event notification ##############################
+################################ LATENCY TRACKING ##############################
+
+# The Redis extended latency monitoring tracks the per command latencies and enables
+# exporting the percentile distribution via the INFO latencystats command,
+# and cumulative latency distributions (histograms) via the LATENCY command.
+#
+# By default, the extended latency monitoring is enabled since the overhead
+# of keeping track of the command latency is very small.
+# latency-tracking yes
+
+# By default the exported latency percentiles via the INFO latencystats command
+# are the p50, p99, and p999.
+# latency-tracking-info-percentiles 50 99 99.9
+
+############################# EVENT NOTIFICATION ##############################
 
 # Redis can notify Pub/Sub clients about events happening in the key space.
-# This feature is documented at http://redis.io/topics/notifications
+# This feature is documented at https://redis.io/topics/notifications
 #
 # For instance if keyspace events notification is enabled, and a client
 # performs a DEL operation on key "foo" stored in the Database 0, two
@@ -687,7 +1884,13 @@ latency-monitor-threshold 0
 # z Sorted set commands
 # x Expired events (events generated every time a key expires)
 # e Evicted events (events generated when a key is evicted for maxmemory)
-# A Alias for g$lshzxe, so that the "AKE" string means all the events.
+# n New key events (Note: not included in the 'A' class)
+# t Stream commands
+# d Module key type events
+# m Key-miss events (Note: It is not included in the 'A' class)
+# A Alias for g$lshzxetd, so that the "AKE" string means all the events
+# (Except key-miss events which are excluded from 'A' due to their
+# unique nature).
 #
 # The "notify-keyspace-events" takes as argument a string that is composed
 # of zero or multiple characters. The empty string means that notifications
@@ -713,14 +1916,39 @@ notify-keyspace-events ""
 # Hashes are encoded using a memory efficient data structure when they have a
 # small number of entries, and the biggest entry does not exceed a given
 # threshold. These thresholds can be configured using the following directives.
-hash-max-ziplist-entries 512
-hash-max-ziplist-value 64
-
-# Similarly to hashes, small lists are also encoded in a special way in order
-# to save a lot of space. The special representation is only used when
-# you are under the following limits:
-list-max-ziplist-entries 512
-list-max-ziplist-value 64
+hash-max-listpack-entries 512
+hash-max-listpack-value 64
+
+# Lists are also encoded in a special way to save a lot of space.
+# The number of entries allowed per internal list node can be specified
+# as a fixed maximum size or a maximum number of elements.
+# For a fixed maximum size, use -5 through -1, meaning:
+# -5: max size: 64 Kb <-- not recommended for normal workloads
+# -4: max size: 32 Kb <-- not recommended
+# -3: max size: 16 Kb <-- probably not recommended
+# -2: max size: 8 Kb <-- good
+# -1: max size: 4 Kb <-- good
+# Positive numbers mean store up to _exactly_ that number of elements
+# per list node.
+# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
+# but if your use case is unique, adjust the settings as necessary.
+list-max-listpack-size -2
+
+# Lists may also be compressed.
+# Compress depth is the number of quicklist ziplist nodes from *each* side of
+# the list to *exclude* from compression. The head and tail of the list
+# are always uncompressed for fast push/pop operations. Settings are:
+# 0: disable all list compression
+# 1: depth 1 means "don't start compressing until after 1 node into the list,
+# going from either the head or tail"
+# So: [head]->node->node->...->node->[tail]
+# [head], [tail] will always be uncompressed; inner nodes will compress.
+# 2: [head]->[next]->node->node->...->node->[prev]->[tail]
+# 2 here means: don't compress head or head->next or tail->prev or tail,
+# but compress all nodes between them.
+# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail]
+# etc.
+list-compress-depth 0
 
 # Sets have a special encoding in just one case: when a set is composed
 # of just strings that happen to be integers in radix 10 in the range
@@ -732,8 +1960,8 @@ set-max-intset-entries 512
 # Similarly to hashes and lists, sorted sets are also specially encoded in
 # order to save a lot of space. This encoding is only used when the length and
 # elements of a sorted set are below the following limits:
-zset-max-ziplist-entries 128
-zset-max-ziplist-value 64
+zset-max-listpack-entries 128
+zset-max-listpack-value 64
 
 # HyperLogLog sparse representation bytes limit. The limit includes the
 # 16 bytes header. When an HyperLogLog using the sparse representation crosses
@@ -749,6 +1977,17 @@ zset-max-ziplist-value 64
 # composed of many HyperLogLogs with cardinality in the 0 - 15000 range.
 hll-sparse-max-bytes 3000
 
+# Streams macro node max size / items. The stream data structure is a radix
+# tree of big nodes that encode multiple items inside. Using this configuration
+# it is possible to configure how big a single node can be in bytes, and the
+# maximum number of items it may contain before switching to a new node when
+# appending new stream entries. If any of the following settings are set to
+# zero, the limit is ignored, so for instance it is possible to set just a
+# max entries limit by setting max-bytes to 0 and max-entries to the desired
+# value.
+stream-node-max-bytes 4096
+stream-node-max-entries 100
+
 # Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
 # order to help rehashing the main Redis hash table (the one mapping top-level
 # keys to values). The hash table implementation Redis uses (see dict.c)
@@ -777,7 +2016,7 @@ activerehashing yes
 # The limit can be set differently for the three different classes of clients:
 #
 # normal -> normal clients including MONITOR clients
-# slave -> slave clients
+# replica -> replica clients
 # pubsub -> clients subscribed to at least one pubsub channel or pattern
 #
 # The syntax of every client-output-buffer-limit directive is the following:
@@ -798,14 +2037,54 @@ activerehashing yes # asynchronous clients may create a scenario where data is requested faster # than it can read. # -# Instead there is a default limit for pubsub and slave clients, since -# subscribers and slaves receive data in a push fashion. +# Instead there is a default limit for pubsub and replica clients, since +# subscribers and replicas receive data in a push fashion. +# +# Note that it doesn't make sense to set the replica clients output buffer +# limit lower than the repl-backlog-size config (partial sync will succeed +# and then replica will get disconnected). +# Such a configuration is ignored (the size of repl-backlog-size will be used). +# This doesn't have memory consumption implications since the replica client +# will share the backlog buffers memory. # # Both the hard or the soft limit can be disabled by setting them to zero. client-output-buffer-limit normal 0 0 0 -client-output-buffer-limit slave 256mb 64mb 60 +client-output-buffer-limit replica 256mb 64mb 60 client-output-buffer-limit pubsub 32mb 8mb 60 +# Client query buffers accumulate new commands. They are limited to a fixed +# amount by default in order to avoid that a protocol desynchronization (for +# instance due to a bug in the client) will lead to unbound memory usage in +# the query buffer. However you can configure it here if you have very special +# needs, such us huge multi/exec requests or alike. +# +# client-query-buffer-limit 1gb + +# In some scenarios client connections can hog up memory leading to OOM +# errors or data eviction. To avoid this we can cap the accumulated memory +# used by all client connections (all pubsub and normal clients). Once we +# reach that limit connections will be dropped by the server freeing up +# memory. The server will attempt to drop the connections using the most +# memory first. We call this mechanism "client eviction". 
+# +# Client eviction is configured using the maxmemory-clients setting as follows: +# 0 - client eviction is disabled (default) +# +# A memory value can be used for the client eviction threshold, +# for example: +# maxmemory-clients 1g +# +# A percentage value (between 1% and 100%) means the client eviction threshold +# is based on a percentage of the maxmemory setting. For example to set client +# eviction at 5% of maxmemory: +# maxmemory-clients 5% + +# In the Redis protocol, bulk requests, that are, elements representing single +# strings, are normally limited to 512 mb. However you can change this limit +# here, but must be 1mb or greater +# +# proto-max-bulk-len 512mb + # Redis calls an internal function to perform many background tasks, like # closing connections of clients in timeout, purging expired keys that are # never requested, and so forth. 
@@ -823,8 +2102,181 @@ client-output-buffer-limit pubsub 32mb 8mb 60 # 100 only in environments where very low latency is required. hz 10 +# Normally it is useful to have an HZ value which is proportional to the +# number of clients connected. This is useful in order, for instance, to +# avoid too many clients are processed for each background task invocation +# in order to avoid latency spikes. +# +# Since the default HZ value by default is conservatively set to 10, Redis +# offers, and enables by default, the ability to use an adaptive HZ value +# which will temporarily raise when there are many connected clients. +# +# When dynamic HZ is enabled, the actual configured HZ will be used +# as a baseline, but multiples of the configured HZ value will be actually +# used as needed once more clients are connected. In this way an idle +# instance will use very little CPU time while a busy instance will be +# more responsive. +dynamic-hz yes + # When a child rewrites the AOF file, if the following option is enabled -# the file will be fsync-ed every 32 MB of data generated. This is useful +# the file will be fsync-ed every 4 MB of data generated. This is useful # in order to commit the file to the disk more incrementally and avoid # big latency spikes. aof-rewrite-incremental-fsync yes + +# When redis saves RDB file, if the following option is enabled +# the file will be fsync-ed every 4 MB of data generated. This is useful +# in order to commit the file to the disk more incrementally and avoid +# big latency spikes. +rdb-save-incremental-fsync yes + +# Redis LFU eviction (see maxmemory setting) can be tuned. However it is a good +# idea to start with the default settings and only change them after investigating +# how to improve the performances and how the keys LFU change over time, which +# is possible to inspect via the OBJECT FREQ command. 
+# +# There are two tunable parameters in the Redis LFU implementation: the +# counter logarithm factor and the counter decay time. It is important to +# understand what the two parameters mean before changing them. +# +# The LFU counter is just 8 bits per key, it's maximum value is 255, so Redis +# uses a probabilistic increment with logarithmic behavior. Given the value +# of the old counter, when a key is accessed, the counter is incremented in +# this way: +# +# 1. A random number R between 0 and 1 is extracted. +# 2. A probability P is calculated as 1/(old_value*lfu_log_factor+1). +# 3. The counter is incremented only if R < P. +# +# The default lfu-log-factor is 10. This is a table of how the frequency +# counter changes with a different number of accesses with different +# logarithmic factors: +# +# +--------+------------+------------+------------+------------+------------+ +# | factor | 100 hits | 1000 hits | 100K hits | 1M hits | 10M hits | +# +--------+------------+------------+------------+------------+------------+ +# | 0 | 104 | 255 | 255 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 1 | 18 | 49 | 255 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 10 | 10 | 18 | 142 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 100 | 8 | 11 | 49 | 143 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# +# NOTE: The above table was obtained by running the following commands: +# +# redis-benchmark -n 1000000 incr foo +# redis-cli object freq foo +# +# NOTE 2: The counter initial value is 5 in order to give new objects a chance +# to accumulate hits. +# +# The counter decay time is the time, in minutes, that must elapse in order +# for the key counter to be divided by two (or decremented if it has a value +# less <= 10). +# +# The default value for the lfu-decay-time is 1. 
A special value of 0 means to +# decay the counter every time it happens to be scanned. +# +# lfu-log-factor 10 +# lfu-decay-time 1 + +########################### ACTIVE DEFRAGMENTATION ####################### +# +# What is active defragmentation? +# ------------------------------- +# +# Active (online) defragmentation allows a Redis server to compact the +# spaces left between small allocations and deallocations of data in memory, +# thus allowing to reclaim back memory. +# +# Fragmentation is a natural process that happens with every allocator (but +# less so with Jemalloc, fortunately) and certain workloads. Normally a server +# restart is needed in order to lower the fragmentation, or at least to flush +# away all the data and create it again. However thanks to this feature +# implemented by Oran Agra for Redis 4.0 this process can happen at runtime +# in a "hot" way, while the server is running. +# +# Basically when the fragmentation is over a certain level (see the +# configuration options below) Redis will start to create new copies of the +# values in contiguous memory regions by exploiting certain specific Jemalloc +# features (in order to understand if an allocation is causing fragmentation +# and to allocate it in a better place), and at the same time, will release the +# old copies of the data. This process, repeated incrementally for all the keys +# will cause the fragmentation to drop back to normal values. +# +# Important things to understand: +# +# 1. This feature is disabled by default, and only works if you compiled Redis +# to use the copy of Jemalloc we ship with the source code of Redis. +# This is the default with Linux builds. +# +# 2. You never need to enable this feature if you don't have fragmentation +# issues. +# +# 3. Once you experience fragmentation, you can enable this feature when +# needed with the command "CONFIG SET activedefrag yes". 
+# +# The configuration parameters are able to fine tune the behavior of the +# defragmentation process. If you are not sure about what they mean it is +# a good idea to leave the defaults untouched. + +# Active defragmentation is disabled by default +# activedefrag no + +# Minimum amount of fragmentation waste to start active defrag +# active-defrag-ignore-bytes 100mb + +# Minimum percentage of fragmentation to start active defrag +# active-defrag-threshold-lower 10 + +# Maximum percentage of fragmentation at which we use maximum effort +# active-defrag-threshold-upper 100 + +# Minimal effort for defrag in CPU percentage, to be used when the lower +# threshold is reached +# active-defrag-cycle-min 1 + +# Maximal effort for defrag in CPU percentage, to be used when the upper +# threshold is reached +# active-defrag-cycle-max 25 + +# Maximum number of set/hash/zset/list fields that will be processed from +# the main dictionary scan +# active-defrag-max-scan-fields 1000 + +# Jemalloc background thread for purging will be enabled by default +jemalloc-bg-thread yes + +# It is possible to pin different threads and processes of Redis to specific +# CPUs in your system, in order to maximize the performances of the server. +# This is useful both in order to pin different Redis threads in different +# CPUs, but also in order to make sure that multiple Redis instances running +# in the same host will be pinned to different CPUs. +# +# Normally you can do this using the "taskset" command, however it is also +# possible to this via Redis configuration directly, both in Linux and FreeBSD. +# +# You can pin the server/IO threads, bio threads, aof rewrite child process, and +# the bgsave child process. 
The syntax to specify the cpu list is the same as +# the taskset command: +# +# Set redis server/io threads to cpu affinity 0,2,4,6: +# server_cpulist 0-7:2 +# +# Set bio threads to cpu affinity 1,3: +# bio_cpulist 1,3 +# +# Set aof rewrite child process to cpu affinity 8,9,10,11: +# aof_rewrite_cpulist 8-11 +# +# Set bgsave child process to cpu affinity 1,10,11 +# bgsave_cpulist 1,10-11 + +# In some cases redis will emit warnings and even refuse to start if it detects +# that the system is in bad state, it is possible to suppress these warnings +# by setting the following config which takes a space delimited list of warnings +# to suppress +# +# ignore-warnings ARM64-COW-BUG diff --git a/conf/redis_ntlm_cache.conf.example b/conf/redis_ntlm_cache.conf.example index 6be0e7cde7d7..7164849c7cb0 100644 --- a/conf/redis_ntlm_cache.conf.example +++ b/conf/redis_ntlm_cache.conf.example @@ -1,5 +1,10 @@ # Copyright (C) Inverse inc. -# Redis configuration file example +# Redis configuration file example. +# +# Note that in order to read the configuration file, Redis must be +# started with the file path as first argument: +# +# ./redis-server /path/to/redis.conf # Note on units: when memory size is needed, it is possible to specify # it in the usual form of 1k 5GB 4M and so forth: @@ -20,7 +25,7 @@ # to customize a few per-server settings. Include files can include # other files, so use this wisely. # -# Notice option "include" won't be rewritten by command "CONFIG REWRITE" +# Note that option "include" won't be rewritten by command "CONFIG REWRITE" # from admin or Redis Sentinel. Since Redis always uses the last processed # line as value of a configuration directive, you'd better put includes # at the beginning of this file to avoid overwriting config change at runtime. 
@@ -28,43 +33,122 @@ # If instead you are interested in using includes to override configuration # options, it is better to use include as the last line. # +# Included paths may contain wildcards. All files matching the wildcards will +# be included in alphabetical order. +# Note that if an include path contains a wildcards but no files match it when +# the server is started, the include statement will be ignored and no error will +# be emitted. It is safe, therefore, to include wildcard files from empty +# directories. +# # include /path/to/local.conf # include /path/to/other.conf +# include /path/to/fragments/*.conf +# -################################ GENERAL ##################################### +################################## MODULES ##################################### -# By default Redis does not run as a daemon. Use 'yes' if you need it. -# Note that Redis will write a pid file in /var/run/redis.pid when daemonized. -daemonize no +# Load modules at startup. If the server is not able to load modules +# it will abort. It is possible to use multiple loadmodule directives. +# +# loadmodule /path/to/my_module.so +# loadmodule /path/to/other_module.so -# When running daemonized, Redis writes a pid file in /var/run/redis.pid by -# default. You can specify a custom pid file location here. -pidfile /usr/local/pf/var/run/redis_ntlm_cache.pid +################################## NETWORK ##################################### -# Accept connections on the specified port, default is 6379. +# By default, if no "bind" configuration directive is specified, Redis listens +# for connections from all available network interfaces on the host machine. +# It is possible to listen to just one or multiple selected interfaces using +# the "bind" configuration directive, followed by one or more IP addresses. +# Each address can be prefixed by "-", which means that redis will not fail to +# start if the address is not available. 
Being not available only refers to +# addresses that does not correspond to any network interface. Addresses that +# are already in use will always fail, and unsupported protocols will always BE +# silently skipped. +# +# Examples: +# +# bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses +# bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6 +# bind * -::* # like the default, all available interfaces +# +# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the +# internet, binding to all the interfaces is dangerous and will expose the +# instance to everybody on the internet. So by default we uncomment the +# following bind directive, that will force Redis to listen only on the +# IPv4 and IPv6 (if available) loopback interface addresses (this means Redis +# will only be able to accept client connections from the same host that it is +# running on). +# +# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES +# COMMENT OUT THE FOLLOWING LINE. +# +# You will also need to set a password unless you explicitly disable protected +# mode. +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +bind 127.0.0.1 + +# By default, outgoing connections (from replica to master, from Sentinel to +# instances, cluster bus, etc.) are not bound to a specific local address. In +# most cases, this means the operating system will handle that based on routing +# and the interface through which the connection goes out. +# +# Using bind-source-addr it is possible to configure a specific address to bind +# to, which may also affect how the connection gets routed. +# +# Example: +# +# bind-source-addr 10.0.0.1 + +# Protected mode is a layer of security protection, in order to avoid that +# Redis instances left open on the internet are accessed and exploited. 
+# +# When protected mode is on and the default user has no password, the server +# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address +# (::1) or Unix domain sockets. +# +# By default protected mode is enabled. You should disable it only if +# you are sure you want clients from other hosts to connect to Redis +# even if no authentication is configured. +protected-mode no + +# Redis uses default hardened security configuration directives to reduce the +# attack surface on innocent users. Therefore, several sensitive configuration +# directives are immutable, and some potentially-dangerous commands are blocked. +# +# Configuration directives that control files that Redis writes to (e.g., 'dir' +# and 'dbfilename') and that aren't usually modified during runtime +# are protected by making them immutable. +# +# Commands that can increase the attack surface of Redis and that aren't usually +# called by users are blocked by default. +# +# These can be exposed to either all connections or just local ones by setting +# each of the configs listed below to either of these values: +# +# no - Block for any connection (remain immutable) +# yes - Allow for any connection (no protection) +# local - Allow only for local connections. Ones originating from the +# IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets. +# +# enable-protected-configs no +# enable-debug-command no +# enable-module-command no + +# Accept connections on the specified port, default is 6379 (IANA #815344). # If port 0 is specified Redis will not listen on a TCP socket. port 6383 # TCP listen() backlog. # -# In high requests-per-second environments you need an high backlog in order -# to avoid slow clients connections issues. Note that the Linux kernel +# In high requests-per-second environments you need a high backlog in order +# to avoid slow clients connection issues. 
Note that the Linux kernel # will silently truncate it to the value of /proc/sys/net/core/somaxconn so # make sure to raise both the value of somaxconn and tcp_max_syn_backlog # in order to get the desired effect. tcp-backlog 511 -# By default Redis listens for connections from all the network interfaces -# available on the server. It is possible to listen to just one or multiple -# interfaces using the "bind" configuration directive, followed by one or -# more IP addresses. +# Unix socket. # -# Examples: -# -# bind 192.168.1.100 10.0.0.1 -# bind 127.0.0.1 -bind 127.0.0.1 - # Specify the path for the Unix socket that will be used to listen for # incoming connections. There is no default, so Redis will not listen # on a unix socket when not specified. 
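Review bot: `protected-mode no` is introduced directly after `bind 127.0.0.1`, and no `requirepass` appears anywhere in this hunk, so the bind line is the only thing keeping this instance local. Protected mode only rejects non-loopback clients when no password is configured, so on a loopback-only listener it is inert and costs nothing, while switching it off removes the fallback if the bind is ever widened; the hunk's own text above the directive says the default is enabled and should be disabled only when unauthenticated remote clients are wanted, and the bind comment adds that a password is needed unless protected mode is deliberately disabled. Unless something in the deployment needs it off, keep `protected-mode yes`; if it must stay off, add a comment such as `# Protected mode disabled on purpose: <reason>; access is limited by the loopback bind above.` so the next reader does not take it for an oversight.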
@@ -81,16 +165,182 @@ timeout 0 # of communication. This is useful for two reasons: # # 1) Detect dead peers. -# 2) Take the connection alive from the point of view of network -# equipment in the middle. +# 2) Force network equipment in the middle to consider the connection to be +# alive. # # On Linux, the specified value (in seconds) is the period used to send ACKs. # Note that to close the connection the double of the time is needed. # On other kernels the period depends on the kernel configuration. # -# A reasonable value for this option is 60 seconds. +# A reasonable value for this option is 300 seconds, which is the new +# Redis default starting with Redis 3.2.1. tcp-keepalive 0 +# Apply OS-specific mechanism to mark the listening socket with the specified +# ID, to support advanced routing and filtering capabilities. +# +# On Linux, the ID represents a connection mark. +# On FreeBSD, the ID represents a socket cookie ID. +# On OpenBSD, the ID represents a route table ID. +# +# The default value is 0, which implies no marking is required. +# socket-mark-id 0 + +################################# TLS/SSL ##################################### + +# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration +# directive can be used to define TLS-listening ports. To enable TLS on the +# default port, use: +# +# port 0 +# tls-port 6379 + +# Configure a X.509 certificate and private key to use for authenticating the +# server to connected clients, masters or cluster peers. These files should be +# PEM formatted. +# +# tls-cert-file redis.crt +# tls-key-file redis.key +# +# If the key file is encrypted using a passphrase, it can be included here +# as well. +# +# tls-key-file-pass secret + +# Normally Redis uses the same certificate for both server functions (accepting +# connections) and client functions (replicating from a master, establishing +# cluster bus connections, etc.). 
+# +# Sometimes certificates are issued with attributes that designate them as +# client-only or server-only certificates. In that case it may be desired to use +# different certificates for incoming (server) and outgoing (client) +# connections. To do that, use the following directives: +# +# tls-client-cert-file client.crt +# tls-client-key-file client.key +# +# If the key file is encrypted using a passphrase, it can be included here +# as well. +# +# tls-client-key-file-pass secret + +# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange, +# required by older versions of OpenSSL (<3.0). Newer versions do not require +# this configuration and recommend against it. +# +# tls-dh-params-file redis.dh + +# Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL +# clients and peers. Redis requires an explicit configuration of at least one +# of these, and will not implicitly use the system wide configuration. +# +# tls-ca-cert-file ca.crt +# tls-ca-cert-dir /etc/ssl/certs + +# By default, clients (including replica servers) on a TLS port are required +# to authenticate using valid client side certificates. +# +# If "no" is specified, client certificates are not required and not accepted. +# If "optional" is specified, client certificates are accepted and must be +# valid if provided, but are not required. +# +# tls-auth-clients no +# tls-auth-clients optional + +# By default, a Redis replica does not attempt to establish a TLS connection +# with its master. +# +# Use the following directive to enable TLS on replication links. +# +# tls-replication yes + +# By default, the Redis Cluster bus uses a plain TCP connection. To enable +# TLS for the bus protocol, use the following directive: +# +# tls-cluster yes + +# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended +# that older formally deprecated versions are kept disabled to reduce the attack surface. 
+# You can explicitly specify TLS versions to support. +# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2", +# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination. +# To enable only TLSv1.2 and TLSv1.3, use: +# +# tls-protocols "TLSv1.2 TLSv1.3" + +# Configure allowed ciphers. See the ciphers(1ssl) manpage for more information +# about the syntax of this string. +# +# Note: this configuration applies only to <= TLSv1.2. +# +# tls-ciphers DEFAULT:!MEDIUM + +# Configure allowed TLSv1.3 ciphersuites. See the ciphers(1ssl) manpage for more +# information about the syntax of this string, and specifically for TLSv1.3 +# ciphersuites. +# +# tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256 + +# When choosing a cipher, use the server's preference instead of the client +# preference. By default, the server follows the client's preference. +# +# tls-prefer-server-ciphers yes + +# By default, TLS session caching is enabled to allow faster and less expensive +# reconnections by clients that support it. Use the following directive to disable +# caching. +# +# tls-session-caching no + +# Change the default number of TLS sessions cached. A zero value sets the cache +# to unlimited size. The default size is 20480. +# +# tls-session-cache-size 5000 + +# Change the default timeout of cached TLS sessions. The default timeout is 300 +# seconds. +# +# tls-session-cache-timeout 60 + +################################# GENERAL ##################################### + +# By default Redis does not run as a daemon. Use 'yes' if you need it. +# Note that Redis will write a pid file in /var/run/redis.pid when daemonized. +# When Redis is supervised by upstart or systemd, this parameter has no impact. +daemonize no + +# If you run Redis from upstart or systemd, Redis can interact with your +# supervision tree. 
Options: +# supervised no - no supervision interaction +# supervised upstart - signal upstart by putting Redis into SIGSTOP mode +# requires "expect stop" in your upstart job config +# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET +# on startup, and updating Redis status on a regular +# basis. +# supervised auto - detect upstart or systemd method based on +# UPSTART_JOB or NOTIFY_SOCKET environment variables +# Note: these supervision methods only signal "process is ready." +# They do not enable continuous pings back to your supervisor. +# +# The default is "no". To run under upstart/systemd, you can simply uncomment +# the line below: +# +# supervised auto + +# If a pid file is specified, Redis writes it where specified at startup +# and removes it at exit. +# +# When the server runs non daemonized, no pid file is created if none is +# specified in the configuration. When the server is daemonized, the pid file +# is used even if not specified, defaulting to "/var/run/redis.pid". +# +# Creating a pid file is best effort: if Redis is not able to create it +# nothing bad happens, the server will start and run normally. +# +# Note that on modern Linux systems "/run/redis.pid" is more conforming +# and should be used instead. +pidfile /usr/local/pf/var/run/redis_ntlm_cache.pid + # Specify the server verbosity level. # This can be one of: # debug (a lot of information, useful for development/testing) 
@@ -114,33 +364,74 @@ syslog-ident redis-ntlm-cache # Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. syslog-facility local5 +# To disable the built in crash log, which will possibly produce cleaner core +# dumps when they are needed, uncomment the following: +# +# crash-log-enabled no + +# To disable the fast memory check that's run as part of the crash log, which +# will possibly let redis terminate sooner, uncomment the following: +# +# crash-memcheck-enabled no + # Set the number of databases. The default database is DB 0, you can select # a different one on a per-connection basis using SELECT where # dbid is a number between 0 and 'databases'-1 databases 1 +# By default Redis shows an ASCII art logo only when started to log to the +# standard output and if the standard output is a TTY and syslog logging is +# disabled. Basically this means that normally a logo is displayed only in +# interactive sessions. +# +# However it is possible to force the pre-4.0 behavior and always show a +# ASCII art logo in startup logs by setting the following option to yes. +always-show-logo no + +# By default, Redis modifies the process title (as seen in 'top' and 'ps') to +# provide some runtime information. It is possible to disable this and leave +# the process name as executed by setting the following to no. +set-proc-title yes + +# When changing the process title, Redis uses the following template to construct +# the modified title. +# +# Template variables are specified in curly brackets. The following variables are +# supported: +# +# {title} Name of process as executed if parent, or type of child process. +# {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or +# Unix socket if only that's available. +# {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]". +# {port} TCP port listening on, or 0. +# {tls-port} TLS port listening on, or 0. +# {unixsocket} Unix domain socket listening on, or "". 
+# {config-file} Name of configuration file used. +# +proc-title-template "{title} {listen-addr} {server-mode}" + ################################ SNAPSHOTTING ################################ + +# Save the DB to disk. # -# Save the DB on disk: +# save [ ...] # -# save +# Redis will save the DB if the given number of seconds elapsed and it +# surpassed the given number of write operations against the DB. # -# Will save the DB if both the given number of seconds and the given -# number of write operations against the DB occurred. +# Snapshotting can be completely disabled with a single empty string argument +# as in following example: # -# In the example below the behaviour will be to save: -# after 900 sec (15 min) if at least 1 key changed -# after 300 sec (5 min) if at least 10 keys changed -# after 60 sec if at least 10000 keys changed +# save "" # -# Note: you can disable saving completely by commenting out all "save" lines. +# Unless specified otherwise, by default Redis will save the DB: +# * After 3600 seconds (an hour) if at least 1 change was performed +# * After 300 seconds (5 minutes) if at least 100 changes were performed +# * After 60 seconds if at least 10000 changes were performed # -# It is also possible to remove all the previously configured save -# points by adding a save directive with a single empty string argument -# like in the following example: +# You can set these explicitly by uncommenting the following line. # -# save "" - +# save 3600 1 300 100 60 10000 save 900 1 save 300 10 save 60 10000 @@ -161,7 +452,7 @@ save 60 10000 stop-writes-on-bgsave-error yes # Compress string objects using LZF when dump .rdb databases? -# For default that's set to 'yes' as it's almost always a win. +# By default compression is enabled as it's almost always a win. # If you want to save some CPU in the saving child set it to 'no' but # the dataset will likely be bigger if you have compressible values or keys. rdbcompression yes 
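Review bot: The SNAPSHOTTING commentary pasted in from upstream now says "You can set these explicitly by uncommenting the following line" above `# save 3600 1 300 100 60 10000`, but the active directives that follow are still the legacy three-line form `save 900 1`, `save 300 10`, `save 60 10000`, so the comment describes a directive that is not the one in force. Redis 7 still appends multiple legacy `save` lines when reading the config file, so behaviour should be unchanged, but the text misleads the next person editing this schedule. Either collapse the three lines into the Redis 7 form `save 900 1 300 10 60 10000`, or replace the "uncomment the following line" sentence with a comment such as `# This instance keeps the pre-7.0 save points below (multiple legacy save lines are still accepted).` Since this file configures the NTLM auth cache, it would also be worth stating in that comment whether its entries are meant to be persisted to dump.rdb at all, or whether `save ""` was considered.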
@@ -175,9 +466,37 @@ rdbcompression yes # tell the loading code to skip the check. rdbchecksum yes +# Enables or disables full sanitization checks for ziplist and listpack etc when +# loading an RDB or RESTORE payload. This reduces the chances of a assertion or +# crash later on while processing commands. +# Options: +# no - Never perform full sanitization +# yes - Always perform full sanitization +# clients - Perform full sanitization only for user connections. +# Excludes: RDB files, RESTORE commands received from the master +# connection, and client connections which have the +# skip-sanitize-payload ACL flag. +# The default should be 'clients' but since it currently affects cluster +# resharding via MIGRATE, it is temporarily set to 'no' by default. +# +# sanitize-dump-payload no + # The filename where to dump the DB dbfilename dump.rdb +# Remove RDB files used by replication in instances without persistence +# enabled. By default this option is disabled, however there are environments +# where for regulations or other security concerns, RDB files persisted on +# disk by masters in order to feed replicas, or stored on disk by replicas +# in order to load them for the initial synchronization, should be deleted +# ASAP. Note that this option ONLY WORKS in instances that have both AOF +# and RDB persistence disabled, otherwise is completely ignored. +# +# An alternative (and sometimes better) way to obtain the same effect is +# to use diskless replication on both master and replicas instances. However +# in the case of replicas, diskless is not always an option. +rdb-del-sync-files no + # The working directory. # # The DB will be written inside this directory, with the filename specified 
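Review bot: The new `sanitize-dump-payload` block is copied verbatim with the setting left commented out, i.e. at the implicit upstream default `no`, whose stated rationale (cluster resharding via MIGRATE) does not obviously apply to a single-database cache instance like this one appears to be. For a standalone instance the safer value is `sanitize-dump-payload clients`, which fully validates RESTORE payloads received from client connections (RDB loads and master-link RESTOREs are excluded) and reduces the chance of a crafted payload hitting an assertion or crash later. If only PacketFence's own processes can reach this instance the exposure is limited, but the cost of `clients` is negligible here, so I would set it explicitly rather than inherit the upstream default silently. The explicit `rdb-del-sync-files no` is the default and only matters with replication, so a one-line comment noting it is a no-op for this instance would avoid future confusion.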
@@ -190,209 +509,556 @@ dir /usr/local/pf/var/redis_ntlm_cache ################################# REPLICATION ################################# -# Master-Slave replication. Use slaveof to make a Redis instance a copy of +# Master-Replica replication. Use replicaof to make a Redis instance a copy of # another Redis server. A few things to understand ASAP about Redis replication. # +# +------------------+ +---------------+ +# | Master | ---> | Replica | +# | (receive writes) | | (exact copy) | +# +------------------+ +---------------+ +# # 1) Redis replication is asynchronous, but you can configure a master to # stop accepting writes if it appears to be not connected with at least -# a given number of slaves. -# 2) Redis slaves are able to perform a partial resynchronization with the +# a given number of replicas. +# 2) Redis replicas are able to perform a partial resynchronization with the # master if the replication link is lost for a relatively small amount of # time. You may want to configure the replication backlog size (see the next # sections of this file) with a sensible value depending on your needs. # 3) Replication is automatic and does not need user intervention. After a -# network partition slaves automatically try to reconnect to masters +# network partition replicas automatically try to reconnect to masters # and resynchronize with them. # -# slaveof +# replicaof # If the master is password protected (using the "requirepass" configuration -# directive below) it is possible to tell the slave to authenticate before +# directive below) it is possible to tell the replica to authenticate before # starting the replication synchronization process, otherwise the master will -# refuse the slave request. +# refuse the replica request. # # masterauth +# +# However this is not enough if you are using Redis ACLs (for Redis version +# 6 or greater), and the default user is not capable of running the PSYNC +# command and/or other commands needed for replication. 
In this case it's +# better to configure a special user to use with replication, and specify the +# masteruser configuration as such: +# +# masteruser +# +# When masteruser is specified, the replica will authenticate against its +# master using the new AUTH form: AUTH . -# When a slave loses its connection with the master, or when the replication -# is still in progress, the slave can act in two different ways: +# When a replica loses its connection with the master, or when the replication +# is still in progress, the replica can act in two different ways: # -# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will +# 1) if replica-serve-stale-data is set to 'yes' (the default) the replica will # still reply to client requests, possibly with out of date data, or the # data set may just be empty if this is the first synchronization. # -# 2) if slave-serve-stale-data is set to 'no' the slave will reply with -# an error "SYNC with master in progress" to all the kind of commands -# but to INFO and SLAVEOF. +# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error +# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'" +# to all data access commands, excluding commands such as: +# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE, +# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST, +# HOST and LATENCY. # -slave-serve-stale-data yes +replica-serve-stale-data yes -# You can configure a slave instance to accept writes or not. Writing against -# a slave instance may be useful to store some ephemeral data (because data -# written on a slave will be easily deleted after resync with the master) but +# You can configure a replica instance to accept writes or not. 
Writing against +# a replica instance may be useful to store some ephemeral data (because data +# written on a replica will be easily deleted after resync with the master) but # may also cause problems if clients are writing to it because of a # misconfiguration. # -# Since Redis 2.6 by default slaves are read-only. +# Since Redis 2.6 by default replicas are read-only. # -# Note: read only slaves are not designed to be exposed to untrusted clients +# Note: read only replicas are not designed to be exposed to untrusted clients # on the internet. It's just a protection layer against misuse of the instance. -# Still a read only slave exports by default all the administrative commands +# Still a read only replica exports by default all the administrative commands # such as CONFIG, DEBUG, and so forth. To a limited extent you can improve -# security of read only slaves using 'rename-command' to shadow all the +# security of read only replicas using 'rename-command' to shadow all the # administrative / dangerous commands. -slave-read-only yes +replica-read-only yes # Replication SYNC strategy: disk or socket. # -# ------------------------------------------------------- -# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY -# ------------------------------------------------------- +# New replicas and reconnecting replicas that are not able to continue the +# replication process just receiving differences, need to do what is called a +# "full synchronization". An RDB file is transmitted from the master to the +# replicas. # -# New slaves and reconnecting slaves that are not able to continue the replication -# process just receiving differences, need to do what is called a "full -# synchronization". An RDB file is transmitted from the master to the slaves. # The transmission can happen in two different ways: # # 1) Disk-backed: The Redis master creates a new process that writes the RDB # file on disk. 
Later the file is transferred by the parent -# process to the slaves incrementally. +# process to the replicas incrementally. # 2) Diskless: The Redis master creates a new process that directly writes the -# RDB file to slave sockets, without touching the disk at all. +# RDB file to replica sockets, without touching the disk at all. # -# With disk-backed replication, while the RDB file is generated, more slaves -# can be queued and served with the RDB file as soon as the current child producing -# the RDB file finishes its work. With diskless replication instead once -# the transfer starts, new slaves arriving will be queued and a new transfer -# will start when the current one terminates. +# With disk-backed replication, while the RDB file is generated, more replicas +# can be queued and served with the RDB file as soon as the current child +# producing the RDB file finishes its work. With diskless replication instead +# once the transfer starts, new replicas arriving will be queued and a new +# transfer will start when the current one terminates. # # When diskless replication is used, the master waits a configurable amount of -# time (in seconds) before starting the transfer in the hope that multiple slaves -# will arrive and the transfer can be parallelized. +# time (in seconds) before starting the transfer in the hope that multiple +# replicas will arrive and the transfer can be parallelized. # # With slow disks and fast (large bandwidth) networks, diskless replication # works better. repl-diskless-sync no # When diskless replication is enabled, it is possible to configure the delay -# the server waits in order to spawn the child that trnasfers the RDB via socket -# to the slaves. +# the server waits in order to spawn the child that transfers the RDB via socket +# to the replicas. 
# # This is important since once the transfer starts, it is not possible to serve -# new slaves arriving, that will be queued for the next RDB transfer, so the server -# waits a delay in order to let more slaves arrive. +# new replicas arriving, that will be queued for the next RDB transfer, so the +# server waits a delay in order to let more replicas arrive. # # The delay is specified in seconds, and by default is 5 seconds. To disable # it entirely just set it to 0 seconds and the transfer will start ASAP. repl-diskless-sync-delay 5 -# Slaves send PINGs to server in a predefined interval. It's possible to change -# this interval with the repl_ping_slave_period option. The default value is 10 -# seconds. -# -# repl-ping-slave-period 10 +# When diskless replication is enabled with a delay, it is possible to let +# the replication start before the maximum delay is reached if the maximum +# number of replicas expected have connected. Default of 0 means that the +# maximum is not defined and Redis will wait the full delay. +repl-diskless-sync-max-replicas 0 + +# ----------------------------------------------------------------------------- +# WARNING: RDB diskless load is experimental. Since in this setup the replica +# does not immediately store an RDB on disk, it may cause data loss during +# failovers. RDB diskless load + Redis modules not handling I/O reads may also +# cause Redis to abort in case of I/O errors during the initial synchronization +# stage with the master. Use only if you know what you are doing. +# ----------------------------------------------------------------------------- +# +# Replica can load the RDB it reads from the replication link directly from the +# socket, or store the RDB to a file and read that file after it was completely +# received from the master. 
+# +# In many cases the disk is slower than the network, and storing and loading +# the RDB file may increase replication time (and even increase the master's +# Copy on Write memory and replica buffers). +# However, parsing the RDB file directly from the socket may mean that we have +# to flush the contents of the current database before the full rdb was +# received. For this reason we have the following options: +# +# "disabled" - Don't use diskless load (store the rdb file to the disk first) +# "on-empty-db" - Use diskless load only when it is completely safe. +# "swapdb" - Keep current db contents in RAM while parsing the data directly +# from the socket. Replicas in this mode can keep serving current +# data set while replication is in progress, except for cases where +# they can't recognize master as having a data set from same +# replication history. +# Note that this requires sufficient memory, if you don't have it, +# you risk an OOM kill. +repl-diskless-load disabled + +# Master send PINGs to its replicas in a predefined interval. It's possible to +# change this interval with the repl_ping_replica_period option. The default +# value is 10 seconds. +# +# repl-ping-replica-period 10 # The following option sets the replication timeout for: # -# 1) Bulk transfer I/O during SYNC, from the point of view of slave. -# 2) Master timeout from the point of view of slaves (data, pings). -# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings). +# 1) Bulk transfer I/O during SYNC, from the point of view of replica. +# 2) Master timeout from the point of view of replicas (data, pings). +# 3) Replica timeout from the point of view of masters (REPLCONF ACK pings). # # It is important to make sure that this value is greater than the value -# specified for repl-ping-slave-period otherwise a timeout will be detected -# every time there is low traffic between the master and the slave. 
+# specified for repl-ping-replica-period otherwise a timeout will be detected +# every time there is low traffic between the master and the replica. The default +# value is 60 seconds. # # repl-timeout 60 -# Disable TCP_NODELAY on the slave socket after SYNC? +# Disable TCP_NODELAY on the replica socket after SYNC? # # If you select "yes" Redis will use a smaller number of TCP packets and -# less bandwidth to send data to slaves. But this can add a delay for -# the data to appear on the slave side, up to 40 milliseconds with +# less bandwidth to send data to replicas. But this can add a delay for +# the data to appear on the replica side, up to 40 milliseconds with # Linux kernels using a default configuration. # -# If you select "no" the delay for data to appear on the slave side will +# If you select "no" the delay for data to appear on the replica side will # be reduced but more bandwidth will be used for replication. # # By default we optimize for low latency, but in very high traffic conditions -# or when the master and slaves are many hops away, turning this to "yes" may +# or when the master and replicas are many hops away, turning this to "yes" may # be a good idea. repl-disable-tcp-nodelay no # Set the replication backlog size. The backlog is a buffer that accumulates -# slave data when slaves are disconnected for some time, so that when a slave -# wants to reconnect again, often a full resync is not needed, but a partial -# resync is enough, just passing the portion of data the slave missed while -# disconnected. +# replica data when replicas are disconnected for some time, so that when a +# replica wants to reconnect again, often a full resync is not needed, but a +# partial resync is enough, just passing the portion of data the replica +# missed while disconnected. # -# The bigger the replication backlog, the longer the time the slave can be -# disconnected and later be able to perform a partial resynchronization. 
+# The bigger the replication backlog, the longer the replica can endure the +# disconnect and later be able to perform a partial resynchronization. # -# The backlog is only allocated once there is at least a slave connected. +# The backlog is only allocated if there is at least one replica connected. # # repl-backlog-size 1mb -# After a master has no longer connected slaves for some time, the backlog -# will be freed. The following option configures the amount of seconds that -# need to elapse, starting from the time the last slave disconnected, for -# the backlog buffer to be freed. +# After a master has no connected replicas for some time, the backlog will be +# freed. The following option configures the amount of seconds that need to +# elapse, starting from the time the last replica disconnected, for the backlog +# buffer to be freed. +# +# Note that replicas never free the backlog for timeout, since they may be +# promoted to masters later, and should be able to correctly "partially +# resynchronize" with other replicas: hence they should always accumulate backlog. # # A value of 0 means to never release the backlog. # # repl-backlog-ttl 3600 -# The slave priority is an integer number published by Redis in the INFO output. -# It is used by Redis Sentinel in order to select a slave to promote into a -# master if the master is no longer working correctly. +# The replica priority is an integer number published by Redis in the INFO +# output. It is used by Redis Sentinel in order to select a replica to promote +# into a master if the master is no longer working correctly. # -# A slave with a low priority number is considered better for promotion, so -# for instance if there are three slaves with priority 10, 100, 25 Sentinel will -# pick the one with priority 10, that is the lowest. 
+# A replica with a low priority number is considered better for promotion, so +# for instance if there are three replicas with priority 10, 100, 25 Sentinel +# will pick the one with priority 10, that is the lowest. # -# However a special priority of 0 marks the slave as not able to perform the -# role of master, so a slave with priority of 0 will never be selected by +# However a special priority of 0 marks the replica as not able to perform the +# role of master, so a replica with priority of 0 will never be selected by # Redis Sentinel for promotion. # # By default the priority is 100. -slave-priority 100 +replica-priority 100 + +# The propagation error behavior controls how Redis will behave when it is +# unable to handle a command being processed in the replication stream from a master +# or processed while reading from an AOF file. Errors that occur during propagation +# are unexpected, and can cause data inconsistency. However, there are edge cases +# in earlier versions of Redis where it was possible for the server to replicate or persist +# commands that would fail on future versions. For this reason the default behavior +# is to ignore such errors and continue processing commands. +# +# If an application wants to ensure there is no data divergence, this configuration +# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas' +# to only panic when a replica encounters an error on the replication stream. One of +# these two panic values will become the default value in the future once there are +# sufficient safety mechanisms in place to prevent false positive crashes. +# +# propagation-error-behavior ignore + +# Replica ignore disk write errors controls the behavior of a replica when it is +# unable to persist a write command received from its master to disk. By default, +# this configuration is set to 'no' and will crash the replica in this condition. 
+# It is not recommended to change this default, however in order to be compatible +# with older versions of Redis this config can be toggled to 'yes' which will just +# log a warning and execute the write command it got from the master. +# +# replica-ignore-disk-write-errors no + +# ----------------------------------------------------------------------------- +# By default, Redis Sentinel includes all replicas in its reports. A replica +# can be excluded from Redis Sentinel's announcements. An unannounced replica +# will be ignored by the 'sentinel replicas ' command and won't be +# exposed to Redis Sentinel's clients. +# +# This option does not change the behavior of replica-priority. Even with +# replica-announced set to 'no', the replica can be promoted to master. To +# prevent this behavior, set replica-priority to 0. +# +# replica-announced yes # It is possible for a master to stop accepting writes if there are less than -# N slaves connected, having a lag less or equal than M seconds. +# N replicas connected, having a lag less or equal than M seconds. # -# The N slaves need to be in "online" state. +# The N replicas need to be in "online" state. # # The lag in seconds, that must be <= the specified value, is calculated from -# the last ping received from the slave, that is usually sent every second. +# the last ping received from the replica, that is usually sent every second. # # This option does not GUARANTEE that N replicas will accept the write, but -# will limit the window of exposure for lost writes in case not enough slaves +# will limit the window of exposure for lost writes in case not enough replicas # are available, to the specified number of seconds. 
# -# For example to require at least 3 slaves with a lag <= 10 seconds use: +# For example to require at least 3 replicas with a lag <= 10 seconds use: # -# min-slaves-to-write 3 -# min-slaves-max-lag 10 +# min-replicas-to-write 3 +# min-replicas-max-lag 10 # # Setting one or the other to 0 disables the feature. # -# By default min-slaves-to-write is set to 0 (feature disabled) and -# min-slaves-max-lag is set to 10. +# By default min-replicas-to-write is set to 0 (feature disabled) and +# min-replicas-max-lag is set to 10. -################################## SECURITY ################################### +# A Redis master is able to list the address and port of the attached +# replicas in different ways. For example the "INFO replication" section +# offers this information, which is used, among other tools, by +# Redis Sentinel in order to discover replica instances. +# Another place where this info is available is in the output of the +# "ROLE" command of a master. +# +# The listed IP address and port normally reported by a replica is +# obtained in the following way: +# +# IP: The address is auto detected by checking the peer address +# of the socket used by the replica to connect with the master. +# +# Port: The port is communicated by the replica during the replication +# handshake, and is normally the port that the replica is using to +# listen for connections. +# +# However when port forwarding or Network Address Translation (NAT) is +# used, the replica may actually be reachable via different IP and port +# pairs. The following two options can be used by a replica in order to +# report to its master a specific set of IP and port, so that both INFO +# and ROLE will report those values. +# +# There is no need to use both the options if you need to override just +# the port or the IP address. +# +# replica-announce-ip 5.5.5.5 +# replica-announce-port 1234 -# Require clients to issue AUTH before processing any other -# commands. 
This might be useful in environments in which you do not trust -# others with access to the host running redis-server. +############################### KEYS TRACKING ################################# + +# Redis implements server assisted support for client side caching of values. +# This is implemented using an invalidation table that remembers, using +# a radix key indexed by key name, what clients have which keys. In turn +# this is used in order to send invalidation messages to clients. Please +# check this page to understand more about the feature: +# +# https://redis.io/topics/client-side-caching +# +# When tracking is enabled for a client, all the read only queries are assumed +# to be cached: this will force Redis to store information in the invalidation +# table. When keys are modified, such information is flushed away, and +# invalidation messages are sent to the clients. However if the workload is +# heavily dominated by reads, Redis could use more and more memory in order +# to track the keys fetched by many clients. +# +# For this reason it is possible to configure a maximum fill value for the +# invalidation table. By default it is set to 1M of keys, and once this limit +# is reached, Redis will start to evict keys in the invalidation table +# even if they were not modified, just to reclaim memory: this will in turn +# force the clients to invalidate the cached values. Basically the table +# maximum size is a trade off between the memory you want to spend server +# side to track information about who cached what, and the ability of clients +# to retain cached objects in memory. # -# This should stay commented out for backward compatibility and because most -# people do not need auth (e.g. they run their own servers). +# If you set the value to 0, it means there are no limits, and Redis will +# retain as many keys as needed in the invalidation table. 
+# In the "stats" INFO section, you can find information about the number of
+# keys in the invalidation table at every given moment.
#
-# Warning: since Redis is pretty fast an outside user can try up to
-# 150k passwords per second against a good box. This means that you should
-# use a very strong password otherwise it will be very easy to break.
+# Note: when key tracking is used in broadcasting mode, no memory is used
+# in the server side so this setting is useless.
+#
+# tracking-table-max-keys 1000000
+
+################################## SECURITY ###################################
+
+# Warning: since Redis is pretty fast, an outside user can try up to
+# 1 million passwords per second against a modern box. This means that you
+# should use very strong passwords, otherwise they will be very easy to break.
+# Note that because the password is really a shared secret between the client
+# and the server, and should not be memorized by any human, the password
+# can be easily a long string from /dev/urandom or whatever, so by using a
+# long and unguessable password no brute force attack will be possible.
+
+# Redis ACL users are defined in the following format:
+#
+# user ... acl rules ...
+#
+# For example:
+#
+# user worker +@list +@connection ~jobs:* on >ffa9203c493aa99
+#
+# The special username "default" is used for new connections. If this user
+# has the "nopass" rule, then new connections will be immediately authenticated
+# as the "default" user without the need of any password provided via the
+# AUTH command. Otherwise if the "default" user is not flagged with "nopass"
+# the connections will start in not authenticated state, and will require
+# AUTH (or the HELLO command AUTH option) in order to be authenticated and
+# start to work.
+#
+# The ACL rules that describe what a user can do are the following:
+#
+# on Enable the user: it is possible to authenticate as this user.
+# off Disable the user: it's no longer possible to authenticate
+# with this user, however the already authenticated connections
+# will still work.
+# skip-sanitize-payload RESTORE dump-payload sanitization is skipped.
+# sanitize-payload RESTORE dump-payload is sanitized (default).
+# + Allow the execution of that command.
+# May be used with `|` for allowing subcommands (e.g "+config|get")
+# - Disallow the execution of that command.
+# May be used with `|` for blocking subcommands (e.g "-config|set")
+# +@ Allow the execution of all the commands in such category
+# with valid categories are like @admin, @set, @sortedset, ...
+# and so forth, see the full list in the server.c file where
+# the Redis command table is described and defined.
+# The special category @all means all the commands, but currently
+# present in the server, and that will be loaded in the future
+# via modules.
+# +|first-arg Allow a specific first argument of an otherwise
+# disabled command. It is only supported on commands with
+# no sub-commands, and is not allowed as negative form
+# like -SELECT|1, only additive starting with "+". This
+# feature is deprecated and may be removed in the future.
+# allcommands Alias for +@all. Note that it implies the ability to execute
+# all the future commands loaded via the modules system.
+# nocommands Alias for -@all.
+# ~ Add a pattern of keys that can be mentioned as part of
+# commands. For instance ~* allows all the keys. The pattern
+# is a glob-style pattern like the one of KEYS.
+# It is possible to specify multiple patterns.
+# %R~ Add key read pattern that specifies which keys can be read
+# from.
+# %W~ Add key write pattern that specifies which keys can be
+# written to.
+# allkeys Alias for ~*
+# resetkeys Flush the list of allowed keys patterns.
+# & Add a glob-style pattern of Pub/Sub channels that can be
+# accessed by the user. It is possible to specify multiple channel
+# patterns.
+# allchannels Alias for &*
+# resetchannels Flush the list of allowed channel patterns.
+# > Add this password to the list of valid password for the user.
+# For example >mypass will add "mypass" to the list.
+# This directive clears the "nopass" flag (see later).
+# < Remove this password from the list of valid passwords.
+# nopass All the set passwords of the user are removed, and the user
+# is flagged as requiring no password: it means that every
+# password will work against this user. If this directive is
+# used for the default user, every new connection will be
+# immediately authenticated with the default user without
+# any explicit AUTH command required. Note that the "resetpass"
+# directive will clear this condition.
+# resetpass Flush the list of allowed passwords. Moreover removes the
+# "nopass" status. After "resetpass" the user has no associated
+# passwords and there is no way to authenticate without adding
+# some password (or setting it as "nopass" later).
+# reset Performs the following actions: resetpass, resetkeys, off,
+# -@all. The user returns to the same state it has immediately
+# after its creation.
+# () Create a new selector with the options specified within the
+# parentheses and attach it to the user. Each option should be
+# space separated. The first character must be ( and the last
+# character must be ).
+# clearselectors Remove all of the currently attached selectors.
+# Note this does not change the "root" user permissions,
+# which are the permissions directly applied onto the
+# user (outside the parentheses).
+#
+# ACL rules can be specified in any order: for instance you can start with
+# passwords, then flags, or key patterns. However note that the additive
+# and subtractive rules will CHANGE MEANING depending on the ordering.
+# For instance see the following example:
+#
+# user alice on +@all -DEBUG ~* >somepassword
+#
+# This will allow "alice" to use all the commands with the exception of the
+# DEBUG command, since +@all added all the commands to the set of the commands
+# alice can use, and later DEBUG was removed. However if we invert the order
+# of two ACL rules the result will be different:
+#
+# user alice on -DEBUG +@all ~* >somepassword
+#
+# Now DEBUG was removed when alice had yet no commands in the set of allowed
+# commands, later all the commands are added, so the user will be able to
+# execute everything.
+#
+# Basically ACL rules are processed left-to-right.
+#
+# The following is a list of command categories and their meanings:
+# * keyspace - Writing or reading from keys, databases, or their metadata
+# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE,
+# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace,
+# key or metadata will also have `write` category. Commands that only read
+# the keyspace, key or metadata will have the `read` category.
+# * read - Reading from keys (values or metadata). Note that commands that don't
+# interact with keys, will not have either `read` or `write`.
+# * write - Writing to keys (values or metadata)
+# * admin - Administrative commands. Normal applications will never need to use
+# these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc.
+# * dangerous - Potentially dangerous (each should be considered with care for
+# various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS,
+# CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc.
+# * connection - Commands affecting the connection or other connections.
+# This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc.
+# * blocking - Potentially blocking the connection until released by another
+# command.
+# * fast - Fast O(1) commands. May loop on the number of arguments, but not the
+# number of elements in the key.
+# * slow - All commands that are not Fast.
+# * pubsub - PUBLISH / SUBSCRIBE related
+# * transaction - WATCH / MULTI / EXEC related commands.
+# * scripting - Scripting related.
+# * set - Data type: sets related.
+# * sortedset - Data type: zsets related.
+# * list - Data type: lists related.
+# * hash - Data type: hashes related.
+# * string - Data type: strings related.
+# * bitmap - Data type: bitmaps related.
+# * hyperloglog - Data type: hyperloglog related.
+# * geo - Data type: geo related.
+# * stream - Data type: streams related.
+#
+# For more information about ACL configuration please refer to
+# the Redis web site at https://redis.io/topics/acl
+
+# ACL LOG
+#
+# The ACL Log tracks failed commands and authentication events associated
+# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked
+# by ACLs. The ACL Log is stored in memory. You can reclaim memory with
+# ACL LOG RESET. Define the maximum entry length of the ACL Log below.
+acllog-max-len 128
+
+# Using an external ACL file
+#
+# Instead of configuring users here in this file, it is possible to use
+# a stand-alone file just listing users. The two methods cannot be mixed:
+# if you configure users here and at the same time you activate the external
+# ACL file, the server will refuse to start.
+#
+# The format of the external ACL user file is exactly the same as the
+# format that is used inside redis.conf to describe users.
+#
+# aclfile /etc/redis/users.acl
+
+# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatibility
+# layer on top of the new ACL system. The option effect will be just setting
+# the password for the default user. Clients will still authenticate using
+# AUTH as usually, or more explicitly with AUTH default
+# if they follow the new protocol: both will work.
+#
+# The requirepass is not compatible with aclfile option and the ACL LOAD
+# command, these will cause requirepass to be ignored.
#
# requirepass foobared
-# Command renaming.
+# New users are initialized with restrictive permissions by default, via the
+# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it
+# is possible to manage access to Pub/Sub channels with ACL rules as well. The
+# default Pub/Sub channels permission if new users is controlled by the
+# acl-pubsub-default configuration directive, which accepts one of these values:
+#
+# allchannels: grants access to all Pub/Sub channels
+# resetchannels: revokes access to all Pub/Sub channels
+#
+# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.
+#
+# acl-pubsub-default resetchannels
+
+# Command renaming (DEPRECATED).
+#
+# ------------------------------------------------------------------------
+# WARNING: avoid using this option if possible. Instead use ACLs to remove
+# commands from the default user, and put them only in some admin user you
+# create for administrative purposes.
+# ------------------------------------------------------------------------
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
@@ -406,14 +1072,15 @@ slave-priority 100
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
-rename-command CONFIG ""
-#
-rename-command DEBUG ""
+# rename-command CONFIG ""
#
# Please note that changing the name of commands that are logged into the
-# AOF file or transmitted to slaves may cause problems.
+# AOF file or transmitted to replicas may cause problems.
+rename-command CONFIG ""
+rename-command DEBUG ""
+
-################################### LIMITS ####################################
+################################### CLIENTS ####################################
# Set the max number of connected clients at the same time. By default
# this limit is set to 10000 clients, however if the Redis server is not
@@ -424,9 +1091,16 @@ rename-command DEBUG ""
# Once the limit is reached Redis will close all the new connections sending
# an error 'max number of clients reached'.
#
+# IMPORTANT: When Redis Cluster is used, the max number of connections is also
+# shared with the cluster bus: every node in the cluster will use two
+# connections, one incoming and another outgoing. It is important to size the
+# limit accordingly in case of very large clusters.
+#
# maxclients 10000
-# Don't use more memory than the specified amount of bytes.
+############################## MEMORY MANAGEMENT ################################
+
+# Set a memory usage limit to the specified amount of bytes.
# When the memory limit is reached Redis will try to remove keys
# according to the eviction policy selected (see maxmemory-policy).
#
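Review bot: The re-added `rename-command CONFIG ""` and `rename-command DEBUG ""` are the only PacketFence-specific hardening in this hunk, yet they carry no comment, while the same commit imports upstream text that marks rename-command as deprecated in favour of ACLs; a future resync of redis.conf is likely to drop them as stale. Add a short comment above them, e.g. `# PacketFence: CONFIG and DEBUG are disabled for every client, including the default user; keep until an ACL-based equivalent (an admin user holding +config) replaces it.` Disabling by renaming still works on Redis 7, so no behavioural change is needed here; the note only makes the intent survive the next upstream refresh. It is also worth confirming that nothing else is expected to guard these commands, since the `requirepass` line stays commented out in the preceding hunk.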
@@ -435,52 +1109,259 @@ rename-command DEBUG ""
# that would use more memory, like SET, LPUSH, and so on, and will continue
# to reply to read-only commands like GET.
#
-# This option is usually useful when using Redis as an LRU cache, or to set
-# a hard memory limit for an instance (using the 'noeviction' policy).
+# This option is usually useful when using Redis as an LRU or LFU cache, or to
+# set a hard memory limit for an instance (using the 'noeviction' policy).
#
-# WARNING: If you have slaves attached to an instance with maxmemory on,
-# the size of the output buffers needed to feed the slaves are subtracted
+# WARNING: If you have replicas attached to an instance with maxmemory on,
+# the size of the output buffers needed to feed the replicas are subtracted
# from the used memory count, so that network problems / resyncs will
# not trigger a loop where keys are evicted, and in turn the output
-# buffer of slaves is full with DELs of keys evicted triggering the deletion
+# buffer of replicas is full with DELs of keys evicted triggering the deletion
# of more keys, and so forth until the database is completely emptied.
#
-# In short... if you have slaves attached it is suggested that you set a lower
-# limit for maxmemory so that there is some free RAM on the system for slave
+# In short... if you have replicas attached it is suggested that you set a lower
+# limit for maxmemory so that there is some free RAM on the system for replica
# output buffers (but this is not needed if the policy is 'noeviction').
#
# maxmemory
# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
-# is reached. You can select among five behaviors:
-#
-# volatile-lru -> remove the key with an expire set using an LRU algorithm
-# allkeys-lru -> remove any key according to the LRU algorithm
-# volatile-random -> remove a random key with an expire set
-# allkeys-random -> remove a random key, any key
-# volatile-ttl -> remove the key with the nearest expire time (minor TTL)
-# noeviction -> don't expire at all, just return an error on write operations
-#
-# Note: with any of the above policies, Redis will return an error on write
-# operations, when there are no suitable keys for eviction.
-#
-# At the date of writing these commands are: set setnx setex append
-# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
-# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
-# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
-# getset mset msetnx exec sort
+# is reached. You can select one from the following behaviors:
+#
+# volatile-lru -> Evict using approximated LRU, only keys with an expire set.
+# allkeys-lru -> Evict any key using approximated LRU.
+# volatile-lfu -> Evict using approximated LFU, only keys with an expire set.
+# allkeys-lfu -> Evict any key using approximated LFU.
+# volatile-random -> Remove a random key having an expire set.
+# allkeys-random -> Remove a random key, any key.
+# volatile-ttl -> Remove the key with the nearest expire time (minor TTL)
+# noeviction -> Don't evict anything, just return an error on write operations.
+#
+# LRU means Least Recently Used
+# LFU means Least Frequently Used
+#
+# Both LRU, LFU and volatile-ttl are implemented using approximated
+# randomized algorithms.
+#
+# Note: with any of the above policies, when there are no suitable keys for
+# eviction, Redis will return an error on write operations that require
+# more memory. These are usually commands that create new keys, add data or
+# modify existing keys. A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE,
+# SORT (due to the STORE argument), and EXEC (if the transaction includes any
+# command that requires memory).
#
# The default is:
#
-# maxmemory-policy volatile-lru
+# maxmemory-policy noeviction
+
+# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated
+# algorithms (in order to save memory), so you can tune it for speed or
+# accuracy. By default Redis will check five keys and pick the one that was
+# used least recently, you can change the sample size using the following
+# configuration directive.
+#
+# The default of 5 produces good enough results. 10 Approximates very closely
+# true LRU but costs more CPU. 3 is faster but not very accurate.
+#
+# maxmemory-samples 5
+
+# Eviction processing is designed to function well with the default setting.
+# If there is an unusually large amount of write traffic, this value may need to
+# be increased. Decreasing this value may reduce latency at the risk of
+# eviction processing effectiveness
+# 0 = minimum latency, 10 = default, 100 = process without regard to latency
+#
+# maxmemory-eviction-tenacity 10
+
+# Starting from Redis 5, by default a replica will ignore its maxmemory setting
+# (unless it is promoted to master after a failover or manually). It means
+# that the eviction of keys will be just handled by the master, sending the
+# DEL commands to the replica as keys evict in the master side.
+#
+# This behavior ensures that masters and replicas stay consistent, and is usually
+# what you want, however if your replica is writable, or you want the replica
+# to have a different memory setting, and you are sure all the writes performed
+# to the replica are idempotent, then you may change this default (but be sure
+# to understand what you are doing).
+#
+# Note that since the replica by default does not evict, it may end using more
+# memory than the one set via maxmemory (there are certain buffers that may
+# be larger on the replica, or data structures may sometimes take more memory
+# and so forth). So make sure you monitor your replicas and make sure they
+# have enough memory to never hit a real out-of-memory condition before the
+# master hits the configured maxmemory setting.
+#
+# replica-ignore-maxmemory yes
+
+# Redis reclaims expired keys in two ways: upon access when those keys are
+# found to be expired, and also in background, in what is called the
+# "active expire key". The key space is slowly and interactively scanned
+# looking for expired keys to reclaim, so that it is possible to free memory
+# of keys that are expired and will never be accessed again in a short time.
+#
+# The default effort of the expire cycle will try to avoid having more than
+# ten percent of expired keys still in memory, and will try to avoid consuming
+# more than 25% of total memory and to add latency to the system. However
+# it is possible to increase the expire "effort" that is normally set to
+# "1", to a greater value, up to the value "10". At its maximum value the
+# system will use more CPU, longer cycles (and technically may introduce
+# more latency), and will tolerate less already expired keys still present
+# in the system. It's a tradeoff between memory, CPU and latency.
+#
+# active-expire-effort 1
+
+############################# LAZY FREEING ####################################
+
+# Redis has two primitives to delete keys. One is called DEL and is a blocking
+# deletion of the object. It means that the server stops processing new commands
+# in order to reclaim all the memory associated with an object in a synchronous
+# way. If the key deleted is associated with a small object, the time needed
+# in order to execute the DEL command is very small and comparable to most other
+# O(1) or O(log_N) commands in Redis. However if the key is associated with an
+# aggregated value containing millions of elements, the server can block for
+# a long time (even seconds) in order to complete the operation.
+#
+# For the above reasons Redis also offers non blocking deletion primitives
+# such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and
+# FLUSHDB commands, in order to reclaim memory in background. Those commands
+# are executed in constant time. Another thread will incrementally free the
+# object in the background as fast as possible.
+#
+# DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled.
+# It's up to the design of the application to understand when it is a good
+# idea to use one or the other. However the Redis server sometimes has to
+# delete keys or flush the whole database as a side effect of other operations.
+# Specifically Redis deletes objects independently of a user call in the
+# following scenarios:
+#
+# 1) On eviction, because of the maxmemory and maxmemory policy configurations,
+# in order to make room for new data, without going over the specified
+# memory limit.
+# 2) Because of expire: when a key with an associated time to live (see the
+# EXPIRE command) must be deleted from memory.
+# 3) Because of a side effect of a command that stores data on a key that may
+# already exist. For example the RENAME command may delete the old key
+# content when it is replaced with another one. Similarly SUNIONSTORE
+# or SORT with STORE option may delete existing keys. The SET command
+# itself removes any old content of the specified key in order to replace
+# it with the specified string.
+# 4) During replication, when a replica performs a full resynchronization with
+# its master, the content of the whole database is removed in order to
+# load the RDB file just transferred.
+#
+# In all the above cases the default is to delete objects in a blocking way,
+# like if DEL was called. However you can configure each case specifically
+# in order to instead release memory in a non-blocking way like if UNLINK
+# was called, using the following configuration directives.
+
+lazyfree-lazy-eviction no
+lazyfree-lazy-expire no
+lazyfree-lazy-server-del no
+replica-lazy-flush no
+
+# It is also possible, for the case when to replace the user code DEL calls
+# with UNLINK calls is not easy, to modify the default behavior of the DEL
+# command to act exactly like UNLINK, using the following configuration
+# directive:
+
+lazyfree-lazy-user-del no
+
+# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous
+# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
+# commands. When neither flag is passed, this directive will be used to determine
+# if the data should be deleted asynchronously.
+
+lazyfree-lazy-user-flush no
+
+################################ THREADED I/O #################################
+
+# Redis is mostly single threaded, however there are certain threaded
+# operations such as UNLINK, slow I/O accesses and other things that are
+# performed on side threads.
+#
+# Now it is also possible to handle Redis clients socket reads and writes
+# in different I/O threads. Since especially writing is so slow, normally
+# Redis users use pipelining in order to speed up the Redis performances per
+# core, and spawn multiple instances in order to scale more. Using I/O
+# threads it is possible to easily speedup two times Redis without resorting
+# to pipelining nor sharding of the instance.
+#
+# By default threading is disabled, we suggest enabling it only in machines
+# that have at least 4 or more cores, leaving at least one spare core.
+# Using more than 8 threads is unlikely to help much. We also recommend using
+# threaded I/O only if you actually have performance problems, with Redis
+# instances being able to use a quite big percentage of CPU time, otherwise
+# there is no point in using this feature.
+#
+# So for instance if you have a four cores boxes, try to use 2 or 3 I/O
+# threads, if you have a 8 cores, try to use 6 threads. In order to
+# enable I/O threads use the following configuration directive:
+#
+# io-threads 4
+#
+# Setting io-threads to 1 will just use the main thread as usual.
+# When I/O threads are enabled, we only use threads for writes, that is
+# to thread the write(2) syscall and transfer the client buffers to the
+# socket. However it is also possible to enable threading of reads and
+# protocol parsing using the following configuration directive, by setting
+# it to yes:
+#
+# io-threads-do-reads no
+#
+# Usually threading reads doesn't help much.
+#
+# NOTE 1: This configuration directive cannot be changed at runtime via
+# CONFIG SET. Also, this feature currently does not work when SSL is
+# enabled.
+#
+# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
+# sure you also run the benchmark itself in threaded mode, using the
+# --threads option to match the number of Redis threads, otherwise you'll not
+# be able to notice the improvements.
+
+############################ KERNEL OOM CONTROL ##############################
+
+# On Linux, it is possible to hint the kernel OOM killer on what processes
+# should be killed first when out of memory.
+#
+# Enabling this feature makes Redis actively control the oom_score_adj value
+# for all its processes, depending on their role. The default scores will
+# attempt to have background child processes killed before all others, and
+# replicas killed before masters.
+#
+# Redis supports these options:
+#
+# no: Don't make changes to oom-score-adj (default).
+# yes: Alias to "relative" see below.
+# absolute: Values in oom-score-adj-values are written as is to the kernel.
+# relative: Values are used relative to the initial value of oom_score_adj when
+# the server starts and are then clamped to a range of -1000 to 1000.
+# Because typically the initial value is 0, they will often match the
+# absolute values.
+oom-score-adj no
+
+# When oom-score-adj is used, this directive controls the specific values used
+# for master, replica and background child processes. Values range -2000 to
+# 2000 (higher means more likely to be killed).
+#
+# Unprivileged processes (not root, and without CAP_SYS_RESOURCE capabilities)
+# can freely increase their value, but not decrease it below its initial
+# settings. This means that setting oom-score-adj to "relative" and setting the
+# oom-score-adj-values to positive values will always succeed.
+oom-score-adj-values 0 200 800
-# LRU and minimal TTL algorithms are not precise algorithms but approximated
-# algorithms (in order to save memory), so you can select as well the sample
-# size to check. For instance for default Redis will check three keys and
-# pick the one that was used less recently, you can change the sample size
-# using the following configuration directive.
-#
-# maxmemory-samples 3
+
+#################### KERNEL transparent hugepage CONTROL ######################
+
+# Usually the kernel Transparent Huge Pages control is set to "madvise" or
+# or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which
+# case this config has no effect. On systems in which it is set to "always",
+# redis will attempt to disable it specifically for the redis process in order
+# to avoid latency problems specifically with fork(2) and CoW.
+# If for some reason you prefer to keep it enabled, you can set this config to
+# "no" and the kernel global to "always".
+
+disable-thp yes
############################## APPEND ONLY MODE ###############################
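Review bot: The hunk leaves `# maxmemory` commented out while the imported text now documents `noeviction` as the effective default policy, so this instance has no upper bound on dataset size; with `oom-score-adj no` Redis also gives the kernel no hint about which of its processes to kill first when the host runs out of memory. If this instance is only reached by local PacketFence daemons and must never evict (a queue, for example) that may well be the intended trade-off, but any client able to write keys can still exhaust host memory, so the decision should be recorded next to the directive, e.g. `# PacketFence: maxmemory intentionally unset (<reason>); size the host accordingly.` If the instance is instead used as a cache, set an explicit `maxmemory` together with `allkeys-lru` or `volatile-lru`. The remaining values in the hunk (`lazyfree-*` no, `oom-score-adj-values 0 200 800`, `disable-thp yes`) appear to track the packaged 7.0 defaults and raise no concern.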
@@ -500,14 +1381,43 @@ rename-command DEBUG ""
# If the AOF is enabled on startup Redis will load the AOF, that is the file
# with the better durability guarantees.
#
-# Please check http://redis.io/topics/persistence for more information.
+# Please check https://redis.io/topics/persistence for more information.
appendonly no
-# The name of the append only file (default: "appendonly.aof")
+# The base name of the append only file.
+#
+# Redis 7 and newer use a set of append-only files to persist the dataset
+# and changes applied to it. There are two basic types of files in use:
+#
+# - Base files, which are a snapshot representing the complete state of the
+# dataset at the time the file was created. Base files can be either in
+# the form of RDB (binary serialized) or AOF (textual commands).
+# - Incremental files, which contain additional commands that were applied
+# to the dataset following the previous file.
+#
+# In addition, manifest files are used to track the files and the order in
+# which they were created and should be applied.
+#
+# Append-only file names are created by Redis following a specific pattern.
+# The file name's prefix is based on the 'appendfilename' configuration
+# parameter, followed by additional information about the sequence and type.
+#
+# For example, if appendfilename is set to appendonly.aof, the following file
+# names could be derived:
+#
+# - appendonly.aof.1.base.rdb as a base file.
+# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files.
+# - appendonly.aof.manifest as a manifest file.
appendfilename "appendonly.aof"
+# For convenience, Redis stores all persistent append-only files in a dedicated
+# directory. The name of the directory is determined by the appenddirname
+# configuration parameter.
+
+appenddirname "appendonlydir"
+
# The fsync() call tells the Operating System to actually write data on disk
# instead of waiting for more data in the output buffer. Some OS will really flush
# data on disk, some other OS will just try to do it ASAP.
@@ -547,7 +1457,7 @@ appendfsync everysec
# BGSAVE or BGREWRITEAOF is in progress.
#
# This means that while another child is saving, the durability of Redis is
-# the same as "appendfsync none". In practical terms, this means that it is
+# the same as "appendfsync no". In practical terms, this means that it is
# possible to lose up to 30 seconds of log in the worst scenario (with the
# default Linux settings).
#
@@ -571,8 +1481,7 @@ no-appendfsync-on-rewrite no
# is reached but it is still pretty small.
#
# Specify a percentage of zero in order to disable the automatic AOF
-# rewrite feature.
-
+# rewrite feature.auto-aof-rewrite-percentage 100
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
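Review bot: The added line `# rewrite feature.auto-aof-rewrite-percentage 100` in the `@@ -571,8 +1481,7 @@` hunk is a botched merge rather than a deliberate change: the directive text was glued onto the end of the comment and the blank separator line was removed. It is harmless at runtime because the real `auto-aof-rewrite-percentage 100` on the following context line is untouched, but it will mislead anyone grepping the config for the effective value or diffing against upstream. Restore the upstream form, `# rewrite feature.` followed by a blank line, which amounts to dropping this `-`/`+` pair entirely. The two earlier hunks on this line (`appenddirname "appendonlydir"` and the `appendfsync no` wording fix) look correct.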
@@ -600,23 +1509,296 @@ auto-aof-rewrite-min-size 64mb # will be found. aof-load-truncated yes -################################ LUA SCRIPTING ############################### +# Redis can create append-only base files in either RDB or AOF formats. Using +# the RDB format is always faster and more efficient, and disabling it is only +# supported for backward compatibility purposes. +aof-use-rdb-preamble yes + +# Redis supports recording timestamp annotations in the AOF to support restoring +# the data from a specific point-in-time. However, using this capability changes +# the AOF format in a way that may not be compatible with existing AOF parsers. +aof-timestamp-enabled no + +################################ SHUTDOWN ##################################### + +# Maximum time to wait for replicas when shutting down, in seconds. +# +# During shut down, a grace period allows any lagging replicas to catch up with +# the latest replication offset before the master exists. This period can +# prevent data loss, especially for deployments without configured disk backups. +# +# The 'shutdown-timeout' value is the grace period's duration in seconds. It is +# only applicable when the instance has replicas. To disable the feature, set +# the value to 0. +# +# shutdown-timeout 10 + +# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default +# an RDB snapshot is written to disk in a blocking operation if save points are configured. +# The options used on signaled shutdown can include the following values: +# default: Saves RDB snapshot only if save points are configured. +# Waits for lagging replicas to catch up. +# save: Forces a DB saving operation even if no save points are configured. +# nosave: Prevents DB saving operation even if one or more save points are configured. +# now: Skips waiting for lagging replicas. +# force: Ignores any errors that would normally prevent the server from exiting. 
+# +# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously. +# Example: "nosave force now" +# +# shutdown-on-sigint default +# shutdown-on-sigterm default + +################ NON-DETERMINISTIC LONG BLOCKING COMMANDS ##################### -# Max execution time of a Lua script in milliseconds. +# Maximum time in milliseconds for EVAL scripts, functions and in some cases +# modules' commands before Redis can start processing or rejecting other clients. # -# If the maximum execution time is reached Redis will log that a script is -# still in execution after the maximum allowed time and will start to -# reply to queries with an error. +# If the maximum execution time is reached Redis will start to reply to most +# commands with a BUSY error. # -# When a long running script exceeds the maximum execution time only the -# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be -# used to stop a script that did not yet called write commands. The second -# is the only way to shut down the server in the case a write command was -# already issued by the script but the user doesn't want to wait for the natural -# termination of the script. +# In this state Redis will only allow a handful of commands to be executed. +# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some +# module specific 'allow-busy' commands. # -# Set it to 0 or a negative value for unlimited execution without warnings. +# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not +# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop +# the server in the case a write command was already issued by the script when +# the user doesn't want to wait for the natural termination of the script. +# +# The default is 5 seconds. It is possible to set it to 0 or a negative value +# to disable this mechanism (uninterrupted execution). 
Note that in the past +# this config had a different name, which is now an alias, so both of these do +# the same: lua-time-limit 5000 +# busy-reply-threshold 5000 + +################################ REDIS CLUSTER ############################### + +# Normal Redis instances can't be part of a Redis Cluster; only nodes that are +# started as cluster nodes can. In order to start a Redis instance as a +# cluster node enable the cluster support uncommenting the following: +# +# cluster-enabled yes + +# Every cluster node has a cluster configuration file. This file is not +# intended to be edited by hand. It is created and updated by Redis nodes. +# Every Redis Cluster node requires a different cluster configuration file. +# Make sure that instances running in the same system do not have +# overlapping cluster configuration file names. +# +# cluster-config-file nodes-6379.conf + +# Cluster node timeout is the amount of milliseconds a node must be unreachable +# for it to be considered in failure state. +# Most other internal time limits are a multiple of the node timeout. +# +# cluster-node-timeout 15000 + +# The cluster port is the port that the cluster bus will listen for inbound connections on. When set +# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires +# you to specify the cluster bus port when executing cluster meet. +# cluster-port 0 + +# A replica of a failing master will avoid to start a failover if its data +# looks too old. +# +# There is no simple way for a replica to actually have an exact measure of +# its "data age", so the following two checks are performed: +# +# 1) If there are multiple replicas able to failover, they exchange messages +# in order to try to give an advantage to the replica with the best +# replication offset (more data from the master processed). +# Replicas will try to get their rank by offset, and apply to the start +# of the failover a delay proportional to their rank. 
+# +# 2) Every single replica computes the time of the last interaction with +# its master. This can be the last ping or command received (if the master +# is still in the "connected" state), or the time that elapsed since the +# disconnection with the master (if the replication link is currently down). +# If the last interaction is too old, the replica will not try to failover +# at all. +# +# The point "2" can be tuned by user. Specifically a replica will not perform +# the failover if, since the last interaction with the master, the time +# elapsed is greater than: +# +# (node-timeout * cluster-replica-validity-factor) + repl-ping-replica-period +# +# So for example if node-timeout is 30 seconds, and the cluster-replica-validity-factor +# is 10, and assuming a default repl-ping-replica-period of 10 seconds, the +# replica will not try to failover if it was not able to talk with the master +# for longer than 310 seconds. +# +# A large cluster-replica-validity-factor may allow replicas with too old data to failover +# a master, while a too small value may prevent the cluster from being able to +# elect a replica at all. +# +# For maximum availability, it is possible to set the cluster-replica-validity-factor +# to a value of 0, which means, that replicas will always try to failover the +# master regardless of the last time they interacted with the master. +# (However they'll always try to apply a delay proportional to their +# offset rank). +# +# Zero is the only value able to guarantee that when all the partitions heal +# the cluster will always be able to continue. +# +# cluster-replica-validity-factor 10 + +# Cluster replicas are able to migrate to orphaned masters, that are masters +# that are left without working replicas. This improves the cluster ability +# to resist to failures as otherwise an orphaned master can't be failed over +# in case of failure if it has no working replicas. 
+# +# Replicas migrate to orphaned masters only if there are still at least a +# given number of other working replicas for their old master. This number +# is the "migration barrier". A migration barrier of 1 means that a replica +# will migrate only if there is at least 1 other working replica for its master +# and so forth. It usually reflects the number of replicas you want for every +# master in your cluster. +# +# Default is 1 (replicas migrate only if their masters remain with at least +# one replica). To disable migration just set it to a very large value or +# set cluster-allow-replica-migration to 'no'. +# A value of 0 can be set but is useful only for debugging and dangerous +# in production. +# +# cluster-migration-barrier 1 + +# Turning off this option allows to use less automatic cluster configuration. +# It both disables migration to orphaned masters and migration from masters +# that became empty. +# +# Default is 'yes' (allow automatic migrations). +# +# cluster-allow-replica-migration yes + +# By default Redis Cluster nodes stop accepting queries if they detect there +# is at least a hash slot uncovered (no available node is serving it). +# This way if the cluster is partially down (for example a range of hash slots +# are no longer covered) all the cluster becomes, eventually, unavailable. +# It automatically returns available as soon as all the slots are covered again. +# +# However sometimes you want the subset of the cluster which is working, +# to continue to accept queries for the part of the key space that is still +# covered. In order to do so, just set the cluster-require-full-coverage +# option to no. +# +# cluster-require-full-coverage yes + +# This option, when set to yes, prevents replicas from trying to failover its +# master during master failures. However the replica can still perform a +# manual failover, if forced to do so. 
+# +# This is useful in different scenarios, especially in the case of multiple +# data center operations, where we want one side to never be promoted if not +# in the case of a total DC failure. +# +# cluster-replica-no-failover no + +# This option, when set to yes, allows nodes to serve read traffic while the +# cluster is in a down state, as long as it believes it owns the slots. +# +# This is useful for two cases. The first case is for when an application +# doesn't require consistency of data during node failures or network partitions. +# One example of this is a cache, where as long as the node has the data it +# should be able to serve it. +# +# The second use case is for configurations that don't meet the recommended +# three shards but want to enable cluster mode and scale later. A +# master outage in a 1 or 2 shard configuration causes a read/write outage to the +# entire cluster without this option set, with it set there is only a write outage. +# Without a quorum of masters, slot ownership will not change automatically. +# +# cluster-allow-reads-when-down no + +# This option, when set to yes, allows nodes to serve pubsub shard traffic while +# the cluster is in a down state, as long as it believes it owns the slots. +# +# This is useful if the application would like to use the pubsub feature even when +# the cluster global stable state is not OK. If the application wants to make sure only +# one shard is serving a given channel, this feature should be kept as yes. +# +# cluster-allow-pubsubshard-when-down yes + +# Cluster link send buffer limit is the limit on the memory usage of an individual +# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed +# this limit. This is to primarily prevent send buffers from growing unbounded on links +# toward slow peers (E.g. PubSub messages being piled up). +# This limit is disabled by default. 
Enable this limit when 'mem_cluster_links' INFO field +# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase. +# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single +# PubSub message by default. (client-query-buffer-limit default value is 1gb) +# +# cluster-link-sendbuf-limit 0 + +# Clusters can configure their announced hostname using this config. This is a common use case for +# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based +# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS +# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is +# communicated along the clusterbus to all nodes, setting it to an empty string will remove +# the hostname and also propagate the removal. +# +# cluster-announce-hostname "" + +# Clusters can advertise how clients should connect to them using either their IP address, +# a user defined hostname, or by declaring they have no endpoint. Which endpoint is +# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type +# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how +# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS. +# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?' +# will be returned instead. +# +# When a cluster advertises itself as having an unknown endpoint, it's indicating that +# the server doesn't know how clients can reach the cluster. This can happen in certain +# networking situations where there are multiple possible routes to the node, and the +# server doesn't know which one the client took. In this case, the server is expecting +# the client to reach out on the same endpoint it used for making the last request, but use +# the port provided in the response. 
+# +# cluster-preferred-endpoint-type ip + +# In order to setup your cluster make sure to read the documentation +# available at https://redis.io web site. + +########################## CLUSTER DOCKER/NAT support ######################## + +# In certain deployments, Redis Cluster nodes address discovery fails, because +# addresses are NAT-ted or because ports are forwarded (the typical case is +# Docker and other containers). +# +# In order to make Redis Cluster working in such environments, a static +# configuration where each node knows its public address is needed. The +# following four options are used for this scope, and are: +# +# * cluster-announce-ip +# * cluster-announce-port +# * cluster-announce-tls-port +# * cluster-announce-bus-port +# +# Each instructs the node about its address, client ports (for connections +# without and with TLS) and cluster message bus port. The information is then +# published in the header of the bus packets so that other nodes will be able to +# correctly map the address of the node publishing the information. +# +# If cluster-tls is set to yes and cluster-announce-tls-port is omitted or set +# to zero, then cluster-announce-port refers to the TLS port. Note also that +# cluster-announce-tls-port has no effect if cluster-tls is set to no. +# +# If the above options are not used, the normal Redis Cluster auto-detection +# will be used instead. +# +# Note that when remapped, the bus port may not be at the fixed offset of +# clients port + 10000, so you can specify any port and bus-port depending +# on how they get remapped. If the bus-port is not set, a fixed offset of +# 10000 will be used as usual. +# +# Example: +# +# cluster-announce-ip 10.1.1.5 +# cluster-announce-tls-port 6379 +# cluster-announce-port 0 +# cluster-announce-bus-port 6380 ################################## SLOW LOG ################################### 
@@ -659,14 +1841,28 @@ slowlog-max-len 128
 # By default latency monitoring is disabled since it is mostly not needed
 # if you don't have latency issues, and collecting data has a performance
 # impact, that while very small, can be measured under big load. Latency
-# monitoring can easily be enalbed at runtime using the command
+# monitoring can easily be enabled at runtime using the command
 # "CONFIG SET latency-monitor-threshold " if needed.
 latency-monitor-threshold 0
-############################# Event notification ##############################
+################################ LATENCY TRACKING ##############################
+
+# The Redis extended latency monitoring tracks the per command latencies and enables
+# exporting the percentile distribution via the INFO latencystats command,
+# and cumulative latency distributions (histograms) via the LATENCY command.
+#
+# By default, the extended latency monitoring is enabled since the overhead
+# of keeping track of the command latency is very small.
+# latency-tracking yes
+
+# By default the exported latency percentiles via the INFO latencystats command
+# are the p50, p99, and p999.
+# latency-tracking-info-percentiles 50 99 99.9
+
+############################# EVENT NOTIFICATION ##############################
 # Redis can notify Pub/Sub clients about events happening in the key space.
-# This feature is documented at http://redis.io/topics/notifications
+# This feature is documented at https://redis.io/topics/notifications
 #
 # For instance if keyspace events notification is enabled, and a client
 # performs a DEL operation on key "foo" stored in the Database 0, two
@@ -688,7 +1884,13 @@ latency-monitor-threshold 0
 # z Sorted set commands
 # x Expired events (events generated every time a key expires)
 # e Evicted events (events generated when a key is evicted for maxmemory)
-# A Alias for g$lshzxe, so that the "AKE" string means all the events.
+# n New key events (Note: not included in the 'A' class)
+# t Stream commands
+# d Module key type events
+# m Key-miss events (Note: It is not included in the 'A' class)
+# A Alias for g$lshzxetd, so that the "AKE" string means all the events
+# (Except key-miss events which are excluded from 'A' due to their
+# unique nature).
 #
 # The "notify-keyspace-events" takes as argument a string that is composed
 # of zero or multiple characters. The empty string means that notifications
@@ -714,14 +1916,39 @@ notify-keyspace-events ""
 # Hashes are encoded using a memory efficient data structure when they have a
 # small number of entries, and the biggest entry does not exceed a given
 # threshold. These thresholds can be configured using the following directives.
-hash-max-ziplist-entries 512
-hash-max-ziplist-value 64
-
-# Similarly to hashes, small lists are also encoded in a special way in order
-# to save a lot of space. The special representation is only used when
-# you are under the following limits:
-list-max-ziplist-entries 512
-list-max-ziplist-value 64
+hash-max-listpack-entries 512
+hash-max-listpack-value 64
+
+# Lists are also encoded in a special way to save a lot of space.
+# The number of entries allowed per internal list node can be specified
+# as a fixed maximum size or a maximum number of elements.
+# For a fixed maximum size, use -5 through -1, meaning:
+# -5: max size: 64 Kb <-- not recommended for normal workloads
+# -4: max size: 32 Kb <-- not recommended
+# -3: max size: 16 Kb <-- probably not recommended
+# -2: max size: 8 Kb <-- good
+# -1: max size: 4 Kb <-- good
+# Positive numbers mean store up to _exactly_ that number of elements
+# per list node.
+# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
+# but if your use case is unique, adjust the settings as necessary.
+list-max-listpack-size -2
+
+# Lists may also be compressed.
+# Compress depth is the number of quicklist ziplist nodes from *each* side of
+# the list to *exclude* from compression. The head and tail of the list
+# are always uncompressed for fast push/pop operations. Settings are:
+# 0: disable all list compression
+# 1: depth 1 means "don't start compressing until after 1 node into the list,
+# going from either the head or tail"
+# So: [head]->node->node->...->node->[tail]
+# [head], [tail] will always be uncompressed; inner nodes will compress.
+# 2: [head]->[next]->node->node->...->node->[prev]->[tail]
+# 2 here means: don't compress head or head->next or tail->prev or tail,
+# but compress all nodes between them.
+# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail]
+# etc.
+list-compress-depth 0
 # Sets have a special encoding in just one case: when a set is composed
 # of just strings that happen to be integers in radix 10 in the range
@@ -733,8 +1960,8 @@ set-max-intset-entries 512
 # Similarly to hashes and lists, sorted sets are also specially encoded in
 # order to save a lot of space. This encoding is only used when the length and
 # elements of a sorted set are below the following limits:
-zset-max-ziplist-entries 128
-zset-max-ziplist-value 64
+zset-max-listpack-entries 128
+zset-max-listpack-value 64
 # HyperLogLog sparse representation bytes limit. The limit includes the
 # 16 bytes header. When an HyperLogLog using the sparse representation crosses
@@ -750,6 +1977,17 @@ zset-max-ziplist-value 64
 # composed of many HyperLogLogs with cardinality in the 0 - 15000 range.
 hll-sparse-max-bytes 3000
+# Streams macro node max size / items. The stream data structure is a radix
+# tree of big nodes that encode multiple items inside. Using this configuration
+# it is possible to configure how big a single node can be in bytes, and the
+# maximum number of items it may contain before switching to a new node when
+# appending new stream entries. If any of the following settings are set to
+# zero, the limit is ignored, so for instance it is possible to set just a
+# max entries limit by setting max-bytes to 0 and max-entries to the desired
+# value.
+stream-node-max-bytes 4096
+stream-node-max-entries 100
+
 # Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
 # order to help rehashing the main Redis hash table (the one mapping top-level
 # keys to values). The hash table implementation Redis uses (see dict.c)
@@ -778,7 +2016,7 @@ activerehashing yes
 # The limit can be set differently for the three different classes of clients:
 #
 # normal -> normal clients including MONITOR clients
-# slave -> slave clients
+# replica -> replica clients
 # pubsub -> clients subscribed to at least one pubsub channel or pattern
 #
 # The syntax of every client-output-buffer-limit directive is the following:
@@ -799,14 +2037,54 @@ activerehashing yes
 # asynchronous clients may create a scenario where data is requested faster
 # than it can read.
 #
-# Instead there is a default limit for pubsub and slave clients, since
-# subscribers and slaves receive data in a push fashion.
+# Instead there is a default limit for pubsub and replica clients, since
+# subscribers and replicas receive data in a push fashion.
+#
+# Note that it doesn't make sense to set the replica clients output buffer
+# limit lower than the repl-backlog-size config (partial sync will succeed
+# and then replica will get disconnected).
+# Such a configuration is ignored (the size of repl-backlog-size will be used).
+# This doesn't have memory consumption implications since the replica client
+# will share the backlog buffers memory.
 #
 # Both the hard or the soft limit can be disabled by setting them to zero.
 client-output-buffer-limit normal 0 0 0
-client-output-buffer-limit slave 256mb 64mb 60
+client-output-buffer-limit replica 256mb 64mb 60
 client-output-buffer-limit pubsub 32mb 8mb 60
+# Client query buffers accumulate new commands. They are limited to a fixed
+# amount by default in order to avoid that a protocol desynchronization (for
+# instance due to a bug in the client) will lead to unbound memory usage in
+# the query buffer. However you can configure it here if you have very special
+# needs, such us huge multi/exec requests or alike.
+#
+# client-query-buffer-limit 1gb
+
+# In some scenarios client connections can hog up memory leading to OOM
+# errors or data eviction. To avoid this we can cap the accumulated memory
+# used by all client connections (all pubsub and normal clients). Once we
+# reach that limit connections will be dropped by the server freeing up
+# memory. The server will attempt to drop the connections using the most
+# memory first. We call this mechanism "client eviction".
+#
+# Client eviction is configured using the maxmemory-clients setting as follows:
+# 0 - client eviction is disabled (default)
+#
+# A memory value can be used for the client eviction threshold,
+# for example:
+# maxmemory-clients 1g
+#
+# A percentage value (between 1% and 100%) means the client eviction threshold
+# is based on a percentage of the maxmemory setting. For example to set client
+# eviction at 5% of maxmemory:
+# maxmemory-clients 5%
+
+# In the Redis protocol, bulk requests, that are, elements representing single
+# strings, are normally limited to 512 mb. However you can change this limit
+# here, but must be 1mb or greater
+#
+# proto-max-bulk-len 512mb
+
 # Redis calls an internal function to perform many background tasks, like
 # closing connections of clients in timeout, purging expired keys that are
 # never requested, and so forth.
@@ -824,8 +2102,181 @@ client-output-buffer-limit pubsub 32mb 8mb 60 # 100 only in environments where very low latency is required. hz 10 +# Normally it is useful to have an HZ value which is proportional to the +# number of clients connected. This is useful in order, for instance, to +# avoid too many clients are processed for each background task invocation +# in order to avoid latency spikes. +# +# Since the default HZ value by default is conservatively set to 10, Redis +# offers, and enables by default, the ability to use an adaptive HZ value +# which will temporarily raise when there are many connected clients. +# +# When dynamic HZ is enabled, the actual configured HZ will be used +# as a baseline, but multiples of the configured HZ value will be actually +# used as needed once more clients are connected. In this way an idle +# instance will use very little CPU time while a busy instance will be +# more responsive. +dynamic-hz yes + # When a child rewrites the AOF file, if the following option is enabled -# the file will be fsync-ed every 32 MB of data generated. This is useful +# the file will be fsync-ed every 4 MB of data generated. This is useful # in order to commit the file to the disk more incrementally and avoid # big latency spikes. aof-rewrite-incremental-fsync yes + +# When redis saves RDB file, if the following option is enabled +# the file will be fsync-ed every 4 MB of data generated. This is useful +# in order to commit the file to the disk more incrementally and avoid +# big latency spikes. +rdb-save-incremental-fsync yes + +# Redis LFU eviction (see maxmemory setting) can be tuned. However it is a good +# idea to start with the default settings and only change them after investigating +# how to improve the performances and how the keys LFU change over time, which +# is possible to inspect via the OBJECT FREQ command. 
+# +# There are two tunable parameters in the Redis LFU implementation: the +# counter logarithm factor and the counter decay time. It is important to +# understand what the two parameters mean before changing them. +# +# The LFU counter is just 8 bits per key, it's maximum value is 255, so Redis +# uses a probabilistic increment with logarithmic behavior. Given the value +# of the old counter, when a key is accessed, the counter is incremented in +# this way: +# +# 1. A random number R between 0 and 1 is extracted. +# 2. A probability P is calculated as 1/(old_value*lfu_log_factor+1). +# 3. The counter is incremented only if R < P. +# +# The default lfu-log-factor is 10. This is a table of how the frequency +# counter changes with a different number of accesses with different +# logarithmic factors: +# +# +--------+------------+------------+------------+------------+------------+ +# | factor | 100 hits | 1000 hits | 100K hits | 1M hits | 10M hits | +# +--------+------------+------------+------------+------------+------------+ +# | 0 | 104 | 255 | 255 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 1 | 18 | 49 | 255 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 10 | 10 | 18 | 142 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 100 | 8 | 11 | 49 | 143 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# +# NOTE: The above table was obtained by running the following commands: +# +# redis-benchmark -n 1000000 incr foo +# redis-cli object freq foo +# +# NOTE 2: The counter initial value is 5 in order to give new objects a chance +# to accumulate hits. +# +# The counter decay time is the time, in minutes, that must elapse in order +# for the key counter to be divided by two (or decremented if it has a value +# less <= 10). +# +# The default value for the lfu-decay-time is 1. 
A special value of 0 means to +# decay the counter every time it happens to be scanned. +# +# lfu-log-factor 10 +# lfu-decay-time 1 + +########################### ACTIVE DEFRAGMENTATION ####################### +# +# What is active defragmentation? +# ------------------------------- +# +# Active (online) defragmentation allows a Redis server to compact the +# spaces left between small allocations and deallocations of data in memory, +# thus allowing to reclaim back memory. +# +# Fragmentation is a natural process that happens with every allocator (but +# less so with Jemalloc, fortunately) and certain workloads. Normally a server +# restart is needed in order to lower the fragmentation, or at least to flush +# away all the data and create it again. However thanks to this feature +# implemented by Oran Agra for Redis 4.0 this process can happen at runtime +# in a "hot" way, while the server is running. +# +# Basically when the fragmentation is over a certain level (see the +# configuration options below) Redis will start to create new copies of the +# values in contiguous memory regions by exploiting certain specific Jemalloc +# features (in order to understand if an allocation is causing fragmentation +# and to allocate it in a better place), and at the same time, will release the +# old copies of the data. This process, repeated incrementally for all the keys +# will cause the fragmentation to drop back to normal values. +# +# Important things to understand: +# +# 1. This feature is disabled by default, and only works if you compiled Redis +# to use the copy of Jemalloc we ship with the source code of Redis. +# This is the default with Linux builds. +# +# 2. You never need to enable this feature if you don't have fragmentation +# issues. +# +# 3. Once you experience fragmentation, you can enable this feature when +# needed with the command "CONFIG SET activedefrag yes". 
+# +# The configuration parameters are able to fine tune the behavior of the +# defragmentation process. If you are not sure about what they mean it is +# a good idea to leave the defaults untouched. + +# Active defragmentation is disabled by default +# activedefrag no + +# Minimum amount of fragmentation waste to start active defrag +# active-defrag-ignore-bytes 100mb + +# Minimum percentage of fragmentation to start active defrag +# active-defrag-threshold-lower 10 + +# Maximum percentage of fragmentation at which we use maximum effort +# active-defrag-threshold-upper 100 + +# Minimal effort for defrag in CPU percentage, to be used when the lower +# threshold is reached +# active-defrag-cycle-min 1 + +# Maximal effort for defrag in CPU percentage, to be used when the upper +# threshold is reached +# active-defrag-cycle-max 25 + +# Maximum number of set/hash/zset/list fields that will be processed from +# the main dictionary scan +# active-defrag-max-scan-fields 1000 + +# Jemalloc background thread for purging will be enabled by default +jemalloc-bg-thread yes + +# It is possible to pin different threads and processes of Redis to specific +# CPUs in your system, in order to maximize the performances of the server. +# This is useful both in order to pin different Redis threads in different +# CPUs, but also in order to make sure that multiple Redis instances running +# in the same host will be pinned to different CPUs. +# +# Normally you can do this using the "taskset" command, however it is also +# possible to this via Redis configuration directly, both in Linux and FreeBSD. +# +# You can pin the server/IO threads, bio threads, aof rewrite child process, and +# the bgsave child process. 
The syntax to specify the cpu list is the same as
+# the taskset command:
+#
+# Set redis server/io threads to cpu affinity 0,2,4,6:
+# server_cpulist 0-7:2
+#
+# Set bio threads to cpu affinity 1,3:
+# bio_cpulist 1,3
+#
+# Set aof rewrite child process to cpu affinity 8,9,10,11:
+# aof_rewrite_cpulist 8-11
+#
+# Set bgsave child process to cpu affinity 1,10,11
+# bgsave_cpulist 1,10-11
+
+# In some cases redis will emit warnings and even refuse to start if it detects
+# that the system is in bad state, it is possible to suppress these warnings
+# by setting the following config which takes a space delimited list of warnings
+# to suppress
+#
+# ignore-warnings ARM64-COW-BUG
diff --git a/conf/redis_queue.conf.example b/conf/redis_queue.conf.example
index 87c1bd493429..e5184ea3e1b8 100644
--- a/conf/redis_queue.conf.example
+++ b/conf/redis_queue.conf.example
@@ -1,5 +1,10 @@
 # Copyright (C) Inverse inc.
-# Redis configuration file example
+# Redis configuration file example.
+#
+# Note that in order to read the configuration file, Redis must be
+# started with the file path as first argument:
+#
+# ./redis-server /path/to/redis.conf
 # Note on units: when memory size is needed, it is possible to specify
 # it in the usual form of 1k 5GB 4M and so forth:
@@ -20,7 +25,7 @@
 # to customize a few per-server settings. Include files can include
 # other files, so use this wisely.
 #
-# Notice option "include" won't be rewritten by command "CONFIG REWRITE"
+# Note that option "include" won't be rewritten by command "CONFIG REWRITE"
 # from admin or Redis Sentinel. Since Redis always uses the last processed
 # line as value of a configuration directive, you'd better put includes
 # at the beginning of this file to avoid overwriting config change at runtime.
@@ -28,42 +33,122 @@
 # If instead you are interested in using includes to override configuration
 # options, it is better to use include as the last line.
 #
+# Included paths may contain wildcards. All files matching the wildcards will
+# be included in alphabetical order.
+# Note that if an include path contains a wildcards but no files match it when
+# the server is started, the include statement will be ignored and no error will
+# be emitted. It is safe, therefore, to include wildcard files from empty
+# directories.
+#
 # include /path/to/local.conf
 # include /path/to/other.conf
+# include /path/to/fragments/*.conf
+#
-################################ GENERAL #####################################
+################################## MODULES #####################################
-# By default Redis does not run as a daemon. Use 'yes' if you need it.
-# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
-daemonize no
+# Load modules at startup. If the server is not able to load modules
+# it will abort. It is possible to use multiple loadmodule directives.
+#
+# loadmodule /path/to/my_module.so
+# loadmodule /path/to/other_module.so
-# When running daemonized, Redis writes a pid file in /var/run/redis.pid by
-# default. You can specify a custom pid file location here.
-pidfile %%install_dir%%/var/run/%%name%%.pid
+################################## NETWORK #####################################
+# By default, if no "bind" configuration directive is specified, Redis listens
+# for connections from all available network interfaces on the host machine.
+# It is possible to listen to just one or multiple selected interfaces using
+# the "bind" configuration directive, followed by one or more IP addresses.
+# Each address can be prefixed by "-", which means that redis will not fail to
+# start if the address is not available. Being not available only refers to
+# addresses that does not correspond to any network interface. Addresses that
+# are already in use will always fail, and unsupported protocols will always BE
+# silently skipped.
+#
+# Examples:
+#
+# bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses
+# bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6
+# bind * -::* # like the default, all available interfaces
+#
+# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
+# internet, binding to all the interfaces is dangerous and will expose the
+# instance to everybody on the internet. So by default we uncomment the
+# following bind directive, that will force Redis to listen only on the
+# IPv4 and IPv6 (if available) loopback interface addresses (this means Redis
+# will only be able to accept client connections from the same host that it is
+# running on).
+#
+# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
+# COMMENT OUT THE FOLLOWING LINE.
+#
+# You will also need to set a password unless you explicitly disable protected
+# mode.
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+bind 127.0.0.1 100.64.0.1
+
+# By default, outgoing connections (from replica to master, from Sentinel to
+# instances, cluster bus, etc.) are not bound to a specific local address. In
+# most cases, this means the operating system will handle that based on routing
+# and the interface through which the connection goes out.
+#
+# Using bind-source-addr it is possible to configure a specific address to bind
+# to, which may also affect how the connection gets routed.
+#
+# Example:
+#
+# bind-source-addr 10.0.0.1
+
+# Protected mode is a layer of security protection, in order to avoid that
+# Redis instances left open on the internet are accessed and exploited.
+#
+# When protected mode is on and the default user has no password, the server
+# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address
+# (::1) or Unix domain sockets.
+#
+# By default protected mode is enabled. You should disable it only if
+# you are sure you want clients from other hosts to connect to Redis
+# even if no authentication is configured.
+protected-mode no
+
+# Redis uses default hardened security configuration directives to reduce the
+# attack surface on innocent users. Therefore, several sensitive configuration
+# directives are immutable, and some potentially-dangerous commands are blocked.
+#
+# Configuration directives that control files that Redis writes to (e.g., 'dir'
+# and 'dbfilename') and that aren't usually modified during runtime
+# are protected by making them immutable.
+#
+# Commands that can increase the attack surface of Redis and that aren't usually
+# called by users are blocked by default.
+#
+# These can be exposed to either all connections or just local ones by setting
+# each of the configs listed below to either of these values:
+#
+# no - Block for any connection (remain immutable)
+# yes - Allow for any connection (no protection)
+# local - Allow only for local connections. Ones originating from the
+# IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets.
+#
+# enable-protected-configs no
+# enable-debug-command no
+# enable-module-command no
+
+# Accept connections on the specified port, default is 6379 (IANA #815344).
 # If port 0 is specified Redis will not listen on a TCP socket.
 port 6380
 # TCP listen() backlog.
 #
-# In high requests-per-second environments you need an high backlog in order
-# to avoid slow clients connections issues. Note that the Linux kernel
+# In high requests-per-second environments you need a high backlog in order
+# to avoid slow clients connection issues. Note that the Linux kernel
 # will silently truncate it to the value of /proc/sys/net/core/somaxconn so
 # make sure to raise both the value of somaxconn and tcp_max_syn_backlog
 # in order to get the desired effect.
 tcp-backlog 511
-# By default Redis listens for connections from all the network interfaces
-# available on the server. It is possible to listen to just one or multiple
-# interfaces using the "bind" configuration directive, followed by one or
-# more IP addresses.
+# Unix socket.
 #
-# Examples:
-#
-# bind 192.168.1.100 10.0.0.1
-# bind 127.0.0.1
-bind 127.0.0.1 100.64.0.1
-
 # Specify the path for the Unix socket that will be used to listen for
 # incoming connections. There is no default, so Redis will not listen
 # on a unix socket when not specified.
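Review bot: `protected-mode no` is set on the new side of this hunk while the same hunk keeps `bind 127.0.0.1 100.64.0.1`, so the instance listens on a non-loopback address with the only built-in guard against unauthenticated remote clients switched off. Per the comment text just above it, protected mode only refuses non-local connections when the default user has no password, so this is fine if the file sets `requirepass` or an ACL further down (outside this hunk); if it does not, every host that can reach 100.64.0.1 gets full, unauthenticated access to the queue, and `protected-mode yes` would be the safer value. Whichever is intended, a one-line comment above the directive such as `# protected mode off on purpose: clients on 100.64.0.1 authenticate via requirepass/ACL` would record why the Redis default is overridden, which is what an auditor will look for first.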
@@ -80,16 +165,182 @@ timeout 0
 # of communication. This is useful for two reasons:
 #
 # 1) Detect dead peers.
-# 2) Take the connection alive from the point of view of network
-# equipment in the middle.
+# 2) Force network equipment in the middle to consider the connection to be
+# alive.
 #
 # On Linux, the specified value (in seconds) is the period used to send ACKs.
 # Note that to close the connection the double of the time is needed.
 # On other kernels the period depends on the kernel configuration.
 #
-# A reasonable value for this option is 60 seconds.
+# A reasonable value for this option is 300 seconds, which is the new
+# Redis default starting with Redis 3.2.1.
 tcp-keepalive 0
+# Apply OS-specific mechanism to mark the listening socket with the specified
+# ID, to support advanced routing and filtering capabilities.
+#
+# On Linux, the ID represents a connection mark.
+# On FreeBSD, the ID represents a socket cookie ID.
+# On OpenBSD, the ID represents a route table ID.
+#
+# The default value is 0, which implies no marking is required.
+# socket-mark-id 0
+
+################################# TLS/SSL #####################################
+
+# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
+# directive can be used to define TLS-listening ports. To enable TLS on the
+# default port, use:
+#
+# port 0
+# tls-port 6379
+
+# Configure a X.509 certificate and private key to use for authenticating the
+# server to connected clients, masters or cluster peers. These files should be
+# PEM formatted.
+#
+# tls-cert-file redis.crt
+# tls-key-file redis.key
+#
+# If the key file is encrypted using a passphrase, it can be included here
+# as well.
+#
+# tls-key-file-pass secret
+
+# Normally Redis uses the same certificate for both server functions (accepting
+# connections) and client functions (replicating from a master, establishing
+# cluster bus connections, etc.).
+#
+# Sometimes certificates are issued with attributes that designate them as
+# client-only or server-only certificates. In that case it may be desired to use
+# different certificates for incoming (server) and outgoing (client)
+# connections. To do that, use the following directives:
+#
+# tls-client-cert-file client.crt
+# tls-client-key-file client.key
+#
+# If the key file is encrypted using a passphrase, it can be included here
+# as well.
+#
+# tls-client-key-file-pass secret
+
+# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange,
+# required by older versions of OpenSSL (<3.0). Newer versions do not require
+# this configuration and recommend against it.
+#
+# tls-dh-params-file redis.dh
+
+# Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL
+# clients and peers. Redis requires an explicit configuration of at least one
+# of these, and will not implicitly use the system wide configuration.
+#
+# tls-ca-cert-file ca.crt
+# tls-ca-cert-dir /etc/ssl/certs
+
+# By default, clients (including replica servers) on a TLS port are required
+# to authenticate using valid client side certificates.
+#
+# If "no" is specified, client certificates are not required and not accepted.
+# If "optional" is specified, client certificates are accepted and must be
+# valid if provided, but are not required.
+#
+# tls-auth-clients no
+# tls-auth-clients optional
+
+# By default, a Redis replica does not attempt to establish a TLS connection
+# with its master.
+#
+# Use the following directive to enable TLS on replication links.
+#
+# tls-replication yes
+
+# By default, the Redis Cluster bus uses a plain TCP connection. To enable
+# TLS for the bus protocol, use the following directive:
+#
+# tls-cluster yes
+
+# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended
+# that older formally deprecated versions are kept disabled to reduce the attack surface.
+# You can explicitly specify TLS versions to support.
+# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2",
+# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination.
+# To enable only TLSv1.2 and TLSv1.3, use:
+#
+# tls-protocols "TLSv1.2 TLSv1.3"
+
+# Configure allowed ciphers. See the ciphers(1ssl) manpage for more information
+# about the syntax of this string.
+#
+# Note: this configuration applies only to <= TLSv1.2.
+#
+# tls-ciphers DEFAULT:!MEDIUM
+
+# Configure allowed TLSv1.3 ciphersuites. See the ciphers(1ssl) manpage for more
+# information about the syntax of this string, and specifically for TLSv1.3
+# ciphersuites.
+#
+# tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
+
+# When choosing a cipher, use the server's preference instead of the client
+# preference. By default, the server follows the client's preference.
+#
+# tls-prefer-server-ciphers yes
+
+# By default, TLS session caching is enabled to allow faster and less expensive
+# reconnections by clients that support it. Use the following directive to disable
+# caching.
+#
+# tls-session-caching no
+
+# Change the default number of TLS sessions cached. A zero value sets the cache
+# to unlimited size. The default size is 20480.
+#
+# tls-session-cache-size 5000
+
+# Change the default timeout of cached TLS sessions. The default timeout is 300
+# seconds.
+#
+# tls-session-cache-timeout 60
+
+################################# GENERAL #####################################
+
+# By default Redis does not run as a daemon. Use 'yes' if you need it.
+# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
+# When Redis is supervised by upstart or systemd, this parameter has no impact.
+daemonize no
+
+# If you run Redis from upstart or systemd, Redis can interact with your
+# supervision tree. Options:
+# supervised no - no supervision interaction
+# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
+# requires "expect stop" in your upstart job config
+# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
+# on startup, and updating Redis status on a regular
+# basis.
+# supervised auto - detect upstart or systemd method based on
+# UPSTART_JOB or NOTIFY_SOCKET environment variables
+# Note: these supervision methods only signal "process is ready."
+# They do not enable continuous pings back to your supervisor.
+#
+# The default is "no". To run under upstart/systemd, you can simply uncomment
+# the line below:
+#
+# supervised auto
+
+# If a pid file is specified, Redis writes it where specified at startup
+# and removes it at exit.
+#
+# When the server runs non daemonized, no pid file is created if none is
+# specified in the configuration. When the server is daemonized, the pid file
+# is used even if not specified, defaulting to "/var/run/redis.pid".
+#
+# Creating a pid file is best effort: if Redis is not able to create it
+# nothing bad happens, the server will start and run normally.
+#
+# Note that on modern Linux systems "/run/redis.pid" is more conforming
+# and should be used instead.
+pidfile %%install_dir%%/var/run/%%name%%.pid
+
 # Specify the server verbosity level.
 # This can be one of:
 # debug (a lot of information, useful for development/testing)
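Review bot: `tcp-keepalive 0` is carried over unchanged while the rewritten comment directly above it now states that 300 seconds is the Redis default since 3.2.1, so the directive quietly opts this instance out of keepalives and the text and the value contradict each other. With keepalives off, a half-open connection from a client on the non-loopback bind address (set in an earlier hunk of this file) is only detected when the server next tries to send, which is the kind of stale-connection pile-up that shows up during an incident rather than in testing. If 0 is deliberate, a line such as `# keepalive disabled on purpose: <reason placeholder>` above it would settle the question for the next reader; otherwise dropping the explicit 0, or setting `tcp-keepalive 300`, would match the comment.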
@@ -113,33 +364,74 @@ syslog-ident redis-queue
 # Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
 syslog-facility local5
+# To disable the built in crash log, which will possibly produce cleaner core
+# dumps when they are needed, uncomment the following:
+#
+# crash-log-enabled no
+
+# To disable the fast memory check that's run as part of the crash log, which
+# will possibly let redis terminate sooner, uncomment the following:
+#
+# crash-memcheck-enabled no
+
 # Set the number of databases. The default database is DB 0, you can select
 # a different one on a per-connection basis using SELECT where
 # dbid is a number between 0 and 'databases'-1
 databases 1
+# By default Redis shows an ASCII art logo only when started to log to the
+# standard output and if the standard output is a TTY and syslog logging is
+# disabled. Basically this means that normally a logo is displayed only in
+# interactive sessions.
+#
+# However it is possible to force the pre-4.0 behavior and always show a
+# ASCII art logo in startup logs by setting the following option to yes.
+always-show-logo no
+
+# By default, Redis modifies the process title (as seen in 'top' and 'ps') to
+# provide some runtime information. It is possible to disable this and leave
+# the process name as executed by setting the following to no.
+set-proc-title yes
+
+# When changing the process title, Redis uses the following template to construct
+# the modified title.
+#
+# Template variables are specified in curly brackets. The following variables are
+# supported:
+#
+# {title} Name of process as executed if parent, or type of child process.
+# {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or
+# Unix socket if only that's available.
+# {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]".
+# {port} TCP port listening on, or 0.
+# {tls-port} TLS port listening on, or 0.
+# {unixsocket} Unix domain socket listening on, or "".
+# {config-file} Name of configuration file used.
+#
+proc-title-template "{title} {listen-addr} {server-mode}"
+
 ################################ SNAPSHOTTING ################################
+
+# Save the DB to disk.
 #
-# Save the DB on disk:
+# save [ ...]
 #
-# save
 #
+# Redis will save the DB if the given number of seconds elapsed and it
+# surpassed the given number of write operations against the DB.
 #
-# Will save the DB if both the given number of seconds and the given
-# number of write operations against the DB occurred.
+# Snapshotting can be completely disabled with a single empty string argument
+# as in following example:
 #
-# In the example below the behaviour will be to save:
-# after 900 sec (15 min) if at least 1 key changed
-# after 300 sec (5 min) if at least 10 keys changed
-# after 60 sec if at least 10000 keys changed
+# save ""
 #
-# Note: you can disable saving completely by commenting out all "save" lines.
+# Unless specified otherwise, by default Redis will save the DB:
+# * After 3600 seconds (an hour) if at least 1 change was performed
+# * After 300 seconds (5 minutes) if at least 100 changes were performed
+# * After 60 seconds if at least 10000 changes were performed
 #
-# It is also possible to remove all the previously configured save
-# points by adding a save directive with a single empty string argument
-# like in the following example:
+# You can set these explicitly by uncommenting the following line.
 #
-# save ""
-
+# save 3600 1 300 100 60 10000
 save 900 1
 save 300 10
 save 60 10000
@@ -160,7 +452,7 @@ save 60 10000
 stop-writes-on-bgsave-error yes
 # Compress string objects using LZF when dump .rdb databases?
-# For default that's set to 'yes' as it's almost always a win.
+# By default compression is enabled as it's almost always a win.
 # If you want to save some CPU in the saving child set it to 'no' but
 # the dataset will likely be bigger if you have compressible values or keys.
 rdbcompression yes
@@ -174,9 +466,37 @@ rdbcompression yes
 # tell the loading code to skip the check.
 rdbchecksum yes
+# Enables or disables full sanitization checks for ziplist and listpack etc when
+# loading an RDB or RESTORE payload. This reduces the chances of a assertion or
+# crash later on while processing commands.
+# Options:
+# no - Never perform full sanitization
+# yes - Always perform full sanitization
+# clients - Perform full sanitization only for user connections.
+# Excludes: RDB files, RESTORE commands received from the master
+# connection, and client connections which have the
+# skip-sanitize-payload ACL flag.
+# The default should be 'clients' but since it currently affects cluster
+# resharding via MIGRATE, it is temporarily set to 'no' by default.
+#
+# sanitize-dump-payload no
+
 # The filename where to dump the DB
 dbfilename dump.rdb
+# Remove RDB files used by replication in instances without persistence
+# enabled. By default this option is disabled, however there are environments
+# where for regulations or other security concerns, RDB files persisted on
+# disk by masters in order to feed replicas, or stored on disk by replicas
+# in order to load them for the initial synchronization, should be deleted
+# ASAP. Note that this option ONLY WORKS in instances that have both AOF
+# and RDB persistence disabled, otherwise is completely ignored.
+#
+# An alternative (and sometimes better) way to obtain the same effect is
+# to use diskless replication on both master and replicas instances. However
+# in the case of replicas, diskless is not always an option.
+rdb-del-sync-files no
+
 # The working directory.
 #
 # The DB will be written inside this directory, with the filename specified
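Review bot: The retained `save 900 1`, `save 300 10` and `save 60 10000` lines now sit under a rewritten comment that describes the Redis 7 defaults and invites the reader to uncomment `# save 3600 1 300 100 60 10000`, so the comment no longer describes what this file actually configures. The multi-line form is still valid syntax, so this is a documentation mismatch rather than a functional one, but it is exactly the sort of thing that gets misread when someone is checking persistence settings under pressure. Either keep a short note above the three lines (e.g. `# intentionally keeps the pre-7.0 save points`) or collapse them into the single-line form the comment describes.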
@@ -189,209 +509,556 @@ dir %%install_dir%%/var/%%name%%
 ################################# REPLICATION #################################
-# Master-Slave replication. Use slaveof to make a Redis instance a copy of
+# Master-Replica replication. Use replicaof to make a Redis instance a copy of
 # another Redis server. A few things to understand ASAP about Redis replication.
 #
+# +------------------+ +---------------+
+# | Master | ---> | Replica |
+# | (receive writes) | | (exact copy) |
+# +------------------+ +---------------+
+#
 # 1) Redis replication is asynchronous, but you can configure a master to
 # stop accepting writes if it appears to be not connected with at least
-# a given number of slaves.
-# 2) Redis slaves are able to perform a partial resynchronization with the
+# a given number of replicas.
+# 2) Redis replicas are able to perform a partial resynchronization with the
 # master if the replication link is lost for a relatively small amount of
 # time. You may want to configure the replication backlog size (see the next
 # sections of this file) with a sensible value depending on your needs.
 # 3) Replication is automatic and does not need user intervention. After a
-# network partition slaves automatically try to reconnect to masters
+# network partition replicas automatically try to reconnect to masters
 # and resynchronize with them.
 #
-# slaveof
+# replicaof
 # If the master is password protected (using the "requirepass" configuration
-# directive below) it is possible to tell the slave to authenticate before
+# directive below) it is possible to tell the replica to authenticate before
 # starting the replication synchronization process, otherwise the master will
-# refuse the slave request.
+# refuse the replica request.
 #
 # masterauth
+#
+# However this is not enough if you are using Redis ACLs (for Redis version
+# 6 or greater), and the default user is not capable of running the PSYNC
+# command and/or other commands needed for replication. In this case it's
+# better to configure a special user to use with replication, and specify the
+# masteruser configuration as such:
+#
+# masteruser
+#
+# When masteruser is specified, the replica will authenticate against its
+# master using the new AUTH form: AUTH .
-# When a slave loses its connection with the master, or when the replication
-# is still in progress, the slave can act in two different ways:
+# When a replica loses its connection with the master, or when the replication
+# is still in progress, the replica can act in two different ways:
 #
-# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will
+# 1) if replica-serve-stale-data is set to 'yes' (the default) the replica will
 # still reply to client requests, possibly with out of date data, or the
 # data set may just be empty if this is the first synchronization.
 #
-# 2) if slave-serve-stale-data is set to 'no' the slave will reply with
-# an error "SYNC with master in progress" to all the kind of commands
-# but to INFO and SLAVEOF.
+# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error
+# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'"
+# to all data access commands, excluding commands such as:
+# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
+# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
+# HOST and LATENCY.
 #
-slave-serve-stale-data yes
+replica-serve-stale-data yes
-# You can configure a slave instance to accept writes or not. Writing against
-# a slave instance may be useful to store some ephemeral data (because data
-# written on a slave will be easily deleted after resync with the master) but
+# You can configure a replica instance to accept writes or not. Writing against
+# a replica instance may be useful to store some ephemeral data (because data
+# written on a replica will be easily deleted after resync with the master) but
 # may also cause problems if clients are writing to it because of a
 # misconfiguration.
 #
-# Since Redis 2.6 by default slaves are read-only.
+# Since Redis 2.6 by default replicas are read-only.
 #
-# Note: read only slaves are not designed to be exposed to untrusted clients
+# Note: read only replicas are not designed to be exposed to untrusted clients
 # on the internet. It's just a protection layer against misuse of the instance.
-# Still a read only slave exports by default all the administrative commands
+# Still a read only replica exports by default all the administrative commands
 # such as CONFIG, DEBUG, and so forth. To a limited extent you can improve
-# security of read only slaves using 'rename-command' to shadow all the
+# security of read only replicas using 'rename-command' to shadow all the
 # administrative / dangerous commands.
-slave-read-only yes
+replica-read-only yes
 # Replication SYNC strategy: disk or socket.
 #
-# -------------------------------------------------------
-# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY
-# -------------------------------------------------------
+# New replicas and reconnecting replicas that are not able to continue the
+# replication process just receiving differences, need to do what is called a
+# "full synchronization". An RDB file is transmitted from the master to the
+# replicas.
 #
-# New slaves and reconnecting slaves that are not able to continue the replication
-# process just receiving differences, need to do what is called a "full
-# synchronization". An RDB file is transmitted from the master to the slaves.
 # The transmission can happen in two different ways:
 #
 # 1) Disk-backed: The Redis master creates a new process that writes the RDB
 # file on disk. Later the file is transferred by the parent
-# process to the slaves incrementally.
+# process to the replicas incrementally.
 # 2) Diskless: The Redis master creates a new process that directly writes the
-# RDB file to slave sockets, without touching the disk at all.
+# RDB file to replica sockets, without touching the disk at all.
 #
-# With disk-backed replication, while the RDB file is generated, more slaves
-# can be queued and served with the RDB file as soon as the current child producing
-# the RDB file finishes its work. With diskless replication instead once
-# the transfer starts, new slaves arriving will be queued and a new transfer
-# will start when the current one terminates.
+# With disk-backed replication, while the RDB file is generated, more replicas
+# can be queued and served with the RDB file as soon as the current child
+# producing the RDB file finishes its work. With diskless replication instead
+# once the transfer starts, new replicas arriving will be queued and a new
+# transfer will start when the current one terminates.
 #
 # When diskless replication is used, the master waits a configurable amount of
-# time (in seconds) before starting the transfer in the hope that multiple slaves
-# will arrive and the transfer can be parallelized.
+# time (in seconds) before starting the transfer in the hope that multiple
+# replicas will arrive and the transfer can be parallelized.
 #
 # With slow disks and fast (large bandwidth) networks, diskless replication
 # works better.
 repl-diskless-sync no
 # When diskless replication is enabled, it is possible to configure the delay
-# the server waits in order to spawn the child that trnasfers the RDB via socket
-# to the slaves.
+# the server waits in order to spawn the child that transfers the RDB via socket
+# to the replicas.
 #
 # This is important since once the transfer starts, it is not possible to serve
-# new slaves arriving, that will be queued for the next RDB transfer, so the server
-# waits a delay in order to let more slaves arrive.
+# new replicas arriving, that will be queued for the next RDB transfer, so the
+# server waits a delay in order to let more replicas arrive.
 #
 # The delay is specified in seconds, and by default is 5 seconds. To disable
 # it entirely just set it to 0 seconds and the transfer will start ASAP.
 repl-diskless-sync-delay 5
-# Slaves send PINGs to server in a predefined interval. It's possible to change
-# this interval with the repl_ping_slave_period option. The default value is 10
-# seconds.
-#
-# repl-ping-slave-period 10
+# When diskless replication is enabled with a delay, it is possible to let
+# the replication start before the maximum delay is reached if the maximum
+# number of replicas expected have connected. Default of 0 means that the
+# maximum is not defined and Redis will wait the full delay.
+repl-diskless-sync-max-replicas 0
+
+# -----------------------------------------------------------------------------
+# WARNING: RDB diskless load is experimental. Since in this setup the replica
+# does not immediately store an RDB on disk, it may cause data loss during
+# failovers. RDB diskless load + Redis modules not handling I/O reads may also
+# cause Redis to abort in case of I/O errors during the initial synchronization
+# stage with the master. Use only if you know what you are doing.
+# -----------------------------------------------------------------------------
+#
+# Replica can load the RDB it reads from the replication link directly from the
+# socket, or store the RDB to a file and read that file after it was completely
+# received from the master.
+#
+# In many cases the disk is slower than the network, and storing and loading
+# the RDB file may increase replication time (and even increase the master's
+# Copy on Write memory and replica buffers).
+# However, parsing the RDB file directly from the socket may mean that we have
+# to flush the contents of the current database before the full rdb was
+# received. For this reason we have the following options:
+#
+# "disabled" - Don't use diskless load (store the rdb file to the disk first)
+# "on-empty-db" - Use diskless load only when it is completely safe.
+# "swapdb" - Keep current db contents in RAM while parsing the data directly
+# from the socket. Replicas in this mode can keep serving current
+# data set while replication is in progress, except for cases where
+# they can't recognize master as having a data set from same
+# replication history.
+# Note that this requires sufficient memory, if you don't have it,
+# you risk an OOM kill.
+repl-diskless-load disabled
+
+# Master send PINGs to its replicas in a predefined interval. It's possible to
+# change this interval with the repl_ping_replica_period option. The default
+# value is 10 seconds.
+#
+# repl-ping-replica-period 10
 # The following option sets the replication timeout for:
 #
-# 1) Bulk transfer I/O during SYNC, from the point of view of slave.
-# 2) Master timeout from the point of view of slaves (data, pings).
-# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings).
+# 1) Bulk transfer I/O during SYNC, from the point of view of replica.
+# 2) Master timeout from the point of view of replicas (data, pings).
+# 3) Replica timeout from the point of view of masters (REPLCONF ACK pings).
 #
 # It is important to make sure that this value is greater than the value
-# specified for repl-ping-slave-period otherwise a timeout will be detected
-# every time there is low traffic between the master and the slave.
+# specified for repl-ping-replica-period otherwise a timeout will be detected
+# every time there is low traffic between the master and the replica. The default
+# value is 60 seconds.
 #
 # repl-timeout 60
-# Disable TCP_NODELAY on the slave socket after SYNC?
+# Disable TCP_NODELAY on the replica socket after SYNC?
 #
 # If you select "yes" Redis will use a smaller number of TCP packets and
-# less bandwidth to send data to slaves. But this can add a delay for
-# the data to appear on the slave side, up to 40 milliseconds with
+# less bandwidth to send data to replicas. But this can add a delay for
+# the data to appear on the replica side, up to 40 milliseconds with
 # Linux kernels using a default configuration.
 #
-# If you select "no" the delay for data to appear on the slave side will
+# If you select "no" the delay for data to appear on the replica side will
 # be reduced but more bandwidth will be used for replication.
 #
 # By default we optimize for low latency, but in very high traffic conditions
-# or when the master and slaves are many hops away, turning this to "yes" may
+# or when the master and replicas are many hops away, turning this to "yes" may
 # be a good idea.
 repl-disable-tcp-nodelay no
 # Set the replication backlog size. The backlog is a buffer that accumulates
-# slave data when slaves are disconnected for some time, so that when a slave
-# wants to reconnect again, often a full resync is not needed, but a partial
-# resync is enough, just passing the portion of data the slave missed while
-# disconnected.
+# replica data when replicas are disconnected for some time, so that when a
+# replica wants to reconnect again, often a full resync is not needed, but a
+# partial resync is enough, just passing the portion of data the replica
+# missed while disconnected.
 #
-# The bigger the replication backlog, the longer the time the slave can be
-# disconnected and later be able to perform a partial resynchronization.
+# The bigger the replication backlog, the longer the replica can endure the
+# disconnect and later be able to perform a partial resynchronization.
 #
-# The backlog is only allocated once there is at least a slave connected.
+# The backlog is only allocated if there is at least one replica connected.
 #
 # repl-backlog-size 1mb
-# After a master has no longer connected slaves for some time, the backlog
-# will be freed. The following option configures the amount of seconds that
-# need to elapse, starting from the time the last slave disconnected, for
-# the backlog buffer to be freed.
+# After a master has no connected replicas for some time, the backlog will be
+# freed. The following option configures the amount of seconds that need to
+# elapse, starting from the time the last replica disconnected, for the backlog
+# buffer to be freed.
+#
+# Note that replicas never free the backlog for timeout, since they may be
+# promoted to masters later, and should be able to correctly "partially
+# resynchronize" with other replicas: hence they should always accumulate backlog.
 #
 # A value of 0 means to never release the backlog.
 #
 # repl-backlog-ttl 3600
-# The slave priority is an integer number published by Redis in the INFO output.
-# It is used by Redis Sentinel in order to select a slave to promote into a
-# master if the master is no longer working correctly.
+# The replica priority is an integer number published by Redis in the INFO
+# output. It is used by Redis Sentinel in order to select a replica to promote
+# into a master if the master is no longer working correctly.
 #
-# A slave with a low priority number is considered better for promotion, so
-# for instance if there are three slaves with priority 10, 100, 25 Sentinel will
-# pick the one with priority 10, that is the lowest.
+# A replica with a low priority number is considered better for promotion, so
+# for instance if there are three replicas with priority 10, 100, 25 Sentinel
+# will pick the one with priority 10, that is the lowest.
 #
-# However a special priority of 0 marks the slave as not able to perform the
-# role of master, so a slave with priority of 0 will never be selected by
+# However a special priority of 0 marks the replica as not able to perform the
+# role of master, so a replica with priority of 0 will never be selected by
 # Redis Sentinel for promotion.
 #
 # By default the priority is 100.
-slave-priority 100
+replica-priority 100
+
+# The propagation error behavior controls how Redis will behave when it is
+# unable to handle a command being processed in the replication stream from a master
+# or processed while reading from an AOF file. Errors that occur during propagation
+# are unexpected, and can cause data inconsistency. However, there are edge cases
+# in earlier versions of Redis where it was possible for the server to replicate or persist
+# commands that would fail on future versions. For this reason the default behavior
+# is to ignore such errors and continue processing commands.
+#
+# If an application wants to ensure there is no data divergence, this configuration
+# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas'
+# to only panic when a replica encounters an error on the replication stream. One of
+# these two panic values will become the default value in the future once there are
+# sufficient safety mechanisms in place to prevent false positive crashes.
+#
+# propagation-error-behavior ignore
+
+# Replica ignore disk write errors controls the behavior of a replica when it is
+# unable to persist a write command received from its master to disk. By default,
+# this configuration is set to 'no' and will crash the replica in this condition.
+# It is not recommended to change this default, however in order to be compatible +# with older versions of Redis this config can be toggled to 'yes' which will just +# log a warning and execute the write command it got from the master. +# +# replica-ignore-disk-write-errors no + +# ----------------------------------------------------------------------------- +# By default, Redis Sentinel includes all replicas in its reports. A replica +# can be excluded from Redis Sentinel's announcements. An unannounced replica +# will be ignored by the 'sentinel replicas ' command and won't be +# exposed to Redis Sentinel's clients. +# +# This option does not change the behavior of replica-priority. Even with +# replica-announced set to 'no', the replica can be promoted to master. To +# prevent this behavior, set replica-priority to 0. +# +# replica-announced yes # It is possible for a master to stop accepting writes if there are less than -# N slaves connected, having a lag less or equal than M seconds. +# N replicas connected, having a lag less or equal than M seconds. # -# The N slaves need to be in "online" state. +# The N replicas need to be in "online" state. # # The lag in seconds, that must be <= the specified value, is calculated from -# the last ping received from the slave, that is usually sent every second. +# the last ping received from the replica, that is usually sent every second. # # This option does not GUARANTEE that N replicas will accept the write, but -# will limit the window of exposure for lost writes in case not enough slaves +# will limit the window of exposure for lost writes in case not enough replicas # are available, to the specified number of seconds. 
# -# For example to require at least 3 slaves with a lag <= 10 seconds use: +# For example to require at least 3 replicas with a lag <= 10 seconds use: # -# min-slaves-to-write 3 -# min-slaves-max-lag 10 +# min-replicas-to-write 3 +# min-replicas-max-lag 10 # # Setting one or the other to 0 disables the feature. # -# By default min-slaves-to-write is set to 0 (feature disabled) and -# min-slaves-max-lag is set to 10. +# By default min-replicas-to-write is set to 0 (feature disabled) and +# min-replicas-max-lag is set to 10. -################################## SECURITY ################################### +# A Redis master is able to list the address and port of the attached +# replicas in different ways. For example the "INFO replication" section +# offers this information, which is used, among other tools, by +# Redis Sentinel in order to discover replica instances. +# Another place where this info is available is in the output of the +# "ROLE" command of a master. +# +# The listed IP address and port normally reported by a replica is +# obtained in the following way: +# +# IP: The address is auto detected by checking the peer address +# of the socket used by the replica to connect with the master. +# +# Port: The port is communicated by the replica during the replication +# handshake, and is normally the port that the replica is using to +# listen for connections. +# +# However when port forwarding or Network Address Translation (NAT) is +# used, the replica may actually be reachable via different IP and port +# pairs. The following two options can be used by a replica in order to +# report to its master a specific set of IP and port, so that both INFO +# and ROLE will report those values. +# +# There is no need to use both the options if you need to override just +# the port or the IP address. +# +# replica-announce-ip 5.5.5.5 +# replica-announce-port 1234 -# Require clients to issue AUTH before processing any other -# commands. 
This might be useful in environments in which you do not trust -# others with access to the host running redis-server. +############################### KEYS TRACKING ################################# + +# Redis implements server assisted support for client side caching of values. +# This is implemented using an invalidation table that remembers, using +# a radix key indexed by key name, what clients have which keys. In turn +# this is used in order to send invalidation messages to clients. Please +# check this page to understand more about the feature: +# +# https://redis.io/topics/client-side-caching +# +# When tracking is enabled for a client, all the read only queries are assumed +# to be cached: this will force Redis to store information in the invalidation +# table. When keys are modified, such information is flushed away, and +# invalidation messages are sent to the clients. However if the workload is +# heavily dominated by reads, Redis could use more and more memory in order +# to track the keys fetched by many clients. +# +# For this reason it is possible to configure a maximum fill value for the +# invalidation table. By default it is set to 1M of keys, and once this limit +# is reached, Redis will start to evict keys in the invalidation table +# even if they were not modified, just to reclaim memory: this will in turn +# force the clients to invalidate the cached values. Basically the table +# maximum size is a trade off between the memory you want to spend server +# side to track information about who cached what, and the ability of clients +# to retain cached objects in memory. # -# This should stay commented out for backward compatibility and because most -# people do not need auth (e.g. they run their own servers). +# If you set the value to 0, it means there are no limits, and Redis will +# retain as many keys as needed in the invalidation table. 
+# In the "stats" INFO section, you can find information about the number of +# keys in the invalidation table at every given moment. # -# Warning: since Redis is pretty fast an outside user can try up to -# 150k passwords per second against a good box. This means that you should -# use a very strong password otherwise it will be very easy to break. +# Note: when key tracking is used in broadcasting mode, no memory is used +# in the server side so this setting is useless. +# +# tracking-table-max-keys 1000000 + +################################## SECURITY ################################### + +# Warning: since Redis is pretty fast, an outside user can try up to +# 1 million passwords per second against a modern box. This means that you +# should use very strong passwords, otherwise they will be very easy to break. +# Note that because the password is really a shared secret between the client +# and the server, and should not be memorized by any human, the password +# can be easily a long string from /dev/urandom or whatever, so by using a +# long and unguessable password no brute force attack will be possible. + +# Redis ACL users are defined in the following format: +# +# user ... acl rules ... +# +# For example: +# +# user worker +@list +@connection ~jobs:* on >ffa9203c493aa99 +# +# The special username "default" is used for new connections. If this user +# has the "nopass" rule, then new connections will be immediately authenticated +# as the "default" user without the need of any password provided via the +# AUTH command. Otherwise if the "default" user is not flagged with "nopass" +# the connections will start in not authenticated state, and will require +# AUTH (or the HELLO command AUTH option) in order to be authenticated and +# start to work. +# +# The ACL rules that describe what a user can do are the following: +# +# on Enable the user: it is possible to authenticate as this user. 
+# off Disable the user: it's no longer possible to authenticate +# with this user, however the already authenticated connections +# will still work. +# skip-sanitize-payload RESTORE dump-payload sanitization is skipped. +# sanitize-payload RESTORE dump-payload is sanitized (default). +# + Allow the execution of that command. +# May be used with `|` for allowing subcommands (e.g "+config|get") +# - Disallow the execution of that command. +# May be used with `|` for blocking subcommands (e.g "-config|set") +# +@ Allow the execution of all the commands in such category +# with valid categories are like @admin, @set, @sortedset, ... +# and so forth, see the full list in the server.c file where +# the Redis command table is described and defined. +# The special category @all means all the commands, but currently +# present in the server, and that will be loaded in the future +# via modules. +# +|first-arg Allow a specific first argument of an otherwise +# disabled command. It is only supported on commands with +# no sub-commands, and is not allowed as negative form +# like -SELECT|1, only additive starting with "+". This +# feature is deprecated and may be removed in the future. +# allcommands Alias for +@all. Note that it implies the ability to execute +# all the future commands loaded via the modules system. +# nocommands Alias for -@all. +# ~ Add a pattern of keys that can be mentioned as part of +# commands. For instance ~* allows all the keys. The pattern +# is a glob-style pattern like the one of KEYS. +# It is possible to specify multiple patterns. +# %R~ Add key read pattern that specifies which keys can be read +# from. +# %W~ Add key write pattern that specifies which keys can be +# written to. +# allkeys Alias for ~* +# resetkeys Flush the list of allowed keys patterns. +# & Add a glob-style pattern of Pub/Sub channels that can be +# accessed by the user. It is possible to specify multiple channel +# patterns. 
+# allchannels Alias for &* +# resetchannels Flush the list of allowed channel patterns. +# > Add this password to the list of valid password for the user. +# For example >mypass will add "mypass" to the list. +# This directive clears the "nopass" flag (see later). +# < Remove this password from the list of valid passwords. +# nopass All the set passwords of the user are removed, and the user +# is flagged as requiring no password: it means that every +# password will work against this user. If this directive is +# used for the default user, every new connection will be +# immediately authenticated with the default user without +# any explicit AUTH command required. Note that the "resetpass" +# directive will clear this condition. +# resetpass Flush the list of allowed passwords. Moreover removes the +# "nopass" status. After "resetpass" the user has no associated +# passwords and there is no way to authenticate without adding +# some password (or setting it as "nopass" later). +# reset Performs the following actions: resetpass, resetkeys, off, +# -@all. The user returns to the same state it has immediately +# after its creation. +# () Create a new selector with the options specified within the +# parentheses and attach it to the user. Each option should be +# space separated. The first character must be ( and the last +# character must be ). +# clearselectors Remove all of the currently attached selectors. +# Note this does not change the "root" user permissions, +# which are the permissions directly applied onto the +# user (outside the parentheses). +# +# ACL rules can be specified in any order: for instance you can start with +# passwords, then flags, or key patterns. However note that the additive +# and subtractive rules will CHANGE MEANING depending on the ordering. 
+# For instance see the following example: +# +# user alice on +@all -DEBUG ~* >somepassword +# +# This will allow "alice" to use all the commands with the exception of the +# DEBUG command, since +@all added all the commands to the set of the commands +# alice can use, and later DEBUG was removed. However if we invert the order +# of two ACL rules the result will be different: +# +# user alice on -DEBUG +@all ~* >somepassword +# +# Now DEBUG was removed when alice had yet no commands in the set of allowed +# commands, later all the commands are added, so the user will be able to +# execute everything. +# +# Basically ACL rules are processed left-to-right. +# +# The following is a list of command categories and their meanings: +# * keyspace - Writing or reading from keys, databases, or their metadata +# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE, +# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace, +# key or metadata will also have `write` category. Commands that only read +# the keyspace, key or metadata will have the `read` category. +# * read - Reading from keys (values or metadata). Note that commands that don't +# interact with keys, will not have either `read` or `write`. +# * write - Writing to keys (values or metadata) +# * admin - Administrative commands. Normal applications will never need to use +# these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc. +# * dangerous - Potentially dangerous (each should be considered with care for +# various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS, +# CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc. +# * connection - Commands affecting the connection or other connections. +# This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc. +# * blocking - Potentially blocking the connection until released by another +# command. +# * fast - Fast O(1) commands. 
May loop on the number of arguments, but not the +# number of elements in the key. +# * slow - All commands that are not Fast. +# * pubsub - PUBLISH / SUBSCRIBE related +# * transaction - WATCH / MULTI / EXEC related commands. +# * scripting - Scripting related. +# * set - Data type: sets related. +# * sortedset - Data type: zsets related. +# * list - Data type: lists related. +# * hash - Data type: hashes related. +# * string - Data type: strings related. +# * bitmap - Data type: bitmaps related. +# * hyperloglog - Data type: hyperloglog related. +# * geo - Data type: geo related. +# * stream - Data type: streams related. +# +# For more information about ACL configuration please refer to +# the Redis web site at https://redis.io/topics/acl + +# ACL LOG +# +# The ACL Log tracks failed commands and authentication events associated +# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked +# by ACLs. The ACL Log is stored in memory. You can reclaim memory with +# ACL LOG RESET. Define the maximum entry length of the ACL Log below. +acllog-max-len 128 + +# Using an external ACL file +# +# Instead of configuring users here in this file, it is possible to use +# a stand-alone file just listing users. The two methods cannot be mixed: +# if you configure users here and at the same time you activate the external +# ACL file, the server will refuse to start. +# +# The format of the external ACL user file is exactly the same as the +# format that is used inside redis.conf to describe users. +# +# aclfile /etc/redis/users.acl + +# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatibility +# layer on top of the new ACL system. The option effect will be just setting +# the password for the default user. Clients will still authenticate using +# AUTH as usually, or more explicitly with AUTH default +# if they follow the new protocol: both will work. 
+# +# The requirepass is not compatible with aclfile option and the ACL LOAD +# command, these will cause requirepass to be ignored. # # requirepass foobared -# Command renaming. +# New users are initialized with restrictive permissions by default, via the +# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it +# is possible to manage access to Pub/Sub channels with ACL rules as well. The +# default Pub/Sub channels permission if new users is controlled by the +# acl-pubsub-default configuration directive, which accepts one of these values: +# +# allchannels: grants access to all Pub/Sub channels +# resetchannels: revokes access to all Pub/Sub channels +# +# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission. +# +# acl-pubsub-default resetchannels + +# Command renaming (DEPRECATED). +# +# ------------------------------------------------------------------------ +# WARNING: avoid using this option if possible. Instead use ACLs to remove +# commands from the default user, and put them only in some admin user you +# create for administrative purposes. +# ------------------------------------------------------------------------ # # It is possible to change the name of dangerous commands in a shared # environment. For instance the CONFIG command may be renamed into something 
@@ -405,14 +1072,15 @@ slave-priority 100 # It is also possible to completely kill a command by renaming it into # an empty string: # -rename-command CONFIG "" -# -rename-command DEBUG "" +# rename-command CONFIG "" # # Please note that changing the name of commands that are logged into the -# AOF file or transmitted to slaves may cause problems. +# AOF file or transmitted to replicas may cause problems. +rename-command CONFIG "" +rename-command DEBUG "" + -################################### LIMITS #################################### +################################### CLIENTS #################################### # Set the max number of connected clients at the same time. By default # this limit is set to 10000 clients, however if the Redis server is not @@ -423,9 +1091,16 @@ rename-command DEBUG "" # Once the limit is reached Redis will close all the new connections sending # an error 'max number of clients reached'. # +# IMPORTANT: When Redis Cluster is used, the max number of connections is also +# shared with the cluster bus: every node in the cluster will use two +# connections, one incoming and another outgoing. It is important to size the +# limit accordingly in case of very large clusters. +# # maxclients 10000 -# Don't use more memory than the specified amount of bytes. +############################## MEMORY MANAGEMENT ################################ + +# Set a memory usage limit to the specified amount of bytes. # When the memory limit is reached Redis will try to remove keys # according to the eviction policy selected (see maxmemory-policy). # 
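Review bot: The live directives `rename-command CONFIG ""` and `rename-command DEBUG ""` are placed right under the upstream "Command renaming (DEPRECATED)" block that this same hunk imports, which tells the reader to avoid the option and use ACLs instead, so the new file contradicts its own guidance. Renaming to an empty string removes both commands for every connection, including any administrative one, whereas an ACL rule removes them only for the user it is applied to; as diffed here `requirepass` stays commented out and no `aclfile` is set, so if that holds for the whole file the Redis 7 equivalent is a single line such as `user default on nopass ~* &* +@all -config -debug` in place of the two rename lines. If the renames are kept on purpose, I'd add a comment above them stating why (for example that no client must be able to reach CONFIG/DEBUG at all) and noting that `rename-command` may be dropped by a future Redis, and remove the now-redundant commented example `# rename-command CONFIG ""` that sits immediately above the live directive. This hunk only changes comments and these two directives; the surrounding SECURITY section is outside it.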
@@ -434,52 +1109,259 @@ rename-command DEBUG "" # that would use more memory, like SET, LPUSH, and so on, and will continue # to reply to read-only commands like GET. # -# This option is usually useful when using Redis as an LRU cache, or to set -# a hard memory limit for an instance (using the 'noeviction' policy). +# This option is usually useful when using Redis as an LRU or LFU cache, or to +# set a hard memory limit for an instance (using the 'noeviction' policy). # -# WARNING: If you have slaves attached to an instance with maxmemory on, -# the size of the output buffers needed to feed the slaves are subtracted +# WARNING: If you have replicas attached to an instance with maxmemory on, +# the size of the output buffers needed to feed the replicas are subtracted # from the used memory count, so that network problems / resyncs will # not trigger a loop where keys are evicted, and in turn the output -# buffer of slaves is full with DELs of keys evicted triggering the deletion +# buffer of replicas is full with DELs of keys evicted triggering the deletion # of more keys, and so forth until the database is completely emptied. # -# In short... if you have slaves attached it is suggested that you set a lower -# limit for maxmemory so that there is some free RAM on the system for slave +# In short... if you have replicas attached it is suggested that you set a lower +# limit for maxmemory so that there is some free RAM on the system for replica # output buffers (but this is not needed if the policy is 'noeviction'). # # maxmemory # MAXMEMORY POLICY: how Redis will select what to remove when maxmemory -# is reached. 
You can select among five behaviors: -# -# volatile-lru -> remove the key with an expire set using an LRU algorithm -# allkeys-lru -> remove any key according to the LRU algorithm -# volatile-random -> remove a random key with an expire set -# allkeys-random -> remove a random key, any key -# volatile-ttl -> remove the key with the nearest expire time (minor TTL) -# noeviction -> don't expire at all, just return an error on write operations -# -# Note: with any of the above policies, Redis will return an error on write -# operations, when there are no suitable keys for eviction. -# -# At the date of writing these commands are: set setnx setex append -# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd -# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby -# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby -# getset mset msetnx exec sort +# is reached. You can select one from the following behaviors: +# +# volatile-lru -> Evict using approximated LRU, only keys with an expire set. +# allkeys-lru -> Evict any key using approximated LRU. +# volatile-lfu -> Evict using approximated LFU, only keys with an expire set. +# allkeys-lfu -> Evict any key using approximated LFU. +# volatile-random -> Remove a random key having an expire set. +# allkeys-random -> Remove a random key, any key. +# volatile-ttl -> Remove the key with the nearest expire time (minor TTL) +# noeviction -> Don't evict anything, just return an error on write operations. +# +# LRU means Least Recently Used +# LFU means Least Frequently Used +# +# Both LRU, LFU and volatile-ttl are implemented using approximated +# randomized algorithms. +# +# Note: with any of the above policies, when there are no suitable keys for +# eviction, Redis will return an error on write operations that require +# more memory. These are usually commands that create new keys, add data or +# modify existing keys. 
A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE, +# SORT (due to the STORE argument), and EXEC (if the transaction includes any +# command that requires memory). # # The default is: # -# maxmemory-policy volatile-lru +# maxmemory-policy noeviction + +# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated +# algorithms (in order to save memory), so you can tune it for speed or +# accuracy. By default Redis will check five keys and pick the one that was +# used least recently, you can change the sample size using the following +# configuration directive. +# +# The default of 5 produces good enough results. 10 Approximates very closely +# true LRU but costs more CPU. 3 is faster but not very accurate. +# +# maxmemory-samples 5 + +# Eviction processing is designed to function well with the default setting. +# If there is an unusually large amount of write traffic, this value may need to +# be increased. Decreasing this value may reduce latency at the risk of +# eviction processing effectiveness +# 0 = minimum latency, 10 = default, 100 = process without regard to latency +# +# maxmemory-eviction-tenacity 10 + +# Starting from Redis 5, by default a replica will ignore its maxmemory setting +# (unless it is promoted to master after a failover or manually). It means +# that the eviction of keys will be just handled by the master, sending the +# DEL commands to the replica as keys evict in the master side. +# +# This behavior ensures that masters and replicas stay consistent, and is usually +# what you want, however if your replica is writable, or you want the replica +# to have a different memory setting, and you are sure all the writes performed +# to the replica are idempotent, then you may change this default (but be sure +# to understand what you are doing). 
+# +# Note that since the replica by default does not evict, it may end using more +# memory than the one set via maxmemory (there are certain buffers that may +# be larger on the replica, or data structures may sometimes take more memory +# and so forth). So make sure you monitor your replicas and make sure they +# have enough memory to never hit a real out-of-memory condition before the +# master hits the configured maxmemory setting. +# +# replica-ignore-maxmemory yes + +# Redis reclaims expired keys in two ways: upon access when those keys are +# found to be expired, and also in background, in what is called the +# "active expire key". The key space is slowly and interactively scanned +# looking for expired keys to reclaim, so that it is possible to free memory +# of keys that are expired and will never be accessed again in a short time. +# +# The default effort of the expire cycle will try to avoid having more than +# ten percent of expired keys still in memory, and will try to avoid consuming +# more than 25% of total memory and to add latency to the system. However +# it is possible to increase the expire "effort" that is normally set to +# "1", to a greater value, up to the value "10". At its maximum value the +# system will use more CPU, longer cycles (and technically may introduce +# more latency), and will tolerate less already expired keys still present +# in the system. It's a tradeoff between memory, CPU and latency. +# +# active-expire-effort 1 + +############################# LAZY FREEING #################################### + +# Redis has two primitives to delete keys. One is called DEL and is a blocking +# deletion of the object. It means that the server stops processing new commands +# in order to reclaim all the memory associated with an object in a synchronous +# way. 
If the key deleted is associated with a small object, the time needed +# in order to execute the DEL command is very small and comparable to most other +# O(1) or O(log_N) commands in Redis. However if the key is associated with an +# aggregated value containing millions of elements, the server can block for +# a long time (even seconds) in order to complete the operation. +# +# For the above reasons Redis also offers non blocking deletion primitives +# such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and +# FLUSHDB commands, in order to reclaim memory in background. Those commands +# are executed in constant time. Another thread will incrementally free the +# object in the background as fast as possible. +# +# DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled. +# It's up to the design of the application to understand when it is a good +# idea to use one or the other. However the Redis server sometimes has to +# delete keys or flush the whole database as a side effect of other operations. +# Specifically Redis deletes objects independently of a user call in the +# following scenarios: +# +# 1) On eviction, because of the maxmemory and maxmemory policy configurations, +# in order to make room for new data, without going over the specified +# memory limit. +# 2) Because of expire: when a key with an associated time to live (see the +# EXPIRE command) must be deleted from memory. +# 3) Because of a side effect of a command that stores data on a key that may +# already exist. For example the RENAME command may delete the old key +# content when it is replaced with another one. Similarly SUNIONSTORE +# or SORT with STORE option may delete existing keys. The SET command +# itself removes any old content of the specified key in order to replace +# it with the specified string. 
+# 4) During replication, when a replica performs a full resynchronization with +# its master, the content of the whole database is removed in order to +# load the RDB file just transferred. +# +# In all the above cases the default is to delete objects in a blocking way, +# like if DEL was called. However you can configure each case specifically +# in order to instead release memory in a non-blocking way like if UNLINK +# was called, using the following configuration directives. + +lazyfree-lazy-eviction no +lazyfree-lazy-expire no +lazyfree-lazy-server-del no +replica-lazy-flush no + +# It is also possible, for the case when to replace the user code DEL calls +# with UNLINK calls is not easy, to modify the default behavior of the DEL +# command to act exactly like UNLINK, using the following configuration +# directive: + +lazyfree-lazy-user-del no + +# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous +# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the +# commands. When neither flag is passed, this directive will be used to determine +# if the data should be deleted asynchronously. + +lazyfree-lazy-user-flush no + +################################ THREADED I/O ################################# + +# Redis is mostly single threaded, however there are certain threaded +# operations such as UNLINK, slow I/O accesses and other things that are +# performed on side threads. +# +# Now it is also possible to handle Redis clients socket reads and writes +# in different I/O threads. Since especially writing is so slow, normally +# Redis users use pipelining in order to speed up the Redis performances per +# core, and spawn multiple instances in order to scale more. Using I/O +# threads it is possible to easily speedup two times Redis without resorting +# to pipelining nor sharding of the instance. 
+#
+# By default threading is disabled, we suggest enabling it only in machines
+# that have at least 4 or more cores, leaving at least one spare core.
+# Using more than 8 threads is unlikely to help much. We also recommend using
+# threaded I/O only if you actually have performance problems, with Redis
+# instances being able to use a quite big percentage of CPU time, otherwise
+# there is no point in using this feature.
+#
+# So for instance if you have a four cores boxes, try to use 2 or 3 I/O
+# threads, if you have a 8 cores, try to use 6 threads. In order to
+# enable I/O threads use the following configuration directive:
+#
+# io-threads 4
+#
+# Setting io-threads to 1 will just use the main thread as usual.
+# When I/O threads are enabled, we only use threads for writes, that is
+# to thread the write(2) syscall and transfer the client buffers to the
+# socket. However it is also possible to enable threading of reads and
+# protocol parsing using the following configuration directive, by setting
+# it to yes:
+#
+# io-threads-do-reads no
+#
+# Usually threading reads doesn't help much.
+#
+# NOTE 1: This configuration directive cannot be changed at runtime via
+# CONFIG SET. Also, this feature currently does not work when SSL is
+# enabled.
+#
+# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
+# sure you also run the benchmark itself in threaded mode, using the
+# --threads option to match the number of Redis threads, otherwise you'll not
+# be able to notice the improvements.
+
+############################ KERNEL OOM CONTROL ##############################
+
+# On Linux, it is possible to hint the kernel OOM killer on what processes
+# should be killed first when out of memory.
+#
+# Enabling this feature makes Redis actively control the oom_score_adj value
+# for all its processes, depending on their role.
The default scores will
+# attempt to have background child processes killed before all others, and
+# replicas killed before masters.
+#
+# Redis supports these options:
+#
+# no: Don't make changes to oom-score-adj (default).
+# yes: Alias to "relative" see below.
+# absolute: Values in oom-score-adj-values are written as is to the kernel.
+# relative: Values are used relative to the initial value of oom_score_adj when
+# the server starts and are then clamped to a range of -1000 to 1000.
+# Because typically the initial value is 0, they will often match the
+# absolute values.
+oom-score-adj no
+
+# When oom-score-adj is used, this directive controls the specific values used
+# for master, replica and background child processes. Values range -2000 to
+# 2000 (higher means more likely to be killed).
+#
+# Unprivileged processes (not root, and without CAP_SYS_RESOURCE capabilities)
+# can freely increase their value, but not decrease it below its initial
+# settings. This means that setting oom-score-adj to "relative" and setting the
+# oom-score-adj-values to positive values will always succeed.
+oom-score-adj-values 0 200 800
-# LRU and minimal TTL algorithms are not precise algorithms but approximated
-# algorithms (in order to save memory), so you can select as well the sample
-# size to check. For instance for default Redis will check three keys and
-# pick the one that was used less recently, you can change the sample size
-# using the following configuration directive.
-#
-# maxmemory-samples 3
+
+#################### KERNEL transparent hugepage CONTROL ######################
+
+# Usually the kernel Transparent Huge Pages control is set to "madvise" or
+# or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which
+# case this config has no effect. On systems in which it is set to "always",
+# redis will attempt to disable it specifically for the redis process in order
+# to avoid latency problems specifically with fork(2) and CoW.
+# If for some reason you prefer to keep it enabled, you can set this config to
+# "no" and the kernel global to "always".
+
+disable-thp yes
 ############################## APPEND ONLY MODE ###############################
@@ -499,14 +1381,43 @@ rename-command DEBUG ""
 # If the AOF is enabled on startup Redis will load the AOF, that is the file
 # with the better durability guarantees.
 #
-# Please check http://redis.io/topics/persistence for more information.
+# Please check https://redis.io/topics/persistence for more information.
 appendonly no
-# The name of the append only file (default: "appendonly.aof")
+# The base name of the append only file.
+#
+# Redis 7 and newer use a set of append-only files to persist the dataset
+# and changes applied to it. There are two basic types of files in use:
+#
+# - Base files, which are a snapshot representing the complete state of the
+# dataset at the time the file was created. Base files can be either in
+# the form of RDB (binary serialized) or AOF (textual commands).
+# - Incremental files, which contain additional commands that were applied
+# to the dataset following the previous file.
+#
+# In addition, manifest files are used to track the files and the order in
+# which they were created and should be applied.
+#
+# Append-only file names are created by Redis following a specific pattern.
+# The file name's prefix is based on the 'appendfilename' configuration
+# parameter, followed by additional information about the sequence and type.
+#
+# For example, if appendfilename is set to appendonly.aof, the following file
+# names could be derived:
+#
+# - appendonly.aof.1.base.rdb as a base file.
+# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files.
+# - appendonly.aof.manifest as a manifest file.
 appendfilename "appendonly.aof"
+# For convenience, Redis stores all persistent append-only files in a dedicated
+# directory. The name of the directory is determined by the appenddirname
+# configuration parameter.
+
+appenddirname "appendonlydir"
+
 # The fsync() call tells the Operating System to actually write data on disk
 # instead of waiting for more data in the output buffer.
Some OS will really flush
 # data on disk, some other OS will just try to do it ASAP.
@@ -546,7 +1457,7 @@ appendfsync everysec
 # BGSAVE or BGREWRITEAOF is in progress.
 #
 # This means that while another child is saving, the durability of Redis is
-# the same as "appendfsync none". In practical terms, this means that it is
+# the same as "appendfsync no". In practical terms, this means that it is
 # possible to lose up to 30 seconds of log in the worst scenario (with the
 # default Linux settings).
 #
@@ -570,8 +1481,7 @@ no-appendfsync-on-rewrite no
 # is reached but it is still pretty small.
 #
 # Specify a percentage of zero in order to disable the automatic AOF
-# rewrite feature.
-
+# rewrite feature.auto-aof-rewrite-percentage 100
 auto-aof-rewrite-percentage 100
 auto-aof-rewrite-min-size 64mb
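Review bot: The added line `+# rewrite feature.auto-aof-rewrite-percentage 100` in the `@@ -570,8 +1481,7 @@` hunk fuses the end of the comment with a duplicate of the directive that follows it, and the old side shows the separating blank line (`-`) being dropped too, so this reads as a merge accident rather than an intended edit. Because the line begins with `#` it is a comment and the live `auto-aof-rewrite-percentage 100` on the next line is unaffected, so behaviour does not change, but the next person editing this section will have to work out which copy is authoritative. Restore the original two lines, `# rewrite feature.` followed by an empty line, so the comment ends cleanly before the directive.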
@@ -599,23 +1509,296 @@ auto-aof-rewrite-min-size 64mb
 # will be found.
 aof-load-truncated yes
-################################ LUA SCRIPTING ###############################
+# Redis can create append-only base files in either RDB or AOF formats. Using
+# the RDB format is always faster and more efficient, and disabling it is only
+# supported for backward compatibility purposes.
+aof-use-rdb-preamble yes
+
+# Redis supports recording timestamp annotations in the AOF to support restoring
+# the data from a specific point-in-time. However, using this capability changes
+# the AOF format in a way that may not be compatible with existing AOF parsers.
+aof-timestamp-enabled no
+
+################################ SHUTDOWN #####################################
+
+# Maximum time to wait for replicas when shutting down, in seconds.
+#
+# During shut down, a grace period allows any lagging replicas to catch up with
+# the latest replication offset before the master exists. This period can
+# prevent data loss, especially for deployments without configured disk backups.
+#
+# The 'shutdown-timeout' value is the grace period's duration in seconds. It is
+# only applicable when the instance has replicas. To disable the feature, set
+# the value to 0.
+#
+# shutdown-timeout 10
+
+# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default
+# an RDB snapshot is written to disk in a blocking operation if save points are configured.
+# The options used on signaled shutdown can include the following values:
+# default: Saves RDB snapshot only if save points are configured.
+# Waits for lagging replicas to catch up.
+# save: Forces a DB saving operation even if no save points are configured.
+# nosave: Prevents DB saving operation even if one or more save points are configured.
+# now: Skips waiting for lagging replicas.
+# force: Ignores any errors that would normally prevent the server from exiting.
+#
+# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously.
+# Example: "nosave force now"
+#
+# shutdown-on-sigint default
+# shutdown-on-sigterm default
+
+################ NON-DETERMINISTIC LONG BLOCKING COMMANDS #####################
-# Max execution time of a Lua script in milliseconds.
+# Maximum time in milliseconds for EVAL scripts, functions and in some cases
+# modules' commands before Redis can start processing or rejecting other clients.
 #
-# If the maximum execution time is reached Redis will log that a script is
-# still in execution after the maximum allowed time and will start to
-# reply to queries with an error.
+# If the maximum execution time is reached Redis will start to reply to most
+# commands with a BUSY error.
 #
-# When a long running script exceeds the maximum execution time only the
-# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
-# used to stop a script that did not yet called write commands. The second
-# is the only way to shut down the server in the case a write command was
-# already issued by the script but the user doesn't want to wait for the natural
-# termination of the script.
+# In this state Redis will only allow a handful of commands to be executed.
+# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some
+# module specific 'allow-busy' commands.
 #
-# Set it to 0 or a negative value for unlimited execution without warnings.
+# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not
+# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop
+# the server in the case a write command was already issued by the script when
+# the user doesn't want to wait for the natural termination of the script.
+#
+# The default is 5 seconds. It is possible to set it to 0 or a negative value
+# to disable this mechanism (uninterrupted execution).
Note that in the past
+# this config had a different name, which is now an alias, so both of these do
+# the same:
 lua-time-limit 5000
+# busy-reply-threshold 5000
+
+################################ REDIS CLUSTER ###############################
+
+# Normal Redis instances can't be part of a Redis Cluster; only nodes that are
+# started as cluster nodes can. In order to start a Redis instance as a
+# cluster node enable the cluster support uncommenting the following:
+#
+# cluster-enabled yes
+
+# Every cluster node has a cluster configuration file. This file is not
+# intended to be edited by hand. It is created and updated by Redis nodes.
+# Every Redis Cluster node requires a different cluster configuration file.
+# Make sure that instances running in the same system do not have
+# overlapping cluster configuration file names.
+#
+# cluster-config-file nodes-6379.conf
+
+# Cluster node timeout is the amount of milliseconds a node must be unreachable
+# for it to be considered in failure state.
+# Most other internal time limits are a multiple of the node timeout.
+#
+# cluster-node-timeout 15000
+
+# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
+# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
+# you to specify the cluster bus port when executing cluster meet.
+# cluster-port 0
+
+# A replica of a failing master will avoid to start a failover if its data
+# looks too old.
+#
+# There is no simple way for a replica to actually have an exact measure of
+# its "data age", so the following two checks are performed:
+#
+# 1) If there are multiple replicas able to failover, they exchange messages
+# in order to try to give an advantage to the replica with the best
+# replication offset (more data from the master processed).
+# Replicas will try to get their rank by offset, and apply to the start
+# of the failover a delay proportional to their rank.
+#
+# 2) Every single replica computes the time of the last interaction with
+# its master. This can be the last ping or command received (if the master
+# is still in the "connected" state), or the time that elapsed since the
+# disconnection with the master (if the replication link is currently down).
+# If the last interaction is too old, the replica will not try to failover
+# at all.
+#
+# The point "2" can be tuned by user. Specifically a replica will not perform
+# the failover if, since the last interaction with the master, the time
+# elapsed is greater than:
+#
+# (node-timeout * cluster-replica-validity-factor) + repl-ping-replica-period
+#
+# So for example if node-timeout is 30 seconds, and the cluster-replica-validity-factor
+# is 10, and assuming a default repl-ping-replica-period of 10 seconds, the
+# replica will not try to failover if it was not able to talk with the master
+# for longer than 310 seconds.
+#
+# A large cluster-replica-validity-factor may allow replicas with too old data to failover
+# a master, while a too small value may prevent the cluster from being able to
+# elect a replica at all.
+#
+# For maximum availability, it is possible to set the cluster-replica-validity-factor
+# to a value of 0, which means, that replicas will always try to failover the
+# master regardless of the last time they interacted with the master.
+# (However they'll always try to apply a delay proportional to their
+# offset rank).
+#
+# Zero is the only value able to guarantee that when all the partitions heal
+# the cluster will always be able to continue.
+#
+# cluster-replica-validity-factor 10
+
+# Cluster replicas are able to migrate to orphaned masters, that are masters
+# that are left without working replicas. This improves the cluster ability
+# to resist to failures as otherwise an orphaned master can't be failed over
+# in case of failure if it has no working replicas.
+#
+# Replicas migrate to orphaned masters only if there are still at least a
+# given number of other working replicas for their old master. This number
+# is the "migration barrier". A migration barrier of 1 means that a replica
+# will migrate only if there is at least 1 other working replica for its master
+# and so forth. It usually reflects the number of replicas you want for every
+# master in your cluster.
+#
+# Default is 1 (replicas migrate only if their masters remain with at least
+# one replica). To disable migration just set it to a very large value or
+# set cluster-allow-replica-migration to 'no'.
+# A value of 0 can be set but is useful only for debugging and dangerous
+# in production.
+#
+# cluster-migration-barrier 1
+
+# Turning off this option allows to use less automatic cluster configuration.
+# It both disables migration to orphaned masters and migration from masters
+# that became empty.
+#
+# Default is 'yes' (allow automatic migrations).
+#
+# cluster-allow-replica-migration yes
+
+# By default Redis Cluster nodes stop accepting queries if they detect there
+# is at least a hash slot uncovered (no available node is serving it).
+# This way if the cluster is partially down (for example a range of hash slots
+# are no longer covered) all the cluster becomes, eventually, unavailable.
+# It automatically returns available as soon as all the slots are covered again.
+#
+# However sometimes you want the subset of the cluster which is working,
+# to continue to accept queries for the part of the key space that is still
+# covered. In order to do so, just set the cluster-require-full-coverage
+# option to no.
+#
+# cluster-require-full-coverage yes
+
+# This option, when set to yes, prevents replicas from trying to failover its
+# master during master failures. However the replica can still perform a
+# manual failover, if forced to do so.
+#
+# This is useful in different scenarios, especially in the case of multiple
+# data center operations, where we want one side to never be promoted if not
+# in the case of a total DC failure.
+#
+# cluster-replica-no-failover no
+
+# This option, when set to yes, allows nodes to serve read traffic while the
+# cluster is in a down state, as long as it believes it owns the slots.
+#
+# This is useful for two cases. The first case is for when an application
+# doesn't require consistency of data during node failures or network partitions.
+# One example of this is a cache, where as long as the node has the data it
+# should be able to serve it.
+#
+# The second use case is for configurations that don't meet the recommended
+# three shards but want to enable cluster mode and scale later. A
+# master outage in a 1 or 2 shard configuration causes a read/write outage to the
+# entire cluster without this option set, with it set there is only a write outage.
+# Without a quorum of masters, slot ownership will not change automatically.
+#
+# cluster-allow-reads-when-down no
+
+# This option, when set to yes, allows nodes to serve pubsub shard traffic while
+# the cluster is in a down state, as long as it believes it owns the slots.
+#
+# This is useful if the application would like to use the pubsub feature even when
+# the cluster global stable state is not OK. If the application wants to make sure only
+# one shard is serving a given channel, this feature should be kept as yes.
+#
+# cluster-allow-pubsubshard-when-down yes
+
+# Cluster link send buffer limit is the limit on the memory usage of an individual
+# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed
+# this limit. This is to primarily prevent send buffers from growing unbounded on links
+# toward slow peers (E.g. PubSub messages being piled up).
+# This limit is disabled by default.
Enable this limit when 'mem_cluster_links' INFO field
+# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase.
+# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single
+# PubSub message by default. (client-query-buffer-limit default value is 1gb)
+#
+# cluster-link-sendbuf-limit 0
+
+# Clusters can configure their announced hostname using this config. This is a common use case for
+# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
+# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
+# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
+# communicated along the clusterbus to all nodes, setting it to an empty string will remove
+# the hostname and also propagate the removal.
+#
+# cluster-announce-hostname ""
+
+# Clusters can advertise how clients should connect to them using either their IP address,
+# a user defined hostname, or by declaring they have no endpoint. Which endpoint is
+# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
+# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
+# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
+# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
+# will be returned instead.
+#
+# When a cluster advertises itself as having an unknown endpoint, it's indicating that
+# the server doesn't know how clients can reach the cluster. This can happen in certain
+# networking situations where there are multiple possible routes to the node, and the
+# server doesn't know which one the client took. In this case, the server is expecting
+# the client to reach out on the same endpoint it used for making the last request, but use
+# the port provided in the response.
+#
+# cluster-preferred-endpoint-type ip
+
+# In order to setup your cluster make sure to read the documentation
+# available at https://redis.io web site.
+
+########################## CLUSTER DOCKER/NAT support ########################
+
+# In certain deployments, Redis Cluster nodes address discovery fails, because
+# addresses are NAT-ted or because ports are forwarded (the typical case is
+# Docker and other containers).
+#
+# In order to make Redis Cluster working in such environments, a static
+# configuration where each node knows its public address is needed. The
+# following four options are used for this scope, and are:
+#
+# * cluster-announce-ip
+# * cluster-announce-port
+# * cluster-announce-tls-port
+# * cluster-announce-bus-port
+#
+# Each instructs the node about its address, client ports (for connections
+# without and with TLS) and cluster message bus port. The information is then
+# published in the header of the bus packets so that other nodes will be able to
+# correctly map the address of the node publishing the information.
+#
+# If cluster-tls is set to yes and cluster-announce-tls-port is omitted or set
+# to zero, then cluster-announce-port refers to the TLS port. Note also that
+# cluster-announce-tls-port has no effect if cluster-tls is set to no.
+#
+# If the above options are not used, the normal Redis Cluster auto-detection
+# will be used instead.
+#
+# Note that when remapped, the bus port may not be at the fixed offset of
+# clients port + 10000, so you can specify any port and bus-port depending
+# on how they get remapped. If the bus-port is not set, a fixed offset of
+# 10000 will be used as usual.
+#
+# Example:
+#
+# cluster-announce-ip 10.1.1.5
+# cluster-announce-tls-port 6379
+# cluster-announce-port 0
+# cluster-announce-bus-port 6380
 ################################## SLOW LOG ###################################
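Review bot: In the SHUTDOWN section of this hunk the new shutdown-timeout comment reads `before the master exists`, which should be `before the master exits`; the sentence describes the grace period that lets lagging replicas catch up before the process terminates, and "exists" turns it into nonsense for the operator reading it. The wording appears to be inherited from the upstream Redis 7 template, but this file is what gets shipped, so it is worth correcting here: `# the latest replication offset before the master exits. This period can`. The rest of the hunk (cluster and Docker/NAT sections) is commented-out defaults and raises nothing on its own.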
@@ -658,14 +1841,28 @@ slowlog-max-len 128
 # By default latency monitoring is disabled since it is mostly not needed
 # if you don't have latency issues, and collecting data has a performance
 # impact, that while very small, can be measured under big load. Latency
-# monitoring can easily be enalbed at runtime using the command
+# monitoring can easily be enabled at runtime using the command
 # "CONFIG SET latency-monitor-threshold " if needed.
 latency-monitor-threshold 0
-############################# Event notification ##############################
+################################ LATENCY TRACKING ##############################
+
+# The Redis extended latency monitoring tracks the per command latencies and enables
+# exporting the percentile distribution via the INFO latencystats command,
+# and cumulative latency distributions (histograms) via the LATENCY command.
+#
+# By default, the extended latency monitoring is enabled since the overhead
+# of keeping track of the command latency is very small.
+# latency-tracking yes
+
+# By default the exported latency percentiles via the INFO latencystats command
+# are the p50, p99, and p999.
+# latency-tracking-info-percentiles 50 99 99.9
+
+############################# EVENT NOTIFICATION ##############################
 # Redis can notify Pub/Sub clients about events happening in the key space.
-# This feature is documented at http://redis.io/topics/notifications
+# This feature is documented at https://redis.io/topics/notifications
 #
 # For instance if keyspace events notification is enabled, and a client
 # performs a DEL operation on key "foo" stored in the Database 0, two
@@ -687,7 +1884,13 @@ latency-monitor-threshold 0
 # z Sorted set commands
 # x Expired events (events generated every time a key expires)
 # e Evicted events (events generated when a key is evicted for maxmemory)
-# A Alias for g$lshzxe, so that the "AKE" string means all the events.
+# n New key events (Note: not included in the 'A' class)
+# t Stream commands
+# d Module key type events
+# m Key-miss events (Note: It is not included in the 'A' class)
+# A Alias for g$lshzxetd, so that the "AKE" string means all the events
+# (Except key-miss events which are excluded from 'A' due to their
+# unique nature).
 #
 # The "notify-keyspace-events" takes as argument a string that is composed
 # of zero or multiple characters. The empty string means that notifications
@@ -713,14 +1916,39 @@ notify-keyspace-events ""
 # Hashes are encoded using a memory efficient data structure when they have a
 # small number of entries, and the biggest entry does not exceed a given
 # threshold. These thresholds can be configured using the following directives.
-hash-max-ziplist-entries 512
-hash-max-ziplist-value 64
-
-# Similarly to hashes, small lists are also encoded in a special way in order
-# to save a lot of space. The special representation is only used when
-# you are under the following limits:
-list-max-ziplist-entries 512
-list-max-ziplist-value 64
+hash-max-listpack-entries 512
+hash-max-listpack-value 64
+
+# Lists are also encoded in a special way to save a lot of space.
+# The number of entries allowed per internal list node can be specified
+# as a fixed maximum size or a maximum number of elements.
+# For a fixed maximum size, use -5 through -1, meaning:
+# -5: max size: 64 Kb <-- not recommended for normal workloads
+# -4: max size: 32 Kb <-- not recommended
+# -3: max size: 16 Kb <-- probably not recommended
+# -2: max size: 8 Kb <-- good
+# -1: max size: 4 Kb <-- good
+# Positive numbers mean store up to _exactly_ that number of elements
+# per list node.
+# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
+# but if your use case is unique, adjust the settings as necessary.
+list-max-listpack-size -2
+
+# Lists may also be compressed.
+# Compress depth is the number of quicklist ziplist nodes from *each* side of
+# the list to *exclude* from compression. The head and tail of the list
+# are always uncompressed for fast push/pop operations. Settings are:
+# 0: disable all list compression
+# 1: depth 1 means "don't start compressing until after 1 node into the list,
+# going from either the head or tail"
+# So: [head]->node->node->...->node->[tail]
+# [head], [tail] will always be uncompressed; inner nodes will compress.
+# 2: [head]->[next]->node->node->...->node->[prev]->[tail]
+# 2 here means: don't compress head or head->next or tail->prev or tail,
+# but compress all nodes between them.
+# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail]
+# etc.
+list-compress-depth 0
 # Sets have a special encoding in just one case: when a set is composed
 # of just strings that happen to be integers in radix 10 in the range
@@ -732,8 +1960,8 @@ set-max-intset-entries 512
 # Similarly to hashes and lists, sorted sets are also specially encoded in
 # order to save a lot of space. This encoding is only used when the length and
 # elements of a sorted set are below the following limits:
-zset-max-ziplist-entries 128
-zset-max-ziplist-value 64
+zset-max-listpack-entries 128
+zset-max-listpack-value 64
 # HyperLogLog sparse representation bytes limit. The limit includes the
 # 16 bytes header. When an HyperLogLog using the sparse representation crosses
@@ -749,6 +1977,17 @@ zset-max-ziplist-value 64
 # composed of many HyperLogLogs with cardinality in the 0 - 15000 range.
 hll-sparse-max-bytes 3000
+# Streams macro node max size / items. The stream data structure is a radix
+# tree of big nodes that encode multiple items inside. Using this configuration
+# it is possible to configure how big a single node can be in bytes, and the
+# maximum number of items it may contain before switching to a new node when
+# appending new stream entries. If any of the following settings are set to
+# zero, the limit is ignored, so for instance it is possible to set just a
+# max entries limit by setting max-bytes to 0 and max-entries to the desired
+# value.
+stream-node-max-bytes 4096
+stream-node-max-entries 100
+
 # Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
 # order to help rehashing the main Redis hash table (the one mapping top-level
 # keys to values). The hash table implementation Redis uses (see dict.c)
@@ -777,7 +2016,7 @@ activerehashing yes
 # The limit can be set differently for the three different classes of clients:
 #
 # normal -> normal clients including MONITOR clients
-# slave -> slave clients
+# replica -> replica clients
 # pubsub -> clients subscribed to at least one pubsub channel or pattern
 #
 # The syntax of every client-output-buffer-limit directive is the following:
@@ -798,14 +2037,54 @@ activerehashing yes
 # asynchronous clients may create a scenario where data is requested faster
 # than it can read.
 #
-# Instead there is a default limit for pubsub and slave clients, since
-# subscribers and slaves receive data in a push fashion.
+# Instead there is a default limit for pubsub and replica clients, since
+# subscribers and replicas receive data in a push fashion.
+#
+# Note that it doesn't make sense to set the replica clients output buffer
+# limit lower than the repl-backlog-size config (partial sync will succeed
+# and then replica will get disconnected).
+# Such a configuration is ignored (the size of repl-backlog-size will be used).
+# This doesn't have memory consumption implications since the replica client
+# will share the backlog buffers memory.
 #
 # Both the hard or the soft limit can be disabled by setting them to zero.
 client-output-buffer-limit normal 0 0 0
-client-output-buffer-limit slave 256mb 64mb 60
+client-output-buffer-limit replica 256mb 64mb 60
 client-output-buffer-limit pubsub 32mb 8mb 60
+# Client query buffers accumulate new commands. They are limited to a fixed
+# amount by default in order to avoid that a protocol desynchronization (for
+# instance due to a bug in the client) will lead to unbound memory usage in
+# the query buffer. However you can configure it here if you have very special
+# needs, such us huge multi/exec requests or alike.
+#
+# client-query-buffer-limit 1gb
+
+# In some scenarios client connections can hog up memory leading to OOM
+# errors or data eviction. To avoid this we can cap the accumulated memory
+# used by all client connections (all pubsub and normal clients). Once we
+# reach that limit connections will be dropped by the server freeing up
+# memory. The server will attempt to drop the connections using the most
+# memory first. We call this mechanism "client eviction".
+#
+# Client eviction is configured using the maxmemory-clients setting as follows:
+# 0 - client eviction is disabled (default)
+#
+# A memory value can be used for the client eviction threshold,
+# for example:
+# maxmemory-clients 1g
+#
+# A percentage value (between 1% and 100%) means the client eviction threshold
+# is based on a percentage of the maxmemory setting. For example to set client
+# eviction at 5% of maxmemory:
+# maxmemory-clients 5%
+
+# In the Redis protocol, bulk requests, that are, elements representing single
+# strings, are normally limited to 512 mb. However you can change this limit
+# here, but must be 1mb or greater
+#
+# proto-max-bulk-len 512mb
+
 # Redis calls an internal function to perform many background tasks, like
 # closing connections of clients in timeout, purging expired keys that are
 # never requested, and so forth.
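Review bot: `maxmemory-clients` and `client-query-buffer-limit` enter this hunk only as commented examples, so the built-in defaults stay in force: client eviction is off and each connection may grow its query buffer to the 1gb default the comment describes. Whether that is acceptable depends on who can reach this listener and on whether `maxmemory` is set, both of which lie outside the hunk, but if anything other than the local PacketFence daemons can connect, an explicit cap is what bounds the memory a misbehaving or unexpected client can tie up before the OOM killer gets involved. The hunk's own example, `maxmemory-clients 5%`, only has meaning when `maxmemory` is configured, so either set the value deliberately or record the assumption in a comment such as `# client eviction left disabled: listener is local-only and maxmemory is unset` so a later reader knows it was a choice.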
@@ -823,8 +2102,181 @@ client-output-buffer-limit pubsub 32mb 8mb 60 # 100 only in environments where very low latency is required. hz 50 +# Normally it is useful to have an HZ value which is proportional to the +# number of clients connected. This is useful in order, for instance, to +# avoid too many clients are processed for each background task invocation +# in order to avoid latency spikes. +# +# Since the default HZ value by default is conservatively set to 10, Redis +# offers, and enables by default, the ability to use an adaptive HZ value +# which will temporarily raise when there are many connected clients. +# +# When dynamic HZ is enabled, the actual configured HZ will be used +# as a baseline, but multiples of the configured HZ value will be actually +# used as needed once more clients are connected. In this way an idle +# instance will use very little CPU time while a busy instance will be +# more responsive. +dynamic-hz yes + # When a child rewrites the AOF file, if the following option is enabled -# the file will be fsync-ed every 32 MB of data generated. This is useful +# the file will be fsync-ed every 4 MB of data generated. This is useful # in order to commit the file to the disk more incrementally and avoid # big latency spikes. aof-rewrite-incremental-fsync yes + +# When redis saves RDB file, if the following option is enabled +# the file will be fsync-ed every 4 MB of data generated. This is useful +# in order to commit the file to the disk more incrementally and avoid +# big latency spikes. +rdb-save-incremental-fsync yes + +# Redis LFU eviction (see maxmemory setting) can be tuned. However it is a good +# idea to start with the default settings and only change them after investigating +# how to improve the performances and how the keys LFU change over time, which +# is possible to inspect via the OBJECT FREQ command. 
+# +# There are two tunable parameters in the Redis LFU implementation: the +# counter logarithm factor and the counter decay time. It is important to +# understand what the two parameters mean before changing them. +# +# The LFU counter is just 8 bits per key, it's maximum value is 255, so Redis +# uses a probabilistic increment with logarithmic behavior. Given the value +# of the old counter, when a key is accessed, the counter is incremented in +# this way: +# +# 1. A random number R between 0 and 1 is extracted. +# 2. A probability P is calculated as 1/(old_value*lfu_log_factor+1). +# 3. The counter is incremented only if R < P. +# +# The default lfu-log-factor is 10. This is a table of how the frequency +# counter changes with a different number of accesses with different +# logarithmic factors: +# +# +--------+------------+------------+------------+------------+------------+ +# | factor | 100 hits | 1000 hits | 100K hits | 1M hits | 10M hits | +# +--------+------------+------------+------------+------------+------------+ +# | 0 | 104 | 255 | 255 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 1 | 18 | 49 | 255 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 10 | 10 | 18 | 142 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 100 | 8 | 11 | 49 | 143 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# +# NOTE: The above table was obtained by running the following commands: +# +# redis-benchmark -n 1000000 incr foo +# redis-cli object freq foo +# +# NOTE 2: The counter initial value is 5 in order to give new objects a chance +# to accumulate hits. +# +# The counter decay time is the time, in minutes, that must elapse in order +# for the key counter to be divided by two (or decremented if it has a value +# less <= 10). +# +# The default value for the lfu-decay-time is 1. 
A special value of 0 means to +# decay the counter every time it happens to be scanned. +# +# lfu-log-factor 10 +# lfu-decay-time 1 + +########################### ACTIVE DEFRAGMENTATION ####################### +# +# What is active defragmentation? +# ------------------------------- +# +# Active (online) defragmentation allows a Redis server to compact the +# spaces left between small allocations and deallocations of data in memory, +# thus allowing to reclaim back memory. +# +# Fragmentation is a natural process that happens with every allocator (but +# less so with Jemalloc, fortunately) and certain workloads. Normally a server +# restart is needed in order to lower the fragmentation, or at least to flush +# away all the data and create it again. However thanks to this feature +# implemented by Oran Agra for Redis 4.0 this process can happen at runtime +# in a "hot" way, while the server is running. +# +# Basically when the fragmentation is over a certain level (see the +# configuration options below) Redis will start to create new copies of the +# values in contiguous memory regions by exploiting certain specific Jemalloc +# features (in order to understand if an allocation is causing fragmentation +# and to allocate it in a better place), and at the same time, will release the +# old copies of the data. This process, repeated incrementally for all the keys +# will cause the fragmentation to drop back to normal values. +# +# Important things to understand: +# +# 1. This feature is disabled by default, and only works if you compiled Redis +# to use the copy of Jemalloc we ship with the source code of Redis. +# This is the default with Linux builds. +# +# 2. You never need to enable this feature if you don't have fragmentation +# issues. +# +# 3. Once you experience fragmentation, you can enable this feature when +# needed with the command "CONFIG SET activedefrag yes". 
+# +# The configuration parameters are able to fine tune the behavior of the +# defragmentation process. If you are not sure about what they mean it is +# a good idea to leave the defaults untouched. + +# Active defragmentation is disabled by default +# activedefrag no + +# Minimum amount of fragmentation waste to start active defrag +# active-defrag-ignore-bytes 100mb + +# Minimum percentage of fragmentation to start active defrag +# active-defrag-threshold-lower 10 + +# Maximum percentage of fragmentation at which we use maximum effort +# active-defrag-threshold-upper 100 + +# Minimal effort for defrag in CPU percentage, to be used when the lower +# threshold is reached +# active-defrag-cycle-min 1 + +# Maximal effort for defrag in CPU percentage, to be used when the upper +# threshold is reached +# active-defrag-cycle-max 25 + +# Maximum number of set/hash/zset/list fields that will be processed from +# the main dictionary scan +# active-defrag-max-scan-fields 1000 + +# Jemalloc background thread for purging will be enabled by default +jemalloc-bg-thread yes + +# It is possible to pin different threads and processes of Redis to specific +# CPUs in your system, in order to maximize the performances of the server. +# This is useful both in order to pin different Redis threads in different +# CPUs, but also in order to make sure that multiple Redis instances running +# in the same host will be pinned to different CPUs. +# +# Normally you can do this using the "taskset" command, however it is also +# possible to this via Redis configuration directly, both in Linux and FreeBSD. +# +# You can pin the server/IO threads, bio threads, aof rewrite child process, and +# the bgsave child process. 
The syntax to specify the cpu list is the same as +# the taskset command: +# +# Set redis server/io threads to cpu affinity 0,2,4,6: +# server_cpulist 0-7:2 +# +# Set bio threads to cpu affinity 1,3: +# bio_cpulist 1,3 +# +# Set aof rewrite child process to cpu affinity 8,9,10,11: +# aof_rewrite_cpulist 8-11 +# +# Set bgsave child process to cpu affinity 1,10,11 +# bgsave_cpulist 1,10-11 + +# In some cases redis will emit warnings and even refuse to start if it detects +# that the system is in bad state, it is possible to suppress these warnings +# by setting the following config which takes a space delimited list of warnings +# to suppress +# +# ignore-warnings ARM64-COW-BUG diff --git a/containers/api-frontend/Dockerfile b/containers/api-frontend/Dockerfile index 6c533e6b4f8b..67e435e92fa1 100644 --- a/containers/api-frontend/Dockerfile +++ b/containers/api-frontend/Dockerfile @@ -1,6 +1,6 @@ ARG KNK_REGISTRY_URL ARG IMAGE_TAG -FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bullseye:${IMAGE_TAG} +FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bookworm:${IMAGE_TAG} RUN mkdir -p /usr/local/pf/ WORKDIR /usr/local/pf/ diff --git a/containers/httpd.admin_dispatcher/Dockerfile b/containers/httpd.admin_dispatcher/Dockerfile index 08269ec91176..220392d13af5 100644 --- a/containers/httpd.admin_dispatcher/Dockerfile +++ b/containers/httpd.admin_dispatcher/Dockerfile @@ -1,6 +1,6 @@ ARG KNK_REGISTRY_URL ARG IMAGE_TAG -FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bullseye:${IMAGE_TAG} +FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bookworm:${IMAGE_TAG} SHELL ["/bin/bash", "-c"] diff --git a/containers/httpd.dispatcher/Dockerfile b/containers/httpd.dispatcher/Dockerfile index 2707df217750..6b14e6bf7f54 100644 --- a/containers/httpd.dispatcher/Dockerfile +++ b/containers/httpd.dispatcher/Dockerfile 
@@ -1,6 +1,6 @@ ARG KNK_REGISTRY_URL ARG IMAGE_TAG -FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bullseye:${IMAGE_TAG} +FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bookworm:${IMAGE_TAG} RUN mkdir -p /usr/local/pf/ WORKDIR /usr/local/pf/ diff --git a/containers/ntlm-auth-api/Dockerfile b/containers/ntlm-auth-api/Dockerfile index 533f75389eab..79bf17411c7c 100644 --- a/containers/ntlm-auth-api/Dockerfile +++ b/containers/ntlm-auth-api/Dockerfile @@ -3,9 +3,16 @@ ARG IMAGE_TAG FROM ${KNK_REGISTRY_URL}/pfdebian:${IMAGE_TAG} WORKDIR /usr/local/pf/ + COPY bin bin -RUN apt-get update -RUN apt-get -y install python3-pip python3-pymysql python3-sdnotify python3-tz -RUN pip3 install flask-mysql==1.5.2 + +RUN apt-get -qq update && \ + apt-get -yqq install python3-pip python3-pymysql python3-sdnotify python3-tz python3-dev + +RUN VER=`python3 -c 'import sys; val=sys.version_info;print(str(val.major)+"."+str(val.minor))'` ; \ + sudo rm -rf /usr/lib/python$VER/EXTERNALLY-MANAGED && \ + pip3 install flask-mysql==1.5.2 + +COPY addons/ntlm-auth-api/openssl.cnf /usr/lib/ssl/openssl.cnf ENTRYPOINT /usr/bin/python3 /usr/local/pf/bin/pyntlm_auth/app.py diff --git a/containers/packetfence-perl/debian/Dockerfile_debian b/containers/packetfence-perl/debian11/Dockerfile_debian11 similarity index 100% rename from containers/packetfence-perl/debian/Dockerfile_debian rename to containers/packetfence-perl/debian11/Dockerfile_debian11 diff --git a/containers/packetfence-perl/debian12/Dockerfile_debian12 b/containers/packetfence-perl/debian12/Dockerfile_debian12 new file mode 100644 index 000000000000..e95ea02eee1c --- /dev/null +++ b/containers/packetfence-perl/debian12/Dockerfile_debian12 
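Review bot: `sudo rm -rf /usr/lib/python$VER/EXTERNALLY-MANAGED` deletes the PEP 668 guard for the whole image so that the following pip run can overwrite apt-managed modules, and it goes through `sudo` although a Dockerfile `RUN` already executes as root, so the only effect of `sudo` is a dependency on the sudo package being present in pfdebian (not visible here). The pip shipped with bookworm understands the per-invocation opt-out, so the supported form is `pip3 install --break-system-packages flask-mysql==1.5.2`, or a venv under /usr/local/pf that leaves the distro Python untouched. The pfsetacls Dockerfile hunk removes the same marker in the same way and would take the same fix. `COPY addons/ntlm-auth-api/openssl.cnf /usr/lib/ssl/openssl.cnf` replaces the distro-wide OpenSSL configuration for every process in the container rather than only for the NTLM service; a comment stating what the override enables, or scoping it by setting `OPENSSL_CONF` on the ENTRYPOINT, would make the change reviewable.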
@@ -0,0 +1,59 @@
+FROM debian:12.0
+
+ARG workdir \
+ output_directory
+
+ENV WORKDIR=${workdir} \
+ OUTPUT_DIRECTORY=${output_directory} \
+ BASE_DIR=/usr/local/pf/lib/perl_modules
+
+
+ENV PERL5LIB=/root/perl5/lib/perl5:${BASE_DIR}/lib/perl5/ \
+ PKG_CONFIG_PATH=/usr/lib/pkgconfig/ \
+ CPAN_BIN_PATH="/usr/bin/cpan" \
+ CPAN_VERSION=2.36
+
+WORKDIR ${WORKDIR}
+
+RUN apt update -y && apt -y upgrade && \
+ apt install libmodule-signature-perl zip make build-essential \
+libssl-dev zlib1g-dev libmariadb-dev-compat libmariadb-dev libssh2-1-dev libexpat1-dev \
+pkg-config libkrb5-dev libsystemd-dev libgd-dev libcpan-distnameinfo-perl libyaml-perl \
+curl wget graphviz libio-socket-ssl-perl debhelper \
+libnet-ssleay-perl libcpan-perl-releases-perl python3 vim -y && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/* && \
+ rm -rf /tmp/* /var/tmp/*
+
+RUN mkdir -p ${WORKDIR}/debian && \
+ mkdir -p ${BASE_DIR}/lib/perl5/ \
+ mkdir -p ${OUTPUT_DIRECTORY}
+
+# 1. configure CPAN with defaults (answer yes)
+# 2. override default conf to UNINST cpan after upgrade (seems mandatory for EL8)
+RUN (echo o conf make_install_arg 'UNINST=1'; echo o conf commit)|PERL_MM_USE_DEFAULT=1 ${CPAN_BIN_PATH} &> /dev/null && \
+# upgrade CPAN and show version
+ ${CPAN_BIN_PATH} -i ANDK/CPAN-${CPAN_VERSION}.tar.gz &> /dev/null && ${CPAN_BIN_PATH} -D CPAN && \
+# install modules in a specific directory
+ set -o nounset -o errexit && (echo o conf makepl_arg "INSTALL_BASE=${BASE_DIR}"; echo o conf commit)|${CPAN_BIN_PATH} && \
+# hard-coded due to quotes
+ set -o nounset -o errexit && (echo o conf mbuildpl_arg '"--install_base /usr/local/pf/lib/perl_modules"' ; echo o conf commit)|${CPAN_BIN_PATH} && \
+# allow to installed outdated dists
+ set -o nounset -o errexit && (echo o conf allow_installing_outdated_dists 'yes'; echo o conf commit)|${CPAN_BIN_PATH} && \
+# allow to downgrade installed modules automatically
+# assertion at end of script will check everything is expected
+ set -o nounset -o errexit && (echo o conf allow_installing_module_downgrades 'yes'; echo o conf commit)|${CPAN_BIN_PATH} && \
+# use cpan.metacpan.org to get outdated modules
+# disable pushy_https
+ set -o nounset -o errexit && (echo o conf urllist 'https://cpan.metacpan.org'; echo o conf commit)|${CPAN_BIN_PATH} && \
+ set -o nounset -o errexit && (echo o conf pushy_https '0'; echo o conf commit)|${CPAN_BIN_PATH} && \
+#limit the cache to 100mb
+ set -o nounset -o errexit && (echo o conf build_cache 100; echo o conf commit)|${CPAN_BIN_PATH}
+
+
+COPY ./addons/packetfence-perl/dependencies.csv ./addons/packetfence-perl/build_package.sh ./addons/packetfence-perl/install_cpan.py ./addons/packetfence-perl/psono.py ${WORKDIR}
+
+RUN python3 -u install_cpan.py -d dependencies.csv
+
+#remove logs
+RUN rm -rf ${WORKDIR}/.cpan/build/*
diff --git a/containers/pfacct/Dockerfile b/containers/pfacct/Dockerfile
index 77193e1ee30a..518c80862b6b 100644
--- a/containers/pfacct/Dockerfile
+++ b/containers/pfacct/Dockerfile
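Review bot: The `RUN mkdir -p ${WORKDIR}/debian && \` chain is missing `&&` after `mkdir -p ${BASE_DIR}/lib/perl5/ \`, so the backslash folds the next line into the same command and it runs as `mkdir -p ${BASE_DIR}/lib/perl5/ mkdir -p ${OUTPUT_DIRECTORY}`; with GNU mkdir that also creates a stray directory literally named `mkdir` under ${WORKDIR}. The line should read `mkdir -p ${BASE_DIR}/lib/perl5/ && \`. The CPAN bootstrap sends both the configuration step and the `cpan -i ANDK/CPAN-${CPAN_VERSION}.tar.gz` upgrade to `&> /dev/null`, which discards the only diagnostics a failed or tampered download would leave in the build log; keeping stderr would cost nothing. `FROM debian:12.0` pins the first point release instead of `debian:12`, so the base layer never moves to later point releases and the image relies entirely on the build-time `apt -y upgrade` for security fixes. The comment `# 2. override default conf to UNINST cpan after upgrade (seems mandatory for EL8)` was carried over from the RPM build and no longer explains why the setting is needed on Debian.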
@@ -1,6 +1,6 @@ ARG KNK_REGISTRY_URL ARG IMAGE_TAG -FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bullseye:${IMAGE_TAG} +FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bookworm:${IMAGE_TAG} RUN mkdir -p /usr/local/pf/ WORKDIR /usr/local/pf/ diff --git a/containers/pfconnector/Dockerfile b/containers/pfconnector/Dockerfile index 392fc1c16d98..a7dbf3bd6a87 100644 --- a/containers/pfconnector/Dockerfile +++ b/containers/pfconnector/Dockerfile @@ -1,6 +1,6 @@ ARG KNK_REGISTRY_URL ARG IMAGE_TAG -FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bullseye:${IMAGE_TAG} +FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bookworm:${IMAGE_TAG} RUN mkdir -p /usr/local/pf/ WORKDIR /usr/local/pf/ diff --git a/containers/pfcron/Dockerfile b/containers/pfcron/Dockerfile index b8c1847a7fa0..c3d5b9953ca6 100644 --- a/containers/pfcron/Dockerfile +++ b/containers/pfcron/Dockerfile @@ -1,6 +1,6 @@ ARG KNK_REGISTRY_URL ARG IMAGE_TAG -FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bullseye:${IMAGE_TAG} +FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bookworm:${IMAGE_TAG} RUN mkdir -p /usr/local/pf/ WORKDIR /usr/local/pf/ diff --git a/containers/pfdebian/Dockerfile b/containers/pfdebian/Dockerfile index a633e24ba24b..5b45e80f0bca 100644 --- a/containers/pfdebian/Dockerfile +++ b/containers/pfdebian/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:11 +FROM debian:12 RUN apt-get update && apt-get install -y aptitude wget gnupg @@ -13,7 +13,7 @@ ARG PKGS_TO_EXCLUDE COPY debian/control /tmp/ COPY rpm/packetfence.spec /tmp/ -RUN /bin/bash -c "echo 'deb http://inverse.ca/downloads/PacketFence/debian/${PF_VERSION} bullseye bullseye' > /etc/apt/sources.list.d/packetfence_deps.list" && \ +RUN /bin/bash -c "echo 'deb http://inverse.ca/downloads/PacketFence/debian/${PF_VERSION} bookworm bookworm' > /etc/apt/sources.list.d/packetfence_deps.list" && \ wget -q -O - https://inverse.ca/downloads/GPG_PUBLIC_KEY | apt-key add - RUN /bin/bash -c "echo 'deb https://deb.nodesource.com/node_20.x nodistro main' > /etc/apt/sources.list.d/nodejs.list" && \ 
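Review bot: The new bookworm entry written to /etc/apt/sources.list.d/packetfence_deps.list is still trusted through `wget -q -O - https://inverse.ca/downloads/GPG_PUBLIC_KEY | apt-key add -`, which places the key in the legacy global keyring where it can sign any configured repository, not only inverse.ca, and apt-key is deprecated on bookworm and warns at build time. Prefer a dedicated keyring bound to this one source: `wget -q -O - https://inverse.ca/downloads/GPG_PUBLIC_KEY | gpg --dearmor -o /etc/apt/keyrings/packetfence.gpg` (assuming the published key is ASCII-armoured; drop `--dearmor` if it is binary) and `deb [signed-by=/etc/apt/keyrings/packetfence.gpg] http://inverse.ca/downloads/PacketFence/debian/${PF_VERSION} bookworm bookworm`. The repository itself is fetched over plain http; the signature check covers integrity, but https would additionally keep the package list and versions being pulled private in transit.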
diff --git a/containers/pfldapexplorer/Dockerfile b/containers/pfldapexplorer/Dockerfile index 3237ab87352e..217f601ed092 100644 --- a/containers/pfldapexplorer/Dockerfile +++ b/containers/pfldapexplorer/Dockerfile @@ -1,6 +1,6 @@ ARG KNK_REGISTRY_URL ARG IMAGE_TAG -FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bullseye:${IMAGE_TAG} +FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bookworm:${IMAGE_TAG} RUN mkdir -p /usr/local/pf/ WORKDIR /usr/local/pf/ diff --git a/containers/pfpki/Dockerfile b/containers/pfpki/Dockerfile index 6127ca990c8c..33f43fb28a60 100644 --- a/containers/pfpki/Dockerfile +++ b/containers/pfpki/Dockerfile @@ -1,6 +1,6 @@ ARG KNK_REGISTRY_URL ARG IMAGE_TAG -FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bullseye:${IMAGE_TAG} +FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bookworm:${IMAGE_TAG} RUN mkdir -p /usr/local/pf/ WORKDIR /usr/local/pf/ diff --git a/containers/pfsetacls/Dockerfile b/containers/pfsetacls/Dockerfile index eda0f1eeccde..e997112357d9 100644 --- a/containers/pfsetacls/Dockerfile +++ b/containers/pfsetacls/Dockerfile @@ -1,4 +1,5 @@ -FROM golang:1.23rc1-bullseye + +FROM golang:1.23rc1-bookworm ENV SEMAPHORE_VERSION="development" SEMAPHORE_ARCH="linux_amd64" \ SEMAPHORE_CONFIG_PATH="${SEMAPHORE_CONFIG_PATH:-/etc/semaphore}" \ 
@@ -7,11 +8,13 @@ ENV SEMAPHORE_VERSION="development" SEMAPHORE_ARCH="linux_amd64" \ # hadolint ignore=DL3013 RUN curl -fsSL https://deb.nodesource.com/setup_16.x | bash - -RUN apt update && apt install -y gcc g++ make git mariadb-client-10.5 python3 pip python3-openssl openssl ca-certificates curl libcurl4-openssl-dev openssh-client tini nodejs bash rsync && \ +RUN apt update && apt install -y gcc g++ make git mariadb-client python3 pip python3-openssl openssl ca-certificates curl libcurl4-openssl-dev openssh-client tini nodejs bash rsync && \ apt install -y python3-dev libffi-dev python3-paramiko &&\ rm -rf /var/cache/apt/* -RUN pip3 install --upgrade pip cffi &&\ +RUN VER=`python3 -c 'import sys; val=sys.version_info;print(str(val.major)+"."+str(val.minor))'` ; \ + rm -rf /usr/lib/python$VER/EXTERNALLY-MANAGED && \ + pip3 install --upgrade pip cffi &&\ pip3 install ansible && pip3 install ansible-pylibssh RUN adduser --disabled-password -u 1002 --gecos 0 semaphore && \ diff --git a/containers/pfsso/Dockerfile b/containers/pfsso/Dockerfile index b57c615456e7..2141dc449469 100644 --- a/containers/pfsso/Dockerfile +++ b/containers/pfsso/Dockerfile @@ -1,6 +1,6 @@ ARG KNK_REGISTRY_URL ARG IMAGE_TAG -FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bullseye:${IMAGE_TAG} +FROM ${KNK_REGISTRY_URL}/pfbuild-debian-bookworm:${IMAGE_TAG} RUN mkdir -p /usr/local/pf/ WORKDIR /usr/local/pf/ diff --git a/containers/proxysql/Dockerfile b/containers/proxysql/Dockerfile index cb7c279e25a7..fe8c9ea072f2 100644 --- a/containers/proxysql/Dockerfile +++ b/containers/proxysql/Dockerfile @@ -1,13 +1,13 @@ ARG KNK_REGISTRY_URL ARG IMAGE_TAG -ARG from=${KNK_REGISTRY_URL}/pfbuild-debian-bullseye:${IMAGE_TAG} +ARG from=${KNK_REGISTRY_URL}/pfbuild-debian-bookworm:${IMAGE_TAG} FROM ${from} as build ENV MAKE=make ENV MAKEOPT="-j 1" ENV CURVER=2.6.0 -ENV PKG_RELEASE=debian11 +ENV PKG_RELEASE=debian12 ENV PROXYSQL_BUILD_TYPE=clickhouse ENV CC=cc ENV CXX=g++ 
diff --git a/containers/radiusd/Dockerfile b/containers/radiusd/Dockerfile index c7aa234e7b0f..3b303069a630 100644 --- a/containers/radiusd/Dockerfile +++ b/containers/radiusd/Dockerfile @@ -1,4 +1,4 @@ -ARG from=debian:bullseye +ARG from=debian:bookworm ARG KNK_REGISTRY_URL ARG IMAGE_TAG diff --git a/debian/control b/debian/control index 5ed5c97c2d7c..ecd2222f994f 100644 --- a/debian/control +++ b/debian/control @@ -21,8 +21,8 @@ Pre-Depends: ca-certificates, fingerbank (>= 4.3.2), fingerbank (<< 5.0.0), fingerbank-collector (>= 1.4.1), fingerbank-collector (<< 2.0.0), packetfence-redis-cache (>= ${source:Version}), - packetfence-perl (>= 1.2.3), - netdata (= 1:1.10.0-1) + packetfence-perl (>= 1.2.4), + netdata # Removed for now # libmariadbd-dev (>= 10.1), libmariadbd-dev (<< 10.5.18) Breaks: libdata-alias-perl @@ -34,8 +34,8 @@ Depends: ${misc:Depends}, vlan, packetfence-archive-keyring (>= ${source:Version}), gpg, jq, - mariadb-server (>= 10.5.15), - mariadb-client (>= 10.5.15), + mariadb-server, + mariadb-client, snmp, snmptrapfmt, snmptrapd, snmp-mibs-downloader, conntrack, rsyslog, # for import/export scripts ipcalc, ipcalc-ng, @@ -163,7 +163,7 @@ Depends: ${misc:Depends}, vlan, # for packaging lsb-release, # nthash cache - libscalar-list-utils-perl (>= 1.41-1),libfile-fcntllock-perl,libjson-xs-perl,libmoo-perl,libnet-dns-perl,python3-twisted-bin,python3-twisted,libconfig-inifiles-perl, + libscalar-list-utils-perl (>= 1.41-1),libfile-fcntllock-perl,libjson-xs-perl,libmoo-perl,libnet-dns-perl,python3-twisted,libconfig-inifiles-perl, # Monit and monitoring scripts monit, uuid-runtime, # Docker runtime diff --git a/debian/packetfence-config.postinst b/debian/packetfence-config.postinst index bc4cbfd795f2..97a3062b9e4e 100644 --- a/debian/packetfence-config.postinst +++ b/debian/packetfence-config.postinst 
@@ -29,7 +29,7 @@ case "$1" in
 echo "pfconfig.conf already exists, won't touch it!"
 fi
 /sbin/ldconfig
- if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ]; then
+ if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ] || [ ${DIST} = "bookworm" ]; then
 systemctl enable packetfence-config
 fi
 if [ ${DIST} = "wheezy" ] || [ ${DIST} = "precise" ]; then
diff --git a/debian/packetfence-config.prerm b/debian/packetfence-config.prerm
index ff4a568c9233..b1cf4385f6d6 100644
--- a/debian/packetfence-config.prerm
+++ b/debian/packetfence-config.prerm
@@ -32,7 +32,7 @@ case "$1" in
 fi
 fi
 fi
- if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ]; then
+ if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ] || [ ${DIST} = "bookworm" ]; then
 systemctl stop packetfence-config || exit $?
 fi
 ;;
diff --git a/debian/packetfence-redis-cache.postinst b/debian/packetfence-redis-cache.postinst
index 80cc8031e6c7..c02e6da97946 100644
--- a/debian/packetfence-redis-cache.postinst
+++ b/debian/packetfence-redis-cache.postinst
@@ -27,7 +27,7 @@ case "$1" in
 if [ ${DIST} = "wheezy" ] || [ ${DIST} = "precise" ]; then
 update-rc.d packetfence-redis-cache defaults 60 || exit 0
 fi
- if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ]; then
+ if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ] || [ ${DIST} = "bookworm" ]; then
 systemctl enable packetfence-redis-cache
 fi
 set +e
@@ -42,7 +42,7 @@ case "$1" in
 fi
 fi
 fi
- if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ]; then
+ if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ] || [ ${DIST} = "bookworm" ]; then
 systemctl disable $service
 fi
 done
diff --git a/debian/packetfence-redis-cache.prerm b/debian/packetfence-redis-cache.prerm
index c4bb24ff62fe..df125a41c5e9 100644
--- a/debian/packetfence-redis-cache.prerm
+++ b/debian/packetfence-redis-cache.prerm
@@ -32,7 +32,7 @@ case "$1" in
 fi
 fi
 fi
- if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ]; then
+ if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ] || [ ${DIST} = "bookworm" ]; then
 systemctl stop packetfence-redis-cache
 fi
 ;;
diff --git a/debian/packetfence.postinst b/debian/packetfence.postinst
index d7d243333dd4..c7e9bf679d31 100644
--- a/debian/packetfence.postinst
+++ b/debian/packetfence.postinst
@@ -117,7 +117,7 @@ case "$1" in
 update-rc.d $service remove > /dev/null 2>&1
 fi
 fi
- if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ]; then
+ if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ] || [ ${DIST} = "bookworm" ]; then
 if [ -e "/lib/systemd/system/"$service".service" ] ; then
 systemctl stop $service
 systemctl disable $service
@@ -236,7 +236,11 @@ case "$1" in
 /usr/bin/mysql -uroot -e "set password for 'root'@'localhost' = password('')"
 set -e
 fi
-
+ if [ ${DIST} = "bookworm" ] && [ "$DEBIAN_ISO_INSTALLER" = "no" ]; then
+ set +e
+ /usr/bin/mysql -uroot -e "set password for 'root'@'localhost' = password('')"
+ set -e
+ fi
 # Install the monitoring scripts signing key
 echo "Install the monitoring scripts signing key"
 gpg --no-default-keyring --keyring /root/.gnupg/pubring.kbx --import /usr/share/keyrings/monitoring-scripts-keyring.gpg
diff --git a/debian/packetfence.prerm b/debian/packetfence.prerm
index 74dd573c8258..0c74d6a5d9a4 100644
--- a/debian/packetfence.prerm
+++ b/debian/packetfence.prerm
@@ -32,7 +32,7 @@ case "$1" in
 fi
 fi
 fi
- if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ]; then
+ if [ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ] || [ ${DIST} = "bookworm" ]; then
 systemctl stop packetfence-haproxy-admin
 systemctl set-default multi-user.target
 systemctl isolate multi-user.target
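Review bot: The extended test `[ ${DIST} = "jessie" ] || [ ${DIST} = "stretch" ] || [ ${DIST} = "bullseye" ] || [ ${DIST} = "bookworm" ]` keeps `${DIST}` unquoted, so if DIST is empty or unset each clause degenerates to `[ = "jessie" ]`, which is a test syntax error rather than a false result (how DIST is set is outside the hunk, so whether that can happen cannot be checked here). A single `case "$DIST" in jessie|stretch|bullseye|bookworm) systemctl enable packetfence-config ;; esac` is safe for an empty value, quotes the variable, and stops the chain growing by one clause per Debian release. The identical chain is extended in the same way in packetfence-config.prerm, both hunks of packetfence-redis-cache.postinst, packetfence-redis-cache.prerm, packetfence.postinst (first hunk) and packetfence.prerm, which would all take the same rewrite.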
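Review bot: The new bookworm block in packetfence.postinst re-issues `set password for 'root'@'localhost' = password('')`, which leaves the MariaDB root account without a password, and it duplicates the block immediately above it (whose `if` line is outside the hunk) instead of extending that block's condition with `|| [ ${DIST} = "bookworm" ]`. Because the statement is wrapped in `set +e` … `set -e` with no check of `$?`, a rejected or failed statement is silently ignored, so the install proceeds with an unknown root credential state; echoing the outcome or at least `|| echo "warning: could not reset mysql root password"` would make the result visible in the install log. On MariaDB as packaged for recent Debian releases the root@localhost account is, as far as I know, socket-authenticated by default, so it is worth confirming that this statement still produces the access the later steps rely on rather than failing quietly. A comment stating why the root password is intentionally blanked here and which later step secures it would help the next maintainer.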
diff --git a/debian/patches/debianize.patch b/debian/patches/debianize.patch index 7c8e30a7ceb2..9b3c4db50e04 100644 --- a/debian/patches/debianize.patch +++ b/debian/patches/debianize.patch @@ -12,10 +12,10 @@ index 64f5e73f3d..90319cfc09 100644 # Netdata is not designed to be exposed to potentially hostile networks # See https://github.com/firehol/netdata/issues/164 diff --git a/conf/pf.conf.defaults b/conf/pf.conf.defaults -index 5492ed51f1..d2237bc88e 100644 +index 113ce3ba59..5da56b26df 100644 --- a/conf/pf.conf.defaults +++ b/conf/pf.conf.defaults -@@ -443,7 +443,7 @@ radiusd=enabled +@@ -473,7 +473,7 @@ radiusd=enabled # services.radiusd_binary # # Location of the named binary. Only necessary to change if you are not running the RPMed version. @@ -24,7 +24,7 @@ index 5492ed51f1..d2237bc88e 100644 # # services.radiusd_acct # -@@ -518,7 +518,7 @@ httpd_proxy=enabled +@@ -538,7 +538,7 @@ httpd_aaa=enabled # services.httpd_binary # # Location of the apache binary. Only necessary to change if you are not running the RPMed version. @@ -33,7 +33,7 @@ index 5492ed51f1..d2237bc88e 100644 # # services.snmptrapd # -@@ -616,7 +616,7 @@ openssl_binary=/usr/bin/openssl +@@ -637,7 +637,7 @@ openssl_binary=/usr/bin/openssl # services.arp_binary # # location of the arp binary. only necessary to change if you are not running the rpmed version. 
@@ -42,19 +42,141 @@ index 5492ed51f1..d2237bc88e 100644 # # services.netdata # +diff --git a/conf/systemd/packetfence-api-frontend.service b/conf/systemd/packetfence-api-frontend.service +index 11ab53139c..c42bb668fd 100644 +--- a/conf/systemd/packetfence-api-frontend.service ++++ b/conf/systemd/packetfence-api-frontend.service +@@ -13,7 +13,7 @@ Type=notify + TimeoutStopSec=60 + NotifyAccess=all + LimitNOFILE=infinity +-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::api_frontend' -e 'pf::services::manager::api_frontend->new()->generateConfig()' ++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::api_frontend' -e 'pf::services::manager::api_frontend->new()->generateConfig()' + ExecStart=/usr/local/pf/sbin/api-frontend-docker-wrapper + ExecStop=/bin/bash -c "docker stop api-frontend ; echo Stopped" + Restart=on-failure +diff --git a/conf/systemd/packetfence-haproxy-admin.service b/conf/systemd/packetfence-haproxy-admin.service +index 373ddf89be..b7fb8e702e 100644 +--- a/conf/systemd/packetfence-haproxy-admin.service ++++ b/conf/systemd/packetfence-haproxy-admin.service +@@ -12,7 +12,7 @@ Type=notify + NotifyAccess=all + StartLimitBurst=3 + StartLimitInterval=10 +-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::haproxy_admin' -e 'pf::services::manager::haproxy_admin->new()->generateConfig()' ++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::haproxy_admin' -e 'pf::services::manager::haproxy_admin->new()->generateConfig()' + ExecStart=/usr/local/pf/sbin/haproxy-admin-docker-wrapper + ExecStop=/bin/bash -c "docker stop haproxy-admin ; echo Stopped" + Restart=on-failure diff --git a/conf/systemd/packetfence-haproxy-db.service b/conf/systemd/packetfence-haproxy-db.service -index 8045a372d3..7437d09bae 100644 +index 8045a372d3..f23aef34ac 100644 
--- a/conf/systemd/packetfence-haproxy-db.service 
+++ b/conf/systemd/packetfence-haproxy-db.service -@@ -8,7 +8,7 @@ Wants=packetfence-config.service +@@ -8,9 +8,9 @@ Wants=packetfence-config.service Type=notify StartLimitBurst=3 StartLimitInterval=10 -ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::haproxy_db' -e 'pf::services::manager::haproxy_db->new()->generateConfig()' +ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::haproxy_db' -e 'pf::services::manager::haproxy_db->new()->generateConfig()' ExecStart=/usr/sbin/haproxy -Ws -f /usr/local/pf/var/conf/haproxy-db.conf -p /usr/local/pf/var/run/haproxy-db.pid - ExecReload=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::haproxy_db' -e 'pf::services::manager::haproxy_db->new()->generateConfig()' +-ExecReload=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::haproxy_db' -e 'pf::services::manager::haproxy_db->new()->generateConfig()' ++ExecReload=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::haproxy_db' -e 'pf::services::manager::haproxy_db->new()->generateConfig()' ExecReload=/bin/kill -USR2 $MAINPID + Restart=on-failure + SuccessExitStatus=143 +diff --git a/conf/systemd/packetfence-haproxy-portal.service b/conf/systemd/packetfence-haproxy-portal.service +index b6f1a195e5..61041666ad 100644 +--- a/conf/systemd/packetfence-haproxy-portal.service ++++ b/conf/systemd/packetfence-haproxy-portal.service +@@ -11,7 +11,7 @@ Type=notify + NotifyAccess=all + StartLimitBurst=3 + StartLimitInterval=10 +-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::haproxy_portal' -e 'pf::services::manager::haproxy_portal->new()->generateConfig()' ++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::haproxy_portal' -e 
'pf::services::manager::haproxy_portal->new()->generateConfig()' + ExecStart=/usr/local/pf/sbin/haproxy-portal-docker-wrapper + ExecStop=/bin/bash -c "docker stop haproxy-portal ; echo Stopped" + Restart=on-failure +diff --git a/conf/systemd/packetfence-httpd.aaa.service b/conf/systemd/packetfence-httpd.aaa.service +index a4fda39ccc..fa3148a982 100644 +--- a/conf/systemd/packetfence-httpd.aaa.service ++++ b/conf/systemd/packetfence-httpd.aaa.service +@@ -15,7 +15,7 @@ Type=notify + NotifyAccess=all + StartLimitBurst=3 + StartLimitInterval=10 +-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::httpd_aaa' -e 'pf::services::manager::httpd_aaa->new()->generateConfig()' ++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::httpd_aaa' -e 'pf::services::manager::httpd_aaa->new()->generateConfig()' + ExecStart=/usr/local/pf/sbin/httpd.aaa-docker-wrapper + ExecStop=/bin/bash -c "docker stop httpd.aaa ; echo Stopped" + TimeoutStopSec=30 +diff --git a/conf/systemd/packetfence-httpd.admin_dispatcher.service b/conf/systemd/packetfence-httpd.admin_dispatcher.service +index c2d7ae7cc2..a108cdeffc 100644 +--- a/conf/systemd/packetfence-httpd.admin_dispatcher.service ++++ b/conf/systemd/packetfence-httpd.admin_dispatcher.service +@@ -14,7 +14,7 @@ TimeoutStartSec=180 + TimeoutStopSec=60 + NotifyAccess=all + LimitNOFILE=8192 +-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::httpd_admin_dispatcher' -e 'pf::services::manager::httpd_admin_dispatcher->new()->generateConfig()' ++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::httpd_admin_dispatcher' -e 'pf::services::manager::httpd_admin_dispatcher->new()->generateConfig()' + ExecStart=/usr/local/pf/sbin/httpd.admin_dispatcher-docker-wrapper + ExecStop=/bin/bash -c "docker stop httpd.admin_dispatcher ; echo Stopped" 
+ Restart=on-failure
+diff --git a/conf/systemd/packetfence-httpd.dispatcher.service b/conf/systemd/packetfence-httpd.dispatcher.service
+index f5995d7a7a..85c10c95d8 100644
+--- a/conf/systemd/packetfence-httpd.dispatcher.service
++++ b/conf/systemd/packetfence-httpd.dispatcher.service
+@@ -13,7 +13,7 @@ Type=notify
+ TimeoutStopSec=60
+ NotifyAccess=all
+ LimitNOFILE=8192
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::httpd_dispatcher' -e 'pf::services::manager::httpd_dispatcher->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::httpd_dispatcher' -e 'pf::services::manager::httpd_dispatcher->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/httpd.dispatcher-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop httpd.dispatcher ; echo Stopped"
+ Restart=on-failure
+diff --git a/conf/systemd/packetfence-httpd.portal.service b/conf/systemd/packetfence-httpd.portal.service
+index 732e7c82c9..2d031021cc 100644
+--- a/conf/systemd/packetfence-httpd.portal.service
++++ b/conf/systemd/packetfence-httpd.portal.service
+@@ -12,7 +12,7 @@ Type=notify
+ NotifyAccess=all
+ StartLimitBurst=3
+ StartLimitInterval=10
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::httpd_portal' -e 'pf::services::manager::httpd_portal->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::httpd_portal' -e 'pf::services::manager::httpd_portal->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/httpd.portal-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop httpd.portal ; echo Stopped"
+ TimeoutStopSec=60
+diff --git a/conf/systemd/packetfence-httpd.webservices.service b/conf/systemd/packetfence-httpd.webservices.service
+index 0692f87f8f..dddbf66b54 100644
+--- a/conf/systemd/packetfence-httpd.webservices.service
++++ b/conf/systemd/packetfence-httpd.webservices.service
+@@ -14,7 +14,7 @@ Type=notify
+ NotifyAccess=all
+ StartLimitBurst=3
+ StartLimitInterval=10
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::httpd_webservices' -e 'pf::services::manager::httpd_webservices->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::httpd_webservices' -e 'pf::services::manager::httpd_webservices->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/httpd.webservices-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop httpd.webservices ; echo Stopped"
+ TimeoutStartSec=300
+diff --git a/conf/systemd/packetfence-ip6tables.service b/conf/systemd/packetfence-ip6tables.service
+index 22c4a14db3..7dc96ff370 100644
+--- a/conf/systemd/packetfence-ip6tables.service
++++ b/conf/systemd/packetfence-ip6tables.service
+@@ -7,8 +7,8 @@ After=packetfence-base.target packetfence-config.service
+ [Service]
+ StartLimitBurst=3
+ StartLimitInterval=10
+-ExecStart=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 -Mpf::db -Mpf::services::manager::ip6tables -e 'my $db ; while(!$db) { eval { $db = db_connect() } ; sleep 1 } ; pf::services::manager::ip6tables->new()->startAndCheck()'
+-ExecStop=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::ip6tables' -e 'pf::services::manager::ip6tables->new()->_stop()'
++ExecStart=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 -Mpf::db -Mpf::services::manager::ip6tables -e 'my $db ; while(!$db) { eval { $db = db_connect() } ; sleep 1 } ; pf::services::manager::ip6tables->new()->startAndCheck()'
++ExecStop=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::ip6tables' -e 'pf::services::manager::ip6tables->new()->_stop()'
+ Slice=packetfence.slice
+
+ [Install]
diff --git a/conf/systemd/packetfence-iptables.service b/conf/systemd/packetfence-iptables.service
index a3ac735600..be76136201 100644
--- a/conf/systemd/packetfence-iptables.service
@@ -70,6 +192,19 @@ index a3ac735600..be76136201 100644
Slice=packetfence.slice
[Install]
+diff --git a/conf/systemd/packetfence-kafka.service b/conf/systemd/packetfence-kafka.service
+index 07741f392b..0457137d92 100644
+--- a/conf/systemd/packetfence-kafka.service
++++ b/conf/systemd/packetfence-kafka.service
+@@ -11,7 +11,7 @@ StartLimitBurst=3
+ StartLimitInterval=10
+ Type=simple
+ TimeoutStopSec=60
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::kafka' -e 'pf::services::manager::kafka->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::kafka' -e 'pf::services::manager::kafka->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/kafka-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop kafka ; echo Stopped"
+ Restart=on-failure
diff --git a/conf/systemd/packetfence-keepalived.service b/conf/systemd/packetfence-keepalived.service
index 98a2a340d3..9605ef030a 100644
--- a/conf/systemd/packetfence-keepalived.service
@@ -96,6 +231,71 @@ index eea70993c2..3876e340cb 100644
PermissionsStartOnly=true
TimeoutSec=60
+diff --git a/conf/systemd/packetfence-ntlm-auth-api.service b/conf/systemd/packetfence-ntlm-auth-api.service
+index bf33a84a51..8a97755d92 100644
+--- a/conf/systemd/packetfence-ntlm-auth-api.service
++++ b/conf/systemd/packetfence-ntlm-auth-api.service
+@@ -11,7 +11,7 @@ Type=forking
+ TimeoutStopSec=60
+ NotifyAccess=all
+ LimitNOFILE=8192
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::ntlm_auth_api' -e 'pf::services::manager::ntlm_auth_api->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::ntlm_auth_api' -e 'pf::services::manager::ntlm_auth_api->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/ntlm-auth-api-docker-wrapper start
+ ExecStop=/usr/local/pf/sbin/ntlm-auth-api-docker-wrapper stop
+ Restart=on-failure
+diff --git a/conf/systemd/packetfence-pfacct.service b/conf/systemd/packetfence-pfacct.service
+index 82e7780190..82ef1f66d4 100644
+--- a/conf/systemd/packetfence-pfacct.service
++++ b/conf/systemd/packetfence-pfacct.service
+@@ -9,7 +9,7 @@ Before=packetfence-httpd.portal.service
+ Type=notify
+ TimeoutStopSec=60
+ NotifyAccess=all
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfacct' -e 'pf::services::manager::pfacct->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfacct' -e 'pf::services::manager::pfacct->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/pfacct-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop pfacct ; echo Stopped"
+ Restart=on-failure
+diff --git a/conf/systemd/packetfence-pfconnector-client.service b/conf/systemd/packetfence-pfconnector-client.service
+index 1e39f879a6..44c1e77f21 100644
+--- a/conf/systemd/packetfence-pfconnector-client.service
++++ b/conf/systemd/packetfence-pfconnector-client.service
+@@ -9,7 +9,7 @@ PartOf=packetfence-docker-iptables.service
+
+ [Service]
+ LimitNOFILE=infinity
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfconnector_client' -e 'pf::services::manager::pfconnector_client->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfconnector_client' -e 'pf::services::manager::pfconnector_client->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/pfconnector-client-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop pfconnector-client ; echo Stopped"
+ Restart=always
+diff --git a/conf/systemd/packetfence-pfconnector-server.service b/conf/systemd/packetfence-pfconnector-server.service
+index 4485768dce..b93c15dcf2 100644
+--- a/conf/systemd/packetfence-pfconnector-server.service
++++ b/conf/systemd/packetfence-pfconnector-server.service
+@@ -9,7 +9,7 @@ PartOf=packetfence-docker-iptables.service
+
+ [Service]
+ LimitNOFILE=infinity
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfconnector_server' -e 'pf::services::manager::pfconnector_server->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfconnector_server' -e 'pf::services::manager::pfconnector_server->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/pfconnector-server-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop pfconnector-server ; echo Stopped"
+ Restart=on-failure
+diff --git a/conf/systemd/packetfence-pfcron.service b/conf/systemd/packetfence-pfcron.service
+index fc123777b2..8377843fbb 100644
+--- a/conf/systemd/packetfence-pfcron.service
++++ b/conf/systemd/packetfence-pfcron.service
+@@ -7,7 +7,7 @@ After=packetfence-base.target packetfence-config.service
+ [Service]
+ Type=notify
+ NotifyAccess=all
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfcron' -e 'pf::services::manager::pfcron->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfcron' -e 'pf::services::manager::pfcron->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/pfcron-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop pfcron ; echo Stopped"
+ Restart=on-failure
diff --git a/conf/systemd/packetfence-pfdns.service b/conf/systemd/packetfence-pfdns.service
index 69b288b4c4..8e9543e5aa 100644
--- a/conf/systemd/packetfence-pfdns.service
@@ -109,8 +309,125 @@ index 69b288b4c4..8e9543e5aa 100644
ExecStart=/usr/local/pf/sbin/pfdns -conf=/usr/local/pf/var/conf/pfdns.conf
Restart=on-failure
Slice=packetfence.slice
+diff --git a/conf/systemd/packetfence-pfipset.service b/conf/systemd/packetfence-pfipset.service
+index b98c330943..56936ab818 100644
+--- a/conf/systemd/packetfence-pfipset.service
++++ b/conf/systemd/packetfence-pfipset.service
+@@ -10,7 +10,7 @@ StartLimitBurst=3
+ StartLimitInterval=60
+ Type=notify
+ Environment=LOG_LEVEL=INFO
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfipset' -e 'pf::services::manager::pfipset->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfipset' -e 'pf::services::manager::pfipset->new()->generateConfig()'
+ ExecStart=/bin/bash -c "export $(cat /usr/local/pf/var/conf/pfipset.env | xargs) && /usr/local/pf/sbin/pfhttpd -conf /usr/local/pf/conf/caddy-services/pfipset.conf -log-name=pfipset"
+ Restart=on-failure
+ Slice=packetfence.slice
+diff --git a/conf/systemd/packetfence-pfldapexplorer.service b/conf/systemd/packetfence-pfldapexplorer.service
+index 6d8ba20106..b665aa773e 100644
+--- a/conf/systemd/packetfence-pfldapexplorer.service
++++ b/conf/systemd/packetfence-pfldapexplorer.service
+@@ -13,7 +13,7 @@ Type=notify
+ TimeoutStopSec=60
+ NotifyAccess=all
+ LimitNOFILE=8192
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfldapexplorer' -e 'pf::services::manager::pfldapexplorer->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfldapexplorer' -e 'pf::services::manager::pfldapexplorer->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/pfldapexplorer-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop pfldapexplorer; echo Stopped"
+ Restart=on-failure
+diff --git a/conf/systemd/packetfence-pfpki.service b/conf/systemd/packetfence-pfpki.service
+index 48d4cad49b..d75c071755 100644
+--- a/conf/systemd/packetfence-pfpki.service
++++ b/conf/systemd/packetfence-pfpki.service
+@@ -11,7 +11,7 @@ PartOf=packetfence-docker-iptables.service
+ Type=notify
+ TimeoutStopSec=60
+ NotifyAccess=all
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfpki' -e 'pf::services::manager::pfpki->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfpki' -e 'pf::services::manager::pfpki->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/pfpki-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop pfpki ; echo Stopped"
+ Restart=on-failure
+diff --git a/conf/systemd/packetfence-pfqueue-backend.service b/conf/systemd/packetfence-pfqueue-backend.service
+index 189b33112c..66d677b57b 100644
+--- a/conf/systemd/packetfence-pfqueue-backend.service
++++ b/conf/systemd/packetfence-pfqueue-backend.service
+@@ -15,7 +15,7 @@ TimeoutStopSec=60
+ NotifyAccess=all
+ StartLimitBurst=3
+ StartLimitInterval=10
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfqueue_backend' -e 'pf::services::manager::pfqueue_backend->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfqueue_backend' -e 'pf::services::manager::pfqueue_backend->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/pfqueue-backend
+ TimeoutStopSec=30
+ Restart=on-failure
+diff --git a/conf/systemd/packetfence-pfqueue-go.service b/conf/systemd/packetfence-pfqueue-go.service
+index 302161716d..92f6e99361 100644
+--- a/conf/systemd/packetfence-pfqueue-go.service
++++ b/conf/systemd/packetfence-pfqueue-go.service
+@@ -17,7 +17,7 @@ TimeoutStopSec=60
+ NotifyAccess=all
+ StartLimitBurst=3
+ StartLimitInterval=10
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfqueue_go' -e 'pf::services::manager::pfqueue_go->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfqueue_go' -e 'pf::services::manager::pfqueue_go->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/pfqueue-go
+ TimeoutStopSec=30
+ Restart=on-failure
+diff --git a/conf/systemd/packetfence-pfqueue-perl.service b/conf/systemd/packetfence-pfqueue-perl.service
+index 0aa46eabc2..2146b68b0f 100644
+--- a/conf/systemd/packetfence-pfqueue-perl.service
++++ b/conf/systemd/packetfence-pfqueue-perl.service
+@@ -15,7 +15,7 @@ TimeoutStopSec=60
+ NotifyAccess=all
+ StartLimitBurst=3
+ StartLimitInterval=10
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfqueue_perl' -e 'pf::services::manager::pfqueue_perl->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfqueue_perl' -e 'pf::services::manager::pfqueue_perl->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/pfqueue
+ TimeoutStopSec=30
+ Restart=on-failure
+diff --git a/conf/systemd/packetfence-pfsetacls.service b/conf/systemd/packetfence-pfsetacls.service
+index 0a8082d128..3d623403a8 100644
+--- a/conf/systemd/packetfence-pfsetacls.service
++++ b/conf/systemd/packetfence-pfsetacls.service
+@@ -12,7 +12,7 @@ StartLimitBurst=3
+ StartLimitInterval=10
+ Type=simple
+ TimeoutStopSec=60
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfsetacls' -e 'pf::services::manager::pfsetacls->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfsetacls' -e 'pf::services::manager::pfsetacls->new()->generateConfig()'
+ ExecStartPre=mkdir -p /usr/local/pf/var/conf/pfsetacls
+ ExecStartPre=chown -R :1002 /usr/local/pf/var/conf/pfsetacls
+ ExecStartPre=chmod 775 /usr/local/pf/var/conf/pfsetacls
+diff --git a/conf/systemd/packetfence-pfsso.service b/conf/systemd/packetfence-pfsso.service
+index 043897fe54..0ec81f4380 100644
+--- a/conf/systemd/packetfence-pfsso.service
++++ b/conf/systemd/packetfence-pfsso.service
+@@ -13,7 +13,7 @@ Type=notify
+ TimeoutStopSec=60
+ NotifyAccess=all
+ LimitNOFILE=8192
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfsso' -e 'pf::services::manager::pfsso->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::pfsso' -e 'pf::services::manager::pfsso->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/pfsso-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop pfsso ; echo Stopped"
+ Restart=on-failure
+diff --git a/conf/systemd/packetfence-proxysql.service b/conf/systemd/packetfence-proxysql.service
+index 672fbee0ef..c863beed54 100644
+--- a/conf/systemd/packetfence-proxysql.service
++++ b/conf/systemd/packetfence-proxysql.service
+@@ -12,7 +12,7 @@ Type=notify
+ NotifyAccess=all
+ ExecStartPre=/usr/local/pf/containers/docker-minimal-rules.sh
+ ExecStartPre=/bin/rm -f /usr/local/pf/var/run/proxysql/proxysql.pid
+-ExecStartPre=/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::proxysql' -e 'pf::services::manager::proxysql->new()->generateConfig()'
++ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::proxysql' -e 'pf::services::manager::proxysql->new()->generateConfig()'
+ ExecStart=/usr/local/pf/sbin/proxysql-docker-wrapper
+ ExecStop=/bin/bash -c "docker stop proxysql ; docker container rm proxysql -f ; echo Stopped"
+ TimeoutStopSec=60
diff --git a/conf/systemd/packetfence-radiusd-auth.service b/conf/systemd/packetfence-radiusd-auth.service -index ff346c2b69..b5a3c931bb 100644 +index ff346c2b69..e1d9cc1ad3 100644 --- a/conf/systemd/packetfence-radiusd-auth.service +++ b/conf/systemd/packetfence-radiusd-auth.service @@ -12,9 +12,9 @@ Type=notify @@ -121,13 +438,13 @@ index ff346c2b69..b5a3c931bb 100644 -ExecStartPre=/usr/sbin/radiusd -d /usr/local/pf/raddb -n auth -Cxm -lstdout -ExecStart=/usr/sbin/radiusd -d /usr/local/pf/raddb -n auth -fm +ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::radiusd' -e 'pf::services::manager::radiusd->new()->generateConfig()' -+ExecStartPre=/usr/sbin/freeradius -d /usr/local/pf/raddb -n auth -Cxm -lstdout -+ExecStart=/usr/sbin/freeradius -d /usr/local/pf/raddb -n auth -fm ++ExecStartPre=/usr/sbin/freeradius -d /usr/local/pf/raddb -n auth -Cxm -lstdout ++ExecStart=/usr/sbin/freeradius -d /usr/local/pf/raddb -n auth -fm Restart=on-failure Slice=packetfence.slice diff --git a/conf/systemd/packetfence-radiusd-eduroam.service b/conf/systemd/packetfence-radiusd-eduroam.service -index 5c302445ed..a67fe6ce88 100644 +index 5c302445ed..8ca8f2a905 100644 --- a/conf/systemd/packetfence-radiusd-eduroam.service +++ b/conf/systemd/packetfence-radiusd-eduroam.service @@ -14,9 +14,9 @@ Type=notify @@ -139,7 +456,7 @@ index 5c302445ed..a67fe6ce88 100644 -ExecStart=/usr/sbin/radiusd -d /usr/local/pf/raddb -n eduroam -fm +ExecStartPre=/usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 '-Mpf::services::manager::radiusd' -e 'pf::services::manager::radiusd->new()->generateConfig()' +ExecStartPre=/usr/sbin/freeradius -d /usr/local/pf/raddb -n eduroam -Cxm -lstdout -+ExecStart=/usr/sbin/freeradius -d /usr/local/pf/raddb -n eduroam -fm ++ExecStart=/usr/sbin/freeradius -d /usr/local/pf/raddb -n eduroam -fm Restart=on-failure Slice=packetfence.slice 
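Review bot: In the hunks at `@@ -121,13 +438,13 @@` and `@@ -139,7 +456,7 @@` the removed `-+ExecStartPre=/usr/sbin/freeradius ...` / `-+ExecStart=/usr/sbin/freeradius ...` lines and the added `++...` lines are identical as printed, so the edit is presumably trailing whitespace or a line ending, with the inner `index` lines for radiusd-auth and radiusd-eduroam (`b5a3c931bb` to `e1d9cc1ad3`, `a67fe6ce88` to `8ca8f2a905`) updated to match. Because this file is itself a patch that is applied later, an invisible change to one of its `+` lines alters the unit files it produces; the description should say what was corrected so the hunk is not mistaken for noise.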
@@ -182,3 +499,16 @@ index 8e2e760d54..306af96f9d 100644
ExecStart=/usr/sbin/snmptrapd -f -n -c /usr/local/pf/var/conf/snmptrapd.conf -C -A -Lf /usr/local/pf/logs/snmptrapd.log -p /usr/local/pf/var/run/snmptrapd.pid -On
ExecReload=/bin/kill -HUP $MAINPID
Slice=packetfence.slice
+diff --git a/t/venom/scenarios/cli_login/playbooks/configure.yml b/t/venom/scenarios/cli_login/playbooks/configure.yml
+index 67fbfae99a..b65f191999 100644
+--- a/t/venom/scenarios/cli_login/playbooks/configure.yml
++++ b/t/venom/scenarios/cli_login/playbooks/configure.yml
+@@ -221,7 +221,7 @@
+ WatchdogSec=20
+ StartLimitBurst=3
+ StartLimitInterval=10
+- ExecStart=/usr/sbin/radiusd -d /usr/local/pf/raddb -n test -fm
++ ExecStart=/usr/sbin/freeradius -d /usr/local/pf/raddb -n test -fm
+ Restart=on-failure
+ when: ansible_facts['os_family'] == "RedHat"
+
diff --git a/debian/rules b/debian/rules
index afef63178445..cc180963802f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -406,6 +406,9 @@ ifeq ($(DIST),stretch)
endif
ifeq ($(DIST),bullseye)
dh_gencontrol -- '-Vpacketfence:dist=libclass-xsaccessor-perl,acl'
+endif
+ifeq ($(DIST),bookworm)
+ dh_gencontrol -- '-Vpacketfence:dist=libclass-xsaccessor-perl,acl'
endif
dh_md5sums
dh_builddeb
diff --git a/docs/developer/integration_tests/subnets_and_ips.asciidoc b/docs/developer/integration_tests/subnets_and_ips.asciidoc
index 509d7ef393f2..c3647bc27587 100644
--- a/docs/developer/integration_tests/subnets_and_ips.asciidoc
+++ b/docs/developer/integration_tests/subnets_and_ips.asciidoc
@@ -28,8 +28,8 @@ put them in a desired state.
| Virtual machine | Network name | IP address
| pfel8dev | Management | 172.17.17.10
| pfel8stable | Management | 172.17.17.14
-| pfdeb11dev | Management | 172.17.17.12
-| pfdeb11stable | Management | 172.17.17.16
+| pfdeb12dev | Management | 172.17.17.12
+| pfdeb12stable | Management | 172.17.17.16
| ad | Management | 172.17.17.100
| linux01 | Management | 172.17.17.101
| linux02 | Management | 172.17.17.102
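Review bot: The new `ExecStart=/usr/sbin/freeradius -d /usr/local/pf/raddb -n test -fm` is immediately followed by the guard `when: ansible_facts['os_family'] == "RedHat"`, and on RHEL-family systems the FreeRADIUS daemon is installed as `/usr/sbin/radiusd`; `/usr/sbin/freeradius` is the Debian binary name. Unless the freeradius build PacketFence ships for EL also installs the daemon under the Debian name, the unit this task writes will not start there, so the old value should stay for RedHat and the new path be used only in the Debian-conditioned task (or the binary path moved into a per-os_family variable). The task this `when:` belongs to begins before the hunk, so its full scope is not visible here.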
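Review bot: The new bookworm branch repeats the bullseye branch's `dh_gencontrol` line verbatim, so the same substitution now lives in two `ifeq` blocks that have to be kept in sync. A single `ifneq (,$(filter $(DIST),bullseye bookworm))` block would carry the line once, and the next Debian release would add a name to the list rather than another copy. Whichever form is kept, the recipe line must remain tab-indented.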
diff --git a/docs/installation/installation.asciidoc b/docs/installation/installation.asciidoc
index 1d90d82fe40b..d69167a4ff61 100644
--- a/docs/installation/installation.asciidoc
+++ b/docs/installation/installation.asciidoc
@@ -56,7 +56,7 @@ Newer versions of VMware Player handle VLAN trunking a lot better. With that in
=== Installing PacketFence from the ISO
-The ISO edition of PacketFence allows you to install PacketFence on Debian 11 with minimal effort. Instead of manually installing Debian 11 and installing PacketFence after, this will perform both tasks and select the optimal parameters and best practices for installing the operating system.
+The ISO edition of PacketFence allows you to install PacketFence on Debian 12 with minimal effort. Instead of manually installing Debian 12 and installing PacketFence after, this will perform both tasks and select the optimal parameters and best practices for installing the operating system.
You can download the ISO here: https://www.packetfence.org/download.html#/releases
@@ -187,7 +187,7 @@ In order to use the repository, create a file named [filename]`/etc/apt/sources.
// subs=attributes allow to substitute {release_minor} in code block
[source,bash,subs="attributes"]
----
-echo 'deb http://inverse.ca/downloads/PacketFence/debian/{release_minor} bullseye bullseye' > \
+echo 'deb http://inverse.ca/downloads/PacketFence/debian/{release_minor} bookworm bookworm' > \
/etc/apt/sources.list.d/packetfence.list
----
diff --git a/docs/installation/linode/linode.asciidoc b/docs/installation/linode/linode.asciidoc
index 4a1480a994cc..e4bbd10d102b 100644
--- a/docs/installation/linode/linode.asciidoc
+++ b/docs/installation/linode/linode.asciidoc
@@ -24,7 +24,7 @@ This section will guide you into the high-level steps required to deploy PacketF
==== Installation and Configuration Steps
-First, you need to create three 'Debian 11' or 'Rocky 8' Linodes in the same region. The 'Dedicated 16GB' plan or above is required and make sure Private IP is enabled for each instance.
+First, you need to create three 'Debian 12' or 'Rocky 8' Linodes in the same region. The 'Dedicated 16GB' plan or above is required and make sure Private IP is enabled for each instance.
Once done, make sure to configure the firewall policy similar to the following screenshot:
@@ -92,12 +92,12 @@ Current limitations:
===== Installation
-To deploy the PacketFence Connector, first provision on your local network (where NAS devices reside) a x86_64 Debian 11 virtual machine with minimal resources (2GB of RAM, 1 CPU core and 10GB of disk space). Then, perform the following commands as root:
+To deploy the PacketFence Connector, first provision on your local network (where NAS devices reside) a x86_64 Debian 12 virtual machine with minimal resources (2GB of RAM, 1 CPU core and 10GB of disk space). Then, perform the following commands as root:
[source,bash,subs="attributes"]
----
apt update && apt install gnupg sudo
-echo 'deb http://inverse.ca/downloads/PacketFence/debian/{release_minor} bullseye bullseye' > \
+echo 'deb http://inverse.ca/downloads/PacketFence/debian/{release_minor} bookworm bookworm' > \
/etc/apt/sources.list.d/packetfence-pfconnector-remote.list
wget -q -O - https://inverse.ca/downloads/GPG_PUBLIC_KEY | sudo apt-key add -
apt update
@@ -137,7 +137,7 @@ to run following commands:
[source,bash,subs="attributes"]
----
-echo 'deb http://inverse.ca/downloads/PacketFence/debian/{release_minor} bullseye bullseye' > \
+echo 'deb http://inverse.ca/downloads/PacketFence/debian/{release_minor} bookworm bookworm' > \
/etc/apt/sources.list.d/packetfence-pfconnector-remote.list
apt update
apt install -y -o Dpkg::Options::="--force-confnew" packetfence-pfconnector-remote
@@ -159,7 +159,7 @@ In order to upgrade PacketFence Connector, you need to run following commands:
[source,bash,subs="attributes"]
----
-echo 'deb http://inverse.ca/downloads/PacketFence/debian/{release_minor} bullseye bullseye' > \
+echo 'deb http://inverse.ca/downloads/PacketFence/debian/{release_minor} bookworm bookworm' > \
/etc/apt/sources.list.d/packetfence-pfconnector-remote.list
apt update
apt upgrade
diff --git a/docs/installation/system_requirements.asciidoc b/docs/installation/system_requirements.asciidoc
index f630d7e3be6c..17e133338686 100644
--- a/docs/installation/system_requirements.asciidoc
+++ b/docs/installation/system_requirements.asciidoc
@@ -53,7 +53,7 @@ PacketFence supports the following operating systems on the x86_64 architecture:
[options="compact"]
* Red Hat Enterprise Linux 8.x Server
-* Debian 11.x (Bullseye)
+* Debian 12.x (Bookworm)
Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
diff --git a/rpm/packetfence.spec b/rpm/packetfence.spec
index a53972cb86d7..166df2676f9a 100644
--- a/rpm/packetfence.spec
+++ b/rpm/packetfence.spec
@@ -52,7 +52,7 @@ Requires: libpcap, libxml2, zlib, zlib-devel, glibc-common,
Requires: httpd, mod_ssl
Requires: mod_perl, mod_proxy_html
requires: libapreq2, perl-libapreq2
-Requires: redis = 5.0.3-2.2
+Requires: redis >= 7.2.5
Requires: freeradius >= 3.2.1, freeradius-mysql >= 3.2.1, freeradius-perl >= 3.2.1, freeradius-ldap >= 3.2.1, freeradius-utils >= 3.2.1, freeradius-redis >= 3.2.1, freeradius-rest >= 3.2.1
Requires: make
Requires: net-tools
@@ -60,7 +60,7 @@ Requires: sscep
Requires: net-snmp >= 5.3.2.2
Requires: net-snmp-perl
Requires: perl >= %{perl_version}
-Requires: packetfence-perl = 1.2.3
+Requires: packetfence-perl >= 1.2.4
Requires: MariaDB-server >= 10.5.15, MariaDB-server < 10.6.0
Requires: MariaDB-client >= 10.5.15, MariaDB-client < 10.6.0
Requires: perl(DBD::mysql)
@@ -1399,6 +1399,9 @@ fi
# Changelog
#==============================================================================
%changelog
+* Thu May 23 2024 Inverse - 14.0.0-2
+- Upgrade packetfence-perl 1.2.4
+
* Fri May 17 2024 Inverse - 14.0.0-1
- New release 14.0.0
diff --git a/t/venom/Makefile b/t/venom/Makefile
index 61b246810176..9084dabe7a9c 100644
--- a/t/venom/Makefile
+++ b/t/venom/Makefile
@@ -91,9 +91,9 @@ configurator_el8_pristine:
SCENARIOS_TO_RUN=configurator \
$(MAKE_TARGET)
-configurator_deb11_pristine:
+configurator_deb12_pristine:
make \
- PF_VM_NAMES=deb11$(DEV_ENV) \
+ PF_VM_NAMES=deb12$(DEV_ENV) \
SCENARIOS_TO_RUN=configurator \
$(MAKE_TARGET)
@@ -111,9 +111,9 @@ configurator_el8:
SCENARIOS_TO_RUN=configurator \
$(MAKE_TARGET)
-configurator_deb11:
+configurator_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
SCENARIOS_TO_RUN=configurator \
$(MAKE_TARGET)
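Review bot: `Requires: redis >= 7.2.5` replaces an exact pin with an open lower bound, while the MariaDB requirements in the next hunk keep an upper bound (`< 10.6.0`); a future redis major would satisfy the new constraint without anyone re-checking the shipped redis configuration that the description says was aligned with 7.x. If the intent is any 7.x release, `Requires: redis >= 7.2.5, redis < 8` states that explicitly. The changelog hunk records 14.0.0-2 for the packetfence-perl bump, but the `Release:` tag is outside these hunks, so confirm it was bumped to match.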
@@ -124,9 +124,9 @@ dot1x_eap_peap_el8:
SCENARIOS_TO_RUN=dot1x_eap_peap \
$(MAKE_TARGET)
-dot1x_eap_peap_deb11:
+dot1x_eap_peap_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
INT_TEST_VM_NAMES="ad switch01 node01 node03 wireless01" \
SCENARIOS_TO_RUN=dot1x_eap_peap \
$(MAKE_TARGET)
@@ -138,9 +138,9 @@ mac_auth_el8:
SCENARIOS_TO_RUN=mac_auth \
$(MAKE_TARGET)
-mac_auth_deb11:
+mac_auth_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
INT_TEST_VM_NAMES="switch01 node01 wireless01" \
SCENARIOS_TO_RUN=mac_auth \
$(MAKE_TARGET)
@@ -152,16 +152,16 @@ dot1x_eap_tls_el8:
SCENARIOS_TO_RUN=dot1x_eap_tls \
$(MAKE_TARGET)
-dot1x_eap_tls_deb11:
+dot1x_eap_tls_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
INT_TEST_VM_NAMES="ad switch01 node01" \
SCENARIOS_TO_RUN=dot1x_eap_tls \
$(MAKE_TARGET)
-inline_deb11:
+inline_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
SCENARIOS_TO_RUN=inline \
$(MAKE_TARGET)
@@ -171,23 +171,23 @@ inline_el8:
SCENARIOS_TO_RUN=inline \
$(MAKE_TARGET)
-fingerbank_invalid_db_deb11:
+fingerbank_invalid_db_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
INT_TEST_VM_NAMES="ad switch01 node01 wireless01" \
SCENARIOS_TO_RUN=fingerbank_invalid_db \
$(MAKE_TARGET)
-external_integrations_deb11:
+external_integrations_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
INT_TEST_VM_NAMES="linux02" \
SCENARIOS_TO_RUN=external_integrations \
$(MAKE_TARGET)
-security_events_deb11:
+security_events_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
INT_TEST_VM_NAMES="switch01 node01" \
SCENARIOS_TO_RUN=security_events \
$(MAKE_TARGET)
@@ -198,9 +198,9 @@ cli_login_el8:
SCENARIOS_TO_RUN=cli_login \
$(MAKE_TARGET)
-cli_login_deb11:
+cli_login_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
SCENARIOS_TO_RUN=cli_login \
$(MAKE_TARGET)
@@ -211,9 +211,9 @@ captive_portal_el8:
SCENARIOS_TO_RUN=captive_portal \
$(MAKE_TARGET)
-captive_portal_deb11:
+captive_portal_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
INT_TEST_VM_NAMES="switch01 node01" \
SCENARIOS_TO_RUN=captive_portal \
$(MAKE_TARGET)
@@ -225,9 +225,9 @@ inline_l2_and_radius_el8:
SCENARIOS_TO_RUN=inline_l2_and_radius \
$(MAKE_TARGET)
-inline_l2_and_radius_deb11:
+inline_l2_and_radius_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
INT_TEST_VM_NAMES="switch01 node01 node03" \
SCENARIOS_TO_RUN=inline_l2_and_radius \
$(MAKE_TARGET)
@@ -238,9 +238,9 @@ pfappserver_el8:
SCENARIOS_TO_RUN=pfappserver \
$(MAKE_TARGET)
-pfappserver_deb11:
+pfappserver_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
SCENARIOS_TO_RUN=pfappserver \
$(MAKE_TARGET)
@@ -253,24 +253,24 @@ example_el8:
$(MAKE_TARGET)
# can be overriden like this:
-# make -C t/venom/ INT_TEST_VM_NAMES=switch01 SCENARIOS_TO_RUN=configurator example_deb11
-example_deb11: SCENARIOS_TO_RUN=example
-example_deb11:
+# make -C t/venom/ INT_TEST_VM_NAMES=switch01 SCENARIOS_TO_RUN=configurator example_deb12
+example_deb12: SCENARIOS_TO_RUN=example
+example_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
INT_TEST_VM_NAMES="$(INT_TEST_VM_NAMES)" \
SCENARIOS_TO_RUN="$(SCENARIOS_TO_RUN)" \
$(MAKE_TARGET)
-test_deb11:
+test_deb12:
make \
- PF_VM_NAMES=pfdeb11$(DEV_ENV) \
+ PF_VM_NAMES=pfdeb12$(DEV_ENV) \
SCENARIOS_TO_RUN=test_venom\
$(MAKE_TARGET)
-cluster_deb11:
+cluster_deb12:
make \
- PF_VM_NAMES="pf1deb11$(DEV_ENV) pf2deb11$(DEV_ENV) pf3deb11$(DEV_ENV)" \
+ PF_VM_NAMES="pf1deb12$(DEV_ENV) pf2deb12$(DEV_ENV) pf3deb12$(DEV_ENV)" \
CLUSTER_NAME="$@$(DEV_ENV)" \
SCENARIOS_TO_RUN=cluster \
$(MAKE_TARGET)
@@ -284,23 +284,23 @@ cluster_el8:
 ### alias to run tests on other branches
 # it's a hack to simplify definition of jobs in .gitlab-ci.yml
-captive_portal_deb11_branches: captive_portal_deb11
+captive_portal_deb12_branches: captive_portal_deb12
 captive_portal_el8_branches: captive_portal_el8
-cli_login_deb11_branches: cli_login_deb11
+cli_login_deb12_branches: cli_login_deb12
 cli_login_el8_branches: cli_login_el8
-configurator_deb11_branches: configurator_deb11
+configurator_deb12_branches: configurator_deb12
 configurator_el8_branches: configurator_el8
-dot1x_eap_peap_deb11_branches: dot1x_eap_peap_deb11
+dot1x_eap_peap_deb12_branches: dot1x_eap_peap_deb12
 dot1x_eap_peap_el8_branches: dot1x_eap_peap_el8
-dot1x_eap_tls_deb11_branches: dot1x_eap_tls_deb11
+dot1x_eap_tls_deb12_branches: dot1x_eap_tls_deb12
 dot1x_eap_tls_el8_branches: dot1x_eap_tls_el8
-external_integrations_deb11_branches: external_integrations_deb11
-fingerbank_invalid_db_deb11_branches: fingerbank_invalid_db_deb11
-inline_deb11_branches: inline_deb11
+external_integrations_deb12_branches: external_integrations_deb12
+fingerbank_invalid_db_deb12_branches: fingerbank_invalid_db_deb12
+inline_deb12_branches: inline_deb12
 inline_el8_branches: inline_el8
-mac_auth_deb11_branches: mac_auth_deb11
+mac_auth_deb12_branches: mac_auth_deb12
 mac_auth_el8_branches: mac_auth_el8
-security_events_deb11_branches: security_events_deb11
+security_events_deb12_branches: security_events_deb12
 unit_tests_el8_branches: unit_tests_el8
 pfappserver_el8_branches: pfappserver_el8
-pfappserver_deb11_branches: pfappserver_deb11
+pfappserver_deb12_branches: pfappserver_deb12
diff --git a/t/venom/lib/check_internet_access_on_host.yml b/t/venom/lib/check_internet_access_on_host.yml
index 802a5a6c7397..1e57cf45e54a 100644
--- a/t/venom/lib/check_internet_access_on_host.yml
+++ b/t/venom/lib/check_internet_access_on_host.yml
@@ -8,6 +8,4 @@ steps: host: '{{.input.host}}' user: '{{.input.user}}' command: | - cd '{{.venom_dir}}' ; \ - sudo VENOM_COMMON_FLAGS='--output-dir={{.test_suite_results_dir}}/{{.venom.testcase}}' \ - '{{.venom_dir}}/venom-wrapper.sh' '{{.test_suites_dir}}/common/check_internet_access.yml' + cd '{{.venom_dir}}' ; sudo VENOM_COMMON_FLAGS='--output-dir={{.test_suite_results_dir}}/{{.venom.testcase}}' '{{.venom_dir}}/venom-wrapper.sh' '{{.test_suites_dir}}/common/check_internet_access.yml' diff --git a/t/venom/lib/check_internet_access_on_host_with_ping.yml b/t/venom/lib/check_internet_access_on_host_with_ping.yml index bd8152bc74b4..507fd2bf4651 100644 --- a/t/venom/lib/check_internet_access_on_host_with_ping.yml +++ b/t/venom/lib/check_internet_access_on_host_with_ping.yml @@ -5,10 +5,6 @@ input: user: "{{.ssh_user}}" steps: -- type: ssh - host: '{{.input.host}}' - user: '{{.input.user}}' - command: | - cd '{{.venom_dir}}' ; \ - sudo VENOM_COMMON_FLAGS='--output-dir={{.test_suite_results_dir}}/{{.venom.testcase}}' \ - '{{.venom_dir}}/venom-wrapper.sh' '{{.test_suites_dir}}/common/check_internet_access_with_ping.yml' +- type: exec + script: | + ssh {{.input.user}}@{{.input.host}} "cd '{{.venom_dir}}' ; sudo VENOM_COMMON_FLAGS='--output-dir={{.test_suite_results_dir}}/{{.venom.testcase}}' '{{.venom_dir}}/venom-wrapper.sh' '{{.test_suites_dir}}/common/check_internet_access_with_ping.yml'" diff --git a/t/venom/lib/extract_certificates_http.yml b/t/venom/lib/extract_certificates_http.yml index 40e9d19c9542..0b55953ed1a5 100644 --- a/t/venom/lib/extract_certificates_http.yml +++ b/t/venom/lib/extract_certificates_http.yml 
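Review bot: The new `exec` step in check_internet_access_on_host_with_ping.yml shells out to `ssh {{.input.user}}@{{.input.host}} "..."` with no connection options, whereas the `ssh` step type it replaces owned the session and the rsync step in node01_deploy_certificates.yml further down passes `-o StrictHostKeyChecking=no`; on a fresh runner an unknown host key or a missing identity becomes an interactive prompt that hangs until venom's timeout instead of a failure. `ssh -o BatchMode=yes {{.input.user}}@{{.input.host}} "..."` makes that fail fast, and using the same host-key option as the rsync step keeps the harness consistent. The inner command is now a double-quoted string, so anything in the templated values that the local shell expands (`$`, backticks) is expanded before ssh runs it — presumably fine for these inputs, but worth a comment on the step. The same pattern is introduced in venom_wrapper_command_on_host.yml below and the note applies there as well.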
@@ -21,19 +21,19 @@ steps: - type: exec script: | openssl pkcs12 -in {{.temp_dir}}/{{.input.cn}}.p12 -cacerts -nokeys \ - -out {{.temp_dir}}/{{.input.cn_ca}}.crt -passin pass:secret + -out {{.temp_dir}}/{{.input.cn_ca}}.crt -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) # extract_certificate - type: exec script: | openssl pkcs12 -in {{.temp_dir}}/{{.input.cn}}.p12 -clcerts -nokeys \ - -out {{.temp_dir}}/{{.input.cn}}.crt -passin pass:secret + -out {{.temp_dir}}/{{.input.cn}}.crt -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) # extract_key - type: exec script: | openssl pkcs12 -in {{.temp_dir}}/{{.input.cn}}.p12 -nocerts -nodes \ - -out {{.temp_dir}}/{{.input.cn}}.key -passin pass:secret + -out {{.temp_dir}}/{{.input.cn}}.key -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) # install_ca_cert - type: exec diff --git a/t/venom/lib/extract_certificates_radius.yml b/t/venom/lib/extract_certificates_radius.yml index 8cea28e1640e..f127472bcc98 100644 --- a/t/venom/lib/extract_certificates_radius.yml +++ b/t/venom/lib/extract_certificates_radius.yml 
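Review bot: The `$(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi)` substitution appended to each `openssl pkcs12` line keys on `ID` being exactly `rhel`; if the el8 VMs are Rocky or Alma, `ID` is `rocky`/`almalinux`, the condition emits `-legacy` and an OpenSSL 1.1 binary rejects the unknown option. Testing only the major version, `"${VERSION_ID%.*}" != "8"`, or probing `openssl version` directly, tracks the OpenSSL generation rather than the vendor string. `-legacy` is presumably needed because the .p12 files are protected with ciphers that OpenSSL 3 moved to the legacy provider; if the exporter can be told to use AES-256/PBKDF2 the flag disappears and the tests stop depending on a deprecated provider. The identical snippet is repeated twelve times across extract_certificates_http.yml, extract_certificates_radius.yml, extract_certificates_user.yml and 05_create_pki.yml; one shared variable or lib step would make the next fix a single change.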
@@ -21,19 +21,19 @@ steps: - type: exec script: | openssl pkcs12 -in {{.temp_dir}}/{{.input.cn}}.p12 -cacerts -nokeys \ - -out {{.temp_dir}}/{{.input.cn_ca}}.crt -passin pass:secret + -out {{.temp_dir}}/{{.input.cn_ca}}.crt -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) # extract_certificate - type: exec script: | openssl pkcs12 -in {{.temp_dir}}/{{.input.cn}}.p12 -clcerts -nokeys \ - -out {{.temp_dir}}/{{.input.cn}}.crt -passin pass:secret + -out {{.temp_dir}}/{{.input.cn}}.crt -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) # extract_key - type: exec script: | openssl pkcs12 -in {{.temp_dir}}/{{.input.cn}}.p12 -nocerts -nodes \ - -out {{.temp_dir}}/{{.input.cn}}.key -passin pass:secret + -out {{.temp_dir}}/{{.input.cn}}.key -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) # install_ca_cert - type: exec diff --git a/t/venom/lib/extract_certificates_user.yml b/t/venom/lib/extract_certificates_user.yml index 768aadb5e96b..03f91b6e0c75 100644 --- a/t/venom/lib/extract_certificates_user.yml +++ b/t/venom/lib/extract_certificates_user.yml 
@@ -19,16 +19,16 @@ steps: - type: exec script: | openssl pkcs12 -in {{.input.extract_directory}}.p12 -cacerts -nokeys \ - -out {{.input.extract_directory}}/ca.pem -passin pass:secret + -out {{.input.extract_directory}}/ca.pem -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) # extract_certificate - type: exec script: | openssl pkcs12 -in {{.input.extract_directory}}.p12 -clcerts -nokeys \ - -out {{.input.extract_directory}}/client.pem -passin pass:secret + -out {{.input.extract_directory}}/client.pem -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) # extract_key - type: exec script: | openssl pkcs12 -in {{.input.extract_directory}}.p12 -nocerts -nodes \ - -out {{.input.extract_directory}}/client.key -passin pass:secret + -out {{.input.extract_directory}}/client.key -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) diff --git a/t/venom/lib/node01/node01_deploy_certificates.yml b/t/venom/lib/node01/node01_deploy_certificates.yml index fecea34605e9..b76ca3d83ea4 100644 --- a/t/venom/lib/node01/node01_deploy_certificates.yml +++ b/t/venom/lib/node01/node01_deploy_certificates.yml @@ -5,11 +5,5 @@ input: steps: - type: exec script: | - /usr/bin/rsync -avz -e "ssh -o StrictHostKeyChecking=no" {{.input.directory}} \ - {{.ssh_user}}@{{.node01_mgmt_ip}}:/home/vagrant/ - -- type: ssh - host: '{{.node01_mgmt_ip}}' - user: '{{.ssh_user}}' - command: | - sudo cp -v /home/vagrant/{{.input.cn}}/* /etc/wpa_supplicant/eap_tls/ + /usr/bin/rsync -avz --rsync-path="sudo rsync" -e "ssh -o StrictHostKeyChecking=no" {{.input.directory}}/* \ + {{.ssh_user}}@{{.node01_mgmt_ip}}:/etc/wpa_supplicant/eap_tls/ diff --git a/t/venom/lib/venom_wrapper_command_on_host.yml b/t/venom/lib/venom_wrapper_command_on_host.yml index 17ec59286cc7..7973e98e5887 100644 --- a/t/venom/lib/venom_wrapper_command_on_host.yml 
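Review bot: In node01_deploy_certificates.yml, `rsync -avz --rsync-path="sudo rsync" ... :/etc/wpa_supplicant/eap_tls/` now writes the files straight into the target directory, and with a root-privileged remote rsync `-a` preserves the source file's owner, group and mode; the replaced `sudo cp -v` produced root-owned files with the default umask. If `{{.input.directory}}` was created by the unprivileged CI user, the client private key ends up owned and readable by that user on node01. Adding `--chown=root:root --chmod=D700,F600` to the rsync call (or dropping the ownership/permission flags from `-a`) restores the previous ownership, and a short comment saying the copy runs as root on the remote side would explain the `--rsync-path`.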
+++ b/t/venom/lib/venom_wrapper_command_on_host.yml @@ -4,9 +4,6 @@ input: user: "" test_suite_path: "" steps: -- type: ssh - host: "{{.input.host}}" - user: "{{.input.user}}" - command: | - cd /usr/local/pf/t/venom ; \ - sudo /usr/local/pf/t/venom/venom-wrapper.sh {{.input.test_suite_path}} +- type: exec + script: | + ssh {{.input.user}}@{{.input.host}} "cd /usr/local/pf/t/venom ; sudo /usr/local/pf/t/venom/venom-wrapper.sh {{.input.test_suite_path}}" diff --git a/t/venom/scenarios/dot1x_eap_peap/playbooks/configure.yml b/t/venom/scenarios/dot1x_eap_peap/playbooks/configure.yml index 9f1665fd0509..07b43e0adf1b 100644 --- a/t/venom/scenarios/dot1x_eap_peap/playbooks/configure.yml +++ b/t/venom/scenarios/dot1x_eap_peap/playbooks/configure.yml @@ -33,3 +33,12 @@ - name: Install xmltodict python package pip: name: xmltodict + when: ansible_facts['os_family'] == "RedHat" + + - name: Install xmltodict python package + shell: | + set -e -o pipefail + pip install xmltodict --break-system-packages + args: + executable: /usr/bin/bash + when: ansible_facts['os_family'] == "Debian" diff --git a/t/venom/scenarios/dot1x_eap_peap/playbooks/run_tests.yml b/t/venom/scenarios/dot1x_eap_peap/playbooks/run_tests.yml index 2032acb07c92..6ce5f3f67e8e 100644 --- a/t/venom/scenarios/dot1x_eap_peap/playbooks/run_tests.yml +++ b/t/venom/scenarios/dot1x_eap_peap/playbooks/run_tests.yml @@ -33,5 +33,3 @@ # useful to make env vars available for Venom environment: '{{ inventory__group_environment | d({}) | combine(venom_wrapper_args | d({})) }}' - - diff --git a/t/venom/scenarios/export_import/ansible_inventory.yml b/t/venom/scenarios/export_import/ansible_inventory.yml index 2ba2460bcc32..aafb7c219268 100644 --- a/t/venom/scenarios/export_import/ansible_inventory.yml +++ b/t/venom/scenarios/export_import/ansible_inventory.yml 
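Review bot: The Debian branch in dot1x_eap_peap/playbooks/configure.yml installs xmltodict with `shell: pip install xmltodict --break-system-packages`, which overrides PEP 668 on the system interpreter and reports "changed" on every run because the shell module cannot tell the package is already present. The `pip` module used by the RedHat task accepts the same flag through `extra_args: --break-system-packages`, so both branches can stay on the module and the `set -e -o pipefail` wrapper goes away (there is no pipeline to protect). On bookworm the distribution package (`python3-xmltodict`, if the mirror used by CI carries it) would avoid touching the system site-packages at all.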
@@ -2,7 +2,7 @@ apt_preferences__list: - filename: 'packetfence-ppa.pref' package: 'packetfence*' - pin: 'release a=bullseye-gitlab,n=bullseye,c=main,b=amd64' + pin: 'release a=bookworm-gitlab,n=bookworm,c=main,b=amd64' priority: '900' reason: 'always install packetfence packages from packetfence-ppa repository' @@ -16,8 +16,8 @@ gitlab_buildpkg_tools__ppa_url_deb: '{{ gitlab_buildpkg_tools__ppa_url }}/debian # redefine this variables to avoid confusion with official "packetfence" repositories gitlab_buildpkg_tools__deb_ppa: - name: 'packetfence-ppa' - # force to "bullseye" because we don't build anymore for stretch - baseurl: "{{ gitlab_buildpkg_tools__ppa_url_deb }} bullseye main" + # force to "bookworm" because we don't build anymore for stretch + baseurl: "{{ gitlab_buildpkg_tools__ppa_url_deb }} bookworm main" gpgkey: 'http://inverse.ca/downloads/GPG_PUBLIC_KEY' gitlab_buildpkg_tools__deb_pkgs: diff --git a/t/venom/scenarios/pfappserver/playbooks/localdev.yml b/t/venom/scenarios/pfappserver/playbooks/localdev.yml index 53768fbc4862..44101337c3d7 100644 --- a/t/venom/scenarios/pfappserver/playbooks/localdev.yml +++ b/t/venom/scenarios/pfappserver/playbooks/localdev.yml @@ -7,7 +7,7 @@ docker_images: - pfdebian - radiusd - - pfbuild-debian-bullseye + - pfbuild-debian-bookworm tasks: - name: Install python3-docker for images @@ -60,4 +60,4 @@ wait_for: host: "localhost" port: 8890 - timeout: 900 \ No newline at end of file + timeout: 900 diff --git a/t/venom/scenarios/template/ansible_inventory.yml b/t/venom/scenarios/template/ansible_inventory.yml index 2ba2460bcc32..a1d426edbcd8 100644 --- a/t/venom/scenarios/template/ansible_inventory.yml +++ b/t/venom/scenarios/template/ansible_inventory.yml 
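Review bot: `baseurl: "{{ gitlab_buildpkg_tools__ppa_url_deb }} bookworm main"` in export_import/ansible_inventory.yml stays hard-coded while the same key in template/ansible_inventory.yml further down now uses `{{ ansible_distribution_release }}`; the two inventories will drift again at the next release, so the variable form is preferable here too. The comment `# force to "bookworm" because we don't build anymore for stretch` was carried over from the bullseye version and no longer explains anything — stretch has not been a candidate for years, and in the template file the value is not forced at all. `# packages are only built for the current stable release` here, and `# follow the release of the target host` in the template file, would match the code.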
@@ -2,7 +2,7 @@ apt_preferences__list: - filename: 'packetfence-ppa.pref' package: 'packetfence*' - pin: 'release a=bullseye-gitlab,n=bullseye,c=main,b=amd64' + pin: 'release a={{ ansible_distribution_release }}-gitlab,n={{ ansible_distribution_release }},c=main,b=amd64' priority: '900' reason: 'always install packetfence packages from packetfence-ppa repository' @@ -16,8 +16,8 @@ gitlab_buildpkg_tools__ppa_url_deb: '{{ gitlab_buildpkg_tools__ppa_url }}/debian # redefine this variables to avoid confusion with official "packetfence" repositories gitlab_buildpkg_tools__deb_ppa: - name: 'packetfence-ppa' - # force to "bullseye" because we don't build anymore for stretch - baseurl: "{{ gitlab_buildpkg_tools__ppa_url_deb }} bullseye main" + # force to "bookworm" because we don't build anymore for stretch + baseurl: "{{ gitlab_buildpkg_tools__ppa_url_deb }} {{ ansible_distribution_release }} main" gpgkey: 'http://inverse.ca/downloads/GPG_PUBLIC_KEY' gitlab_buildpkg_tools__deb_pkgs: diff --git a/t/venom/test_suites/captive_portal/22_sleep_some_time.yml b/t/venom/test_suites/captive_portal/22_sleep_some_time.yml deleted file mode 100644 index b75f75880852..000000000000 --- a/t/venom/test_suites/captive_portal/22_sleep_some_time.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: Sleep some time -testcases: -- name: sleep_some_time - steps: - - type: sleep - time_to_sleep: 30 diff --git a/t/venom/test_suites/captive_portal/25_check_radius_audit_log.yml b/t/venom/test_suites/captive_portal/25_check_radius_audit_log.yml index 53ed29f9c8af..e39a834e6f26 100644 --- a/t/venom/test_suites/captive_portal/25_check_radius_audit_log.yml +++ b/t/venom/test_suites/captive_portal/25_check_radius_audit_log.yml 
@@ -8,15 +8,6 @@ testcases: steps: - type: pfcron_flush_radius_audit_log -- name: get_time - steps: - - type: exec - script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'" - vars: - two_minutes_ago: - from: result.systemout - -# only latest search entry since two minutes that matches # auth_status equals Accept (to avoid Disconnect) # mac equals {{.node01_ens7_mac_address}}" # connection type of test suite connection profile @@ -26,6 +17,13 @@ testcases: method: POST url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search' ignore_verify_ssl: true + retry: 35 + retry_if: + - result.statuscode ShouldNotEqual 404 + delay: 3 + assertions: + - result.statuscode ShouldEqual 200 + body: >- { "cursor": 0, @@ -68,16 +66,6 @@ testcases: "value": "{{.captive_portal.profiles.filters.connection_type}}" } ] - }, - { - "op": "or", - "values": [ - { - "field": "created_at", - "op": "greater_than", - "value": "{{.get_time.two_minutes_ago}}" - } - ] } ] } diff --git a/t/venom/test_suites/configurator/50_run_configurator_step4.yml b/t/venom/test_suites/configurator/50_run_configurator_step4.yml index bacbe209589f..36fdf0fc04ed 100644 --- a/t/venom/test_suites/configurator/50_run_configurator_step4.yml +++ b/t/venom/test_suites/configurator/50_run_configurator_step4.yml @@ -4,6 +4,7 @@ testcases: steps: - type: pf_api_system_service_restart_async service: 'packetfence-config' + time_to_sleep: 5 - name: restart_pfqueue_service steps: diff --git a/t/venom/test_suites/inline_l2_and_radius/32_sleep_some_time.yml b/t/venom/test_suites/inline_l2_and_radius/32_sleep_some_time.yml deleted file mode 100644 index b75f75880852..000000000000 --- a/t/venom/test_suites/inline_l2_and_radius/32_sleep_some_time.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: Sleep some time -testcases: -- name: sleep_some_time - steps: - - type: sleep - time_to_sleep: 30 
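Review bot: Dropping the `created_at` / `{{.get_time.two_minutes_ago}}` clause from the search body removes the only filter that bound the result to the current run, so a matching `Accept` entry left by an earlier suite on a reused VM would satisfy the step; the `pfcron_flush_radius_audit_log` step flushes pending entries but, as far as is visible here, does not clear older ones. If the intent is that the retry loop now waits for the fresh entry, a comment next to `retry: 35` saying so would help, and the surviving comment block now starts mid-list (`# auth_status equals Accept ...` without its lead-in). The new `assertions:` key is placed before `body:`; if the step already has an `assertions:` list after `body:` (outside the hunk), that is a duplicate mapping key and which one wins depends on the YAML loader. The same hunk is applied to the other `*_check_radius_audit_log.yml` files below (inline_l2_and_radius, wired_dot1x_eap_peap, wired_dot1x_eap_peap_firewall_sso_radius, wired_dot1x_eap_tls_manual, wired_dot1x_eap_tls_pki, wired_dot1x_eap_tls_scep, wired_mac_auth, wireless_dot1x_eap_peap, wireless_mac_auth).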
diff --git a/t/venom/test_suites/inline_l2_and_radius/33_check_radius_audit_log.yml b/t/venom/test_suites/inline_l2_and_radius/33_check_radius_audit_log.yml index 65089a6759c3..3da9f451c2c9 100644 --- a/t/venom/test_suites/inline_l2_and_radius/33_check_radius_audit_log.yml +++ b/t/venom/test_suites/inline_l2_and_radius/33_check_radius_audit_log.yml @@ -8,15 +8,6 @@ testcases: steps: - type: pfcron_flush_radius_audit_log -- name: get_time - steps: - - type: exec - script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'" - vars: - two_minute_ago: - from: result.systemout - -# only latest search entry since two minutes that matches # auth_status equals Accept (to avoid Disconnect) # mac equals {{.node01_ens7_mac_address}}" # connection type of test suite connection profile @@ -26,6 +17,12 @@ testcases: method: POST url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search' ignore_verify_ssl: true + retry: 35 + retry_if: + - result.statuscode ShouldNotEqual 404 + delay: 3 + assertions: + - result.statuscode ShouldEqual 200 body: >- { "cursor": 0, @@ -68,16 +65,6 @@ testcases: "value": "{{.inline_l2_and_radius.profiles.filters.connection_type}}" } ] - }, - { - "op": "or", - "values": [ - { - "field": "created_at", - "op": "greater_than", - "value": "{{.get_time.two_minutes_ago}}" - } - ] } ] } diff --git a/t/venom/test_suites/wired_dot1x_eap_peap/50_sleep_some_time.yml b/t/venom/test_suites/wired_dot1x_eap_peap/50_sleep_some_time.yml deleted file mode 100644 index d85895d1579d..000000000000 --- a/t/venom/test_suites/wired_dot1x_eap_peap/50_sleep_some_time.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: Sleep some time -testcases: -- name: sleep_some_time - steps: - - type: exec - script: sleep 20 diff --git a/t/venom/test_suites/wired_dot1x_eap_peap/55_check_radius_audit_log.yml b/t/venom/test_suites/wired_dot1x_eap_peap/55_check_radius_audit_log.yml index 29e84d157339..7073f18749ba 100644 --- a/t/venom/test_suites/wired_dot1x_eap_peap/55_check_radius_audit_log.yml 
+++ b/t/venom/test_suites/wired_dot1x_eap_peap/55_check_radius_audit_log.yml @@ -8,15 +8,6 @@ testcases: steps: - type: pfcron_flush_radius_audit_log -- name: get_time - steps: - - type: exec - script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'" - vars: - two_minutes_ago: - from: result.systemout - -# only latest search entry since two minutes that matches # auth_status equals Accept (to avoid Disconnect) # mac equals {{.node01_ens7_mac_address}}" # connection type of test suite connection profile @@ -26,6 +17,12 @@ testcases: method: POST url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search' ignore_verify_ssl: true + retry: 35 + retry_if: + - result.statuscode ShouldNotEqual 404 + delay: 3 + assertions: + - result.statuscode ShouldEqual 200 body: >- { "cursor": 0, @@ -68,16 +65,6 @@ testcases: "value": "{{.dot1x_eap_peap.profiles.wired.filters.connection_type}}" } ] - }, - { - "op": "or", - "values": [ - { - "field": "created_at", - "op": "greater_than", - "value": "{{.get_time.two_minutes_ago}}" - } - ] } ] } diff --git a/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_https/50_sleep_some_time.yml b/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_https/50_sleep_some_time.yml deleted file mode 120000 index 37d64c50cdab..000000000000 --- a/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_https/50_sleep_some_time.yml +++ /dev/null @@ -1 +0,0 @@ -../wired_dot1x_eap_peap/50_sleep_some_time.yml \ No newline at end of file diff --git a/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_https/56_check_firewall_sso_start.yml b/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_https/56_check_firewall_sso_start.yml index 526f5a5baede..c0ed0efe22ed 100644 --- a/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_https/56_check_firewall_sso_start.yml +++ b/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_https/56_check_firewall_sso_start.yml 
@@ -3,17 +3,18 @@ testcases: - name: check_mock_history_request steps: - - type: exec - script: | - curl -s http://{{.firewall_sso.https.host}}:{{.firewall_sso.https.port_config}}/history | jq '.[-1].request' + - type: http + method: GET + url: http://{{.firewall_sso.https.host}}:{{.firewall_sso.https.port_config}}/history + retry: 60 + delay: 2 assertions: - - result.code ShouldEqual 0 - - result.systemout ShouldNotBeBlank - - result.systemoutjson.path ShouldEqual "/api/" - - result.systemoutjson.method ShouldEqual "POST" - - result.systemoutjson.query_params.key ShouldEqual [{{.firewall_sso.https.password}}] - retry: 10 - delay: 1 + - result.statuscode ShouldEqual 200 + - result.body ShouldNotBeBlank + - result.bodyjson.bodyjson2.request.path ShouldEqual /api/ + - result.bodyjson.bodyjson2.request.method ShouldEqual POST + - result.bodyjson.bodyjson2.request.query_params.key ShouldEqual [{{.firewall_sso.https.password}}] + - name: check_mock_history_request_body_string steps: diff --git a/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/50_sleep_some_time.yml b/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/50_sleep_some_time.yml deleted file mode 120000 index 37d64c50cdab..000000000000 --- a/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/50_sleep_some_time.yml +++ /dev/null @@ -1 +0,0 @@ -../wired_dot1x_eap_peap/50_sleep_some_time.yml \ No newline at end of file diff --git a/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/54_check_radius_audit_log.yml b/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/54_check_radius_audit_log.yml index b202f6c299af..6927086dbd50 100644 --- a/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/54_check_radius_audit_log.yml +++ b/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/54_check_radius_audit_log.yml 
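Review bot: The assertions now address a fixed position in the mock history, `result.bodyjson.bodyjson2.request.path`, where the replaced `jq '.[-1].request'` took the last entry; this only holds if the mock has recorded exactly three requests when the step runs, and with `retry: 60` the step keeps polling while the array may grow, so it can pass or fail on whichever request lands at index 2. The dotted path syntax offers no last-element selector, so pin the assumption explicitly, e.g. `- result.bodyjson.__len__ ShouldEqual 3` as the first assertion, or have the mock expose a last-request endpoint. The radius variant of 56_check_firewall_sso_start.yml further down has the same issue with `bodyjson0`, and there the `name: Check firewall SSO Start` header is also removed, which looks accidental given the other suites keep theirs.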
@@ -8,15 +8,6 @@ testcases: steps: - type: pfcron_flush_radius_audit_log -- name: get_time - steps: - - type: exec - script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'" - vars: - two_minutes_ago: - from: result.systemout - -# only latest search entry since two minutes that matches # auth_status equals Accept (to avoid Disconnect) # mac equals {{.node03_ens7_mac_address}}" # connection type of test suite connection profile @@ -26,6 +17,12 @@ testcases: method: POST url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search' ignore_verify_ssl: true + retry: 35 + retry_if: + - result.statuscode ShouldNotEqual 404 + delay: 3 + assertions: + - result.statuscode ShouldEqual 200 body: >- { "cursor": 0, @@ -68,16 +65,6 @@ testcases: "value": "{{.dot1x_eap_peap.profiles.wired.filters.connection_type}}" } ] - }, - { - "op": "or", - "values": [ - { - "field": "created_at", - "op": "greater_than", - "value": "{{.get_time.two_minutes_ago}}" - } - ] } ] } diff --git a/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/56_check_firewall_sso_start.yml b/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/56_check_firewall_sso_start.yml index 76fbb1646a12..17e22c2cf2f3 100644 --- a/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/56_check_firewall_sso_start.yml +++ b/t/venom/test_suites/wired_dot1x_eap_peap_firewall_sso_radius/56_check_firewall_sso_start.yml 
@@ -1,16 +1,14 @@ -name: Check firewall SSO Start testcases: - - name: check_mock_history_request steps: - - type: exec - script: | - sudo curl -s http://{{.firewall_sso.radius.api_host}}:{{.firewall_sso.radius.api_port}}/history | jq '.[-1]' + - type: http + method: GET + url: http://{{.firewall_sso.radius.api_host}}:{{.firewall_sso.radius.api_port}}/history + retry: 60 + delay: 2 assertions: - - result.code ShouldEqual 0 - - result.systemout ShouldNotBeBlank - - result.systemoutjson.code ShouldEqual "Accounting-Request" - - result.systemoutjson.attributes.acct-status-type ShouldEqual "Start" - - result.systemoutjson.attributes.user-name ShouldEqual "{{.ad_domain_user}}" - retry: 10 - delay: 1 + - result.statuscode ShouldEqual 200 + - result.body ShouldNotBeBlank + - result.bodyjson.bodyjson0.code ShouldEqual Accounting-Request + - result.bodyjson.bodyjson0.attributes.acct-status-type ShouldEqual Start + - result.bodyjson.bodyjson0.attributes.user-name ShouldEqual "{{.ad_domain_user}}" diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/90_sleep_some_time.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/90_sleep_some_time.yml deleted file mode 100644 index d85895d1579d..000000000000 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/90_sleep_some_time.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: Sleep some time -testcases: -- name: sleep_some_time - steps: - - type: exec - script: sleep 20 diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml b/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml index 13eed323b9d8..52278554f37c 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_manual/91_check_radius_audit_log.yml 
@@ -8,15 +8,6 @@ testcases: steps: - type: pfcron_flush_radius_audit_log -- name: get_time - steps: - - type: exec - script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'" - vars: - two_minutes_ago: - from: result.systemout - -# only latest search entry since two minutes that matches # auth_status equals Accept (to avoid Disconnect) # mac equals {{.node01_ens7_mac_address}}" # connection type of test suite connection profile @@ -26,6 +17,12 @@ testcases: method: POST url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search' ignore_verify_ssl: true + retry: 35 + retry_if: + - result.statuscode ShouldNotEqual 404 + delay: 3 + assertions: + - result.statuscode ShouldEqual 200 body: >- { "cursor": 0, @@ -68,16 +65,6 @@ testcases: "value": "{{.wired_dot1x_eap_tls_manual.profiles.wired.filters.connection_type}}" } ] - }, - { - "op": "or", - "values": [ - { - "field": "created_at", - "op": "greater_than", - "value": "{{.get_time.two_minutes_ago}}" - } - ] } ] } diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_pki/90_sleep_some_time.yml b/t/venom/test_suites/wired_dot1x_eap_tls_pki/90_sleep_some_time.yml deleted file mode 100644 index c8346a2f4df5..000000000000 --- a/t/venom/test_suites/wired_dot1x_eap_tls_pki/90_sleep_some_time.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: Sleep some time -testcases: -- name: sleep_some_time - steps: - - type: sleep - time_to_sleep: 20 diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_pki/91_check_radius_audit_log.yml b/t/venom/test_suites/wired_dot1x_eap_tls_pki/91_check_radius_audit_log.yml index d1ed0e5d3df3..029265da6804 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_pki/91_check_radius_audit_log.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_pki/91_check_radius_audit_log.yml 
@@ -4,15 +4,6 @@ testcases: steps: - type: pfcron_flush_radius_audit_log -- name: get_time - steps: - - type: exec - script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'" - vars: - two_minutes_ago: - from: result.systemout - -# only latest search entry since two minutes that matches # auth_status equals Accept (to avoid Disconnect) # mac equals {{.node01_ens7_mac_address}}" # connection type of test suite connection profile @@ -28,6 +19,12 @@ testcases: - type: pf_api_action method: POST url: "radius_audit_logs/search" + retry: 35 + retry_if: + - result.statuscode ShouldNotEqual 404 + delay: 3 + assertions: + - result.statuscode ShouldEqual 200 body: >- { "cursor": 0, @@ -70,16 +67,6 @@ testcases: "value": "{{.wired_dot1x_eap_tls_pki.profiles.wired.filters.connection_type}}" } ] - }, - { - "op": "or", - "values": [ - { - "field": "created_at", - "op": "greater_than", - "value": "{{.get_time.two_minutes_ago}}" - } - ] } ] } diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/05_create_pki.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/05_create_pki.yml index 660c0e30d3fe..73a9be27f5c3 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/05_create_pki.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/05_create_pki.yml 
@@ -112,21 +112,21 @@ testcases: - type: exec script: | openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}.crt -passin pass:secret + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}.crt -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) - name: extract_radius_certificate steps: - type: exec script: | openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.crt -passin pass:secret + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.crt -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) - name: extract_radius_key steps: - type: exec script: | openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.key -passin pass:secret + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.radius.cn}}.key -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) - name: install_ca_cert steps: 
@@ -219,21 +219,21 @@ testcases: - type: exec script: | openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.p12 -cacerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}.crt -passin pass:secret + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.ca.cn}}.crt -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) - name: extract_http_certificate steps: - type: exec script: | openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.p12 -clcerts -nokeys \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.crt -passin pass:secret + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.crt -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) - name: extract_http_key steps: - type: exec script: | openssl pkcs12 -in {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.p12 -nocerts -nodes \ - -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.key -passin pass:secret + -out {{.create_temp_directory.temp_dir}}/{{.wired_dot1x_eap_tls_scep.certs.http.cn}}.key -passin pass:secret $(. /etc/os-release; if [ "${ID}_${VERSION_ID%.*}" != "rhel_8" ]; then echo "-legacy"; fi) - name: install_http_cert_portal steps: diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/90_sleep_some_time.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/90_sleep_some_time.yml deleted file mode 100644 index d85895d1579d..000000000000 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/90_sleep_some_time.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: Sleep some time -testcases: -- name: sleep_some_time - steps: - - type: exec - script: sleep 20 
diff --git a/t/venom/test_suites/wired_dot1x_eap_tls_scep/91_check_radius_audit_log.yml b/t/venom/test_suites/wired_dot1x_eap_tls_scep/91_check_radius_audit_log.yml index 627af1094fd1..8d471a918a78 100644 --- a/t/venom/test_suites/wired_dot1x_eap_tls_scep/91_check_radius_audit_log.yml +++ b/t/venom/test_suites/wired_dot1x_eap_tls_scep/91_check_radius_audit_log.yml @@ -8,15 +8,6 @@ testcases: steps: - type: pfcron_flush_radius_audit_log -- name: get_time - steps: - - type: exec - script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'" - vars: - two_minutes_ago: - from: result.systemout - -# only latest search entry since two minutes that matches # auth_status equals Accept (to avoid Disconnect) # mac equals {{.node01_ens7_mac_address}}" # connection type of test suite connection profile @@ -26,6 +17,12 @@ testcases: method: POST url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search' ignore_verify_ssl: true + retry: 35 + retry_if: + - result.statuscode ShouldNotEqual 404 + delay: 3 + assertions: + - result.statuscode ShouldEqual 200 body: >- { "cursor": 0, @@ -68,16 +65,6 @@ testcases: "value": "{{.wired_dot1x_eap_tls_scep.profiles.wired.filters.connection_type}}" } ] - }, - { - "op": "or", - "values": [ - { - "field": "created_at", - "op": "greater_than", - "value": "{{.get_time.two_minutes_ago}}" - } - ] } ] } diff --git a/t/venom/test_suites/wired_mac_auth/22_sleep_some_time.yml b/t/venom/test_suites/wired_mac_auth/22_sleep_some_time.yml deleted file mode 100644 index d85895d1579d..000000000000 --- a/t/venom/test_suites/wired_mac_auth/22_sleep_some_time.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: Sleep some time -testcases: -- name: sleep_some_time - steps: - - type: exec - script: sleep 20 diff --git a/t/venom/test_suites/wired_mac_auth/25_check_radius_audit_log.yml b/t/venom/test_suites/wired_mac_auth/25_check_radius_audit_log.yml index ce01924fa012..c0d40c1c4345 100644 --- a/t/venom/test_suites/wired_mac_auth/25_check_radius_audit_log.yml 
+++ b/t/venom/test_suites/wired_mac_auth/25_check_radius_audit_log.yml @@ -8,15 +8,6 @@ testcases: steps: - type: pfcron_flush_radius_audit_log -- name: get_time - steps: - - type: exec - script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'" - vars: - two_minutes_ago: - from: result.systemout - -# only latest search entry since two minutes that matches # auth_status equals Accept (to avoid Disconnect) # mac equals {{.node01_ens7_mac_address}}" # connection type of test suite connection profile @@ -26,6 +17,12 @@ testcases: method: POST url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search' ignore_verify_ssl: true + retry: 35 + retry_if: + - result.statuscode ShouldNotEqual 404 + delay: 3 + assertions: + - result.statuscode ShouldEqual 200 body: >- { "cursor": 0, @@ -68,16 +65,6 @@ testcases: "value": "{{.wired_mac_auth.profiles.wired.filters.connection_type}}" } ] - }, - { - "op": "or", - "values": [ - { - "field": "created_at", - "op": "greater_than", - "value": "{{.get_time.two_minutes_ago}}" - } - ] } ] } diff --git a/t/venom/test_suites/wireless_dot1x_eap_peap/45_sleep_some_time.yml b/t/venom/test_suites/wireless_dot1x_eap_peap/45_sleep_some_time.yml deleted file mode 120000 index 213553960b60..000000000000 --- a/t/venom/test_suites/wireless_dot1x_eap_peap/45_sleep_some_time.yml +++ /dev/null @@ -1 +0,0 @@ -../common/20s_sleep_some_time.yml \ No newline at end of file diff --git a/t/venom/test_suites/wireless_dot1x_eap_peap/50_check_radius_audit_log.yml b/t/venom/test_suites/wireless_dot1x_eap_peap/50_check_radius_audit_log.yml index 51cd28cb7e07..8caf1a23dd7a 100644 --- a/t/venom/test_suites/wireless_dot1x_eap_peap/50_check_radius_audit_log.yml +++ b/t/venom/test_suites/wireless_dot1x_eap_peap/50_check_radius_audit_log.yml 
@@ -8,15 +8,6 @@ testcases:
 steps:
 - type: pfcron_flush_radius_audit_log
 
-- name: get_time
- steps:
- - type: exec
- script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'"
- vars:
- two_minutes_ago:
- from: result.systemout
-
-# only latest search entry since two minutes that matches
 # auth_status equals Accept (to avoid Disconnect)
 # mac equals {{.wireless01_wlan1_mac_address}}"
 # connection type of test suite connection profile
@@ -26,6 +17,12 @@ testcases:
 method: POST
 url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search'
 ignore_verify_ssl: true
+ retry: 35
+ retry_if:
+ - result.statuscode ShouldNotEqual 404
+ delay: 3
+ assertions:
+ - result.statuscode ShouldEqual 200
 body: >-
 {
 "cursor": 0,
@@ -68,16 +65,6 @@ testcases:
 "value": "{{.wireless_dot1x_eap_peap.profiles.wireless.filters.connection_type}}"
 }
 ]
- },
- {
- "op": "or",
- "values": [
- {
- "field": "created_at",
- "op": "greater_than",
- "value": "{{.get_time.two_minutes_ago}}"
- }
- ]
 }
 ]
 }
diff --git a/t/venom/test_suites/wireless_mac_auth/22_sleep_some_time.yml b/t/venom/test_suites/wireless_mac_auth/22_sleep_some_time.yml
deleted file mode 100644
index d85895d1579d..000000000000
--- a/t/venom/test_suites/wireless_mac_auth/22_sleep_some_time.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-name: Sleep some time
-testcases:
-- name: sleep_some_time
- steps:
- - type: exec
- script: sleep 20
diff --git a/t/venom/test_suites/wireless_mac_auth/25_check_radius_audit_log.yml b/t/venom/test_suites/wireless_mac_auth/25_check_radius_audit_log.yml
index 3cbde45e4ca1..7d1871c4627b 100644
--- a/t/venom/test_suites/wireless_mac_auth/25_check_radius_audit_log.yml
+++ b/t/venom/test_suites/wireless_mac_auth/25_check_radius_audit_log.yml
@@ -8,15 +8,6 @@ testcases:
 steps:
 - type: pfcron_flush_radius_audit_log
 
-- name: get_time
- steps:
- - type: exec
- script: "date '+%Y-%m-%d %H:%M:%S' --date='2 minutes ago'"
- vars:
- two_minutes_ago:
- from: result.systemout
-
-# only latest search entry since two minutes that matches
 # auth_status equals Accept (to avoid Disconnect)
 # mac equals {{.node01_ens7_mac_address}}"
 # connection type of test suite connection profile
@@ -26,6 +17,12 @@ testcases:
 method: POST
 url: '{{.pfserver_webadmin_url}}/api/v1/radius_audit_logs/search'
 ignore_verify_ssl: true
+ retry: 35
+ retry_if:
+ - result.statuscode ShouldNotEqual 404
+ delay: 3
+ assertions:
+ - result.statuscode ShouldEqual 200
 body: >-
 {
 "cursor": 0,
@@ -68,16 +65,6 @@ testcases:
 "value": "{{.wireless_mac_auth.profiles.wireless.filters.connection_type}}"
 }
 ]
- },
- {
- "op": "or",
- "values": [
- {
- "field": "created_at",
- "op": "greater_than",
- "value": "{{.get_time.two_minutes_ago}}"
- }
- ]
 }
 ]
 }
diff --git a/t/venom/utils/sanitize-venom-logs.sh b/t/venom/utils/sanitize-venom-logs.sh
index 5ad196b5b837..8937e473fd2a 100755
--- a/t/venom/utils/sanitize-venom-logs.sh
+++ b/t/venom/utils/sanitize-venom-logs.sh
@@ -48,4 +48,6 @@ if check_psono_vars; then
 else
 echo "No secrets to remove"
 fi
-create_archive ${venom_result_dir}
+if [[ -d ${venom_result_dir} ]] || [[ -f ${venom_result_dir} ]]; then
+ create_archive ${venom_result_dir}
+fi
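Review bot: In the sanitize-venom-logs.sh hunk the new guard still passes `${venom_result_dir}` unquoted to `create_archive`, so a value containing spaces or glob characters is split before it reaches the function, and `-e` covers both the `-d` and `-f` branches in one test: `if [[ -e "${venom_result_dir}" ]]; then`, `create_archive "${venom_result_dir}"`, `fi`. When the path is absent the script now skips the archive without a word, so as far as this hunk shows a CI job could finish green with no sanitized archive produced; an `else` branch such as `else echo "No venom results at '${venom_result_dir}', skipping archive"` keeps that visible in the job log and matches the `echo "No secrets to remove"` branch just above. Whether a missing result directory should instead fail the script depends on its callers, which are outside this hunk.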
