redis.conf翻译与配置(三)【redis6.0.6】

本文涉及的产品
Redis 开源版,标准版 2GB
推荐场景:
搭建游戏排行榜
云数据库 Tair(兼容Redis),内存型 2GB
日志服务 SLS,月写入数据量 50GB 1个月
简介:
学习redis的途中,碰上了redis.conf,突发奇想,想着来进行一波翻译输出。
源码之前,了无秘密。
在这里插入图片描述

@[toc]

安全

原文

################################## SECURITY ###################################

# Warning: since Redis is pretty fast an outside user can try up to
# 1 million passwords per second against a modern box. This means that you
# should use very strong passwords, otherwise they will be very easy to break.
# Note that because the password is really a shared secret between the client
# and the server, and should not be memorized by any human, the password
# can be easily a long string from /dev/urandom or whatever, so by using a
# long and unguessable password no brute force attack will be possible.

# Redis ACL users are defined in the following format:
#
#   user <username> ... acl rules ...
#
# For example:
#
#   user worker +@list +@connection ~jobs:* on >ffa9203c493aa99
#
# The special username "default" is used for new connections. If this user
# has the "nopass" rule, then new connections will be immediately authenticated
# as the "default" user without the need of any password provided via the
# AUTH command. Otherwise if the "default" user is not flagged with "nopass"
# the connections will start in not authenticated state, and will require
# AUTH (or the HELLO command AUTH option) in order to be authenticated and
# start to work.
#
# The ACL rules that describe what an user can do are the following:
#
#  on           Enable the user: it is possible to authenticate as this user.
#  off          Disable the user: it's no longer possible to authenticate
#               with this user, however the already authenticated connections
#               will still work.
#  +<command>   Allow the execution of that command
#  -<command>   Disallow the execution of that command
#  +@<category> Allow the execution of all the commands in such category
#               with valid categories are like @admin, @set, @sortedset, ...
#               and so forth, see the full list in the server.c file where
#               the Redis command table is described and defined.
#               The special category @all means all the commands, but currently
#               present in the server, and that will be loaded in the future
#               via modules.
#  +<command>|subcommand    Allow a specific subcommand of an otherwise
#                           disabled command. Note that this form is not
#                           allowed as negative like -DEBUG|SEGFAULT, but
#                           only additive starting with "+".
#  allcommands  Alias for +@all. Note that it implies the ability to execute
#               all the future commands loaded via the modules system.
#  nocommands   Alias for -@all.
#  ~<pattern>   Add a pattern of keys that can be mentioned as part of
#               commands. For instance ~* allows all the keys. The pattern
#               is a glob-style pattern like the one of KEYS.
#               It is possible to specify multiple patterns.
#  allkeys      Alias for ~*
#  resetkeys    Flush the list of allowed keys patterns.
#  ><password>  Add this passowrd to the list of valid password for the user.
#               For example >mypass will add "mypass" to the list.
#               This directive clears the "nopass" flag (see later).
#  <<password>  Remove this password from the list of valid passwords.
#  nopass       All the set passwords of the user are removed, and the user
#               is flagged as requiring no password: it means that every
#               password will work against this user. If this directive is
#               used for the default user, every new connection will be
#               immediately authenticated with the default user without
#               any explicit AUTH command required. Note that the "resetpass"
#               directive will clear this condition.
#  resetpass    Flush the list of allowed passwords. Moreover removes the
#               "nopass" status. After "resetpass" the user has no associated
#               passwords and there is no way to authenticate without adding
#               some password (or setting it as "nopass" later).
#  reset        Performs the following actions: resetpass, resetkeys, off,
#               -@all. The user returns to the same state it has immediately
#               after its creation.
#
# ACL rules can be specified in any order: for instance you can start with
# passwords, then flags, or key patterns. However note that the additive
# and subtractive rules will CHANGE MEANING depending on the ordering.
# For instance see the following example:
#
#   user alice on +@all -DEBUG ~* >somepassword
#
# This will allow "alice" to use all the commands with the exception of the
# DEBUG command, since +@all added all the commands to the set of the commands
# alice can use, and later DEBUG was removed. However if we invert the order
# of two ACL rules the result will be different:
#
#   user alice on -DEBUG +@all ~* >somepassword
#
# Now DEBUG was removed when alice had yet no commands in the set of allowed
# commands, later all the commands are added, so the user will be able to
# execute everything.
#
# Basically ACL rules are processed left-to-right.
#
# For more information about ACL configuration please refer to
# the Redis web site at https://redis.io/topics/acl

