Redis keys mysteriously lost

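Incident report

  • 2024.03.08: a developer reported that all keys in Redis had inexplicably disappeared. On checking, this Redis instance had no password configured, and the Java log contained READONLY You can't write against a read only replica. Yet this Redis is a standalone instance, and redis.conf already has slave-read-only no set.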
12:42:50.099 ERROR o.s.s.s.TaskUtils$LoggingErrorHandler - Unexpected error occurred in scheduled task org.springframework.data.redis.RedisSystemException: 
Error in execution; nested exception is io.lettuce.core.RedisCommandExecutionException: READONLY You can't write against a read only replica.
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

Caused by: io.lettuce.core.RedisCommandExecutionException: READONLY You can't write against a read only replica.
    at io.lettuce.core.ExceptionFactory.createExecutionException(ExceptionFactory.java:135)
    at io.lettuce.core.ExceptionFactory.createExecutionException(ExceptionFactory.java:108)

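Analysis

Redis key loss usually falls into one of the following cases:

  • The key had an expiry set and was cleaned up automatically
  • maxmemory was reached, so Redis evicted some keys to free memory
  • The Redis instance restarted with no persistence policy, so the keys were lost
  • The application code deletes the key

With that experience in mind, troubleshooting starts here:

  • Step 1: confirm that Redis really has no keys at all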
[root@11.107 ~]# redis-cli 
127.0.0.1:6379> info keyspace
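  • Step 2: check maxmemory and the eviction policy. In this example volatile-lru keeps recently accessed data in preference, and the keys the application uses are far below the maxmemory limit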
[root@11.107 ~]# cat /data/redis_6379/redis_6379.conf | grep maxmemory
maxmemory 6662692864
maxmemory-policy volatile-lru
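  • Step 3: since the Java log mentions a replica, check redis.log and search for REPLICAOF. The following log entries turn up, and the cause is finally found: the instance was attacked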
[root@11.107 ~]# cat /data/redis_6379/log/redis.log | grep REPLICAOF
22478:S 07 Mar 2024 21:57:02.413 * REPLICAOF 138.197.95.202:60146 enabled (user request from 'id=831 addr=8.222.170.38:35578 laddr=172.19.11.107:6379 fd=35 name= age=1 idle=0 flags=N db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=30 qbuf-free=20444 argv-mem=26 multi-mem=0 rbs=1024 rbp=155 obl=0 oll=0 omem=0 tot-mem=22322 events=r cmd=slaveof user=default redir=-1 resp=2')

[root@11.107 ~]# cat /data/redis_6379/log/redis.log | grep SECURITY
23580:M 05 Mar 2024 13:06:22.148 # Possible SECURITY ATTACK detected. It looks like somebody is sending POST or Host: commands to Redis. This is likely due to an attacker attempting to use Cross Protocol Scripting to compromise your Redis instance. Connection aborted.
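
The check from step 3, turned into a repeatable scan (an added example, not part of the original post). It parses redis.log lines in the format shown above and flags any REPLICAOF request whose new master or requesting client lies outside a trusted network; `TRUSTED_NETS`, the function names and the sample log are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the redis.log format shown above; the external
# addresses are documentation ranges (RFC 5737), not those from the incident.
SAMPLE_LOG = """\
22478:M 07 Mar 2024 21:50:11.002 * Background saving terminated with success
22478:S 07 Mar 2024 21:57:02.413 * REPLICAOF 203.0.113.9:60146 enabled (user request from 'id=831 addr=198.51.100.7:35578 laddr=172.19.11.107:6379 fd=35 name= age=1 idle=0 cmd=slaveof user=default')
22478:S 07 Mar 2024 22:10:40.120 * REPLICAOF 172.19.11.108:6379 enabled (user request from 'id=902 addr=172.19.11.50:40112 laddr=172.19.11.107:6379 fd=36 name= cmd=replicaof user=default')
23580:M 05 Mar 2024 13:06:22.148 # Possible SECURITY ATTACK detected. It looks like somebody is sending POST or Host: commands to Redis.
"""

# Assumption: networks from which replication changes are legitimate.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("172.19.11.0/24", "127.0.0.0/8")]

LINE_RE = re.compile(r"^\d+:\w (?P<ts>\d{2} \w{3} \d{4} [\d:.]+) [*#.-] (?P<msg>.*)$")
REPL_RE = re.compile(r"^REPLICAOF (?P<master>\S+):\d+ enabled \(user request from '(?P<client>.*)'\)")

def is_trusted(host):
    # Hostnames and unparsable values are treated as untrusted.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        repl = REPL_RE.match(m["msg"])
        if repl:
            # The client description is a space-separated list of key=value pairs.
            client = dict(kv.split("=", 1) for kv in repl["client"].split() if "=" in kv)
            src = client.get("addr", "").rsplit(":", 1)[0]
            if not (is_trusted(repl["master"]) and is_trusted(src)):
                findings.append((m["ts"], "untrusted-replicaof", repl["master"], src))
        elif m["msg"].startswith("Possible SECURITY ATTACK detected"):
            findings.append((m["ts"], "cross-protocol-probe", None, None))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```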

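Root cause

  • At 2024-03-07 21:57, the local Redis (172.19.11.107:6379) was configured as a replica of the attacker's server (138.197.95.202:60146). The initial master-replica synchronisation then performed Flushing old data, which wiped the keys in the local Redis. After the subsequent periodic persistence, the local data was lost for good.

Solution

Once it is known that this was an attack, the solution is clear:

  • Edit redis.conf to enable a strong password
  • Configure the firewall to strictly control access to the Redis port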
Copyright © www.sqlfans.cn 2023 All Right Reserved. Last updated: 2024-03-08 17:15:00
