open-contracting · RobHooper · Oct 28, 2025 · Oct 28, 2025 · Dec 1, 2025 · Dec 1, 2025
diff --git a/pillar/cove.sls b/pillar/cove.sls
@@ -2,7 +2,6 @@ x-volumes: &volumes
   - db
   - media
   - redis/data
-  - redis/tmp
 
 x-env: &env
   DJANGO_PROXY: True

diff --git a/pillar/digitalbuying.sls b/pillar/digitalbuying.sls
@@ -21,7 +21,6 @@ docker_apps:
     volumes:
       - media
       - redis/data
-      - redis/tmp
     env:
       DJANGO_PROXY: True
       ALLOWED_HOSTS: digitalbuying.open-contracting.org

diff --git a/pillar/dreambi.sls b/pillar/dreambi.sls
@@ -47,7 +47,6 @@ docker_apps:
     site: bi.dream.gov.ua
     volumes:
       - redis/data
-      - redis/tmp
     env:
       # Must end with a "/".
       QLIK_PROXY_SERVICE: https://ocp15.open-contracting.org:4243/qps/prod/
diff --git a/pillar/registry.sls b/pillar/registry.sls
@@ -181,7 +181,6 @@ docker_apps:
       - media
       - tmp
       - redis/data
-      - redis/tmp
     env:
       DJANGO_PROXY: True
       ALLOWED_HOSTS: flatten.open-contracting.org

diff --git a/salt/docker_apps/files/conf/redis.conf b/salt/docker_apps/files/conf/redis.conf
@@ -0,0 +1,101 @@
+# Network
+bind 0.0.0.0 ::
+protected-mode no
+
+# TLS/SSL
+port 6379
+tcp-backlog 511
+timeout 0
+tcp-keepalive 300
+
+# General
+daemonize yes
+pidfile /tmp/redis.pid
+loglevel notice
+logfile ""
+databases 16
+always-show-logo no
+set-proc-title yes
+proc-title-template "{title} {listen-addr} {server-mode}"
+
+# Snapshotting
+stop-writes-on-bgsave-error yes
+rdbcompression yes
+rdbchecksum yes
+dbfilename dump.rdb
+rdb-del-sync-files no
+dir /data
+save ""
+
+# Replication
+replica-serve-stale-data yes
+replica-read-only yes
+repl-diskless-sync no
+repl-diskless-sync-delay 5
+repl-diskless-load disabled
+repl-disable-tcp-nodelay no
+replica-priority 100
+
+# Security
+acllog-max-len 128
+
+# Lazy Freeing
+lazyfree-lazy-eviction no
+lazyfree-lazy-expire no
+lazyfree-lazy-server-del no
+replica-lazy-flush no
+lazyfree-lazy-user-del no
+lazyfree-lazy-user-flush no
+
+# Kernel OOM Control
+oom-score-adj no
+oom-score-adj-values 0 200 800
+
+# Kernel transparent huge page Control
+disable-thp yes
+
+# Append Only Mode
+appendonly yes
+appendfilename "appendonly.aof"
+appendfsync everysec
+no-appendfsync-on-rewrite no
+auto-aof-rewrite-percentage 100
+auto-aof-rewrite-min-size 64mb
+aof-load-truncated yes
+aof-use-rdb-preamble yes
+
+# Non-Deterministic Long Blocking Commands
+lua-time-limit 5000
+
+#  Slow Log
+slowlog-log-slower-than 10000
+slowlog-max-len 128
+
+# Latency Monitor
+latency-monitor-threshold 0
+
+# Event Notification
+notify-keyspace-events ""
+
+# Advanced Config
+hash-max-ziplist-entries 512
+hash-max-ziplist-value 64
+list-max-ziplist-size -2
+list-compress-depth 0
+set-max-intset-entries 512
+zset-max-ziplist-entries 128
+zset-max-ziplist-value 64
+hll-sparse-max-bytes 3000
+stream-node-max-bytes 4096
+stream-node-max-entries 100
+activerehashing yes
+client-output-buffer-limit normal 0 0 0
+client-output-buffer-limit replica 256mb 64mb 60
+client-output-buffer-limit pubsub 32mb 8mb 60
+hz 10
+dynamic-hz yes
+aof-rewrite-incremental-fsync yes
+rdb-save-incremental-fsync yes
+
+# Active Defragmentation
+jemalloc-bg-thread yes
diff --git a/salt/docker_apps/files/cove.yaml b/salt/docker_apps/files/cove.yaml
@@ -21,18 +21,18 @@ x-django: &django
 services:
 {%- if 'REDIS_URL' in entry.env %}
   redis:
-    image: bitnamilegacy/redis:6.2
+    image: rapidfort/redis-official:6.2-bookworm
+    command: ["redis-server", "/redis.conf"]
+    user: "{{ pillar.docker.uid }}:{{ pillar.docker.uid }}"
     restart: always
-    environment:
-      ALLOW_EMPTY_PASSWORD: "yes"
     healthcheck:
       test: redis-cli -h 127.0.0.1 ping | grep -q PONG
       interval: 10s
       timeout: 5s
       retries: 5
     volumes:
       - {{ directory }}/redis/data:/bitnami/redis/data
-      - {{ directory }}/redis/tmp:/opt/bitnami/redis/tmp
+      - {{ directory }}/redis/redis.conf:/redis.conf
 {%- endif %}
   web:
     <<: *django