# ACL LOG
#
# The ACL Log tracks failed commands and authentication events associated
# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked 
# by ACLs. The ACL Log is stored in memory. You can reclaim memory with 
# ACL LOG RESET. Define the maximum entry length of the ACL Log below.
acllog-max-len 128

# Using an external ACL file
#
# Instead of configuring users here in this file, it is possible to use
# a stand-alone file just listing users. The two methods cannot be mixed:
# if you configure users here and at the same time you activate the exteranl
# ACL file, the server will refuse to start.
#
# The format of the external ACL user file is exactly the same as the
# format that is used inside redis.conf to describe users.
#
# aclfile /etc/redis/users.acl

# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatiblity
# layer on top of the new ACL system. The option effect will be just setting
# the password for the default user. Clients will still authenticate using
# AUTH <password> as usually, or more explicitly with AUTH default <password>
# if they follow the new protocol: both will work.
#
# requirepass foobared

# Command renaming (DEPRECATED).
#
# ------------------------------------------------------------------------
# WARNING: avoid using this option if possible. Instead use ACLs to remove
# commands from the default user, and put them only in some admin user you
# create for administrative purposes.
# ------------------------------------------------------------------------
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
# hard to guess so that it will still be available for internal-use tools
# but not available for general clients.
#
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
# rename-command CONFIG ""
#
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to replicas may cause problems.

译文

警告:由于Redis非常快,外部用户可以用外部应用去尝试高达每秒100万个密码。这意味着您应该使用非常强的密码,否则它们将非常容易被破解。
注意,因为密码是客户端和服务器之间的秘密,不应该被任何人记住。密码可以是来自/dev/urandom的很长的字符串,所以通过使用长且无法猜测的密码,暴力破解将是不可能的。


Redis ACL用户定义如下格式:

user <username> ... acl rules ...

示例:

user worker +@list +@connection ~jobs:* on >ffa9203c493aa99

描述用户可以做什么的ACL规则如下:

on:启用用户:可以作为该用户进行身份验证。
off:禁用该用户:不再可能对该用户进行身份验证,但是已经通过身份验证的连接仍然可以工作。
+<command>   允许执行该命令
-<command>   不允许执行该命令

+@<category>    允许在此类类别中执行有效类别的所有命令,如@admin, @set, @sortedset,…等等,在server.c文件中可以看到完整的列表,其中描述和定义了Redis命令表。
特殊类别@all表示所有命令,但当前存在于服务器中,将来将通过模块加载。

+<command>|subcommand    允许其他禁用命令的特定子命令。注意,这种形式不允许作为负数,如-DEBUG|SEGFAULT,只允许以“+”开头。
allcommands        + @all别名。注意,这意味着可以执行通过模块系统加载的所有未来命令。
nocommands      - @all别名。

~<pattern>        添加可以作为命令的一部分提及的键模式。例如~*允许所有的键。该模式是一个全局样式的模式,类似于密钥样式。
                可以指定多个模式。
allkeys          ~* 别名
resetkeys        刷新允许的键模式列表。

