最近由於項目設計中使用了mongodb,具體mongodb的優點我就不多說。這篇文章主要是分享下我通過docker-compose搭建mongodb分片集羣,並實現安全身份認證訪問(mongodb安裝後默認是不需要用戶名和密碼訪問的)。
下面是我配置的docker-compose.yml文件:
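# Stage 1 of the walkthrough: a sharded cluster with authentication still
# disabled. No service below passes --keyFile or --auth, and every mongod and
# mongos port is published on the host, so any client that can reach those
# host ports can read and write without credentials. Keep the host firewalled
# until the authenticated compose file replaces this one.
version: '2'
services:
  shard_server01:
    container_name: shard_server01
    # NOTE(review): the MongoDB 3.6 series is end-of-life upstream; confirm
    # that the version you deploy still receives security fixes.
    image: mongo:3.6
    networks:
      mongo:
        ipv4_address: 192.168.1.11
    ports:
      # Quoted so the mapping is always read as a string.
      - "27018:27018"
    volumes:
      - /data/docker/mongos/data/shard_server01/data/db:/data/db
      - /data/docker/mongos/data/shard_server01/data/configdb:/data/configdb
      - /data/docker/mongos/data/shard_server01/data/backup:/data/backup
      # Both host files must exist before `up`: Docker creates a missing
      # bind-mount source as a directory. mongod.conf is mounted but the
      # command line below does not reference it.
      - /data/docker/mongos/data/mongod.conf:/etc/mongod.conf
      - /data/docker/mongos/data/key.file:/etc/key.file
    command: --shardsvr --bind_ip_all
    restart: always
    # depends_on only orders container start-up; it does not wait for the
    # config servers to accept connections.
    depends_on:
      - rs_config_server01
      - rs_config_server02
    ulimits:
      nofile:
        soft: 300000
        hard: 300000
  shard_server02:
    container_name: shard_server02
    image: mongo:3.6
    networks:
      mongo:
        ipv4_address: 192.168.1.12
    ports:
      - "27028:27018"
    volumes:
      - /data/docker/mongos/data/shard_server02/data/db:/data/db
      - /data/docker/mongos/data/shard_server02/data/configdb:/data/configdb
      - /data/docker/mongos/data/shard_server02/data/backup:/data/backup
      - /data/docker/mongos/data/mongod.conf:/etc/mongod.conf
      - /data/docker/mongos/data/key.file:/etc/key.file
    # Same flags as shard_server01. At this stage no member uses --keyFile or
    # --auth; a single member started with them would demand internal
    # authentication that the other members do not offer.
    command: --shardsvr --bind_ip_all
    restart: always
    depends_on:
      - rs_config_server01
      - rs_config_server02
  # Config server replica set with two members (since MongoDB 3.4 the config
  # servers have to run as a replica set).
  rs_config_server01:
    container_name: rs_config_server01
    image: mongo:3.6
    networks:
      mongo:
        ipv4_address: 192.168.1.13
    ports:
      - "27019:27019"
    volumes:
      - /data/docker/mongos/data/rs_config_server01/data/db:/data/db
      - /data/docker/mongos/data/rs_config_server01/data/configdb:/data/configdb
      - /data/docker/mongos/data/rs_config_server01/data/backup:/data/backup
      - /data/docker/mongos/data/mongod.conf:/etc/mongod.conf
      - /data/docker/mongos/data/key.file:/etc/key.file
    command: --configsvr --replSet "rs_config_server" --bind_ip_all
    restart: always
  rs_config_server02:
    container_name: rs_config_server02
    image: mongo:3.6
    networks:
      mongo:
        ipv4_address: 192.168.1.14
    ports:
      - "27029:27019"
    volumes:
      - /data/docker/mongos/data/rs_config_server02/data/db:/data/db
      - /data/docker/mongos/data/rs_config_server02/data/configdb:/data/configdb
      - /data/docker/mongos/data/rs_config_server02/data/backup:/data/backup
      - /data/docker/mongos/data/mongod.conf:/etc/mongod.conf
      - /data/docker/mongos/data/key.file:/etc/key.file
    command: --configsvr --replSet "rs_config_server" --bind_ip_all
    restart: always
  # mongos query router: the entry point clients connect to.
  mongos:
    container_name: mongos
    networks:
      mongo:
        ipv4_address: 192.168.1.15
    image: mongo:3.6
    ports:
      - "27017:27017"
    volumes:
      - /data/docker/mongos/data/data/db:/data/db
      - /data/docker/mongos/data/data/configdb:/data/configdb
      - /data/docker/mongos/data/data/backup:/data/backup
      - /data/docker/mongos/data/mongod.conf:/etc/mongod.conf
      - /data/docker/mongos/data/key.file:/etc/key.file
    # The image's default entrypoint starts mongod; run mongos instead.
    entrypoint: mongos
    command: --configdb rs_config_server/192.168.1.13:27019,192.168.1.14:27019 --bind_ip_all
    depends_on:
      - shard_server01
      - shard_server02
networks:
  mongo:
    driver: bridge
    ipam:
      config:
        # Network address of the /24 that holds the static IPs above
        # (host bits cleared).
        - subnet: 192.168.1.0/24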
注意:目前還沒有啓用安全身份認證,而且各節點的端口都已映射到宿主機;在完成下文的認證配置之前,任何能連到宿主機這些端口的客戶端都可以不用賬號直接讀寫數據。
使用docker-compose啓動mongo集羣
# Create the bridge network and start the five services in the background.
docker-compose up -d
配置服務器設置(config_server)
# Open a shell inside the first config server container ...
docker exec -it rs_config_server01 /bin/bash
# ... then, from that shell, connect to its mongod on the config-server port.
mongo --host localhost --port 27019
// Replica set definition for the config servers. The _id has to match the
// --replSet name both config mongod processes were started with.
// With two voting members a majority needs both of them, so the set has no
// primary while either member is down.
var configReplSet = {
  _id: "rs_config_server",
  configsvr: true,
  members: [
    { _id: 0, host: "192.168.1.13:27019" },
    { _id: 1, host: "192.168.1.14:27019" }
  ]
};
rs.initiate(configReplSet);
配置路由mongos服務
# Open a shell inside the mongos router container ...
docker exec -it mongos /bin/bash
# ... then, from that shell, connect to the router itself.
mongo --port 27017
將分片集羣添加到mongos中
// Register both shard mongod instances with the cluster, addressed by their
// static IPs on the compose bridge network.
// NOTE(review): the MongoDB 3.6 documentation states that shards must be
// replica sets; these two are added as standalone hosts. Confirm this works
// on the exact image version you run.
sh.addShard("192.168.1.11:27018")
sh.addShard("192.168.1.12:27018")
到目前爲止,mongodb分片集羣已經搭建完畢。但是mongodb默認無需賬戶即可直接訪問。故,若是需要增加賬號和密碼,並強制需要輸入正確的賬戶和密碼才能登陸的話,看下文。
1、創建mongodb的賬戶和密碼
進入mongos路由服務
# The first user is created through the mongos router while authentication
# is still disabled. Open a shell in the router container ...
docker exec -it mongos /bin/bash
# ... then connect to the router from inside it.
mongo --port 27017
切換到admin庫,創建用戶root
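// Work in the admin database, where this administrative user is created.
use admin
// Create the first administrative account. The built-in "root" role is
// all-powerful, so keep this account for administration and create narrower
// users for applications.
// The pwd value is a placeholder: substitute a long, random password before
// running this. The router port (27017) is published on the host, so a
// guessable password here would leave the whole cluster open once
// authentication is enabled.
db.createUser(
  {
    user: "root",
    pwd: "<REPLACE_WITH_A_LONG_RANDOM_PASSWORD>",
    roles: [{ role: "root", db: "admin" }]
  }
)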
2、生成mongo節點之間通訊認證文件(key.file)
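# Generate the shared secret that cluster members use to authenticate to each
# other. Run this in the host directory the compose file mounts it from
# (/data/docker/mongos/data), so the result is /data/docker/mongos/data/key.file.
# If key.file already exists there as a directory (Docker creates a missing
# bind-mount source as a directory), remove that directory first.
# The subshell sets a restrictive umask so a newly created file is never
# readable by group or others, not even before the chmod below.
(umask 077 && openssl rand -base64 741 > key.file)
# Owner-only permissions: a key file that group or others can read is a leaked
# cluster secret.
chmod 600 key.file
# 999 is presumably the uid mongod runs as inside the mongo image; verify
# against the image you use.
chown 999 key.file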
3、將key.file掛載docker容器裏面,啓動命令指定key.file,並增加需要認證(--auth)
增加安全認證之後的docker-compose.yml文件如下
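# Stage 2 of the walkthrough: the same cluster with authentication enabled.
# Every member mounts the same key.file and starts with --keyFile, which
# members use to authenticate to each other; clients now have to log in.
# No TLS options are set, so traffic on the published ports is unencrypted;
# keep these ports off untrusted networks.
version: '2'
services:
  shard_server01:
    container_name: shard_server01
    # NOTE(review): the MongoDB 3.6 series is end-of-life upstream; confirm
    # that the version you deploy still receives security fixes.
    image: mongo:3.6
    networks:
      mongo:
        ipv4_address: 192.168.1.11
    ports:
      # Quoted so the mapping is always read as a string. Cluster members
      # reach each other over the bridge network, so this host mapping only
      # serves direct administrative access to the shard.
      - "27018:27018"
    volumes:
      - /data/docker/mongos/data/shard_server01/data/db:/data/db
      - /data/docker/mongos/data/shard_server01/data/configdb:/data/configdb
      - /data/docker/mongos/data/shard_server01/data/backup:/data/backup
      # mongod.conf is mounted but the command line below does not
      # reference it.
      - /data/docker/mongos/data/mongod.conf:/etc/mongod.conf
      # Shared cluster secret: it must be the same file for every member
      # and readable only by the user mongod runs as.
      - /data/docker/mongos/data/key.file:/etc/key.file
    # On mongod, --keyFile already implies client authorization; --auth is
    # kept to make that explicit.
    command: --shardsvr --keyFile "/etc/key.file" --bind_ip_all --auth
    restart: always
    # depends_on only orders container start-up; it does not wait for the
    # config servers to accept connections.
    depends_on:
      - rs_config_server01
      - rs_config_server02
    ulimits:
      nofile:
        soft: 300000
        hard: 300000
  shard_server02:
    container_name: shard_server02
    image: mongo:3.6
    networks:
      mongo:
        ipv4_address: 192.168.1.12
    ports:
      - "27028:27018"
    volumes:
      - /data/docker/mongos/data/shard_server02/data/db:/data/db
      - /data/docker/mongos/data/shard_server02/data/configdb:/data/configdb
      - /data/docker/mongos/data/shard_server02/data/backup:/data/backup
      - /data/docker/mongos/data/mongod.conf:/etc/mongod.conf
      - /data/docker/mongos/data/key.file:/etc/key.file
    command: --shardsvr --keyFile "/etc/key.file" --bind_ip_all --auth
    restart: always
    depends_on:
      - rs_config_server01
      - rs_config_server02
  # Config server replica set with two members (since MongoDB 3.4 the config
  # servers have to run as a replica set).
  rs_config_server01:
    container_name: rs_config_server01
    image: mongo:3.6
    networks:
      mongo:
        ipv4_address: 192.168.1.13
    ports:
      - "27019:27019"
    volumes:
      - /data/docker/mongos/data/rs_config_server01/data/db:/data/db
      - /data/docker/mongos/data/rs_config_server01/data/configdb:/data/configdb
      - /data/docker/mongos/data/rs_config_server01/data/backup:/data/backup
      - /data/docker/mongos/data/mongod.conf:/etc/mongod.conf
      - /data/docker/mongos/data/key.file:/etc/key.file
    command: --configsvr --keyFile "/etc/key.file" --replSet "rs_config_server" --bind_ip_all --auth
    restart: always
  rs_config_server02:
    container_name: rs_config_server02
    image: mongo:3.6
    networks:
      mongo:
        ipv4_address: 192.168.1.14
    ports:
      - "27029:27019"
    volumes:
      - /data/docker/mongos/data/rs_config_server02/data/db:/data/db
      - /data/docker/mongos/data/rs_config_server02/data/configdb:/data/configdb
      - /data/docker/mongos/data/rs_config_server02/data/backup:/data/backup
      - /data/docker/mongos/data/mongod.conf:/etc/mongod.conf
      - /data/docker/mongos/data/key.file:/etc/key.file
    command: --configsvr --keyFile "/etc/key.file" --replSet "rs_config_server" --bind_ip_all --auth
    restart: always
  # mongos query router: the entry point clients connect to.
  mongos:
    container_name: mongos
    networks:
      mongo:
        ipv4_address: 192.168.1.15
    image: mongo:3.6
    ports:
      - "27017:27017"
    volumes:
      - /data/docker/mongos/data/data/db:/data/db
      - /data/docker/mongos/data/data/configdb:/data/configdb
      - /data/docker/mongos/data/data/backup:/data/backup
      - /data/docker/mongos/data/mongod.conf:/etc/mongod.conf
      - /data/docker/mongos/data/key.file:/etc/key.file
    # The image's default entrypoint starts mongod; run mongos instead.
    entrypoint: mongos
    # NOTE(review): --keyFile already makes the router require authentication;
    # confirm that the mongos build in this image accepts the extra --auth
    # flag, and drop it if the container exits with an option-parsing error.
    command: --configdb rs_config_server/192.168.1.13:27019,192.168.1.14:27019 --keyFile "/etc/key.file" --bind_ip_all --auth
    depends_on:
      - shard_server01
      - shard_server02
networks:
  mongo:
    driver: bridge
    ipam:
      config:
        # Network address of the /24 that holds the static IPs above
        # (host bits cleared).
        - subnet: 192.168.1.0/24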
4、重啓docker-compose
# Recreate the containers so the new command lines (--keyFile/--auth) take
# effect. `down` removes the containers and the network; the data directories
# are bind mounts on the host and are not removed.
docker-compose down
docker-compose up -d
到此,增加安全登錄已經配置完畢。若不使用賬號和密碼訪問結果如下:
使用賬號和密碼訪問結果如下:
總結:搭建整個mongodb集羣花費時間還是比較大的,這裏總結一下,希望能對大家有幫助。有疑問歡迎留言。若是幫助到您了,別忘記點個贊哈哈~