Database: Redis
The Redis database runs as a Podman rootfull container, bound to TCP port 6379.
General
Redis is not used only as a database:
- it exchanges messages among agents and the API server
- it helps modules to discover information about the core and other modules
- it provides a signaling bus based on its PUB/SUB feature
- it stores (a copy of) the system and modules configuration
- it is an authentication backend for the management UI and the agents
Get the Redis service status:
systemctl status redis
If any change occurs in the Redis database, it is persisted on the disk within 5 seconds. The following command prints the database path:
podman volume inspect redis-data | jq -r .[].Mountpoint
Access Redis with one of the following commands:
redis-cli PING
-
The
redis-clicommand is faster when invoked by the root user, because it runs a command in the existingredisrootfull container. For non-root users a temporary container is created and destroyed. -
The
redis-clicommand attempts to connect with the higher available Redis privileges, by readingagent.envfiles.
A Python-based helper script, redis-exec is available and it better
suits Bash action scripts as it does not start any container. This client
is synchronous as it waits for the server response:
runagent redis-exec PING
Note that the runagent wrapper is needed because redis-exec is
designed to run inside an “agent environment”.
An alternative, synchronous invocation relies on the nc command,
provided by the nmap-ncat RPM (good for development environments):
nc 127.0.0.1 6379 <<EOF
PING
EOF
For completeness here is a pure Bash invocation that does not wait the server response:
cat >/dev/tcp/127.0.0.1/6379 <<EOF
PING
EOF
Redis is a key/value database. Some key naming rules are enforced because access rights are based on key name patterns. Both admin UI users and agents have their own Redis credentials for authentication and authorization.
Some key rule examples:
-
module/{module_id}/environmentThe key type is HASH. It stores a copy of environment variables of the module module_id. -
node/{node_id}/vpnThe key type is HASH. It stores the cluster VPN configuration applied by the node agent node_id -
cluster/node_sequenceThe key value is an integer. As the name suggests it is used to generate a node ID, when a new node is added to the cluster.
Redis provides blocking pop operations on lists. The BRPOP command is used
by agents to wait on a queue for incoming tasks. Task queues keys look
like module/{module_id}/tasks.
Redis provides PUB/SUB operations on channels. Channels are used to implement the observer pattern, for instance in the following situations:
-
An agent wants to notify the UI about the progress of a running task. The channel name in this case looks like
progress/module/{module_id}/task/{uuid}. -
An agent wants to communicate to other agents that a particular event occurred (e.g. a TLS certificate was automatically renewed). The channel name in this case could be like
module/{module_id}/event/{event_name}
Schema
The complete Redis schema is frequently updated.
Legend:
/logical key namespace separator.hash field
cluster
| key | type | description |
|---|---|---|
| cluster/network | CIDR | WireGuard VPN network, default: 10.5.4.0/24 |
| cluster/default_instance/{image} | STRING | a module ID for the given image ID |
| cluster/node_sequence | INTEGER | generate node IDs, default: 0 |
| cluster/module_sequence/{image} | INTEGER | module sequence to generate instances of image ID, default: 0 |
| cluster/tasks | QUEUE | see Task queue item |
| cluster/{id}/task/{id}/context | STRING | JSON representation of the queued task |
| cluster/task/{id}/error | STRING | stderr data generated by the action execution |
| cluster/task/{id}/output | STRING | output JSON data |
| cluster/task/{id}/exit_code | INTEGER | action exit code |
| cluster/roles/{role} | SET | glob patterns matching the actions that {role} can run. {role} is one of “owner”, “reader”… |
| cluster/environment | HASH | Cluster environment variables |
| cluster/ui_name | STRING | UI label for the cluster |
smarthost provider
| key | type | description |
|---|---|---|
| cluster/smarthost | HASH | Settings and credentials of a SMTP smarthost provider |
| cluster/smarthost.port | INTEGER | Public TCP port of the smtp server |
| cluster/smarthost.enabled | 0|1 | (0 disabled, 1 enabled) enable the smarthost provider |
| cluster/smarthost.tls | 0|1 | (0 disabled, 1 enabled) enable STARTTLS |
| cluster/smarthost.tls_verify | 0|1 | (0 disabled, 1 enabled) verify if the certificate is valid and if the hostname is associated to the certificate |
| cluster/smarthost.username | STRING | username for smtp credentials |
| cluster/smarthost.password | STRING | password for smtp credentials |
software repositories
| key | type | description |
|---|---|---|
| cluster/repository/{repo} | HASH | A software {repo} |
| cluster/repository/{repo} url | STRING | HTTPS URL of repository |
| cluster/repository/{repo} status | 0|1 | (0 disabled, 1 enabled) |
| cluster/repository/{repo} testing | 0|1 | (0 disabled, 1 enabled) |
| cluster/repository_cache/{repo} | HASH | Cache of remote repo metadata, with a TTL |
| cluster/repository_cache/{repo} data | STRING | It contains a JSON string from repodata.json |
| cluster/repository_cache/{repo} updates | STRING | Most recent modification date and time of remote repodata.json |
backup
| key | type | description |
|---|---|---|
| cluster/backup_repository/{repo} | HASH | A backup repository UUID |
| cluster/backup_repository/{repo} url | STRING | Restic URL of repository, eg. b2:<bucket>, s3:s3.amazonaws.com/<bucket> |
| cluster/backup_repository/{repo} password | STRING | Restic encrypt password |