><password>        将此passowrd添加到该用户的有效密码列表中。
                例如,>mypass将添加“mypass”到列表中。
                这个指令清除“nopass”标志(稍后见)。
<<password>      将此密码从队列中移出
nopass           删除该用户的所有设置密码,并将该用户标记为不需要密码:这意味着每个密码都将针对该用户工作。如果该指令用于默认用户,则每个新连接都将立即与默认用户进行身份验证,而不需要任何显式的AUTH命令。注意,“resetpass”指令将清除这个效果。
resetpass        刷新允许的密码列表。此外,删除“nopass”状态。在“resetpass”之后,用户没有相关的密码,并且没有办法在不添加一些密码(或稍后将其设置为“nopass”)的情况下进行身份验证。

reset              执行以下操作:resetpass, resetkeys, off, -@all。用户立即返回到创建后的相同状态。

ACL规则可以按照任何顺序指定:例如,可以从密码开始,然后是标志或密钥模式。但是请注意,加法规则和减法规则将根据顺序改变含义。
例如:

user alice on +@all -DEBUG ~* >somepassword

这将允许“alice”使用除调试命令之外的所有命令,因为+@all将所有命令添加到alice可以使用的命令集中,随后的调试被删除。但是,如果我们倒转两个ACL规则的顺序,结果将不同:

user alice on -DEBUG +@all ~* >somepassword

现在,当alice在允许的命令集中还没有命令时,调试被删除,之后所有的命令都被添加,这样用户就可以执行所有的命令了。
更多关于ACL配置的信息,请参考Redis网站https://redis.io/topics/acl


ACL日志
ACL日志跟踪与ACL关联的失败命令和身份验证事件。ACL日志对于排除ACL阻塞的失败命令非常有用。ACL日志存储在内存中。您可以通过ACL日志重置收回内存。定义ACL日志的最大入口长度:

acllog-max-len 128

使用外部ACL文件
不需要在此文件中配置用户,可以使用一个仅列出用户的独立文件。这两种方法不能混合使用:
如果您在这里配置用户,同时激活exteranl ACL文件,服务器将拒绝启动。

外部ACL用户文件的格式与在redis.conf中用于描述用户的格式完全相同。

aclfile /etc/redis/users.acl

重要提示:从Redis 6开始,“requirepass”只是在新的ACL系统之上的一个兼容性层。选项效果将只是设置默认用户的密码。客户端仍然会像往常一样使用AUTH进行身份验证,或者更明确地使用AUTH默认值,如果它们遵循新的协议:两者都可以工作。


命令重命名(不赞成)。
警告:尽可能避免使用此选项。相反,使用acl从默认用户中删除命令,并将它们仅放在为管理目的而创建的某个管理用户中。

在共享环境中可以更改危险命令的名称。例如,CONFIG命令可能会被重命名为一些难以猜测的东西,这样它仍然可以用于内部使用的工具,但不能用于一般的客户端。
就像:rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52

也可以通过将一个命令重命名为空字符串来完全杀死它:rename-command CONFIG " ”

请注意,更改登录到AOF文件或传输到副本的命令的名称可能会导致问题。


客户端

原文

################################### CLIENTS ####################################

# Set the max number of connected clients at the same time. By default
# this limit is set to 10000 clients, however if the Redis server is not
# able to configure the process file limit to allow for the specified limit
# the max number of allowed clients is set to the current file limit
# minus 32 (as Redis reserves a few file descriptors for internal uses).
#
# Once the limit is reached Redis will close all the new connections sending
# an error 'max number of clients reached'.
#
# IMPORTANT: When Redis Cluster is used, the max number of connections is also
# shared with the cluster bus: every node in the cluster will use two
# connections, one incoming and another outgoing. It is important to size the
# limit accordingly in case of very large clusters.
#
# maxclients 10000

译文

同时设置连接的客户端的最大数量。默认情况下这个限制设置为10000个客户,但是,如果Redis服务器不能配置进程文件限制,以允许指定的限制,最大数量的允许客户被设置为当前文件限制减32(作为Redis保留一些文件描述符内部使用)。
一旦达到限制,Redis将关闭所有新连接发送一个错误'最大数量的客户端达到'。

重要提示:当使用Redis集群时,最大连接数也会与集群总线共享:集群中的每个节点将使用两个连接,一个传入,另一个传出。对于非常大的集群,相应地调整限制的大小是很重要的。


