Mongo SSL
常用操作
1、登录
#登录
mongo --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host localhost
#有账户
mongo --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host localhost -uadmin -p
2、创建用户
use admin;
db.createUser({user: 'admin', pwd: '123456', roles: [{role: 'root', db: 'admin'}]});#mongodb每个数据库独立,需要进入每个数据库中创建用户,即使用户相同
#普通用户
use admin;
db.createUser({user: 'safettice', pwd: '123456', roles: [{role: 'readWrite', db: ' db1'}, {role: 'readWrite', db: ' db2'}, {role: 'readWrite', db: ' db3'}]});
use db1;
db.createUser({user: 'safettice', pwd: '123456', roles: [{role: 'readWrite', db: ' db1'}, {role: 'readWrite', db: ' db2'}, {role: 'readWrite', db: ' db3'}]});
use db2;
db.createUser({user: 'safettice', pwd: '123456', roles: [{role: 'readWrite', db: ' db1'}, {role: 'readWrite', db: ' db2'}, {role: 'readWrite', db: ' db3'}]});
use db3;
db.createUser({user: 'safettice', pwd: '123456', roles: [{role: 'readWrite', db: ' db1'}, {role: 'readWrite', db: ' db2'}, {role: 'readWrite', db: ' db3'}]});
#只读账户
use db1;
db.createUser({user:"read",pwd:"read",roles: [{role: 'read', db: 'db1'}, {role: 'read', db: 'db2'}, {role: 'read', db: 'db3'}]})
3、导入导出
#导入
mongorestore --authenticationDatabase admin -uadmin -p123456 --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host localhost -d db1 dbDir
#导出
mongodump --authenticationDatabase admin -uadmin -p123456 --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host localhost
生成证书
1、带密码认证的
req.conf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = CH
ST = CQ
L = CQ
O = safettice
OU = server
emailAddress = test.com
CN = mongo
server_v3.ext
(此处写localhost和127.0.0.1就可以了)
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.96.12.102
IP.2 = 192.168.0.1
IP.3 = 127.0.0.1
DNS.1 = localhost
DNS.2 =
DNS.3 = database-mongo
生成ca.pem和server.pem
#1.生成 ca.pem
openssl req -out ca.pem -new -x509 -days 3650 -passout pass:123456 -subj "/C=CH/ST=CQ/L=CQ/O=safettice/OU=ca"
#2.生成server.pem(不能与ca证书信息完全一致,区分证书颁发者,否则报错error 18 at 0 depth lookup:self signed certificate,例如此处修改OU)
openssl genrsa -out server.key 2048
openssl req -new -nodes -out server.csr -keyout server.key -config req.conf
openssl x509 -req -in server.csr -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650 -extfile server_v3.ext -passin pass:123456
cat server.key server.crt > server.pem
# 校验服务器端pem文件
openssl verify -CAfile ca.pem server.pem
#客户端证书可不需要,生成方式可与server一致
2、不带密码认证的
openssl genrsa -out privkey.pem 2048
openssl req -new -x509 -days 3650 -nodes -key privkey.pem -sha256 -out ca.pem -subj "/C=CH/ST=CQ/L=CQ/O=test/OU=ca"
openssl req -new -nodes -out server.csr -keyout server.key -config req.conf
openssl x509 -req -in server.csr -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650 -extfile server_v3.ext
cat server.key server.crt > server.pem
部署
1、k8s容器部署
mongo.yaml
apiVersion: v1
data:
mongo-login: |-
db.createUser({user: 'admin', pwd: '123456', roles: [{role: 'root', db: 'admin'}]});
mongo --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host localhost
mongorestore -uadmin -p --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host 127.0.0.1 -d db1 dbdir --authenticationDatabase admin
kind: ConfigMap
metadata:
name: mongo-login
namespace: mongossl
---
#创建密钥
apiVersion: v1
data:
.dockerconfigjson: xxxxx=
kind: Secret
metadata:
creationTimestamp: null
name: harbor
namespace: mongossl
type: kubernetes.io/dockerconfigjson
---
#创建PVC
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: database-mongo-data-pvc # PVC Name
namespace: mongossl
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi # 数据存储需要的空间
storageClassName: rbd # k8s集群上配置的storage class
---
#创建statefulset
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app: mongo # Pod标签设置
name: database-mongo
namespace: mongossl
spec:
replicas: 1
selector:
matchLabels:
app: mongo # Pod标签设置
serviceName: database-mongo
template:
metadata:
labels:
app: mongo # Pod标签设置
spec:
imagePullSecrets:
- name: harbor
containers:
- command:
- "numactl"
- "--interleave=all"
- "mongod"
- "--wiredTigerCacheSizeGB"
- "0.1"
- "--bind_ip"
- "0.0.0.0"
- "--auth"
- "--sslMode=requireSSL"
- "--sslPEMKeyFile=/data/ssl/server.pem"
- "--sslCAFile=/data/ssl/ca.pem"
- "--sslClusterFile=/data/ssl/server.pem"
image: ges.harbor.in/tools/mongo.4.2.3
imagePullPolicy: Always
name: mongo
ports:
- containerPort: 27017
name: mongo
protocol: TCP
volumeMounts:
- mountPath: /data/db
name: mongo-data
- name: mongo-ssl-volumne
readOnly: true
mountPath: /data/ssl
- name: mongo-login
mountPath: ./
volumes:
- name: mongo-data
persistentVolumeClaim:
claimName: database-mongo-data-pvc #和上面创建的PVC名称一致
- name: mongo-login
configMap:
name: mongo-login
- name: mongo-ssl-volumne
secret:
secretName: mongo-ssl
defaultMode: 256
---
#创建Service
apiVersion: v1
kind: Service
metadata:
name: database-mongo-svc
namespace: mongossl
spec:
ports:
- name: mongo
nodePort: 33333 # 可以通过k8s node ip来访问的端口,根据实际开放端口配置
port: 27017
protocol: TCP
targetPort: 27017
selector:
app: mongo # 通过此标签来关联端口指向的Pod,参考上面的Deployment中的标签配置
type: NodePort # 表示该服务发现为NodePort类型,可以在集群外部通过Node IP访问
2、独立部署
即yum 或者二进制包安装
例:
cat > /etc/yum.repos.d/mongo.repo << EOF
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF
yum install -y mongodb-org
yum install -y mongodb-org-4.0.27 mongodb-org-server-4.0.27 mongodb-org-shell-4.0.27 mongodb-org-mongos-4.0.27 mongodb-org-tools-4.0.27
mkdir -p /var/lib/mongo
mkdir -p /var/log/mongodb
chown -R mongod:mongod /var/lib/mongo
chown -R mongod:mongod /var/log/mongodb
vi mongod.conf
net:
ssl:
mode: requireSSL
PEMKeyFile: /etc/server.pem
CAFile: /etc/ca.pem
allowInvalidHostnames: true
allowInvalidCertificates: true
运行
mongod -f /etc/mongod.conf