Last active August 29, 2015 14:13
Gist shutej/0fe01b131d3a9868b232

dvara.conf
start on runlevel [2345]
respawn
script
  /dvara/dvara \
    --port_start=28000 \
    --port_end=28020 \
    --addrs=127.0.0.1:27000 \
    --key_file=$(ls -1 /dvara/*.key) \
    --cert_file=$(ls -1 /dvara/*.crt) \
    --username=dvara \
    --password=$(cat /dvara/password.txt) \
    >> /dvara/stdout.txt \
    2>> /dvara/stderr.txt
end script
fabfile.py
# -*- python -*-
import glob
from fabric.api import *

__author__ = "Jeremy Shute <shutej@gmail.com>"

"""This sets up Dvara (a MongoDB proxy capable of supporting TLS) on MMS hosts.

Your AWS Security Group should differ from those suggested by MMS. The
unsecured port(s) should only be accessible from the instances in your security
group, and external traffic should be routed to the proxied ports 28000 - 28020
which will be proxied through to your Mongo ports via the private network.

    SSH              TCP  22            0.0.0.0/0
    Custom TCP Rule  TCP  27000 - 27020 sg-deadbeef (your-mms-mongodb-security-group)
    Custom TCP Rule  TCP  28000 - 28020 0.0.0.0/0

Dvara will SSL-encrypt traffic for you. You "install" and "start" it once.
Thereafter, Upstart will restart the daemon on reboot. You will also have to
point DNS records to your MMS nodes running Dvara. Each proxy will discover
(and connect to) the remaining replicas via their port 27000 interface.

Your local directory should resemble the following. Note the permissions!

    -rw-r--r--  1 j  staff   345 Jan 17 14:47 dvara.conf
    -rw-r--r--  1 j  staff  2937 Jan 17 15:41 fabfile.py
    -r--------@ 1 j  staff  1679 Jan 16 13:02 mms_key.pem
    -r--------@ 1 j  staff    29 Jan 17 11:56 password.txt
    -r--------@ 1 j  staff  1834 Jan 17 11:33 ssl.crt
    -r--------@ 1 j  staff  1675 Jan 17 11:33 ssl.key

The mms_key.pem file is the AWS SSH key used to connect to the instances MMS is
controlling. It can be found under the MMS interface under "Administration"
and "AWS Settings".

The password.txt file is the MongoDB password given to the "dvara" user. When
configuring MMS, turn on "Authentication & Users" and add a "dvara@admin" user.
Inherit permissions from the "clusterMonitor@admin" account. This account is
used by Dvara to connect to your cluster and determine where all the other
replicas are in the replica set.

Finally, when you invoke Fabric, pass a comma-separated list of hosts via the --hosts flag:

    fab --hosts=$(echo mms-mongodb-{1,2,3}.mygroup.9999.mongodbdns.com | tr ' ' ',') install

The MMS management console should continue to work as normal and external Mongo
drivers will simply act as if they're connecting to an SSL-enabled instance.
"""

env.user = "mms-user"
env.key_filename = "mms_key.pem"

_DVARA_URL = "https://drone.io/github.com/shutej/dvara/files/dist/linux_amd64/dvara"

# Everything uploaded to the host: the password, the Upstart job, and the TLS pair.
_PATHS = ["password.txt", "dvara.conf"]
_PATHS.extend(glob.glob("*.crt"))
_PATHS.extend(glob.glob("*.key"))


def install():
    run("mkdir -p dvara")
    run("curl -L %r > dvara/dvara && chmod 750 dvara/dvara" % _DVARA_URL)
    for path in _PATHS:
        # mirror_local_mode=True copies the local file mode to the host, which is
        # why the secret files above must already be owner-only locally.
        put(local_path=path, remote_path="dvara/", mirror_local_mode=True)
    # Move the tree to /dvara as root and install the Upstart job into /etc/init.
    sudo("chown -R root:root dvara && rm -rf /dvara && mv dvara /dvara && mv /{dvara,etc/init}/dvara.conf")


def start():
    sudo("start dvara")


def stop():
    sudo("stop dvara")


def status():
    sudo("status dvara")


def restart():
    sudo("restart dvara")


def logs():
    run("tail /dvara/stderr.txt")
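The docstring asks you to check the permissions of the local directory before running `fab install`, and dvara.conf relies on unquoted `$(ls -1 /dvara/*.key)`, `$(ls -1 /dvara/*.crt)` and `$(cat /dvara/password.txt)` substitutions. The following preflight script is an added example, not part of the gist or of the Dvara project: it verifies that the required files exist, that the secret files (password.txt, mms_key.pem and the TLS private key) are owner-only, that exactly one `.key` and one `.crt` file will match the globs, and that the password is a single whitespace-free token. `build_sample_dir` and `demo` create constructed sample layouts in a temporary directory so the check can be exercised offline; the file names and modes mirror the listing in the docstring.

```python
"""Preflight check for the local Dvara deployment directory.

Added example, not part of the gist: before running ``fab install`` it checks
that the working directory matches the layout and permissions the fabfile
docstring asks for, and that the ``$(ls -1 /dvara/*.key)`` / ``*.crt``
substitutions in dvara.conf will resolve to exactly one file each.
"""
import glob
import os
import stat
import tempfile

# Files the fabfile needs locally (mms_key.pem is env.key_filename).
REQUIRED_FILES = ["password.txt", "dvara.conf", "mms_key.pem"]
# Files that must be owner-only: put(..., mirror_local_mode=True) copies the
# local mode onto the host, so a 0644 password file stays 0644 under /dvara.
SECRET_FILES = ["password.txt", "mms_key.pem"]


def check_deploy_dir(directory):
    """Return a list of problems found; an empty list means ready to deploy."""
    problems = []

    for name in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(directory, name)):
            problems.append("missing required file: %s" % name)

    # dvara.conf passes --key_file=$(ls -1 /dvara/*.key) unquoted: zero matches
    # gives an empty argument, several matches give several arguments.
    for pattern in ("*.key", "*.crt"):
        found = glob.glob(os.path.join(directory, pattern))
        if len(found) != 1:
            problems.append("expected exactly one %s file, found %d"
                            % (pattern, len(found)))

    # The TLS private key is secret too; the glob covers however many exist.
    secret_paths = [os.path.join(directory, n) for n in SECRET_FILES]
    secret_paths += glob.glob(os.path.join(directory, "*.key"))
    for path in secret_paths:
        if not os.path.isfile(path):
            continue  # already reported as missing above
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("%s is mode %04o; expected owner-only (0400)"
                            % (os.path.basename(path), mode))

    # --password=$(cat /dvara/password.txt) is also unquoted, so the password
    # must be a single token with no whitespace.
    pw_path = os.path.join(directory, "password.txt")
    if os.path.isfile(pw_path):
        with open(pw_path) as f:
            password = f.read().rstrip("\n")
        if not password or any(c.isspace() for c in password):
            problems.append("password.txt must hold one non-empty token "
                            "without whitespace")
    return problems


def build_sample_dir(root, password_mode=0o400, extra_key=False):
    """Create a constructed deployment layout under root (sample data only)."""
    files = {
        "dvara.conf": ("start on runlevel [2345]\n", 0o644),
        "password.txt": ("constructed-sample-password\n", password_mode),
        "mms_key.pem": ("-----BEGIN CONSTRUCTED KEY-----\n", 0o400),
        "ssl.crt": ("-----BEGIN CONSTRUCTED CERT-----\n", 0o400),
        "ssl.key": ("-----BEGIN CONSTRUCTED KEY-----\n", 0o400),
    }
    if extra_key:
        files["old.key"] = ("-----BEGIN CONSTRUCTED KEY-----\n", 0o400)
    for name, (content, mode) in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write(content)
        os.chmod(path, mode)


def demo():
    """Run the check over a correct layout and over a sloppy one."""
    with tempfile.TemporaryDirectory() as good:
        build_sample_dir(good)
        good_problems = check_deploy_dir(good)
    with tempfile.TemporaryDirectory() as bad:
        build_sample_dir(bad, password_mode=0o644, extra_key=True)
        bad_problems = check_deploy_dir(bad)
    return good_problems, bad_problems


if __name__ == "__main__":
    for label, problems in zip(("good", "bad"), demo()):
        print("%s layout: %s" % (label, problems or "OK"))
```

Run it from the directory holding fabfile.py, or call `check_deploy_dir(".")` at the top of `install()` and abort when the list is non-empty; the sloppy layout in `demo` shows the two findings that matter most, a second `.key` file (which would hand Dvara two `--key_file` arguments) and a group/world-readable password file that `mirror_local_mode` would faithfully reproduce on the host.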