@Madchatthew still a great catch.
mongodb replica set
-
Recently, ansible was used to automatically deploy the mongodb docker service, including replica sets. In version 7.0, TLS support is required to support replica sets. TLS signing is a problem for me.
-
Docker provides the basis for one-click installation. I also optimized the docker network. The default configuration is to bypass the ufw firewall. Now the port is open to the outside world through routing and forwarding. Now I can automatically increase the replica set according to the number of servers.
-
mongodump mongorestore mongod mongosh The subtle configuration differences make me uncomfortable, but I tried them one by one. I want to try the sharding function of mongodb when I have time.
The service deployment speed has been greatly increased after using docker, although it will lose some performance. Now all my services have been converted to docker. One-click deployment is very advantageous for frequent service provider changes.
-
@veronikya Not sure I follow completely in relation to the purpose of this topic - I know you mention
The subtle configuration differences make me uncomfortable
However, could you provide clarity around exactly what you want to do, and the steps you’ve taken so far? I also do not understand the need to expose ports to the internet when it should only be
localhost
? -
mongodb tree struct
📦mongodb ┣ 📂conf ┃ ┗ 📜mongod.conf ┣ 📂data ┣ 📂dump ┣ 📂script ┃ ┣ 📂docker ┃ ┃ ┣ 📜01-register-admin-subject.sh ┃ ┃ ┗ 📜02-init-mongo-rs.sh ┃ ┗ 📜container-init.sh ┣ 📂tls ┃ ┣ 📜ca.crt ┃ ┣ 📜mongodb-rs0.pem ┃ ┗ 📜root.pem ┣ 📜.env ┣ 📜docker-compose.yml
This is my mongodb.conf configuration file
{{ inventory_hostname }} 运行主机的hostname
mongod.confreplication: replSetName: "rs0" net: bindIp: 0.0.0.0 port: {{ Container_PORT }} tls: mode: "requireTLS" CAFile: "/etc/tls/ca.crt" certificateKeyFile: "/etc/tls/{{ inventory_hostname }}.pem" # clusterFile: /etc/tls/root.pem allowInvalidCertificates: true security: clusterAuthMode: "x509" authorization: "enabled"
openssl generates tls ca and client pem
openssl req -passout pass:<you passwd> -new -x509 -keyout ca.key -out ca.crt -subj "/C=US/ST=California/L=SanFrancisco/O=Ponpomu/OU=server/CN=veronikya" openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs0.key -out mongodb-rs0.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs0" openssl x509 -req -in mongodb-rs0.csr -signkey mongodb-rs0.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs0.crt cat mongodb-rs0.crt mongodb-rs0.key >mongodb-rs0.pem openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs1.key -out mongodb-rs1.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs1" openssl x509 -req -in mongodb-rs1.csr -signkey mongodb-rs1.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs1.crt cat mongodb-rs1.crt mongodb-rs1.key >mongodb-rs1.pem openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs2.key -out mongodb-rs2.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs2" openssl x509 -req -in mongodb-rs2.csr -signkey mongodb-rs2.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs2.crt cat mongodb-rs2.crt mongodb-rs2.key >mongodb-rs2.pem openssl req -newkey rsa:4096 -nodes -out root.csr -keyout root.key -subj '/CN=root/OU=client/O=supsersb/L=tm/ST=tm/C=CN' openssl x509 -passin pass:<you passwd>-req -in root.csr -signkey root.key -CA ca.crt -CAkey ca.key -CAcreateserial -out root.crt cat root.crt root.key >root.pem
-
@phenomlab In a cluster, the database does not need to be exposed to the outside world, and communication between multiple servers is established according to firewall policies.
Now I have a host vps that is very strange. Docker in the host cannot access the hosts set by the host, but Docker in the other two can access them. These are the hosts of three different servers.
-
This is the ufw rule I reconfigured to support access to the Internet within docker and the development server through port forwarding, because docker does not pass the ufw firewall by default, which is dangerous
# /etc/ufw/after.rules # BEGIN UFW AND DOCKER *filter :ufw-user-forward - [0:0] :DOCKER-USER - [0:0] -A DOCKER-USER -j RETURN -s 10.0.0.0/8 -A DOCKER-USER -j RETURN -s 172.16.0.0/12 -A DOCKER-USER -j RETURN -s 192.168.0.0/16 -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN -A DOCKER-USER -j ufw-user-forward -A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16 -A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8 -A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12 -A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16 -A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8 -A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12 -A DOCKER-USER -j RETURN COMMIT # END UFW AND DOCKER#
-
@phenomlab The topic is opened to share some problems, configuration modifications of deploying replica sets. I spent a lot of time to achieve this, and may introduce the system later. Including sharing my replica set ansible deployment script
-
The host’s local dns resolution is not configured. The problem of the host’s hosts being unable to be resolved in docker has been solved. Surprisingly
Solution:
Edit the /etc/resovel.conf file
Add 127.0.0.53 -
@veronikya said in mongodb replica set:
In a cluster, the database does not need to be exposed to the outside world
Actually, they should NEVER be exposed to the outside world. The cluster should communicate on it’s own internal network only.
-
-
@veronikya said in mongodb replica set:
The host’s local dns resolution is not configured. The problem of the host’s hosts being unable to be resolved in docker has been solved. Surprisingly
Solution:
Edit the /etc/resovel.conf file
Add 127.0.0.53One immediate issue I can think of here is that editing
resolv.conf
directly is no longer supported and not recommended (because the changes do not survive a reboot) - unless you install theresolvconf
package?
Related Topics
-
-
-
-
Email Server Settings
Solved Configure -
-
-
Mongodb Authorisation.
Solved General -