IdeaArmour > Redis Enterprise Software > Release notes > 7.2.4 releases > 7.2.4-52 (August 2023)

Redis Enterprise Software release notes 7.2.4-52 (August 2023)

Redis Enterprise Software version 7.2.4 is now available!

Highlights

This version offers:

Redis 7.0 and 7.2 features
Auto Tiering (enhanced successor to Redis on Flash)
RESP3 support
Sharded pub/sub
A preview of the new Cluster Manager UI (admin console)
Redis Stack 7.2 features
Three Redis database versions: 7.2, 6.2, 6.0
License file structure updates
Redis ACL selectors and enhanced key-based permissions
New INFO fields
Log rotation enhancements
Multi-OS upgrade support for clusters with modules

New in this release

New features

Redis 7.0 features

The following Redis 7.0 features are now supported:

Redis functions
In Redis Enterprise Software, FUNCTION STATS returns an extra parameter, an array called all_running_scripts, to reflect multiple functions running at the same time.
Multipart AOF (append-only files)
New commands
Sharded PUBSUB (see Sharded pub/sub for details)

Redis 7.2 features

The following Redis 7.2 features are now supported:

Various performance improvements
CONFIG SET for locale
Connection layer modularization
Encoding improvements: listpack for sets and lists
Observability: authentication metrics (exposed by INFO command)
Stream consumer group improvements
Commands: ZRANK, ZREVRANK new WITHSCORE option
Shard IDs in cluster shards topology
Introduce shard ID to Redis cluster
Support CLIENT NO-TOUCH command
WAIT AOF

Auto Tiering - Redis on Flash evolution doubles throughput and reduces latency

Redis Enterprise version 7.2 introduces Auto Tiering as an enhanced successor to Redis on Flash, which allows you to provision larger databases at a lower cost by extending the RAM with flash drives.

Redis Enterprise Auto Tiering replaces RocksDB with Speedb as its storage engine, doubling the throughput and reducing latencies, achieved using the same infrastructure resources. For example, a 1 TB database with 50K ops/sec can now serve 100K ops/sec based on the same infrastructure.

To switch existing databases to use Speedb for Auto Tiering and improve performance:

Upgrade the cluster to Redis Enterprise Software version 7.2.4.
Upgrade each database with Auto Tiering enabled to Redis database version 7.2.

For more information about Auto Tiering, see:

RESP3 support

Support for RESP3 and the HELLO command was added in Redis Enterprise 7.2.

To use RESP3 with Redis Enterprise:

Upgrade Redis servers to version 7.2 or later.
For Active-Active and Replica Of databases:
1. Upgrade all participating clusters to Redis Enterprise version 7.2.x or later.
2. Upgrade all databases to version 7.x or later.
Enable RESP3 support for your database (enabled by default):
```
rladmin tune db db:<ID> resp3 enabled
```

If you run Redis Stack commands with Redis clients Go-Redis version 9 or Lettuce versions 6 and later, see client prerequisites before you upgrade to Redis 7.2 to learn how to prevent potential application issues due to RESP3 breaking changes.

Sharded pub/sub

Sharded pub/sub is now supported.

You cannot use sharded pub/sub if you deactivate RESP3 support.

New Cluster Manager UI preview

A preview of the new Cluster Manager UI (admin console) is available in Redis Enterprise Software version 7.2.4.

To try out the new UI:

On the sign-in screen:
1. Enter your credentials.
2. Select Sign in the new interface.
Sign in directly from the new UI’s sign-in screen at https://<hostname or IP address>:8443/new
If you are currently signed in to the legacy UI:
1. Select Switch to the new Admin Console to expand the banner at the top of the screen.
2. Click the Try it now button to open the new UI in another tab.

New UI benefits

User-driven design
Provides full functionality to complete tasks entirely in the UI
New attributes and improved feature visibility
Provides configuration flexibility while highlighting the recommended path
Addresses the needs of different personas and use cases
Quicker troubleshooting and easier maintenance

New UI highlights

More configurable database attributes, including replica high availability, shards placement, and proxy policy.
Nodes indicate whether it’s a primary or secondary node.
Modules show the databases that are using them.
Certificates show expiration and validity, and you can upload and copy certificates.
Cluster license displays the number of shards that are used out of the number of shards that are licensed to the cluster. The new UI allows you to paste or upload a new license.
Role-based access control (RBAC) has explanations to improve clarity.
Access Control List (ACLs) now support defining ACLs for modules.
The databases screen has more information per database for faster troubleshooting. It also allows you to filter databases and compare database metrics.
The cluster name, user, and user role are shown in the upper right for quickly identifying the cluster from any screen. You can also Change user password from the dropdown menu.
Auto Tiering licensing and a toggle for the storage engine used in Auto Tiering enabled databases (available only in the new UI).
Input validations.

