Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[core] Support encrypted redis connection. #28628

Merged
merged 9 commits into from
Oct 3, 2022
Merged

[core] Support encrypted redis connection. #28628

merged 9 commits into from
Oct 3, 2022

Conversation

fishbone
Copy link
Contributor

@fishbone fishbone commented Sep 19, 2022
edited
Loading

Why are these changes needed?

This PR support encrypted redis connection. If the address starts with rediss:https://, it'll start the redis in SSL mode.

To support better ssl, redis is also upgraded. It's not supposed to impact ray because it's the user's responsibility to provide a redis.

Right now all flags are provided by the os envs. It's not ideal and we should design a better format when we refactor the db layer.

Besides, right now gRPC is using OS envs for the encrypted connection in ray, just follow this pattern for now.

Related issue number

Closes #27371

Checks

  • I've signed off every commit(by using the -s flag, i.e., git commit -s) in this PR.
  • I've run scripts/format.sh to lint the changes in this PR.
  • I've included any doc changes needed for https://docs.ray.io/en/master/.
  • I've made sure the tests are passing. Note that there might be a few flaky tests, see the recent failures at https://flakey-tests.ray.io/
  • Testing Strategy
    • Unit tests
    • Release tests
    • This PR is not tested :(

@fishbone fishbone marked this pull request as ready for review September 20, 2022 23:59
@fishbone fishbone force-pushed the rediss-support branch 2 times, most recently from 9fbbec2 to 1afb5a9 Compare September 21, 2022 00:21
@fishbone
Copy link
Contributor Author

hmmm, it seems the building of redis has some issues. I'm looking into this.

@fishbone
Copy link
Contributor Author 

sentinel.c:34:10: fatal error: openssl/ssl.h: No such file or directory
   34 | #include "openssl/ssl.h"
      |          ^~~~~~~~~~~~~~~

I need to change the bazel rule to build redis.

scv119
scv119 reviewed Sep 21, 2022
View reviewed changes
src/ray/common/ray_config_def.h
@@ -655,6 +655,16 @@ RAY_CONFIG(std::string, TLS_SERVER_CERT, "")
RAY_CONFIG(std::string, TLS_SERVER_KEY, "")
RAY_CONFIG(std::string, TLS_CA_CERT, "")

/// Location of Redis TLS credentials
/// https://github.com/redis/hiredis/blob/c78d0926bf169670d15cfc1214e4f5d21673396b/README.md#hiredis-openssl-wrappers
RAY_CONFIG(bool, REDIS_ENABLE_SSL, false)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm why upper case?

scv119
scv119 reviewed Sep 21, 2022
View reviewed changes
Copy link
Contributor

@scv119 scv119 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also, is it possible to add a test to show it works e2e?

src/ray/gcs/redis_context.cc
}
}


Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we call redisFreeSSLContext here in the destructor?

@scv119 scv119 added the @author-action-required The PR author is responsible for the next step. Remove tag to send back to the reviewer. label Sep 21, 2022
simon-mo
simon-mo previously approved these changes Sep 21, 2022
View reviewed changes
Copy link
Contributor

@simon-mo simon-mo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little bit confused by this PR. What's the workflow for:

bazel/ray_deps_setup.bzl Outdated
Comment on lines 103 to 105
# patches = [
# "@com_github_ray_project_ray//thirdparty/patches:redis-quiet.patch",
# ],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we still need this patch?

@simon-mo simon-mo self-requested a review September 21, 2022 20:08
@simon-mo simon-mo dismissed their stale review September 21, 2022 20:08

didn't mean to approve, this PR needs documentation change as well

@fishbone
Copy link
Contributor Author

@scv119 ah,, I forget to include the unit test. I actually have one but forgot to add.

@fishbone
Copy link
Contributor Author

@simon-mo the services change is only for testing. Ray will not start redis for the user anymore. Ideally, the Redis change should be moved from the service.py to test.py.
So:

use SSL with the redis bundled/started by Ray (I assume this is supported by the services.py:_start_redis_instance change. Do users need to supply all the CERTs parameters?

It's the user's responsibility to bring a redis. How to setup the cert it depends on the Redis doc.

