Version 7+ cannot handle non-localhost connections as protected mode is on and authentication is not supported

jordyvanvorselen commented 1 year ago

Environment

docker-redis-cluster version: From 7.x
redis-server version: From 7.x
git hash (If applicable):
CLI command used to build the container: docker run -d --network --name redis- -e MASTERS=3 -e SLAVES_PER_MASTER=1 -e INITIAL_PORT=7777 grokzen/redis-cluster:latest

Steps to Reproduce

Start up the docker container
Try to connect to the cluster from any other host than localhost from within the same network
You will get this error:

[redis://redis-:7777]: Unable to connect to [redis-/:7777]: DENIED Redis is running in protected mode because protected mode is enabled and no password is set for the default user. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 3) If you started the server manually just for testing, restart it with the '--protected-mode no' option. 4) Setup a an authentication password for the default user. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

Expected Behavior

This is expected, but there is currently no way to either:

set a password and authorize

OR

disable protected mode

I'd expect to be able to disable protected mode or authenticate.

Observed Behavior

There is no way to disable protected mode or authenticate.

Grokzen commented 1 year ago

@jordyvanvorselen The simplest solution right now is that either you go back to a 6.2.x image, or you clone the repo and you update the file redis-cluster.tmpl to remove protected mode for your own image you build and use.

The config parser is being rewritten, but no date on when that is done to enable easier config modifications rather then to build your own image

ceckhardt commented 1 year ago

Just curious, is there a reason why you wouldn't make the change to redis-cluster.tmpl in this repo? I believe this breaking change in 7.x is effectively the cause:

Modifying the bind parameter to a non-default value will no longer implicitly disable protected-mode (#9034)

So this project has been disabling protected-mode since redis version 3.2, and more depend on it being off than on.

ghShu commented 1 year ago

6.2.x image does not seem to work for me. The follow command does not start any container successfully, nor does it give any errors. Any idea why? docker run -d -e "IP=0.0.0.0" -p 7000-7005:7000-7005 grokzen/redis-cluster:6.2.10 --protected-mode no

The docker logs seems to suggest that there is no --protected-mode or I did not add the option in the right way. ❯ docker logs 235315420ba7 /docker-entrypoint.sh: 102: exec: --protected-mode: not found

Grokzen commented 1 year ago

@ghShu If you look at how all processes is started, you will see that the entrypoint that dockers starts is not redis-server command where your extra argument would be passed along into, but it starts a bash script and ignores any additional cli arguments that would otherwise be passed in to the running process by docker

kkoomen commented 1 year ago

Just curious, is there a reason why you wouldn't make the change to redis-cluster.tmpl in this repo? I believe this breaking change in 7.x is effectively the cause:
Modifying the bind parameter to a non-default value will no longer implicitly disable protected-mode (#9034)
So this project has been disabling protected-mode since redis version 3.2, and more depend on it being off than on.

I agree. @Grokzen even mentioned in the README that this is not a production container at all and is for quick use for demo/presentation/development, so we can safely enable this for this repository.

Now, having that said, @Grokzen can you add the protected-mode on in the redis.conf and publish a new release to fix this issue as a hotfix? Then you can make things configurable later on.

Grokzen commented 1 year ago

Resolved in d5a8e1221834318ce1a1e1283dc3c2840263de3d New images will be published shortly

kkoomen commented 1 year ago

Works! Thanks a lot @Grokzen!

jordyvanvorselen commented 10 months ago

Works well! Thanks @Grokzen, awesome 👍

Grokzen / docker-redis-cluster