内存管理

原文

############################## MEMORY MANAGEMENT ################################

# Set a memory usage limit to the specified amount of bytes.
# When the memory limit is reached Redis will try to remove keys
# according to the eviction policy selected (see maxmemory-policy).
#
# If Redis can't remove keys according to the policy, or if the policy is
# set to 'noeviction', Redis will start to reply with errors to commands
# that would use more memory, like SET, LPUSH, and so on, and will continue
# to reply to read-only commands like GET.
#
# This option is usually useful when using Redis as an LRU or LFU cache, or to
# set a hard memory limit for an instance (using the 'noeviction' policy).
#
# WARNING: If you have replicas attached to an instance with maxmemory on,
# the size of the output buffers needed to feed the replicas are subtracted
# from the used memory count, so that network problems / resyncs will
# not trigger a loop where keys are evicted, and in turn the output
# buffer of replicas is full with DELs of keys evicted triggering the deletion
# of more keys, and so forth until the database is completely emptied.
#
# In short... if you have replicas attached it is suggested that you set a lower
# limit for maxmemory so that there is some free RAM on the system for replica
# output buffers (but this is not needed if the policy is 'noeviction').
#
# maxmemory <bytes>

# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
# is reached. You can select one from the following behaviors:
#
# volatile-lru -> Evict using approximated LRU, only keys with an expire set.
# allkeys-lru -> Evict any key using approximated LRU.
# volatile-lfu -> Evict using approximated LFU, only keys with an expire set.
# allkeys-lfu -> Evict any key using approximated LFU.
# volatile-random -> Remove a random key having an expire set.
# allkeys-random -> Remove a random key, any key.
# volatile-ttl -> Remove the key with the nearest expire time (minor TTL)
# noeviction -> Don't evict anything, just return an error on write operations.
#
# LRU means Least Recently Used
# LFU means Least Frequently Used
#
# Both LRU, LFU and volatile-ttl are implemented using approximated
# randomized algorithms.
#
# Note: with any of the above policies, Redis will return an error on write
#       operations, when there are no suitable keys for eviction.
#
#       At the date of writing these commands are: set setnx setex append
#       incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
#       sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
#       zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
#       getset mset msetnx exec sort
#
# The default is:
#
# maxmemory-policy noeviction

# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated
# algorithms (in order to save memory), so you can tune it for speed or
# accuracy. For default Redis will check five keys and pick the one that was
# used less recently, you can change the sample size using the following
# configuration directive.
#
# The default of 5 produces good enough results. 10 Approximates very closely
# true LRU but costs more CPU. 3 is faster but not very accurate.
#
# maxmemory-samples 5

# Starting from Redis 5, by default a replica will ignore its maxmemory setting
# (unless it is promoted to master after a failover or manually). It means
# that the eviction of keys will be just handled by the master, sending the
# DEL commands to the replica as keys evict in the master side.
#
# This behavior ensures that masters and replicas stay consistent, and is usually
# what you want, however if your replica is writable, or you want the replica
# to have a different memory setting, and you are sure all the writes performed
# to the replica are idempotent, then you may change this default (but be sure
# to understand what you are doing).
#
# Note that since the replica by default does not evict, it may end using more
# memory than the one set via maxmemory (there are certain buffers that may
# be larger on the replica, or data structures may sometimes take more memory
# and so forth). So make sure you monitor your replicas and make sure they
# have enough memory to never hit a real out-of-memory condition before the
# master hits the configured maxmemory setting.
#
# replica-ignore-maxmemory yes

# Redis reclaims expired keys in two ways: upon access when those keys are
# found to be expired, and also in background, in what is called the
# "active expire key". The key space is slowly and interactively scanned
# looking for expired keys to reclaim, so that it is possible to free memory
# of keys that are expired and will never be accessed again in a short time.
#
# The default effort of the expire cycle will try to avoid having more than
# ten percent of expired keys still in memory, and will try to avoid consuming
# more than 25% of total memory and to add latency to the system. However
# it is possible to increase the expire "effort" that is normally set to
# "1", to a greater value, up to the value "10". At its maximum value the
# system will use more CPU, longer cycles (and technically may introduce
# more latency), and will tollerate less already expired keys still present
# in the system. It's a tradeoff betweeen memory, CPU and latecy.
#
# active-expire-effort 1

