redis 3.2 protected mode #280

Closed
bryanlarsen opened this issue Apr 7, 2016 · 9 comments
@bryanlarsen

Has anybody successfully used ioredis with redis-sentinel v3.2 rc3?

I was successfully using ioredis with redis-sentinel 3.0, but on upgrading to 3.2 it silently doesn't work: the callbacks aren't called. It works if I directly connect to the master, bypassing the sentinel.

It appears that I've got my sentinel configured correctly:

127.0.0.1:26379> SENTINEL get-master-addr-by-name mymaster
1) "127.0.0.1"
2) "6379"

@luin
Collaborator

luin commented Apr 7, 2016

I haven't tried redis-sentinel v3.2. However, the Redis release notes say "Redis 3.0 is mostly a strict subset of 3.", so it should not have any trouble connecting to sentinels.

Could you run your app in debug mode (DEBUG=ioredis:* node yourapp.js) to see the detailed logs?

@bryanlarsen
Author

Thanks for the hint. I get this error:

ioredis:SentinelConnector failed to connect to sentinel vagrant:6379 because ReplyError: DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 3) If you started the server manually just for testing, restart it with the '--protected-mode no' option. 4) Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

which gives me lots of options on how to fix things. Feel free to close the bug, although I do recommend you surface this bug to the user in non-debug mode because this is a change from 3.0 to 3.2. It's in the redis changelog, but I didn't notice it earlier.

@luin
Collaborator

luin commented Apr 7, 2016

Aha, you're right. Protected mode is a new feature in Redis 3.2. I noticed it on https://www.reddit.com/r/redis/comments/3zv85m/new_security_feature_redis_protected_mode/ three months ago. We should definitely handle this error (by printing a warning message maybe) in the library.

@luin luin added the feature label Apr 7, 2016
@bryanlarsen bryanlarsen changed the title from "redis-sentinel 3.2" to "redis 3.2 protected mode" Apr 7, 2016
@zeroone001

(error) ERR unknown command 'sentinel'

@luin
Collaborator

luin commented Apr 8, 2016

@zeroone001 The sentinel command is only supported by Redis Sentinel.

@zeroone001

@luin I know that I've got redis-cli instead of redis-sentinel

@luin luin closed this as completed in 3ca30d8 Apr 10, 2016
@fvoroshilin

Actually, protected mode affects sentinel and has to be added to the sentinel config as well. In my case, failover did not happen due to the above error message reported by bryanlarsen.

protected-mode no

My setup is a cluster with two masters and two slaves on four servers with sentinel installed on each server.

@luin
Collaborator

luin commented Jun 8, 2016

@Deathle55 protected-mode is very useful to protect your sentinel servers. You may avoid the errors by using the bind directive to bind the redis/sentinel to only several specified interfaces.

@fvoroshilin

@luin, I agree with you. The redis is configured on a particular interface in order to communicate with other redis. The issue was that I did not know why Sentinel did not start failover; there were not any logs in its logs. I just did not know that Sentinel should have been configured with the same option because there is no protected-mode setting in the default config of sentinel. You know sentinel runs on 0.0.0.0 and I did not expect this kind of issue.

Initially, I removed the 127.0.0.1 interface from the redis configs and disabled protected-mode.

BTW, there is no bind setting in the default config of sentinel as well. There is just the port setting with value 26379.

Actually, my failover did not happen; after a few minutes I got this error: "-failover-abort-slave-timeout master" and I have not found a description of this state. I hope to figure it out anyway or will try an earlier version of redis.
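
An added example, not code from ioredis, Redis, or any participant in this thread: a Node.js check that classifies a redis.conf or sentinel.conf against the conditions listed in the DENIED message quoted above (protected mode enabled, no bind address, no password). It assumes an absent protected-mode directive means "yes"; the function names and sample configs are constructed for illustration.

```javascript
// Added example (not ioredis or Redis code). Sample configs are constructed.
// Conditions follow the DENIED message: protected mode enabled, no bind
// address, no password => only loopback connections are accepted.
function parseDirectives(confText) {
  const d = {};
  for (const raw of confText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue; // blank or comment
    const [key, ...args] = line.split(/\s+/);
    d[key.toLowerCase()] = args.map((a) => a.replace(/^["']|["']$/g, ''));
  }
  return d;
}

function assessProtectedMode(confText) {
  const d = parseDirectives(confText);
  // Assumption: an absent protected-mode directive means "yes" (3.2 default).
  const enabled = ((d['protected-mode'] || ['yes'])[0] || 'yes').toLowerCase() !== 'no';
  const binds = d.bind || [];
  const hasPassword = Boolean((d.requirepass || [])[0]);
  if (enabled && binds.length === 0 && !hasPassword) {
    return { status: 'loopback-only',
      note: 'remote clients and peer sentinels will get DENIED' };
  }
  // An explicit bind, even to 0.0.0.0, means protected mode no longer denies.
  const allInterfaces = binds.length === 0 ||
    binds.some((b) => b === '0.0.0.0' || b === '::');
  if (allInterfaces && !hasPassword) {
    return { status: 'exposed',
      note: 'listens on every interface without a password' };
  }
  return { status: 'restricted', note: 'bind list or password limits access' };
}

// Constructed sample configs.
const samples = {
  defaultSentinel: 'port 26379\n',
  disabled: 'port 26379\nprotected-mode no\n',
  boundAll: 'port 6379\nbind 0.0.0.0\n',
  boundPrivate: 'port 26379\nbind 127.0.0.1 10.0.0.5\n',
};
for (const [name, conf] of Object.entries(samples)) {
  console.log(name, assessProtectedMode(conf).status);
}
```

Running it over every redis.conf and sentinel.conf in a deployment before an upgrade to 3.2 shows which nodes will start refusing peers and which are reachable from any interface without a password.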