New UI limitations

The following features are not supported in this preview but will be added in future releases. Until then, temporarily switch to the legacy UI to do the following:

Provision and configure Active-Active databases (viewing is available).
Search and export the event log.
Remove a node from the UI.

Additional limitations:

Although Redis supports memcached databases, the new UI only allows view and delete. Memcached users are advised to migrate to Redis to enjoy the full benefits of Redis and its UI.

To open the legacy admin console when signed in to the new UI, select your username, then select Switch to legacy Admin Console from the list:

Select switch to legacy admin console from the dropdown.

Future UI enhancements

Configure default database settings and database upgrade settings
Security preferences related to password and login management
LDAP improvements
IPv6 support
ACL improvements, such as ACLv2 smart validations
And more

Note:

With the release of the new Cluster Manager UI, the legacy UI is considered deprecated and will eventually be phased out. New functionality will only be implemented in the new Cluster Manager UI, and the old UI will no longer be maintained except for critical bug fixes.

Redis Stack 7.2 features

Redis Enterprise Software version 7.2.4 supports features included in Redis Stack version 7.2.

The following sections include a few highlights. For more details, see the Redis Stack 7.2 release notes.

Search and query

Introduces Geo Polygon Search. Geo range queries now accept the GEOSHAPE field type, which supports polygon shapes using WKT notation. GEOSHAPE supports POLYGON and POINT as shape formats and polygon operations.
Performance improvements for SORT BY operations using FT.SEARCH and FT.AGGREGATE.
New FORMAT for improved readability and future support for better error handling responses on FT.SEARCH and FT.AGGREGATE in RESP3 only.

JSON

JSON introduces two new commands:

JSON.MERGE merges a given JSON value into matching paths to update, delete, or expand the JSON values at the matching paths.
JSON.MSET sets or updates one or more JSON values according to specified key-path-value triplets.

Triggers and functions preview

A preview of triggers and functions is available.

Triggers and functions provide support for running JavaScript functions inside the Redis process. These functions can be executed on-demand, by an event-driven trigger, or by a stream processing trigger.

Try it out with the triggers and functions quick start.

Note:

The preview version of triggers and functions is not intended for production use since the API might change in the future and potentially cause application issues when upgrading to a later version.
During preview, triggers and functions are not supported for databases with Auto Tiering enabled (previously known as Redis on Flash).

Module versions

Redis Enterprise Software version 7.2.4 includes the following Redis Stack modules:

See Upgrade modules to learn how to upgrade a module for a database.

Enhancements

Three Redis database versions

Redis Enterprise Software version 6.x includes two Redis database versions: 6.0 and 6.2. As of version 7.2, Redis Enterprise Software includes three Redis database versions: 6.0, 6.2, and 7.2.

To view available Redis database versions:

In the Cluster Manager UI, see Redis database versions on the Cluster > Configuration screen.
Send a GET /nodes REST API request and see supported_database_versions in the response.

The default Redis database version, which is used when you upgrade an existing database or create a new one, differs between Redis Enterprise releases as follows:

Redis Enterprise	Bundled Redis DB versions	Default DB version (upgraded/new databases)
7.2	6.0, 6.2, 7.2	7.2
6.4.2	6.0, 6.2	6.2
6.2.x	6.0, 6.2	6.0

For Redis Enterprise Software version 7.2.4, default_redis_version is 7.2 for both major and latest upgrade policies.

Updated Redis Enterprise license format

Redis Enterprise Software version 7.2.4 includes updates to its license format, which add separate shard limits for RAM and flash shards used for Auto Tiering.

For more information, see Cluster license keys.

Redis ACL selectors and key-based permissions

Redis ACLs in Redis Enterprise version 7.2 support key permissions and selectors.

Key permissions:

%R~<pattern>: Grants read access to keys that match the given pattern.
%W~<pattern>: Grants write access to keys that match the given pattern.
%RW~<pattern>: Alias for ~<pattern>. Grants read and write access to keys that match the given pattern.
See key permissions for more information.

Selectors let you define multiple sets of rules in a single Redis ACL (only supported for databases with Redis version 7.2 or later). A command is allowed if it matches the base rule or any selector in the Redis ACL. See selectors for more information.

(<rule list>): Creates a new selector.
clearselectors: Deletes all existing selectors for a user. This action does not delete the base ACL rule.

Redis ACLs have the following differences in Redis Enterprise Software:

Nested selectors are not supported.
For example, the following selectors are not valid in Redis Enterprise: +GET ~key1 (+SET (+SET ~key2) ~key3)
Key and pub/sub patterns do not allow the following characters: '(', ')'
The following password syntax is not supported: '>', '<', '#!', 'resetpass'
To change passwords in Redis Enterprise Software, use one of the following methods:
- Cluster Manager UI (admin console)
- rladmin cluster reset_password:
```
rladmin cluster reset_password <user email>
```
- REST API PUT /v1/users request and provide password
The ACL builder does not support selectors and key permissions. Use Free text command to manually define them instead.

