-
Notifications
You must be signed in to change notification settings - Fork 242
MongoDB Provisioning
On August 13th, 2019, OpenFarm switched off of our previous MongoDB vendor (Compose) and began self-hosting the database. This was in response to Compose deprecating their MongoDB Heroku addon.
Below are notes for future developers that must perform database maintenance.
- Create an Ubuntu droplet in Digital Ocean
- Using Digital Ocean's firewall service, block all ports except SSH (port 22) and MongoDB (port 3001). We will use the non-standard TCP port of 3001 instead of the MongoDB default.
Start with a fresh Ubuntu 18.04 installation. Run the following commands:
apt-get update
apt-get install -y mongodb
snap install micro --classic # Micro4LyfeVerify Mongo installation:
mongo --eval 'db.runCommand({ connectionStatus: 1 })'
Ensure you see "OK": 1 in the terminal output.
First, the admin account:
use admin
db.createUser({
user: "admin",
pwd: "password123", // Use a real password, please
roles: [{ role: "userAdminAnyDatabase", db: "admin" }]
});Then an account for the Rails app:
use openfarm_production
db.createUser({
user: "openfarm_production",
pwd: "password123", // Use a real password, please
roles: [{ role: "readWrite", db: "openfarm_production" }]
});We need to disallow anonymous database access. We also need to allow the Rails server to connect to the database node.
Overwrite /etc/mongodb.conf with this:
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
port=3001
journal=true
auth=true
bind_ip=0.0.0.0
Ubuntu uses Systemd to keep MongoDB running at all times. We need to change some of those configs. Do a google search for "Systemd unit files" if you are unfamiliar with systemd.
We must add an --auth flag to the ExecStart entry of the MongoDB unit file, usually found at /lib/systemd/system/mongodb.service. Replace the existing ExecStart line with this:
ExecStart=/usr/bin/mongod --auth --unixSocketPrefix=${SOCKETPATH} --config ${CONF} $DAEMON_OPTS
systemctl daemon-reload # Because we changed the unit file
service mongodb restartEnsure you are able to log in with credentials. Run the following commands from a remote machine:
mongo --port 3001 -u "openfarm_admin" -p "password123" --authenticationDatabase "admin"
mongo --port 3001 -u "openfarm_production" -p "password123" --authenticationDatabase "openfarm_production"
Ensure you can't log in without credentials:
# You should not be able to do stuff with this account.
# Commands like `db.foo.insert({bar: "baz"})` should fail.
mongo --port 3001If we are migrating between database nodes, we need to backup the old database. This requires downtime, otherwise records created during the backup will be lost forever and consistency will be lost.
Use the "Maintenance Mode" toggle in Heroku's settings tab to bring the application offline while performing the next steps.
mongodump \
--authenticationDatabase DATABASE_HERE \
-d DATABASE_HERE_TOO \
-h my.database.com:1234 \
-u admin456 \
-p password123 \
--out path/to/latest_dumpmongorestore \
-d database567 \
-h localhost:3001 \
-u admin456 \
-p password123 \
path/to/latest_dump/fooYou will want to create database dumps regularly for emergency planning.
mongodump \
--authenticationDatabase DATABASE_HERE \
-d openfarm_production \
-h my.database.com:1234 \
-u admin456 \
-p password123 \
--out path/to/latest_dumpUse automated tools to find vulns in the instance, such as MongoAudit.
About OpenFarm
Development
- How to Contribute to OpenFarm
- Code of Conduct
- How to Install & Run OpenFarm on an OS X system and on an Ubuntu System
- Troubleshooting Common Issues
- How to Set Up an Amazon S3 Bucket for Use with OpenFarm
- Modular CSS
- The OpenFarm API and API Documentation
- How to Use Docker and Fig
Deployment
Reference