Clean Premium Redis runtime on NiceOS Base β a purpose-built container OS. bitnami alternative.
523
How this image differs from the vanilla Docker Hub image and Bitnami.
NiceOS libraries baked in. The image ships with the NiceOS runtime libraries (logging, filesystem, OS/user helpers, validations, networking). These small, focused utilities power safer entrypoints, graceful shutdowns, permission fixes, health probes, and configuration edits without re-implementing ad-hoc shell fragments in every script.
Strict idempotency and verifiable configuration.
Defaults are copied without overwriting user files; updates to redis.conf are done via explicit, line-level operations rather than blind rewrites. On each start, the same inputs lead to the same outputsβmaking behavior predictable in CI/CD and easy to audit during incident reviews.
Enterprise-grade logging by default. Structured logging (plain and JSON), leveled output (ERROR/WARN/INFO/DEBUG/TRACE), rate-limiting of duplicate messages, optional color, and consistent module tags give you readable container logs locally and machine-parsable logs in production. This reduces noise and speeds up troubleshooting.
Production-first posture (not just dev convenience).
The image runs as a non-root user, honors secret files (*_FILE) to avoid leaking credentials, supports TLS/ACL configuration with validation, and keeps Redis in the foreground for clean PID 1 semantics and graceful termination. Quick-start commands are available, but the defaults and documentation assume real deployments, not only demos.
π¦ Idempotent configuration management Default configs are copied into place without overwriting user-provided files. Every container start is predictable and audit-friendly.
π Clear separation: Setup vs Run
The setup script fine-tunes redis.conf Bitnami-style (safe defaults, security hardening). The run script always launches Redis in foreground mode with --daemonize no, ensuring clean PID 1 behavior in containers.
π§βπ» Runs as non-root by default Redis starts as UID:GID 10001:10001, with safe directory ownership checks and permission fixes. No privileged user required.
π Secret management via *_FILE
Passwords, certificates, and sensitive data are mounted as filesβnot plain env varsβso they never leak in docker inspect or ps.
π Built-in TLS and ACL support with validations TLS is first-class: certs, keys, CA, DH params are validated before start. ACL files are supported out-of-the-box for fine-grained access control.
π Enterprise-grade logging Structured JSON and colorful human logs, deduplication of repeated messages, module tags, and consistent levels (ERROR/WARN/INFO/DEBUG/TRACE). Tail logs comfortably or parse them automatically.
π·πΊ Russian localization available
When LANG=ru_RU.UTF-8, all helper scripts switch to Russian messages and log outputβhelpful for operators in domestic environments.
The NiceOS Redis container comes with sane defaults, but you can start small or go production-ready in just a few lines.
docker run --rm -it \
--name redis-dev \
-e ALLOW_EMPTY_PASSWORD=yes \
niceos/redis:8.2.1
π Runs Redis without a password. Use only for local testing.
docker run -d \
--name redis \
-e REDIS_PASSWORD=supersecret \
-v /my/redis-data:/app/data \
niceos/redis:8.2.1
π Starts Redis with authentication enabled and data persisted in /my/redis-data.
The image ships with a built-in HEALTHCHECK. You can verify it manually:
docker exec redis \
/usr/bin/redis-cli -a supersecret ping
Expected response:
PONG
For TLS deployments, use:
docker exec redis \
/usr/bin/redis-cli --tls --cert /path/redis.crt --key /path/redis.key --cacert /path/ca.crt ping
There are multiple ways to obtain the NiceOS Redis image, depending on your workflow.
Always use a versioned tag for reproducibility:
docker pull niceos/redis:8.2.1
π This ensures you always get the same Redis version, not a moving latest.
Define Redis as a service in your docker-compose.yml:
version: "3.9"
services:
redis:
image: niceos/redis:8.2.1
container_name: redis
restart: unless-stopped
environment:
- REDIS_PASSWORD=supersecret
volumes:
- ./redis-data:/app/data
ports:
- "6379:6379"
Then start everything with:
docker-compose up -d
Your app can now connect to Redis at localhost:6379 with the configured password.
NiceOS Redis is designed with security as a first-class concern. While you can spin up a quick development container without a password, production deployments should always apply secure defaults.
*_FILE support)Every sensitive environment variable supports a *_FILE counterpart.
Instead of:
-e REDIS_PASSWORD=supersecret
you can mount a Docker secret or Kubernetes Secret:
-e REDIS_PASSWORD_FILE=/run/secrets/redis_pass
π This prevents your password from leaking into docker inspect, logs, or process arguments.
ALLOW_EMPTY_PASSWORD is for development onlyYou can bypass password enforcement by setting:
-e ALLOW_EMPTY_PASSWORD=yes
This is acceptable in quick demos or local tests, but extremely unsafe in production. In production, always provide REDIS_PASSWORD or REDIS_PASSWORD_FILE.
ACL: You can provide an ACLFILE to define fine-grained users, commands, and key patterns:
-e REDIS_ACLFILE=/app/mounted-etc/users.acl
-v ./users.acl:/app/mounted-etc/users.acl
Disabled commands: By default, unsafe commands such as FLUSHALL, FLUSHDB, CONFIG, DEBUG, SHUTDOWN, and CLUSTER are disabled during setup unless you explicitly override REDIS_DISABLE_COMMANDS.
This prevents accidents like flushing production databases.
