@AugustoCiuffoletti
Last active January 27, 2023 09:04
A MongoDB server in a OpenStack infrastructure

How to create a MongoDB server in an OpenStack infrastructure

This tutorial guides you through the steps needed to set up an Ubuntu 20.04 OpenStack instance running a MongoDB server. The resulting server is open only to hosts inside the infrastructure, and is optionally accessible from the outside using ssh. The database data are hosted in a single OpenStack volume; data replication is not covered here.

The steps are the following:

  • creation of the compute instance
  • creation of the volume
  • linking the volume to the instance
  • install mongodb
  • configure the access to the database
  • configure the firewall for improved security

Creation of the compute instance

The parameters for this step are largely dictated by the required performance.

Before proceeding with the creation of the instance, create a new Security Group in the Network sub-menu of the OpenStack dashboard. The security group enables port 22 (SSH) from any CIDR address (0.0.0.0/0), and port range 27017-27019 (MongoDB) from the security group containing the client application. In this way the MongoDB server is securely jailed inside the OpenStack infrastructure.

Next launch a new instance from the OpenStack dashboard (Launch Instance) from the Instances sub-menu of the Compute menu. This tutorial uses an Ubuntu 20.04 server image running on an instance with m1.small flavor (1VCPU, 2GB RAM) which is useful for development and testing. The instance is associated with the Security Group defined in the previous step. In the Key Pair step load in the new instance a public key of the machine that you will use to configure and access the instance.

You are now ready to launch the instance.

In the menu that appears when you click the down-arrow near the Create snapshot button for the new instance, select Associate floating IP and click the + corresponding to Select an IP address. Mark the Floating-ip pool, define a reference name for the floating IP and note the floating IP that appears in the IP address box, since it will be useful in the next steps.

Creation of the volume

In the Volumes sub-menu of the OpenStack dashboard select Create Volume. Give a Name to your volume and set the desired Size as required by your project.

Linking the volume to the instance

In the Instances sub-menu of the Compute menu of the dashboard, click the down-arrow near the Create snapshot button in the box of the new instance and select Attach volume. In the scroll-down list select the new volume.

Next open a terminal in the instance using the ssh command and the floating IP of the new instance:

$ ssh ubuntu@<floating IP>

Locate the external volume inside the new instance:

$ sudo fdisk -l

Here we assume that the new volume is available on /dev/vdb. Use the fdisk command to create a single Linux partition:

$ sudo fdisk /dev/vdb

(The sequence, please check, is n-p-1-<cr>-<cr>-w)

Format as an ext4 filesystem:

$ sudo mkfs.ext4 /dev/vdb1

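Prepare the mount point for the MongoDB data. The mongodb user and group do not exist until the MongoDB packages are installed in a later step, so create the directory as root (after installation mongod needs it to be owned by mongodb:mongodb):

$ sudo mkdir -p /var/lib/mongodb/

Now find the UUID of the volume (in the form aaaaaaaa-bbbb-cccc-cccc-dddddddddddd), copy it to the clipboard, and have the volume mounted at boot: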

$ lsblk -f | grep vdb1
$ sudo vi /etc/fstab

and add a row in the form:

UUID="aaaaaaaa-bbbb-cccc-cccc-dddddddddddd" /var/lib/mongodb ext4 defaults 0 0

The volume is successfully linked to the instance. Restart the machine and check that the volume is there with:

$ df | grep mongodb

Install mongodb

For this you can safely follow the guide you find here, which turns out to run the following commands:

$ curl -fsSL https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
$ echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
$ sudo apt update
$ sudo apt install mongodb-org

You may need to upgrade the whole system, in case the last command fails. In that case:

$ sudo apt upgrade

which takes some time to complete.

Configure the access to the database

Open an ssh terminal in the instance and use the following commands to launch the server and open a client shell connected to it:

$ sudo systemctl start mongod.service
$ mongo

Create an admin user for your server. Fill in the fields in angle brackets as you prefer:

> use admin
> db.createUser({user: "<AdminUsername>",pwd:"<AdminPassword>",roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})
> exit

Next, open the /etc/mongod.conf file with an editor:

$ sudo vi /etc/mongod.conf

Ensure that the file contains the following:

security:
  authorization: enabled

Then find in the dashboard the internal IP of the instance (it should be in the form 192.168.xxx.yyy, not the floating IP) and copy it into the net clause like this:

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,192.168.xxx.yyy

Now enable the automatic start of the server at boot:

$ sudo systemctl enable mongod.service

Reboot the instance and check the presence of the server:

$ sudo systemctl status mongod.service

and its accessibility (type the password at prompt):

$ mongo 'mongodb://<AdminUsername>@127.0.0.1/?authSource=admin'
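The two settings above (authorization enabled, bindIp limited to loopback and the internal address) can be checked mechanically. This is an added example, not part of the original gist: the function names `conf_value` and `audit_mongod_conf` are hypothetical, and the sample files and the address 192.168.10.5 are constructed.

```shell
# conf_value FILE SECTION KEY: print KEY's value inside top-level SECTION.
# Handles only the flat two-level YAML layout used by /etc/mongod.conf.
conf_value() {
    awk -v sec="$2:" -v key="$3:" '
        /^[^ \t#]/ { cur = $1 }            # an unindented key starts a section
        cur == sec && $1 == key {
            $1 = ""; sub(/#.*/, ""); gsub(/[ \t"]/, ""); print; exit
        }' "$1"
}

# audit_mongod_conf FILE: return 0 only if auth is on and no wildcard bind exists.
audit_mongod_conf() {
    rc=0
    if [ "$(conf_value "$1" security authorization)" != "enabled" ]; then
        echo "FAIL: security.authorization is not enabled"; rc=1
    fi
    if [ "$(conf_value "$1" net bindIpAll)" = "true" ]; then
        echo "FAIL: net.bindIpAll listens on every interface"; rc=1
    fi
    bind=$(conf_value "$1" net bindIp)
    old_ifs=$IFS; IFS=,
    for addr in $bind; do
        case "$addr" in
            0.0.0.0|::) echo "FAIL: bindIp contains wildcard $addr"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return "$rc"
}

# Constructed sample files (192.168.10.5 stands in for the internal IP).
good_conf=$(mktemp); weak_conf=$(mktemp)
cat > "$good_conf" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1,192.168.10.5
security:
  authorization: enabled
EOF
cat > "$weak_conf" <<'EOF'
net:
  bindIp: 0.0.0.0
#security:
#  authorization: enabled
EOF

audit_mongod_conf "$good_conf" && echo "good_conf: OK"
audit_mongod_conf "$weak_conf" || echo "weak_conf: rejected"
```

On the instance, run it as `audit_mongod_conf /etc/mongod.conf` after editing the file and before restarting mongod.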

Configure the firewall for improved security

The following restricts access to the database to the one server that uses its data. Assume that this privileged host has internal IP 192.168.aaa.bbb:

$ sudo ufw allow from 192.168.aaa.bbb to any port 27017
$ sudo ufw allow from 192.168.aaa.bbb to any port 27018
$ sudo ufw allow from 192.168.aaa.bbb to any port 27019

Do not forget to allow access to port 22, or you will be locked out:

$ sudo ufw allow 22/tcp

and permanently enable the Ubuntu firewall:

$ sudo ufw enable
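To confirm that the resulting rule set matches the intent (MongoDB ports reachable only from the privileged host, firewall active), the output of `sudo ufw status` can be checked as below. This is an added example, not part of the original gist: `check_ufw_status` is a hypothetical helper, and the status text and the address 192.168.10.7 are constructed.

```shell
# check_ufw_status ALLOWED_IP: read `ufw status` text on stdin, print findings,
# and return 1 if ufw is inactive or ports 27017-27019 accept another source.
check_ufw_status() {
    awk -v allowed="$1" '
        /^Status:/ { active = ($2 == "active") }
        {
            # Locate the Action column; "(v6)" rows shift the field positions.
            for (i = 2; i < NF; i++) if ($i == "ALLOW") break
            if (i >= NF) next                      # header, blank or non-ALLOW line
            src = ($(i + 1) == "IN") ? $(i + 2) : $(i + 1)   # "status verbose" form
            port = $1; sub(/\/.*/, "", port)       # drop a "/tcp" suffix
            p = port + 0                           # force a numeric comparison
            if (p >= 27017 && p <= 27019 && src != allowed) {
                print "FAIL: port " $1 " allowed from " src; bad = 1
            }
        }
        END {
            if (!active) { print "FAIL: ufw is not active"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed `sudo ufw status` output; 192.168.10.7 stands in for the client host.
good_status='Status: active

To                         Action      From
--                         ------      ----
27017                      ALLOW       192.168.10.7
27018                      ALLOW       192.168.10.7
27019                      ALLOW       192.168.10.7
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'
# The same rules plus a leftover rule that opens MongoDB to every source.
weak_status="$good_status
27017/tcp                  ALLOW       Anywhere"

printf '%s\n' "$good_status" | check_ufw_status 192.168.10.7 && echo "good: OK"
printf '%s\n' "$weak_status" | check_ufw_status 192.168.10.7 || echo "weak: rejected"
```

On the instance, use it as `sudo ufw status | check_ufw_status 192.168.aaa.bbb`.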

Congratulations: your server is now ready for use.

Optionally, you can add the public key of a privileged instance in the .ssh/authorized_keys, and remove the floating IP: this will further protect your instance, which will be accessible only from within the infrastructure. But consider that, if you remove the instance with privileged access, you will lose ssh access to the database instance, which may be impractical.

Testing

From your PC, open a shell on the privileged machine:

$ ssh ubuntu@<floating IP>

and try to access the server:

$ mongo 'mongodb://<AdminUsername>@192.168.xxx.yyy/?authSource=admin'

and add a new user:

> db.createUser({user:"DatabaseUserUsername",pwd:"databaseUserPassword", roles: [{role: "readWrite", db:"databaseName"}]})

etc.
