@veronikya said in mongodb replica set:
The host’s local dns resolution is not configured. The problem of the host’s hosts being unable to be resolved in docker has been solved. Surprisingly
Solution:
Edit the /etc/resovel.conf file
Add 127.0.0.53
One immediate issue I can think of here is that editing resolv.conf directly is no longer supported and not recommended (because the changes do not survive a reboot) - unless you install the resolvconf package?
@veronikya said in mongodb replica set:
In a cluster, the database does not need to be exposed to the outside world
Actually, they should NEVER be exposed to the outside world. The cluster should communicate on it’s own internal network only.
@phenomlab The topic is opened to share some problems, configuration modifications of deploying replica sets. I spent a lot of time to achieve this, and may introduce the system later. Including sharing my replica set ansible deployment script
This is the ufw rule I reconfigured to support access to the Internet within docker and the development server through port forwarding, because docker does not pass the ufw firewall by default, which is dangerous
# /etc/ufw/after.rules
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER#
@phenomlab In a cluster, the database does not need to be exposed to the outside world, and communication between multiple servers is established according to firewall policies.
Now I have a host vps that is very strange. Docker in the host cannot access the hosts set by the host, but Docker in the other two can access them. These are the hosts of three different servers.
mongodb tree struct
📦mongodb
┣ 📂conf
┃ ┗ 📜mongod.conf
┣ 📂data
┣ 📂dump
┣ 📂script
┃ ┣ 📂docker
┃ ┃ ┣ 📜01-register-admin-subject.sh
┃ ┃ ┗ 📜02-init-mongo-rs.sh
┃ ┗ 📜container-init.sh
┣ 📂tls
┃ ┣ 📜ca.crt
┃ ┣ 📜mongodb-rs0.pem
┃ ┗ 📜root.pem
┣ 📜.env
┣ 📜docker-compose.yml
This is my mongodb.conf configuration file
{{ inventory_hostname }} 运行主机的hostname
mongod.conf
replication:
replSetName: "rs0"
net:
bindIp: 0.0.0.0
port: {{ Container_PORT }}
tls:
mode: "requireTLS"
CAFile: "/etc/tls/ca.crt"
certificateKeyFile: "/etc/tls/{{ inventory_hostname }}.pem"
# clusterFile: /etc/tls/root.pem
allowInvalidCertificates: true
security:
clusterAuthMode: "x509"
authorization: "enabled"
openssl generates tls ca and client pem
openssl req -passout pass:<you passwd> -new -x509 -keyout ca.key -out ca.crt -subj "/C=US/ST=California/L=SanFrancisco/O=Ponpomu/OU=server/CN=veronikya"
openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs0.key -out mongodb-rs0.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs0"
openssl x509 -req -in mongodb-rs0.csr -signkey mongodb-rs0.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs0.crt
cat mongodb-rs0.crt mongodb-rs0.key >mongodb-rs0.pem
openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs1.key -out mongodb-rs1.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs1"
openssl x509 -req -in mongodb-rs1.csr -signkey mongodb-rs1.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs1.crt
cat mongodb-rs1.crt mongodb-rs1.key >mongodb-rs1.pem
openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs2.key -out mongodb-rs2.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs2"
openssl x509 -req -in mongodb-rs2.csr -signkey mongodb-rs2.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs2.crt
cat mongodb-rs2.crt mongodb-rs2.key >mongodb-rs2.pem
openssl req -newkey rsa:4096 -nodes -out root.csr -keyout root.key -subj '/CN=root/OU=client/O=supsersb/L=tm/ST=tm/C=CN'
openssl x509 -passin pass:<you passwd>-req -in root.csr -signkey root.key -CA ca.crt -CAkey ca.key -CAcreateserial -out root.crt
cat root.crt root.key >root.pem
@veronikya Not sure I follow completely in relation to the purpose of this topic - I know you mention
The subtle configuration differences make me uncomfortable
However, could you provide clarity around exactly what you want to do, and the steps you’ve taken so far? I also do not understand the need to expose ports to the internet when it should only be localhost?
mongodump mongorestore mongod mongosh The subtle configuration differences make me uncomfortable, but I tried them one by one. I want to try the sharding function of mongodb when I have time.
The service deployment speed has been greatly increased after using docker, although it will lose some performance. Now all my services have been converted to docker. One-click deployment is very advantageous for frequent service provider changes.
Docker provides the basis for one-click installation. I also optimized the docker network. The default configuration is to bypass the ufw firewall. Now the port is open to the outside world through routing and forwarding. Now I can automatically increase the replica set according to the number of servers.
