M103: MongoDB Cluster Administration: The Mongod

MongoDB M103 Course Notes Chapter 1 of 3

2021-06-12

Chapter 0: Introduction & Setup

Topics

  • Mongod
  • Authentication
  • Database Logs
  • High Availability(by replicating)
  • Scalability(sharding)

Chapter 1: The Mongod

The Mongod

Clinet <-> Mongod(Deamon) mongod listens on port 27017
database files are stored in the directory /data/db/

Start MongoDB

$ nohup mongod -f etc/mongod.conf &

mongod.conf

dbpath = ./data
logpath = ./log/mongod.log

To create a new collection

db.createCollection("employees")

kill mongod by mongo shell

use admin
db.shutdownServer()

dbpath

$ mongod --dbpath <directory path>

auth

$ mongod --auth

Configuration File

YAML conf file

Launch mongod using default configuration:

mongod

Launch mongod with specified –dbpath and –logpath:

mongod --dbpath /data/db --logpath /data/log/mongod.log

Launch mongod and fork the process:

mongod --dbpath /data/db --logpath /data/log/mongod.log --fork

Launch mongod with many configuration options:

Note that all “ssl” options have been edited to use “tls” instead. As of MongoDB 4.2, options using “ssl” have been deprecated.

mongod --dbpath /data/db --logpath /data/log/mongod.log --fork --replSet "M103" --keyFile /data/keyfile --bind_ip "127.0.0.1,192.168.103.100" --tlsMode requireTLS --tlsCAFile "/etc/tls/TLSCA.pem" --tlsCertificateKeyFile "/etc/tls/tls.pem"

Example configuration file, with the same configuration options as above:

storage:
  dbPath: "/data/db"
systemLog:
  path: "/data/log/mongod.log"
  destination: "file"
replication:
  replSetName: M103
net:
  bindIp : "127.0.0.1,192.168.103.100"
tls:
  mode: "requireTLS"
  certificateKeyFile: "/etc/tls/tls.pem"
  CAFile: "/etc/tls/TLSCA.pem"
security:
  keyFile: "/data/keyfile"
  authorization: enabled
processManagement:
  fork: true

mongod --config "etc/mongod.conf"
mongod -f "etc/mongod.conf"

Lab: Configuration File

conf

net:
  port: 27000
security:
  authorization: "enabled"

start server

mongod -f mongod.conf

create an admin user

mongo admin --host localhost:27000 --eval '
  db.createUser({
    user: "m103-admin",
    pwd: "m103-pass",
    roles: [
      {role: "root", db: "admin"}
    ]
  })
'

File Structure

Don’t modify the files in the db data directory.

  • WiredTiger.lock is the process lock file.
  • *.wt are the collections files.
  • diagnostic.data(used by MongoDB support engineers)
  • journal: recovering data from journal files

List socket file:ls /tmp/mongodb-27017.sock

Basic Commands

Basic Helper Groups

db.<method>() # interact with db
db.collection.<method>()
rs.<method>() # control replica set deployment and management.
sh.<method>() # control sharded deployment and management.

User management


db.createUser()
db.dropUser()

Collection management commands:


db.<collection>.renameCollection()
db.<collection>.createIndex()
db.<collection>.drop()

Database management commands:

db.dropDatabase()
db.createCollection()

Database status command:

db.serverStatus()

Creating index with Database Command:

db.runCommand(
  { "createIndexes": <collection> },
  { "indexes": [
    {
      "key": { "product": 1 }
    },
    { "name": "name_index" }
    ]
  }
)

Creating index with Shell Helper:

db.<collection>.createIndex(
  { "product": 1 },
  { "name": "name_index" }
)

Introspect a Shell Helper:

db.<collection>.createIndex

db.runCommand({<command>})
db.commandHelp("<command>")

Get the logging components:

mongo admin --host 192.168.103.100:27000 -u m103-admin -p m103-pass --eval '
  db.getLogComponents()
'

Change the logging level:

mongo admin --host 192.168.103.100:27000 -u m103-admin -p m103-pass --eval '
  db.setLogLevel(0, "index")
'

View the logs through the Mongo shell:

db.adminCommand({ "getLog": "global" })

View the logs through the command line:

tail -f /data/db/mongod.log

Update a document:

mongo admin --host 192.168.103.100:27000 -u m103-admin -p m103-pass --eval '
  db.products.update( { "sku" : 6902667 }, { $set : { "salePrice" : 39.99} } )
'

Look for instructions in the log file with grep:

grep -i 'update' /data/db/mongod.log

Profiling the Database

Profiling is used to optmize queries. Debugging query.

The database profiler collects detailed information about Database Commands executed against a running mongod instance. This includes CRUD operations as well as configuration and administration commands. The profiler writes all the data it collects to a system.profile collection, a capped collection in each profiled database.

