環境:Cent OS 7.0 Redis 3.2.1
Redis的安裝與啟動
這裡我把Redis放在/home/xuliugen/software/下,所以在該目錄下執行下列命令:
[code]$ wgethttp://download.redis.io/releases/redis-3.2.1.tar.gz $ tar xzf redis-3.2.1.tar.gz
$ cd redis-3.2.1
$ make
至此Redis已經安裝完成,首先試一下能不能把啟動:
啟動命令(在/home/xuliugen/software/redis-3.2.1目錄下執行):
[code][root@localhost redis-3.2.1]# ./src/redis-server ../redis.conf
如下:
常見問題及解決方法
根據上圖中的警告信息,下邊是具體的解決方法
1、啟動的時候沒有設置配置文件
這個版本的時候需要指定,如果不指定的話,在後期修改了配置文件不會起到對應的效果[code]11292:C 25 Jul 13:13:58.034 # Warning: no config file specified, using the default config. In order to specify a config file use ./redis-server /path/to/redis.conf
這個說的是在啟動的時候要制定配置文件,如果沒有指定的話就會按照默認的配置,因此我們要制定具體的位置,具體命令為:
[code][root@localhost src]# ./redis-server ../redis.conf
2、啟動時報錯及解決方法
[code]1、WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
2、WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
解決方法其實按照上邊的說明就可以解決
第一個警告兩個方式解決(overcommit_memory)
[code]echo "vm.overcommit_memory=1" > /etc/sysctl.conf 或 vi /etcsysctl.conf
然後reboot重啟機器,重啟之後執行下邊的內容
[code]echo 1 > /proc/sys/vm/overcommit_memory 不需要啟機器就生效
第二個警告解決
[code]echo 511 > /proc/sys/net/core/somaxconn
其實在報錯信息的時候已經給出了解決的方法,按照給定的具體的方法解決即可。
3、在上述 2 中的解決方法的一些參數說明
(1)overcommit_memory參數說明:
設置內存分配策略(可選,根據服務器的實際情況進行設置)
/proc/sys/vm/overcommit_memory
可選值:0、1、2。
[code]0, 表示內核將檢查是否有足夠的可用內存供應用進程使用;如果有足夠的可用內存,內存申請允許;否則,內存申請失敗,並把錯誤返回給應用進程。
1, 表示內核允許分配所有的物理內存,而不管當前的內存狀態如何。
2, 表示內核允許分配超過所有物理內存和交換空間總和的內存
注意:redis在dump數據的時候,會fork出一個子進程,理論上child進程所占用的內存和parent是一樣的,比如parent占用 的內存為8G,這個時候也要同樣分配8G的內存給child,如果內存無法負擔,往往會造成redis服務器的down機或者IO負載過高,效率下降。所 以這裡比較優化的內存分配策略應該設置為 1(表示內核允許分配所有的物理內存,而不管當前的內存狀態如何)。
(2)這裡又涉及到Overcommit和OOM。
什麼是Overcommit和OOM,在Unix中,當一個用戶進程使用malloc()函數申請內存時,假如返回值是NULL,則這個進程知道當前沒有可用內存空間,就會做相應的處理工作。許多進程會打印錯誤信息並退出。
Linux使用另外一種處理方式,它對大部分申請內存的請求都回復”yes”,以便能跑更多更大的程序。因為申請內存後,並不會馬上使用內存。這種技術叫做Overcommit。
當內存不足時,會發生OOM killer(OOM=out-of-memory)。它會選擇殺死一些進程(用戶態進程,不是內核線程),以便釋放內存。
(3)Overcommit的策略
Linux下overcommit有三種策略(Documentation/vm/overcommit-accounting):
啟發式策略。合理的overcommit會被接受,不合理的overcommit會被拒絕。
任何overcommit都會被接受。
當系統分配的內存超過swap+N%*物理RAM(N%由vm.overcommit_ratio決定)時,會拒絕commit。
overcommit的策略通過vm.overcommit_memory設置。
overcommit的百分比由vm.overcommit_ratio設置。
[code]echo 2 > /proc/sys/vm/overcommit_memory
echo 80 > /proc/sys/vm/overcommit_ratio
當oom-killer發生時,linux會選擇殺死哪些進程選擇進程的函數是oom_badness函數(在mm/oom_kill.c中),該函數會計算每個進程的點數(0~1000)。點數越高,這個進程越有可能被殺死。每個進程的點數跟oom_score_adj有關,而且oom_score_adj可以被設置(-1000最低,1000最高)。
設置Redis外網可訪問
值得注意的是在3.2.0以後的新版本中引入了一種
proteced mode
模式,詳見:http://redis.io/topics/security
在不修改配置文件任何內容的情況下,有以下幾個默認的配置:
[code]# By default, if no "bind" configuration directive is specified, Redis listens
