I am trying to get MongoDB authentication working on my AWS Linux server. I have run authentication using MongoDB running on windows with no issues,
>mongod --auth
On my AWS server I am trying to run MongoDB using the service command,
$ sudo service mongod start
However, mogod does not start. I believe the problem is with my /etc/mongod.conf file. Here is the /etc/mongod.conf with authentication enabled,
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# Where and how to store data.
storage:
dbPath: /var/lib/mongo
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# how the process runs
processManagement:
fork: true # fork and run in background
pidFilePath: /var/run/mongodb/mongod.pid # location of pidfile
# network interfaces
net:
port: 27017
# bindIp: 127.0.0.1 # Listen to local interface only, comment to listen on all interfaces.
security:
authorization: enabled
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options
#auditLog:
#snmp:
The problem is with the security tag.
security:
authorization: enabled
If I include it, MongoDB will not start. If I take it out, MongoDB starts fine but has no security. What I am doing wrong?
Ok, my bad...The file is of type YAML. I originally entered,
security:
authorization: enabled
Because it's YAML, I needed a couple of spaces. The correct entry is,
security:
authorization: enabled
Works fine now.
By the way, If you are using MongoDB and have a public IP/port exposed I would highly recommend that you enable security. I got an email last week from AWS saying that if you are using MongoDB that has a port that is publicly available you should implement security. I am still in development so I ignored the AWS recommendation. Well, 3 days later, someone accessed my databases, copied them, deleted them, and left me a ransomware note in a new database. They wanted one bitcoin for the return of my existing databases. I did not pay the ransom. Fortunately, this was not a problem for me. All of the data was limited test data. To avoid potential malware bombs, I deleted the AWS instance, created a new instance and installed a fresh MongoDB release with authorization enabled.
This episode could have been a disaster with real customer data. If you are using MongoDB with public access make sure you enable authorization.
Related
I installed MongoDB using homebrew on my mac.
And I created admin account on my local mongodb.
Then, I added below code to my 'mongod.conf' to use authentication mode.
The code is 'security: authorization: enabled'.
systemLog:
destination: file
path: /usr/local/var/log/mongodb/mongo.log
logAppend: true
storage:
dbPath: /usr/local/var/mongodb
net:
bindIp: 127.0.0.1
security:
authorization: enabled
And I restarted MongoDB. 'brew services restart mongodb'
But whenever I start mongo shell, it still print
WARNING: Access control is not enabled for the database.
Read and write access to data and configuration is unrestricted.
And naturally it can be used without user connection.
How can I resolve this problem?
If I type
db.auth("username", "password")
It print '1'. <- authenticated.
Is it impossible to authenticate mongoDB if I use homebrew?
I don't know what I have to do anymore.
Please, Help me.
Thank you.
+ It's full log
MongoDB shell version v4.0.3
connecting to: mongodb://127.0.0.1:27017
Implicit session: session { "id" : UUID("573560e4-0a3a-472e-a94a-79b1cecab4fd") }
MongoDB server version: 4.0.3
Server has startup warnings:
2019-08-27T19:02:40.847+0900 I CONTROL [initandlisten]
2019-08-27T19:02:40.847+0900 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2019-08-27T19:02:40.847+0900 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2019-08-27T19:02:40.847+0900 I CONTROL [initandlisten]
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).
The monitoring data will be available on a MongoDB website with a unique URL accessible to you
and anyone you share the URL with. MongoDB may use this information to make product
improvements and to suggest MongoDB products and deployment options to you.
To enable free monitoring, run the following command: db.enableFreeMonitoring()
To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
try removing the current service
enable authorization first in the config file and then run mongod daemon for the very first time.
mongo allows "localhost exception". Read about it in the documentation
then create first account with required privileges on the admin database. Make sure to include privileges of creating other users.
restart mongod daemon.
check if error goes away..
point is to enable authorization before creating any user, even before admin.
I don't see you have specified the Authentication Mechanism in config file. Please add it to your mongod config file
security:
authorization: enabled
setParameter:
authenticationMechanisms: SCRAM-SHA-1
Once the above is done, restart your mongo instance and that should work
I am working with Mongo DB and I am a newbie to it. I am about to install it on a server specifically for Mongo.
I would like to create 2 instances of it - 1 to support a QA environment, the other to support a Staging Environment.
I am more familiar with SQL Server where I can create multiple instances.
Is it possible to do the same with Mongo DB and if so, how?
The aforementioned answer is not a recommended way to run multiple instances (especially when the servers might be running at the same time) as it will lead to usage of the same config parameters like for example logpath and pidfilepath which in most cases is not what you want.
