
I'm learning flow tutorials and running into a security issue: the package "redis" used by flow is listening to the whole internet.

See https://redis.io/topics/security

The solution is to bind redis to 127.0.0.1 in redis.conf, as listed in the above link. However, it seems like flow is calling redis from ray, and I'm not sure how this works in flow.

Is there a fast solution to fix this?

Thanks!

lccycc

1 Answer


I'm answering this question here but future questions should be directed to the group slack for quicker answers! Sorry for the confusion; we've amended our website to point people there. https://join.slack.com/t/flow-users/shared_invite/enQtODQ0NDYxMTQyNDY2LTY1ZDVjZTljM2U0ODIxNTY5NTQ2MmUxMzYzNzc5NzU4ZTlmNGI2ZjFmNGU4YjVhNzE3NjcwZTBjNzIxYTg5ZmY

Answer here: You need to give ray a specific port to bind to. In your command line run: ray start --redis-port XXXX and then do ray.init(address)

  • I've also contacted the Ray team to make this a feature that can be run directly via ray.init() – iOSPractice Feb 13 '20 at 00:43
  • Open PR is here: https://github.com/ray-project/ray/pull/7145#issuecomment-585529575 – iOSPractice Feb 13 '20 at 03:18
  • Hi, thanks for the quick reply! I ran "conda activate flow" and then "ray start --redis-port 127.0.0.1" under the ~/flow/ directory, and got this error: Exception: If --head is not passed in, --redis-port is not allowed – lccycc Feb 13 '20 at 22:31
  • Btw, by looking at this question: https://stackoverflow.com/questions/25416007/what-does-the-bind-parameter-do-in-redis my understanding is that we need to ask redis to listen only to requests from 127.0.0.1, not a port. The code change only set redis to a fixed port, which didn't solve the problem (previously it was a random port) – lccycc Feb 13 '20 at 22:46
  • So I guess I shall run ray.init(num_cpus=N_CPUS, address="127.0.0.1")? Let me test – lccycc Feb 13 '20 at 22:58
  • No, ray.init(address=xxx) is used to connect to an existing cluster. To start a new redis node with binding, this code needs to be modified: https://github.com/ray-project/ray/blob/b81b93a9c0b6be15f21744d6be10b29618afd5b5/python/ray/node.py#L385 Currently it is using an empty string as hostname. According to https://docs.python.org/2/library/socket.html, the empty string represents INADDR_ANY, and "INADDR_ANY is used when you don't need to bind a socket to a specific IP. When you use this value as the address when calling bind() , the socket accepts connections to all the IPs of the machine" – lccycc Feb 13 '20 at 23:23
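
The bind-address point raised in the thread, as an added example that is not code from the posts or from Ray: it shows what an empty-string host resolves to at bind time, then audits listener output for redis-server sockets that are not loopback-only. The function names and the `ss -ltnp`-style sample lines are constructed for illustration.

```python
import ipaddress
import socket


def effective_bind_address(host):
    """Bind a TCP socket to `host` and return the address the kernel reports."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))  # port 0: let the OS pick any free port
        return s.getsockname()[0]


def is_loopback_only(addr):
    """True if a listener on `addr` is reachable only from the local host."""
    addr = addr.strip("[]")  # ss prints IPv6 addresses in brackets
    if addr in ("", "*"):  # wildcard forms: every interface
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_output, process="redis-server"):
    """Return (address, port) for each listener of `process` not on loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN" or process not in line:
            continue
        addr, _, port = fields[3].rpartition(":")  # split at the last colon
        if not is_loopback_only(addr):
            findings.append((addr.strip("[]"), int(port)))
    return findings


# Constructed sample in the layout of `ss -ltnp` output (not from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:6379       0.0.0.0:*         users:(("redis-server",pid=4121,fd=6))
LISTEN 0      511    127.0.0.1:6380     0.0.0.0:*         users:(("redis-server",pid=4130,fd=6))
LISTEN 0      511    [::]:6379          [::]:*            users:(("redis-server",pid=4121,fd=7))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
"""

if __name__ == "__main__":
    print("host '' binds to:", effective_bind_address(""))
    print("host '127.0.0.1' binds to:", effective_bind_address("127.0.0.1"))
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"redis-server reachable on all interfaces: {addr}:{port}")
```

A fixed port with a wildcard address is still flagged; only the 127.0.0.1 listener passes.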