Require authentication for clients #11
geek
commented
Mar 7, 2017
- Authentication mode is now enabled
- Replica members now use a keyfile for authentication
- Added script.sh file for easy _env creation
- Update to latest MongoDB release
yosifkit
left a comment
A few comments on the mongodb setup script.
bin/setup_mongo.sh
Outdated
| #!/bin/bash | ||
|
|
||
| echo "Start MongoDB without access control." | ||
| mongod --port 27017 & |
This should probably be mongod --fork --bind_ip 127.0.0.1 --logpath /dev/stdout --config /etc/mongod.conf to ensure that it runs with only local access, has the same config as the real instance, and when it returns will be ready for access and so we won't need the while ! nc .... The reason for the bind_ip is to prevent external services from getting a connection followed by a rejection (since auth is on and no user created), and instead just prevent connections altogether.
Not sure if a --port is necessary, since the default is 27017.
(Similar discussion on the official image docker-library/mongo#53)
bin/setup_mongo.sh
Outdated
| chmod 400 /etc/mongod.key | ||
|
|
||
| echo "Overwrite setup_mongo.sh so that this is a one-time setup" | ||
| echo "#!/bin/bash" > ./setup_user.sh |
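Review bot: the echo line announces that setup_mongo.sh is being overwritten, but the redirect on the next line writes to ./setup_user.sh, a relative path resolved against whatever the working directory happens to be when the script runs, so the one-time guard does not replace the script it claims to. Pick a single target and use an absolute path (for example the script's own path from "$0") for both the message and the redirect. On the chmod 400 /etc/mongod.key line, mode 400 only helps if the file is owned by the user mongod runs as; a root-owned 400 keyfile is unreadable to an unprivileged mongod, so a chown should accompany the chmod.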
Assuming this overwrote itself (setup_mongo.sh), this would only work on restarts of the current container, but would not prevent a second user creation when a user reuses an old data directory (like docker-compose when run on non-triton). In looking to add similar functionality to the mongo official image (docker-library/mongo#53 (comment)), we didn't yet have a way to detect that this was an already initialized database directory to prevent trying to create the user a second time.
I am not sure how to solve this either.
mkdir an empty dir into a well-known location in the data directory. If the mkdir fails (which it will if it already exists), we can just bail out there.
| @@ -0,0 +1,21 @@ | |||
| #!/bin/bash | |||
|
|
|||
Might want to have a set -e here so that failures of individual lines will cause the script to stop.
FYI, I've filed docker-library/mongo#145 upstream to get a general solution to the initialization/user creation problem.
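The points raised in this review (set -e, a loopback-only forked mongod that returns once it accepts connections, a 400 keyfile, and a mkdir marker in the data directory as the one-time guard) combined into one bootstrap script, as an added example that is not code from this PR or from the repository. Paths, the RUN_SETUP switch and the MONGO_ROOT_USER/MONGO_ROOT_PASSWORD variables are assumptions, and the config is assumed not to enable replication yet (with replication on, rs.initiate() must precede createUser).

```shell
#!/bin/bash
# Added example, not this PR's code. Assumed paths and variable names below.
set -eu

DATA_DIR="${DATA_DIR:-/data/db}"
KEYFILE="${KEYFILE:-/etc/mongod.key}"
CONFIG="${CONFIG:-/etc/mongod.conf}"

# One-time guard: mkdir is atomic and fails if the marker already exists, so a
# reused data directory (e.g. a docker-compose volume) skips user creation.
# Returns 0 on first initialisation, non-zero if already initialised.
claim_init_marker() {
  mkdir "$1/.initialized" 2>/dev/null
}

# Replica-set keyfile must be readable only by its owner (mongod rejects
# group/world-readable keyfiles). Prints the resulting permission string.
restrict_keyfile() {
  chmod 400 "$1"
  ls -l "$1" | cut -c1-10
}

# Bootstrap: start mongod loopback-only and forked (so the command returns only
# once the server accepts connections), create the admin user through the
# localhost exception, then stop it so the entrypoint can start the real
# instance with auth and the keyfile from the config.
setup_mongo() {
  if ! claim_init_marker "$DATA_DIR"; then
    echo "Data directory already initialised; skipping user creation."
    return 0
  fi
  restrict_keyfile "$KEYFILE" >/dev/null
  mongod --fork --bind_ip 127.0.0.1 --logpath /dev/stdout --config "$CONFIG"
  # Assumes the credentials contain no single quotes (they are interpolated into JS).
  mongo admin --eval "db.createUser({user: '$MONGO_ROOT_USER', pwd: '$MONGO_ROOT_PASSWORD', roles: ['root']})"
  mongod --shutdown --dbpath "$DATA_DIR"
}

# Only perform the bootstrap when explicitly requested (assumed switch).
if [ "${RUN_SETUP:-0}" = 1 ]; then
  setup_mongo
fi
```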
tgross
left a comment
(no-op comment to get this old PR off my pulls page 😀 )