Skip to content
Sudonix

mongodb replica set

Configure
  • veronikyaundefined

    Recently, ansible was used to automatically deploy the mongodb docker service, including replica sets. In version 7.0, TLS support is required to support replica sets. TLS signing is a problem for me.

    0
  • veronikyaundefined

    Docker provides the basis for one-click installation. I also optimized the docker network. The default configuration is to bypass the ufw firewall. Now the port is open to the outside world through routing and forwarding. Now I can automatically increase the replica set according to the number of servers.

    0
  • veronikyaundefined

    mongodump mongorestore mongod mongosh The subtle configuration differences make me uncomfortable, but I tried them one by one. I want to try the sharding function of mongodb when I have time.

    The service deployment speed has been greatly increased after using docker, although it will lose some performance. Now all my services have been converted to docker. One-click deployment is very advantageous for frequent service provider changes.

    0
  • phenomlabundefined

    @veronikya Not sure I follow completely in relation to the purpose of this topic - I know you mention

    The subtle configuration differences make me uncomfortable

    However, could you provide clarity around exactly what you want to do, and the steps you’ve taken so far? I also do not understand the need to expose ports to the internet when it should only be localhost?

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    veronikyaundefined 2 Replies
    0
  • veronikyaundefined

    mongodb tree struct

    📦mongodb
 ┣ 📂conf
 ┃ ┗ 📜mongod.conf
 ┣ 📂data
 ┣ 📂dump
 ┣ 📂script
 ┃ ┣ 📂docker
 ┃ ┃ ┣ 📜01-register-admin-subject.sh
 ┃ ┃ ┗ 📜02-init-mongo-rs.sh
 ┃ ┗ 📜container-init.sh
 ┣ 📂tls
 ┃ ┣ 📜ca.crt
 ┃ ┣ 📜mongodb-rs0.pem
 ┃ ┗ 📜root.pem
 ┣ 📜.env
 ┣ 📜docker-compose.yml

    This is my mongodb.conf configuration file

    {{ inventory_hostname }} 运行主机的hostname
    mongod.conf

    replication:
   replSetName: "rs0"
net:
   bindIp: 0.0.0.0
   port: {{ Container_PORT }}
   tls:
      mode: "requireTLS"
      CAFile: "/etc/tls/ca.crt"
      certificateKeyFile: "/etc/tls/{{ inventory_hostname }}.pem"
      # clusterFile: /etc/tls/root.pem
      allowInvalidCertificates: true
security:
  clusterAuthMode: "x509"
  authorization: "enabled"

    openssl generates tls ca and client pem

    openssl req -passout pass:<you passwd> -new -x509 -keyout ca.key -out ca.crt -subj "/C=US/ST=California/L=SanFrancisco/O=Ponpomu/OU=server/CN=veronikya"

openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs0.key -out mongodb-rs0.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs0"
openssl x509 -req -in mongodb-rs0.csr -signkey mongodb-rs0.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs0.crt
cat mongodb-rs0.crt mongodb-rs0.key >mongodb-rs0.pem

openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs1.key -out mongodb-rs1.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs1"
openssl x509 -req -in mongodb-rs1.csr -signkey mongodb-rs1.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs1.crt
cat mongodb-rs1.crt mongodb-rs1.key >mongodb-rs1.pem

openssl req -nodes -newkey rsa:4096 -keyout mongodb-rs2.key -out mongodb-rs2.csr -subj "/C=US/ST=California/L=SanFrancisco/O=Percona/OU=server/CN=mongodb-rs2"
openssl x509 -req -in mongodb-rs2.csr -signkey mongodb-rs2.key -CA ca.crt -CAkey ca.key -set_serial 01 -out mongodb-rs2.crt
cat mongodb-rs2.crt mongodb-rs2.key >mongodb-rs2.pem

openssl req -newkey rsa:4096 -nodes -out root.csr -keyout root.key -subj '/CN=root/OU=client/O=supsersb/L=tm/ST=tm/C=CN'
openssl x509 -passin pass:<you passwd>-req -in root.csr -signkey root.key -CA ca.crt -CAkey ca.key -CAcreateserial -out root.crt
cat root.crt root.key >root.pem
    0
  • veronikyaundefined

    @phenomlab In a cluster, the database does not need to be exposed to the outside world, and communication between multiple servers is established according to firewall policies.

    Now I have a host vps that is very strange. Docker in the host cannot access the hosts set by the host, but Docker in the other two can access them. These are the hosts of three different servers.

    veronikyaundefined phenomlabundefined 2 Replies
    0
  • veronikyaundefined

    This is the ufw rule I reconfigured to support access to the Internet within docker and the development server through port forwarding, because docker does not pass the ufw firewall by default, which is dangerous

    # /etc/ufw/after.rules

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER#
    0
  • veronikyaundefined

    @phenomlab The topic is opened to share some problems, configuration modifications of deploying replica sets. I spent a lot of time to achieve this, and may introduce the system later. Including sharing my replica set ansible deployment script

    0
  • veronikyaundefined

    The host’s local dns resolution is not configured. The problem of the host’s hosts being unable to be resolved in docker has been solved. Surprisingly
    Solution:
    Edit the /etc/resovel.conf file
    Add 127.0.0.53

    phenomlabundefined 1 Reply
    1
  • phenomlabundefined

    @veronikya said in mongodb replica set:

    In a cluster, the database does not need to be exposed to the outside world

    Actually, they should NEVER be exposed to the outside world. The cluster should communicate on it’s own internal network only.

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    1
  • phenomlabundefined phenomlab marked this topic as a regular topic on
  • phenomlabundefined

    @veronikya said in mongodb replica set:

    The host’s local dns resolution is not configured. The problem of the host’s hosts being unable to be resolved in docker has been solved. Surprisingly
    Solution:
    Edit the /etc/resovel.conf file
    Add 127.0.0.53

    One immediate issue I can think of here is that editing resolv.conf directly is no longer supported and not recommended (because the changes do not survive a reboot) - unless you install the resolvconf package?

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    0