An example of setting up MongoDB with private (authenticated) access over the Internet. This article shows how to deploy a three-member Replica Set on one server and enable the OpLog. The OpLog is needed by "reactive" applications that watch (listen for) changes in MongoDB, for example Meteor-based applications (to disable long-polling).
Although the example below is focused on working within one server, for stability we recommend deploying each Replica Set member on a separate server. To do this, change the addresses of the Replica Set members passed to the rs.initiate({/*...*/}) method.
The Replica Set members are configured with wiredTiger as the storage engine; the benefits of this engine are described in the release notes.
Definitions:
- `admin` user - a user with full rights (`root`) to all MongoDB functions and commands;
- `appUser` - a user with limited read and write rights (`readWrite`) on the application database only;
- `appDB` - the database used by the application;
- `oplogger` user - a user with read rights (`read`) on the `local` database, the database in which the OpLog is stored;
- `oplogger` role - the read-permission role (`read`) on the `local` database;
- `<password>` - a placeholder that must be replaced with a password, always quoted in double quotes.

Examples are given for MongoDB >= 3.1 and Debian >= 7.
The `mongodb` system user, belonging to the `mongodb` group, is created automatically when MongoDB is installed. Create the data and log directories for the three members and make them owned by that user:

```sh
$ mkdir -p /data/mongos/one /data/mongos/two /data/mongos/three
$ chmod 755 /data
$ chown -R mongodb:mongodb /data/mongos
$ mkdir -p /var/log/mongodb/one /var/log/mongodb/two /var/log/mongodb/three
$ chown -R mongodb:mongodb /var/log/mongodb
```
Remove the default `mongod` init service, since the three members will be started from cron instead:

```sh
$ rm /etc/init.d/mongod
```
Configuration of the first member (`nano /etc/mongod-one.conf`):

```yaml
storage:
  dbPath: /data/mongos/one
  journal:
    enabled: true
  engine: wiredTiger
systemLog:
  verbosity: 0
  traceAllExceptions: false
  destination: file
  logAppend: true
  path: /var/log/mongodb/one/mongod.log
net:
  port: 27017
  bindIp: 0.0.0.0
operationProfiling:
  slowOpThresholdMs: 2100
  mode: off
replication:
  replSetName: rs0
```

Configuration of the second member (`nano /etc/mongod-two.conf`):

```yaml
storage:
  dbPath: /data/mongos/two
  journal:
    enabled: true
  engine: wiredTiger
systemLog:
  verbosity: 0
  traceAllExceptions: false
  destination: file
  logAppend: true
  path: /var/log/mongodb/two/mongod.log
net:
  port: 27018
  bindIp: 0.0.0.0
operationProfiling:
  slowOpThresholdMs: 2100
  mode: off
replication:
  replSetName: rs0
```

Configuration of the third member (`nano /etc/mongod-three.conf`):

```yaml
storage:
  dbPath: /data/mongos/three
  journal:
    enabled: true
  engine: wiredTiger
systemLog:
  verbosity: 0
  traceAllExceptions: false
  destination: file
  logAppend: true
  path: /var/log/mongodb/three/mongod.log
net:
  port: 27019
  bindIp: 0.0.0.0
operationProfiling:
  slowOpThresholdMs: 2100
  mode: off
replication:
  replSetName: rs0
```
Generate the key file that the members use to authenticate to each other, and restrict it to the `mongodb` user:

```sh
$ openssl rand -base64 741 > /data/mongos/key
$ chown mongodb:mongodb /data/mongos/key
$ chmod 400 /data/mongos/key
```
Add the start-up of the three members to the crontab of the `mongodb` user (`crontab -u mongodb -e`):

```
@reboot /usr/bin/mongod --config /etc/mongod-one.conf --fork
@reboot /usr/bin/mongod --config /etc/mongod-two.conf --fork
@reboot /usr/bin/mongod --config /etc/mongod-three.conf --fork
```
Initiate the Replica Set:

```js
// Mongo Shell:
$ mongo
var conf = {
  "_id" : "rs0",
  "members" : [
    { "_id" : 0, "host" : "127.0.0.1:27017" },
    { "_id" : 1, "host" : "127.0.0.1:27018" },
    { "_id" : 2, "host" : "127.0.0.1:27019" }
  ]
}
rs.initiate(conf)
```
Create the `admin` user with `root` rights (make sure you enter the commands on the PRIMARY member of the Replica Set):

```js
// Mongo Shell:
$ mongo --port 27017
use admin
db.createUser({user:"admin", pwd:<password>, roles:[{role:"root", db:"admin"}]})
```
Add the `--auth` flag to the crontab entries (`crontab -u mongodb -e`); this closes MongoDB to unauthenticated access (read the MongoDB security article for reliable protection):

```
@reboot /usr/bin/mongod --config /etc/mongod-one.conf --auth --fork
@reboot /usr/bin/mongod --config /etc/mongod-two.conf --auth --fork
@reboot /usr/bin/mongod --config /etc/mongod-three.conf --auth --fork
```
Add the key file to the configuration of each member (`nano /etc/mongod-one.conf`, `nano /etc/mongod-two.conf`, `nano /etc/mongod-three.conf`):

```yaml
security:
  keyFile: /data/mongos/key
```
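An added example (not from the article) that checks config files like those above for the two settings that matter once a member is bound to 0.0.0.0: authentication (the `--auth` flag used in the crontab lines, or the equivalent `security.authorization: enabled`; a configured `security.keyFile` also turns authorization on) and the key file itself. It runs under Node.js, handles only the indentation-based YAML subset these configs use, and the sample config text is constructed for the example. Note that changes to the config files and crontab take effect only after the mongod processes are restarted.

```javascript
// Added example, not code from the original article.
// Audits mongod config files of the kind shown above for settings that would
// leave a replica-set member reachable over the Internet without authentication.

// Flatten "a:\n  b: c" style YAML into { 'a.b': 'c' }. Only the subset used by
// the article's configs is handled (no lists, anchors or multi-line values).
function flattenConfig(text) {
  const out = {};
  const stack = []; // entries: { indent, key }
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trimEnd();
    if (!line.trim()) continue;
    const indent = line.length - line.trimStart().length;
    const m = /^([A-Za-z0-9_]+):\s*(.*)$/.exec(line.trim());
    if (!m) continue;
    // Pop keys that are at the same or deeper indentation than this line.
    while (stack.length && stack[stack.length - 1].indent >= indent) stack.pop();
    stack.push({ indent, key: m[1] });
    if (m[2] !== '') out[stack.map(s => s.key).join('.')] = m[2];
  }
  return out;
}

// Returns a list of findings; an empty list means the config passed.
// `authFlag` states whether mongod is started with --auth (as in the crontab
// lines); security.authorization: enabled in the file is equivalent, and a
// security.keyFile also enables client authorization.
function auditMongodConfig(text, { authFlag = false } = {}) {
  const cfg = flattenConfig(text);
  const findings = [];
  const bindIp = cfg['net.bindIp'] || '127.0.0.1';
  const exposed = bindIp.split(',').some(ip => ip.trim() === '0.0.0.0');
  const authEnabled =
    authFlag || cfg['security.authorization'] === 'enabled' || Boolean(cfg['security.keyFile']);
  if (exposed && !authEnabled) {
    findings.push('net.bindIp is 0.0.0.0 but authentication is not enabled (--auth or security.authorization: enabled)');
  }
  if (cfg['replication.replSetName'] && !cfg['security.keyFile']) {
    findings.push('replica set member has no security.keyFile, so members cannot authenticate to each other');
  }
  return findings;
}

// Constructed sample configs for this example, modelled on the first member's
// config: before and after adding the security section.
const SAMPLE_OPEN = [
  'storage:',
  '  dbPath: /data/mongos/one',
  '  journal:',
  '    enabled: true',
  '  engine: wiredTiger',
  'net:',
  '  port: 27017',
  '  bindIp: 0.0.0.0',
  'replication:',
  '  replSetName: rs0',
].join('\n');
const SAMPLE_HARDENED = SAMPLE_OPEN + '\nsecurity:\n  keyFile: /data/mongos/key\n';

console.log('open config   :', auditMongodConfig(SAMPLE_OPEN));
console.log('with --auth   :', auditMongodConfig(SAMPLE_OPEN, { authFlag: true }));
console.log('with keyFile  :', auditMongodConfig(SAMPLE_HARDENED));
```

To use it on real files, read each of the three config files with `fs.readFileSync` and pass the text to `auditMongodConfig`, with `authFlag: true` if the crontab line carries `--auth`.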
Create the `appUser` user with `readWrite` rights on the application database (use this user to access MongoDB from the code of your application):

```js
// Mongo Shell:
$ mongo -u "admin" -p <password> --authenticationDatabase "admin"
use admin
db.createUser({user:"appUser", pwd:<password>, roles:[{role:"readWrite", db:"appDB"}]})
```
Create the `oplogger` role:

```js
// Mongo Shell:
$ mongo -u "admin" -p <password> --authenticationDatabase "admin"
use admin
db.runCommand({createRole:"oplogger", privileges:[{resource: {db:"local", collection:"system.replset"}, actions: ["find"]}], roles:[{role:"read", db:"local"}]})
```
Create the `oplogger` user and assign the `oplogger` role to it:

```js
// Mongo Shell:
$ mongo -u "admin" -p <password> --authenticationDatabase "admin"
use admin
// MongoDB 2.4
db.createUser({user:"oplogger", pwd:<password>, roles:[], otherDBRoles:{local:["read"]}})
// MongoDB >= 2.6
db.createUser({user:"oplogger", pwd:<password>, roles:[{role: "read", db: "local"}]})
db.runCommand({grantRolesToUser:"oplogger", roles:["oplogger"]})
```
Check the list of users:

```js
// Mongo Shell:
$ mongo -u "admin" -p <password> --authenticationDatabase "admin"
use admin
show users
```
From now on, MongoDB is available at the public IP address of the server (machine), as well as on the loopback address (localhost).
Connection strings:

```
mongodb://appUser:<password>@<PUBLIC_IP>:27017,<PUBLIC_IP>:27018,<PUBLIC_IP>:27019/appDB?authSource=admin&replicaSet=rs0
mongodb://oplogger:<password>@<PUBLIC_IP>:27017,<PUBLIC_IP>:27018,<PUBLIC_IP>:27019/local?authSource=admin&replicaSet=rs0
```
Starting from mongodb@2.2.0 (the Node.js driver), you must use the same IP address or domain name in the connection string as in the Replica Set configuration; see bug NODE-746. When they differ, this change in the driver produces the errors `no valid replicaset members found` and `no primary found in replicaset`.
To meet the new requirement, assign a domain name to the host (server) where MongoDB is located; a sub-domain also works. Suppose we chose the domain `mongo.example.com`.
On the MongoDB server, do:

```js
// Mongo Shell:
$ mongo
var rsconf = rs.conf();
rsconf.members[0].host = 'mongo.example.com:27017';
rsconf.members[1].host = 'mongo.example.com:27018';
rsconf.members[2].host = 'mongo.example.com:27019';
rs.reconfig(rsconf);
```
Update the database connection strings:

```
mongodb://appUser:<password>@mongo.example.com:27017,mongo.example.com:27018,mongo.example.com:27019/appDB?authSource=admin&replicaSet=rs0
mongodb://oplogger:<password>@mongo.example.com:27017,mongo.example.com:27018,mongo.example.com:27019/local?authSource=admin&replicaSet=rs0
```
Source: https://habr.com/ru/post/305380/