Memcached is a service that speeds up page caching by storing pages not in files or database tables but in volatile memory.
This howto covers three configurations: memcached for use on localhost (A) and memcached for local and remote use (AB).
A: configuration for the host running the Memcache server.
B: configuration for the client host that will use the memcached service.
AB: configuration for a host that is both the server machine AND a host that uses the memcache service (e.g. via loopback): client and server on the same machine.
I will tag the steps with these symbols so that you can follow the right ones for an A or an AB configuration. Every one of these steps has to be run as the root user.
Apply to: AB, A
Install memcached daemon, start it and set it to boot on system restart (enable):
yum install memcached nano
systemctl start memcached
systemctl enable memcached
And allow memcache to be contacted by the webserver if needed:
setsebool -P httpd_can_network_memcache 1
Install libraries for Memcache client
Apply to: AB, B
Install libraries needed to consume the memcached service by applications. The fundamental library is libmemcached, a very efficient library written in C and then wrapped by libraries in other languages like pylibmc.
yum install memcached python-memcached gcc python-pip libmemcached libmemcached-devel zlib-devel
pip install pylibmc
Check the configuration
Apply to: A, AB
Check if service is running:
systemctl status memcached -l
You’ll get something like:
memcached.service – Memcached
Loaded: loaded (/usr/lib/systemd/system/memcached.service; enabled)
Active: active (running) since gio 2015-09-03 09:36:18 CEST; 23h ago
Main PID: 25149 (memcached)
CGroup: /system.slice/memcached.service
└─25149 /usr/bin/memcached -u memcached -p 11211 -m 64 -c 1024
set 03 09:36:18 myhostnamehere systemd[1]: Started Memcached.
Check again via netstat:
netstat -tulpn | grep memcached
And look at the stats:
memcached-tool 127.0.0.1:11211 stats
The default setting for memcache is to run as a TCP service. If you want to use memcache over a UNIX socket to remove the TCP overhead, you can.
If you are in an AB configuration and you want to use Memcache only on the same server via TCP on loopback, you are done. If you are in an A configuration and you want to serve memcache to other machines on the same network, skip the next step.
Serve Memcache on UNIX socket
Apply to: AB (optional, skip if you want Memcached to be served as a regular TCP service)
nano /etc/sysconfig/memcached
change:
OPTIONS=""
to:
OPTIONS="-s '/var/run/memcached/memcached.sock' -a 0766"
Restart the service:
systemctl restart memcached
It should fail because of a write permission error. Check which SELinux rule is blocking the socket from being written:
cat /var/log/audit/audit.log | grep memcached | audit2allow
You should get something like:
#============= memcached_t ==============
allow memcached_t tmp_t:dir write;
allow memcached_t var_run_t:file getattr;
allow memcached_t var_run_t:sock_file create;
Apply the rule:
cat /var/log/audit/audit.log | grep memcached | audit2allow -M mymemcached
semodule -i mymemcached.pp
And then restart the service again:
systemctl restart memcached
Now the TCP service is not running anymore:
netstat -tulpn | grep memcached
To check the Memcached stats you now have to query the socket instead of the IP address:
memcached-tool /var/run/memcached/memcached.sock stats
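The netstat check used above can be turned into a repeatable audit of where memcached is actually listening. This is an added example, not part of the original howto: the function names are hypothetical and the netstat lines (including the address 192.168.10.5) are constructed samples.

```python
import ipaddress

def classify_bind(host):
    """Map a listening address to the exposure it implies."""
    addr = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
    if addr.is_unspecified:   # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"

def memcached_listeners(netstat_output):
    """Parse `netstat -tulpn` text; return (proto, address, port, exposure)
    for every socket owned by a memcached process."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # The last column is PID/Program name, e.g. 25149/memcached
        if len(fields) < 5 or not fields[-1].endswith("/memcached"):
            continue
        proto, local = fields[0], fields[3]
        host, port = local.rsplit(":", 1)  # rsplit keeps IPv6 hosts such as "::" intact
        found.append((proto, host, int(port), classify_bind(host)))
    return found

def too_wide(listeners):
    """Listeners reachable on every interface or on a public address."""
    return [l for l in listeners if l[3] in ("all-interfaces", "public")]

# Constructed sample: memcached started without -l, next to an unrelated service.
SAMPLE_NO_L = """\
tcp   0  0 0.0.0.0:11211  0.0.0.0:*  LISTEN  25149/memcached
tcp6  0  0 :::11211       :::*       LISTEN  25149/memcached
udp   0  0 0.0.0.0:11211  0.0.0.0:*          25149/memcached
tcp   0  0 0.0.0.0:22     0.0.0.0:*  LISTEN  1021/sshd
"""
# Constructed sample: memcached bound with -l to one private address.
SAMPLE_WITH_L = "tcp 0 0 192.168.10.5:11211 0.0.0.0:* LISTEN 25149/memcached\n"

if __name__ == "__main__":
    for entry in too_wide(memcached_listeners(SAMPLE_NO_L)):
        print("review:", entry)
```

After switching to the UNIX socket, the same function should return an empty list for the live netstat output.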
Serving memcache via TCP on different host on the same network
Apply to: A
You have to run memcache not on 127.0.0.1 but on the private address of the current machine. To do this, get the address of the current machine and bind memcache to it.
nano /etc/sysconfig/memcached
change:
OPTIONS=""
to:
OPTIONS="-l xxx.yyy"
Where xxx.yyy is the private address of your Memcache server host. To find the value to pass to -l, use the ifconfig command. You get something like:
interfacenamehere: flags=0000 mtu 1500
inet xxx.yyy netmask 0 broadcast zzz.zzz
inet6 xxx::xxx:xxx:xxx:xxx prefixlen 00 scopeid 0x00
ether xx:xx:xx:xx:xx:xx txqueuelen 1000 (Ethernet)
RX packets 1657561 bytes 482287070 (9 MiB)
RX errors 0 dropped 6355 overruns 0 frame 0
TX packets 1492103 bytes 349546801 (3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Now if you are on the B server and you try to reach port 11211 on xxx.yyy, you can't connect.
You have to add a rule to the firewall on the memcache server (A) to allow connections from the local network.
Serving memcache via TCP on different host: create a memcached service for firewalld
Now you have to add a service to identify memcache
python
Then type the rows without the initial hashtag #. To avoid conflicts with future services I use memcached_chirale as service name:
# @see http://forums.fedoraforum.org/showpost.php?s=ff16ee76b348a3a4af5fb9c35c6c42a1&p=1730933&postcount=5
import firewall.core.io.service as ios
# Creates a service object
s = ios.Service()
# A short description
s.short = 'Memcached chirale'
# This defines the name of the xml file
s.name = 'memcached_chirale'
# A list of ports
s.ports = [('11211', 'tcp'), ('11211', 'udp')]
ios.service_writer(s, '/etc/firewalld/services')
Press Ctrl+D or type exit() to leave the interpreter, and the configuration file is written:
less /etc/firewalld/services/memcached_chirale.xml
You can see all the configuration just written.
firewall-cmd --reload
to apply and then
firewall-cmd --get-services | grep memcached_chirale
will highlight the new service.
Serving memcache via TCP on different host: allow connection from the B server
Apply to: A
On the B host, run ifconfig to get the private address of the machine as before.
Then go to the A server and whitelist the B machine's address on the firewall in the internal zone, where bbb.bbb is the B host's private address.
firewall-cmd --permanent --zone=internal --add-service=memcached_chirale
firewall-cmd --permanent --zone=internal --add-source=bbb.bbb
firewall-cmd --reload
You will receive success messages if everything is ok.
You can check the rules on the file /etc/firewalld/zones/internal.xml or using:
firewall-cmd --zone=internal --list-all
Check the service on bbb.bbb (B host)
Use telnet to connect to 11211 port on A host:
telnet xxx.yyy 11211
After the connection establishment just type:
stats
And you’ll get values like:
STAT pid 55555
STAT uptime...
Then, Ctrl+D and you’re done. You can use the same command you use via memcached-tool but remember
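The telnet check above can also be scripted. This is an added Python example, not part of the original howto: it sends the same stats command over TCP or over the UNIX socket and parses the STAT lines up to the terminating END. The function names are hypothetical.

```python
import socket

def parse_stats(raw):
    """Turn a raw `stats` reply into a dict, ignoring anything that is not a STAT line."""
    stats = {}
    for line in raw.decode("ascii", "replace").splitlines():
        parts = line.split(" ", 2)          # "STAT <name> <value>"
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats

def memcached_stats(target, timeout=3.0):
    """Ask a memcached server for its stats.

    target is a filesystem path for a UNIX socket, or a (host, port)
    tuple for TCP over IPv4.
    """
    family = socket.AF_UNIX if isinstance(target, str) else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)                # a firewalled port times out instead of hanging
    with sock:
        sock.connect(target)
        sock.sendall(b"stats\r\n")
        buf = b""
        # The reply ends with a line containing only END; it may arrive in several chunks.
        while not (buf == b"END\r\n" or buf.endswith(b"\r\nEND\r\n")):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection before END")
            buf += chunk
    return parse_stats(buf)

if __name__ == "__main__":
    # Socket path taken from the OPTIONS line in this howto;
    # pass (host, 11211) instead to check the TCP service from the B host.
    for name, value in memcached_stats("/var/run/memcached/memcached.sock").items():
        print(name, value)
```

A socket.timeout or ConnectionRefusedError from the B host points at the firewall zone or the -l binding rather than at the client.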
A note about the firewalld zone
Note: I used the internal zone because it matches my needs. The internal zone is described like this:
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
The very last sentence is important, since only IPs added via add-source on the zone are allowed to connect to the service. Use this and other rules with caution and don’t be too permissive. This howto could be much shorter without the firewall and SELinux, but disabling these tools would expose your systems to malicious attacks.
Acknowledgements
Here are some of the sources I’ve used to make this thing happen. Thank you for helping the community to spare time writing useful howtos!
Photo by Memcache
https://web.archive.org/web/20150904000000*/http://memcached.org/
https://web.archive.org/web/20150904000000*/http://stackoverflow.com/a/632024/892951
https://web.archive.org/web/20150904000000*/https://tag1consulting.com/blog/stop-disabling-selinux
https://web.archive.org/web/20150904000000*/http://stackoverflow.com/a/24830777/892951