Redis Made Easy: A Step-by-Step Guide to Installing Redis on AlmaLinux 9

Redis is a popular and open-source in-memory key-value data store. It supports different data structures such as Hash, Lists, Sets, Strings, and many more. Redis is designed to be running in the trusted environment only, it can be used as a database, cache, and message broker. Redis is extensively known for its broad support, high performance, high availability, and flexibility.

You can install Redis as a standalone for small deployment. For large deployment, they provide additional components such as Redis Sentinel for high availability and Redis Cluster for partitioning data across multiple Redis node servers.

This tutorial will show you how to install and configure Redis on the AlmaLinux 9 server. In addition, we will also show you how to secure Redis via Redis ACLs (Access Control Lists) and Firewalld.

Prerequisites

To complete this tutorial, you must have the following:

• An AlmaLinux server 9 – This example uses the AlmaLinux server with hostname ‘alma-linux‘ and IP address ‘192.168.5.21′.
• A non-root user with sudo/root administrator privileges.
• A firewalld configured, up, and running.

Now, let’s dive in.

Installing Redis

Redis is a high-performance, open-source data store that can be used as a database, cache, message broker, and streaming engine. Redis is available on most Linux distributions, including AlmaLinux. It can be installed via the default distribution repository.

Before installing Redis, run the following command to rebuild the package cache and get the latest version of package information.

sudo dnf makecache

<img alt="refresh package index" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/1-refresh-package-index.png6446c1a8b7064.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="90" loading="lazy" src="data:image/svg xml,” width=”750″>

Now, run the dnf command below to install Redis. Input y when prompted, then press ENTER to proceed.

sudo dnf install redis

<img alt="install redis" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/2-installing-redis.png6446c1a903017.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="167" loading="lazy" src="data:image/svg xml,” width=”750″>

When Redis is installed, run the following systemctl commands to start and enable Redis service.

sudo systemctl start redis

sudo systemctl enable redis

<img alt="start enable redis" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/3-start-verify-redis.png6446c1a9250eb.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="93" loading="lazy" src="data:image/svg xml,” width=”750″>

Lastly, verify the Redis service status using the command below.

sudo systemctl is-enabled redis

sudo systemctl status redis

The following output confirms that Redis is running and enabled, which means it will be run automatically upon the system startup.

<img alt="verify redis" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/4-verify-redis.png6446c1a93bf66.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="290" loading="lazy" src="data:image/svg xml,” width=”750″>

Securing Redis with Firewalld

In this section, you will set up firewalld to secure the Redis installation. And the best way to achieve this is by creating zones on firewalld and allowing specific networks/subnets to the service.

Run the following command to create a new firewalld zone called ‘svcs‘, then add the internal network interface into it. In this example, the Redis will be run on an internal IP address under the interface ‘enp0s8‘, you must add your interface to the zone ‘svcs‘.

sudo firewall-cmd --new-zone=svcs --permanent

sudo firewall-cmd --zone=svcs --add-interface=enp0s8 --permanent

Now, run the following command to allow the network ‘192.168.5.1/24‘ for accessing ports on the zone ‘svcs‘.

sudo firewall-cmd --zone=svcs --add-source=192.168.5.1/24

After that, add the Redis port ‘6379/tcp‘ to the zone ‘svcs‘, then apply the changes to the firewalld.

sudo firewall-cmd --zone=svcs --add-port=6379/tcp

sudo firewall-cmd --runtime-to-permanent

<img alt="configure firewalld" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/5-configuring-firewalld.png6446c1a96c674.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="295" loading="lazy" src="data:image/svg xml,” width=”750″>

Now, reload the firewalld using the following command to ensure that new changes are applied to the firewalld.

sudo firewall-cmd --reload

Lastly, run the following command to check the list of active zones on firewalld. And you should see the zone ‘svcs‘ is active.

sudo firewall-cmd --get-active-zones

You can now verify the list of rules that are available in the ‘svcs’ zone. When successful, you should see the Redis port ‘6379/tcp‘ on the Ports section and the subnet ‘192.168.5.1/24‘ on the Source.

sudo firewall-cmd --list-all --zone=svcs

<img alt="firewalld verify" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/6-checking-firewalld.png6446c1a98d82b.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="370" loading="lazy" src="data:image/svg xml,” width=”642″>

Configuring Redis

In this section, you will configure the Redis installation by modifying the default Redis configuration ‘/etc/redis/redis.conf‘.

