I have setup mongodb on a Google cloud compute instance and am trying to connect to it remotely. My mongod.conf file looks like this:
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
#processManagement:
security:
authorization: 'enabled'
I have setup a firewall rule in my Google Cloud console that tags the instance and opens tcp:27017 for ip ranges 0.0.0.0/0.
Checking on the port 27017 it looks like mongo is listening:
sudo netstat -tulpn | grep 27017
tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN 3781/mongod
Overall it also seems like port 27017 is open:
netstat --listen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:27017 *:* LISTEN
...
On the instance I setup an admin database with admin user:
>use admin
>db.createUser(
{
user: 'admin',
pwd: 'somepass',
roles: [{ role: "userAdminAnyDatabase", db: "admin" }]
}
)
I also setup a user for a test database:
>use test
>db.createUser(
{
user: 'tester',
pwd: 'apassword',
roles: [{ role: "readWrite", db: "test" },
{ role: "read", db: "reporting" }]
}
)
This user works locally:
>use test
>db.auth('tester', 'apassword')
1
However when I try to connect remotely it fails:
$ mongo -u tester -p apassword 12.345.67.890/test
MongoDB shell version v3.4.1
connecting to: mongodb://12.345.67.890/test
2017-11-14T12:47:07.369-0700 W NETWORK [main] Failed to connect to 12.345.67.890:27017 after 5000ms milliseconds, giving up.
2017-11-14T12:47:07.370-0700 E QUERY [main] Error: couldn't connect to server 12.345.67.890:27017, connection attempt failed :
connect#src/mongo/shell/mongo.js:234:13
#(connect):1:6
exception: connect failed
I'm not a networking expert so I've pretty much exhausted my knowledge at this point and don't know how to proceed.
Am I missing something in mongod.conf? Did i setup the firewall incorrectly? Any help is appreciated.
I came up with a solution for this, but I'm unclear why it works and not my original approach.
My instance has http/https enabled. This uses the firewall rules default-allow-http and default-allow-https. These rules enable connections from anywhere (0.0.0.0/0) through tcp ports 80 and 443 respectively. I edited the http rule and added tcp port 27017.
Now I can connect to the server.
As a test, I reset the http rule and added another rule applied to all instances opening up tcp:27017 to 0.0.0.0/0. Essentially everything is the same as the http rule save for the name and the target tags. With this change I cannot connect to the server.
It seems rather strange and it doesn't feel like an intended behavior, unless my understanding of the firewall rules in incomplete.
In the end it looks like either setting up mongo to use one of the http/https ports or adding port 27017 to those rules is the way to go.
Related
Started mongo server using
mongod --port 27018 --dbpath "/usr/local/var/mongodb/data/db0" --replSet rs0 --bind_ip "locahost,0.0.0.0"
And connected to the instance using
mongosh mongodb://127.0.0.1:27018/vndr
Tried to initiate a replica set using rs.initiate()
Then got the error
---
> rs.initiate()
{
"ok" : 0,
"errmsg" : "No host described in new configuration with {version: 1, term: 0} for replica set rs0 maps to this node",
"code" : 93,
"codeName" : "InvalidReplicaSetConfig"
}
On the server log noticed these lines saying ""Nnadozies-MacBook-Pro.local" not known
{"t":{"$date":"2022-08-18T14:52:20.861+01:00"},"s":"W", "c":"NETWORK", "id":21207, "ctx":"conn1","msg":"getaddrinfo() failed","attr":{"host":"Nnadozies-MacBook-Pro.local","error":"nodename nor servname provided, or not known"}}
{"t":{"$date":"2022-08-18T14:52:25.866+01:00"},"s":"I", "c":"NETWORK", "id":4834700, "ctx":"conn1","msg":"isSelf could not connect via connectSocketOnly","attr":{"hostAndPort":"Nnadozies-MacBook-Pro.local:27018","error":{"code":6,"codeName":"HostUnreachable","errmsg":"couldn't connect to server Nnadozies-MacBook-Pro.local:27018, connection attempt failed: HostNotFound: Could not find address for Nnadozies-MacBook-Pro.local:27018: SocketException: Host not found (authoritative)"}}}
{"t":{"$date":"2022-08-18T14:52:25.867+01:00"},"s":"E", "c":"REPL", "id":21425, "ctx":"conn1","msg":"replSetInitiate error while validating config","attr":{"error":{"code":74,"codeName":"NodeNotFound","errmsg":"No host described in new configuration with {version: 1, term: 0} for replica set rs0 maps to this node"},"config":{"_id":"rs0","version":1,"members":[{"_id":0,"host":"Nnadozies-MacBook-Pro.local:27018"}]}}}
Followed response in this similar question and added the line 127.0.0.1 Nnadozies-MacBook-Pro.local to my /etc/hosts file to fix this.
