
The latest version of the Redis Docker image has introduced TLS/SSL features, but I am not able to figure out how to enable it for the latest Redis Docker image.

Further, I would also like to know how to modify the number of IO threads (multithreading, also introduced in Redis 6) in a Docker environment.

2 Answers


  1. BUILD_TLS is enabled for Docker’s Redis v6 image.

    Configuring the Redis server in the container is done by:

    1. Create a config file on the host, e.g. /my/redis.conf
    2. Mount the file and give it as an argument when launching the container: docker run -v /my/redis.conf:/redis.conf ... redis:6.0 /redis.conf
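The config-file approach from this answer, carried through to both parts of the question (a TLS-only listener and the Redis 6+ I/O thread count), as an added example that is not part of the original answer. It assumes the certificates already exist on the host as ca.crt, server.crt and server.key in a directory of your choosing (the names the generate_certificates.sh script in the second answer writes), that the redis:7 image is used, and that the config is mounted at /usr/local/etc/redis/redis.conf as the official image's documentation suggests; the helper names and the container name redis-tls are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer: write a redis.conf that
# listens on TLS only and sets the Redis 6+ I/O thread count, then start the
# official image with the config and the certificates mounted read-only.
# Assumed host layout: ca.crt, server.crt, server.key in CERT_DIR.
set -eu

# render_redis_conf OUTFILE IO_THREADS
# io-threads is a startup-only option (CONFIG SET rejects it), so it has to be
# in the file or on the redis-server command line; valid range is 1..128.
render_redis_conf() {
    out=$1
    threads=$2
    case $threads in
        ''|*[!0-9]*) echo "io-threads must be an integer" >&2; return 1 ;;
    esac
    if [ "$threads" -lt 1 ] || [ "$threads" -gt 128 ]; then
        echo "io-threads must be between 1 and 128" >&2; return 1
    fi
    cat > "$out" <<EOF
# port 0 disables the plaintext socket; only the TLS listener remains.
port 0
tls-port 6379
tls-cert-file /tls/server.crt
tls-key-file /tls/server.key
tls-ca-cert-file /tls/ca.crt
# Require clients to present a certificate signed by ca.crt (mutual TLS).
tls-auth-clients yes
tls-protocols "TLSv1.2 TLSv1.3"
# Redis 6+ threaded I/O: the main thread plus (io-threads - 1) helper threads.
io-threads $threads
io-threads-do-reads yes
EOF
}

# start_redis CONF CERT_DIR
# The official image runs redis-server as uid 999 (user "redis"), so the
# mounted key file must be readable by that uid (e.g. chown 999 + chmod 0400).
start_redis() {
    conf=$1
    certdir=$2
    docker run -d --name redis-tls -p 6379:6379 \
        -v "$conf":/usr/local/etc/redis/redis.conf:ro \
        -v "$certdir":/tls:ro \
        redis:7 redis-server /usr/local/etc/redis/redis.conf
}

# Usage: ./redis_tls.sh /my/redis.conf /my/certs 4
# (nothing runs when the script is invoked without the three arguments)
if [ "$#" -eq 3 ]; then
    render_redis_conf "$1" "$3"
    start_redis "$1" "$2"
fi
```

Because tls-auth-clients is set to yes, redis-cli must be started with --tls --cert --key --cacert, exactly as in the second answer; the same file works unchanged with the redis:6 image, which is also built with BUILD_TLS=yes.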
  2. 2023 update

    If you just want a Docker container that has Redis on it with SSL enabled, here is what you need.

    Dockerfile

    # https://www.appsloveworld.com/docker/100/19/how-to-set-up-a-docker-redis-container-with-ssl
    # https://redis.io/docs/management/security/encryption/
    # https://spin.atomicobject.com/2021/08/05/configuring-redis-tls/
    # Plain redis-cli command will not work
    # redis-cli --tls --cert tests/tls/redis.crt --key tests/tls/redis.key --cacert tests/tls/ca.crt
    
    FROM redis:7 as base
    # The openssl CLI is needed by generate_certificates.sh; -y keeps the build non-interactive
    RUN apt-get update && apt-get install -y --no-install-recommends openssl && rm -rf /var/lib/apt/lists/*
    USER redis
    # The image's WORKDIR is /data, so the relative tests/tls/... paths below resolve to /data/tests/tls/...
    COPY --chown=redis:redis ./.docker/dev/redis/generate_certificates.sh ./
    RUN chmod +x ./generate_certificates.sh
    RUN ./generate_certificates.sh
    # --port 0 disables the plaintext listener; only the TLS port is served
    CMD ["redis-server", "--tls-port", "6379", "--port", "0", "--tls-cert-file", "tests/tls/redis.crt", "--tls-key-file", "tests/tls/redis.key", "--tls-ca-cert-file", "tests/tls/ca.crt"]
    

    The generate_certificates.sh file simply uses openssl to generate all the required .crt and .key files.

    generate_certificates.sh

    #!/bin/bash
    
    # https://github.com/redis/redis/blob/unstable/utils/gen-test-certs.sh
    # Generate some test certificates which are used by the regression test suite:
    #
    #   tests/tls/ca.{crt,key}          Self signed CA certificate.
    #   tests/tls/redis.{crt,key}       A certificate with no key usage/policy restrictions.
    #   tests/tls/client.{crt,key}      A certificate restricted for SSL client usage.
    #   tests/tls/server.{crt,key}      A certificate restricted for SSL server usage.
    #   tests/tls/redis.dh              DH Params file.
    
    # generate_cert NAME CN [EXTRA_OPENSSL_X509_OPTS]
    # Creates tests/tls/NAME.key (unless it already exists) and a CA-signed
    # tests/tls/NAME.crt. The CSR is piped straight into "openssl x509 -req",
    # so no .csr file is written to disk.
    generate_cert() {
        local name=$1
        local cn="$2"
        local opts="$3"
    
        local keyfile=tests/tls/${name}.key
        local certfile=tests/tls/${name}.crt
    
        [ -f $keyfile ] || openssl genrsa -out $keyfile 2048
        # $opts is deliberately unquoted so it splits into separate arguments
        openssl req \
            -new -sha256 \
            -subj "/O=Redis Test/CN=$cn" \
            -key $keyfile | \
            openssl x509 \
                -req -sha256 \
                -CA tests/tls/ca.crt \
                -CAkey tests/tls/ca.key \
                -CAserial tests/tls/ca.txt \
                -CAcreateserial \
                -days 365 \
                $opts \
                -out $certfile
    }
    
    mkdir -p tests/tls
    # Self-signed CA; its key signs every other certificate below
    [ -f tests/tls/ca.key ] || openssl genrsa -out tests/tls/ca.key 4096
    openssl req \
        -x509 -new -nodes -sha256 \
        -key tests/tls/ca.key \
        -days 3650 \
        -subj '/O=Redis Test/CN=Certificate Authority' \
        -out tests/tls/ca.crt
    
    # Extension sections that restrict a certificate to server-only or client-only use
    cat > tests/tls/openssl.cnf <<_END_
    [ server_cert ]
    keyUsage = digitalSignature, keyEncipherment
    nsCertType = server
    [ client_cert ]
    keyUsage = digitalSignature, keyEncipherment
    nsCertType = client
    _END_
    
    generate_cert server "Server-only" "-extfile tests/tls/openssl.cnf -extensions server_cert"
    generate_cert client "Client-only" "-extfile tests/tls/openssl.cnf -extensions client_cert"
    generate_cert redis "Generic-cert"
    
    [ -f tests/tls/redis.dh ] || openssl dhparam -out tests/tls/redis.dh 2048
    

    To run it, just do

    docker build -t ssl_redis_image -f ...Dockerfile .
    docker run -p 6379:6379 --name ssl_redis_container ssl_redis_image
    docker exec -it ssl_redis_container sh
    

    Once you are inside the shell of the Redis container,
    you can try redis-cli and enter a simple command like

    SET val 1
    

    It'll immediately give you an error.
    You will need to run redis-cli with the certificates, as

    redis-cli --tls --cert tests/tls/redis.crt --key tests/tls/redis.key --cacert tests/tls/ca.crt
    

    Then try setting a value again, and you should be able to get it to work now.

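The Dockerfile above runs generate_certificates.sh during the image build, so the CA key and every private key end up inside the image layers, and the same generic redis.crt/redis.key pair is used by both the server and the client. The following is an added example, not code from the answer: it keeps the same script but expects it to have been run on the host, checks the resulting server material before redis-server gets it, and mounts only the server's three files into the container, with the server cert on the server side and the client cert on the client side. File names are the ones the script writes (ca.crt, server.crt, server.key, client.crt, client.key); the helper names, the container name redis-tls and the check/run/cli subcommands are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes DIR holds the files
# written by generate_certificates.sh (ca.crt, server.crt, server.key,
# client.crt, client.key) on the host; ca.key never leaves the host.
set -eu

# check_redis_tls_material DIR
# Returns 0 only if server.crt chains to ca.crt, server.key is the private key
# matching server.crt, and server.key is not group/world readable.
check_redis_tls_material() {
    dir=$1
    ca=$dir/ca.crt crt=$dir/server.crt key=$dir/server.key
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # 1. The certificate must verify against the CA redis-server will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "server.crt does not chain to ca.crt" >&2; return 1; }
    # 2. The public key in the cert must equal the public half of the key file.
    certpub=$(openssl x509 -in "$crt" -noout -pubkey)
    keypub=$(openssl pkey -in "$key" -pubout)
    [ "$certpub" = "$keypub" ] \
        || { echo "server.key does not match server.crt" >&2; return 1; }
    # 3. A private key readable by other users on the host is a finding in itself.
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] \
        || { echo "server.key is group/world readable (mode bits: $mode)" >&2; return 1; }
    # Advisory only: the script's server.crt carries nsCertType=server; the generic
    # redis.crt does not, so it would also be accepted as a client certificate.
    if ! openssl x509 -in "$crt" -noout -text | grep -qE 'SSL Server|TLS Web Server Authentication'; then
        echo "warning: server.crt has no server-usage restriction" >&2
    fi
    return 0
}

# run_redis_tls DIR
# Mount only what the server needs, read-only; the container runs redis-server
# as uid 999, so server.key must be readable by that uid (chown 999, chmod 0400).
run_redis_tls() {
    dir=$1
    docker run -d --name redis-tls -p 6379:6379 \
        -v "$dir/ca.crt":/tls/ca.crt:ro \
        -v "$dir/server.crt":/tls/server.crt:ro \
        -v "$dir/server.key":/tls/server.key:ro \
        redis:7 redis-server --port 0 --tls-port 6379 \
            --tls-cert-file /tls/server.crt --tls-key-file /tls/server.key \
            --tls-ca-cert-file /tls/ca.crt --tls-auth-clients yes
}

# redis_cli_tls DIR [redis-cli arguments...]
# The client presents client.crt, which the server checks against ca.crt.
redis_cli_tls() {
    dir=$1; shift
    redis-cli --tls -h 127.0.0.1 -p 6379 \
        --cert "$dir/client.crt" --key "$dir/client.key" --cacert "$dir/ca.crt" "$@"
}

# Usage: ./redis_tls_check.sh check DIR | run DIR | cli DIR [redis-cli args]
if [ "$#" -ge 2 ]; then
    cmd=$1; dir=$2; shift 2
    case $cmd in
        check) check_redis_tls_material "$dir" ;;
        run)   check_redis_tls_material "$dir" && run_redis_tls "$dir" ;;
        cli)   redis_cli_tls "$dir" "$@" ;;
        *)     echo "unknown command: $cmd" >&2; exit 2 ;;
    esac
fi
```

After `run`, `cli DIR SET val 1` performs the same round trip the answer describes, but from the host and without the client key ever being copied into the container.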