Redis runs as user app (UID 10001) by default.
/app/data, /app/logs, /app/run) are created if missing and ownership is fixed automatically.Redis traffic can be encrypted end-to-end. Enable TLS with:
-e REDIS_TLS_ENABLED=yes \
-e REDIS_TLS_CERT_FILE=/app/certs/redis.crt \
-e REDIS_TLS_KEY_FILE=/app/certs/redis.key \
-e REDIS_TLS_CA_FILE=/app/certs/ca.crt \
-v ./certs:/app/certs
REDIS_TLS_AUTH_CLIENTS=yes) for mutual TLS.When running replicas, use REDIS_MASTER_PASSWORD to authenticate against the master:
# Master
docker run -d --name redis-master \
-e REDIS_REPLICATION_MODE=master \
-e REDIS_PASSWORD=masterpass \
niceos/redis:8.2
# Replica
docker run -d --name redis-replica \
-e REDIS_REPLICATION_MODE=replica \
-e REDIS_MASTER_HOST=redis-master \
-e REDIS_MASTER_PORT_NUMBER=6379 \
-e REDIS_MASTER_PASSWORD=masterpass \
-e REDIS_PASSWORD=replicapass \
niceos/redis:8.2
π Replicas will refuse to start if REDIS_MASTER_PASSWORD is missing (unless ALLOW_EMPTY_PASSWORD=yes is set for development).
Summary: With file-backed secrets, strict defaults, disabled unsafe commands, enforced non-root execution, TLS validation, and authenticated replication, the NiceOS Redis image is built to be production-safe out of the box.
The NiceOS Redis image offers multiple, predictable ways to configure Redis, from mounting your own redis.conf to using lightweight overrides. All approaches are idempotent: the same input always produces the same result.
redis.conf (mounted-etc)If you mount a full redis.conf into the container at:
/app/mounted-etc/redis.conf
the setup logic will copy it into place and skip auto-tuning. Example:
-v ./redis.conf:/app/mounted-etc/redis.conf
π In this mode, the image treats your config as authoritative and does not generate or patch defaults.
overrides.confIf you only want to override a few settings, mount a file at:
/app/mounted-etc/overrides.conf
The entrypoint ensures that this file is included at the end of the active redis.conf via an include directive.
This lets you apply small adjustments (like changing memory limits or maxclients) without maintaining a full config file.
AOF (Append Only File) is enabled by default (REDIS_AOF_ENABLED=yes). It fsyncs every second (appendfsync everysec) for a safe performance balance.
RDB snapshots are disabled by default in the setup flow (save ""). You can re-enable them by:
-e REDIS_RDB_POLICY="900#1 300#10"
-e REDIS_RDB_POLICY_DISABLED=no
which produces lines like:
save 900 1
save 300 10
On startup, the entrypoint copies files from:
/app/etc.default/ β /app/etc/
using rsync --ignore-existing or cp -rnp.
redis.conf exists, one is seeded from /app/etc.default/redis.conf or, as a last resort, from /etc/redis.conf.
This guarantees that a working config is always present, but your changes are preserved.setup-redis.sh)The setup phase is optional and runs when explicitly requested (NICEOS_REDIS_RUN_SETUP=yes or legacy run path). It:
Validates environment variables (passwords, TLS, ports).
Creates and fixes ownership of data/log/tmp directories.
Ensures redis.conf is readable and group-safe (if configured).
Applies Bitnami-style tuning idempotently to the existing redis.conf:
FLUSHALL),What it does not do:
redis.conf from scratch.β Result: the configuration layer in NiceOS Redis is transparent, reproducible, and safeβwhether you prefer to bring your own config, override a few lines, or rely on environment-driven tuning.
The lifecycle of the container is split into clear phases:
The container always starts with entrypoint.sh.
The entrypoint decides whether to run the setup script:
NICEOS_REDIS_RUN_SETUP=yes (default in this image)./run.sh, Bitnami compatibility).setup-redis.sh validates env vars, applies defaults, fixes permissions, and tunes redis.conf idempotently.
run-redis.sh)The actual Redis process is launched by run-redis.sh, which guarantees:
--daemonize no is always enforced for clean PID 1 behavior.--logfile "") unless you override it.REDIS_EXTRA_FLAGS and any user arguments.Standalone (no persistence, dev mode):
docker run --rm -it \
--name redis-dev \
-e ALLOW_EMPTY_PASSWORD=yes \
niceos/redis:8.2
With persistent data volume:
docker run -d \
--name redis \
-e REDIS_PASSWORD=supersecret \
-v ./redis-data:/app/data \
niceos/redis:8.2
With additional flags (REDIS_EXTRA_FLAGS):
docker run -d \
--name redis \
-e REDIS_PASSWORD=supersecret \
-e REDIS_EXTRA_FLAGS="--maxmemory 256mb --maxmemory-policy allkeys-lru" \
niceos/redis:8.2
π Flags are merged at the end, so they override defaults where supported.
Redis is always launched as user UID:GID 10001:10001 (app:app).
/app/data, /app/logs, and /app/run is adjusted during setup.β With this design, you get predictable startup, secure defaults, and full control over Redis arguments without breaking container best practices.
Content type
Image
Digest
sha256:df7fe5dafβ¦
Size
42.7 MB
Last updated
10 months ago
docker pull niceos/redis