New INFO fields

The INFO command includes new fields:

Under the STATS section:
- current_eviction_exceeded_time - Redis Enterprise reply is always “0”
- total_eviction_exceeded_time - Redis Enterprise reply is always “0”
- current_active_defrag_time - Redis Enterprise reply is always “0”
- total_active_defrag_time - Redis Enterprise reply is always “0”
Under the MEMORY section:
- maxmemory_policy - The value of the maxmemory-policy configuration directive

The INFO command can now accept multiple section arguments (requires Redis database version 7 or later).

Log rotation enhancements

The logrotate tool rotates logs that exceed 200 MB.
logrotate runs every five minutes instead of once a day.
The job scheduler runs logrotate instead of the OS.
Every cluster upgrade overwrites the log rotation configuration.
You can edit the log rotation configuration at $pkgconfdir/logrotate.conf (pkgconfdir is /opt/redislabs/config by default, but can be changed in a custom installation). Note that the configuration file moved since last version.
You can change how often the logrotate tool runs using the job scheduler REST API request PUT /v1/job_scheduler.

Multi-OS upgrade support for clusters with modules

Starting from Redis Enterprise version 7.2, all future 7.2.x upgrades are supported for clusters containing databases with modules in combination with Operating System (OS) upgrades.

Resolved issues

RS54131 - +OK reply not received on TLS-enabled database
RS101525 - Cluster provides wrong number of database connections on Grafana
RS104028 - Fix the self-signed certificate script: error generating certificates with multiple FQDNs
RS87920 - Proxy log is full of the warning message “Failed to check status of running child syncer process 0 : No child processes“
RS99916 - Fixed the UI log to include the names of LDAP users at login
RS84273 - When an LDAP user with a Redis admin role viewed the log in the UI, they received db_viewer permissions instead of admin, which limited log visibility
RS62552 - Fixed database authentication failures for LDAP users when the password contains the % character

Version changes

Breaking changes

Differences when using the UNWATCH command within a MULTI command sequence:
- Redis Enterprise: UNWATCH is not allowed within a MULTI command sequence and returns an error.
- OSS: UNWATCH is allowed within a MULTI sequence but has no effect.
When sending a PUBSUB SHARDNUMSUB command in OSS Cluster mode in Redis Enterprise, Redis Enterprise checks the hash slots of the requested channels. Redis Enterprise responds with a CROSSSLOT error if the channels don’t hash to the same slot, or a MOVED error if the channels hash to a different node.

Redis 7.2 breaking changes

When new major versions of open source Redis change existing commands, upgrading your database to a new version can potentially break some functionality. Before you upgrade, make sure to read the provided list of breaking changes that affect Redis Enterprise and update any applications that connect to your database to handle these changes.

Confirm your Redis database version (redis_version) using the admin console or run the following INFO command via redis-cli:

$ redis-cli -p <port> INFO
"# Server
redis_version:7.0.8
..."

Breaking changes from version 6.2

Upgrading to open source Redis version 7.2 from version 6.2 introduces the following potentially breaking changes to Redis Enterprise.

Programmability

Lua scripts no longer have access to the print() function (#10651) - The print function was removed from Lua because it can potentially cause the Redis processes to get stuck (if no one reads from stdout). Users should use redis.log. An alternative is to override the print implementation and print the message to the log file.
Block PFCOUNT and PUBLISH in read-only scripts (*_RO commands, no-writes) (#10744) - Consider PFCOUNT and PUBLISH as write commands in scripts, in addition to EVAL; meaning:
- They can never be used in scripts with shebang (#!) and no no-writes flag
- They are blocked in EVAL_RO and _RO variants, (even in scripts without shebang (#!) flags)
- Allow no-write scripts in EVAL (not just in EVAL_RO), even during CLIENT PAUSE WRITE
Hide the may_replicate flag from the COMMAND command response (#10744) - As part of the change to treat may_replicate commands PFCOUNT and PUBLISH as write commands in scripts, in addition to EVAL, the may_replicate flag has been removed from the COMMAND response.
Time sampling is now frozen during command execution and scripts (#10300). While a command or script is running, the keys used by the command or script will not expire. This breaks any script that uses a loop to wait for a key to expire.
Blocked commands in scripts now work the same way as when they are used in transactions (#11568).

Error handling

Rephrased some error responses about invalid commands or arguments (#10612) -
- Error response for unknown command introduced a case change (Unknown to unknown)
- Errors for module commands extended to cover subcommands, updated syntax to match Redis Server syntax
- Arity errors for module commands introduce a case change (Wrong to wrong); will consider full command name

Corrected error codes returned from EVAL scripts (#10218, #10329).