# for connections from all the network interfaces available on the server.
# It is possible to listen to just one or multiple selected interfaces using
# the "bind" configuration directive, followed by one or more IP addresses.
#
# Examples:
#
# bind 192.168.1.100 10.0.0.1
# bind 127.0.0.1 ::1
#
# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
# internet, binding to all the interfaces is dangerous and will expose the
# instance to everybody on the internet. So by default we uncomment the
# following bind directive, that will force Redis to listen only into
# the IPv4 lookback interface address (this means Redis will be able to
# accept connections only from clients running into the same computer it
# is running).
#
# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
# JUST COMMENT THE FOLLOWING LINE.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
bind 127.0.0.1
# By default protected mode is enabled. You should disable it only if
# you are sure you want clients from other hosts to connect to Redis
# even if no authentication is configured, nor a specific set of interfaces
# are explicitly listed using the "bind" directive.
protected-mode yes
# Require clients to issue AUTH <PASSWORD> before processing any other
# commands. This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared
簡單的就是:
[code]bind 127.0.0.1
protected-mode yes
# requirepass foobared
默認綁定的是127.0.01,默認開啟了:protected-mode模式,按照官方的說法,如果默認開啟了protected-mode模式在沒有配置綁定IP和密碼的情況下,是只允許回環地址進行訪問的,就只允許127.0.0.1進行訪問,那我們就在默認的配置下進行啟動,通過SSH工具在其他機器上進行訪問,看看運行的效果:
[code][root@localhost redis-3.2.1]# ./src/redis-server ../redis.conf
很顯然是沒有辦法訪問到,在3.2.0以前的版本中可以將綁定的IP進行修改為本機IP,例如我運行Redis的服務器IP為192.168.1.149,那我的配置為
0.0.0.0
,順便指定Redis的密碼,# requirepass foobared 將這一行去掉注釋,選擇自己喜歡的密碼,重啟服務即可正常訪問。
DENIED Redis is running in protected mode because protected mode is enabled
[code](error) DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the lookback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 3) If you started the server manually just for testing, restart it with the --portected-mode no option. 4) Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.
通過外網訪問Redis可能會遇到這個問題,Redis protected-mode 是3.2 之後加入的新特性,在redis.conf的注釋中,我們可以了解到,他的具體作用和啟用條件:
[code]# Protected mode is a layer of security protection, in order to avoid that
# Redis instances left open on the internet are accessed and exploited.
#
# When protected mode is on and if:
#
# 1) The server is not binding explicitly to a set of addresses using the
# "bind" directive.
# 2) No password is configured.
#
# The server only accepts connections from clients connecting from the
# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
# sockets.
#
# By default protected mode is enabled. You should disable it only if
# you are sure you want clients from other hosts to connect to Redis
# even if no authentication is configured, nor a specific set of interfaces
# are explicitly listed using the "bind" directive.
protected-mode yes
可以看到 protected-mode 是為了禁止公網訪問redis cache,加強redis安全的。它啟用的條件,有兩個:
1) 沒有bind IP
2) 沒有設置訪問密碼
如果啟用了,則只能夠通過lookback ip(127.0.0.1)訪問Redis cache,如果從外網訪問,則會返回相應的錯誤信息,就是上圖中的信息。
因此在新的版本中,應該配置綁定IP和訪問密碼,這樣的話才不會報錯誤,在Redis的一個論壇中,老外也探討了這個問題,可以參考:https://www.reddit.com/r/redis/comments/3zv85m/new_security_feature_redis_protected_mode/
Redis常用命令
1、啟動Redis,這裡指定具體的配置文件
[code][root@localhost redis-3.2.1]# ./redis-server ../redis.conf
2、查看Redis服務和進程
[code][root@localhost redis-3.2.1]# ps -ef | grep redis
[root@localhost redis-3.2.1]# netstat -ano | grep 6379
3、訪問客戶端Cli
[code][root@localhost redis-3.2.1]# ./src/redis-cli
如果設置密碼,用參數 -a指定密碼
[code][root@localhost redis-3.2.1]# ./src/redis-cli -a yourpassword
注意:上述的操作過程中,始終是關閉了防火牆的,關閉的命令如下:
[code]centos 7:
systemctl stop firewalld.service #停止
systemctl disable firewalld.service #禁用
centos 7之前的版本:
service iptables stop #停止
chkconfig iptables off #禁用
如果只是想開啟某一個端口,例如:6379的話,可以搜索一下具體的配置過程,這裡不再累述。
