How to securely connect to my MongoDB replicaset? - mongodb

I have a MongoDB replica set that recently got hacked, and the hackers deleted my database. I don't want this to happen again. What I would like is that only a handful of programs, like my MongoDB replica set members, my node.js program, and my terminal, can communicate with the database, and no other program. How should I go about it?
For starters, I have set the bind_ip property in my mongod.conf to [127.0.0.1,ip_1,ip_2,ip_3]; one of the IPs is its own IP. Is this enough?

First I identified that it is possible to securely connect all my servers. I found the answer in this article on setting up ufw on my Ubuntu 16.04. Then I established the mongo replica set connection between them. Now the challenge came in establishing keyfile access control in the existing replica set, which I found to be difficult because of this issue on GitHub in mongoose.
Using SSL/TLS is easier on the native driver than it is on mongoose. Plus, the native driver is much faster than any ORM. So in a phase-wise manner I replaced mongoose with the mongodb native driver and introduced keyfile access. Maybe in later versions of mongoose they might introduce this access.
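The controls the question and answer settle on (a restricted bind_ip, a firewall in front of the port, a keyfile for replica-set internal auth, and TLS) all live in mongod.conf. The audit below is an added example and is not code from the original question or answer: it represents a mongod.conf in the same key layout as the YAML file (net.bindIp, security.authorization, security.keyFile, net.tls.mode) and lists the settings that would still leave a member exposed. Addresses and file paths are constructed. One point worth separating from the question: bindIp is the list of the host's own addresses that mongod listens on, not a list of peers allowed to connect; restricting which peers may reach the port is the firewall's job (ufw in the answer), and authorization plus the keyfile decide who may do anything once connected.

```javascript
// Added example, not from the original post. Audits a mongod.conf-style
// configuration; keys mirror the YAML layout of mongod.conf.

// Constructed: a starting point with only bindIp set, no auth, no TLS.
const weakConfig = {
  net: { port: 27017, bindIp: "127.0.0.1,10.0.0.11" },
  replication: { replSetName: "rs0" },
};

// Constructed: what a hardened member looks like after the answer's steps.
const hardenedConfig = {
  net: {
    port: 27017,
    bindIp: "127.0.0.1,10.0.0.11",
    tls: {
      mode: "requireTLS",
      certificateKeyFile: "/etc/mongod/mongod.pem", // constructed path
      CAFile: "/etc/mongod/ca.pem",                 // constructed path
    },
  },
  security: { authorization: "enabled", keyFile: "/etc/mongod/keyfile" },
  replication: { replSetName: "rs0" },
};

// Returns a list of findings; an empty list means every check passed.
function auditMongodConfig(cfg) {
  const findings = [];
  const net = cfg.net || {};
  const security = cfg.security || {};

  // bindIp holds the local addresses mongod listens on; "0.0.0.0" or "::"
  // exposes the port on every interface.
  const addrs = String(net.bindIp || "").split(",").map(a => a.trim()).filter(Boolean);
  if (addrs.length === 0 || addrs.includes("0.0.0.0") || addrs.includes("::")) {
    findings.push("net.bindIp: listens on all interfaces");
  }

  // Without role-based authorization any client that reaches the port can
  // read, write and drop databases.
  if (security.authorization !== "enabled") {
    findings.push("security.authorization: not enabled");
  }

  // Replica-set members authenticate to each other with the shared keyfile
  // (or x.509 via clusterAuthMode); without it any reachable host can join.
  const isReplSet = Boolean(cfg.replication && cfg.replication.replSetName);
  if (isReplSet && !security.keyFile && !security.clusterAuthMode) {
    findings.push("security.keyFile: replica set without internal authentication");
  }

  // requireTLS refuses cleartext connections from drivers and other members.
  if (!net.tls || net.tls.mode !== "requireTLS") {
    findings.push("net.tls.mode: not requireTLS");
  }
  return findings;
}

// mongod refuses a keyfile that is readable by group or others; this checks a
// POSIX mode value (for instance from fs.statSync(path).mode & 0o777).
function keyfileModeOk(mode) {
  return (mode & 0o077) === 0;
}
```

Run against the two constructed configs, the weak one yields three findings (no authorization, no keyfile for the replica set, no TLS) and the hardened one none. Feeding it the real file still needs a YAML parser in front; the check logic is the same.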

Related

What are the difference between Mongo URL and Mongo localhost connection?

Sorry, I'm new to MongoDB, so I'm confused between
mongodb+srv://username:<password>@cluster0.accdl.mongodb.net/website?retryWrites=true&w=majority
and
mongodb://[port]:27017/[database_name]
What's the difference, and how does it impact our code?
Well, as mongodb.com says in https://www.mongodb.com/developer/article/srv-connection-strings/:
What is this mongodb+srv syntax?
Well, in MongoDB 3.6 we introduced the concept of a seed list that is specified using DNS records, specifically SRV and TXT records. You will recall from using replica sets with MongoDB that the client must specify at least one replica set member (and may specify several of them) when connecting. This allows a client to connect to a replica set even if one of the nodes that the client specifies is unavailable.
and:
Note that without the SRV record configuration we must list several nodes (in the case of Atlas we always include all the cluster members, though this is not required). We also have to specify the ssl and replicaSet options.
Then, in short, the mongodb+srv syntax is a way to connect to a MongoDB database, released starting from MongoDB 3.6, that allows you to connect to the whole replica set including all nodes, instead of mentioning a specific node as in the traditional connection way.
I think mongodb+srv is used when you are using a cluster and one instance of db.
Both of them will work for one instance, but I think mongodb works only for one instance.
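To make the two forms concrete, here is a small parser for both connection-string shapes, added as an example (it is not code from the question or the answers). It assumes only the documented URI grammar: `mongodb://` carries the host list in the URI itself, while `mongodb+srv://` carries exactly one DNS name (no port) from which the driver resolves the member list and the `replicaSet` option, and for which `tls` defaults to on. It also includes a redaction helper, because the `user:password@` part of these strings has a habit of ending up in logs. The sample strings are constructed to mirror the two in the question.

```javascript
// Added example, not from the original post. Parses the two connection-string
// forms and reports what each implies.
//   mongodb://[user:pass@]host1[:port1][,host2[:port2]...][/db][?opt=val&...]
//   mongodb+srv://[user:pass@]hostname[/db][?opt=val&...]   (one name, no port)
const URI_RE = /^(mongodb(?:\+srv)?):\/\/(?:([^:@\/]*)(?::([^@\/]*))?@)?([^\/?]+)(?:\/([^?]*))?(?:\?(.*))?$/;

function parseMongoUri(uri) {
  const m = URI_RE.exec(uri);
  if (!m) throw new Error("not a MongoDB connection string");
  const [, scheme, user, password, hostPart, db, query] = m;
  const srv = scheme === "mongodb+srv";
  const hosts = hostPart.split(",");
  if (srv && (hosts.length !== 1 || hosts[0].includes(":"))) {
    throw new Error("mongodb+srv takes exactly one hostname and no port");
  }
  const options = {};
  for (const pair of query ? query.split("&") : []) {
    const [k, v = ""] = pair.split("=");
    options[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  // tls (alias ssl) may be set explicitly; with +srv it defaults to true, and
  // the member list plus replicaSet name come from DNS SRV/TXT records.
  let tls = srv;
  if ("tls" in options) tls = options.tls === "true";
  else if ("ssl" in options) tls = options.ssl === "true";
  return {
    scheme,
    srv,
    hosts,
    hostsFrom: srv ? "DNS SRV record" : "URI",
    tls,
    user: user === undefined ? undefined : decodeURIComponent(user),
    hasPassword: password !== undefined,
    db: db || undefined,
    options,
  };
}

// Masks the password so a connection string can be logged safely.
function redactMongoUri(uri) {
  return uri.replace(/^(mongodb(?:\+srv)?:\/\/[^:@\/]*:)[^@\/]*@/, "$1****@");
}

// Constructed samples mirroring the two strings in the question.
const SRV_URI = "mongodb+srv://appuser:s3cret@cluster0.example.mongodb.net/website?retryWrites=true&w=majority";
const PLAIN_URI = "mongodb://10.0.0.11:27017,10.0.0.12:27017,10.0.0.13:27017/website?replicaSet=rs0";
```

For the code that uses the driver the difference is only the string: the `+srv` form needs DNS access to resolve the SRV and TXT records at connect time, and turns TLS on unless you switch it off, while the plain form connects exactly to what you listed and is cleartext unless you add `tls=true`.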

Disadvantage of Mongo rs.slaveOk() for master instances

I am using the Robomongo tool to connect to various mongo instances. One blocker I faced was that Robomongo does not allow setting the read preference for a particular connection. However, I saw that we can specify that Robomongo load a .mongorc.js file at start-up. So I added the line rs.slaveOk() to it, and now I can connect to slave instances as well.
But this also means that the read preference will be set to secondary even when I am connecting to master instances. I would like to know if there are any disadvantages to keeping this on for all connections. I am sure there is some reason behind the Robomongo developers not allowing this as a default setting (although setting the connection preference for each connection would have been the best solution).
It could be because of the stale read issue mentioned here:
http://docs.mongodb.org/manual/core/read-preference/#edge-cases-2-primaries
It requires awareness of your replication strategy and the 'staleness' of data. The link above is a great read regardless.
Edit: the answer lacked a brief summary from the MongoDB docs linked above (as mentioned by user 200-ok): "Exercise care when specifying read preferences: Modes other than primary may return stale data because with asynchronous replication, data in the secondary may not reflect the most recent write operations"
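The following is an added example, not code from the question or answer, that makes the "stale data" point measurable. It is a simplified model of how a driver picks members for a read: each member is described the way a driver sees it (state, time of its last applied write, hidden flag), and a read preference mode plus an optional `maxStalenessSeconds` bound decide which members are eligible. A blanket `rs.slaveOk()` in `.mongorc.js` has no such bound. Two simplifications are assumed: staleness is taken as the lag of a member's last write behind the primary at one snapshot instant (the real server-selection rules also fold in the heartbeat interval and the different times at which each member was observed), and the 90-second minimum for `maxStalenessSeconds` is the documented one. The member snapshot is constructed.

```javascript
// Added example, not from the original post. Simplified read-preference
// server selection with a staleness bound.

const MIN_MAX_STALENESS_SECONDS = 90; // documented minimum for maxStalenessSeconds

// Seconds a member's last applied write lags behind a reference member.
function stalenessSeconds(member, reference) {
  return (reference.lastWriteDate - member.lastWriteDate) / 1000;
}

// Returns the members a read with the given preference may be sent to.
function selectServers(members, { mode = "primary", maxStalenessSeconds } = {}) {
  if (maxStalenessSeconds !== undefined && maxStalenessSeconds < MIN_MAX_STALENESS_SECONDS) {
    throw new Error(`maxStalenessSeconds must be at least ${MIN_MAX_STALENESS_SECONDS}`);
  }
  // Hidden members are not advertised to drivers, so they are never read from.
  const visible = members.filter(m => !m.hidden);
  const primary = visible.find(m => m.state === "PRIMARY");
  let secondaries = visible.filter(m => m.state === "SECONDARY");
  if (maxStalenessSeconds !== undefined && secondaries.length > 0) {
    // With no primary, the freshest secondary is the reference point.
    const reference = primary ||
      secondaries.reduce((a, b) => (a.lastWriteDate >= b.lastWriteDate ? a : b));
    secondaries = secondaries.filter(s => stalenessSeconds(s, reference) <= maxStalenessSeconds);
  }
  const prim = primary ? [primary] : [];
  switch (mode) {
    case "primary":            return prim;
    case "primaryPreferred":   return prim.length ? prim : secondaries;
    case "secondary":          return secondaries;
    case "secondaryPreferred": return secondaries.length ? secondaries : prim;
    case "nearest":            return [...prim, ...secondaries];
    default: throw new Error(`unknown read preference ${mode}`);
  }
}

function selectHosts(members, prefs) {
  return selectServers(members, prefs).map(m => m.host);
}

// Constructed snapshot: one secondary 2 s behind, one 5 minutes behind
// (for instance after a network partition), one hidden member.
const T = Date.parse("2020-01-01T12:00:00Z");
const members = [
  { host: "db1:27017", state: "PRIMARY",   lastWriteDate: new Date(T) },
  { host: "db2:27017", state: "SECONDARY", lastWriteDate: new Date(T - 2 * 1000) },
  { host: "db3:27017", state: "SECONDARY", lastWriteDate: new Date(T - 300 * 1000) },
  { host: "db4:27017", state: "SECONDARY", lastWriteDate: new Date(T - 1000), hidden: true },
];
```

With mode `secondary` and no bound, both visible secondaries qualify, including the one five minutes behind; with `maxStalenessSeconds: 90` only the fresh one does, and with mode `primary` the read goes to the primary regardless. That is the difference between a global `rs.slaveOk()` and a read preference chosen per connection.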

Local MongoDB instance with index in remote server

One of our clients has a server running a MongoDB instance, and we have to build an analytical application using the data stored in their MongoDB database, which changes frequently.
The client's requirements are:
That we do not connect to their MongoDB instance directly or run another instance of MongoDB on their server, but just somehow run our own MongoDB instance on our machine in our office using their MongoDB database directory with read-only access remotely.
We've suggested deploying a REST application or getting a copy of their database dump, but they did not want that. They just want us to run our own MongoDB instance which is hooked up with the MongoDB instance directory. Is this even possible?
I've been searching for a solution for the past two days, and we have to submit a solution by Monday. I really need some help.
I think this is a normal request, because analytical queries could cause too much load on the production server. It is pretty normal to separate production and analytical databases.
The easiest option is to use MongoDB replication. Set up a MongoDB replica set with the production database instance as primary and the analytical database instance as secondary, and also configure the analytical instance to never become primary.
If it is not possible to use replication - for example, the client doesn't want this, or the servers cannot connect directly to each other - there is another option. You can read the oplog from the remote database and apply the operations to your database instance. This is exactly the low-level mechanism by which a replica set works, but you can do it manually too. For example, MMS (Mongo Monitoring Service) Backup uses oplog reading for online backups of MongoDB.
Update: mongooplog could be the right tool for real-time application of the replication oplog pulled from the remote server on the local server.
I don't think that running two databases that point to the same database files is possible or even recommended.
You could use mongorestore to restore from their data files directly, but this will only work if their mongod instance is not running (because mongorestore will need to lock the directory).
Another solution would be to do file system snapshots and then restore to your local database.
The downside to these backup/restore solutions is that your data will not be synced all the time.
Probably the best solution would be to use replica sets with hidden members.
You can create a replica set with just two members:
Primary - this will be the client server.
Secondary - hidden, with votes and priority set to 0. This will be your local instance.
Their server will always be primary (because hidden members cannot become primaries). Clients cannot see hidden members, so for all intents and purposes your server will be read-only.
Another upside to this is that MongoDB replication will do all the "heavy" work of syncing the data between servers, and your instance will always have the latest data.
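As an added example (not code from the answers above), the block below builds the two-member configuration document that this answer describes, in the shape `rs.initiate()` and `rs.reconfig()` accept, and checks the member rules mongod enforces before it will accept such a document: a hidden member must have priority 0, a non-voting member must have priority 0, votes are 0 or 1, at most seven members vote, and at least one member must be electable. Host names are constructed. The reason for `votes: 0` on the hidden member is worth spelling out: in a two-member set where both vote, a majority is two, so the client's primary would step down to secondary whenever the link to the office instance dropped; with only the client's server voting, a majority is one and the analytics member can come and go without affecting production.

```javascript
// Added example, not from the original post. Replica-set config document for
// the primary + hidden-analytics layout, plus the validation rules mongod
// applies to member settings.

function analyticsReplSetConfig(setName, clientHost, analyticsHost) {
  return {
    _id: setName,
    members: [
      // The client's server: the only member that can ever be elected primary.
      { _id: 0, host: clientHost, priority: 1 },
      // The office copy: replicates everything, invisible to clients,
      // never primary, and not counted for election majorities.
      { _id: 1, host: analyticsHost, priority: 0, votes: 0, hidden: true },
    ],
  };
}

// Returns a list of violations; empty means the member settings are acceptable.
function validateReplSetConfig(cfg) {
  const problems = [];
  const members = cfg.members || [];
  if (members.length === 0) problems.push("no members");
  const ids = new Set();
  let voting = 0;
  let electable = 0;
  for (const m of members) {
    const priority = m.priority === undefined ? 1 : m.priority; // defaults match mongod
    const votes = m.votes === undefined ? 1 : m.votes;
    if (ids.has(m._id)) problems.push(`member ${m._id}: duplicate _id`);
    ids.add(m._id);
    if (!m.host) problems.push(`member ${m._id}: missing host`);
    if (m.hidden && priority !== 0) problems.push(`member ${m._id}: hidden members must have priority 0`);
    if (votes === 0 && priority !== 0) problems.push(`member ${m._id}: non-voting members must have priority 0`);
    if (votes !== 0 && votes !== 1) problems.push(`member ${m._id}: votes must be 0 or 1`);
    if (priority < 0 || priority > 1000) problems.push(`member ${m._id}: priority must be between 0 and 1000`);
    voting += votes;
    if (priority > 0) electable += 1;
  }
  if (voting > 7) problems.push("more than 7 voting members");
  if (voting === 0) problems.push("no voting members");
  if (electable === 0) problems.push("no member can become primary");
  return problems;
}

// Number of votes needed to elect a primary (and to acknowledge w:"majority").
function votingMajority(cfg) {
  const voting = (cfg.members || []).reduce((n, m) => n + (m.votes === undefined ? 1 : m.votes), 0);
  return Math.floor(voting / 2) + 1;
}

// Constructed host names.
const analyticsConfig = analyticsReplSetConfig("rs0", "client-db.example:27017", "office-db.example:27017");
```

Passing `analyticsConfig` to `rs.initiate()` on the client's server (with the office instance started with the same `replSetName` and, per the earlier question on this page, a shared keyfile and TLS between the two) gives exactly the arrangement the answer describes.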

Mongodb slaveOk - preferred server

Assume I have N servers, each operating as a web server and a mongodb member of a replica set.
I'd like the slaveOk reads to be satisfied first by the local mongodb instance, rather than a remote machine across the network.
The documentation says slaveOk reads are satisfied by an arbitrary member. Is it possible to override that?
Mongodb 1.8, C-sharp driver 1.2.
The documentation says slaveOk reads are satisfied by an arbitrary member. Is it possible to override that?
Not without changing the C# driver. You'd probably have to look somewhere in this file to make those changes.
Assume I have N servers, each operating as a web server and a mongodb member of a replica set.
As a note, this is generally not the expected usage for MongoDB. Implemented in this way, your web server will be competing for RAM with MongoDB. If a server gets overloaded the web server will starve the mongod process which will cause connections to back up and exacerbate the issue.
It sounds like you're trying to use MongoDB as a local cache and there are far better tools for this job.
The closest you could come to what you are describing is for each web application to open a separate direct connection (not in replica set mode) to the local mongodb and use that separate connection for reads.

C# MongoDB driver trouble( NORM)

I have used the NORM driver in production. New year holidays - it is pretty cool, so my project gets high load, and I want to set up a replica set, but I have a problem: NORM does not support replica sets :(. As far as I understand, sharding too?
Help me :) Who has used mongodb-csharp or the official 10gen driver with a replica set? Are there any problems in production? If I choose another driver I'll have to rewrite the repository, but I do not want it to be in vain. Are there any issues?
Sharding should not depend on driver-specific support. When you shard, you connect to the router application mongos, and this router behaves exactly like mongod.
So you should be able to shard. But you will probably need to change the "connection string". The suggested setup is to have one mongos per application server (instead of your current single mongod).