
mongodb replica set

Configure
  • Recently, ansible was used to automatically deploy the mongodb docker service, including replica sets. In version 7.0, TLS support is required to support replica sets. TLS signing is a problem for me.

  • Docker provides the basis for one-click installation. I also optimized the docker network. The default configuration is to bypass the ufw firewall. Now the port is open to the outside world through routing and forwarding. Now I can automatically increase the replica set according to the number of servers.

  • The subtle configuration differences between mongodump, mongorestore, mongod and mongosh make me uncomfortable, but I tried them one by one. I want to try the sharding function of mongodb when I have time.

    The service deployment speed has been greatly increased after using docker, although it will lose some performance. Now all my services have been converted to docker. One-click deployment is very advantageous for frequent service provider changes.

  • @veronikya Not sure I follow completely in relation to the purpose of this topic - I know you mention

    The subtle configuration differences make me uncomfortable

    However, could you provide clarity around exactly what you want to do, and the steps you’ve taken so far? I also do not understand the need to expose ports to the internet when it should only be localhost?

  • mongodb tree structure

    📦mongodb
     ┣ 📂conf
     ┃ ┗ 📜mongod.conf
     ┣ 📂data
     ┣ 📂dump
     ┣ 📂script
     ┃ ┣ 📂docker
     ┃ ┃ ┣ 📜01-register-admin-subject.sh
     ┃ ┃ ┗ 📜02-init-mongo-rs.sh
     ┃ ┗ 📜container-init.sh
     ┣ 📂tls
     ┃ ┣ 📜ca.crt
     ┃ ┣ 📜mongodb-rs0.pem
     ┃ ┗ 📜root.pem
     ┣ 📜.env
     ┣ 📜docker-compose.yml
    

    This is my mongod.conf configuration file ({{ inventory_hostname }} is the hostname of the host the container runs on):

    mongod.conf

    replication:
       replSetName: "rs0"
    net:
       bindIp: 0.0.0.0
       port: {{ Container_PORT }}
       tls:
          mode: "requireTLS"
          CAFile: "/etc/tls/ca.crt"
          certificateKeyFile: "/etc/tls/{{ inventory_hostname }}.pem"
          # clusterFile: /etc/tls/root.pem
          allowInvalidCertificates: true
    security:
      clusterAuthMode: "x509"
      authorization: "enabled"
    

    openssl generates the TLS CA, the server pem files and the client pem

    # the CA key is protected with <you passwd>; every signing step below needs -passin for it
    openssl req -passout pass:<you passwd> -new -x509 -days 3650 -keyout ca.key -out ca.crt -subj "/C=US/ST=California/L=SanFrancisco/O=Ponpomu/OU=server/CN=veronikya"
    
    # member certificates: O and OU must be identical on every member (x509 cluster auth), CN is the member hostname.
    # Sign with the CA only: -signkey tells openssl to self-sign (or conflicts with -CA in newer versions),
    # and -set_serial 01 on every member gave three certificates the same serial; -CAcreateserial hands out unique ones.
    # -days is set explicitly because the default validity of x509 -req is only 30 days.
    openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs0.key -out mongodb-rs0.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs0"
    openssl x509 -req -days 365 -in mongodb-rs0.csr -CA ca.crt -CAkey ca.key -passin pass:<you passwd> -CAcreateserial -out mongodb-rs0.crt
    cat mongodb-rs0.crt mongodb-rs0.key >mongodb-rs0.pem
    
    openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs1.key -out mongodb-rs1.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs1"
    openssl x509 -req -days 365 -in mongodb-rs1.csr -CA ca.crt -CAkey ca.key -passin pass:<you passwd> -CAcreateserial -out mongodb-rs1.crt
    cat mongodb-rs1.crt mongodb-rs1.key >mongodb-rs1.pem
    
    openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs2.key -out mongodb-rs2.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs2"
    openssl x509 -req -days 365 -in mongodb-rs2.csr -CA ca.crt -CAkey ca.key -passin pass:<you passwd> -CAcreateserial -out mongodb-rs2.crt
    cat mongodb-rs2.crt mongodb-rs2.key >mongodb-rs2.pem
    
    # client certificate: O/OU differ from the members, so mongod treats it as a user and not as a cluster member
    openssl req -newkey rsa:4096 -nodes -out root.csr -keyout root.key -subj '/CN=root/OU=client/O=supsersb/L=tm/ST=tm/C=CN'
    openssl x509 -req -days 365 -passin pass:<you passwd> -in root.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out root.crt
    cat root.crt root.key >root.pem
    
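Added example, not the poster's code: a subject check for the x.509 cluster authentication that `clusterAuthMode: "x509"` in the mongod.conf above turns on. mongod accepts a peer as a cluster member only when the O, OU and DC values of its certificate match its own (the CN carries the hostname), and a client certificate must differ in at least one of those; the subjects below are copied from the `-subj` arguments in the post, everything else is constructed.

```python
# Subjects taken from the openssl commands in the post (constructed list for this check).
MEMBER_SUBJECTS = [
    "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs0",
    "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs1",
    "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs2",
]
CLIENT_SUBJECT = "/CN=root/OU=client/O=supsersb/L=tm/ST=tm/C=CN"

def parse_subject(subj):
    """'/C=US/O=Percona/OU=server/CN=x' -> {'C': ['US'], ...}; repeated RDNs keep their order."""
    out = {}
    for rdn in subj.strip("/").split("/"):
        key, _, value = rdn.partition("=")
        out.setdefault(key.strip(), []).append(value.strip())
    return out

def membership_profile(subject):
    """The attributes mongod compares between cluster members: O, OU and DC (CN is excluded)."""
    parsed = parse_subject(subject)
    return tuple((k, tuple(parsed.get(k, []))) for k in ("O", "OU", "DC"))

def check_cluster_certs(members, client):
    """Return a list of problems; an empty list means the subjects satisfy the membership rules."""
    problems = []
    profiles = {membership_profile(s) for s in members}
    if len(profiles) != 1:
        problems.append("member certificates differ in O/OU/DC: %r" % sorted(profiles))
    cns = [parse_subject(s)["CN"][0] for s in members]
    if len(set(cns)) != len(cns):
        problems.append("member CNs are not unique: %r" % cns)
    if membership_profile(client) in profiles:
        problems.append("client certificate %s would be treated as a cluster member" % client)
    return problems
```

This only inspects subjects; chain and hostname validation of peer certificates is the part that `allowInvalidCertificates: true` in the mongod.conf above switches off, so that setting should be dropped once the certificates are CA-signed.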
  • @phenomlab In a cluster, the database does not need to be exposed to the outside world, and communication between multiple servers is established according to firewall policies.

    Now I have one host VPS that is very strange. Docker on that host cannot access the hosts set by the host, but Docker on the other two can. These are the hosts of three different servers.

  • This is the ufw rule I reconfigured to support access to the Internet from within docker and to the development server through port forwarding, because docker does not pass through the ufw firewall by default, which is dangerous.

    # /etc/ufw/after.rules
    
    # BEGIN UFW AND DOCKER
    *filter
    :ufw-user-forward - [0:0]
    :DOCKER-USER - [0:0]
    -A DOCKER-USER -j RETURN -s 10.0.0.0/8
    -A DOCKER-USER -j RETURN -s 172.16.0.0/12
    -A DOCKER-USER -j RETURN -s 192.168.0.0/16
    
    -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
    
    -A DOCKER-USER -j ufw-user-forward
    
    -A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
    -A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
    -A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
    -A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
    -A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
    -A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
    
    -A DOCKER-USER -j RETURN
    COMMIT
    # END UFW AND DOCKER
    
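Added example (not the poster's code and not part of ufw-docker): a small Python walk of the DOCKER-USER chain above that reports, for a constructed packet, what happens to a MongoDB port that Docker published on a container at 172.17.0.2:27017. RETURN hands the packet back to Docker's own FORWARD rules, which accept published ports, so only DROP means the firewall stopped it; `ufw_route_allowed` stands in for an `ufw route allow` rule inside ufw-user-forward, and all addresses are constructed.

```python
import ipaddress
# Constructed copy of the DOCKER-USER chain from the after.rules posted above.
RULES_TEXT = """
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
-A DOCKER-USER -j RETURN
"""
def parse_rule(line):
    """One `-A DOCKER-USER ...` line -> dict of match conditions plus its jump target."""
    tok, rule, i = line.split(), {}, 2
    while i < len(tok):
        opt, arg = tok[i], tok[i + 1] if i + 1 < len(tok) else ""
        if opt == "-j": rule["target"] = arg
        elif opt in ("-s", "-d"): rule[opt] = ipaddress.ip_network(arg)
        elif opt == "-p": rule["proto"] = arg
        elif opt in ("--sport", "--dport"):
            lo, _, hi = arg.partition(":")
            rule[opt] = (int(lo), int(hi or lo))
        elif opt == "--tcp-flags":  # "FIN,SYN,RST,ACK SYN" matches only a fresh SYN
            rule["syn"], i = True, i + 1  # the comparison value is an extra argument
        i += 2  # unknown options such as "-m tcp" are skipped with their argument
    return rule
RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]
def matches(rule, pkt):
    in_net = lambda key, ip: key not in rule or ipaddress.ip_address(ip) in rule[key]
    in_range = lambda key, port: key not in rule or rule[key][0] <= port <= rule[key][1]
    return (in_net("-s", pkt["src"]) and in_net("-d", pkt["dst"])
            and rule.get("proto", pkt["proto"]) == pkt["proto"]
            and in_range("--sport", pkt["sport"]) and in_range("--dport", pkt["dport"])
            and (not rule.get("syn") or pkt["syn"]))
def verdict(pkt, ufw_route_allowed=False):
    """First matching target; ufw-user-forward only decides when an ufw route rule matched."""
    for rule in (r for r in RULES if matches(r, pkt)):
        if rule["target"] != "ufw-user-forward": return rule["target"]
        if ufw_route_allowed: return "ACCEPT"  # otherwise the sub-chain returns; keep walking
    return "RETURN"
def packet(src, dst="172.17.0.2", proto="tcp", sport=51000, dport=27017, syn=True):
    """Constructed packet aimed at a mongod that Docker published on 172.17.0.2:27017."""
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, syn=syn)
```

Walking the chain this way also shows two properties worth knowing: any RFC 1918 source hits a RETURN before the DROP rules, so neighbours on a shared private network still reach the published port, and the UDP DROP rules stop at port 32767.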
  • @phenomlab The topic is opened to share some problems and configuration modifications of deploying replica sets. I spent a lot of time to achieve this, and may introduce the system later, including sharing my replica set ansible deployment script.

  • The host’s local dns resolution is not configured. The problem of the host’s hosts being unable to be resolved in docker has been solved, surprisingly.
    Solution:
    Edit the /etc/resolv.conf file
    Add 127.0.0.53

  • @veronikya said in mongodb replica set:

    In a cluster, the database does not need to be exposed to the outside world

    Actually, they should NEVER be exposed to the outside world. The cluster should communicate on its own internal network only.

  • @veronikya said in mongodb replica set:

    The host’s local dns resolution is not configured. The problem of the host’s hosts being unable to be resolved in docker has been solved, surprisingly.
    Solution:
    Edit the /etc/resolv.conf file
    Add 127.0.0.53

    One immediate issue I can think of here is that editing resolv.conf directly is no longer supported and not recommended (because the changes do not survive a reboot) - unless you install the resolvconf package?

