How do I enable access control for my MongoDB server?
This line shows up in the log:
CONTROL [initandlisten] ** WARNING: Access control is not enabled for
the database. I CONTROL [initandlisten] ** Read and write access to
data and configuration is unrestricted.
I use Plesk to start MongoDB and I have read their manual about it
but it doesn't tell me how to enable access control since I can only add environment variables and volume mapping via the Plesk control panel such as /data/db and /data/configdb.
I'm able to use a terminal to login without credentials to create a superadmin and all the roles, but that doesn't solve the unrestricted access.
I can also access files within the container with this:
docker exec -it mongo /bin/bash
And I see this directory: docker-entrypoint-initdb.d
but I don't know what to put there. Also packages that I installed inside the container like vim don't persist and are lost after a restart.
Furthermore I have no idea where Plesk is storing the docker-compose.yml file. Is this a file that only belongs inside a image file?
If I change the /etc/mongod.conf and add this:
security: authorization: enabled
nothing happens after restart, could I get some help with this?
system information:
Plesk Onyx 17.8.11 Update 25
Host: CentOS 7.5.1804
Container: Ubuntu 16.04
Docker version 18.06.1-ce, build e68fc7a
You should read the library/mongo image documentation : https://hub.docker.com/_/mongo/
If you want to use your own mongo configuration file, put it somewhere like /etc/mongo/mongod.conf in your container (with volume or COPY).
After that you have to tell to mongo to use it as configuration file :
$ docker run --config /etc/mongo/mongod.conf
Or in docker-compose :
services:
mongo:
image: mongo
command: --config /etc/mongo/mongod.conf
I can't help you for the location of Plesk docker-compose.yml, try to use find command.
I hope it will help you.
Related
I have just installed mongodb on my remote ubuntu server for using it with an angular and nodejs project. I created a user using the db.createUser command along with password and roles in the mongo shell.
Then when i try to start the mongodb instance with access control using the command:
mongod --auth --port 27017 --dbpath /var/lib/mongodb
its displaying the error:
IllegalOperation: Attempted to create a lock file on a read-only directory MongoDB
First of all, have you checked the permissions of the folder /var/lib/mongodb (ls -l /var/lib)?
The folder and its contents should be assigned to the mongod user. You could also check the ACL permissions (getfacl), if that's installed in your system.
If permissions seem correct, please continue reading to know how I solved the same error in a different environment.
This happened to me in CentOS 8 after a wrong reinstallation of MongoDB and the data folder /var/lib/mongo had to be created manually. In my case, the problem was that the security context of SELinux (https://www.redhat.com/en/topics/linux/what-is-selinux) had to be updated to give mongod access the folder.
The command below solved my problem (note the path to the data folder in my configuration is slightly different, just update it for your case):
chcon -Rv --type=mongod_var_lib_t /var/lib/mongo
It basically tells SELinux that the context used by MongoDB to access the files should be associated with the target folder.
You can have more information about chcon here: https://www.man7.org/linux/man-pages/man1/chcon.1.html
I have created user with read permissions in Mongodb. I have done the same process here
but still user was not restricted with permissions.User can create the collection and insert the document but user have only read permissions.
When I opened mongo.exe, it was showing some warnings.
ongoDB shell version v4.0.0
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 4.0.0
Server has startup warnings:
2018-09-17T01:11:07.042-0400 I CONTROL [initandlisten]
**2018-09-17T01:11:07.042-0400 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2018-09-17T01:11:07.042-0400 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.******
2018-09-17T01:11:07.042-0400 I CONTROL [initandlisten]
---
So how can i restrict the user in MongoDB?
So, you are missing few things in configure section.
you need to activate in the mongod configuration file.
it will be located in /etc/mongod.conf if you are using Linux.
you need to change/uncomment/add this section below:
security:
authorization: "enabled"
and after that you need to restart mongod service.
in my case service name is mongod .
so i did sudo systemctl restart mongod .
and as you already having role. and authentication enabled just now.
you have to login now.
>> mongo --port <YOUR_MONGO_PORT>
> use admin
> db.auth("username","password")
it should login now.
all steps:
Create Users with needed Roles.