These examples show changes in behavior:

  1: config set maxmemory 1
  2: +OK
  3: eval "return redis.call('set','x','y')" 0
- 4: -ERR Error running script (call to 71e6319f97b0fe8bdfa1c5df3ce4489946dda479): @user_script:1: @user_script: 1: -OOM command not allowed when used memory > 'maxmemory'.
+ 4: -ERR Error running script (call to 71e6319f97b0fe8bdfa1c5df3ce4489946dda479): @user_script:1: OOM command not allowed when used memory > 'maxmemory'.
  5: eval "return redis.pcall('set','x','y')" 0
- 6: -@user_script: 1: -OOM command not allowed when used memory > 'maxmemory'.
+ 6: -OOM command not allowed when used memory > 'maxmemory'.
  7: eval "return redis.call('select',99)" 0
  8: -ERR Error running script (call to 4ad5abfc50bbccb484223905f9a16f09cd043ba8): @user_script:1: ERR DB index is out of range
  9: eval "return redis.pcall('select',99)" 0
 10: -ERR DB index is out of range
 11: eval_ro "return redis.call('set','x','y')" 0
-12: -ERR Error running script (call to 71e6319f97b0fe8bdfa1c5df3ce4489946dda479): @user_script:1: @user_script: 1: Write commands are not allowed from read-only scripts.
+12: -ERR Error running script (call to 71e6319f97b0fe8bdfa1c5df3ce4489946dda479): @user_script:1: ERR Write commands are not allowed from read-only scripts.
 13: eval_ro "return redis.pcall('set','x','y')" 0
-14: -@user_script: 1: Write commands are not allowed from read-only scripts.
+14: -ERR Write commands are not allowed from read-only scripts.

ZPOPMIN/ZPOPMAX used to produce wrong replies when count is 0 with non-zset #9711):

ZPOPMIN/ZPOPMAX used to produce an (empty array) when key was not a sorted set and the optional count argument was set to 0 and now produces a WRONGTYPE error response instead.
The optional count argument must be positive. A negative value produces a value is out of range error.

These examples show changes in behavior:

  1: zadd myzset 1 "one"
  2: (integer) 1
  3: zadd myzset 2 "two"
  4: (integer) 1
  5: zadd myzset 3 "three"
  6: (integer) 1
  7: zpopmin myzset -1
- 8: (empty array)
+ 8: (error) ERR value is out of range, must be positive
  9: 127.0.0.1:6379> set foo bar
 10: OK
 11: zpopmin foo 0
-12: (empty array)
+12: (error) WRONGTYPE Operation against a key holding the wrong kind of value

LPOP/RPOP with count against a nonexistent list returns a null array instead of (nil)(#10095). This change was backported to 6.2.
LPOP/RPOP used to produce (nil) when count is 0, now produces a null array (#9692). This change was backported to 6.2.
XCLAIM/XAUTOCLAIM skips deleted entries instead of replying with nil and deletes them from the pending entry list (#10227) - XCLAIM/XAUTOCLAIM now behaves in the following way:
- If you try to claim a deleted entry, it is deleted from the pending entry list (PEL) where it is found (as well as the group PEL). Therefore, such an entry is not claimed, just cleared from PEL (because it doesn’t exist in the stream anyway).
- Because deleted entries are not claimed, X[AUTO]CLAIM does not return “nil” instead of an entry.
- Added an array of all the deleted stream IDs to XAUTOCLAIM response.
A blocked stream command that is released when a key no longer exists returns a different error code (#11012).
- For newly unblocked streams, lists, and zsets, the old implementation returned UNBLOCKED when the stream key was deleted or overwritten with a different type. Now, errors will be the same as if the command was processed after the effect.
ACL errors have been unified across Redis. (#11160)
- When using RedisModule_Call module API function, ACL errors return -NOPERM instead of -ERR
XREADGROUP and XAUTOCLAIM create a consumer regardless of whether it was able to perform reading or claiming (#11012).
Any float that is Not a Number will return nan (#11597).

ACLs

ACL GETUSER reply now uses ACL syntax for keys and channels (#9974). ACL GETUSER now uses the ACL DSL (Domain Specific Language) for keys and channels.

These examples show changes in behavior:

  1: acl setuser foo off resetchannels &channel1 -@all +get
  2: OK
  3: acl getuser foo
  4: 1) "flags"
  5: 2) 1) "off"
  6: 3) "passwords"
  7: 4) (empty array)
  8: 5) "commands"
  9: 6) "-@all +get"
 10: 7) "keys"
-11: 8) (empty array)
+11: 8) ""
 12: 9)"channels"
-13 10) 1) "channel1"
+13 10) "&channel1"

