11

I'd like to disable protected-mode on my production Redis. Regarding to the following error I got from my other Redis-Sentinel instance I could disable it live by connecting to Redis from the master machine it runs on.

DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions:

1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent.

2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server.

3) If you started the server manually just for testing, restart it with the '--protected-mode no' option.

4) Setup a bind address or an authentication password.

NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

But as I connect and try to disable it I get the Error (error) ERR Unsupported CONFIG parameter: protected-mode.

There's no auth configured or anything else - all security is managed by firewall rules. The redis.conf is almost default.

Demo

root@svim-redis03 /etc/redis # redis-cli

127.0.0.1:6379> CONFIG GET protected*
(empty list or set)
127.0.0.1:6379> CONFIG GET bind*
1) "bind"
2) "127.0.0.1"
127.0.0.1:6379> CONFIG SET protected-mode no
(error) ERR Unsupported CONFIG parameter: protected-mode
127.0.0.1:6379> exit

root@svim-redis03 /etc/redis # redis-server --version
Redis server v=3.2.9 sha=00000000:0 malloc=jemalloc-4.0.3 bits=64 build=86450d2ba8219c1e

Is there anything I need to check or change before? I couldn't find any hint in the documentation or in GitHub issues.

Update 01

It's not even possible to change the bind-address or any other config parameter. Do I need to enable config changes first?

127.0.0.1:6379> config set bind "127.0.0.1 11.12.13.14"
(error) ERR Unsupported CONFIG parameter: bind
Thomas Schwärzl
  • 323
  • 1
  • 5
  • 13

1 Answers1

7

Turns out that the current server running isn't the same version as the binary I've installed.

How to reproduce this?

Simply connect via redis-cli to your redis instance and type INFO server which returns a bunch of informations.

127.0.0.1:6379> INFO server
# Server
redis_version:3.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:869e89100d5ea8c2
redis_mode:standalone
os:Linux 4.2.0-35-generic x86_64
arch_bits:64
multiplexing_api:epoll
gcc_version:4.8.4
process_id:26720
run_id:6645270dd2ac6a7f96caa054f9dbba9e66566755
tcp_port:6379
uptime_in_seconds:10971777
uptime_in_days:126
hz:10
lru_clock:6676576
config_file:/etc/redis/redis.conf

As you can see this redis-instance runs almost 127 days and uses redis_version:3.0.7.

How to fix this?

Restart your server and be sure that you realy restarted it! For example with most Linux distros you can do so by hitting the following commands.

root@svim-redis03 ~ # service redis-server stop
Stopping redis-server: redis-server.

Check if it's really offline by trying to connect with redis-cli. If you still can connect the instance is still running. Check this by searching for active redis processes.

root@svim-redis03 ~ # ps -efl |grep redis
1 S redis    12418     1  0  80   0 - 10673 ep_pol  2016 ?        05:33:17 /usr/bin/redis-server 127.0.0.1:6381
1 S redis    12442     1  0  80   0 - 11697 ep_pol  2016 ?        05:33:46 /usr/bin/redis-server 127.0.0.1:6382
1 S redis    12453     1  0  80   0 - 10673 ep_pol  2016 ?        05:40:17 /usr/bin/redis-server 127.0.0.1:6383
4 S root     16570 16386  0  80   0 -  2489 wait_w 10:42 pts/7    00:00:00 tail -f /var/log/redis/redis-server-6379.log
0 S root     17064 12637  0  80   0 -  3617 pipe_w 10:47 pts/1    00:00:00 grep --color=auto redis
1 S redis    26720     1  0  80   0 - 453041 ep_pol Mar07 ?       08:37:01 /usr/bin/redis-server 127.0.0.1:6379

As you can see there's still the instance (process id: 26720) running. Quit it with the following command.

kill 26720

After you've killed the process check again with ps -efl |grep redis if the instance is really down.

Finally start it again with

root@svim-redis03 ~ # service redis-server start
Starting redis-server: redis-server.

Now check if the instance is running with the correct version.

root@svim-redis03 ~ # redis-cli
127.0.0.1:6379> INFO server
# Server
redis_version:3.2.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:86450d2ba8219c1e
redis_mode:standalone
os:Linux 4.2.0-35-generic x86_64
arch_bits:64
multiplexing_api:epoll
gcc_version:4.8.4
process_id:17135
run_id:40d6fa2e2b25e8f5b97a3c97ec1bddb8edda0014
tcp_port:6379
uptime_in_seconds:11
uptime_in_days:0
hz:10
lru_clock:6677102
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
Thomas Schwärzl
  • 323
  • 1
  • 5
  • 13
  • 1
    I can't believe it, but I had exactly the same issue: 2 different servers were running on the box. Mind blowing! Thank you for an answer... but why...why?! – Pavel Kovalev Feb 18 '19 at 06:26