Which env var does the user use to connect to hosted redis (e.g. aws memorystore https://docs.aws.amazon.com/memorydb/latest/devguide/getting-startedclusters.connecttonode.html)

I'm not quite sure about AWS's use case. I think here it's more related to the Redis client itself. Everything is based on Redis protocol.

@fishbone
Copy link
Contributor Author

didn't mean to approve, this PR needs documentation change as well

@simon-mo right now, all the GCS Fault Tolerance features are only to support ray serve and the only place where ray serves can be HA will be in KubeRay Ray Service Operator. The users can't simply use these features by themselves.

I think we should just add the flags into the kuberay's doc. So it shouldn't be in this one. I'll add it once it's merged.

@fishbone
reset
7d578a7 
Signed-off-by: Yi Cheng <[email protected]>
@fishbone
stash
37250da 
Signed-off-by: Yi Cheng <[email protected]>
ijrsvt
ijrsvt reviewed Sep 27, 2022
View reviewed changes
bazel/ray_deps_setup.bzl Outdated
@@ -98,8 +98,8 @@ def ray_deps_setup():
auto_http_archive(
name = "com_github_antirez_redis",
build_file = "@com_github_ray_project_ray//bazel:BUILD.redis",
url = "https://github.com/redis/redis/archive/6.0.10.tar.gz",
sha256 = "900cb82227bac58242c9b7668e7113cd952253b256fe04bbdab1b78979cf255a",
url = "https://github.com/redis/redis/archive/refs/tags/7.0.4.tar.gz",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we switch to 7.0.5 for Security Fixes?

@ijrsvt ijrsvt mentioned this pull request Sep 27, 2022
Closed
7 tasks
simon-mo
simon-mo approved these changes Sep 27, 2022
View reviewed changes
Copy link
Contributor

@simon-mo simon-mo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we consider a better API like RAY_REDIS_ADDRESS=rediss:https://...?

@fishbone
Copy link
Contributor Author

@simon-mo updated to rediss:https://

@fishbone
fix comment
fe3839e 
Signed-off-by: Yi Cheng <[email protected]>
@fishbone
[rebuild_base] rebuild base
f4c3c55 
Signed-off-by: Yi Cheng <[email protected]>
@fishbone
fix
30e782a 
Signed-off-by: Yi Cheng <[email protected]>
@fishbone
fix lint
be816ef 
Signed-off-by: Yi Cheng <[email protected]>
@fishbone
fix win build
03a8443 
Signed-off-by: Yi Cheng <[email protected]>
@fishbone
Copy link
Contributor Author

fishbone commented Oct 3, 2022

test failure not related.

@fishbone fishbone merged commit 7167f9c into ray-project:master Oct 3, 2022
@fishbone fishbone deleted the rediss-support branch October 3, 2022 05:28
rkooo567 added a commit that referenced this pull request Oct 3, 2022
@rkooo567
Revert "[core] Support encrypted redis connection. (#28628)"
e71d0d6 
This reverts commit 7167f9c.
@rkooo567 rkooo567 mentioned this pull request Oct 3, 2022
Merged
rkooo567 added a commit to rkooo567/ray that referenced this pull request Oct 3, 2022
@rkooo567
Revert "[core] Support encrypted redis connection. (ray-project#28628)"
5d7be34 
This reverts commit 7167f9c.
rkooo567 added a commit to rkooo567/ray that referenced this pull request Oct 3, 2022
@rkooo567
Revert "Revert "[core] Support encrypted redis connection. (ray-proje…
b3f6587 
…ct#28628)""

This reverts commit 5d7be34.
rkooo567 added a commit that referenced this pull request Oct 3, 2022
@rkooo567
Revert "[core] Support encrypted redis connection." (#28991)
d48e06b 
Reverts #28628