SORT/SORT_RO commands reject key access patterns in GET and BY if the ACL doesn’t grant the command full keyspace access (#10340) - The sort and sort_ro commands can access external keys via GET and BY. In order to make sure the user cannot violate the authorization ACL rules, Redis 7 will reject external keys access patterns unless ACL allows SORT full access to all keys. For backwards compatibility, SORT with GET/BY keeps working, but if ACL has restrictions to certain keys, the use of these features will result in a permission denied error.
These examples show changes in behavior:
```
USER FOO (+sort ~* ~mylist) 
#FOO> sort mylist by w* get v*  - is O.K since ~* provides full key access
```
```
USER FOO (+sort %R~* ~mylist) 
#FOO> sort mylist by w* get v*  - is O.K since %R~* provides full key READ access**
```
```
USER FOO (+sort %W~* ~mylist)
#FOO> sort mylist by w* get v*  - will now fail since $W~* only provides full key WRITE access
```
```
USER FOO (+sort ~v* ~mylist)
#FOO> sort mylist by w* get v*  - will now fail since ~v* only provides partial key access
```
Fix ACL category for SELECT, WAIT, ROLE, LASTSAVE, READONLY, READWRITE, ASKING (#9208):
- SELECT and WAIT have been recategorized from @keyspace to @connection
- ROLE, LASTSAVE have been categorized as @admin and @dangerous
- ASKING, READONLY, READWRITE have also been assigned the @connection category and removed from @keyspace
- Command categories are explained in ACL documentation
- When a blocked client is being unblocked, checks for ACLs and OOM condition checks are now re-evaluated (#11012).
  - If the ACL rules have changed since the command was executed, the command might fail after the client is unblocked.

Command introspection, stats, and configuration

COMMAND reply drops random and sort-for-scripts flags, which are now part of command tips (#10104) - The random flag was replaced with the nondeterministic_output tip; the sort-for-scripts flag was replaced by the nondeterministic_output_order tip

INFO commandstats now shows the stats per sub-command (#9504) For example, while previous versions would provide a single entry for all command usage, in Redis 7, each sub command is reported separately:

Redis 6.2:

cmdstat_acl:calls=4,usec=279,usec_per_call=69.75,rejected_calls=0,failed_calls=2

Redis 7:

cmdstat_acl|list:calls=1,usec=4994,usec_per_call=4994.00,rejected_calls=0,failed_calls=0
cmdstat_acl|setuser:calls=2,usec=16409,usec_per_call=8204.50,rejected_calls=0,failed_calls=0
cmdstat_acl|deluser:calls=1,usec=774,usec_per_call=774.00,rejected_calls=0,failed_calls=0
cmdstat_acl|getuser:calls=1,usec=6044,usec_per_call=6044.00,rejected_calls=0,failed_calls=0

CONFIG REWRITE, CONFIG RESETSTAT, and most CONFIG SET commands are now allowed during loading (#9878)
When running XINFO CONSUMERS, the idle time now shows the number of milliseconds that have passed since the last attempted interaction, and the inactive time shows the number of milliseconds since the last successful interaction (#11099)
- Previously, idle time showed the number of milliseconds that passed since the last successful interaction and there was no inactive time.
Command stats are only updated when the command executes (#11012).
- Previously, the command stats were updated even if a command was blocked. The command stats are now updated only if and when the command is executed.

Client prerequisites for Redis 7.2 upgrade

The Redis clients Go-Redis version 9 and Lettuce versions 6 and later use RESP3 by default. If you use either client to run Redis Stack commands, you should set the client’s protocol version to RESP2 before upgrading your database to Redis version 7.2 to prevent potential application issues due to RESP3 breaking changes.

For applications using Go-Redis v9.0.5 or later, set the protocol version to RESP2:

client := redis.NewClient(&redis.Options{
    Addr:     "<database_endpoint>",
    Protocol: 2, // Pin the protocol version
})

To set the protocol version to RESP2 with Lettuce v6 or later:

import io.lettuce.core.*;
import io.lettuce.core.api.*;
import io.lettuce.core.protocol.ProtocolVersion;

// ...
RedisClient client = RedisClient.create("<database_endpoint>");
client.setOptions(ClientOptions.builder()
        .protocolVersion(ProtocolVersion.RESP2) // Pin the protocol version 	
        .build());
// ...

If you are using LettuceMod, you need to upgrade to v3.6.0.

Deprecations

Command deprecations

CLUSTER SLOTS is deprecated as of Redis 7.0
JSON.RESP is deprecated as of Redis Stack 7.2.
QUIT is deprecated as of Redis 7.2

API deprecations

Fields deprecated as of Redis Enterprise v4.3.3:

smtp_use_tls (replaced with smtp_tls_mode)
dns_address_master
endpoint_node
endpoint_ip
public_addr (replaced with external_addr)

Fields deprecated as of Redis Enterprise v4.4.2:

default_shards_overbooking (replaced with shards_overbooking)

Fields deprecated as of Redis Enterprise v6.4.2:

use_ipv6 (replaced with use_external_ipv6)
redis_cleanup_job_settings (replaced with persistence_cleanup_scan_interval)

Fields deprecated as of Redis Enterprise v5.0.1:

bdb_high_syncer_lag (replaced with replica_src_high_syncer_lag and crdt_src_high_syncer_lag)
bdb_syncer_connection_error
bdb_syncer_general_error
sync_sources (replaced with replica_sources and crdt_sources)
sync (replaced with replica_sync and crdt_sync)
ssl (replaced with tls_mode)