译文

将内存使用限制设置为指定的字节数。当达到内存限制时,Redis会根据所选的驱逐策略(参见maxmemory-policy)尝试删除键。
如果Redis不能根据策略删除键,或者如果策略被设置为“noeviction”,Redis将开始回复会占用更多内存的命令错误,如set、LPUSH等,并将继续回复只读命令,如GET。
这个选项通常在使用Redis作为LRU或LFU缓存时有用,或者为实例设置硬内存限制(使用'noeviction'策略)。

警告:如果你有副本附加到一个实例与maxmemory,输出缓冲区的大小需要喂副本使用内存数相减时,这网络问题/同步不会触发一个键被驱逐的循环,进而副本的输出缓冲区满del键驱逐触发的删除键,直到完全清空数据库等等。

总之……如果您附加了副本,建议您为maxmemory设置一个下限,以便在系统上有一些空闲RAM用于副本输出缓冲区(但如果策略是‘noeviction’,则不需要这样做)。


MAXMEMORY策略:当达到MAXMEMORY时,Redis将如何选择删除什么。你可以从以下行为中选择一个:

volatile-lru ->退出使用近似的LRU,仅使用设置了过期值的键。
allkeys-lru ->使用近似的LRU驱逐任何密钥。
volatile-lfu ->使用近似的LFU逐出,仅使用具有过期集的键。
allkeys-lfu ->使用近似的LFU驱逐任何密钥。
volatile-random ->删除一个具有过期设置的随机键。
allkeys-random ->删除一个随机键,任意键。
volatile-ttl ->删除最近过期时间的密钥(较小的TTL)
noeviction ->不驱逐任何东西,只是在写操作时返回一个错误。

LRU表示最近最少使用
LFU表示使用频率最低
LRU、LFU和volatile-ttl都是使用近似随机算法实现的。

注意:使用上述任何策略,当没有合适的键用于驱逐时,Redis会在写操作时返回一个错误。


LRU、LFU和最小TTL算法不是精确算法,而是近似算法(为了节省内存),因此您可以调整它以提高速度或精度。对于默认Redis将检查五个键,并选择一个最近使用较少,你可以改变样本大小使用以下配置指令。
默认为5会产生足够好的结果。10非常接近真实的LRU,但需要更多的CPU。3更快,但不是很准确。

# maxmemory-samples 5

从redis5开始,默认情况下副本会忽略它的maxmemory设置(除非它在故障转移后被提升为master或手动)。这意味着键的回收将由主服务器处理,在主服务器端键被回收时将DEL命令发送给副本。
这种行为保持一致,确保是你想要的,但是如果你的复制品是可写的,或者你想要复制不同的内存设置,和你确定都将执行写入副本是等幂的,然后你可能会改变这种默认(但一定要了解你在做什么)。

注意,由于副本在默认情况下不会驱逐,因此它最终使用的内存可能比通过maxmemory设置的一组内存更多(副本上的某些缓冲区可能更大,或者数据结构有时可能占用更多内存等等)。因此,请确保您监视您的副本,并确保它们有足够的内存,在主服务器达到配置的maxmemory设置之前,不会出现真正的内存不足情况。

Redis以两种方式回收过期的密钥:在访问时发现过期的密钥,以及在后台,在所谓的“活动过期密钥”。密钥空间被缓慢而交互式地扫描,以寻找要回收的过期密钥,这样就可以释放过期且在短时间内再也不会被访问的密钥的内存。

过期周期的默认努力将试图避免在内存中仍然有超过10%的过期密钥,并试图避免消耗总内存的25%以上,并增加系统的延迟。但是,可以将通常设置为“1”的过期“努力”增加到更大的值,直到值“10”。在它的最大值,系统将使用更多的CPU,更长的周期(技术上可能引入更多的延迟),并将减少系统中仍然存在的已经过期的密钥。这是内存、CPU和内存之间的权衡。


