I want to spin-up a docker for mongodb:latest
but allow only certain user(s) to access certain db(s) (i.e. enable --auth
). No one else should access mongodb whatsoever! How should I do this as part of the docker initiation?
BTW, data directory
sits on the host by utilising the following command during initiation: -v /my/own/datadir:/data/db
.
For connecting to your local MongoDB instance from a Container you must first allow to accept connections from the Docker bridge gateway. To do so, simply add the respective gateway IP in the MongoDB config file /etc/mongod. conf under bindIp in the network interface section.
an mongousradmin user is created. the mongousradmin password is set to mongopassadmin.
If you take a look at:
you will notice that there are two variables used in the docker-entrypoint.sh
:
You can use them to setup root user. For example you can use following docker-compose.yml
file:
mongo-container: image: mongo:3.4.2 environment: # provide your credentials here - MONGO_INITDB_ROOT_USERNAME=root - MONGO_INITDB_ROOT_PASSWORD=rootPassXXX ports: - "27017:27017" volumes: # if you wish to setup additional user accounts specific per DB or with different roles you can use following entry point - "$PWD/mongo-entrypoint/:/docker-entrypoint-initdb.d/" # no --auth is needed here as presence of username and password add this option automatically command: mongod
Now when starting the container by docker-compose up
you should notice following entries:
... I CONTROL [initandlisten] options: { net: { bindIp: "127.0.0.1" }, processManagement: { fork: true }, security: { authorization: "enabled" }, systemLog: { destination: "file", path: "/proc/1/fd/1" } } ... I ACCESS [conn1] note: no users configured in admin.system.users, allowing localhost access ... Successfully added user: { "user" : "root", "roles" : [ { "role" : "root", "db" : "admin" } ] }
To add custom users apart of root use the entrypoint exectuable script (placed under $PWD/mongo-entrypoint dir as it is mounted in docker-compose
to entrypoint):
#!/usr/bin/env bash echo "Creating mongo users..." mongo admin --host localhost -u USER_PREVIOUSLY_DEFINED -p PASS_YOU_PREVIOUSLY_DEFINED --eval "db.createUser({user: 'ANOTHER_USER', pwd: 'PASS', roles: [{role: 'readWrite', db: 'xxx'}]}); db.createUser({user: 'admin', pwd: 'PASS', roles: [{role: 'userAdminAnyDatabase', db: 'admin'}]});" echo "Mongo users created."
Entrypoint script will be executed and additional users will be created.
a. You can use environment variables via terminal:
$ docker run -d --name container_name \ -e MONGO_INITDB_ROOT_USERNAME=admin \ -e MONGO_INITDB_ROOT_PASSWORD=password \ mongo
If you like to test if everything works:
// ssh into the running container // Change container name if necessary $ docker exec -it mongo /bin/bash // Enter into mongo shell $ mongo // Caret will change when you enter successfully // Switch to admin database $> use admin $> db.auth("admin", passwordPrompt()) // Show available databases $> show dbs
If you like to instantiate a database on first run, check option b.
b. You can use environment variables in your docker stack deploy file or compose file for versions 3.4 through 4.1.
As it is explained on the quick reference section of the official mongo image set MONGO_INITDB_ROOT_USERNAME
and MONGO_INITDB_ROOT_PASSWORD
in your yaml file:
mongo: image: mongo environment: MONGO_INITDB_ROOT_USERNAME: admin MONGO_INITDB_ROOT_PASSWORD: password
docker-entrypoint.sh file in mongo image checks for the existence of these two variables and sets --auth
flag accordingly.
c. You can also use docker secrets.
MONGO_INITDB_ROOT_USERNAME
and MONGO_INITDB_ROOT_PASSWORD
is set indirectly by docker-entrypoint.sh from MONGO_INITDB_ROOT_USERNAME_FILE
and MONGO_INITDB_ROOT_PASSWORD_FILE
variables:
mongo: image: mongo environment: - MONGO_INITDB_ROOT_USERNAME_FILE=/run/secrets/db_root_username - MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/db_root_password secrets: - db_root_username - db_root_password
docker-entrypoint.sh converts MONGO_INITDB_ROOT_USERNAME_FILE
and MONGO_INITDB_ROOT_PASSWORD_FILE
to MONGO_INITDB_ROOT_USERNAME
and MONGO_INITDB_ROOT_PASSWORD
.
You can use MONGO_INITDB_ROOT_USERNAME
and MONGO_INITDB_ROOT_PASSWORD
in your .sh
or .js
scripts in docker-entrypoint-initdb.d
folder while initializing database instance.
When a container is started for the first time it will execute files with extensions .sh
and .js
that are found in /docker-entrypoint-initdb.d
. Files will be executed in alphabetical order. .js
files will be executed by mongo using the database specified by the MONGO_INITDB_DATABASE
variable, if it is present, or test otherwise. You may also switch databases within the .js
script.
This last method is not in the reference docs, so it may not survive an update.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With