Open the Redis configuration file ‘/etc/redis/redis.conf‘ using the nano editor command below.

sudo nano /etc/redis/redis.conf

Change the value on the ‘bind‘ parameters with the server’s internal IP address. In his example, Redis will be running on a local IP address ‘192.168.5.21‘.

bind 192.168.5.21

<img alt="setup bind address" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/7-bind-address.png6446c1a9bff88.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="118" loading="lazy" src="data:image/svg xml,” width=”697″>

Now, disable the ‘protected-mode‘ by changing the value of the parameter to ‘no‘. To allow remote connections from your application to the Redis server, you must disable the ‘protected-mode’.

protected-mode no

<img alt="disable protected mode" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/8-disable-protected-mode.png6446c1a9e40b7.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="130" loading="lazy" src="data:image/svg xml,” width=”703″>

On AlmaLinux, the default service manager is ‘systemd’. Uncomment the ‘supervised‘ parameter and change the default value to ‘systemd‘ to enable the integration of Redis with systemd.

supervised systemd

<img alt="systemd integration" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/9-systemd-integration.png6446c1aa44cf5.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="359" loading="lazy" src="data:image/svg xml,” width=”738″>

Lastly, uncomment the ‘aclfile‘ parameter to enable the ACLs (Access Control Lists) of Redis via file. Since Redis v6, using ACLs is a recommended way for securing Redis, and Redis supports different methods for using ACLs, you can create ACLs via Redis shell or defined ACLs file. This example will be used ACLs via file.

aclfile /etc/redis/users.acl

<img alt="enable acl" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/10-setup-acl.png6446c1aa7bc0a.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="246" loading="lazy" src="data:image/svg xml,” width=”717″>

Save and close the file when finished.

Now, run the following command to create the ACLs file ‘/etc/redis/users.acl’.

touch /etc/redis/users.acl

After that, run the command below to restart the Redis service and apply the changes that you have made.

sudo systemctl restart redis

With this, redis will be up and running with new configurations. The next step you will do is verify your Redis configuration via Redis CLI.

Connect to the Redis server using the ‘redis-cli’ command below. In this example, you will specify the IP address for the Redis server.

redis-cli -h 192.168.5.21

Once logged in, run the following command to ensure that the connection is successful. You should expect to see the output ‘test redis‘ when the connection is successful.

PING "test redis"

<img alt="connect to redis" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/11-connect-redis.png6446c1aaaaad8.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="135" loading="lazy" src="data:image/svg xml,” width=”465″>

Next, run the following queries to get the current Redis configurations. In this example, you will check the ‘bind‘, ‘supervised‘, and protected-mode‘ settings.

CONFIG GET bind

CONFIG GET supervised

CONFIG GET protected-mode

When successful, you should get the configuration matched with the settings that you’ve made before.

<img alt="check configuration" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/12-check-configuration.png6446c1aad3fe7.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="282" loading="lazy" src="data:image/svg xml,” width=”450″>

Lastly, run the following ACL query below to get the list of available ACLs on Redis.

ACL LIST

You should expect to see the output like this – The default Redis installation comes with ACL user ‘default‘, the authentication is ‘nopass‘ or log in without a password, and the permission ‘[email protected]‘, which allows the ‘default‘ user to execute any Redis queries.

<img alt="list acls" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/13-default-acls.png6446c1ab02dd4.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="118" loading="lazy" src="data:image/svg xml,” width=”412″>

At this point, you have now finished the basic configuration of Redis. In the next step, you dive into the configuration of Redis ACLs (Access Control Lists) for securing Redis installation.

Securing Redis with ACLs (Access Control Lists)

Since Redis 6.x, the best way to secure Redis is by implementing ACLs (Access Control Lists). This allows you to set up user and permissions on the Redis server, and this can obsolete the ‘requirepass’ and ‘rename-command’ parameters on the old Redis version.

You can set up ACLs on Redis with two different methods:

• Setting up ACLs via ACL command
• Setting up ACLs via external ACL file

With the Redis server that you’ve configured, you will set up Redis ACLs via an external ACL file.

First, open the ACL file ‘/etc/redis/users.acl’ using the following nano editor command.

sudo nano /etc/redis/users.acl

Insert the following configurations to create two users for Redis.

user alice on -DEBUG [email protected] ~* >AliceP4ssw0rd

user bob on [email protected] [email protected] ~* >BobP4ssw0rd

Save the file and exit the editor when finished.

