Commit Graph

270 Commits

Author SHA1 Message Date
antirez
fe5aea38c3 Simplify PR #6551 implementation. 2019-11-19 11:56:02 +01:00
Patrick Valsecchi
9593ffde2e
Redis sentinel kill pubsub client connections as well
When a redis instance becomes a slave, sentinel also kills pubsub
clients.

Closes #6545
2019-11-07 08:49:19 +01:00
Yossi Gottlieb
0132189007 Fix compile warnings when BUILD_TLS=no. 2019-10-15 15:24:32 +03:00
Yossi Gottlieb
61733ded14 TLS: Configuration options.
Add configuration options for TLS protocol versions, ciphers/cipher
suites selection, etc.
2019-10-07 21:07:27 +03:00
Yossi Gottlieb
b087dd1db6 TLS: Connections refactoring and TLS support.
* Introduce a connection abstraction layer for all socket operations and
integrate it across the code base.
* Provide an optional TLS connections implementation based on OpenSSL.
* Pull a newer version of hiredis with TLS support.
* Tests, redis-cli updates for TLS support.
2019-10-07 21:06:13 +03:00
vattezhang
9d632230b6 fix: fix sentinel command table and new flags format 2019-02-27 21:35:58 +08:00
antirez
c8391388c2 ACL: remove server.requirepass + some refactoring. 2019-01-18 11:49:30 +01:00
antirez
4f0860cbfd RESP3: initial implementation of the HELLO command. 2019-01-09 17:00:29 +01:00
antirez
3fd78f41e8 RESP3: restore the concept of null array for RESP2 compat. 2019-01-09 17:00:29 +01:00
antirez
9705c12d85 RESP3: sentinel.c updated. 2019-01-09 17:00:29 +01:00
antirez
fa675256c1 Add support for Sentinel authentication.
So far it was not possible to setup Sentinel with authentication
enabled. This commit introduces this feature: every Sentinel will try to
authenticate with other sentinels using the same password it is
configured to accept clients with.

So for instance if a Sentinel has a "requirepass" configuration
statemnet set to "foo", it will use the "foo" password to authenticate
with every other Sentinel it connects to. So basically to add the
"requirepass" to all the Sentinels configurations is enough in order to
make sure that:

1) Clients will require the password to access the Sentinels instances.
2) Each Sentinel will use the same password to connect and authenticate
   with every other Sentinel in the group.

Related to #3279 and #3329.
2018-10-31 12:56:47 +01:00
antirez
666b3437e6 Disable protected mode in Sentinel mode.
Sentinel must be exposed, so protected mode is just an issue for users
in case Redis was started in Sentinel mode.

Related to #3279 and #3329.
2018-10-31 12:37:48 +01:00
antirez
ca6aed02f8 Slave removal: replace very few things in Sentinel.
SENTINEL REPLICAS was added as an alias, in the configuration rewriting
now it uses known-replica, however all the rest is basically at API
level of logged events and messages having to do with the protocol, so
there is very little to do here compared to the Redis core itself, to
preserve compatibility.
2018-09-11 15:32:28 +02:00
Chris Lamb
132be8aed5 Correct "did not received" -> "did not receive" typos/grammar. 2018-08-26 14:45:39 +02:00
Jack Drogon
93238575f7 Fix typo 2018-07-03 18:19:46 +02:00
Salvatore Sanfilippo
f03ad96236
Merge pull request #5068 from shenlongxing/fix-rename-command
fix empty string for sentinel rename-command
2018-07-02 18:40:35 +02:00
zhaozhao.zz
1fcf2737a6 fix some compile warnings 2018-06-28 17:22:59 +08:00
shenlongxing
3c27db1cd9 fix empty string for sentinel rename-command 2018-06-28 01:08:55 +08:00
antirez
3cf8dd2c84 Sentinel: fix SENTINEL SET error reporting.
Thanks to @shenlongxing for reporting the problem.
Related to #5062.
2018-06-26 09:17:38 +02:00
antirez
fc0c9c8097 Sentinel: drop the renamed-command entry in a more natural way.
Instead of telling the user to set the renamed command to "" to remove
the renaming, to the obvious thing when a command is renamed to itself.

