[core] Support encrypted redis connection. #28628
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fishbone
force-pushed
the
rediss-support
branch
from
e625292 to
977abdd
Compare
fishbone
force-pushed
the
rediss-support
branch
2 times, most recently
from
9fbbec2 to
1afb5a9
Compare
|
hmmm, it seems the building of redis has some issues. I'm looking into this. |
I need to change the bazel rule to build redis. |
scv119
reviewed
Sep 21, 2022
| @@ -655,6 +655,16 @@ RAY_CONFIG(std::string, TLS_SERVER_CERT, "") | |||
| RAY_CONFIG(std::string, TLS_SERVER_KEY, "") | |||
| RAY_CONFIG(std::string, TLS_CA_CERT, "") | |||
|
|
|||
| /// Location of Redis TLS credentials | |||
| /// https://github.com/redis/hiredis/blob/c78d0926bf169670d15cfc1214e4f5d21673396b/README.md#hiredis-openssl-wrappers | |||
| RAY_CONFIG(bool, REDIS_ENABLE_SSL, false) | |||
scv119
reviewed
Sep 21, 2022
| } | ||
| } | ||
|
|
||
|
|
There was a problem hiding this comment.
should we call redisFreeSSLContext here in the destructor?
scv119
added
the
@author-action-required
simon-mo
previously approved these changes
Sep 21, 2022
There was a problem hiding this comment.
I'm a little bit confused by this PR. What's the workflow for:
- use SSL with the redis bundled/started by Ray (I assume this is supported by the
services.py:_start_redis_instancechange. Do users need to supply all the CERTs parameters? - Which env var does the user use to connect to hosted redis (e.g. aws memorystore https://docs.aws.amazon.com/memorydb/latest/devguide/getting-startedclusters.connecttonode.html)
bazel/ray_deps_setup.bzl
Outdated
Comment on lines
103
to
105
| # patches = [ | ||
| # "@com_github_ray_project_ray//thirdparty/patches:redis-quiet.patch", | ||
| # ], |
There was a problem hiding this comment.
do we still need this patch?
simon-mo
dismissed
their stale review
didn't mean to approve, this PR needs documentation change as well
|
@scv119 ah,, I forget to include the unit test. I actually have one but forgot to add. |
|
@simon-mo the services change is only for testing. Ray will not start redis for the user anymore. Ideally, the Redis change should be moved from the service.py to test.py.
It's the user's responsibility to bring a redis. How to setup the cert it depends on the Redis doc.
I'm not quite sure about AWS's use case. I think here it's more related to the Redis client itself. Everything is based on Redis protocol. |
@simon-mo right now, all the GCS Fault Tolerance features are only to support ray serve and the only place where ray serves can be HA will be in KubeRay Ray Service Operator. The users can't simply use these features by themselves. I think we should just add the flags into the kuberay's doc. So it shouldn't be in this one. I'll add it once it's merged. |
fishbone
force-pushed
the
rediss-support
branch
from
952f959 to
7adaf08
Compare
fishbone
force-pushed
the
rediss-support
branch
from
f5b383b to
7d578a7
Compare
ijrsvt
reviewed
Sep 27, 2022
bazel/ray_deps_setup.bzl
Outdated
| @@ -98,8 +98,8 @@ def ray_deps_setup(): | |||
| auto_http_archive( | |||
| name = "com_github_antirez_redis", | |||
| build_file = "@com_github_ray_project_ray//bazel:BUILD.redis", | |||
| url = "https://github.com/redis/redis/archive/6.0.10.tar.gz", | |||
| sha256 = "900cb82227bac58242c9b7668e7113cd952253b256fe04bbdab1b78979cf255a", | |||
| url = "https://github.com/redis/redis/archive/refs/tags/7.0.4.tar.gz", | |||
There was a problem hiding this comment.
Can we switch to 7.0.5 for Security Fixes?