Please, consider creating dedicated mongod configuration files like mongod-QA.conf and mongod-STAGE.conf. In these files you may want to provide dbpath, logpath folders, bind_ip, port and pidfilepath specific to each mongod instance and that will not affect each other.
After these steps you are good to trigger two instances as follows
mongod --config <path-to>/mongod-QA.conf
mongod --config <path-to>/mongod-STAGE.conf
You can find more details on mongodb docs page
You just need to create another folder(ex: mongodb2) dbpath for the second instance, and run it in a different port(ex: 27018)
mongod --dbpath /usr/local/var/mongodb2 --port 27018
Here is how I start 4 mongod's on the same pc to emulate production environment in development environment.
To start mongod you should use separate config for each mongod. Take 4 configs and start mongods using them:
start C:\mongodb\bin\mongod.exe --config C:\net2\dev1-pc\configs\mongod-primary1.cfg
start C:\mongodb\bin\mongod.exe --config C:\net2\dev1-pc\configs\mongod-secondary1.cfg --rest
start C:\mongodb\bin\mongod.exe --config C:\net2\dev1-pc\configs\mongod-secondary2.cfg
start C:\mongodb\bin\mongod.exe --config C:\net2\dev1-pc\configs\mongod-secondary3.cfg
Configs look like this:
mongod-primary1.cfg file contents
systemLog:
destination: file
path: c:\net2\primary1-pc\data\log\mongod.log
storage:
dbPath: c:\net2\primary1-pc\data\db
net:
port: 27018
replication:
replSetName: repl1
mongod-secondary1.cfg file contents
systemLog:
destination: file
path: c:\net2\secondary1-pc\data\log\mongod.log
storage:
dbPath: c:\net2\secondary1-pc\data\db
net:
port: 27019
replication:
replSetName: repl1
mongod-secondary2.cfg file contents
systemLog:
destination: file
path: c:\net2\secondary2-pc\data\log\mongod.log
storage:
dbPath: c:\net2\secondary2-pc\data\db
net:
port: 27020
replication:
replSetName: repl1
mongod-secondary3.cfg file contents
systemLog:
destination: file
path: c:\net2\secondary3-pc\data\log\mongod.log
storage:
dbPath: c:\net2\secondary3-pc\data\db
net:
port: 27021
replication:
replSetName: repl1
It's possible - you would give each one its own port to listen on, and its own --dbpath directory to put its files in, but I wouldn't recommend this because they will both be competing for the same resources - RAM, i/o bandwidth, etc.
If you have multiple disks on this server you can place their data files on separate devices but you're still risking your QA instance reducing availability of the production instances, possibly at the worst possible time.
I would put QA instance on a random machine that's doing something unimportant before I would colocate it with my production instance.
I'm using MongoDB v3.0.0 with the following configuration file:
storage:
dbPath: "/home/vagrant/backend/mongodata"
engine: wiredTiger
systemLog:
destination: file
path: "/home/vagrant/backend/log/mongo.log"
logAppend: true
net:
port: 27017
# Enable the HTTP interface (Defaults to port 28017).
http:
enabled: false
ssl:
mode: requireSSL
PEMKeyFile: /home/vagrant/backend/keys/privKeys.pem
security:
authorization: 'enabled'
But when I start it up, I get the following error:
Unrecognized option: net.ssl.PEMKeyFile
try '/home/vagrant/backend/mongo/bin/mongod --help' for more information
It looks like I have it set up pretty much exactly like they recommend in the docs: https://docs.mongodb.com/manual/tutorial/configure-ssl/ . The docs say this is new in mongo 3.0, so it should support this option. It does say certain distributions still don't support it (bizarrely), so I should include that I installed mongo via this: https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.0.0.tgz . The closest info I could find is the MongoDB Download Center saying version 3.0.14 for linux "has been compiled with SSL enabled and dynamically linked. This requires that SSL libraries be installed seperately. See here for more information on installing OpenSSL."
Any idea what might be going wrong here?
For me its looks like spacing issue in configuration you may need to check the spacing only two spaces are allowed with list members ssl become underneath of net so when declaring ssl ensure the spaces
here are my working configurations.
net:
port: 28017
bindIp: 127.0.0.1
ssl:
mode: requireSSL
PEMKeyFile: /etc/ssl/mongodb/mongodb-server.pem
CAFile: /etc/ssl/mongodb/mongodb-client.pem
PEMKeyPassword: abc123+
Since MongoDB v3.0.x most MongoDB distributions include support for SSL, but not all. As you have figured out, most likely the distribution that you have does not support SSL.
