eZ Publish / Platform: EZP-27032

Memcached: the listen setting "must" be open to all the necessary servers

    Details

      Description

      Following EZP-26972, when the system is updated to the latest version of PHP 7 and memcached, the user is unable to log in.

      A message similar to the one below can be seen in the log files:

      [Fri Feb 10 10:44:05.351933 2017] [:error] [pid 12447] [client 192.168.2.109:45252] PHP Warning: SessionHandler::read(): Failed to write session lock: CONNECTION FAILURE in /var/www/html/ezplatform/app/cache/prod/classes.php on line 416, referer: http://ezdfs1.ezp/ez

      Such behavior happens because memcached is bound to the localhost address, preventing network access.

      To confirm it, check the /etc/memcached.conf file and confirm the excerpt below is present:

      # Specify which IP address to listen on. The default is to listen on all IP addresses
      # This parameter is one of the only security measures that memcached has, so make sure
      # it's listening on a firewalled interface.
      -l 127.0.0.1

      For development environments, a simple tweak is to change the address to 0.0.0.0

      -l 0.0.0.0

      For production environments, a more secure approach should be taken, as explained in the man file:

      -l <addr>
      Listen on <addr>; default to INADDR_ANY. <addr> may be specified as host:port. If you don't specify a port number, the value you specified with -p or -U is used. You may specify multiple addresses separated by comma or by using -l multiple times.

      This is an important option to consider as there is no other way to secure the installation. Binding to an internal or firewalled network interface is suggested.

      IMPORTANT
      That said, it's important to add a warning in the memcached configuration pages to remind the user that memcached must not be bound to the local address if clusters are in use, or the user logins will fail.
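
A check for the listen setting described above, as an added example (not code from this issue or from eZ Platform): it parses the `-l` lines of a memcached.conf, including the comma-separated and host:port forms from the man page excerpt, and reports whether the daemon is loopback-only (the state in which cluster logins fail), listening on all interfaces, or bound to specific addresses. The sample configurations and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configurations, not taken from a real host.
SAMPLES = {
    "loopback": "# listen address\n-p 11211\n-l 127.0.0.1\n",
    "wildcard": "-p 11211\n-l 0.0.0.0\n",
    "internal": "-p 11211\n-l 127.0.0.1,10.0.5.12:11211\n",
    "default": "-m 64\n-p 11211\n",
}


def listen_hosts(conf_text):
    """Collect every host given with -l, dropping an optional :port suffix."""
    hosts = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) != 2 or fields[0] != "-l":
            continue
        for item in fields[1].split(","):
            item = item.strip()
            if item.startswith("["):            # [v6addr]:port
                item = item[1:item.index("]")]
            elif item.count(":") == 1:          # v4addr:port or name:port
                item = item.split(":")[0]
            if item:
                hosts.append(item)
    return hosts


def classify(conf_text):
    """Return 'all-interfaces', 'loopback-only' or 'specific' for a memcached.conf."""
    hosts = listen_hosts(conf_text)
    if not hosts:
        return "all-interfaces"                 # no -l: INADDR_ANY per the man page
    loopback = 0
    for host in hosts:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:                      # hostname, not a literal address
            loopback += host == "localhost"
            continue
        if ip.is_unspecified:                   # 0.0.0.0 or ::
            return "all-interfaces"
        loopback += ip.is_loopback
    return "loopback-only" if loopback == len(hosts) else "specific"


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:9} -> {classify(text)}")
```

A result of `specific` only says the daemon is bound to named addresses; whether those interfaces are internal or firewalled still has to be verified on the host.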

        Activity

        Dominika Kurek added a comment - Added warning under https://doc.ez.no/display/DEVELOPER/Clustering#Clustering-Configuration
        André Rømcke added a comment -

        Dominika Kurek Afaik I think this should be labeled as relevant for PHP 7.x version of php-memcached.
        As far as I understood it, it has nothing to do with 1.8. [~eduardo.fernandes@ez.no]?

        Eduardo Fernandes (Inactive) added a comment -

        Imo, it should not be related to any specific version of eZP.
        It's related to the memcached server and the version of memcached you are running.

        I tried to find in the memcached release notes when this behavior — bind to the 127.0.0.1 address — was implemented, but couldn't find any mention of it.

        In any case, even if it's not the default behavior of memcached to be bound to the 127.0.0.1 address, if a sys admin sets it that way, no matter the version of PHP, eZP will fail.

        So it's a safe warning to be left to any eZP/PHP version.

        Dominika Kurek added a comment -

        OK, removed the version tag then.

        Eduardo Fernandes (Inactive) added a comment -

        QA Tested

        André Rømcke added a comment -

        Recommendation on requirements page is now updated to reflect that Memcached is certified while Redis is not: https://doc.ez.no/pages/viewpage.action?pageId=31429536


          People

          • Assignee:
            Unassigned
            Reporter:
            Eduardo Fernandes (Inactive)