diff --git a/salt/docker_apps/files/digitalbuying.yaml b/salt/docker_apps/files/digitalbuying.yaml
@@ -16,18 +16,18 @@ x-django: &django
 
 services:
   redis:
-    image: bitnamilegacy/redis:6.2
+    image: rapidfort/redis-official:6.2-bookworm
+    command: ["redis-server", "/redis.conf"]
+    user: "{{ pillar.docker.uid }}:{{ pillar.docker.uid }}"
     restart: always
-    environment:
-      ALLOW_EMPTY_PASSWORD: "yes"
     healthcheck:
       test: redis-cli -h 127.0.0.1 ping | grep -q PONG
       interval: 10s
       timeout: 5s
       retries: 5
     volumes:
-      - {{ directory }}/redis/data:/bitnami/redis/data
-      - {{ directory }}/redis/tmp:/opt/bitnami/redis/tmp
+      - {{ directory }}/redis/data:/data
+      - {{ directory }}/redis/redis.conf:/redis.conf
   web:
     <<: *django
     ports:

diff --git a/salt/docker_apps/files/qlikauth.yaml b/salt/docker_apps/files/qlikauth.yaml
@@ -5,18 +5,18 @@ x-shared: &shared
 
 services:
   redis:
-    image: bitnamilegacy/redis:6.2
+    image: rapidfort/redis-official:6.2-bookworm
+    command: ["redis-server", "/redis.conf"]
+    user: "{{ pillar.docker.uid }}:{{ pillar.docker.uid }}"
     restart: always
-    environment:
-      ALLOW_EMPTY_PASSWORD: "yes"
     healthcheck:
       test: redis-cli -h 127.0.0.1 ping | grep -q PONG
       interval: 10s
       timeout: 5s
       retries: 5
     volumes:
       - {{ directory }}/redis/data:/bitnami/redis/data
-      - {{ directory }}/redis/tmp:/opt/bitnami/redis/tmp
+      - {{ directory }}/redis/redis.conf:/redis.conf
   web:
     <<: *shared
     image: "ghcr.io/open-contracting/bi.dream.gov.ua-qlikauth:latest"

diff --git a/salt/docker_apps/files/spoonbill.yaml b/salt/docker_apps/files/spoonbill.yaml
@@ -20,18 +20,18 @@ x-django: &django
 
 services:
   redis:
-    image: bitnamilegacy/redis:6.2
+    image: rapidfort/redis-official:6.2-bookworm
+    command: ["redis-server", "/redis.conf"]
+    user: "{{ pillar.docker.uid }}:{{ pillar.docker.uid }}"
     restart: always
-    environment:
-      ALLOW_EMPTY_PASSWORD: "yes"
     healthcheck:
       test: redis-cli -h 127.0.0.1 ping | grep -q PONG
       interval: 10s
       timeout: 5s
       retries: 5
     volumes:
       - {{ entry.host_dir }}/redis/data:/bitnami/redis/data
-      - {{ entry.host_dir }}/redis/tmp:/opt/bitnami/redis/tmp
+      - {{ directory }}/redis/redis.conf:/redis.conf
   web:
     <<: *django
     ports:

diff --git a/salt/docker_apps/init.sls b/salt/docker_apps/init.sls
@@ -41,16 +41,23 @@ include:
       - user: {{ pillar.docker.user }}_user_exists
 
 {% for volume in entry.volumes|default([]) %}
-# "NOTE: As this is a non-root container, the mounted files and directories must have the proper permissions for the UID 1001."
-# https://github.com/bitnami/containers/blob/main/bitnami/redis/README.md#persisting-your-database
-{% set volume_user_group = 1001 if volume.startswith('redis/') else pillar.docker.user %}
-
 {{ entry.host_dir|default(directory) }}/{{ volume }}:
   file.directory:
-    - user: {{ volume_user_group }}
-    - group: {{ volume_user_group }}
+    - user: {{ pillar.docker.user }}
+    - group: {{ pillar.docker.user }}
     - makedirs: True
     - require:
       - user: {{ pillar.docker.user }}_user_exists
 {% endfor %}
+
+{% if 'redis' in entry.volumes|join(' ') %}
+{{ directory }}/redis/redis.conf:
+  file.managed:
+    - source: salt://docker_apps/files/conf/redis.conf
+    - user: {{ pillar.docker.user }}
+    - group: {{ pillar.docker.user }}
+    - makedirs: True
+    - require:
+      - user: {{ pillar.docker.user }}_user_exists
+{% endif %}
 {% endfor %}