I've run into this super annoying issue today.
Basically, I have set up a MongoDB database using the GCP Marketplace offering. It sets up a primary node, secondary, and an arbiter. Which is super cool.
What it doesn't do is security. Like, at all. So only natural I had to set it up myself. Well, now 20 hours later and a few good punches to my own face I am still struggling to get it running.
Basically, this is my partial config:
    security:
      authorization: enabled
      keyFile: '/etc/mongodKey'
If I comment out the keyFile the instance runs. But it cannot connect to any other nodes, because of the security being enabled. And no, I cannot disable it, are you mad?
The thing about the keyFile though... As I understand, mongod cannot open it, so it won't start. I suppose /etc is not a good place to put it in? I tried other folders, but to no avail. Nothing works.
And I need to have that security measure, since the database needs to be connected to by my colleagues using Robo 3T. So dropping the external IP address is out of the question.
What me do wrong? Please help as I'm pulling my own hair out.
This is the output of sudo service mongod status:
● mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2019-08-21 15:28:08 UTC; 4min 29s ago
Docs: https://docs.mongodb.org/manual
Process: 1024 ExecStart=/usr/bin/mongod --config /etc/mongod.conf (code=exited, status=1/FAILURE)
Main PID: 1024 (code=exited, status=1/FAILURE)
Aug 21 15:28:08 m-vm-0 systemd[1]: Started MongoDB Database Server.
Aug 21 15:28:08 m-vm-0 systemd[1]: mongod.service: Main process exited, code=exited, status=1/F
Aug 21 15:28:08 m-vm-0 systemd[1]: mongod.service: Unit entered failed state.
Aug 21 15:28:08 m-0 systemd[1]: mongod.service: Failed with result 'exit-code'.
Edit:
I checked the mongod.log. Yes it is a permission issue. And I cannot solve it.
I tried doing sudo chmod 400 /etc/mongodKey but it doesn't do anything.
Please, someone, where do I put the key file so it is readable by mongodb? This is very important!
Answer
If you use the GCP MongoDB marketplace deployment named "MongoDB", that allows you to set up replication, know the following:
They do not set up the security in the initial configuration, thus there are 2 options:
- Turn off the External IP
- Enable authorization in the mongod.conf
If you go for the first solution, you won't be able to easily connect to the database from any other external sources.
If you go for the second solution, you'll need to do the following:
Generate a key, the whole process can be found here: https://docs.mongodb.com/manual/tutorial/enforce-keyfile-access-control-in-existing-replica-set/
Copy the file contents
- SSH into all of your Compute Engine instances
- Choose a directory
sudo touch
sudo nano
- Paste the key you generated on your computer and save
sudo chmod 600
sudo chown mongodb:
- Update your mongod.conf which is found under /etc/mongod.conf
- Uncomment security, authorization, keyFile
- Provide the path under key keyFile to your keyfile
- Stop all instances and start them again
Now MongoDB has access to the keyfile.
What a nightmare. And chmod 400 didn't work for me as specified in the documentation. I had to set it to chmod 600.
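The ownership and mode steps in the answer above can be checked on each node before mongod is restarted. This is an added example, not part of the original question or answer: the function name `check_keyfile` is hypothetical, the path `/etc/mongodKey` and the user `mongodb` are taken from the posts, and the key length and character rules are the ones stated in the MongoDB keyfile documentation. It assumes Linux with GNU `stat`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a replica-set keyfile
# before restarting mongod. Assumes Linux with GNU stat.
# Usage: check_keyfile /etc/mongodKey mongodb

check_keyfile() {
    local path="$1" svc_user="${2:-mongodb}" rc=0
    local owner mode key

    if [ ! -f "$path" ]; then
        echo "FAIL: $path is missing or not a regular file"
        return 1
    fi

    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")

    # mongod runs as the service user, so that user must own the file;
    # a file created with sudo is owned by root until it is chown'ed.
    if [ "$owner" != "$svc_user" ]; then
        echo "FAIL: owner is '$owner', expected '$svc_user'"; rc=1
    fi
    # The owner needs the read bit (0400).
    if [ $(( 0$mode & 0400 )) -eq 0 ]; then
        echo "FAIL: mode $mode gives the owner no read access"; rc=1
    fi
    # Any group or world bit (0077) makes mongod reject the keyfile.
    if [ $(( 0$mode & 0077 )) -ne 0 ]; then
        echo "FAIL: mode $mode is open to group/other; use 600 or 400"; rc=1
    fi

    # Content rule from the MongoDB docs: 6-1024 base64 characters
    # (whitespace is ignored).
    key=$(tr -d '[:space:]' 2>/dev/null < "$path") || key=""
    if [ "${#key}" -lt 6 ] || [ "${#key}" -gt 1024 ]; then
        echo "FAIL: key length ${#key} is outside 6-1024 characters"; rc=1
    fi
    case "$key" in
        *[!A-Za-z0-9+/=]*) echo "FAIL: key has non-base64 characters"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $path (owner $owner, mode $mode)"
    return "$rc"
}
```

Run it with sudo on every replica-set member, since a keyfile restricted to the mongodb user is not readable by an ordinary login account.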