Fields deprecated as of Redis Enterprise v7.2.4:

node.bigstore_driver (replaced with cluster.bigstore_driver)
auth_method
authentication_redis_pass (replaced with multiple passwords feature in version 6.0.X)
slave_ha cluster policy

Other deprecated fields:

import/rdb_url (deprecated as of Redis Enterprise v4.X)
logrotate_dir (to be replaced with logrotate_config or removed)

Deprecated CLI commands:

rlutil change_master (deprecated as of Redis Enterprise v6.2.18, replaced with rladmin change_master)
rlutil reserved_ports (deprecated as of Redis Enterprise v7.2, replaced with rladmin cluster config reserved_ports)

REST API requests deprecated as of Redis Enterprise v7.2:

POST /v1/modules (replaced with POST /v2/modules)
DELETE /v1/modules (replaced with DELETE /v2/modules)

Access control deprecations

The following predefined roles and Redis ACLs are no longer available for new Redis Enterprise Software version 7.2.4 clusters:
- Custom roles (not management roles): Cluster Member, Cluster Viewer, DB Member, DB Viewer, None.
- Redis ACLs: Not Dangerous and Read Only.
In upcoming maintenance releases, the deprecated roles and ACLs will be removed automatically when you upgrade to Redis Enterprise Software version 7.2.4, unless they are associated with any users or databases in the cluster.
A deprecation notice for SASL-based LDAP was included in previous Redis Enterprise Software release notes. When you upgrade to Redis Enterprise Software version 7.2.4, all existing “external” users (previously used to support SASL-based LDAP) will be removed.

Legacy UI

RedisGraph

Redis has announced the end of life for RedisGraph. Redis will continue to support all RedisGraph customers, including releasing patch versions until January 31, 2025.

See the RedisGraph end-of-life announcement for more details.

RHEL and CentOS 7.0-7.9

Support for RHEL and CentOS 7.0-7.9 is considered deprecated and will be removed in a future release.

Oracle Linux 7

Oracle Linux 7 support is considered deprecated and will be removed in a future release.

Amazon Linux 1

Amazon Linux 1 support is considered deprecated and will be removed in a future release.

Ubuntu 16.04

The deprecation of Ubuntu 16.04 was announced in the Redis Enterprise Software 6.4.2 release notes. As of Redis Enterprise Software 7.2.4, Ubuntu 16.04 is no longer supported.

RC4 encryption cipher

The RC4 encryption cipher is considered deprecated in favor of stronger ciphers. Support for RC4 by the discovery service will be removed in a future release.

3DES encryption cipher

The 3DES encryption cipher is considered deprecated in favor of stronger ciphers like AES. Please verify that all clients, apps, and connections support the AES cipher. Support for 3DES will be removed in a future release. Certain operating systems, such as RHEL 8, have already removed support for 3DES. Redis Enterprise Software cannot support cipher suites that are not supported by the underlying operating system.

TLS 1.0 and TLS 1.1

TLS 1.0 and TLS 1.1 connections are considered deprecated in favor of TLS 1.2 or later. Please verify that all clients, apps, and connections support TLS 1.2. Support for the earlier protocols will be removed in a future release. Certain operating systems, such as RHEL 8, have already removed support for the earlier protocols. Redis Enterprise Software cannot support connection protocols that are not supported by the underlying operating system.

Upcoming changes

Prepare for restrictive pub/sub permissions

Redis database version 6.2 introduced pub/sub ACL rules that determine which pub/sub channels a user can access.

The configuration option acl-pubsub-default, added in Redis Enterprise Software version 6.4.2, determines the cluster-wide default level of access for all pub/sub channels. Redis Enterprise Software uses the following pub/sub permissions by default:

For versions 6.4.2 and 7.2, acl-pubsub-default is permissive (allchannels or &*) by default to accommodate earlier Redis versions.
In future versions, acl-pubsub-default will change to restrictive (resetchannels). Restrictive permissions block all pub/sub channels by default, unless explicitly permitted by an ACL rule.

If you use ACLs and pub/sub channels, you should review your databases and ACL settings and plan to transition your cluster to restrictive pub/sub permissions in preparation for future Redis Enterprise Software releases.

When you change the cluster’s default pub/sub permissions to restrictive, &* is added to the Full Access ACL. Before you make this change, consider the following:

Because pub/sub ACL syntax was added in Redis 6.2, you can’t associate the Full Access ACL with database versions 6.0 or lower after this change.
The Full Access ACL is not reverted if you change acl-pubsub-default to permissive again.
Every database with the default user enabled uses the Full Access ACL.