So if I want to remove the renaming of PING, I just rename it to PING
again.
2018-06-25 17:50:46 +02:00
antirez
2358de6816 Sentinel command renaming: use case sensitive hashing for the dict. 2018-06-25 17:31:57 +02:00
antirez
a9c5008895 Sentinel command renaming: fix CONFIG SET event logging. 2018-06-25 17:24:04 +02:00
antirez
b72cecd7c8 Sentinel command renaming: fix CONFIG SET after refactoring. 2018-06-25 17:23:32 +02:00
antirez
91a384a5cd Sentinel command renaming: implement SENTINEL SET. 2018-06-25 17:13:20 +02:00
antirez
903582dd7b Sentinel: make SENTINEL SET able to handle different arities. 2018-06-25 17:12:39 +02:00
antirez
c303e768bf Sentinel command renaming: config rewriting. 2018-06-25 16:55:01 +02:00
antirez
60df7dbea1 Sentinel command renaming: rename-command option parsing. 2018-06-25 16:47:50 +02:00
antirez
72e8a33b35 Sentinel command renaming: base machanism implemented. 2018-06-25 14:06:05 +02:00
antirez
6a66b93b18 Sentinel: add an option to deny online script reconfiguration.
The ability of "SENTINEL SET" to change the reconfiguration script at
runtime is a problem even in the security model of Redis: any client
inside the network may set any executable to be ran once a failover is
triggered.

This option adds protection for this problem: by default the two
SENTINEL SET subcommands modifying scripts paths are denied. However the
user is still able to rever that using the Sentinel configuration file
in order to allow such a feature.
2018-06-14 18:57:58 +02:00
antirez
8631e64779 Sentinel: fix delay in detecting ODOWN.
See issue #2819 for details. The gist is that when we want to send INFO
because we are over the time, we used to send only INFO commands, no
longer sending PING commands. However if a master fails exactly when we
are about to send an INFO command, the PING times will result zero
because the PONG reply was already received, and we'll fail to send more
PINGs, since we try only to send INFO commands: the failure detector
will delay until the connection is closed and re-opened for "long
timeout".

This commit changes the logic so that we can send the three kind of
messages regardless of the fact we sent another one already in the same
code path. It could happen that we go over the message limit for the
link by a few messages, but this is not significant. However now we'll
not introduce delays in sending commands just because there was
something else to send at the same time.
2018-05-23 17:13:44 +02:00
antirez
adeed29a99 Use SipHash hash function to mitigate HashDos attempts.
This change attempts to switch to an hash function which mitigates
the effects of the HashDoS attack (denial of service attack trying
to force data structures to worst case behavior) while at the same time
providing Redis with an hash function that does not expect the input
data to be word aligned, a condition no longer true now that sds.c
strings have a varialbe length header.

Note that it is possible sometimes that even using an hash function
for which collisions cannot be generated without knowing the seed,
special implementation details or the exposure of the seed in an
indirect way (for example the ability to add elements to a Set and
check the return in which Redis returns them with SMEMBERS) may
make the attacker's life simpler in the process of trying to guess
the correct seed, however the next step would be to switch to a
log(N) data structure when too many items in a single bucket are
detected: this seems like an overkill in the case of Redis.

SPEED REGRESION TESTS:

In order to verify that switching from MurmurHash to SipHash had
no impact on speed, a set of benchmarks involving fast insertion
of 5 million of keys were performed.

The result shows Redis with SipHash in high pipelining conditions
to be about 4% slower compared to using the previous hash function.
However this could partially be related to the fact that the current
implementation does not attempt to hash whole words at a time but
reads single bytes, in order to have an output which is endian-netural
and at the same time working on systems where unaligned memory accesses
are a problem.

Further X86 specific optimizations should be tested, the function
may easily get at the same level of MurMurHash2 if a few optimizations
are performed.
2017-02-20 17:29:17 +01:00
antirez
041ab04419 Trim comment to 80 cols. 2016-09-14 16:41:05 +02:00
oranagra
68bf45fa1e Optimize repeated keyname hashing.
(Change cherry-picked and modified by @antirez from a larger commit
provided by @oranagra in PR #3223).
2016-09-12 13:19:05 +02:00
antirez
3e9ce38b0a Sentinel: check Slave INFO state more often when disconnected.
During the initial handshake with the master a slave will report to have
a very high disconnection time from its master (since technically it was
disconnected since forever, so the current UNIX time in seconds is
reported).

However when the slave is connected again the Sentinel may re-scan the
INFO output again only after 10 seconds, which is a long time. During
this time Sentinels will consider this instance unable to failover, so
a useless delay is introduced.

Actaully this hardly happened in the practice because when a slave's
master is down, the INFO period for slaves changes to 1 second. However
when a manual failover is attempted immediately after adding slaves
(like in the case of the Sentinel unit test), this problem may happen.

This commit changes the INFO period to 1 second even in the case the
slave's master is not down, but the slave reported to be disconnected
from the master (by publishing, last time we checked, a master
disconnection time field in INFO).

