What does the --bindip configuration option in mongodb do?

Question

Here is the mongodb documentation https://docs.mongodb.com/manual/reference/configuration-options/ it specifies that

The IP address that mongos or mongod binds to in order to listen for connections from applications. You may attach mongos or mongod to any interface. When attaching mongos or mongod to a publicly accessible interface, ensure that you have implemented proper authentication and firewall restrictions to protect the integrity of your database.

To bind to multiple IP addresses, enter a list of comma separated values.

and that

127.0.0.1. is the default configuration

I'm clueless when it comes to networking so I wanted to know if someone could explain to me what this means in a more comprehensive way. Also, what would it mean if I were to change this? Why would I want to bind multiple IPs? and finally if anyone has a clue, why is 127.0.0.1 the default option?

Edit:

(You can skip this edit part)

Some of the motivation behind this question lies in getting these warnings while trying to run mongodb on docker:

2016-05-22T05:36:12.478+0000 I CONTROL  [initandlisten] ** WARNING: Insecure configuration, access control is not enabled and no --bind_ip has been specified.
2016-05-22T05:36:12.478+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted,
2016-05-22T05:36:12.478+0000 I CONTROL  [initandlisten] **          and the server listens on all available network interfaces.

and also some issues where I'd get this error

2016-05-20T01:04:18.012+0000 I NETWORK  [thread1] trying reconnect to 127.0.0.1:27017 (127.0.0.1) failed
2016-05-20T01:04:18.018+0000 I NETWORK  [thread1] reconnect 127.0.0.1:27017 (127.0.0.1) ok

(more on that here if you are curious https://dba.stackexchange.com/questions/139075/replica-set-in-mongodb-using-docker-primary-has-error-and-stops-being-primary-w/139145#139145 but this issue is not the topic of this post!)

Answer 1

On bindIp

127.0.0.1 by convention is the IP address of localhost and is bound to the loopback interface, which is only accessible from the same machine.

Using this address as default is best practice, since doing so makes it impossible to accidentally expose a service to the public. You have to make the conscious choice to change the bind IP to make your service publicly available. Which you should only do after you made sure that you took proper security measures.

Note This is very simplified, skipping advanced topics

Typically, a machine has the loopback interface and one or more "real" network interfaces.

Say you have one network interface which is "internal" (only accessible by your application servers, since you put them into the same network) and you have one network interface which is "external" (reachable via the public internet for maintenance purposes). Now, if you would bind your MongoDB instance to all interfaces (you would use the IP address 0.0.0.0 to do that), your MongoDB instance would be accessible from the public internet – hardly a desired situation. Attackers could try to brute force your passwords and may eventually get access to your MongoDB instance. Better to prevent any access from the public internet at all.

What you would rather want to have that your MongoDB instance is accessible for your application servers and from the machine it runs on. So you would bind MongoDB to both the loopback interface's IP (127.0.0.1) and the IP of the private network, which in general would be one of

• the range from 10.0.0.0 to 10.255.255.255
• the range from 172.16.0.0 to 172.31.255.255
• the range from 192.168.0.0 to 192.168.255.255

Let us take our example and say both the application servers and the MongoDB instance are in a private network in the range 192.168.X.X and you have given the MongoDB instance the IP address 192.168.0.1. So you would want to have your MongoDB instance be accessible via 192.168.0.1 so that the application servers can talk to it and via 127.0.0.1 to use the administration tools from the machine MongoDB runs on effortlessly.

So with the YAML configuration syntax, you would pass multiple IPs

NOTE do not add space between commas on multiple IPs

# WARNING!!! WARNING!!! WARNING!!!
# DO NOT DO THIS UNLESS YOU HAVE CLIENT AUTHENTICATION ENABLED
# (or you really, really, really know what you are doing)
net:
  bindIp: 127.0.0.1,192.168.0.1

On the warnings

In short, this is MongoDBs way of saying:

Mate, you have two problems: you have not configured security yet and your MongoDB instance is only accessible from the local machine. The former is not as severe because of the latter. But you really should configure security before you bind the MongoDB instance to other IPs than "localhost"!

There is sort of an implied "Unless you really know what you are doing!", because iirc, the warning vanishes if you either activate client authentication or change the bindIp.

Answer 2

In my case i change bindIp to 0.0.0.0 in /etc/mongod.conf

sudo nano /etc/mongod.conf

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0