Why Choose Redis on CentOS Stream 9?
When migrating systems from CentOS 7 (now EOL) to CentOS Stream 9, I’ve noticed a common mistake. Many developers still install Redis using a “quick-and-dirty” approach: install it, open the port, and let it run. This works for a lab environment. However, in a strict production environment like RHEL/CentOS, you will immediately hit the security barriers of SELinux and Firewalld.
Redis (Remote Dictionary Server) is the top choice for cache servers due to its extremely low latency, often under 1ms. To make it run smoothly on CentOS Stream 9, we need a more professional approach. The goal isn’t just to make it “work,” but to make it “run securely.”
Deployment Method Comparison
Before typing any commands, let’s look at three approaches I’ve gathered from various real-world projects:
1. Installing from Source Code
- Pros: Get the latest Redis 7.2+ immediately, deep customization of compilation parameters.
- Cons: A nightmare for managing updates and lacks automatic systemd integration.
2. Deploying via Docker
- Pros: Excellent environment isolation, deploys in a heartbeat.
- Cons: Network overhead of about 5-10% depending on configuration. Managing a Redis Cluster via Docker is also more complex.
3. Installing from AppStream (Recommended)
- Pros: Extremely stable, built and maintained by Red Hat. Easy updates via dnf, and it ships with a ready-made SELinux policy (the redis_t domain plus the redis_port_t and redis_var_lib_t types used below), so a default install runs confined without any extra work.
- Cons: Versions are typically a few months behind the upstream release.
My Choice: Prioritize AppStream for systems requiring long-term stability. It makes future maintenance much easier.
Production-Grade Redis Deployment Steps
Step 1: Install from the Official Repo
On CentOS Stream 9, Redis is available in the default repository. Simply run:
sudo dnf makecache
sudo dnf install redis -y
Once installed, check the version. You will typically get Redis 6.2 or 7.0 depending on the current repo update:
redis-server --version
Step 2: Optimizing Configuration and Security
Open the configuration file at /etc/redis/redis.conf. Don’t stick with the defaults; modify the following parameters:
sudo vi /etc/redis/redis.conf
- Access security: By default Redis listens only on loopback (the bind 127.0.0.1 line). If an application server needs to reach it, add that server's private IP to the line rather than replacing loopback, e.g. bind 127.0.0.1 10.0.0.10, and keep protected-mode yes. Never comment the bind line out: with no bind directive Redis listens on every interface, and only the firewall then stands between it and the network.
- Set a password: Find the requirepass line and set a random password of at least 32 characters. Redis can answer on the order of 150,000 commands per second and has no lockout or rate limit for failed AUTH attempts, so a short password can be brute-forced at that same rate. On Redis 6 and later, prefer per-application ACL users (user app on >password ~cache:* +@read +@write) over one shared default password where the application supports it.
- RAM limits: Cap Redis so it cannot consume all memory and trigger the OOM killer, which would take down the whole box:
maxmemory 2gb # depending on your server's RAM
maxmemory-policy allkeys-lru
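As an added example (not from the original post, and not part of the Redis package), the following script applies the Step 2 settings to a copy of redis.conf and audits any redis.conf for the weak settings described above. The file paths, the application-server address 10.0.0.10 and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: generate a hardened copy of
# redis.conf with the Step 2 settings, and audit any redis.conf for the weak
# settings discussed there. Paths, the 10.0.0.10 address and function names
# are assumptions; run against a copy, then diff before installing it.
set -eu

# 48 random alphanumerics (~285 bits), well past the 32-character floor.
gen_password() { LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 48; }

# conf_get <conf> <directive>: active value of a directive; the last
# uncommented occurrence wins, which is how redis-server reads the file.
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 } END { print v }' "$1"
}

# harden_redis_conf <in.conf> <out.conf> <app_server_ip> <password> <maxmemory>
# Removes every existing copy (active or commented) of the directives we set,
# so exactly one authoritative line remains, then appends the hardened block.
harden_redis_conf() {
    local in="$1" out="$2" ip="$3" pass="$4" mem="$5"
    { grep -Ev '^[[:space:]]*#?[[:space:]]*(bind|protected-mode|requirepass|maxmemory|maxmemory-policy)[[:space:]]' "$in" \
        || [ $? -eq 1 ]; } > "$out"       # grep exits 1 when nothing is left; not an error
    cat >> "$out" <<EOF
# --- hardening added by harden_redis_conf ---
bind 127.0.0.1 $ip
protected-mode yes
requirepass $pass
maxmemory $mem
maxmemory-policy allkeys-lru
EOF
    chmod 0640 "$out"                     # the file now holds a secret
}

# audit_redis_conf <conf>: print one FAIL line per weak setting; exit 1 if any.
audit_redis_conf() {
    local conf="$1" rc=0 bind pass pm mem a
    bind=$(conf_get "$conf" bind)
    pass=$(conf_get "$conf" requirepass)
    pm=$(conf_get "$conf" protected-mode)
    mem=$(conf_get "$conf" maxmemory)
    if [ -z "$bind" ]; then
        echo "FAIL bind: absent, redis-server listens on every interface"; rc=1
    else
        set -f                            # "bind *" must not glob-expand to file names
        for a in $bind; do
            case "$a" in
                0.0.0.0|-0.0.0.0|'*'|::|'::*'|'-::*') echo "FAIL bind: wildcard address $a"; rc=1 ;;
            esac
        done
        set +f
    fi
    if [ -z "$pass" ]; then
        echo "FAIL requirepass: not set"; rc=1
    elif [ "${#pass}" -lt 32 ]; then
        echo "FAIL requirepass: ${#pass} characters, want at least 32"; rc=1
    fi
    if [ "$pm" = "no" ]; then
        echo "FAIL protected-mode: disabled"; rc=1
    fi
    if [ -z "$mem" ] || [ "$mem" = "0" ]; then
        echo "FAIL maxmemory: unlimited, an OOM kill will take the whole box"; rc=1
    fi
    return "$rc"
}

# Typical use on the host (as root), reviewing the diff before installing:
#   harden_redis_conf /etc/redis/redis.conf /tmp/redis.conf.new 10.0.0.10 "$(gen_password)" 2gb
#   diff -u /etc/redis/redis.conf /tmp/redis.conf.new
#   audit_redis_conf /tmp/redis.conf.new && install -o redis -g root -m 0640 /tmp/redis.conf.new /etc/redis/redis.conf
```

The audit deliberately treats a missing bind line and a missing maxmemory as failures, since both are the defaults a copied-in lab config tends to carry; the generated password is printed nowhere, so capture it from gen_password into a secret store before you install the file.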
Step 3: Taming SELinux
Don't just type setenforce 0. Disabling SELinux is an irresponsible way to handle system security. The targeted policy confines redis-server to the redis_t domain and only lets it listen on ports labelled redis_port_t (6379 by default; sudo semanage port -l | grep redis shows the full list). If you change the port (e.g., to 6380), you must inform SELinux:
# Install management tools if not already present
sudo dnf install policycoreutils-python-utils -y
sudo semanage port -a -t redis_port_t -p tcp 6380
If semanage reports that the port is already defined for another type, use semanage port -m (modify) instead of -a. If you move the data directory (the dir directive, which holds both RDB dumps and AOF files) away from /var/lib/redis, the new directory must carry the Redis data type and be owned by redis:redis. Do not use chcon for this: it changes the label in place only, so the next restorecon or relabel silently reverts it, and svirt_sandbox_file_t is the container type (an alias of container_file_t), not the one redis_t is allowed to write. Record the rule in the policy and apply it:
sudo semanage fcontext -a -t redis_var_lib_t "/var/lib/redis_custom(/.*)?"
sudo restorecon -Rv /var/lib/redis_custom
Verify with ls -Zd /var/lib/redis_custom; if Redis still fails to start, sudo ausearch -m AVC -ts recent shows the exact denial.
Step 4: Structured Firewalld Setup
By default, CentOS Stream 9 drops incoming connections except for the few services in its public zone (such as ssh). Don't open the Redis port to the world with --add-port; allow only the application server's IP using a rich rule in the default zone (add --zone=... if your interface sits elsewhere), and verify it:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.50" port protocol="tcp" port="6379" accept'
sudo firewall-cmd --reload
sudo firewall-cmd --list-rich-rules
Repeat the rule for each additional application server rather than widening it to a subnet. This limits who can even reach the port: a leaked password is then usable only from the allowed source. It is not a substitute for the password, since anyone with a foothold on that application server still has a path in, so rotate requirepass if it leaks.
Real-world Issue: Handling “Transparent Huge Pages” and Overcommit
When checking Redis logs (journalctl -u redis), you might see warnings about THP. Transparent Huge Pages let the kernel back processes with 2 MB pages instead of 4 KB ones. That is bad for Redis: after the fork for a background save, every write to a shared page forces a copy-on-write of a whole huge page, so memory use balloons and latency spikes while the save runs.
Create a service to disable THP permanently on boot, ordered before Redis so redis-server finds it already off when it checks at startup:
sudo vi /etc/systemd/system/disable-thp.service
File content:
[Unit]
Description=Disable Transparent Huge Pages (THP)
# redis-server checks the THP setting at startup, so run before it
Before=redis.service
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo never > /sys/kernel/mm/transparent_hugepage/enabled'
# Keep the unit reported as active after the one-shot write
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Additionally, set vm.overcommit_memory = 1. Background saves (BGSAVE and AOF rewrites) fork the whole redis-server process; under the default heuristic mode (0) the kernel may refuse to fork a large instance with "Cannot allocate memory", even though copy-on-write means the child rarely touches most of those pages. On CentOS Stream 9 put the setting in a drop-in instead of editing /etc/sysctl.conf, then load it:
echo 'vm.overcommit_memory = 1' | sudo tee /etc/sysctl.d/99-redis.conf
sudo sysctl --system
Activation and Verification
Now it's time to enjoy the results. Reload systemd so it picks up the new unit, disable THP first, then start Redis:
sudo systemctl daemon-reload
sudo systemctl enable --now disable-thp.service
sudo systemctl enable --now redis
Do not pass the password with redis-cli -a: it lands in the process list and in your shell history (redis-cli prints a warning about exactly this). Read it into the REDISCLI_AUTH environment variable instead, and confirm that Redis is listening only on the addresses you configured:
read -rs REDISCLI_AUTH && export REDISCLI_AUTH   # type the password; it is neither echoed nor saved in history
redis-cli ping
sudo ss -tlnp | grep redis-server
A result of PONG, with only 127.0.0.1 and your private IP in the ss output, means your system is ready to serve tens of thousands of requests per second.
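Pulling the SELinux, firewalld, bind-address, THP and overcommit steps together, here is an added post-deployment check script (example code, not from the original post or the Redis project). Each check parses the output of one system command, so the parsers can be exercised on captured text; run the script with --live on the host to query the real commands. The port 6379 and the application-server IP 10.0.0.50 are the post's example values; REDIS_PASSWORD is an assumed environment variable holding the requirepass value.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: post-deployment checks for the
# settings configured above. Every check parses the output of one command so
# it can be tested on captured text; run_live_checks feeds it real output.
# Assumed values: REDIS_PORT, APP_IP (the post's examples) and REDIS_PASSWORD.
set -eu

REDIS_PORT=${REDIS_PORT:-6379}
APP_IP=${APP_IP:-10.0.0.50}

# thp_disabled <contents of /sys/kernel/mm/transparent_hugepage/enabled>
# The kernel brackets the active mode, e.g. "always madvise [never]".
thp_disabled() { case "$1" in *"[never]"*) return 0 ;; *) return 1 ;; esac; }

# overcommit_ok <output of: sysctl -n vm.overcommit_memory>
overcommit_ok() { [ "$1" = "1" ]; }

# selinux_port_labeled <output of: semanage port -l> <port>
# Matching line looks like: "redis_port_t    tcp    6379, 16379, 26379"
selinux_port_labeled() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "redis_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# firewall_rule_present <output of: firewall-cmd --list-rich-rules> <source_ip> <port>
# Accepts both the form you typed and firewalld's normalised form
# (rule family="ipv4" source address="..." port port="6379" protocol="tcp" accept).
firewall_rule_present() {
    printf '%s\n' "$1" | awk -v ip="$2" -v p="$3" '
        index($0, "source address=\"" ip "\"") && index($0, "port=\"" p "\"") && /accept/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# redis_bind_private <output of: ss -Htlnp>   (run ss as root to see process names)
# Passes only if redis-server is listening and none of its sockets sit on a
# wildcard address (0.0.0.0, [::] or *), i.e. the bind line was not blanked.
redis_bind_private() {
    printf '%s\n' "$1" | awk '
        /redis-server/ { n++; if ($4 ~ /^(0\.0\.0\.0|\[::\]|[*]):[0-9]+$/) bad = 1 }
        END { exit (n > 0 && !bad) ? 0 : 1 }'
}

# check <label> <function> <args...>: print PASS/FAIL and count failures.
check() {
    local label="$1"; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; FAILED=$((FAILED + 1)); fi
}

run_live_checks() {
    FAILED=0
    check "THP disabled" thp_disabled "$(cat /sys/kernel/mm/transparent_hugepage/enabled)"
    check "vm.overcommit_memory = 1" overcommit_ok "$(sysctl -n vm.overcommit_memory)"
    check "SELinux: tcp/$REDIS_PORT labelled redis_port_t" \
        selinux_port_labeled "$(sudo semanage port -l)" "$REDIS_PORT"
    check "firewalld: $APP_IP may reach tcp/$REDIS_PORT" \
        firewall_rule_present "$(sudo firewall-cmd --list-rich-rules)" "$APP_IP" "$REDIS_PORT"
    check "redis-server not bound to a wildcard address" redis_bind_private "$(sudo ss -Htlnp)"
    # REDISCLI_AUTH keeps the password out of ps and shell history (unlike -a)
    check "AUTH + PING" sh -c 'REDISCLI_AUTH="$1" redis-cli -p "$2" ping | grep -q PONG' \
        _ "${REDIS_PASSWORD:?set REDIS_PASSWORD}" "$REDIS_PORT"
    return "$FAILED"
}

# Only touch the live system when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it as REDIS_PASSWORD=... ./redis-postcheck.sh --live after the steps above; the exit status is the number of failed checks, which makes it usable from a configuration-management handler or a CI job that provisions the host.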
Practical Conclusion
Deploying Redis on CentOS Stream 9 isn’t hard. The challenge is making it survive securely in an enterprise environment. Adhering to SELinux and Firewalld might take an extra 10 minutes of configuration, but it will protect your data from unnecessary risks. Good luck optimizing your system!