To secure pub/sub channels and prepare your cluster for future Redis Enterprise Software releases that default to restrictive pub/sub permissions:

Upgrade Redis databases:
- For Redis Enterprise Software version 6.4.2, upgrade all databases in the cluster to Redis DB version 6.2.
- For Redis Enterprise Software version 7.2.4, upgrade all databases in the cluster to Redis DB version 7.2 or 6.2.
Create or update ACLs with permissions for specific channels using the resetchannels &channel format.
Associate the ACLs with relevant databases.
Set default pub/sub permissions (acl-pubsub-default) to restrictive. See Change default pub/sub permissions for details.
If any issues occur, you can temporarily change the default pub/sub setting back to permissive. Resolve any problematic ACLs before making pub/sub permissions restrictive again.

Upcoming command request and reponse changes

Open source Redis version 7.2 changes the request and response policies for several commands. Because the GA release of Redis Enterprise version 7.2 does not include these policy changes, commands might behave differently from open source Redis. However, these changes will be included in a future Redis Enterprise maintenance release:

RANDOMKEY and SCAN will change from no response policy to a SPECIAL response policy.
MSETNX currently has a MULTI_SHARD request policy and AGG_MIN response policy. Both will change to no policy.

For more information about request and response policies, see Redis command tips.

Supported platforms

The following table provides a snapshot of supported platforms as of this Redis Enterprise Software release. See the supported platforms reference for more details about operating system compatibility.

✅ Supported – The platform is supported for this version of Redis Enterprise Software.

⚠️ Deprecated – The platform is still supported for this version of Redis Enterprise Software, but support will be removed in a future release.

❌ End of life – Platform support ended in this version of Redis Enterprise Software.

Redis Enterprise	7.2.4	6.4.2	6.2.18	6.2.12	6.2.10	6.2.8	6.2.4
Ubuntu¹
20.04	✅	✅⁶	–	–	–	–	–
18.04	⚠️	✅	✅	✅	✅	✅	✅
16.04	❌	⚠️	✅	✅	✅	✅	✅
RHEL & CentOS²
8.8	✅	–	–	–	–	–	–
8.7	✅	✅	–	–	–	–	–
8.5-8.6	✅	✅	✅	✅	✅	–	–
8.0-8.4	✅	✅	✅	✅	✅	✅	–
7.0-7.9	⚠️	✅	✅	✅	✅	✅	✅
Oracle Linux³
8	✅	✅	✅	✅	✅	–	–
7	⚠️	✅	✅	✅	✅	✅	✅
Rocky Linux³
8	✅	✅	✅	–	–	–	–
Amazon Linux
2	✅	✅⁷	–	–	–	–	–
1	⚠️	✅	✅	✅	✅	✅	✅
Docker⁴	✅	✅	✅	✅	✅	✅	✅
Kubernetes⁵	✅	✅	✅	✅	✅	✅	✅

The server version of Ubuntu is recommended for production installations. The desktop version is only recommended for development deployments.
RHEL and CentOS deployments require OpenSSL 1.0.2 and firewall configuration.
Based on the corresponding RHEL version.
Docker images of Redis Enterprise Software are certified for development and testing only.
See the Redis Enterprise for Kubernetes documentation.
Ubuntu 20.04 support was added in Redis Enterprise Software 6.4.2-43.
A release candidate for Amazon Linux 2 support was added in Redis Enterprise Software 6.4.2-61. Official support for Amazon Linux 2 was added in Redis Enterprise Software 6.4.2-69.

Downloads

The following table shows the MD5 checksums for the available packages:

Package	MD5 checksum (7.2.4-52 August release)
Ubuntu 18	7c7e465c8e129a03ee9f585137b2a1d9
Ubuntu 20	631f27311b19806955fde012953ff9c9
RedHat Enterprise Linux (RHEL) 7 Oracle Enterprise Linux (OL) 7	ae76798b1b7243313b4f4cba6ede88d7
RedHat Enterprise Linux (RHEL) 8 Oracle Enterprise Linux (OL) 8 Rocky Enterprise Linux	48936b25aefa2921d38aea84ad06134d
Amazon Linux 2	3e8180d7a9ebc3784ab6080234edefd5

Known issues

Legacy UI known issues

When using the legacy UI, you cannot update and save your changes on the settings > preferences tab even though these settings are visible. This issue will be fixed in the next maintenance release.

As a workaround, use the new Cluster Manager UI to update these settings from the Cluster > Security > Preferences tab.

Pub/sub channel ACL limitations

In Redis Enterprise Software version 6.4.2, you could use &channel syntax in Redis ACL rules to allow access to specific pub/sub channels even when default pub/sub permissions were permissive (&allchannels or &*), allowing all channels by default. However, &allchannels &channel is not valid syntax.

As of Redis Enterprise Software version 7.2.4, you cannot create Redis ACLs with this combination of rules. You can only use &channel to allow access to specific channels if the default pub/sub permissions are restrictive (resetchannels).

Associating an ACL that contains the invalid syntax &allchannels &channel (created before version 7.2) with a user and database might leave the database in a pending state, unable to function.