Enable Authetication in DB config level.
Dont forget to Restart The Database service.
Try To login. You are Good to Go.
You can look into this medium post as well here.
I`m trying to connect to mongodb in docker container from a host ( for dev purposes solely) without any luck.
I have following docker-compose file.
version: '2.2'
services:
mongo:
image: mongo
ports:
- "27017:21017"
And when i try to connect to it i'm getting following error:
C:\Program Files\MongoDB\Server\3.4\bin>mongo
MongoDB shell version v3.4.9
connecting to: mongodb://127.0.0.1:27017
2017-10-25T03:48:53.331+0300 E QUERY [thread1] Error: network error while attempting to run command 'isMaster' on host '127.0.0.1:27017' :
connect#src/mongo/shell/mongo.js:237:13
#(connect):1:6
exception: connect failed
But if i launch it without compose directly e.g.
docker run --name my_mongox6 -d -p 27017:27017 mongo
Which should be equivalent of the docker-compose file above.
And it works perfectly fine
C:\Program Files\MongoDB\Server\3.4\bin>mongo
MongoDB shell version v3.4.9
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.9
Server has startup warnings:
2017-10-25T00:49:58.983+0000 I STORAGE [initandlisten]
2017-10-25T00:49:58.983+0000 I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2017-10-25T00:49:58.983+0000 I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem
2017-10-25T00:49:59.076+0000 I CONTROL [initandlisten]
2017-10-25T00:49:59.076+0000 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2017-10-25T00:49:59.076+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2017-10-25T00:49:59.076+0000 I CONTROL [initandlisten]
Versions
c:\Program Files\MongoDB\Server\3.4\bin>docker --version
Docker version 17.09.0-ce, build afdb6d4
c:\Program Files\MongoDB\Server\3.4\bin>docker-compose --version
docker-compose version 1.16.1, build 6d1ac219
I'm using docker for windows that is run via hyper-v.
Whats wrong with my compose file and why it works via docker run but doesn't work via docker-compose. I'm scratching my head and googling without any luck for hours
Other port sharing via docker-compose ( e.g. nginx, postgresql) works perfectly fine.
UPDATE
Asked friend on ubuntu to try. Same behaviour. So its reproducible and its not specific to windows at all.. Works via docker, doesnt work via docker-compose. Even when i try to connect via telnet mongo logs show connect attempts when running via docker, but nothing shown when run via compose.
Also I see a difference in docker ps when run via compose vs when run via docker.
Ports on compose listed as
( 27017/tcp, 0.0.0.0:27017->21017/tcp )
vs
(0.0.0.0:27017->21017/tcp )
on docker itself.
It missed first 27017/tcp part which might be the issue, but no idea why.
Ok, the problem is super stupid and simple.
ports: - "27017:21017"
second port 21017 instead of 27017. How to waste full day due to typo
If you are on linux it works fine. When you run container in windows you need to do port farwarding.
netsh interface portproxy add v4tov4 listenport=27017 listenaddress=localhost connectport=27017 connectaddress=192.168.99.100(IP of the Docker)
Whatever the call comming to loopback it will get redirected to container with the docker host.
Here is the helping discussion on port farwarding in windows with docker Solution for Windows hosts
This lines I'm using docker for windows that is run via hyper-v., say that you ae on Windows and docker will not be the loopback(127.0.0.1), you have to forward the port.
I want to use docker run a vm mongodb, at the same time, the mongo configure file use my own defined configure file to archive replication and open authentication.
Scanning some files but don't resolve the problem.
Any ideas?
The docker mongo image has a docker-entrypoint.sh it calls in the Dockerfile
Check if you can:
create your own image which would create the right user and restart mongo with authentication on: see "umputun/mongo-auth" and its init.sh script
or mount a createUser.js script in docker-entrypoint-initdb.d.