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
# Added by Docker Desktop
# To allow the same kube context to work on the host and the container:
127.0.0.1 kubernetes.docker.internal
# End of section
127.0.0.1 figmadaemon.com
127.0.0.1 Nnadozies-MacBook-Pro.local
Posting this because the similar question wasn't really clear on how to solve the problem. I think this makes it clearer that the hostname mongodb was looking at could not be resolved to an IP address because it wasn't in /etc/hosts
Tip on editing /etc/hosts: use sudo permissions for write access
Other than that please I'm curious what other way I can run mongodb instances so they use known hostnames.
I reproduce MongoDB Cluster replica-set and added user like admin with Non-SSL following below link.
Link : https://github.com/arun2pratap/mongodbClusterForWindowsOneClick
Environment :
OS : Windows 2019 server ( set all instance in one windows server)
1 mongos ( port : 26000 )
2 shards ( port : sh01 : 27011 ~ 27013 / sh02 : 27021 ~ 27023 )
1 conf servers ( port : csrs : 26001 ~ 26003 )
After reproduce Cluster with Non-SSL, I tried to upgrade Cluster to use SSL following MongoDB Manual for 4.5 and other links but I couldn't found clear answer or guide.
Below are my refer links.
https://www.mongodb.com/docs/v4.4/tutorial/upgrade-cluster-to-ssl/
https://www.mongodb.com/docs/v4.4/tutorial/deploy-replica-set-with-keyfile-access-control/
https://www.mongodb.com/community/forums/t/cannot-start-mongodb-service-after-configuring-tls/2802
MongoDB Shell connection errors using test self signed certificates
https://www.mongodb.com/community/forums/t/creating-openssl-server-certificates-for-testing-failed/109058
I just configured conf files like sh011.conf following manuals, guides and started. but server seems only started csrs instances. because, I couldn't found other instance's port numbers.
1. sh011.conf
sharding:
clusterRole: shardsvr
replication:
replSetName: sh01
net:
bindIpAll: true
port: 27011
tls:
mode: requireTLS
certificateKeyFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-server1.pem
CAFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-ca.pem
systemLog:
destination: file
path: sh01/sh011/log/sh011.log
logAppend: true
storage:
dbPath: sh01/sh011/db/
2. mongos.conf
sharding:
configDB: csrs/WIN-BKEV4AO0KED:26001,WIN-BKEV4AO0KED:26002,WIN-BKEV4AO0KED:26003
net:
bindIpAll: true
port: 26000
tls:
mode: requireTLS
certificateKeyFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-server1.pem
CAFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-ca.pem
systemLog:
destination: file
path: router/log/mongos.log
logAppend: true
security:
authorization: enabled
clusterAuthMode: x509
3. "netstat -an" output
C:\database\MongoDB\Server\4.4\bin>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:22 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5432 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING
TCP 0.0.0.0:26001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:26002 0.0.0.0:0 LISTENING
TCP 0.0.0.0:26003 0.0.0.0:0 LISTENING
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
When I checked log files, each shard nodes occurred SSL error like below
{"t":{"$date":"2022-05-09T14:34:54.933+09:00"},"s":"I", "c":"NETWORK", "id":4712102, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"Host failed in replica set","attr":{"replicaSet":"csrs","host":"WIN-BKEV4AO0KED:26001","error":{"code":6,"codeName":"HostUnreachable","errmsg":"Error connecting to WIN-BKEV4AO0KED:26001 (192.168.100.202:26001) :: caused by :: SSL peer certificate validation failed: (80096004)The signature of the certificate cannot be verified."},"action":{"dropConnections":true,"requestImmediateCheck":false,"outcome":{"host":":26001","success":false}}}}
{"t":{"$date":"2022-05-09T14:34:55.164+09:00"},"s":"I", "c":"-", "id":4333222, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"RSM received failed isMaster","attr":{"host":"WIN-BKEV4AO0KED:26003","error":"HostUnreachable: Error connecting to WIN-BKEV4AO0KED:26003 (192.168.100.202:26003) :: caused by :: SSL peer certificate validation failed: (80096004)The signature of the certificate cannot be verified.","replicaSet":"csrs","isMasterReply":"{}"}}
I thought, that issues cause is relate host names so, I configured hosts file.
Then, re-created certification files for CA, Server, Client following manual.
1. openssl-test-server.conf
[ alt_names ]
DNS.1 = WIN-BKEV4AO0KED
IP.1 = 192.168.100.202
[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = AA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = City
stateOrProvinceName_max = 64
localityName = Locality Name (eg, city)
localityName_default = City
localityName_max = 64
organizationName = Organization Name (eg, company)
organizationName_default = DevCompany
organizationName_max = 64
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Dev
organizationalUnitName_max = 64
commonName = Common Name (eg, YOUR name)
commonName_default = WIN-BKEV4AO0KED
commonName_max = 64
But, still mongos and other instances are not started.
Finally, I think some configuration is wrong. I want know what I missed or wrong for SSL.
Finally, I found what is cause of issue and How to start MongoDB Cluster with SSL Myself.