If you're starting a new MongoDB deployment, I would recommend to install the latest stable release, currently at MongoDB v3.4.x which have more (if not all) distributions supporting SSL. See Release Notes for MongoDB 3.4
Worked for me Mongo version 4.2.8 :
Ignore the message and check the Mongo logs, I found that the path configured for the PEM file was incorrect and should be the fully qualified path. Even after configuring it right, there was this SSL warning that was still present but worked.
ssl:
mode: requireSSL
PEMKeyFile: /data/users/mongodb/mongodb.pem
PEMKeyPassword: YOUR_PASS
I've noticed an anomaly after performing a mongorestore from a 2.6.11 dump (from another system) to a 3.2.5 system. In a nutshell, the names of the collection files on the new system (in /var/lib/mongodb) are named differently and follow this format:
collection-55--6670716476518949126.wt
index-1--6670716476518949126.wt
Whereas on the old system, the collections were in /home/mongodb and followed this naming convention:
collection_name.0
collection_name.1
collection_name.ns
Strangely, everything seems to be "working" though, even though the ~150MB collection file sizes on the old system aren't represented in the new collection file sizes (which are ~150kb).
I was following the answer in:
How to migrate MongoDB 2.6 to 3.0 with WiredTiger
Which basically suggests:
Perform mongodump.
Stop mongod
Upgrade MongoDB version
Convert the old config file at /etc/mongod.conf to the new YAML format.
Restart mongod
Perform the mongorestore on the dump.
As I am doing a mongorestore to a fresh MongoDB 3.2.5 install, however, I already have a config file in the YAML format (see below).
So the only step it seems I need to do is the mongorestore - which I have done and resulted in the anomalies noted above.
My questions are:
01) Are there any other steps I should have performed?
02) Are these file naming 'anomalies' expected?
03) Why is there such a large discrepancy in collection file sizes?
I ask in order to avoid any problems that may arise later due to missing an important step.
/etc/mongod.conf
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1
#processManagement:
#security:
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:
the file names are correct as mongoDb uses now wired tiger as default storage engine.
The size associated can be different as WT uses different approach when storing documents in file
see more here
I am trying to set up MongoDB on Windows, and the online docs seem far from accurate.
Under "Configure a Windows Service" part, step 1 mentions to create a config file. Then it mentions to fill in the file with a line in the format logpath="X:\path\mongo.log". However, following the link, the config file is said to be in YAML format, which renders the previous line unreadable in YAML.
I have created a basic mongodb.cfg(.cfg or .conf??) file:
systemLog:
destination: file
path: "P:\\Servers\\MongoDB\\logs\\mongodb.log"
quiet: true
logAppend: true
storage:
dbPath: "P:\\Servers\\MongoDB\\data"
journal:
enabled: true
net:
bindIp: 127.0.0.1
port: 27017
However when I start mongod --config P:\Servers\MongoDB\mongodb.cfg, the service just won't give any output at all, and just hangs.
If I remove the dbPath line, it will just close itself with no message at all.
I have also tried to leave the mongodb.cfg file just like this:
logpath="P:\Servers\MongoDB\logs\mongodb.log"
dbpath="P:\Servers\MongoDB\data"
But execution aborts complaining about any of the 2 paths, even tho they exist. Tried with single backslashes and with escaped backslashes (\\) with no success.
The only way the service works and listens for connections is to manually pass --dbpath only, and ignore any config file and logpath at all. Obviously this is not serious, as I need to keep track of the logs and also might need to change config parameters at some later point.
This is nuts... Am I missing something very basic or this docs are a real mess?
Here is my simple test MongoDB Config file for Windows. Note that I had to have 2 spaces before each property, e.g., path. When I had 3 spaces I got an error at startup.
I start the server with: mongod --config c:\tools\mongodb\db\mongod.cfg
systemLog:
destination: file
path: "C:\\tools\\mongodb\\db\\log\\mongo.log"
logAppend: true
storage:
dbPath: "C:\\tools\\mongodb\\db\\data"
security:
authorization: enabled
Here's an example of a mongodb.config file for Windows.
##store data here
dbpath=C:\mongodb\data\db
##all output go here
logpath=C:\mongodb\data\log\mongo.log
##log read and write operations
diaglog=3
For those who installed via *.msi installer and wondering where is .conf file located. Run 'services.msc' and check properties of mongodb service runnable file.
Bit late but I had the exact same issue today. If you use forward slashes for your paths within the config file it works fine.
systemLog:
destination: file
logAppend: true
path: "e:/mongo_data/3.6/mongo.log"
storage:
dbPath: "e:/mongo_data/3.6/db"
engine: "wiredTiger"
check if you have any file in data\db path. Please remove all those files and try to restart. I exactly used your config file and able to start the service successfully with bindip and port
You can find logs with reasons why it's not working in log file. In your case, read P:\Servers\MongoDB\logs\mongodb.log file.