<img alt="create acls user" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/14-setup-acls.png6446c1ab22057.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="104" loading="lazy" src="data:image/svg xml,” width=”477″>

With this configuration, you will create two users:

• User alice with password ‘AliceP4ssw0rd‘ and allowed to execute all queries ‘[email protected]‘ except DEBUG ‘-DEBUG‘, and also allowed to run queries against all available key-values ‘~*‘ that available.
• A user bob with password ‘BobP4ssw0rd‘ and allowed user bob to execute all queries ‘[email protected]‘ except ‘[email protected]‘. The command category ‘[email protected]‘ includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS, CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, and many more. Also, this user is allowed to make queries to all available key values on the Redis server.

Get the full list of command categories on Redis.

Now, run the following systemctl command to restart the Redis service and apply the changes.

sudo systemctl restart redis

Once Redis restarted, connect to the Redis server using the following redis-cli command below.

redis-cli -h 192.168.5.21

Once logged in, run the following ACL query to check the list of available users on Redis.

ACL LIST

At this point, you should expect to see three users alice, bob, and default.

<img alt="list users" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/15-list-acls.png6446c1ab53624.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="147" loading="lazy" src="data:image/svg xml,” width=”750″>

You can also verify the detailed user on Redis using the following query.

ACL GETUSER alice

ACL GETUSER bob

You should see that the user alice is allowed to execute all available commands on Redis, with the command group ‘[email protected]‘.

<img alt="get user details alice" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/19-get-details-user-alice.png6446c1ab8f89f.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="346" loading="lazy" src="data:image/svg xml,” width=”702″>

As for the user bob, you can see the allowed command ‘[email protected]‘, but also the command group ‘dangerous‘ disabled.

<img alt="get user details bob" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/20-get-users-bob.png6446c1abbe027.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="306" loading="lazy" src="data:image/svg xml,” width=”697″>

Disable default Redis User

With the new user alice and bob is created, you must disable the ‘default‘ user using the following query.

ACL SETUSER default OFF

Then, check again the list of available users on Redis using the command below.

ACL LIST

You should expect the user ‘default‘ with the status off or disabled like this:

<img alt="disable default user" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/16-disable-default.png6446c1abe6807.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="152" loading="lazy" src="data:image/svg xml,” width=”750″>

Press Ctrl d to exit from the Redis shell.

After that, login again to Redis using the following command.

redis-cli -h 192.168.5.21

Then, input the following PING query to verify the current connection.

PING

With the Redis “default” user disabled, you should get an error like the following – You need must be authenticated user to run queries.

<img alt="disable default user" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/17-disabled-default-acl.png6446c1ac28c1f.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="159" loading="lazy" src="data:image/svg xml,” width=”500″>

Verify User alice

Next, you will verify the new Redis user alice and bob that you’ve created.

Run the following command to authenticate as user ‘alice’. If successful, you should get an output ‘OK’.

AUTH alice AliceP4ssw0rd

Now run the following queries to ensure that you’re authenticated to Redis via user alice.

PING

ACL WHOAMI

You should expect to see the message PONG and authenticated as user alice.

Now, run the following queries to ensure that the user alice can execute all available queries, including related Redis management.

CONFIG GET bind

CONFIG GET supervised

When successful, you should get an output of the current Redis configuration for parameter bind and supervised.

<img alt="test user alice" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/18-test-user-alice.png6446c1ac5834e.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="325" loading="lazy" src="data:image/svg xml,” width=”426″>

Verify User bob

Run the following query to log in and authenticate as user bob.

AUTH bob BobP4ssw0rd

After authentication, run the PING query below. If successful, you should get the message PONG.

PING

Next, within the Redis ACL file, the user bob the command category ‘[email protected]‘, which prevents this user to execute some dangerous commands such as FLUSHALL, CONFIG, and many more on the Redis server.

If you run the following queries as user bob, you should get an output such as ‘NOPERM’, which means the user bob has no permission to execute the command.

FLUSHALL

CONFIG GET bind

SAVE

<img alt="test user bob" data-ezsrc="https://kirelos.com/wp-content/uploads/2023/04/echo/21-test-user-bob.png6446c1ac805f2.jpg" ezimgfmt="rs rscb5 src ng ngcb5" height="269" loading="lazy" src="data:image/svg xml,” width=”750″>

With this, you have now successfully secured Redis with ACLs (Access Control Lists) via ACL file.

Conclusion

Congratulations! You have now successfully installed Redis on AlmaLinux 9. You have also learned how to set up ACLs (Access Control Lists) via ACL file to secure Redis installation. In addition to that, you have also secured Redis with firewalld by creating a specific zone for Redis service.