To prevent this issue:

Review all existing ACL rules.
For each rule containing &channel, either:
- Add the resetchannels prefix to restrict access to all channels by default.
- Delete the rule if not needed.

Known limitations

Command limitations

CLIENT NO-TOUCH might not run correctly in the following cases:
- The Redis database version is earlier than 7.2.0.
- The CLIENT NO-TOUCH command is forbidden by ACL rules.
Before sending this command, clients should verify the database version is 7.2.0 or later and that using this command is allowed.
You cannot use SUNSUBSCRIBE to unsubscribe from a shard channel if the regex changed while subscribed.
Using XREADGROUP BLOCK with > to return all new streams will cause the Redis database to freeze until the shard is restarted. (#12031)
Because a rejected command does not record the duration for command stats, an error will appear after it is reprocessed that will cause the Redis database to freeze until the shard is restarted. (#12247)

Modules cannot load in Oracle Linux 7 & 8

Databases hosted on Oracle Linux 7 & 8 cannot load modules.

As a temporary workaround, you can change the node’s os_name in the Cluster Configuration Store (CCS):

ccs-cli hset node:<ID> os_name rhel

Cluster recovery with manually uploaded modules

For clusters containing databases with manually uploaded modules, cluster recovery requires an extra step.

After installing Redis Enterprise Software on the cluster nodes, upload compatible modules to modulesdir (/opt/redislabs/lib/modules) before continuing the recovery process.

This limitation will be removed in a future maintenance release.

Security

Open source Redis security fixes compatibility

As part of Redis’s commitment to security, Redis Enterprise Software implements the latest security fixes available with open source Redis. Redis Enterprise has already included the fixes for the relevant CVEs.

Some CVEs announced for open source Redis do not affect Redis Enterprise due to different or additional functionality available in Redis Enterprise that is not available in open source Redis.

Redis Enterprise 7.2.4-52 supports open source Redis 7.2, 6.2, and 6.0. Below is the list of open source Redis CVEs fixed by version.

Redis 7.2.0 includes all of the CVE fixes from previous versions.

Redis 7.0.x:

(CVE-2023-36824) Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption, and potentially remote code execution. Specifically: using COMMAND GETKEYS* and validation of key names in ACL rules. (Redis 7.0.12)
(CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access. (Redis 7.0.11)
(CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service. (Redis 7.0.10)
(CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 7.0.9)
(CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service. (Redis 7.0.8)
(CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. (Redis 7.0.9)
(CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. (Redis 7.0.8)
(CVE-2022-35951) Executing an XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.5)
(CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream key in a specific state may result in heap overflow and potentially remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.4)
(CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 7.0.12)
(CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the redis-server process. This issue affects all versions of Redis. (Redis 7.0.0)
(CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 7.0.0)

Redis 6.2.x:

(CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access. (Redis 6.2.12)
(CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 6.2.11)
(CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service. (Redis 6.2.9)
(CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. (Redis 6.2.11)
(CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. (Redis 6.2.9)
(CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 6.2.13)
(CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the redis-server process. This issue affects all versions of Redis. (Redis 6.2.7)
(CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 6.2.7)
(CVE-2021-41099) Integer to heap buffer overflow handling certain string commands and network payloads, when proto-max-bulk-len is manually configured to a non-default, very large value. (Redis 6.2.6)
(CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and redis-sentinel parsing large multi-bulk replies on some older and less common platforms. (Redis 6.2.6)
(CVE-2021-32761) An integer overflow bug in Redis version 2.2 or newer can be exploited using the BITFIELD command to corrupt the heap and potentially result with remote code execution. (Redis 6.2.5)
(CVE-2021-32687) Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value. (Redis 6.2.6)
(CVE-2021-32675) Denial Of Service when processing RESP request payloads with a large number of elements on many connections. (Redis 6.2.6)
(CVE-2021-32672) Random heap reading issue with Lua Debugger. (Redis 6.2.6)
(CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded data types, when configuring a large, non-default value for hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value. (Redis 6.2.6)
(CVE-2021-32627) Integer to heap buffer overflow issue with streams, when configuring a non-default, large value for proto-max-bulk-len and client-query-buffer-limit. (Redis 6.2.6)
(CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer overflow. (Redis 6.2.6)
(CVE-2021-32625) An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix by CVE-2021-29477. (Redis 6.2.4)
(CVE-2021-29478) An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it. The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result with a corrupted RDB or DUMP payload, but not exploited through COPY (which did not exist before 6.2). (Redis 6.2.3)
(CVE-2021-29477) An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The integer overflow bug exists in all versions of Redis starting with 6.0. (Redis 6.2.3)

Redis 6.0.x:

(CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 6.0.20)
(CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access. (Redis 6.0.19)
(CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 6.0.18)
(CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. (Redis 6.0.18)
(CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. (Redis 6.0.17)

Edit on GitHub

Updated: September 17, 2024

Top