Redis 3.2 + Sentinel with Protected Mode

Redis 3.2 + Sentinel with Protected Mode

I had a little trouble while testing Redis 3.2 with Sentinel earlier today.

Below is a sample configuration from sentinel.conf.sample

#port 26379
#sentinel announce-ip 
#sentinel announce-port 
#dir /tmp
#sentinel monitor mymaster 6379 2
#sentinel auth-pass mymaster MySUPER--secret-0123passw0rd
#sentinel down-after-milliseconds mymaster 30000
#sentinel parallel-syncs mymaster 1
#sentinel failover-timeout mymaster 180000
#sentinel notification-script mymaster /var/redis/
#sentinel client-reconfig-script mymaster /var/redis/

Below is the actual configuration.

port 5001
sentinel monitor mymaster 6379 2
sentinel down-after-milliseconds mymaster 1000
sentinel failover-timeout mymaster 10000

It kept on showing that the sentinel on my slave is down:

+sdown sentinel 3d41cb53869c640d95a9a0bcf7e3d4000ee1e272 5003 @ mymaster 6379

When I try to telnet in, I noticed the following error:

root@redis1:~ # telnet 5003
Connected to
Escape character is '^]'.

-DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. 
In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 
1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. 
Use CONFIG REWRITE to make this change permanent. 
2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 
3) If you started the server manually just for testing, restart it with the '--protected-mode no' option. 
4) Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.
Connection closed by foreign host.

In Redis 3.2, it adds a “protected-mode” parameter to prevent stupid DBA from exposing Redis by not binding Redis instance to a specific interface. It was documented in redis.conf.sample file. However, this was not documented for sentinel.conf at all. Or at least, I couldn’t find it anywhere.

After disabling protected-mode in the sentinel.conf, it works fine 🙂

Wei Shan


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s