Environment preparation
- Install docker and docker-compose.
- In production it is best to deploy the different nodes on different servers, but real-world constraints may mean you can only deploy on a single server. The following deploys the replica set on one server.
Generating the keyFile
- MongoDB uses keyfile authentication: every mongod instance in the replica set uses the contents of the keyfile as the shared password for authenticating the other members. A mongod instance can join the replica set only if it has the correct keyfile.
- The keyFile content must be between 6 and 1024 characters long, and all members of the replica set must have identical keyFile contents.
- One thing to note: on UNIX systems the keyFile must have no group or world permissions (that is, the mode must be of the form X00). On Windows the keyFile permissions are not checked.
- Any method can be used to generate the keyFile. For example, the following uses openssl to generate a complex random string of 1024 characters, then uses chmod to change the file permissions so that only the file owner has read access.
This is the keyFile generation method officially recommended by MongoDB:
# 400 permissions are required for security; otherwise mongod will fail to start
openssl rand -base64 756 > mongodb.key
chmod 400 mongodb.key
- Every replica set member must use the same keyFile.
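As an added example (not from the original post), a small bash script that generates the keyFile exactly as above and then checks the three rules listed here (length, owner-only permissions, identical content on every member) before the compose stack is started. It assumes bash, coreutils and openssl on the host; the file paths are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Assumes bash, coreutils and openssl.

# Generate a keyFile at $1 the way the post recommends, owner-read-only from the start.
gen_keyfile() {
  local path="$1"
  # umask in a subshell so the file is never group/world readable, even briefly
  ( umask 077 && openssl rand -base64 756 > "$path" ) || return 1
  chmod 400 "$path"
}

# Return 0 if $1 satisfies the keyFile rules above, 1 (with a reason on stderr) otherwise:
# file exists, no group/other permission bits (mode X00), and 6..1024 characters of
# content counted without whitespace (base64 output contains newlines, which mongod ignores).
check_keyfile() {
  local path="$1" mode chars
  [ -f "$path" ] || { echo "$path: missing" >&2; return 1; }
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")   # GNU or BSD stat
  case "$mode" in
    *00) ;;
    *) echo "$path: mode $mode grants group/other access, need X00" >&2; return 1 ;;
  esac
  chars=$(tr -d '[:space:]' < "$path" | wc -c | tr -d ' ')
  if [ "$chars" -lt 6 ] || [ "$chars" -gt 1024 ]; then
    echo "$path: $chars characters, need 6..1024" >&2; return 1
  fi
  return 0
}

# Return 0 only if every keyFile given has byte-identical content to the first one,
# which is what the replica set members need before they can authenticate each other.
same_key_everywhere() {
  local first="$1" other
  shift
  for other in "$@"; do
    cmp -s "$first" "$other" || { echo "$other differs from $first" >&2; return 1; }
  done
  return 0
}

# Example use with placeholder paths (one copy per member directory):
# gen_keyfile mongodb.key && cp -p mongodb.key node2/ && cp -p mongodb.key node3/
# check_keyfile mongodb.key && same_key_everywhere mongodb.key node2/mongodb.key node3/mongodb.key
```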
Configuration files
The docker-compose.yml file:
version: '3.1'
services:
  mongodb1:
    image: mongo
    restart: always
    container_name: mongo1
    volumes:
      - ./data/db/mongo1:/data/db
      - ./mongodb.key:/data/mongodb.key
    ports:
      - 27017:27017
    environment:
      MONGO_INITDB_ROOT_USERNAME: ${MONGO_INITDB_ROOT_USERNAME}
      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_INITDB_ROOT_PASSWORD}
    networks:
      - mongoNet
    command: mongod --replSet mongos --keyFile /data/mongodb.key
    entrypoint:
      - bash
      - -c
      - |
        chmod 400 /data/mongodb.key
        chown 999:999 /data/mongodb.key
        exec docker-entrypoint.sh $$@
  mongodb2:
    image: mongo
    restart: always
    container_name: mongo2
    volumes:
      - ./data/db/mongo2:/data/db
      - ./mongodb.key:/data/mongodb.key
    ports:
      - 27018:27017
    environment:
      MONGO_INITDB_ROOT_USERNAME: ${MONGO_INITDB_ROOT_USERNAME}
      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_INITDB_ROOT_PASSWORD}
    networks:
      - mongoNet
    command: mongod --replSet mongos --keyFile /data/mongodb.key
    entrypoint:
      - bash
      - -c
      - |
        chmod 400 /data/mongodb.key
        chown 999:999 /data/mongodb.key
        exec docker-entrypoint.sh $$@
  mongodb3:
    image: mongo
    restart: always
    container_name: mongo3
    volumes:
      - ./data/db/mongo3:/data/db
      - ./mongodb.key:/data/mongodb.key
    ports:
      - 27019:27017
    environment:
      MONGO_INITDB_ROOT_USERNAME: ${MONGO_INITDB_ROOT_USERNAME}
      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_INITDB_ROOT_PASSWORD}
    networks:
      - mongoNet
    command: mongod --replSet mongos --keyFile /data/mongodb.key
    entrypoint:
      - bash
      - -c
      - |
        chmod 400 /data/mongodb.key
        chown 999:999 /data/mongodb.key
        exec docker-entrypoint.sh $$@
networks:
  mongoNet:
    driver: bridge
The .env file, whose main purpose is to initialise the database username and password:
MONGO_INITDB_ROOT_USERNAME=root
MONGO_INITDB_ROOT_PASSWORD=admin
The mongodb.key file is used for authentication between replica set members.
File walkthrough
chown 999:999 /data/mongodb.key
User 999 is the mongod user inside the container; chown changes the file's owner to that user.
mongod --replSet mongos --keyFile /data/mongodb.key
The start command. --replSet mongos starts mongod as a replica set member and names the replica set mongos; --keyFile /data/mongodb.key sets the keyFile used for replica set communication, which is mapped into the container through volumes.
networks
Places the containers on the same network so that they can communicate with each other.
Configuring the replica set
- Change to the directory containing docker-compose.yml and run docker-compose up -d to start the databases; -d starts and runs all the containers in the background.
- Use docker exec -it mongo1 /bin/bash to enter the container for configuration.
- Once inside the container, open the database shell with the mongo command. Because the database username and password were set in the docker-compose configuration, you cannot configure anything without supplying them; viewing the replica set configuration will report that you are not authorized.
biao@centos:~$ docker exec -it mongo1 /bin/bash
root@00aee3c527c3:/# mongo
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("6f8c9ba7-ef16-4caf-8582-a3d1f19c341e") }
MongoDB server version: 4.0.10
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
> rs.status()
{
"ok" : 0,
"errmsg" : "command replSetGetStatus requires authentication",
"code" : 13,
"codeName" : "Unauthorized"
}
- After entering the correct database username and password, the following is displayed:
root@00aee3c527c3:/# mongo -u root -p admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("02d0d226-f23e-41c2-af9f-c34610d93797") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-14T05:58:43.055+0000 I STORAGE [initandlisten]
2019-07-14T05:58:43.055+0000 I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2019-07-14T05:58:43.055+0000 I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).
The monitoring data will be available on a MongoDB website with a unique URL accessible to you
a