Mirroristas/bigchaindb
2
0
Fork 0
mirror of https://github.com/bigchaindb/bigchaindb.git synced 2024-10-13 13:34:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
bigchaindb/k8s/mongodb/container/README.md
Krish b6ec3e5f5c Mongodb TLS (#1456) 
* Support for secure TLS communication in MongoDB, MongoDB Monitoring
Agent and MongoDB Backup Agent
- Move from Golang to Bash for entrypoint program
- Update image tag to 2.0 for Backup and Monitoring Agents and to
3.4.4 for MongoDB
- Add documentation

* changed title & rewrote Step 1 of workflow.rst

* copy-edited ca-installation.rst

* copy-edited & modified structure of workflow.rst

* moved repeated Easy-RSA install & config docs to new page

* edited the sentences describing the Easy-RSA dirs

* copy-edited the page about generating server certificate

* copy-edited the page about generating client certificate

* renamed page to 'How to Set Up a Self-Signed Certificate Authority'

* copy-edited page about how to revoke a certificate

* Comments on how to uniquely name all instances in the cluster

* Added comments about the other questions when setting up a CA

* Added note about one Agent Api Key per Cloud Manager backup

* docs: clarified instructions for generating server CSR

* docs: added back 'from your PKI infrastructure'

* docs: fixed step & added step re/ FQDNs & certs in workflow.rst

* docs: added note re/ the Distinguished Name

* Update docs for env vars setup

* docs: added tip: how to get help with the easyrsa command
2017-05-19 11:18:44 +02:00

2.9 KiB
Raw Blame History

Custom MongoDB container for BigchainDB Backend

Need

  • MongoDB needs the hostname provided in the rs.initiate() command to be resolvable through the hosts file locally.
  • In the future, with the introduction of TLS for inter-cluster MongoDB communications, we will need a way to specify detailed configuration.
  • We also need a way to overwrite certain parameters to suit our use case.

Step 1: Build the Latest Container

docker build -t bigchaindb/mongodb:3.4.4 . from the root of this project.

Step 2: Run the Container

docker run \
  --cap-add=FOWNER \
  --name=mdb1 \
  --publish=<mongo port number for external connections>:<corresponding host port> \
  --rm=true \
  --volume=<host dir for mongodb data files>:/data/db \
  --volume=<host dir for mongodb config data files>:/data/configdb \
  --volume=<host dir with the required TLS certificates>:/mongo-ssl:ro \
  bigchaindb/mongodb:3.4.4 \
  --mongodb-port <mongod port number for external connections> \
  --mongodb-key-file-path /mongo-ssl/<private key file name>.pem \
  --mongodb-key-file-password <password for the private key file> \
  --mongodb-ca-file-path /mongo-ssl/<ca certificate file name>.crt \
  --mongodb-crl-file-path /mongo-ssl/<crl certificate file name>.pem \
  --replica-set-name <replica set name> \
  --mongodb-fqdn <fully qualified domain name of this instance> \
  --mongodb-ip <ip address of the mongodb container>

Step 3: Initialize the Replica Set

Login to one of the MongoDB containers, say mdb1:

docker exec -it mongodb bash

Since we need TLS certificates to use the mongo shell now, copy them using:

docker cp bdb-instance-0.pem mongodb:/
docker cp ca.crt mongodb:/

Start the mongo shell:

mongo --host mdb1-fqdn --port mdb1-port --verbose --ssl \
  --sslCAFile /ca.crt \
  --sslPEMKeyFile /bdb-instance-0.pem \
  --sslPEMKeyPassword password

Run the rs.initiate() command:

rs.initiate({ 
  _id : "<replica-set-name", members: [
  { 
    _id : 0,
    host : "<fqdn of this instance>:<port number>"
  } ]
})

For example:

rs.initiate({ _id : "test-repl-set", members: [ { _id : 0, host :
"mdb-instance-0.westeurope.cloudapp.azure.com:27017" } ] })

You should also see changes in the mongo shell prompt from > to test-repl-set:OTHER> to test-repl-set:SECONDARY> to finally test-repl-set:PRIMARY>. If this instance is not the primary, you can use the rs.status() command to find out who is the primary.

Step 4: Add members to the Replica Set

We can only add members to a replica set from the PRIMARY instance. Login to the PRIMARY and open a mongo shell.

Run the rs.add() command with the ip and port number of the other containers/instances:

rs.add("<fqdn>:<port>")

For example:

Add mdb2 to replica set from mdb1:

rs.add("bdb-cluster-1.northeurope.cloudapp.azure.com:27017")

Add mdb3 to replica set from mdb1:

rs.add("bdb-cluster-2.northeurope.cloudapp.azure.com:27017")