Redis 3.2 + Sentinel with Protected Mode
I had a little trouble while testing Redis 3.2 with Sentinel earlier today.
Below is a sample configuration from sentinel.conf.sample
#port 26379 #sentinel announce-ip #sentinel announce-port #dir /tmp #sentinel monitor mymaster 127.0.0.1 6379 2 #sentinel auth-pass mymaster MySUPER--secret-0123passw0rd #sentinel down-after-milliseconds mymaster 30000 #sentinel parallel-syncs mymaster 1 #sentinel failover-timeout mymaster 180000 #sentinel notification-script mymaster /var/redis/notify.sh #sentinel client-reconfig-script mymaster /var/redis/reconfig.sh
Below is the actual configuration.
port 5001 sentinel monitor mymaster 192.168.56.192 6379 2 sentinel down-after-milliseconds mymaster 1000 sentinel failover-timeout mymaster 10000
It kept on showing that the sentinel on my slave is down:
+sdown sentinel 3d41cb53869c640d95a9a0bcf7e3d4000ee1e272 192.168.56.193 5003 @ mymaster 192.168.56.192 6379
When I try to telnet in, I noticed the following error:
root@redis1:~ # telnet 192.168.56.193 5003 Trying 192.168.56.193... Connected to 192.168.56.193. Escape character is '^]'. -DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 3) If you started the server manually just for testing, restart it with the '--protected-mode no' option. 4) Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside. Connection closed by foreign host.
In Redis 3.2, it adds a “protected-mode” parameter to prevent stupid DBA from exposing Redis by not binding Redis instance to a specific interface. It was documented in redis.conf.sample file. However, this was not documented for sentinel.conf at all. Or at least, I couldn’t find it anywhere.
After disabling protected-mode in the sentinel.conf, it works fine 🙂