At this point I feel like the most badass devops in my village.
Contents:
- Creating AWS Lightsail Instance
- Setting Up AWS Lightsail Instance
- Firewall
- Static IP
- Setting Up MongoDB
- FirewallD
- Supervisor
- Debugging
- Basic Authentication
- References
1. Creating AWS Lightsail Instance
Make an instance.
For Region, take into account the fact that you will need a Static IP.
If you are new to AWS Lightsail, it is all fine. But if not, choose a region where you have not reached the Static IP limit – AWS typically sets it to 2. New accounts may also have a limit on instances in the same region – I believe it is also set to 2 instances by default.
Some of the regions are more expensive than others, like Mumbai. These regions make sense if you work with other AWS products, like access within the same region, but personally I don’t make use of it.
For OS, I choose CentOS 7. The reason for that is that the original tutorial I found on AWS Lightsail + MongoDB used CentOS 7 and I complied. In this industry you want to follow the instructions.

For the instance plan, for a rather big yet simple project I am using the 8GB RAM option – as MongoDB does not work well on swap, as people say. But the 1GB RAM option is fine too.
2. Setting Up AWS Lightsail Instance
Firewall
The most important thing in this tutorial. It is possible you came across my blog looking for this very tip. I don’t think I have ever seen anybody talking about it. AWS Lightsail Firewall.
Click on the name of your instance.
Go to tab Networking.
In IPv4 Firewall section click Add rule.
Set the port to 27017 – standard MongoDB port.
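You can accept connections from any IP, or restrict the rule to your own local IP or to your server’s IP. Restricting is the safer choice, because until section 7 this MongoDB instance runs without authentication.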
Click Create.

Static IP
In the tab Networking -> IPv4 networking under the Private IP click on Attach static IP. Then Create static IP. Then Create. And click back on the name of the instance.
Good. Now go to tab Connect and click Connect using SSH.
3. Setting Up MongoDB
Then execute these commands. If you need to do your own things, keep in mind – you are not root, you are the centos user – use sudo.
Change this file:
sudo vi /etc/yum.repos.d/mongodb-enterprise.repo
Press i to Insert and insert this text:
[mongodb-enterprise]
name=MongoDB Enterprise Repository
baseurl=https://repo.mongodb.com/yum/redhat/$releasever/mongodb-enterprise/4.0/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
Then install mongodb with this command. You will need to press y twice.
sudo yum install mongodb-enterprise
Then create some directories. Without this Supervisor won’t work even though the manual mongod command will.
sudo mkdir mongodb
sudo chmod -R 777 mongodb
sudo touch mongodb/log
sudo mkdir /mongodb
sudo touch /mongodb/log
Then in the file:
sudo vi /etc/mongod.conf
Comment out this line:
# bindIp: 127.0.0.1
Great. You can go and test this with a command:
/usr/bin/mongod --dbpath mongodb --port 27017 --logpath mongodb/log --logappend --bind_ip_all --fork
If it doesn’t work, go to mongodb/log and check what’s wrong.
sudo tail mongodb/log
If you decided to test at this point, you will need to shut MongoDB down. The easiest way is to list processes with mongod:
ps -aux|grep mongo
And then kill the process that has mongod --dbpath mongodb --port… in it:
sudo kill -9 <PID>
In order to test authentication and overall play with MongoDB like you can with PostgreSQL using PgAdmin, use Robo 3T.
Or on your server or computer use this command:
nc -zv <HOST> 27017
If it works, you will see:
Connection to <HOST> 27017 port [tcp/*] succeeded!
4. FirewallD
Install it:
sudo yum install firewalld
sudo systemctl start firewalld
sudo systemctl status firewalld -l
Then add your <IP_ADDRESS>:
sudo firewall-cmd --permanent --zone=public --add-rich-rule='
rule family="ipv4"
source address="<IP_ADDRESS>"
port protocol="tcp" port="27017" accept'
And reload:
sudo firewall-cmd --reload
5. Supervisor
Now to the crazy part. You will need to press y once:
sudo yum update -y
sudo yum install epel-release
And update again (press y twice)
sudo yum update
Then install:
sudo yum -y install supervisor
Run and check it:
sudo systemctl start supervisord
sudo systemctl enable supervisord
sudo systemctl status supervisord
Good. Now let’s add mongod program to the bottom of /etc/supervisord.conf file:
sudo vi /etc/supervisord.conf
Press i to go to insert mode:
[program:mongod]
command=/usr/bin/mongod --dbpath mongodb --port 27017 --logpath mongodb/log --logappend --bind_ip_all
autorestart=true
startsecs=3
startretries=3
user=root
stdout_logfile = /home/mongod.log
See, it is not ideal in 2 ways. I don’t deny it and I encourage you to do better. Maybe I will come back and do better myself. But right now? I am so tired of this. Just be careful:
1) Don’t use root as your user;
2) The log file /home/mongod.log is not pretty either.
Now let’s reload supervisor:
sudo systemctl stop supervisord
sudo systemctl start supervisord
And see how mongod is doing:
sudo supervisorctl status mongod
You should see:
mongod RUNNING pid 12852, uptime 0:00:35
If you do, congrats.
6. Debugging
If something is wrong, go check out logs:
Supervisor logs:
sudo tail /var/log/supervisor/supervisord.log
Or mongod program logs:
sudo tail /home/mongod.log
Or mongodb logs:
sudo tail mongodb/log
These will help you 100%. Or go and check if you forgot to do something I described in the tutorial.
7. Basic Authentication
At this point we have 2 firewalls securing your data – AWS Lightsail and FirewallD in CentOS.
If you want to use Basic authentication too, follow this section.
Connect to mongodb from a machine that can connect to your remote MongoDB server.
mongo --host <HOST> --port 27017
Then go to admin database:
use admin
And create a user. Please change the password:
db.createUser(
  {
    user: "superuser",
    pwd: "CHANGE_THIS!!!!!!!!!!!!!!",
    roles: [ "root" ],
    mechanisms: [
      "SCRAM-SHA-1"
    ]
  }
)
If show users lists your new user, all is fine.
Now go back to your LightSail instance and modify the Supervisor configuration file:
[program:mongod]
command=/usr/bin/mongod --dbpath mongodb --port 27017 --logpath mongodb/log --logappend --bind_ip_all --auth
autorestart=true
startsecs=3
startretries=3
user=root
stdout_logfile = /home/mongod.log
Just add --auth to the command.
Don’t forget to reload supervisor and see if mongod still runs:
sudo systemctl stop supervisord
sudo systemctl start supervisord
sudo supervisorctl status mongod
Now you can only do things with your MongoDB with a username/password. You can still connect to the server on port 27017, but you can’t do things.
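The caveats from section 5 (root user, paths) and the --auth change above can be turned into a check to run against /etc/supervisord.conf. This is an added example, not part of the original tutorial; the function name audit_mongod_stanza, the finding labels and the constructed [supervisord] header in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint the [program:mongod] stanza
# of a supervisord config. Prints one finding per line; returns 1 if there are
# findings, 2 if the stanza is missing, 0 if it is clean.
audit_mongod_stanza() {
    # Keep only the lines that belong to [program:mongod].
    stanza=$(awk '/^\[program:mongod\]/{on=1; next} /^\[/{on=0} on' "$1")
    cmd=$(printf '%s\n' "$stanza" | sed -n 's/^command[[:space:]]*=[[:space:]]*//p')
    user=$(printf '%s\n' "$stanza" | sed -n 's/^user[[:space:]]*=[[:space:]]*//p')
    [ -n "$cmd" ] || { echo "NO_MONGOD_STANZA"; return 2; }
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    # With no user= line the program inherits supervisord's user, normally root.
    case "$user" in ''|root) report "RUNS_AS_ROOT" ;; esac
    # Without --auth, anyone who can reach the port can read and write data.
    case " $cmd " in *" --auth "*) ;; *) report "NO_AUTH" ;; esac
    # Listening on every interface leaves the firewalls as the only network limit.
    case " $cmd " in *" --bind_ip_all "*) report "BINDS_ALL_INTERFACES" ;; esac
    # Relative paths resolve against supervisord's working directory.
    for opt in --dbpath --logpath; do
        val=$(printf '%s\n' "$cmd" |
            sed -n "s/.*${opt}[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p")
        case "$val" in ''|/*) ;; *) report "RELATIVE_PATH $opt=$val" ;; esac
    done
    [ "$findings" -eq 0 ]
}

# Sample input: the stanza from section 5, under a constructed [supervisord] header.
sample_conf() {
    cat <<'EOF'
[supervisord]
logfile=/var/log/supervisor/supervisord.log

[program:mongod]
command=/usr/bin/mongod --dbpath mongodb --port 27017 --logpath mongodb/log --logappend --bind_ip_all
autorestart=true
startsecs=3
startretries=3
user=root
stdout_logfile = /home/mongod.log
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_mongod_stanza "$tmp" || echo "=> stanza needs attention"
rm -f "$tmp"
```

On the instance, call audit_mongod_stanza /etc/supervisord.conf after each edit; a clean stanza prints nothing and returns 0.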
8. References
https://stackoverflow.com/a/66292131
https://kb.objectrocket.com/mongo-db/how-to-install-mongodb-on-aws-lightsail-part-1-317
https://kb.objectrocket.com/mongo-db/how-to-install-mongodb-on-aws-lightsail-part-2-319
https://docs.mongodb.com/guides/server/auth/
https://stackoverflow.com/a/23848209
https://cloudwafer.com/blog/how-to-install-and-configure-supervisor-on-centos-7/