Looks like this fails the build in the master. I verified it works after reverting this PR

```
ERROR: /Users/sangbincho/work/ray/BUILD.bazel:2764:18 Executing genrule //:cp_redis failed: (Exit 64): bash failed: error executing command 
  (cd /private/var/tmp/_bazel_sangbincho/f7d6f25d281df169000c577629db7adf/sandbox/darwin-sandbox/1985/execroot/com_github_ray_project_ray && \
  exec env - \
    PATH=/Users/sangbincho/google-cloud-sdk/bin:/Users/sangbincho/anaconda3/envs/core/bin:/Users/sangbincho/anaconda3/condabin:/Users/sangbincho/.nvm/versions/node/v14.19.2/bin:/Library/Frameworks/Python.framework/Versions/3.8/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin:/Users/sangbincho/.cargo/bin:/Users/sangbincho/bin \
  /bin/bash -c 'source external/bazel_tools/tools/genrule/genrule-setup.sh; 
    mkdir tmp-redis-bin
    cp bazel-out/darwin-opt/bin/external/com_github_antirez_redis/copy_redis/redis bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/bin/redis-cli bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/bin/redis-server bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/include ./tmp-redis-bin/ -rf
    cp tmp-redis-bin/redis-server bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-server
    chmod +x bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-server
    cp tmp-redis-bin/redis-cli bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-cli
    chmod +x bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-cli
    rm -rf tmp-redis-bin
    ')
Execution platform: @local_config_platform//:host
```
WeichenXu123 pushed a commit to WeichenXu123/ray that referenced this pull request Dec 19, 2022
@fishbone @WeichenXu123
[core] Support encrypted redis connection. (ray-project#28628)
e85749b 
This PR supports the encrypted redis connection. If the address starts with rediss:https://, it'll start the redis in SSL mode.

To support better ssl, redis is also upgraded. It's not supposed to impact ray because it's the user's responsibility to provide a redis.

Right now all flags are provided by the os envs. It's not ideal and we should design a better format when we refactor the db layer.

Besides, right now gRPC is using OS envs for the encrypted connection in ray, just follow this pattern for now.

Signed-off-by: Weichen Xu <[email protected]>
WeichenXu123 pushed a commit to WeichenXu123/ray that referenced this pull request Dec 19, 2022
@rkooo567 @WeichenXu123
Revert "[core] Support encrypted redis connection." (ray-project#28991)
f79460b 
Reverts ray-project#28628

Looks like this fails the build in the master. I verified it works after reverting this PR

```
ERROR: /Users/sangbincho/work/ray/BUILD.bazel:2764:18 Executing genrule //:cp_redis failed: (Exit 64): bash failed: error executing command
  (cd /private/var/tmp/_bazel_sangbincho/f7d6f25d281df169000c577629db7adf/sandbox/darwin-sandbox/1985/execroot/com_github_ray_project_ray && \
  exec env - \
    PATH=/Users/sangbincho/google-cloud-sdk/bin:/Users/sangbincho/anaconda3/envs/core/bin:/Users/sangbincho/anaconda3/condabin:/Users/sangbincho/.nvm/versions/node/v14.19.2/bin:/Library/Frameworks/Python.framework/Versions/3.8/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin:/Users/sangbincho/.cargo/bin:/Users/sangbincho/bin \
  /bin/bash -c 'source external/bazel_tools/tools/genrule/genrule-setup.sh;
    mkdir tmp-redis-bin
    cp bazel-out/darwin-opt/bin/external/com_github_antirez_redis/copy_redis/redis bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/bin/redis-cli bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/bin/redis-server bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis/include ./tmp-redis-bin/ -rf
    cp tmp-redis-bin/redis-server bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-server
    chmod +x bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-server
    cp tmp-redis-bin/redis-cli bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-cli
    chmod +x bazel-out/darwin-opt/bin/external/com_github_antirez_redis/redis-cli
    rm -rf tmp-redis-bin
    ')
Execution platform: @local_config_platform//:host
```

Signed-off-by: Weichen Xu <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@scv119 scv119 scv119 left review comments

@ijrsvt ijrsvt ijrsvt left review comments

@simon-mo simon-mo simon-mo approved these changes

Assignees

@scv119 scv119

@rkooo567 rkooo567

@simon-mo simon-mo

Labels
@author-action-required The PR author is responsible for the next step. Remove tag to send back to the reviewer.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Core] Support rediss:https:// - TCP protected external Redis instances
5 participants
@fishbone @scv119 @simon-mo @ijrsvt @rkooo567