Before starting any mongodb administration job, we need to know very well about the system, where MongoDB is going to deploy. For this article I choose very common linux OS Ubuntu. Target readers should not be only for mongodb dba, but also for newcomers in linux, this article may be very basic for linux/Ubuntu SME’s.
Linux Directory Structure
Linux files are ordered in a tree structure, after login do cd / (change directory) this is the root directory which contains other directory and files on the system. This directory is the top of the tree structure, hence it is called root. In this directory you can run another list file command in most human readable output i.e. ls -lh it will bring total directory structure like this.
| Directory | Purpose |
| /etc | Holds system configuration file for the host, you need to be extra cautious while editing around this directory. |
| /home | Contains personal data of user or owner. |
| /var | Files whose value is changing continuously by system operation, called variable file need to store here. |
| /opt | Park your optional software packages. |
| /usr | Directory containing user programs. |
| /tmp | Directory containing temporary files. |
| /root | The root user’s home directory. |
| /media | This directory contains subdirectories where and removable devices are automounted. |
| /usr/bin | This directory contains the essential user binaries (programs) |
| /usr/lib | directory contains libraries needed by the essential binaries |
User and Group
Before starting it, we need to know What is ‘sudo’? Its stand for ‘Superuser do‘, means when you running a command with sudo, actually that command run with root privilege’s. For mongodb deployments, its very important to start mongod or mongos process with mongodb user and group only, using sudo or root is not recommended. Now showing you how to create user and group and verify those stuff after creating it.
sudo adduser mongodb //adding user mongodb needs only sudo permission, this command automatically add an user and group called mongodb
--------------It will return -------
Adding user `mongodb' ...
Adding new group `mongodb' (1003) ...
Adding new user `mongodb' (1003) with group `mongodb' ...
Creating home directory `/home/mongodb' ...
// It will promted for password for the user, complete the full processCheck the newly created user and group
cat /etc/passwd
//this will show newly crated user info
-------This will return like this.------
mongodb:x:1003:1003:,,,:/home/mongod
b:/bin/bash
> cat /etc/group // This will show newly created group
--------this will return like this-------
mongodb:x:1003:
# In this case both user and group has created and both are id 1003
Now you can log in with the new user (mongodb), after login enter id
> id // it wiill return something like this
uid=1003(mongodb) gid=1003(mongodb) groups=1003(mongodb)
User :A user has an account must belong to one primary group. Typically the the user’s primary group is also named after the user account name.
Primary Group :The primary group is created at the same time the user account is created and the user is automatically added to it. File created by the user automatically belongs to the user group. The primary user’s group is stored in the /etc/passwd file and the supplementary groups, if any, are listed in the /etc/group file.
Permission
Mongodb binary files should be given read, write, execute permission over mongodb user name. Here we just get deeper understanding over permission. Permission can be changed with chmod command.
// login with mongodb user name with out sudo
chmod 400 <path-to-the-file>You noticed that 3 digits after chmod 400, now we can explain it, what does it stands for.
The three digits of the chmod code set permissions for these groups in this order:
- Owner (you)
- Group (a group of other users that you set up)
- World (anyone else browsing around on the file system)
Each digit of this code sets permissions for one of these groups as follows. Read is 4. Write is 2. Execute is 1.
The sums of these numbers give combinations of these permissions:
- 0 = no permissions; this user cannot read, write, or execute the file
- 1 = execute only
- 2 = write only
- 3 = write and execute (1+2)
- 4 = read only
- 5 = read and execute (4+1)
- 6 = read and write (4+2)
- 7 = read and write and execute (4+2+1)
| Command | Purpose |
| chmod 700 mongod.yml | Only you can read, write and execute mongod.yml |
| chmod 777 mongod.yml | Everybody can read, write to, or execute mongod.yml |
| chmod 744 mongod.yml | Only you can read, write to, or execute mongod.yml Everybody can read mongod.yml; |
| chmod 444 mongod.yml | You can only read mongod.yml, as everyone else. |
Now you can run
ls -l mongod.yml
-rwxr--r-- 1 mongodb mongodb 84 Sep 14 10:25 mongod.yml-rwxr–r– => Segregate this line 1) – 2) rwx 3)r– 4) r– and explained below.
| – | Denotes, It’s a regular file. |
| rwx | Denotes, owner has read, write, and execute permissions. |
| r- – | Denotes, group permissions are read only. |
| r- – | Denotes, world permissions are read only. |
The first character shows the file type. In our example, the first character is - which indicates a regular file. Values for other file types are as follows:
-– Regular fileb– Block special filec– Character special filed– Directoryl– Symbolic linkn– Network filep– FIFOs– Socke
The permission character can take the following value:
r– Permission to read the filew– Permission to write to the filex– Permission to execute the files– setgid bitt– sticky bit
Ownership
Every file is owned by a specific user and a specific group in Linux. Ownership can be changed using the chown command. We can explain chown command in below mention way.
chown [OPTIONS] USER[:GROUP] FILE(s)
- USER is the user name or user ID of the new owner. GROUP is the name of the new group or the group ID. FILE(s) is the name of one or couple of files, directories or links.
- USER – If only the user is specified, the specified user will become the owner of the given files, the group ownership is not changed.
- USER: – When the username is followed by a colon :, and the group name is not given, the user will become the owner of the files, and the files group ownership is changed to user’s login group.
- USER:GROUP – If both the user and the group are specified (with no space left between them), the user ownership of the files is changed to the given user and the group ownership is changed to the given group.
- :GROUP – If the User is omitted and the group is prefixed with a colon :, only the group ownership of the files is changed to the given group.
- : If only a colon : is given, without specifying the user and the group, no change is made.
By default, on success, chown doesn’t produce any output and returns zero.
// after login to mongodb user you can cange ownership like this
chown mongodb:mongodb mongod.yml // may required sudo and its password if the file is previously owned by root or other user or group
chmod 744 mongod.yml // then giving the permission, user can read write and execute, other ready only
ls -lh // will bring the following out put-rwxr--r-- 1 mongodb mongodb 382 Sep 4 17:33 mongod.yml
| | |
| | |
read,wr,ex -->User ----> GroupRecursively Change the File Ownership and Permission (-R)
We need recursive flag, because of change whole lot of file permission and ownership inside a directory in a single command is necessary. So we can do this followings.
// Changing Ownership with recursive flag, may or may not required sudo, depending upon situation
chown -R USER:GROUP DIRECTORY
// Changing Permission with recursive flag
chmod -R 744 mongod.yml
If the directory contains symbolic link the pass -h option
chown -hR mongodb: /var/www/htmlConclusion
Here, I am using mongod.yml file as an example, please do not relate with any deployments. It is recommended that all mongodb related binaries should have mongodb user and group owned, and 744 permission should be given. For key file authentication use 400 permission, for configuration file use 600 permission for safer side.
Suggestions