See "how to make a mongo docker container with auth"
I'm trying to run a docker-compose on my Windows machine spinning up a MongoDB instance and a data-only container which proxies an attached volume containing the database files.
mongodata:
image: mongo:2.6.8
volumes:
- ./data/db:/data/db
command: --break-mongo
mongo:
image: mongo:2.6.8
volumes_from:
- mongodata
ports:
- "27017:27017"
command: --smallfiles --rest
*p.s. the --break-mongo command is there on purpose as it just needs to create the volume
To my understanding, using a data-only volume pattern would handle permission issues but I can see the following error during the Mongo container startup:
[0m2016-01-26T00:23:52.340+0000 [initandlisten] info preallocateIsFaster couldn't run due to: couldn't open file /data/db/journal/tempLatencyTest for writing errno:1 Operation not permitted; returning false
[0m2016-01-26T00:23:52.341+0000 [initandlisten] Unable to remove temporary file due to: boost::filesystem::remove: Text file busy: "/data/db/journal/tempLatencyTest"
[0m2016-01-26T00:23:52.344+0000 [initandlisten] exception in initAndListen: 13516 couldn't open file /data/db/journal/j._0 for writing errno:1 Operation not permitted, terminating
Therefore I'm unable to use MongoDb with an attached volume from my local machine. Is there any way around this issue?
The documentation states
If you are using Docker Machine on Mac or Windows, your Docker daemon
has only limited access to your OS X or Windows filesystem. Docker
Machine tries to auto-share your /Users (OS X) or C:\Users (Windows)
directory. So, you can mount files or directories on OS X using.
docker run -v /Users/<path>:/<container path> ...
On Windows, mount directories using:
docker run -v /c/Users/<path>:/<container path> ...
All other paths come from your virtual machine’s filesystem. For example, if you are
using VirtualBox some other folder available for sharing, you need to
do additional work. In the case of VirtualBox you need to make the
host folder available as a shared folder in VirtualBox. Then, you can
mount it using the Docker -v flag.
Basically, either try to give a full path beginning from your C:\Users folder as shown above, or if you can't have that, make the host folder a shared folder in Virtualbox.
Update
No need to give a full path. docker-compose will handle that. You have to make sure that your docker-compose.yml is inside (somewhere down the line) of your Users folder. It can't be in some root folder. If you are already doing that, then you will have to adjust your permissions. Just give full permissions to that folder.
Update: Check out the latest Docker for Windows and MacOS X.
Faster and more reliable: no more VirtualBox! The Docker engine is
running in an Alpine Linux distribution on top of an xhyve Virtual
Machine on Mac OS X or on a Hyper-V VM on Windows, and that VM is
managed by the Docker application. You don’t need docker-machine to
run Docker for Mac and Windows.
Note: if Windows, you need Windows 10 Pro to make it work as Hyper-V is not included in other releases.
For Docker Toolbox previously, it seems there is no solution at all on Windows and OS X due to VirtualBox. The image documentation indeed states:
WARNING (Windows & OS X): The default Docker setup on Windows and OS X
uses a VirtualBox VM to host the Docker daemon. Unfortunately, the
mechanism VirtualBox uses to share folders between the host system and
the Docker container is not compatible with the memory mapped files
used by MongoDB (see vbox bug, docs.mongodb.org and related
jira.mongodb.org bug). This means that it is not possible to run a
MongoDB container with the data directory mapped to the host
As an workaround I just copy from a folder before mongo deamon starts. Also, in my case I don't care of journal files, so i only copy database files.
I've used this command on my docker-compose.yml
command: bash -c "(rm /data/db/*.lock && cd /prev && cp *.* /data/db) && mongod"
And everytime before stoping the container I use:
docker exec <container_name> bash -c 'cd /data/db && cp $(ls *.* | grep -v *.lock) /prev'
Note: /prev is set as a volume. path/to/your/prev:/prev
Another workaround is to use mongodump and mongorestore.
in docker-compose.yml: command: bash -c "(sleep 30; mongorestore
--quiet) & mongod"
in terminal: docker exec <container_name> mongodump
Note: I use sleep because I want to make sure that mongo started, and it takes a while.
I know this involves manual work etc, but I am happy that at least I got mongo with existing data running on my Windows 10 machine, and still can work on my Macbook when I want.
(croscopy https://stackoverflow.com/a/42044756/1894856)