@shutej
Last active August 29, 2015 14:13
# Upstart job for the Dvara TLS proxy; installed as /etc/init/dvara.conf by fabfile.py.
start on runlevel [2345]
respawn
script
  # The $(ls -1 ...) substitutions assume exactly one .key and one .crt under /dvara.
  /dvara/dvara \
    --port_start=28000 \
    --port_end=28020 \
    --addrs=127.0.0.1:27000 \
    --key_file=$(ls -1 /dvara/*.key) \
    --cert_file=$(ls -1 /dvara/*.crt) \
    --username=dvara \
    --password=$(cat /dvara/password.txt) \
    >> /dvara/stdout.txt \
    2>> /dvara/stderr.txt
end script
# -*- python -*-
import glob
from fabric.api import *
__author__ = "Jeremy Shute <shutej@gmail.com>"
"""This sets up Dvara (a MongoDB proxy capable of supporting TLS) on MMS hosts.

Your AWS Security Group should differ from those suggested by MMS. The
unsecured port(s) should only be accessible from the instances in your security
group, and external traffic should be routed to the proxied ports 28000 - 28020,
which will be proxied through to your Mongo ports via the private network.

    SSH             TCP 22            0.0.0.0/0
    Custom TCP Rule TCP 27000 - 27020 sg-deadbeef (your-mms-mongodb-security-group)
    Custom TCP Rule TCP 28000 - 28020 0.0.0.0/0

Dvara will SSL-encrypt traffic for you. You "install" and "start" it once.
Thereafter, Upstart will restart the daemon on reboot. You will also have to
point DNS records to your MMS nodes running Dvara. Each proxy will discover
(and connect to) the remaining replicas via their port 27000 interface.

Your local directory should resemble the following. Note the permissions!

    -rw-r--r--  1 j  staff   345 Jan 17 14:47 dvara.conf
    -rw-r--r--  1 j  staff  2937 Jan 17 15:41 fabfile.py
    -r--------@ 1 j  staff  1679 Jan 16 13:02 mms_key.pem
    -r--------@ 1 j  staff    29 Jan 17 11:56 password.txt
    -r--------@ 1 j  staff  1834 Jan 17 11:33 ssl.crt
    -r--------@ 1 j  staff  1675 Jan 17 11:33 ssl.key

The mms_key.pem file is the AWS SSH key used to connect to the instances MMS is
controlling. It can be found in the MMS interface under "Administration"
and "AWS Settings".

The password.txt file is the MongoDB password given to the "dvara" user. When
configuring MMS, turn on "Authentication & Users" and add a "dvara@admin" user.
Inherit permissions from the "clusterMonitor@admin" account. This account is
used by Dvara to connect to your cluster and determine where all the other
replicas are in the replica set.

Finally, when you invoke Fabric, pass a comma-separated list of hosts via the --hosts flag:

    fab --hosts=$(echo mms-mongodb-{1,2,3}.mygroup.9999.mongodbdns.com | tr ' ' ',') install

The MMS management console should continue to work as normal and external Mongo
drivers will simply act as if they're connecting to an SSL-enabled instance.
"""

# SSH as the MMS-managed user with the AWS key downloaded from MMS.
env.user = "mms-user"
env.key_filename = "mms_key.pem"

# Prebuilt linux_amd64 Dvara binary.
_DVARA_URL = "https://drone.io/github.com/shutej/dvara/files/dist/linux_amd64/dvara"

# Files shipped to every host: the Upstart job, the Mongo password, and the
# TLS certificate/key pair (one of each is expected, see dvara.conf).
_PATHS = ["password.txt", "dvara.conf"]
_PATHS.extend(glob.glob("*.crt"))
_PATHS.extend(glob.glob("*.key"))


def install():
    # Stage everything under ~/dvara as the unprivileged user first.
    run("mkdir -p dvara")
    # %r quotes the URL for the remote shell.
    run("curl -L %r > dvara/dvara && chmod 750 dvara/dvara" % _DVARA_URL)
    for path in _PATHS:
        # mirror_local_mode keeps the local 0400 modes on the secrets.
        put(local_path=path, remote_path="dvara/", mirror_local_mode=True)
    # Hand the tree to root, replace any previous /dvara, and register the
    # Upstart job by moving dvara.conf into /etc/init.
    sudo("chown -R root:root dvara && rm -rf /dvara && mv dvara /dvara && mv /{dvara,etc/init}/dvara.conf")


def start():
    sudo("start dvara")


def stop():
    sudo("stop dvara")


def status():
    sudo("status dvara")


def restart():
    sudo("restart dvara")


def logs():
    run("tail /dvara/stderr.txt")
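The docstring's "Note the permissions!" and the `$(ls -1 /dvara/*.key)` substitution in dvara.conf are two things that fail silently if the local directory is not quite right: `put(..., mirror_local_mode=True)` copies whatever mode the secrets have, and the `ls` glob expands to several arguments if more than one key or certificate is present. The following pre-flight check is an added example, not code from the gist: it walks a local directory, reports secrets that are group- or world-readable, confirms there is exactly one `.crt` and one `.key`, and confirms `password.txt` and `dvara.conf` exist. The function name `preflight` and the `SECRET_SUFFIXES` tuple are my own choices.

```python
import glob
import os
import stat

# Files treated as secrets (the gist's mms_key.pem, ssl.key and password.txt).
# Tuple and function names below are this example's own, not the gist's.
SECRET_SUFFIXES = (".pem", ".key", "password.txt")


def _is_private(mode):
    """True when neither group nor others have any permission bit set."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def preflight(directory):
    """Return a list of problems with the deployment directory; [] means OK.

    Mirrors what `fab install` would ship: secrets must be 0400-style private,
    the *.crt / *.key globs used by dvara.conf must match exactly one file
    each, and password.txt plus dvara.conf must be present.
    """
    problems = []

    # 1. Secret files must not be readable by group or others, because
    #    put(..., mirror_local_mode=True) preserves these modes on the host.
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if name.endswith(SECRET_SUFFIXES) and not _is_private(mode):
            problems.append(
                "%s is mode %o; expected 0400 (no group/other access)" % (name, mode))

    # 2. dvara.conf passes $(ls -1 /dvara/*.key) and *.crt as single flag
    #    values, so more (or fewer) than one match breaks the daemon start.
    for pattern in ("*.crt", "*.key"):
        matches = glob.glob(os.path.join(directory, pattern))
        if len(matches) != 1:
            problems.append(
                "expected exactly one %s file, found %d; the $(ls -1 /dvara/%s) "
                "substitution in dvara.conf needs exactly one"
                % (pattern, len(matches), pattern))

    # 3. The two non-glob entries of _PATHS must exist or put() will fail.
    for required in ("password.txt", "dvara.conf"):
        if not os.path.isfile(os.path.join(directory, required)):
            problems.append("missing required file %s" % required)

    return problems


if __name__ == "__main__":
    # Run from the directory that holds fabfile.py, e.g. `python preflight.py .`
    import sys
    for line in preflight(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```

Running it from the deployment directory before `fab ... install` prints one line per problem and nothing when the layout matches the listing in the docstring. The check looks only at mode bits, not at who the owner is, so run it as the user who will invoke Fabric.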