
I believe this question is somewhat answered here: MISCONF Redis is configured to save RDB snapshots.

I am currently running a Redis docker container, which from time to time returns the following error:

MISCONF Redis is configured to save RDB snapshots, but it is currently not able to persist on disk. Commands that may modify the data set are disabled, because this instance is configured to report errors during writes if RDB snapshotting fails (stop-writes-on-bgsave-error option). Please check the Redis logs for details about the RDB error.

In combination with:

redis_1        | 4410:C 06 Feb 2020 23:50:57.045 # Failed opening the RDB file crontab (in server root dir /etc) for saving: Permission denied

Is this because redis is running out of room? Is there something I can do to clean up redis? I am only using redis as the messaging broker layer, so the data does not really need to be persisted ...

I also see the following WARNINGS coming up from the redis container:

# WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.

I feel like maybe this question is the perfect opportunity to ask redis/devops experts to maybe outline the best way to configure redis with docker-compose. I currently have:

  redis:
    build:
      context: ./redis
      dockerfile: Dockerfile
    ports:
      - '6379:6379'
    volumes:
      - ./redis.conf:/usr/local/etc/redis/redis.conf
    sysctls:
      net.core.somaxconn: '511'   # kernel key is somaxconn (the original had the typo somaxcomm)
    restart: on-failure

If there is anything better that can be done that would be amazing and appreciated.

Micheal J. Roberts

  • Something is messed up if redis thinks its RDB file should be named `/etc/crontab`. – hobbs Feb 07 '20 at 09:23
  • I'm sure it is messed up, but how - it's just a standard redis setup in docker-compose? – Micheal J. Roberts Feb 07 '20 at 09:27
  • Well, going out on a limb here, but I'd say you've left your redis open to the internet, and someone is connecting to it and trying to use it to compromise the server it's running on, by writing to the crontab. It looks like they *probably* failed, but you've still got some security issues to deal with. – hobbs Feb 07 '20 at 09:29
  • It's just a docker-compose setup tho, as given in hundreds of tutorials? – Micheal J. Roberts Feb 07 '20 at 09:30
  • Would be nice to have someone of your reputation, if this is your subject of choice, to maybe outline how you can correctly configure a redis instance... – Micheal J. Roberts Feb 07 '20 at 09:31
  • Instance / container – Micheal J. Roberts Feb 07 '20 at 09:39
  • I started up a redis container with docker and it automatically bypassed my firewall and exposed itself on port 6379. Within 15 minutes, I was hacked. No idea how often people port scan, but I guess it is a common attack vector. They managed to write some cron files to my data directory which caused these errors. Lucky I was only in a docker sandbox or my whole system could have been compromised. Very dangerous to run an open redis service. Thanks hobbs. – Phil Feb 02 '21 at 22:32
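The log line in the question is the useful indicator here: Redis prints the directory and file name it is currently trying to save to, so a mismatch between that and the configured `dir`/`dbfilename` tells you the values were changed at runtime. The script below is an added example, not code from the question or from Redis, that scans log lines in that format and flags saves targeting anything other than the expected location. The expected values (`/data`, `dump.rdb`) and the sample log lines are constructed for the example; adjust the two variables to your own redis.conf.

```shell
#!/bin/sh
# Added example, not code from the question: scan Redis log lines for RDB
# saves that target a directory or file name other than the one this instance
# was configured with. The "Failed opening the RDB file X (in server root dir Y)"
# message reports the dir/dbfilename Redis is using *now*; when they differ
# from the configuration, they were changed at runtime through CONFIG SET,
# which is the situation hobbs describes in the comments.

# What this instance is expected to use (assumed values; match them to your redis.conf).
EXPECTED_DIR="/data"
EXPECTED_FILE="dump.rdb"

# Constructed sample log lines in the format the question shows; the first one
# is the question's own message, the others are ordinary save events.
SAMPLE_LOG='4410:C 06 Feb 2020 23:50:57.045 # Failed opening the RDB file crontab (in server root dir /etc) for saving: Permission denied
4410:C 06 Feb 2020 23:50:58.001 * DB saved on disk
4411:C 06 Feb 2020 23:51:10.120 # Failed opening the RDB file dump.rdb (in server root dir /data) for saving: No space left on device'

# check_rdb_line LINE -> returns 0 for any line that is not an RDB failure
# outside the expected location, 1 (and prints a finding) when it is.
check_rdb_line() {
    line=$1
    case $line in
        *"Failed opening the RDB file "*"(in server root dir "*) ;;
        *) return 0 ;;
    esac
    # Pull the file name and directory out of the message text.
    file=${line#*"Failed opening the RDB file "}
    file=${file%%" (in server root dir "*}
    dir=${line#*"(in server root dir "}
    dir=${dir%%")"*}
    if [ "$dir" != "$EXPECTED_DIR" ] || [ "$file" != "$EXPECTED_FILE" ]; then
        echo "SUSPICIOUS: RDB target $dir/$file differs from configured $EXPECTED_DIR/$EXPECTED_FILE; check who changed dir/dbfilename and whether the port is reachable from outside"
        return 1
    fi
    echo "ordinary RDB save failure in $dir/$file: ${line##*: }"
    return 0
}

# scan_log TEXT -> prints the number of suspicious lines to stdout; per-line
# findings go to stderr so the count is easy to consume from a script.
scan_log() {
    count=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        if ! check_rdb_line "$l" >&2; then
            count=$((count + 1))
        fi
    done <<EOF
$1
EOF
    echo "$count"
}

# Stand-alone run: ./scan_rdb_log.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "suspicious lines: $(scan_log "$SAMPLE_LOG")"
fi
```

On the sample input the crontab line in `/etc` is flagged and the two `/data` lines are not; feeding `docker logs <container>` into `scan_log` instead of the constructed text gives the same check against a live container.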

1 Answer

UPDATE: Use expose instead of ports so the service is only available to linked services

Expose ports without publishing them to the host machine - they’ll only be accessible to linked services. Only the internal port can be specified.

    expose:
      - 6379

Original answer: Your redis instance is probably open to the internet. You can use redis.conf to bind 127.0.0.1 to only allow local connections.

See detailed answer here

itaintme