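Redis Enterprise Software release notes 6.2.4 (August 2021)

Internode encryption. Nginx replaced by envoy. New upgrade policies/behavior.

Redis Enterprise Software

Redis Enterprise Software version 6.2.4 is now available!

This version offers:

  • Encryption of all communications within cluster nodes
  • Security enhancements
  • Bug fixes
  • Compatibility with the latest version of open source Redis 6.2.3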

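Version changes

Prerequisites and notes

You can upgrade to v6.2.4 from Redis Enterprise Software v6.0 and later.

Keep the following in mind:

  • Upgrades from versions earlier than v6.0 are not supported.

  • The new internode encryption feature requires port 3342 to be open on all machines in the cluster.

  • In v6.0.20, Redis Enterprise Software replaced Nginx with envoy to improve internal security and communication. As of v6.2.4, Nginx is no longer provided with Redis Enterprise Software.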
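
A pre-upgrade check for the port 3342 requirement above, as an added example that is not part of the release notes or of Redis tooling: run from each node against its peers, it separates a refused connection (path clear, no listener yet) from a timeout (packets probably dropped by a firewall). The function names and the node addresses passed on the command line are assumptions; a firewall that rejects with a TCP reset also shows as closed.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

INE_PORT = 3342  # port the release notes require open on every cluster machine


def probe(host, port=INE_PORT, timeout=3.0):
    """Classify one TCP connect attempt from this machine to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # a listener accepted the connection
    except ConnectionRefusedError:
        return "closed"        # reset received: path is clear, nothing listening
    except socket.timeout:
        return "filtered"      # no answer: packets are probably being dropped
    except OSError as exc:
        return "error: %s" % (exc.strerror or exc)  # DNS failure, no route, ...


def preflight(nodes, port=INE_PORT, timeout=3.0):
    """Probe all nodes in parallel and return {host: state}."""
    nodes = list(nodes)
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = pool.map(lambda h: probe(h, port, timeout), nodes)
        return dict(zip(nodes, states))


def blocked(results):
    """Hosts whose state points at a network or firewall problem."""
    return sorted(h for h, s in results.items() if s not in ("open", "closed"))


if __name__ == "__main__":
    # Usage (hypothetical addresses): python3 check_3342.py 10.0.0.11 10.0.0.12
    results = preflight(sys.argv[1:])
    for host, state in results.items():
        print("%-20s %s/tcp %s" % (host, INE_PORT, state))
    sys.exit(1 if blocked(results) else 0)
```

The exit status is non-zero when any peer is filtered or unreachable, so the script can gate an upgrade runbook.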

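Database upgrade default changes

The default behavior of the upgrade db command has changed. It is now controlled by a new cluster policy (redis_upgrade_policy), which defines the policy for creating new databases and upgrading existing ones. The policy supports the following values:

  • When set to major, the policy allows databases to be created or updated to Redis versions compatible with open source Redis major releases. This extends the upgrade cycle by supporting Redis versions across multiple Redis Enterprise Software releases.

    This is the default value for Redis Enterprise Software.

  • When set to latest, the policy creates new databases and upgrades existing ones to be compatible with the latest (most recent) version of open source Redis, which was the default behavior in earlier versions of Redis Enterprise Software. This is no longer the default behavior.

    Setting the upgrade policy to latest ensures that the latest Redis features are available to new and upgraded databases. It also requires more frequent upgrades, because open source Redis is updated more frequently than Redis Enterprise Software.

The Redis Enterprise Software 6.2.4 package includes compatibility with the latest major Redis release (v6.0) and the latest (most recent) update to Redis (v6.2.3).

By default, compatibility with v6.0 is installed. To change this, use rladmin to set the upgrade policy and the default Redis version: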

$ rladmin tune cluster redis_upgrade_policy latest
$ rladmin tune cluster default_redis_version 6.2

To learn more, see the upgrade instructions.

Product lifecycle updates

Redis Enterprise Software v5.6.0 will reach end of life (EOL) on October 31, 2021.

To learn more, see the Redis Enterprise Software product lifecycle, which details the release number and the end-of-life schedule for Redis Enterprise Software.

Redis Enterprise modules have individual release numbers and lifecycles.

Deprecation notices

  • In v6.0.20, the SASL-based LDAP mechanism was deprecated in favor of a new RBAC-based approach. As of v6.2.12, support for the older mechanism has been removed.

    For help migrating to the LDAP-based mechanism, see Migrate to role-based LDAP.

  • OpenStack Object Storage ("Swift") has reached end-of-life. Consequently, you can no longer use OpenStack Swift as a target for database backup or export operations.

Features and enhancements

Internode encryption

Internode encryption (INE) encrypts all communication between nodes in a cluster; it is available for the control plane and the data plane. 

Control plane internode encryption

Control plane internode encryption encrypts all management communication within a cluster. It is enabled by default for all new clusters and upgraded clusters.

Data plane internode encryption

Data plane internode encryption encrypts communication between nodes within a cluster, such as database replication between nodes.

Data plane internode encryption is available for new or fully upgraded clusters. It is not enabled by default.

You can enable data plane internode encryption by:

  • Setting the cluster policy to enable data plane internode encryption by default for new databases

    rladmin tune cluster data_internode_encryption enabled
    
  • Enabling it for individual existing databases

    rladmin tune db <db:id | name> data_internode_encryption enabled
    

Internal certificate management

Internode encryption relies on internal certificates signed by a unique, private CA certificate created for your deployment. The private CA generates and signs leaf certificates for internode encryption only. It's generated when you install or upgrade to Redis Enterprise 6.2.4. It's used only within the cluster and is not exposed outside of the cluster.

The leaf certificates expire regularly; they're automatically rotated before expiration and alerts are issued as needed.

Open source Redis compatibility

Redis 6.2 introduced new commands, feature improvements, and security fixes; it addresses many customer requests.

Redis Enterprise Software supports all new commands, except RESET and FAILOVER. (Redis Enterprise takes a different approach to connectivity; it also separates control plane operations from data plane operations.)

To learn more, see Redis Enterprise Software compatibility with open source.

Redis modules

Redis Enterprise Software v6.2.4 includes the following Redis modules:

Internode encryption for modules

To utilize data plane encryption for existing databases with modules, update the module to the latest version prior to enabling data plane encryption.

For help, see Upgrade the module for a database.

Added the capability to update current module arguments for an existing database. In earlier versions, you could do this only when upgrading a module. To learn more, see rladmin upgrade.

Resolved issues

  • RS39954 - Changed the UI status indication for the default user from Active/Inactive to Enabled/Disabled

  • RS42626 - Increased the max length for modules commands from 23 characters to 64 characters

  • RS54732 - Fixed incorrect reporting of the number of database connections, which caused the number of connections to be reported as a 20-digit number

  • RS52265 - Fixed excessive log lines reporting when an Active-Active database is on featureset 0. Upgrade the featureset version to the latest.

  • RS56122 - Fixed a bug that was causing AOF files to grow when the replicas of two Active-Active databases became disconnected during full synchronization

  • RS58184 - Fixed a bug when trying to create an Active-Active database with expired syncer certificates; participating clusters were creating replicas even though the create operation failed.

  • RS48988 - Added the username description to the log upon an unauthorized REST API request

Known limitations

Installation limitations

Several Redis Enterprise Software installation reference files are installed to the directory /etc/opt/redislabs/ even if you use custom installation directories.

As a workaround to install Redis Enterprise Software without using any root directories, do the following before installing Redis Enterprise Software:

  1. Create all custom, non-root directories you want to use with Redis Enterprise Software.

  2. Mount /etc/opt/redislabs to one of the custom, non-root directories.

Known issues

  • A new command was added as part of Redis 6.2: XAUTOCLAIM. When used in an Active-Active configuration, this command may cause Redis shards to crash, potentially resulting in data loss. The issue is fixed in Redis Enterprise Software version 6.2.12. Additionally, we recommend enabling AOF persistence for all Active-Active configurations.

  • The ZRANGESTORE command, with a special zset-max-ziplist-entries configuration, can crash Redis 6.2. See Redis repository 10767 for more details.

  • RS81463 - A shard may crash when resharding an Active-Active database with Auto Tiering. Specifically, the shard will crash when volatile keys or Active-Active tombstone keys reside in Flash memory.

  • RS40641 - API requests are redirected to an internal IP in case the request arrives from a node which is not the master. To avoid this issue, use rladmin cluster config to configure handle_redirects or handle_metrics_redirects.

Security

  • The following open source Redis CVEs do not affect Redis Enterprise:

    • CVE-2021-32625 - Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis since Redis Enterprise does not implement LCS. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.4, Redis 6.0.14)

    • CVE-2021-32672 - Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the Lua debugger is unsupported in Redis Enterprise. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)

    • CVE-2021-32675 - Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the proxy in Redis Enterprise does not forward unauthenticated requests. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)

    • CVE-2021-32762 - Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the memory allocator used in Redis Enterprise is not vulnerable. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)

    • CVE-2021-41099 - Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the proto-max-bulk-len CONFIG is blocked in Redis Enterprise. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)
