My thoughts on Slackware, life and everything

HOWTO: install MongoDB on Slackware

Today I am going to show you how to install MongoDB, create a database admin account and enforce basic security.

Why MongoDB when Slackware already has MariaDB? Well, the two are not comparable. MariaDB is a SQL database server, whereas MongoDB is a “NoSQL” database server, aka “Not only SQL“, and its queries – just like its object storage format – are in JSON. The two types of databases have entirely different usage targets.

MongoDB is a ‘general-purpose, document-based database server‘. It has use-cases where it is more powerful than the traditional row/column model of a relational database management system. NoSQL databases, in particular MongoDB, are preferred over RDBMS in Cloud services, Big Data environments and for high-volume web based data processing services. These are typically environments where flexibility is required to handle big amounts of unstructured data and constantly varying schemas. A distributed cluster of MongoDB servers excels at “map-reduce“, the framework invented by Google for condensing large volumes of data into useful aggregated results – the very paradigm that catapulted Google Search into the number one position of search engines shortly after the turn of the millennium.

Again, why then MongoDB? Who cares?
The above preamble is no sales pitch, rather it is meant to give you some background first. This article is actually meant to bridge a previous and a future article here on the blog. In a previous article I wrote about un-googling your browser experience and promised that I would share with you a solution that allows you to sync your browser’s online passwords and bookmarks (and hopefully soon also your browsing history) to an online server that is fully under your control.
In a future article I will document how to setup that sync service, but to that end I need a working MongoDB server first. Creating a ‘mongodb’ package that I was satisfied with, and that is also usable on Slackware 14.2, proved a bit more time-consuming than I expected, but here it is and here we go.

Caveat: since MongoDB 3.4, the developers dropped support for 32-bit platforms. Current version is 4.4.4 and therefore the packages for MongoDB that I provide are for 64-bit Slackware 14.2 and -current only.

  1. Download and install a ‘mongodb’ package for your Slackware: http://www.slackware.com/~alien/slackbuilds/mongodb
    The installation of that package will create a “mongo” user and a “mongo” group on your computer, it will also install a RC script “/etc/rc.d/rc.mongodb” and add a couple of lines to your “/etc/rc.d/rc.local” so that the MongoDB server will be started automatically every time  your computer boots, as long as the “/etc/rc.d/rc.mongodb” script is executable (which it is by default). Also installed is a default configuration file “/etc/mongodb.conf” which is used by the RC script:

    processManagement:
      fork: true
      pidFilePath: "/var/run/mongodb/mongod.pid"
    net:
      bindIp: localhost
      port: 27017
    storage:
      dbPath: /var/lib/mongodb
      journal:
        enabled: true
    systemLog:
      destination: file
      path: "/var/log/mongodb/mongod.log"
      logAppend: true
    cloud:
      monitoring:
        free:
          state: off
    security:
      authorization: disabled
    

    This configures MongoDB to be accessible only at the “127.0.0.1” loopback interface, listen at the MongoDB default TCP port “27017”, and store its databases in “/var/lib/mongodb/”. This MongoDB configuration for Slackware comes out of the box without any form of access control and no authentication. We will fix that below.

  2. Increase the maximum number of open files (1024 by default) by un-commenting the following line in “/etc/login.defs”:
    ULIMIT 2097152
    If you omit this, every connection you make to the server will warn you about it.
  3. Then start the MongoDB server, the first time manually, but next time you boot the computer this will be done automatically. As root, run (‘#’ is the root prompt of course… don’t try to type it):
    # /etc/rc.d/rc.mongodb start
  4. After we have validated that the server is running using the “/etc/rc.d/rc.mongodb status” command, we are now going to enable access control and authentication. The documentation for that, as well as more recommendations on how to secure your database server, is available at: https://docs.mongodb.com/manual/administration/security-checklist/ . Based on that documentation we take the following steps to enable access control and enforce authentication:
    1. Add an administrative account to MongoDB. In this example I will use the name “slackadmin” with a password “slackpass” – change these to something you like better.
      Remember that the server runs without authentication or access control out of the box, so connecting to it will be quite easy, You can start the “mongo” client from any user account, for instance your own regular login account (‘$’ is the Bash shell’s user prompt of course… don’t try to type it). By default, the “mongo” client program will connect to a server on the “localhost” address at port 27017 and since the Slackware package uses these defaults, no commandline parameters are required:
      $ mongo
      connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
      Implicit session: session { "id" : UUID("12345678-1234-1234-1234-123456789012") }
      MongoDB server version: 4.4.4
      Welcome to the MongoDB shell.
      For interactive help, type "help".
      For more comprehensive documentation, see
      https://docs.mongodb.com/
      Questions? Try the MongoDB Developer Community Forums
      https://community.mongodb.com
      >

