X.509 인증서를 사용하여 내부 인증이 활성화된 자체 복제 세트를 시작해야 했지만 실패했습니다. 어떤 조언이라도 환영합니다.
데비안 8.2 x64의 MongoDB 3.2 x64.
MongoDB 대학 강좌 "M310: MongoDB Security"에서 나온 문제입니다.
강사:
인증 옵션을 사용하여 서버 구성원을 불러온 다음 rs.initiate를 사용하고 사용자를 생성할 수 있습니다.
다음과 같은 폴더 구조가 있습니다.
~
`-- shared
`-- certs
|-- ca.pem
|-- client.pem
`-- server.pem
내 복제본 세트를 설정하는 다음 bash 스크립트를 만들었습니다.
#!/bin/bash
course="M310"
exercise="HW-1.3"
workingDir="$HOME/${course}-${exercise}"
dbDir="$workingDir/db"
logName="mongodb.log"
ports=(31130 31131 31132)
replSetName="rs1"
host=`hostname -f`
initiateStr="rs.initiate({
_id: '$replSetName',
version: 1,
members: [
{ _id: 0, host: '$host:${ports[0]}' },
{ _id: 1, host: '$host:${ports[1]}' },
{ _id: 2, host: '$host:${ports[2]}' }
]
})"
# create working folder
mkdir -p "$workingDir/"{r0,r1,r2}
# launch mongod's
for ((i=0; i < ${#ports[@]}; i++))
do
mongod --dbpath "$workingDir/r$i" --logpath "$workingDir/r$i/$logName" --port ${ports[$i]} --replSet $replSetName --fork --sslMode requireSSL --sslPEMKeyFile ~/shared/certs/server.pem --sslCAFile ~/shared/certs/ca.pem --auth
sleep 3
done
echo "Initiate replSet"
mongo --port ${ports[0]} --ssl --sslPEMKeyFile ~/shared/certs/client.pem --sslCAFile ~/shared/certs/ca.pem --host $host --eval "$initiateStr"
마지막 명령은 다음 오류를 반환합니다.
MongoDB shell version: 3.2.11
connecting to: database.m310.mongodb.university:31130/test
{
"ok" : 0,
"errmsg" : "replSetInitiate quorum check failed because not all proposed set members responded affirmatively: database.m310.mongodb.university:31131 failed with not authorized on admin to execute command { replSetHeartbeat: \"rs1\", pv: 1, v: 1, from: \"database.m310.mongodb.university:31130\", fromId: 0, checkEmpty: true }, database.m310.mongodb.university:31132 failed with not authorized on admin to execute command { replSetHeartbeat: \"rs1\", pv: 1, v: 1, from: \"database.m310.mongodb.university:31130\", fromId: 0, checkEmpty: true }",
"code" : 74
}
이것은 r0 인스턴스의 mongodb.log 파일입니다.
2017-01-18T15:48:08.498+0300 I CONTROL [initandlisten] MongoDB starting : pid=6091 port=31130 dbpath=/home/enabokov/M310-HW-1.3/r0 64-bit host=database.m310.mongodb.university
2017-01-18T15:48:08.498+0300 I CONTROL [initandlisten] db version v3.2.11
2017-01-18T15:48:08.498+0300 I CONTROL [initandlisten] git version: 009580ad490190ba33d1c6253ebd8d91808923e4
2017-01-18T15:48:08.498+0300 I CONTROL [initandlisten] OpenSSL version: OpenSSL 1.0.1k 8 Jan 2015
2017-01-18T15:48:08.498+0300 I CONTROL [initandlisten] allocator: tcmalloc
2017-01-18T15:48:08.498+0300 I CONTROL [initandlisten] modules: none
2017-01-18T15:48:08.498+0300 I CONTROL [initandlisten] build environment:
2017-01-18T15:48:08.498+0300 I CONTROL [initandlisten] distmod: debian71
2017-01-18T15:48:08.498+0300 I CONTROL [initandlisten] distarch: x86_64
2017-01-18T15:48:08.498+0300 I CONTROL [initandlisten] target_arch: x86_64
2017-01-18T15:48:08.498+0300 I CONTROL [initandlisten] options: { net: { port: 31130, ssl: { CAFile: "/home/enabokov/shared/certs/ca.pem", PEMKeyFile: "/home/enabokov/shared/certs/server.pem", mode: "requireSSL" } }, processManagement: { fork: true }, replication: { replSet: "rs1" }, security: { authorization: "enabled" }, storage: { dbPath: "/home/enabokov/M310-HW-1.3/r0" }, systemLog: { destination: "file", path: "/home/enabokov/M310-HW-1.3/r0/mongodb.log" } }
2017-01-18T15:48:08.536+0300 I STORAGE [initandlisten] wiredtiger_open config: create,cache_size=1G,session_max=20000,eviction=(threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),
2017-01-18T15:48:09.958+0300 I CONTROL [initandlisten]
2017-01-18T15:48:09.958+0300 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2017-01-18T15:48:09.958+0300 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2017-01-18T15:48:09.958+0300 I CONTROL [initandlisten]
2017-01-18T15:48:09.958+0300 I CONTROL [initandlisten] ** WARNING: soft rlimits too low. rlimits set to 7948 processes, 65536 files. Number of processes should be at least 32768 : 0.5 times number of files.