7 tasks
simon-mo
approved these changes
Sep 27, 2022
|
@simon-mo updated to rediss:// |
…anch Signed-off-by: Yi Cheng <74173148+iycheng@users.noreply.github.com>
Signed-off-by: Yi Cheng <74173148+iycheng@users.noreply.github.com>
fishbone
force-pushed
the
rediss-support
branch
from
b01a624 to
ec7d467
Compare
Signed-off-by: Yi Cheng <74173148+iycheng@users.noreply.github.com>
Signed-off-by: Yi Cheng <74173148+iycheng@users.noreply.github.com>
Signed-off-by: Yi Cheng <74173148+iycheng@users.noreply.github.com>
|
test failure not related. |
rkooo567
added a commit
to rkooo567/ray
that referenced
this pull request
Oct 3, 2022
This reverts commit 7167f9c.
rkooo567
added a commit
that referenced
this pull request
Oct 3, 2022
Reverts #28628 Looks like this fails the build in the master. I verified it works after reverting this PR ``` ERROR: /Users/sangbincho/work/ray/BUILD.bazel:2764:18 Executing genrule //:cp_redis failed: (Exit 64): bash failed: error executing command (cd /private/var/tmp/_bazel_sangbincho/f7d6f25d281df169000c577629db7adf/sandbox/darwin-sandbox/1985/execroot/com_github_ray_project_ray && \ exec env - \ PATH=/Users/sangbincho/google-cloud-sdk/bin:/Users/sangbincho/anaconda3/envs/core/bin:/Users/sangbincho/anaconda3/condabin:/Users/sangbincho/.nvm/versions/node/v14.19.2/bin:/Library/Frameworks/Python.framework/Versions/3.8/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin:/Users/sangbincho/.cargo/bin:/Users/sangbincho/bin \ /bin/bash -c 'source external/bazel_tools/tools/genrule/genrule-setup.sh; mkdir tmp-redis-bin cp bazel-out/darwin-opt/bin/external/com_github_antirez_redis/copy_redis/redis bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/bin/redis-cli bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/bin/redis-server bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/include ./tmp-redis-bin/ -rf cp tmp-redis-bin/redis-server bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-server chmod +x bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-server cp tmp-redis-bin/redis-cli bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-cli chmod +x bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-cli rm -rf tmp-redis-bin ') Execution platform: @local_config_platform//:host ```
WeichenXu123
pushed a commit
to WeichenXu123/ray
that referenced
this pull request
Dec 19, 2022
This PR supports the encrypted redis connection. If the address starts with rediss://, it'll start the redis in SSL mode. To support better ssl, redis is also upgraded. It's not supposed to impact ray because it's the user's responsibility to provide a redis. Right now all flags are provided by the os envs. It's not ideal and we should design a better format when we refactor the db layer. Besides, right now gRPC is using OS envs for the encrypted connection in ray, just follow this pattern for now. Signed-off-by: Weichen Xu <weichen.xu@databricks.com>
WeichenXu123
pushed a commit
to WeichenXu123/ray
that referenced
this pull request
Dec 19, 2022
Reverts ray-project#28628 Looks like this fails the build in the master. I verified it works after reverting this PR ``` ERROR: /Users/sangbincho/work/ray/BUILD.bazel:2764:18 Executing genrule //:cp_redis failed: (Exit 64): bash failed: error executing command (cd /private/var/tmp/_bazel_sangbincho/f7d6f25d281df169000c577629db7adf/sandbox/darwin-sandbox/1985/execroot/com_github_ray_project_ray && \ exec env - \ PATH=/Users/sangbincho/google-cloud-sdk/bin:/Users/sangbincho/anaconda3/envs/core/bin:/Users/sangbincho/anaconda3/condabin:/Users/sangbincho/.nvm/versions/node/v14.19.2/bin:/Library/Frameworks/Python.framework/Versions/3.8/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin:/Users/sangbincho/.cargo/bin:/Users/sangbincho/bin \ /bin/bash -c 'source external/bazel_tools/tools/genrule/genrule-setup.sh; mkdir tmp-redis-bin cp bazel-out/darwin-opt/bin/external/com_github_antirez_redis/copy_redis/redis bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/bin/redis-cli bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/bin/redis-server bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/include ./tmp-redis-bin/ -rf cp tmp-redis-bin/redis-server bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-server chmod +x bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-server cp tmp-redis-bin/redis-cli bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-cli chmod +x bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-cli rm -rf tmp-redis-bin ') Execution platform: @local_config_platform//:host ``` Signed-off-by: Weichen Xu <weichen.xu@databricks.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why are these changes needed?
This PR support encrypted redis connection. If the address starts with
rediss://, it'll start the redis in SSL mode.To support better ssl, redis is also upgraded. It's not supposed to impact ray because it's the user's responsibility to provide a redis.
Right now all flags are provided by the os envs. It's not ideal and we should design a better format when we refactor the db layer.
Besides, right now gRPC is using OS envs for the encrypted connection in ray, just follow this pattern for now.
Related issue number
Closes #27371
Checks
git commit -s) in this PR.scripts/format.shto lint the changes in this PR.