ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Even better support for Redis #7310

Open roman-vynar opened 4 years ago

roman-vynar commented 4 years ago

Recently 🐰 mq and memcached were replaced with Redis and it is a good choice. However, AWX is using Redis via a hardcoded unix socket.

Please add support for the minimal configuration options such as REDIS_HOST, REDIS_PORT and REDIS_PASSWORD.

Thanks!

ryanpetrello commented 4 years ago

related: https://github.com/ansible/awx/pull/7247

ryanpetrello commented 4 years ago

@roman-vynar we've had some conversations about this elsewhere, and this comment captures my gut reaction:

https://github.com/ansible/awx/pull/7247#pullrequestreview-424590540

My feeling is that at some point, our installer might grow support for pointing at redis listening on something other than a unix socket, but that it's probably going to be a "you broke it, you own the pieces" sort of setup, because dealing with the security implications of redis over TLS and guaranteeing secure defaults across all of awx's deployment topologies is a lot of effort.

roman-vynar commented 4 years ago

Thanks, just read it.

Couple of things:

The main concern is I can't set a password. But I am sure more people will come and request network addr:port support because of "everything is cloud" :)

Also, talking deeper about security, redis.conf.j2 has this:

unixsocket /var/run/redis/redis.sock
unixsocketperm 777

The password support will be an easy fix for this casino magic number :)

ryanpetrello commented 4 years ago

> unixsocketperm 777

🤦 that's a good find - I'll address it now. Thanks for pointing out this oversight.

ryanpetrello commented 4 years ago

addressed via https://github.com/ansible/awx/pull/7315
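
The `unixsocketperm 777` finding discussed above can be checked mechanically. The following is an added example, not part of the thread or of AWX's code: a small Python audit of a redis.conf body. The function names and the `HARDENED` sample are constructed for illustration, and the 770 mode and password placeholder in it are assumptions, not the values the project chose.

```python
import shlex

# The two directives quoted in the thread from redis.conf.j2.
AS_REPORTED = """\
unixsocket /var/run/redis/redis.sock
unixsocketperm 777
"""

# Constructed sample: mode and password are placeholders, not AWX's values.
HARDENED = """\
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
requirepass "REPLACE_WITH_SECRET"
"""

def parse_redis_conf(text):
    """Map each directive to its argument list; the last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            conf[name.lower()] = args
    return conf

def audit_unix_socket(text):
    """Return (code, detail) findings on who can reach the Redis unix socket."""
    conf = parse_redis_conf(text)
    if "unixsocket" not in conf:
        return []
    findings = []
    perm = conf.get("unixsocketperm")
    if not perm:
        findings.append(("perm-unset", "socket mode is left to the process umask"))
    elif int(perm[0], 8) & 0o002:
        # Linux requires write permission on the socket file to connect().
        findings.append(("world-connectable",
                         "mode %s lets any local user connect" % perm[0]))
    if not (conf.get("requirepass") or [""])[0]:
        findings.append(("no-auth", "no requirepass directive in this file"))
    return findings

if __name__ == "__main__":
    for label, body in (("as reported", AS_REPORTED), ("hardened", HARDENED)):
        print(label, audit_unix_socket(body) or "no findings")
```
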

rromanchuk commented 4 years ago

I already have a Redis running on the host, can I just purge the container and let it connect by its defaults, or is it a little more complex of a problem?

Seb0042 commented 4 years ago

> @roman-vynar we've had some conversations about this elsewhere, and this comment captures my gut reaction:
>
> #7247 (review)
>
> My feeling is that at some point, our installer might grow support for pointing at redis listening on something other than a unix socket, but that it's probably going to be a "you broke it, you own the pieces" sort of setup, because dealing with the security implications of redis over TLS and guaranteeing secure defaults across all of awx's deployment topologies is a lot of effort.

Hello, could be fine for us as we already have other applications using redis on our k8s cluster. It will also give us the possibility to have a smaller awx pod (our worker nodes have only 2 cpu).

Bak3y commented 3 years ago

Requesting a priority bump - we'd like to point AWX to a completely external redis URL/port (Elasticache)

swathit0319 commented 3 years ago

Hi, I am using AWX-v15 with a local Redis image. I have used the docker-compose way to install AWX. I would like to know if there is support for external Redis for this kind of installation. And if it is supported, may I know what changes need to be made to the existing docker-compose and inventory files?

pluzun commented 1 year ago

Hello, any update about this issue? Restricting AWX's Redis configuration seems to really limit the product's scalability. It would be a really good start to work on this AWX limitation: https://github.com/ansible/awx/issues/12326