2017-01-18T15:48:09.958+0300 I CONTROL [initandlisten]
2017-01-18T15:48:10.833+0300 I REPL [initandlisten] Did not find local voted for document at startup; NoMatchingDocument: Did not find replica set lastVote document in local.replset.election
2017-01-18T15:48:10.833+0300 I REPL [initandlisten] Did not find local replica set configuration document at startup; NoMatchingDocument: Did not find replica set configuration document in local.system.replset
2017-01-18T15:48:10.834+0300 I FTDC [initandlisten] Initializing full-time diagnostic data capture with directory '/home/enabokov/M310-HW-1.3/r0/diagnostic.data'
2017-01-18T15:48:10.834+0300 I NETWORK [HostnameCanonicalizationWorker] Starting hostname canonicalization worker
2017-01-18T15:48:11.188+0300 I NETWORK [initandlisten] waiting for connections on port 31130 ssl
2017-01-18T15:48:21.914+0300 I NETWORK [initandlisten] connection accepted from 127.0.0.1:56026 #1 (1 connection now open)
2017-01-18T15:48:21.922+0300 I ACCESS [conn1] note: no users configured in admin.system.users, allowing localhost access
2017-01-18T15:48:21.927+0300 I REPL [conn1] replSetInitiate admin command received from client
2017-01-18T15:48:21.947+0300 I REPL [conn1] replSetInitiate config object with 3 members parses ok
2017-01-18T15:48:21.947+0300 I ASIO [NetworkInterfaceASIO-Replication-0] Connecting to database.m310.mongodb.university:31131
2017-01-18T15:48:21.948+0300 I ASIO [NetworkInterfaceASIO-Replication-0] Connecting to database.m310.mongodb.university:31132
2017-01-18T15:48:21.965+0300 I ASIO [NetworkInterfaceASIO-Replication-0] Successfully connected to database.m310.mongodb.university:31131
2017-01-18T15:48:21.966+0300 W REPL [ReplicationExecutor] Got error (Unauthorized: not authorized on admin to execute command { replSetHeartbeat: "rs1", pv: 1, v: 1, from: "database.m310.mongodb.university:31130", fromId: 0, checkEmpty: true }) response on heartbeat request to database.m310.mongodb.university:31131; { ok: 1.0, hbmsg: "" }
2017-01-18T15:48:21.966+0300 I ASIO [NetworkInterfaceASIO-Replication-0] Successfully connected to database.m310.mongodb.university:31132
2017-01-18T15:48:21.967+0300 W REPL [ReplicationExecutor] Got error (Unauthorized: not authorized on admin to execute command { replSetHeartbeat: "rs1", pv: 1, v: 1, from: "database.m310.mongodb.university:31130", fromId: 0, checkEmpty: true }) response on heartbeat request to database.m310.mongodb.university:31132; { ok: 1.0, hbmsg: "" }
2017-01-18T15:48:21.967+0300 E REPL [conn1] replSetInitiate failed; NodeNotFound: replSetInitiate quorum check failed because not all proposed set members responded affirmatively: database.m310.mongodb.university:31131 failed with not authorized on admin to execute command { replSetHeartbeat: "rs1", pv: 1, v: 1, from: "database.m310.mongodb.university:31130", fromId: 0, checkEmpty: true }, database.m310.mongodb.university:31132 failed with not authorized on admin to execute command { replSetHeartbeat: "rs1", pv: 1, v: 1, from: "database.m310.mongodb.university:31130", fromId: 0, checkEmpty: true }
2017-01-18T15:48:21.969+0300 I NETWORK [conn1] end connection 127.0.0.1:56026 (0 connections now open)
--auth 매개변수가 없으면 복제 세트가 성공적으로 시작되지만 문제를 해결하려면 x509 인증을 켜야 합니다.
답변1
replSetHeartbeatMongo 노드는 복제본 세트를 구성하기 위해 연결하려는 노드의 하트비트( )를 얻을 수 없습니다 . 이는 클러스터에서 액세스 제어를 활성화했기 때문입니다.
Mongo 액세스 제어를 활성화할 때 복제본 세트의 노드 간에 내부 인증을 구성해야 합니다.
있다두 개의 다른이를 수행하는 방법:
- 키 파일 사용
- x509 인증 사용(필요에 따라)
위에서 언급한 공식 문서를 따라야 합니다.