This is important when using redis as a cache for sensitive information, like credit card information.
Specifically with PCI compliance, you have to guarantee that the credit card information is never written to disk.
Backstory: http://dojo4.com/blog/using-redis-with-sensitive-information
Comment From: mattsta
Here's a first attempt at adding global disable persist options: https://github.com/mattsta/redis/commit/e13b83d3a48e51885a55efe5b2f787973b0fddec
New configuration options (can be set at start only, no live changes):
- disable-replication - removes SYNC, SLAVEOF, MIGRATE commands and also adds guards to write functions making sure they can't be forced to run. Disables CONFIG REWRITE so people can't try to change configuration options to hold data then save it to disk. Disables SHUTDOWN SAVE.
- disable-all-persistence - removes MIGRATE, REPLCONF, SYNC, PSYNC, SLAVEOF, CLUSTER commands and also adds guards to replication functions to make sure they can't be circumvented through other means. This config option has a long name and includes an annoying-to-type word like "persistence" to hopefully stop people from enabling it by mistake.
disable-all-persistence automatically enables disable-replication because a.) we don't want replicas to persist our data and b.) replication requires serializing the DB to disk to send to the replica.
If you're on Linux, disable-all-persistence also attempts to lock all memory into RAM to stop anything from entering your swap space. That can only happen if you either run as root or have explicit capability CAP_IPC_LOCK.
The implementation is very paranoid. It disables commands then, in the commands themselves, each potential write command aborts if nopersist is set, then in the functions performing writes or network connections, the function immediately returns if nopersist (or noreplication) is set.
The reason for the multi-layered approach is: some operations like saving an RDB have multiple entry points (SAVE, the save config option, SHUTDOWN SAVE, ...) and I wanted to make sure all potential entry points were disabled. It'll make security audit people happier having multi-layered denies. (Also, I didn't think to just delete commands until the end, so the disable guards are still in each command function.)
Comment From: milesmatthias
:thumbsup: awesome!
Comment From: yossigo
This is an old issue; it is now possible to disable persistence as well as to rely on diskless replication at both the master and the replica side. Closing.
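As an added example (not code from this issue thread or from the Redis project), here is a small audit of a redis.conf for the settings the closing comment refers to: RDB snapshotting, the AOF, and diskless replication on the master and replica side. The directive names, their defaults and the rule that `save` lines accumulate while `save ""` clears them are assumed from the standard redis.conf, not taken from this issue.

```python
"""Audit a redis.conf for settings that let cached data reach disk (added example).

Assumes the standard directives save, appendonly, repl-diskless-sync and
repl-diskless-load, and that `save` lines accumulate while `save ""` clears them.
"""
import shlex

def parse_redis_conf(text):
    """Return {directive: [arg-list, ...]} in file order; comments and blanks skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def effective_save_points(conf):
    """Replay `save` lines: `save N M` adds a trigger, `save ""` clears them all."""
    points = []
    for args in conf.get("save", []):
        points = [] if args == [""] else points + [tuple(args)]
    return points

def last_value(conf, directive, default):
    """Redis honours the last occurrence of a single-valued directive."""
    return conf.get(directive, [[default]])[-1][0].lower()

def audit_persistence(text):
    """Return findings; an empty list means this file keeps data off disk."""
    conf = parse_redis_conf(text)
    findings = []
    if "save" not in conf:
        findings.append('no save directive: add `save ""` so snapshotting is explicitly off')
    elif effective_save_points(conf):
        findings.append("RDB snapshots enabled: %r" % effective_save_points(conf))
    if last_value(conf, "appendonly", "no") == "yes":
        findings.append("appendonly yes: every write is logged to the AOF on disk")
    if last_value(conf, "repl-diskless-sync", "no") != "yes":
        findings.append("repl-diskless-sync not yes: master writes an RDB to disk to feed replicas")
    if last_value(conf, "repl-diskless-load", "disabled") == "disabled":
        findings.append("repl-diskless-load disabled: replica stores the RDB on disk before loading")
    return findings

# Constructed sample configs: a stock-looking one and a hardened one.
WEAK_CONF = "save 3600 1\nsave 300 100\nappendonly yes\n"
HARDENED_CONF = 'save ""\nappendonly no\nrepl-diskless-sync yes\nrepl-diskless-load swapdb\n'
```

Run `audit_persistence()` over your own redis.conf; a non-empty result lists each path by which data could still be written to disk.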