      At the mongo shell prompt, enter these lines to create the administrative account. Note that in MongoDB, the “admin” database is the default database in which user accounts are created and user access control to the other databases is defined:

      use admin
      db.createUser(
        {
          user: "slackadmin",
          pwd: "slackpass", // or use passwordPrompt(),
          roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
        }
      )
      quit()
      
    2. Now that we have added a user to the ‘admin’ database who has full access, we can stop the server and change its configuration to enforce authentication. As root:
      # /etc/rc.d/rc.mongodb stop

      … and then change “authorization: disabled” to “authorization: enabled” in the file “/etc/mongod.conf”. After that change, start MongoDB again with the RC script and if you then attempt to run the “mongo” client just like that and try to run a command that needs privileges, you’ll get an error:

      $ mongo
      > show roles
      uncaught exception: Error: command rolesInfo requires authentication :

      We will have to login to the server now, in order to do meaningful things. Since we have only one user still, we use that. Note that you will be asked to enter the user’s password after pressing ENTER, and this time we will get better feedback for our “show roles” command:

      $ mongo -u slackadmin -p
      > show roles
      {
      	"role" : "dbAdmin",
      	"db" : "test",
      	"isBuiltin" : true,
      	"roles" : [ ],
      	"inheritedRoles" : [ ]
      }
      {
      	"role" : "dbOwner",
      ... 

      In case you forgot to authenticate when starting the mongo client , i.e. you just executed “mongo“, don’t worry. You can authenticate from within the mongo client shell also:

      $ mongo
      > use admin
      > db.auth("slackadmin", passwordPrompt()) 

      What you do with the database is now up to you. In any case, I will expect that you have a running and pre-configured MongoDB database instance, next time when I write an article about browser sync. Don’t let that limit you! There will probably be other good uses for this article, you just need to go find them now.

Good luck! Eric

7 Comments

  1. Andrew Patrzalek

    Thanks for the intro

  2. Dariusz Brzezinski

    Hi Eric,

    thanks for the interesting introduction. I have noticed that the mongodb package requires python-cheetah3 – but I couldn’t find it in the repository.

    • alienbob

      Hi Dariusz – I forgot to add the packages, but I fixed that and they’ll be coming to the repository soon.
      By the way, python-cheetah3 is only needed when you compile mongodb; it is not needed during run-time.

  3. Dariusz Brzezinski

    Unfortunately after the system reboot the directory /var/run/mongodb does not exist anymore, and the database server refuses to start. So I add some lines to the /etc/rc.d/rc.mongodb script to fix it:

    # Create the pid directory if not exists:
    if [ ! -d /var/run/mongo ]; then
    mkdir -p /var/run/mongodb
    chown ${USR} /var/run/mongodb
    chmod 750 /var/run/mongodb
    fi

    • alienbob

      Yes that’s unfortunate. Adding to the rc script fixes this, but I would do it like this to make it more generic:

      if [ ! -d $(dirname ${PID}) ]; then
      mkdir -p $(dirname ${PID})
      chown ${USR} $(dirname ${PID})
      chmod 750 $(dirname ${PID})
      fi

  4. wirelessmc on LQ

    installing the “mongodb-4.4.4-x86_64-2alien” package did *not* create the user and group “mongo” as your article states. So when I went to start the server immediately indicated it would not because there was no “mongo” user account. I can of course create these myself but not sure why the install didn’t. Is there a recommended user and group id recommended?

    Also my /etc/login.defs had no entry for ULIMIT. I manually added it and gave it the value you stated.

    • alienbob

      Did you already have a user account with UserID of 285 and/or a group with GroupID 285? Then the mongo account will not be created, since the package’s doinst.sh script wants to use that userid:groupid combination. I follow the custom uid/gid agreements as laid out on https://slackbuilds.org/uid_gid.txt .

      ULIMIT is not present in Slackware-current’s PAM-based login.defs. You can indeed simply add it.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© 2024 Alien Pastures

Theme by Anders NorenUp ↑