Add protected mode. #1190
Add protected mode. #1190
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR introduces support for a "protected mode" configuration similar to Redis, allowing Garnet to bind to localhost by default unless overridden. Key changes include updating the test configuration to disable protected mode, adding a new CommandLineBooleanOption for protected mode, and updating the address parser and Dockerfiles to factor in this new setting.
Reviewed Changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| test/Garnet.test/redis.conf | Updated protected mode setting (changed from yes to no) while leaving an inconsistent comment. |
| test/Garnet.test/GarnetServerConfigTests.cs | Added test assertion for the protected mode flag. |
| libs/host/defaults.conf | Added a default protected mode setting ("yes") for non-Docker scenarios. |
| libs/host/Configuration/TypeConverters.cs | Enhanced type conversion to support CommandLineBooleanOption. |
| libs/host/Configuration/Redis/RedisOptions.cs | Introduced a new Redis option for protected mode. |
| libs/host/Configuration/Options.cs | Added option validation and integrated protected mode flag into configuration. |
| libs/host/Configuration/CommandLineTypes.cs | Defined the CommandLineBooleanOption enum with aliases for true/false. |
| libs/common/Format.cs | Updated TryParseAddressList to handle the new protected mode parameter. |
| Dockerfiles (various) | Modified ENTRYPOINTs to force disable protected mode in Docker builds. |
Comments suppressed due to low confidence (1)
test/Garnet.test/redis.conf:108
- The comment indicates that protected mode is enabled by default, but the configuration immediately below sets it to 'no'. Please update the comment to accurately reflect the intended default behavior for this test configuration.
# By default protected mode is enabled. You should disable it only if
| @@ -533,6 +533,10 @@ internal sealed class Options | |||
| [Option("enable-debug-command", Required = false, HelpText = "Enable DEBUG command for 'no', 'local' or 'all' connections")] | |||
| public ConnectionProtectionOption EnableDebugCommand { get; set; } | |||
|
|
|||
| [OptionValidation] | |||
| [Option("protected-mode", Required = false, HelpText = "Enable protected mode.")] | |||
| public CommandLineBooleanOption ProtectedMode { get; set; } | |||
There was a problem hiding this comment.
Do we need Garnet's version of options to be CommandLineBooleanOption instead of a simple bool. RedisOptions makes sense for compatibility with redis.conf.
There was a problem hiding this comment.
I think CommandLineBooleanOption may be fine here, leaving the comment for discussion and input from others.
There was a problem hiding this comment.
The reason was to allow CommandLine.Core to parse 'yes' as true, so '--protected-mode yes/no' parsers as true/false respectively. I couldn't find any nicer way of enhancing the parser.
If we don't care for that compatibility, I can switch to a bool and switch the docker definition to '--protected-mode false'. Let's see what others say...
Redis starts by default in 'protected mode' - binds to localhost only unless auth is specified. This PR adds the same to Garnet, except we don't check for auth - the user can explicitly bind elsewhere, and this override protected mode binding.
Docker builds automatically disable protected mode and so bind by default to 0.0.0.0.
Note: CommandLineBooleanOption is added to get compatibility with redis's yes/no parsing.