
Discussion on Secret-free configuration of redis in docker-compose

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

For an interesting discussion, take a look at this docker-compose configuration script:

version: '2'
services:
  redis:
    image: 'redis:5.0.3-stretch'
    restart: always
    command: redis-server --requirepass redis
    environment:
      # ALLOW_EMPTY_PASSWORD is recommended only for development.
      - ALLOW_EMPTY_PASSWORD=yes
      - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL
    ports:
      - '6379'
    volumes:
      - 'redis_data:/bitnami/redis/data'
volumes:
  redis_data:
    driver: local

Let's first explain the background of this script. It originally started out on the bitnami image, because that image supports password-free configuration and is very convenient for setting up a development environment. Later, for security reasons, it was switched to the official image redis:5.0.3-stretch, and that is how this odd configuration came about: it contains both requirepass and ALLOW_EMPTY_PASSWORD=yes.

In this configuration, the password redis is set in command via --requirepass, while ALLOW_EMPTY_PASSWORD=yes is set in environment. So does this container require a password or not, and why?

To answer this, first note that the problem is definitely not in docker-compose itself: at best it is a script parser that hands the values through. The usual rule of thumb is that parameters given on the run command take priority over environment variables, and environment variables take priority over the configuration file. But is that really the case here? To find out, we need to read the redis source code; if you are interested, you can read it yourself.

src/config.c shows that when the requirepass directive is used, the password is written into an sds string. It says nothing about environment variables affecting the redis configuration file, though; in fact there is no reference to the process environment anywhere in the config handling, so we can infer that the developers never intended environment variables to be used for configuration.

To verify this guess without searching the source for a needle in a haystack, take a look at the official introduction to config:

Passing arguments via the command line

Since Redis 2.6 it is possible to also pass Redis configuration parameters using the command line directly. This is very useful for testing purposes. The following is an example that starts a new Redis instance using port 6380 as a slave of the instance running at 127.0.0.1 port 6379.

./redis-server --port 6380 --slaveof 127.0.0.1 6379

The format of the arguments passed via the command line is exactly the same as the one used in the redis.conf file, with the exception that the keyword is prefixed with --.

Note that internally this generates an in-memory temporary config file (possibly concatenating the config file passed by the user if any) where arguments are translated into the format of redis.conf.

Changing Redis configuration while the server is running

It is possible to reconfigure Redis on the fly without stopping and restarting the service, or querying the current configuration programmatically using the special commands CONFIG SET and CONFIG GET.

Not all the configuration directives are supported in this way, but most are supported as expected. Please refer to the CONFIG SET and CONFIG GET pages for more information.

Note that modifying the configuration on the fly has no effects on the redis.conf file so at the next restart of Redis the old configuration will be used instead.

Make sure to also modify the redis.conf file accordingly to the configuration you set using CONFIG SET. You can do it manually, or starting with Redis 2.8, you can just use CONFIG REWRITE, which will automatically scan your redis.conf file and update the fields which don't match the current configuration value. Fields non existing but set to the default value are not added. Comments inside your configuration file are retained.

From this introduction we know that there are two ways to configure redis:

1. Through the command line. In our case this is done through the command instruction in the compose file; it belongs to the initialization configuration and, according to the author, will be written to the redis.conf file during the running process.

2. Through CONFIG SET while redis is running. This is a temporary configuration and is not written to redis.conf: when the service is restarted the configuration is lost, and the instruction config set xxx has to be re-entered.

So far we know that environment has no effect on genuine redis. Why, then, does the bitnami version honour it? To see that, we need to look at how bitnami designed its image.

First take a look at somebody else's docker-compose.yml. It does indeed allow password-free access. That is fine for your own small experiments, but bring it into team work or a production environment and you will be criticised within minutes.

version: '2'
services:
  redis:
    image: 'bitnami/redis:5.0-centos-7'
    environment:
      # ALLOW_EMPTY_PASSWORD is recommended only for development.
      - ALLOW_EMPTY_PASSWORD=yes
      - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL
    ports:
      - '6379'
    volumes:
      - 'redis_data:/bitnami/redis/data'
volumes:
  redis_data:
    driver: local

Next we analyse its Dockerfile. There is not much to see in the package installation at the top; the key lines are the last two steps, ENTRYPOINT ["/entrypoint.sh"] and CMD ["/run.sh"], which are what make the password-free configuration possible. Let's keep exploring the source.

FROM bitnami/centos-extras-base:7-r269
LABEL maintainer "Bitnami"

ENV BITNAMI_PKG_CHMOD="-R g+rwX" \
    HOME="/" \
    OS_ARCH="x86_64" \
    OS_FLAVOUR="centos-7" \
    OS_NAME="linux"

# Install required system packages and dependencies
RUN install_packages glibc
RUN . ./libcomponent.sh && component_unpack "redis" "5.0.7-0" --checksum 0046ebee1870e41fe422f646d504a8ec84efb85152189ee434d8f4c9ad2917c7

COPY rootfs /
RUN /postunpack.sh
ENV BITNAMI_APP_NAME="redis" \
    BITNAMI_IMAGE_VERSION="5.0.7-centos-7-r59" \
    NAMI_PREFIX="/.nami" \
    PATH="/opt/bitnami/redis/bin:$PATH"

EXPOSE 6379

USER 1001
ENTRYPOINT [ "/entrypoint.sh" ]
CMD [ "/run.sh" ]

What matters more is the entrypoint.sh file, since run.sh is only used for startup initialization; interested readers can read it themselves and I will not repeat it here. Let's take a look at the source of entrypoint.sh.

#!/bin/bash
set -o errexit
set -o nounset
set -o pipefail
# set -o xtrace

# shellcheck disable=SC1091

# Load libraries
. /libbitnami.sh
. /libredis.sh

# Load Redis environment variables (redis_env prints REDIS_* assignments)
eval "$(redis_env)"

print_welcome_page

# Only run the setup step when the container was started with /run.sh
if [[ "$*" = *"/run.sh"* ]]; then
    info "** Starting Redis setup **"
    /setup.sh
    info "** Redis setup finished! **"
fi

echo ""
exec "$@"

From this code we learn that the program first sources libbitnami.sh and libredis.sh to load the helper libraries, then uses eval to pull in the environment produced by redis_env, and finally starts redis through the run.sh script. The answer to our question is getting closer and closer :) When you open libredis.sh, read this code first.

In this code, searching for the keyword ALLOW_EMPTY_PASSWORD tells us whether the configuration logic we are looking for is here, and indeed it is.

It is this function that implements the password-free startup of redis.

redis_validate() {
    debug "Validating settings in REDIS_* env vars.."
    local error_code=0

    # Auxiliary functions
    print_validation_error() {
        error "$1"
        error_code=1
    }
    empty_password_enabled_warn() {
        warn "You set the environment variable ALLOW_EMPTY_PASSWORD=${ALLOW_EMPTY_PASSWORD}. For safety reasons, do not use this flag in a production environment."
    }
    empty_password_error() {
        print_validation_error "The $1 environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development."
    }

    # ALLOW_EMPTY_PASSWORD=yes only warns; otherwise REDIS_PASSWORD must be set
    if is_boolean_yes "$ALLOW_EMPTY_PASSWORD"; then
        empty_password_enabled_warn
    else
        [[ -z "$REDIS_PASSWORD" ]] && empty_password_error REDIS_PASSWORD
    fi

    if [[ -n "$REDIS_REPLICATION_MODE" ]]; then
        if [[ "$REDIS_REPLICATION_MODE" =~ ^(slave|replica)$ ]]; then
            if [[ -n "$REDIS_MASTER_PORT_NUMBER" ]]; then
                if ! err=$(validate_port "$REDIS_MASTER_PORT_NUMBER"); then
                    print_validation_error "An invalid port was specified in the environment variable REDIS_MASTER_PORT_NUMBER: $err"
                fi
            fi
            if ! is_boolean_yes "$ALLOW_EMPTY_PASSWORD" && [[ -z "$REDIS_MASTER_PASSWORD" ]]; then
                empty_password_error REDIS_MASTER_PASSWORD
            fi
        elif [[ "$REDIS_REPLICATION_MODE" != "master" ]]; then
            print_validation_error "Invalid replication mode. Available options are 'master/replica'"
        fi
    fi

    # Any validation error aborts the container before redis is started
    [[ "$error_code" -eq 0 ]] || exit "$error_code"
}

Exploring source code is really interesting. Let's get to the bottom of things by facing the source, and recognise the adverse consequences of copying configuration without thinking. In the original docker-compose configuration, once the image was switched to 5.0.3-stretch, the environment section simply has no effect. That is the end of the story, and the problem is solved.
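To make the conclusion checkable, here is an added example (not from the article or from Bitnami) that reduces a compose service to the three fields that matter and reports what the container will actually do about authentication; the bitnami branch mirrors the redis_validate() logic above, and is_boolean_yes is approximated by a case pattern.

```shell
#!/bin/sh
# Added example, not from the article or from Bitnami: given the compose
# image, command and environment, report the effective authentication.
# Output: requirepass | env-password | no-password | refuse-start
redis_effective_auth() {
    image=$1; cmd=$2; env_pairs=$3
    allow_empty=no; redis_password=""
    for kv in $env_pairs; do
        case $kv in
            ALLOW_EMPTY_PASSWORD=*) allow_empty=${kv#*=} ;;
            REDIS_PASSWORD=*)       redis_password=${kv#*=} ;;
        esac
    done
    case $image in
        bitnami/redis*)
            # entrypoint.sh -> libredis.sh: ALLOW_EMPTY_PASSWORD=yes only warns
            # and starts blank; otherwise an empty REDIS_PASSWORD is a
            # validation error and the container exits before redis starts.
            # (is_boolean_yes approximated: yes/true/1, case-insensitive)
            case $allow_empty in
                [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) echo no-password ;;
                *) if [ -n "$redis_password" ]; then echo env-password
                   else echo refuse-start; fi ;;
            esac ;;
        *)
            # Official image: nothing reads REDIS_* or ALLOW_EMPTY_PASSWORD, so
            # only the command line (or a mounted redis.conf, not checked here)
            # can set a password.
            case " $cmd " in
                *" --requirepass "*) echo requirepass ;;
                *)                   echo no-password ;;
            esac ;;
    esac
}

# The two compose files from the article, reduced to the relevant fields.
redis_effective_auth 'redis:5.0.3-stretch' 'redis-server --requirepass redis' \
    'ALLOW_EMPTY_PASSWORD=yes REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL'   # requirepass
redis_effective_auth 'bitnami/redis:5.0-centos-7' '' \
    'ALLOW_EMPTY_PASSWORD=yes REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL'   # no-password
```

The first call shows that the official image keeps the password from --requirepass and ignores ALLOW_EMPTY_PASSWORD entirely; the second shows why the bitnami compose file starts without one.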

Reference:

Redis official introduction to config: https://redis.io/topics/config
redis source code: https://github.com/antirez/redis/
docker-compose redis:bitnami: https://github.com/bitnami/bitnami-docker-redis