To list all of the collection names you can run this command:

db.runCommand({listCollections: 1})

Get profiling level:

mongo newDB --host 192.168.103.100:27000 -u m103-admin -p m103-pass --authenticationDatabase admin --eval '
  db.getProfilingLevel()
'

Set profiling level:

db.setProfilingLevel(1)

Show collections:

db.getCollectionNames()

Set slowms to 0:

db.setProfilingLevel( 1, { slowms: 0 } )

Insert one document into a new collection:

db.new_collection.insert( { "a": 1 } )

Get profiling data from system.profile:

db.system.profile.find().pretty()

Basic Security: Part 1

Authentication: Who you are? Identify.
Authorization: What you can do? Verify the privileges of a user.

Authentication Mechanisms

  • SCRAM(default)
  • X.509(certificate)

MongoDB Enterprise Only

  • LDAP
  • Kerberos

Cluster Authentication

Course: M310: MongoDB Security

Authorization: Role Based Access Control

  • Each user has one or more roles

  • Each role has one or more privileges

  • A privilege represents a group of Actions and the Resources those actions apply to

  • Administrator(create user/index)

  • Developter(read and write data)

  • Data Scientist(read data only)

Create a admin first Always! Create new user with the root role (also, named root):

use admin

db.createUser({
  user: "root",
  pwd: "root123",
  roles : [ "root" ]
})

Connect to mongod and authenticate as root:

mongo --username root --password root123 --authenticationDatabase admin

db.stats()

Bob@inventory and Bob@sales, which are two different users.

Built-in Roles

  • Database User
  • Database Administrator
  • Cluster Administrator
  • Backup/Restore
  • Super User

Built-In Roles: Part 2

Authenticate as root user:

mongo admin -u root -p root123

Create security officer:

db.createUser(
  { user: "security_officer",
    pwd: "h3ll0th3r3",
    roles: [ { db: "admin", role: "userAdmin" } ]
  }
)

Create database administrator:

db.createUser(
  { user: "dba",
    pwd: "c1lynd3rs",
    roles: [ { db: "admin", role: "dbAdmin" } ]
  }
)

Grant role to user:

db.grantRolesToUser( "dba",  [ { db: "playground", role: "dbOwner"  } ] )

Show role privileges:

db.runCommand( { rolesInfo: { role: "dbOwner", db: "playground" }, showPrivileges: true} )

Lab: Creating First Application User

Problem:

Create a new user for an application that has the readWrite role:

  1. Connect to a mongod instance that is already running in the background on port 27000. You can find the options used to launch mongod in the configuration file in your file editor. The m103-admin user has also already been created for you with password m103-pass.

  2. Use the db.createUser() command to create a user for a CRUD application. The requirements for this new user are:

    • Role: readWrite on applicationData database
    • Authentication source: admin
    • Username: m103-application-user
    • Password: m103-application-pass

  3. Click “Run Tests” to run a suite of tests that will check the configuration of m103-application-user. The results of these tests will let you know which steps you’ve yet to complete.

answer:

mongo --port 27000 admin -u m103-admin -p m103-pass
> use admin
> db.createUser(
    { user: "m103-application-user",
      pwd: "m103-application-pass",
      roles: [ { db: "applicationData", role: "readWrite" } ]
    }
  )

Server Tools Overview

  • mongostat
  • mongodump
  • mongorestore
  • mongoexport
  • mongoimport
ls bin/mongo*

mongostat --port 30000
// or
./bin/mongostat --authenticationDatabase "admin"  -u root -p root123

Create new dbpath and launch mongod:

mkdir -p ~/first_mongod
mongod --port 30000 --dbpath ~/first_mongod --logpath ~/first_mongod/mongodb.log --fork

Use mongostat to get stats on a running mongod process:

mongostat --help
mongostat --port 30000

Use mongodump to get a BSON dump of a MongoDB collection:

mongodump --help
mongodump --port 30000 --db applicationData --collection products
ls dump/applicationData/
cat dump/applicationData/products.metadata.json

Use mongorestore to restore a MongoDB collection from a BSON dump:

mongorestore --drop --port 30000 dump/

Use mongoexport to export a MongoDB collection to JSON or CSV (or stdout!):

mongoexport --help
mongoexport --port 30000 --db applicationData --collection products
mongoexport --port 30000 --db applicationData --collection products -o products.json

Tail the exported JSON file:

tail products.json

Use mongoimport to create a MongoDB collection from a JSON or CSV file:

mongoimport --port 30000 products.json

Lab: Importing a Dataset

Problem:

Import a dataset into MongoDB using mongoimport:

  1. Run a mongoimport command on a MongoDB instance running in the background. The requirements for this command are:
    • connect to a mongod process running on port 27000 import the data from /dataset/products.json
    • import the data to applicationData.products
    • use m103-application-user to authenticate to the database - this user has already been created for you on the admin database with password m103-application-pass
  2. Click “Run Tests” to run a test that will check applicationData.products for the new data. The results of these tests will let you know which steps you’ve yet to complete.

answer

$ mongoimport --authenticationDatabase admin \\
-u "m103-application-user" -p "m103-application-pass" \\
--port 27000 --db applicationData --collection products \\
--file /dataset/products.json