Setup Redis 6 on Ubuntu 20.04
Installing
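# Build and install the newest Redis 6.x release with TLS support.
# Run as root in bash: the chain installs packages and runs `make install`.
# Remember where the tarball is downloaded so the cleanup at the end removes
# the right files even though the chain finishes in the home directory.
src_dir=$PWD &&
# Pick the highest 6.x tarball name from the release index, fetched over HTTPS
# so the listing cannot be altered in transit.
export REDIS_VERSION=$(curl -fsS https://download.redis.io/releases/ | grep -oE 'redis-6\.[0-9A-Za-z.-]+\.tar\.gz' | sort -uV | tail -n 1) &&
# The name comes from a remote page and is later passed to tar, cd and rm -rf:
# accept nothing but a plain redis-6.x tarball name (this also stops on an
# empty result, which `export` alone would not report).
[[ "$REDIS_VERSION" =~ ^redis-6\.[0-9A-Za-z.-]+\.tar\.gz$ ]] &&
wget "https://download.redis.io/releases/${REDIS_VERSION}" &&
# Check the tarball against the project's published SHA-256 before building it
# as root. Assumes redis-hashes lines read "hash <file> sha256 <digest> <url>"
# -- confirm; a missing or non-matching digest stops the chain.
expected_sha256=$(curl -fsS https://raw.githubusercontent.com/redis/redis-hashes/master/README | awk -v f="$REDIS_VERSION" '$1 == "hash" && $2 == f && $3 == "sha256" { print $4; exit }') &&
[[ -n "$expected_sha256" ]] &&
printf '%s  %s\n' "$expected_sha256" "$REDIS_VERSION" | sha256sum -c - &&
apt install -y tcl build-essential pkg-config libssl-dev &&
tar xzf "$REDIS_VERSION" &&
cd -- "${REDIS_VERSION%.tar.gz}" &&
make BUILD_TLS=yes MALLOC=libc install &&
cd ~ &&
# Remove the build tree and the tarball from the directory they were created in.
rm -rf -- "${src_dir:?}/${REDIS_VERSION%.tar.gz}" &&
rm -- "${src_dir:?}/${REDIS_VERSION}"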
The version installed when this guide was tested was 6.2.5.
Setup Redis files and directories
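# Create the locked system account and the directories Redis uses.
# Run as root, like the other blocks on this page.
adduser --system --group --no-create-home redis &&
usermod -L redis &&
# Data and logs are readable by the redis user and group only.
install -d -o redis -g redis -m 0750 /var/lib/redis /var/log/redis &&
install -d -o redis -g redis -m 0755 /var/run/redis &&
# /etc/redis will hold the TLS private key and the password-bearing config,
# so keep other local users out of the directory and out of the file.
install -d -o redis -g redis -m 0750 /etc/redis &&
touch /etc/redis/redis.conf &&
chown -R redis:redis /etc/redis/ &&
chmod 0640 /etc/redis/redis.conf &&
echo 'ULIMIT=65536' > /etc/default/redis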
Setup SSL Certificates
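# Generate a private root CA, a server key and a CA-signed server certificate
# whose subjectAltName covers this host's name and address, plus DH parameters,
# then install the server material under /etc/redis. Run as root in bash
# (process substitution is used).
cd ~ &&
# hostname -I may print several space-separated addresses; an IP: SAN entry
# takes exactly one, so use the first.
export IP_ADDRESS=$(hostname -I | awk '{print $1}') &&
export DNS_ADDRESS=$(hostname) &&
[[ -n "$IP_ADDRESS" && -n "$DNS_ADDRESS" ]] &&
# Root CA: subject CN is "<hostname> CA". The key is written unencrypted
# (-nodes) into the home directory; restrict it here and move it off the
# server afterwards, since whoever holds it can issue certificates that
# clients trusting rootCA.crt will accept.
openssl genrsa -out rootCA.key 4096 &&
chmod 0600 rootCA.key &&
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=${DNS_ADDRESS} CA" -out rootCA.crt &&
echo 'Done generating Root CA' &&
# Server key and CSR. The SAN section is appended to the stock openssl.cnf;
# host values are passed as printf arguments, never as part of the format.
openssl genrsa -out server.key 4096 &&
chmod 0600 server.key &&
openssl req -new -sha256 -key server.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=${DNS_ADDRESS}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '\n[SAN]\nsubjectAltName=DNS:%s,IP:%s\n' "$DNS_ADDRESS" "$IP_ADDRESS")) -out server.csr &&
# Sign the CSR with the root CA, carrying the same SAN section into the
# issued certificate.
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -extfile <(printf '\n[SAN]\nsubjectAltName=DNS:%s,IP:%s\n' "$DNS_ADDRESS" "$IP_ADDRESS") -days 500 -sha256 -ext SAN -extensions SAN &&
echo 'Done generating CRT' &&
# 2048-bit DH parameters keep generation quick; use 4096 for production.
openssl dhparam -out dhparam.pem 2048 &&
echo 'Done generating DH Param' &&
mv server.crt /etc/redis/ &&
mv server.key /etc/redis/ &&
mv dhparam.pem /etc/redis/ &&
echo 'Done moving files' &&
cp rootCA.crt /etc/redis/ &&
chown -R redis:redis /etc/redis &&
# Only the service account needs to read the server's private key.
chmod 0600 /etc/redis/server.key &&
rm server.csr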
Redis config file
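# Write /etc/redis/redis.conf: TLS-only listener on 6379 (plain port disabled
# with "port 0"), loopback bind, a random requirepass, renamed administrative
# commands and an external ACL file. Run as root.
#
# The file carries the password in clear text, so ownership and mode are set
# before anything is written to it.
touch /etc/redis/redis.conf &&
chown redis:redis /etc/redis/redis.conf &&
chmod 0640 /etc/redis/redis.conf &&
export REDIS_PASSWORD=$(openssl rand 60 | openssl base64 -A) &&
# `export` succeeds even when the command substitution fails; do not write a
# config with an empty password.
[[ -n "$REDIS_PASSWORD" ]] &&
# NOTE(review): with "aclfile" set, user definitions are loaded from
# /etc/redis/users.acl. Confirm with ACL LIST on the running server that the
# built-in "default" user still requires this requirepass value -- the ACL
# file created on this page defines only "root".
# NOTE(review): "tls-auth-clients no" means clients are not asked for a
# certificate; access control rests on the passwords alone.
# NOTE(review): renamed commands stay callable by anyone who knows the new
# name, and the names below are published with this guide; choose private
# names or restrict the commands per user with ACL rules.
# The delimiter is unquoted on purpose so $REDIS_PASSWORD expands.
cat <<EOT > /etc/redis/redis.conf
tls-cert-file /etc/redis/server.crt
tls-key-file /etc/redis/server.key
tls-ca-cert-file /etc/redis/rootCA.crt
tls-dh-params-file /etc/redis/dhparam.pem
tls-auth-clients no
port 0
tls-port 6379
protected-mode yes
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
bind 127.0.0.1 ::1
pidfile /var/run/redis/redis.pid
always-show-logo yes
dir /var/lib/redis
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
requirepass $REDIS_PASSWORD
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
logfile /var/log/redis/redis-server.log
loglevel notice
aclfile /etc/redis/users.acl
EOT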
Create the Redis ACL users file
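# Create /etc/redis/users.acl with one administrative user, "root", that may
# run every command on every key and authenticates with a fresh random
# password. Run as root.
#
# The password is stored in clear text (the ">" rule), so the file is made
# readable by the redis account only before it is written; a plain `touch`
# as root would leave it root-owned and world-readable.
touch /etc/redis/users.acl &&
chown redis:redis /etc/redis/users.acl &&
chmod 0640 /etc/redis/users.acl &&
# This replaces any REDIS_PASSWORD already exported in this shell with a new,
# separate value for the ACL user.
export REDIS_PASSWORD=$(openssl rand 60 | openssl base64 -A) &&
# `export` hides a failed command substitution; never write an empty password.
[[ -n "$REDIS_PASSWORD" ]] &&
# NOTE(review): only "root" is defined here. Check with ACL LIST how the
# built-in "default" user ends up once the server loads this file, and add an
# explicit rule for it if it is not password-protected.
cat <<EOT > /etc/redis/users.acl
user root +@all ~* on >$REDIS_PASSWORD
EOT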
Setup Systemd service for Redis
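# Install a sandboxed systemd unit for the locally built redis-server, then
# start it, check it and enable it at boot. Run as root.
#
# The here-document delimiter is quoted so the shell writes the unit verbatim:
# with an unquoted delimiter, $MAINPID is expanded by the shell (to nothing)
# and ExecStop ends up as a kill command without a PID.
#
# NOTE(review): the unit leaves /etc/redis writable by the service
# (ReadWriteDirectories=-/etc/redis), and that directory also holds the TLS
# key and the files named in redis.conf; confirm the server really needs to
# write there.
cat <<'EOT' > /etc/systemd/system/redis.service
[Unit]
Description=Advanced key-value store
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)
[Service]
ExecStartPre=/bin/mkdir -p /var/run/redis/
ExecStartPre=/bin/chmod ug+rwX /var/run/redis/
ExecStartPre=/bin/chown redis:redis /var/run/redis/
ExecStart=/usr/local/bin/redis-server /etc/redis/redis.conf
ExecStop=/bin/kill -s TERM $MAINPID
EnvironmentFile=/etc/default/redis
TimeoutStopSec=infinity
TimeoutStartSec=infinity
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=2755
WorkingDirectory=/var/lib/redis
UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/redis
ReadWriteDirectories=-/var/log/redis
ReadWriteDirectories=-/var/run/redis
Type=forking
NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
ProtectSystem=full
ReadWriteDirectories=-/etc/redis
[Install]
WantedBy=multi-user.target
Alias=redis.service
EOT
# Make systemd re-read unit files so an edited redis.service is picked up.
systemctl daemon-reload &&
systemctl start redis &&
systemctl status redis &&
systemctl enable redis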
Add RedisTimeSeries to redis server
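# Build the RedisTimeSeries module from source, install it next to the Redis
# configuration and have the server load it at startup. Run as root.
#
# NOTE(review): this builds whatever the default branch holds at clone time,
# and the result is loaded into the Redis process. Check out a release you
# have reviewed before building, e.g.
#   git checkout <RELEASE_TAG_PLACEHOLDER>
# `make setup` presumably installs build dependencies system-wide -- confirm
# what it does before running it as root.
git clone --recursive https://github.com/RedisTimeSeries/RedisTimeSeries.git &&
cd RedisTimeSeries &&
make setup &&
make build &&
cp bin/linux-x64-release/redistimeseries.so /etc/redis/ &&
# Append the loadmodule line only when it is missing, so running this block
# again does not add a duplicate entry (which can prevent the server from
# starting).
{ grep -qxF 'loadmodule /etc/redis/redistimeseries.so' /etc/redis/redis.conf ||
  echo 'loadmodule /etc/redis/redistimeseries.so' >> /etc/redis/redis.conf; } &&
systemctl restart redis &&
systemctl status redis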
Connecting to Redis
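# Open a TLS session as the ACL user "root".
# The password is handed to redis-cli through the REDISCLI_AUTH environment
# variable rather than on the command line, so it does not show up in the
# process list. It is read from the ">" rule of the line that defines exactly
# "user root", wherever that rule sits on the line; a plain `grep root` would
# also match any other line containing the word.
export REDISCLI_AUTH=$(awk '$1 == "user" && $2 == "root" { for (i = 3; i <= NF; i++) if (substr($i, 1, 1) == ">") { print substr($i, 2); exit } }' /etc/redis/users.acl) &&
# Stop here if no clear-text password rule was found for the user.
[[ -n "$REDISCLI_AUTH" ]] &&
# NOTE(review): redis.conf on this page sets "tls-auth-clients no", so the
# server does not ask for a client certificate; --cert/--key here reuse the
# server's own key pair, which forces this command to run as a user that can
# read the server's private key. Issue a separate client certificate if
# client authentication is wanted.
redis-cli --tls --cert /etc/redis/server.crt --key /etc/redis/server.key --cacert /etc/redis/rootCA.crt --user root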
TS.CREATE temperature:3:11 RETENTION 60 LABELS sensor_id 2 area_id 32
TS.ADD temperature:3:11 1548149181 18
TS.ADD temperature:3:11 1548149191 24
TS.RANGE temperature:3:11 1548149180 1548149210 AGGREGATION avg 5
References
- https://redis.io/download
- https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-redis-on-ubuntu-16-04
- https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
- https://redis.io/topics/encryption
- https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04
- https://github.com/RedisTimeSeries/RedisTimeSeries
- https://redis.io/topics/acl