mongodb replica set
-
Docker provides the basis for one-click installation. I also optimized the docker network. The default configuration is to bypass the ufw firewall. Now the port is open to the outside world through routing and forwarding. Now I can automatically increase the replica set according to the number of servers.
-
mongodump mongorestore mongod mongosh The subtle configuration differences make me uncomfortable, but I tried them one by one. I want to try the sharding function of mongodb when I have time.
The service deployment speed has been greatly increased after using docker, although it will lose some performance. Now all my services have been converted to docker. One-click deployment is very advantageous for frequent service provider changes.
-
mongodump mongorestore mongod mongosh The subtle configuration differences make me uncomfortable, but I tried them one by one. I want to try the sharding function of mongodb when I have time.
The service deployment speed has been greatly increased after using docker, although it will lose some performance. Now all my services have been converted to docker. One-click deployment is very advantageous for frequent service provider changes.
@veronikya Not sure I follow completely in relation to the purpose of this topic - I know you mention
The subtle configuration differences make me uncomfortable
However, could you provide clarity around exactly what you want to do, and the steps you’ve taken so far? I also do not understand the need to expose ports to the internet when it should only be
localhost? -
mongodb tree struct
📦mongodb ┣ 📂conf ┃ ┗ 📜mongod.conf ┣ 📂data ┣ 📂dump ┣ 📂script ┃ ┣ 📂docker ┃ ┃ ┣ 📜01-register-admin-subject.sh ┃ ┃ ┗ 📜02-init-mongo-rs.sh ┃ ┗ 📜container-init.sh ┣ 📂tls ┃ ┣ 📜ca.crt ┃ ┣ 📜mongodb-rs0.pem ┃ ┗ 📜root.pem ┣ 📜.env ┣ 📜docker-compose.yml This is my mongodb.conf configuration file
{{ inventory_hostname }} 运行主机的hostname
mongod.confreplication: replSetName: "rs0" net: bindIp: 0.0.0.0 port: {{ Container_PORT }} tls: mode: "requireTLS" CAFile: "/etc/tls/ca.crt" certificateKeyFile: "/etc/tls/{{ inventory_hostname }}.pem" # clusterFile: /etc/tls/root.pem allowInvalidCertificates: true security: clusterAuthMode: "x509" authorization: "enabled" openssl generates tls ca and client pem
openssl req -passout pass:<you passwd> -new -x509 -keyout ca.key -out ca.crt -subj "/C=US/ST=California/L=SanFrancisco/O=Ponpomu/OU=server/CN=veronikya" openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs0.key -out mongodb-rs0.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs0" openssl x509 -req -in mongodb-rs0.csr -signkey mongodb-rs0.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs0.crt cat mongodb-rs0.crt mongodb-rs0.key >mongodb-rs0.pem openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs1.key -out mongodb-rs1.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs1" openssl x509 -req -in mongodb-rs1.csr -signkey mongodb-rs1.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs1.crt cat mongodb-rs1.crt mongodb-rs1.key >mongodb-rs1.pem openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs2.key -out mongodb-rs2.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs2" openssl x509 -req -in mongodb-rs2.csr -signkey mongodb-rs2.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs2.crt cat mongodb-rs2.crt mongodb-rs2.key >mongodb-rs2.pem openssl req -newkey rsa:4096 -nodes -out root.csr -keyout root.key -subj '/CN=root/OU=client/O=supsersb/L=tm/ST=tm/C=CN' openssl x509 -passin pass:<you passwd>-req -in root.csr -signkey root.key -CA ca.crt -CAkey ca.key -CAcreateserial -out root.crt cat root.crt root.key >root.pem -
@veronikya Not sure I follow completely in relation to the purpose of this topic - I know you mention
The subtle configuration differences make me uncomfortable
However, could you provide clarity around exactly what you want to do, and the steps you’ve taken so far? I also do not understand the need to expose ports to the internet when it should only be
localhost?@phenomlab In a cluster, the database does not need to be exposed to the outside world, and communication between multiple servers is established according to firewall policies.
Now I have a host vps that is very strange. Docker in the host cannot access the hosts set by the host, but Docker in the other two can access them. These are the hosts of three different servers.
-
This is the ufw rule I reconfigured to support access to the Internet within docker and the development server through port forwarding, because docker does not pass the ufw firewall by default, which is dangerous
# /etc/ufw/after.rules # BEGIN UFW AND DOCKER *filter :ufw-user-forward - [0:0] :DOCKER-USER - [0:0] -A DOCKER-USER -j RETURN -s 10.0.0.0/8 -A DOCKER-USER -j RETURN -s 172.16.0.0/12 -A DOCKER-USER -j RETURN -s 192.168.0.0/16 -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN -A DOCKER-USER -j ufw-user-forward -A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16 -A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8 -A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12 -A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16 -A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8 -A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12 -A DOCKER-USER -j RETURN COMMIT # END UFW AND DOCKER# -
@veronikya Not sure I follow completely in relation to the purpose of this topic - I know you mention
The subtle configuration differences make me uncomfortable
However, could you provide clarity around exactly what you want to do, and the steps you’ve taken so far? I also do not understand the need to expose ports to the internet when it should only be
localhost?@phenomlab The topic is opened to share some problems, configuration modifications of deploying replica sets. I spent a lot of time to achieve this, and may introduce the system later. Including sharing my replica set ansible deployment script
-
@phenomlab In a cluster, the database does not need to be exposed to the outside world, and communication between multiple servers is established according to firewall policies.
Now I have a host vps that is very strange. Docker in the host cannot access the hosts set by the host, but Docker in the other two can access them. These are the hosts of three different servers.
The host’s local dns resolution is not configured. The problem of the host’s hosts being unable to be resolved in docker has been solved. Surprisingly
Solution:
Edit the /etc/resovel.conf file
Add 127.0.0.53 -
@phenomlab In a cluster, the database does not need to be exposed to the outside world, and communication between multiple servers is established according to firewall policies.
Now I have a host vps that is very strange. Docker in the host cannot access the hosts set by the host, but Docker in the other two can access them. These are the hosts of three different servers.
@veronikya said in mongodb replica set:
In a cluster, the database does not need to be exposed to the outside world
Actually, they should NEVER be exposed to the outside world. The cluster should communicate on it’s own internal network only.
-
undefined phenomlab marked this topic as a regular topic on 23 Nov 2023, 12:01
-
The host’s local dns resolution is not configured. The problem of the host’s hosts being unable to be resolved in docker has been solved. Surprisingly
Solution:
Edit the /etc/resovel.conf file
Add 127.0.0.53@veronikya said in mongodb replica set:
The host’s local dns resolution is not configured. The problem of the host’s hosts being unable to be resolved in docker has been solved. Surprisingly
Solution:
Edit the /etc/resovel.conf file
Add 127.0.0.53One immediate issue I can think of here is that editing
resolv.confdirectly is no longer supported and not recommended (because the changes do not survive a reboot) - unless you install theresolvconfpackage?
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (ether email, or push notification). You'll also be able to save bookmarks, use reactions, and upvote to show your appreciation to other community members.
With your input, this post could be even better 💗
RegisterLog in