| cluster/backup_repository/{repo} name | STRING | Custom repository name |
| cluster/backup_repository/{repo} provider | STRING | Provider name, can be: backblaze, aws |
| cluster/backup_repository/{repo} b2_account_id | STRING | Backblaze B2 account ID, present only if provider is backblaze |
| cluster/backup_repository/{repo} b2_account_key | STRING | Backblaze B2 account KEY, present only if provider is backblaze |
| cluster/backup_repository/{repo} aws_access_key_id | STRING | AWS S3 access key, present only if provider is aws |
| cluster/backup_repository/{repo} aws_secret_access_key | STRING | AWS S3 secret key, present only if provider is aws |
| cluster/backup_repository/{repo} aws_access_key_id | STRING | AWS S3 region, present only if provider is aws |
| cluster/backup/{id} | HASH | A backup repository numeric ID |
| cluster/backup/{id} name | STRING | Backup name |
| cluster/backup/{id} enabled | 0|1 | (0 disabled, 1 enabled) |
| cluster/backup/{id} repository | STRING | UUID of backup_repository |
| cluster/backup/{id} retention | INTEGER | Number of snapshots to keep |
| cluster/backup/{id} schedule | STRING | Schedule time using onCalendar systemd syntax |
| cluster/backup/{id} schedule_hint | STRING | Schedule in JSON format for the UI |
domains
| key | type | description |
|---|---|---|
| cluster/user_domain/ldap/{domain}/conf | HASH | An external LDAP domain |
| cluster/user_domain/ldap/{domain}/conf schema | STRING | It can be ad or rfc2307 |
| cluster/user_domain/ldap/{domain}/conf bindnd | STRING | LDAP bind DN |
| cluster/user_domain/ldap/{domain}/conf bind_password | STRING | LDAP bind password |
| cluster/user_domain/ldap/{domain}/conf base_dn | STRING | LDAP base DN |
| cluster/user_domain/ldap/{domain}/conf tls | STRING | Can be on or off |
| cluster/user_domain/ldap/{domain}/conf tls_verify | STRING | Can be on or off |
| cluster/user_domain/ldap/{domain}/providers | LIST | List of domain provider hosts |
| cluster/user_domain/ldap/{domain}/ui_names | HASH | UI labels for domain providers. The key is the provider name, eg ldap.ns.test:389 => mylabel |
| cluster/counters_cache/users/{domain} | INT | Cached number of users in the domain, updated by list APIs |
| cluster/counters_cache/groups/{domain} | INT | Cached number of groups in the domain, updated by list APIs |
node
| key | type | description |
|---|---|---|
| node/{id}/vpn | HASH | |
| node/{id}/vpn ip_address | STRING | IP address in cluster/network |
| node/{id}/vpn public_key | STRING | Public WireGuard VPN key |
| node/{id}/vpn destinations | STRING | List of networks in CIDR notation, routed through the VPN |
| node/{id}/vpn endpoint | STRING | Public IP or host name of the VPN endpoint with :port suffix |
| node/{id}/vpn listen_port | INTEGER | Public UDP port of the VPN endpoint, default: 55820 |
| node/{id}/vpn hub_id | INTEGER | node ID (for nodes without a public endpoint address) |
| node/{id}/flags | SET | FlagS to mark a node. Supported flags: nomodules, the node can’t run any module |
| node/{id}/tasks | QUEUE | see Task queue item |
| node/{id}/task/{id}/context | STRING | JSON representation of the queued task |
| node/{id}/task/{id}/error | STRING | stderr data generated by the action execution |
| node/{id}/task/{id}/output | STRING | output JSON data |
| node/{id}/task/{id}/exit_code | INTEGER | action exit code |
| node/{id}/roles/{role} | SET | glob patterns matching the actions that {role} can run. {role} is one of “owner”, “reader”… |
| node/{id}/tcp_ports_sequence | INTEGER | Lower boundary for the next TCP_PORTS_RANGE allocation, default: 2000 |
| node/{id}/default_instance/{image} | STRING | A module ID for the given image ID |
| node/{id}/environment | HASH | Node environment variables |
| node/{id}/ui_name | STRING | UI label for the node |
module
| key | type | description |
|---|---|---|
| module/{id}/environment | HASH | |
| module/{id}/tasks | QUEUE | see Task queue item |
| module/{id}/task/{id}/context | STRING | JSON representation of the queued task |
| module/{id}/task/{id}/error | STRING | stderr data generated by the action execution |
| module/{id}/task/{id}/output | STRING | output JSON data |
| module/{id}/task/{id}/exit_code | INTEGER | action exit code |
| module/{id}/roles/{role} | SET | glob patterns matching the actions that {role} can run. {role} is one of “owner”, “reader”… |
| module/{id}/backups | SET | List of backup numeric IDs |
| module/{id}/flags | SET | Images flags copied from org.nethserver.flags image label |
| module/{id}/srv/{transport}/{service} | HASH | Service discovery information for other modules. See Service providers |
task queue item
| key | type | description |
|---|---|---|
| .id | STRING | UUID generated by the API server |
| .action | STRING | e.g. list-users, install, create-domain… |
| .data | DATA | in any text or binary form e.g. a JSON STRING |
task progress
| key | type | description |
|---|---|---|
| progress/{agent_id}/task/{id} | CHANNEL NAME |
events
| key | type | description |
|---|---|---|
| {agent_id}/event/{id} | CHANNEL NAME | e.g. module/traefik1/event/certificate-updated |
user
| key | type | description |
|---|---|---|
| user/{username} | HASH | |
| user/{username} display_name | STRING | Name and surname |
| user/{username} email | STRING | Mail address |
roles
| key | type | description |
|---|---|---|
| roles/{username} | HASH | |
| roles/{username} {prefix} | STRING | Name of the role - {prefix} is module/mail1, cluster… |
traefik
| key | type | description |
|---|---|---|
| module/traefik{X}/certificate/{name} | HASH | |
| module/traefik{X}/certificate/{name} key | STRING | Base64 key of a x509 certificate |
| module/traefik{X}/certificate/{name} cert | STRING | Base64 x509 certificate |