Valkey - Hardened Redis-Compatible Cache

Author: Lynxroute

Valkey - CIS Level 1 hardened on Ubuntu 24.04 LTS with SBOM and CIS Conformance Report

What is Valkey

Valkey is an open-source, high-performance, Redis-compatible in-memory data store maintained by the Linux Foundation. It was forked from Redis OSS 7.2 in 2024 when Redis Inc. changed its license; Valkey stays BSD-3-Clause forever. Valkey supports the full Redis API and is compatible with all existing Redis clients across Java, Python, Node.js, Go, PHP, Ruby, and 100+ other languages and frameworks. It is a drop-in Redis replacement with no vendor lock-in.

Why self-host Valkey

Self-hosting Valkey gives you full control over your data with no external dependencies. It is ideal for teams with data residency requirements, GDPR compliance needs, or organizations that cannot use managed Redis services due to cost, latency, or licensing constraints. Your cache data stays entirely within your own Azure infrastructure.

What this VM image adds

Security hardening:

  • Strong random password at first boot - no default or empty password
  • Binds to 127.0.0.1 only - not exposed to the network by default
  • FLUSHALL and FLUSHDB disabled - prevents accidental or malicious data wipes
  • CVE scan - every image is scanned for vulnerabilities with Trivy before release
  • UFW firewall - port 6379 blocked externally, SSH on 22 only
  • fail2ban - SSH brute-force protection
  • AppArmor - mandatory access control

OS hardening (CIS Level 1):

  • CIS Level 1 hardened - CIS Ubuntu 24.04 LTS Level 1 Benchmark via ansible-lockdown
  • auditd - system call auditing for critical paths
  • SSH hardening - PasswordAuthentication disabled, key-only access
  • Kernel hardening - SYN cookies, ASLR, rp_filter, TCP BBR
  • /tmp as tmpfs - nosuid, nodev, noexec
  • Azure IMDS endpoints - egress rules pre-configured (169.254.169.254, 168.63.129.16)

Compliance artifacts (inside the VM):

  • SBOM - CycloneDX 1.6 at /etc/lynxroute/sbom.json
  • CIS Conformance Report - OpenSCAP HTML at /etc/lynxroute/cis-report.html
  • Tailored CIS profile - /usr/share/doc/lynxroute/CIS_TAILORED_PROFILE.md
  • RDB persistence - data survives reboots

Quick Start

  1. Deploy VM from Azure Marketplace (Standard_B2s or larger recommended)
  2. SSH: ssh -i key.pem <username>@<PUBLIC_IP> (username set during VM creation, default: azureuser)
  3. Check status: MOTD shows Valkey version and service state on login
  4. Get password: sudo cat /root/valkey-credentials.txt
  5. Connect locally: valkey-cli -a <password> ping

Valkey binds to 127.0.0.1 by default. To allow access from application servers, edit /etc/valkey/valkey.conf (bind directive) and open port 6379 in your Network Security Group to trusted IPs only - never to 0.0.0.0/0.
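Before opening port 6379 in the Network Security Group, it helps to confirm which addresses the instance will actually listen on after the bind directive is edited. The shell audit below is an added example, not part of the image or this listing; it assumes the config format Valkey shares with Redis, where the last uncommented bind line is the one in effect and a missing bind line means the server listens on every interface.

```shell
#!/bin/sh
# Audit the bind directive of a Valkey config file.
# Returns 0 when only loopback addresses are bound, 1 when any
# non-loopback address is bound or when no bind line exists at all.
valkey_bind_check() {
  conf="$1"
  # Only uncommented bind lines count; the last one wins, as in the server.
  # "bind-source-addr" is a different directive and is excluded by the regex.
  binds=$(grep -E '^[[:space:]]*bind[[:space:]]+' "$conf" | tail -n 1)
  if [ -z "$binds" ]; then
    echo "no bind directive: server listens on all interfaces"
    return 1
  fi
  addrs=${binds#*bind}
  # Subshell with globbing off so a literal "bind *" is not expanded to filenames.
  (
    set -f
    status=0
    for a in $addrs; do
      a=${a#-}   # a leading '-' only marks the address as optional; strip it
      case "$a" in
        127.0.0.1|::1|localhost) echo "loopback: $a" ;;
        *) echo "EXPOSED: $a"; status=1 ;;
      esac
    done
    exit $status
  )
}

# Constructed sample configs (not taken from the image) showing both outcomes:
# the shipped loopback-only setting and a config opened to every interface.
hardened=$(mktemp); opened=$(mktemp)
printf 'bind 127.0.0.1 -::1\nprotected-mode yes\n' > "$hardened"
printf '# bind 127.0.0.1 -::1\nbind 0.0.0.0\n' > "$opened"
for f in "$hardened" "$opened"; do
  if valkey_bind_check "$f"; then
    echo "$f: loopback only, no NSG change needed"
  else
    echo "$f: restrict the NSG rule to trusted IPs before starting"
  fi
done
rm -f "$hardened" "$opened"
```

Run it against /etc/valkey/valkey.conf after editing; a non-zero exit is the cue to check the NSG rule before restarting the service.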