1st, Root cause is that I couldn't start MongoDB instances like mongos, mongod with SSL enable and missed some parameters while starting like below :
before start command
$ mongod -f csrs1.conf
modified start command
$ mongod -f csrs1.conf --tlsMode requireTLS --tlsCertificateKeyFile test-server1.pem --tlsCAFile test-ca.pem
Note : I was not set MongoDB as service and just control through prompt
When I generated certification base on default setting and start each MongoDB with new command, that was working fine.
And I tried modify START.bat file for convenience like above new command.
But, that was not working. So, I opened prompt for each nodes and executed start command manually.
I hope this information will help.
I want to allow specific IP addres to comunicate with the mongoDB that I have in a server. In order to do that, I opened mongod.conf and edited as follows:
net :
port: 27017
bindIp: localhost,<IpAdres>
security:
authorization: enable
I tried with authorization 'enable' but the only wait it works is as the initial configuration:
net :
port: 27017
bindIp: localhost
#security:
# authorization: enable
Also If I set
net :
port: 27017, <IpAdress>
bindIp: localhost
#security:
# authorization: enable
The error I got is:
Job for mongod.service failed because the control process exited with error code. See "systemctl status mongod.service" and "journalctl -xe" for details.
My goal is to only allow a specific set of IP ADDRES to comunicate with the mongo on my server (comunicate = make consults)
Version: 4.0.18 Running on RedHat 7.8
netstat looks like this
Proto | Recv-Q |Send-Q | Local Address | Foreign Address | State | PID/Program name
tcp | 0 | 0 |127.0.0.1:27017 | 0.0.0.0:* | LISTEN | -
You don´t need enable authentication:
net:
port: 27017
bindIp: localhost, <YOUR_IP>
It is correct, probably you have another communication issue, check your ip/port allows traffic.
Command 'netstat -tulnp' can help you.
https://docs.mongodb.com/manual/reference/configuration-options/
Anyway, the error could be caused by other third reason, go to /run/mongodb folder and deleted the file called mongod.pid. Then try to restart the mongo using:
sudo service mongod restart
My current MongoDB configuration,
options: { config: "/etc/mongod.conf", net: { bindIp: "127.0.0.1,192.168.0.204", port: 27017 }, processManagement: { fork: true, pidFilePath: "/var/run/mongodb/mongod.pid", timeZoneInfo: "/usr/share/zoneinfo" }, storage: { dbPath: "/var/lib/mongo", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } }
Here's the issue I am having,
2018-02-02T19:16:32.017+0800 E STORAGE [initandlisten] Failed to set up listener: SocketException: Cannot assign requested address
2018-02-02T19:16:32.017+0800 I CONTROL [initandlisten] now exiting
2018-02-02T19:16:32.017+0800 I CONTROL [initandlisten] shutting down with code:48
First solution on *nix:
You could bind_ip = 0.0.0.0 and use a firewall to block all incoming connections to port 27017, unless coming from local ip adress.
Second solution
Restart mongo:
> service mongod restart
Go to to /var/logs/mongodb and give the information from logs.
Let try to test mongo, is it running localy with default options?
> service mongod status
That tells you the status of mongo.
If it disactive, go to logs, in my case it /var/logs/mongodb
get info from log.
Then, lets try to start mongo without remote IP option.
goto /etc/mongod.conf
and set up option only on local ip, bindIp 127.0.0.1
then
service mongod restart
and
service mongod status
Is it running? If everything is fine, You need determine what your's local lan ip addres.
in my case it was command, other commands link
LANG=c ifconfig | grep -B1 "inet addr" |awk '{ if ( $1 == "inet" ) {
print $2 } else if ( $2 == "Link" ) { printf "%s:" ,$1 } }' |awk -F:
'{ print $1 ": " $3 }'
After that add it ip addres to mongo conf with comma separated option.
like:
bindIp 127.0.0.1, 192.168.1.66
than save config and simply restart mongo
service mongod restart
The bind_ip is for “local interface only”, put 192.168.162.129 (Server A private ip) is enough for clients (like Server B) on the same LAN to access.
Use these step it will work:
sudo vim /etc/mongodb.conf
bind_ip = 127.0.0.1, 172.31.29.201
Note that 172.31.29.201 is private IP not public IP. Please use private IP here
sudo service mongodb restart
sudo service mongodb status - To check mongodb services are running or not
Enjoy
Some information:
The port is indeed open(i can bind it to apache2, for example, and access it externally)
I've tried setting the bind_up parameter to 0.0.0.0, to my localip, etc
I can access it through my local IP(192.167.10.xxx)
I didn't isntall mongo with apt-get, just downloaded it and ran mongod
I've spent a lot of time searching and trying different things, anyone has a idea on what could be causing it?
Mongo runnning
edit:
Mongo options: [initandlisten] options: { config: "config.conf", net: { bindIp: "0.0.0.0", port: 8008 }, security: { authorization: "enabled" }, storage: { dbPath: "/home/defense/mongo/data" } }
When i try to connect:
[thread1] Failed to connect to 146.164.x.xxx:8008, in(checking socket for error after poll), reason: Connection refused
Port check(also I used to connect to MySql using that same port):
Port 8008 is open on 146.164.x.xxx.
Any ideas?