This change is required as a result of an unrelated change in the
replication code that adds a small delay in the master-slave first
synchronization.
2016-07-22 10:51:25 +02:00
antirez
c383be3b0f Sentinel: fix cross-master Sentinel address update.
This commit both fixes the crash reported with issue #3364 and
also properly closes the old links after the Sentinel address for the
other masters gets updated.

The two problems where:

1. The Sentinel that switched address may not monitor all the masters,
   it is possible that there is no match, and the 'match' variable is
   NULL. Now we check for no match and 'continue' to the next master.

2. By ispecting the code because of issue "1" I noticed that there was a
   problem in the code that disconnects the link of the Sentinel that
   needs the address update. Basically link->disconnected is non-zero
   even if just *a single link* (cc -- command link or pc -- pubsub
   link) are disconnected, so to check with if (link->disconnected)
   in order to close the links risks to leave one link connected.

I was able to manually reproduce the crash at "1" and verify that the
commit resolves the issue.

Close #3364.
2016-07-04 18:45:24 +02:00
antirez
f7351f4c07 Fix Sentinel pending commands counting.
This bug most experienced effect was an inability of Redis to
reconfigure back old masters to slaves after they are reachable again
after a failover. This was due to failing to reset the count of the
pending commands properly, so the master appeared fovever down.

Was introduced in Redis 3.2 new Sentinel connection sharing feature
which is a lot more complex than the 3.0 code, but more scalable.

Many thanks to people reporting the issue, and especially to
@sskorgal for investigating the issue in depth.

Hopefully closes #3285.
2016-06-16 19:27:24 +02:00
Salvatore Sanfilippo
5d83f6cfde Merge pull request #3274 from MOON-CLJ/fix_promoted_slave
Sentinel: fix check when can't send the command to the promoted slave
2016-06-15 17:24:11 +02:00
andyli
93a09877fe fix comment "b>a" to "a > b" 2016-06-10 09:15:26 +02:00
antirez
2a57ad5d90 Fixed typo in Sentinel compareSlavesForPromotion() comment. 2016-06-10 09:15:01 +02:00
MOON_CLJ
aa578446ba fix check when can't send the command to the promoted slave 2016-05-26 13:10:12 +08:00
Salvatore Sanfilippo
f5ff91f675 Merge pull request #2998 from danielhtshih/unstable
Fix a possible race condition of sdown event detection if sentinel's connection to master/slave/sentinel became disconnected just after the last PONG and before the next PING.
2016-05-05 17:16:58 +02:00
antirez
751b5666fb Sentinel: improve handling of known Sentinel instances.
1. Bug #3035 is fixed (NULL pointer access). This was happening with the
   folling set of conditions:

* For some reason one of the Sentinels, let's call it Sentinel_A, changed ID (reconfigured from scratch), but is as the same address at which it used to be.

* Sentinel_A performs a failover and/or has a newer configuration compared to another Sentinel, that we call, Sentinel_B.

* Sentinel_B receives an HELLO message from Sentinel_A, where the address and/or ID is mismatched, but it is reporting a newer configuration for the master they are both monitoring.

2. Sentinels now must have an ID otherwise they are not loaded nor persisted in the configuration. This allows to have conflicting Sentinels with the same address since now the master->sentinels dictionary is indexed by Sentinel ID.

3. The code now detects if a Sentinel is annoucing itself with an IP/port pair already busy (of another Sentinel). The old Sentinel that had the same port/pair is set as having port 0, that means, the address is invalid. We may discover the right address later via HELLO messages.
2016-01-27 16:27:49 +01:00
Daniel Shih
e6d970534b Fix a possible race condition of sdown detection if the
connection to master/slave/sentinel decames disconnected just after the last PONG and before the next PING.
2016-01-12 17:06:47 +08:00
antirez
33769f840c Sentinel: command arity check added where missing. 2015-09-08 09:27:43 +02:00
Salvatore Sanfilippo
0c62d95538 Merge pull request #2695 from rogerlz/unstable
redis-sentinel crash if ckquorum command is executed without args
2015-09-08 09:24:45 +02:00
antirez
6233d210cd Sentinel: add more commonly useful sections to INFO.
Debugging is hard without those when there are problems like the one
investigated in issue #2700.
2015-07-29 12:29:12 +02:00
antirez
32f80e2f1b RDMF: More consistent define names. 2015-07-27 14:37:58 +02:00
antirez
40eb548a80 RDMF: REDIS_OK REDIS_ERR -> C_OK C_ERR. 2015-07-26 23:17:55 +02:00
antirez
2d9e3eb107 RDMF: redisAssert -> serverAssert. 2015-07-26 15:29:53 +02:00
antirez
554bd0e7bd RDMF: use client instead of redisClient, like Disque. 2015-07-26 15:20:52 +02:00