今天先到这儿吧。

相关实践学习
基于Redis实现在线游戏积分排行榜
本场景将介绍如何基于Redis数据库实现在线游戏中的游戏玩家积分排行榜功能。
云数据库 Redis 版使用教程
云数据库Redis版是兼容Redis协议标准的、提供持久化的内存数据库服务,基于高可靠双机热备架构及可无缝扩展的集群架构,满足高读写性能场景及容量需弹性变配的业务需求。 产品详情:https://www.aliyun.com/product/kvstore &nbsp; &nbsp; ------------------------------------------------------------------------- 阿里云数据库体验:数据库上云实战 开发者云会免费提供一台带自建MySQL的源数据库&nbsp;ECS 实例和一台目标数据库&nbsp;RDS实例。跟着指引,您可以一步步实现将ECS自建数据库迁移到目标数据库RDS。 点击下方链接,领取免费ECS&amp;RDS资源,30分钟完成数据库上云实战!https://developer.aliyun.com/adc/scenario/51eefbd1894e42f6bb9acacadd3f9121?spm=a2c6h.13788135.J_3257954370.9.4ba85f24utseFl
相关文章
|
17天前
|
存储 SQL 关系型数据库
2024Mysql And Redis基础与进阶操作系列(1)作者——LJS[含MySQL的下载、安装、配置详解步骤及报错对应解决方法]
Mysql And Redis基础与进阶操作系列(1)之[MySQL的下载、安装、配置详解步骤及报错对应解决方法]
|
28天前
|
存储 NoSQL Redis
Redis 配置
10月更文挑战第14天
24 1
|
1月前
|
存储 缓存 NoSQL
大数据-46 Redis 持久化 RDB AOF 配置参数 混合模式 具体原理 触发方式 优点与缺点
大数据-46 Redis 持久化 RDB AOF 配置参数 混合模式 具体原理 触发方式 优点与缺点
56 1
|
1月前
|
消息中间件 NoSQL Kafka
大数据-116 - Flink DataStream Sink 原理、概念、常见Sink类型 配置与使用 附带案例1:消费Kafka写到Redis
大数据-116 - Flink DataStream Sink 原理、概念、常见Sink类型 配置与使用 附带案例1:消费Kafka写到Redis
129 0
|
1月前
|
NoSQL Ubuntu Linux
redis的基本安装配置启动使用
redis的基本安装配置启动使用
34 0
|
1月前
|
缓存 NoSQL 数据处理
原生php实现redis缓存配置和使用方法
通过上述步骤,你可以在PHP项目中配置并使用Redis作为高性能的缓存解决方案。合理利用Redis的各种数据结构和特性,可以有效提升应用的响应速度和数据处理效率。记得在实际应用中根据具体需求选择合适的缓存策略,如设置合理的过期时间,以避免内存过度消耗。
50 0
|
3月前
|
NoSQL Redis 容器
【Azure Cache for Redis】Redis的导出页面无法配置Storage SAS时通过az cli来完成
【Azure Cache for Redis】Redis的导出页面无法配置Storage SAS时通过az cli来完成
|
1月前
|
消息中间件 缓存 NoSQL
Redis 是一个高性能的键值对存储系统,常用于缓存、消息队列和会话管理等场景。
【10月更文挑战第4天】Redis 是一个高性能的键值对存储系统,常用于缓存、消息队列和会话管理等场景。随着数据增长,有时需要将 Redis 数据导出以进行分析、备份或迁移。本文详细介绍几种导出方法:1)使用 Redis 命令与重定向;2)利用 Redis 的 RDB 和 AOF 持久化功能;3)借助第三方工具如 `redis-dump`。每种方法均附有示例代码,帮助你轻松完成数据导出任务。无论数据量大小,总有一款适合你。
74 6
|
6天前
|
缓存 NoSQL 关系型数据库
大厂面试高频:如何解决Redis缓存雪崩、缓存穿透、缓存并发等5大难题
本文详解缓存雪崩、缓存穿透、缓存并发及缓存预热等问题,提供高可用解决方案,帮助你在大厂面试和实际工作中应对这些常见并发场景。关注【mikechen的互联网架构】,10年+BAT架构经验倾囊相授。
大厂面试高频:如何解决Redis缓存雪崩、缓存穿透、缓存并发等5大难题