
Configuring MongoDB

Thomas Schaffter edited this page Jul 27, 2019 · 17 revisions

Overview

This section describes how to configure an instance of mongo that hosts the data of the portal.

Running MongoDB

The easiest way to run a local instance of mongo is to use docker run -p 27017:27017 --name afs-mongo -d mongo.

In a production environment, mongo should be configured to

  • enable authentication
  • enable SSL

The following additional security measures are implemented:

  • Set admin username and password
  • Create a database for the app (the portal) and create a user with limited privileges that can read/write into the app database.
  • Make sure that the mongo service is not run as root. This is already taken care of by the mongo docker image, where the service is run by default as the mongodb user.

Enabling authentication

With authentication enabled, mongo requires every client to provide a username and password.

First, we set a username and password for the admin user. This is achieved by specifying the environment variables MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD to the mongo docker image.

The next step is to create an app account that has read/write access to the app database. To create this user, we have created a new docker image that extends the mongo image. The Dockerfile for this image is available in the folder mongo. The app user is then created by specifying the following environment variables:

  • MONGO_INITDB_DATABASE
  • MONGO_USERNAME
  • MONGO_PASSWORD

The portal must then be provided with the following environment variables:

  • MONGODB_URI: E.g., mongodb://mongo-dev:27017/phccp-dev, where
    • mongo-dev is the name of the service specified in docker-compose.dev.yml
    • phccp-dev must be set to the value of MONGO_INITDB_DATABASE
  • MONGODB_USER: Must be set to the value of MONGO_USERNAME
  • MONGODB_PASSWORD: Must be set to the value of MONGO_PASSWORD
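The app user described above is what limits the blast radius if the portal's credentials leak: it gets readWrite on the app database only, never the root role. The script below is an added illustration, not the contents of the project's mongo Dockerfile or its init script. It renders the mongo shell script that the official image executes from /docker-entrypoint-initdb.d/ on first start, using the MONGO_INITDB_DATABASE, MONGO_USERNAME and MONGO_PASSWORD names from this page; the function names and the refusal of unsafe characters are this example's own choices.

```shell
#!/bin/sh
# Added example, not the project's own code. Renders the init script that creates
# the limited app user; the official mongo image runs such a script as the root user
# created from MONGO_INITDB_ROOT_USERNAME/MONGO_INITDB_ROOT_PASSWORD on first start.

# is_safe_literal VALUE -> 0 only if VALUE is non-empty, printable and free of
# double quotes and backslashes (either would break out of the JS string literal)
is_safe_literal() {
  [ -n "$1" ] || return 1
  [ "$(printf '%s' "$1" | LC_ALL=C tr -d '[:print:]' | wc -c)" -eq 0 ] || return 1
  case "$1" in *'"'*|*"\\"*) return 1 ;; esac
  return 0
}

# render_app_user_script DB USER PASSWORD -> prints the mongo shell script on stdout.
# Fails closed: an empty value would otherwise create a user with an empty password.
render_app_user_script() {
  db="$1"; user="$2"; pass="$3"
  is_safe_literal "$db" && is_safe_literal "$user" && is_safe_literal "$pass" || return 1
  cat <<EOF
// created at first start; grants readWrite on "$db" only, no admin roles
db = db.getSiblingDB("$db");
db.createUser({
  user: "$user",
  pwd: "$pass",
  roles: [ { role: "readWrite", db: "$db" } ]
});
EOF
}

# write_app_user_script OUTFILE: reads the three MONGO_* variables from the
# environment and writes the script where the image's entrypoint will find it.
write_app_user_script() {
  render_app_user_script "${MONGO_INITDB_DATABASE-}" "${MONGO_USERNAME-}" "${MONGO_PASSWORD-}" > "$1" \
    || { rm -f "$1"; echo "refusing to write $1: empty or unsafe MONGO_* value" >&2; return 1; }
}

# Demo with constructed values (not real credentials): prints the rendered script.
render_app_user_script "phccp-dev" "phccp" "example-only-password" || echo "refused" >&2
```

In the image described on this page the rendered file would be placed under /docker-entrypoint-initdb.d/ (for instance by the Dockerfile's COPY or by an entrypoint wrapper); the exact path used by the project is not stated here and is left as an assumption.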

Enabling SSL

First, a pem file that includes both the key and cert must be provided when running mongo. The server key and certificate used to run the portal over HTTPS can be reused. Otherwise, a new key and certificate can be generated using:

openssl req -nodes -new -x509 -keyout server.key -out server.cert

The pem file is then built by concatenating the key and the certificate:

cat server.key server.cert > mongodb.pem
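The concatenated file holds the server's private key, so it should be created owner-only and checked before it is mounted into the container. The function below is an added example, not a script from the project; it does the same cat as above inside a restrictive umask and then confirms that exactly one private key and at least one certificate block ended up in the file. The function names are this example's own, and the demo uses constructed placeholder PEM blocks rather than real key material.

```shell
#!/bin/sh
# Added example, not part of the original page: assemble mongodb.pem from a key
# and a certificate, with a permission and content check a practitioner would want.

# count_pem_blocks FILE LABEL -> number of "-----BEGIN ...LABEL-----" lines in FILE
# (matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, CERTIFICATE, ...)
count_pem_blocks() {
  grep -c -- "^-----BEGIN .*$2-----" "$1" || true
}

# build_mongodb_pem KEY CERT OUT: writes KEY followed by CERT into OUT with mode 0600
# (umask 077 in a subshell, so the rest of the shell is unaffected) and returns
# non-zero unless OUT contains exactly one private key and at least one certificate.
build_mongodb_pem() {
  key="$1"; cert="$2"; out="$3"
  [ -r "$key" ] && [ -r "$cert" ] || { echo "key or cert not readable" >&2; return 1; }
  ( umask 077; cat "$key" "$cert" > "$out" ) || return 1
  keys=$(count_pem_blocks "$out" "PRIVATE KEY")
  certs=$(count_pem_blocks "$out" "CERTIFICATE")
  if [ "$keys" -ne 1 ] || [ "$certs" -lt 1 ]; then
    echo "$out has $keys private key block(s) and $certs certificate block(s); expected 1 and >=1" >&2
    return 1
  fi
  return 0
}

# Demo with constructed placeholders (not real keys), written to a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-REAL-KEY' '-----END PRIVATE KEY-----' > "$demo_dir/server.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-NOT-A-REAL-CERT' '-----END CERTIFICATE-----' > "$demo_dir/server.cert"
if build_mongodb_pem "$demo_dir/server.key" "$demo_dir/server.cert" "$demo_dir/mongodb.pem"; then
  echo "built $demo_dir/mongodb.pem:"; ls -l "$demo_dir/mongodb.pem"
fi
rm -rf "$demo_dir"
```

With a real key and certificate the call is `build_mongodb_pem server.key server.cert mongodb.pem`; the resulting file is what the `-v ...:/etc/ssl/mongodb.pem` mount below hands to mongod, and the mount can be made read-only with the `:ro` suffix as the phccp-mongo command later on this page does.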

To run mongo with SSL enabled:

export MONGODB_PEM_FILE=/home/tschaffter/dev/PHCCollaborationPortal/certs/mongodb.pem
docker run -p 27017:27017 --name afs-mongo -d -v $MONGODB_PEM_FILE:/etc/ssl/mongodb.pem \
  mongo --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem

Configuring the portal

General

The following environment variable can be specified to the portal.

export MONGODB_URI=mongodb://localhost:27017/phccp-dev

Here phccp-dev tells mongo to use (and create on first write) the database phccp-dev that the portal will work with.

Note: We are currently investigating how to properly enable authentication. As we will probably need two databases (admin and app), specifying phccp-dev in MONGODB_URI may no longer work. In this case, the solution would be to use the mongoose option dbName (see https://mongoosejs.com/docs/connections.html#options).

Enabling SSL

The following variables must be specified to enable SSL communication between mongo and the portal.

export MONGODB_SSL=1
export MONGODB_SSL_VALIDATE=false
export MONGODB_SSL_CA=
export MONGODB_SSL_KEY=`cat /home/tschaffter/dev/PHCCollaborationPortal/certs/server.key`
export MONGODB_SSL_CERT=`cat /home/tschaffter/dev/PHCCollaborationPortal/certs/server.cert`

Note: When using a self-signed certificate, export MONGODB_SSL_VALIDATE=false and MONGODB_SSL_CA=. Otherwise, set MONGODB_SSL_VALIDATE=true and MONGODB_SSL_CA to the content of the CA's certificate (and not the path to the file). Only the second configuration checks that the portal is talking to the intended mongo server; with validation disabled any certificate is accepted.
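The two settings above are easy to mix up (validation off in production, or a file path where certificate text is expected), so a small pre-flight check on the portal's environment is worthwhile. The function below is an added example and not part of the portal; it reads the MONGODB_SSL, MONGODB_SSL_VALIDATE and MONGODB_SSL_CA names from this page, assumes that when a CA is supplied validation is meant to be on, and returns 0 when the certificate chain will be validated, 2 for the self-signed/dev configuration and 1 for anything that would leave the connection in plaintext or misconfigured. Function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example, not the portal's own code: pre-flight check of the SSL variables.

# classify_ssl_config SSL VALIDATE CA -> prints a verdict and returns
#   0 = server certificate validated against CA, 2 = dev-only (any cert accepted),
#   1 = misconfigured (plaintext, bad flag, missing CA, or a path instead of text)
classify_ssl_config() {
  ssl="$1"; validate="$2"; ca="$3"
  if [ "$ssl" != "1" ]; then
    echo "ERROR: MONGODB_SSL is not 1; the portal would talk to mongo in plaintext"; return 1
  fi
  case "$validate" in
    false) echo "WARNING: MONGODB_SSL_VALIDATE=false accepts any server certificate (dev only)"; return 2 ;;
    true) ;;
    *) echo "ERROR: MONGODB_SSL_VALIDATE must be true or false, got '$validate'"; return 1 ;;
  esac
  if [ -z "$ca" ]; then
    echo "ERROR: validation is on but MONGODB_SSL_CA is empty"; return 1
  fi
  if [ -e "$ca" ]; then
    echo "ERROR: MONGODB_SSL_CA holds a path ($ca); it must hold the certificate text"; return 1
  fi
  case "$ca" in
    *"-----BEGIN CERTIFICATE-----"*) ;;
    *) echo "ERROR: MONGODB_SSL_CA does not look like a PEM certificate"; return 1 ;;
  esac
  echo "OK: server certificate will be validated against the configured CA"; return 0
}

# check_portal_ssl_env: same check driven by the exported variables the portal reads.
check_portal_ssl_env() {
  classify_ssl_config "${MONGODB_SSL-}" "${MONGODB_SSL_VALIDATE-}" "${MONGODB_SSL_CA-}"
}

# Demo with a constructed placeholder certificate (not a real CA).
demo_ca=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----')
classify_ssl_config 1 true "$demo_ca" || true
classify_ssl_config 1 false "" || true
classify_ssl_config 1 true "/etc/ssl/ca.pem" || true
```

Run `check_portal_ssl_env` after sourcing the portal's environment file; a non-zero status other than 2 means the variables should be fixed before the portal is started.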

Enabling authentication

export MONGODB_USER=adminUser
export MONGODB_PASS=adminPassword

Tips for development

Enabling authentication

Run the following command to start the mongo service with admin username and password set:

docker run -e MONGO_INITDB_ROOT_USERNAME=admin \
  -e MONGO_INITDB_ROOT_PASSWORD=password \
  -p 27017:27017 --name afs-mongo -d mongo

To connect to this instance using the MongoDB shell:

mongo admin --host localhost -u admin -p password
MongoDB shell version v4.0.10
connecting to: mongodb://localhost:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("ec7d84a9-5b07-4486-8917-7bb5220badfc") }
MongoDB server version: 4.0.10
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
	http://docs.mongodb.org/
Questions? Try the support group
	http://groups.google.com/group/mongodb-user
Server has startup warnings: 
2019-07-09T17:11:13.923+0000 I STORAGE  [initandlisten] 
2019-07-09T17:11:13.923+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2019-07-09T17:11:13.923+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).

The monitoring data will be available on a MongoDB website with a unique URL accessible to you
and anyone you share the URL with. MongoDB may use this information to make product
improvements and to suggest MongoDB products and deployment options to you.

To enable free monitoring, run the following command: db.enableFreeMonitoring()
To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---

>

MONGO_INITDB_DATABASE

This environment variable can be specified when starting the mongo service; however, on its own it does not create the database:

MONGO_INITDB_DATABASE is only used if you have scripts in /docker-entrypoint-initdb.d/ since there is no CREATE DATABASE x like in SQL land; you can just use a database and it will exist.

Source: https://github.com/docker-library/mongo/issues/174#issuecomment-297538188

Starting phccp-mongo locally

  1. source envvars-dev
  2. docker login docker.synapse.org
  3. Start phccp-mongo
docker run -e MONGO_INITDB_ROOT_USERNAME=${MONGO_INITDB_ROOT_USERNAME} \
  -e MONGO_INITDB_ROOT_PASSWORD=${MONGO_INITDB_ROOT_PASSWORD} \
  -e MONGO_INITDB_DATABASE=${MONGO_INITDB_DATABASE} \
  -e MONGO_USERNAME=${MONGO_USERNAME} \
  -e MONGO_PASSWORD=${MONGO_PASSWORD} \
  -v `pwd`/certs/mongodb.pem:/etc/ssl/mongodb.pem:ro \
  -p ${MONGODB_PORT}:${MONGO_PORT} --name phccp-mongo -d docker.synapse.org/syn18489221/phccp-mongo \
  mongod --port ${MONGO_PORT} --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem

Dumping notes

Enabl

MongoDB is used by the portal to store data. The following command deploys the official docker image mongo and configures it to run over SSL. Here we assume that the environment variable MONGO_PORT is set (see the section https://github.com/Sage-Bionetworks/PHCCollaborationPortal/wiki/Deploying-the-portal#setting-the-environment-variables).

docker run -p ${MONGO_PORT}:${MONGO_PORT} --name afs-mongo -d -v `pwd`/certs/mongodb.pem:/etc/ssl/mongodb.pem \
  mongo --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem

To test that MongoDB is properly running over SSL, let's connect to the DB using the mongo client:

# DEV ENVIRONMENT ONLY
mongo --ssl --sslAllowInvalidHostnames --sslAllowInvalidCertificates  
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
2019-07-27T17:40:10.126+0000 W NETWORK  [js] SSL peer certificate validation failed: self signed certificate
Implicit session: session { "id" : UUID("5e3ea5c4-d8ab-4672-84a8-b70a0c80d378") }
MongoDB server version: 4.0.10
Server has startup warnings: 
2019-07-27T17:36:54.058+0000 I STORAGE  [initandlisten] 
2019-07-27T17:36:54.058+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2019-07-27T17:36:54.058+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2019-07-27T17:36:54.886+0000 I CONTROL  [initandlisten] 
2019-07-27T17:36:54.886+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2019-07-27T17:36:54.886+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2019-07-27T17:36:54.886+0000 I CONTROL  [initandlisten] 
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).

The monitoring data will be available on a MongoDB website with a unique URL accessible to you
and anyone you share the URL with. MongoDB may use this information to make product
improvements and to suggest MongoDB products and deployment options to you.

To enable free monitoring, run the following command: db.enableFreeMonitoring()
To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---

> exit
bye