§2023-08-03
| Machine | IP | Hardware / OS | mongod Version | Replica Set | mongosh | Sharding Available |
|---|---|---|---|---|---|---|
| orgpi5Arch.yushei.net | 192.168.48.241 | Orange Pi 5 Plus, 16G mem, PCIe SSD 256G, Archlinux | 7.0.0-rc8 | MuneTakaHome:27999 | 1.10.1 no ssl | No |
| orgpi5Jammy.yushei.net | 192.168.48.247 | Orange Pi 5 Plus, 8G mem, PCIe SSD 256G, Ubuntu Jammy | 7.0.0-rc8 | MuneTakaHome:27999 | 1.10.1 no ssl | No |
| hc4MnMin.yushei.net | 192.168.48.239 | Odroid-HC4, Manjaro | 7.0.0-rc8 | MuneTakaHome:27999 | 1.1.0 no ssl | No |
| hc4Jammy.yushei.net | 192.168.48.243 | Odroid-HC4, Ubuntu Jammy | 7.0.0-rc8 | MuneTakaHome:27999 | 1.10.1 no ssl | No |
| h2nas01.yushei.net | 192.168.2.252 | Odroid-H2, Archlinux | 7.0.0-rc8 | MuneTakaHome:27999 | 1.10.1 libcrypto.so.3 | No |
| h2Jammy.yushei.net | 59.126.118.193/192.168.11.248 | Odroid-H2, Ubuntu Jammy | 7.0.0-rc8 | MuneTakaHome:27999 | 1.10.1 libcrypto.so.3 | No |
| n2Mnjaro.yushei.net | 192.168.48.245 | Odroid-N2+, Manjaro | 7.0.0-rc8 | MuneTakaHome:27999 | 1.1.0 no ssl | No |

Connection string used for the finished set (seed list of three members, TLS with the member's own x.509 certificate and the lab CA):

```bash
$ mongosh "mongodb://orgpi5arch.yushei.net:27999,orgpi5jammy.yushei.net:27999,hc4mnmin.yushei.net:27999/?tls=true&tlsCertificateKeyFile=/opt/xfs/mongodb/x.509/orgpi5arch.yushei.net.pem&tlsCAFile=/opt/xfs/mongodb/x.509/mongoCA.crt"
```


§ Step 1

We are going to set up orgpi5arch, orgpi5jammy and hc4MnMin.yushei.net as the replica set MuneTakaHome, with every mongod listening on port 27999 and talking TLS with certificates issued by mongoCA.

¶Steps

```bash
$ mongosh "mongodb://orgpi5arch.yushei.net:27999/?tls=true&tlsCertificateKeyFile=/opt/xfs/mongodb/x.509/orgpi5arch.yushei.net.pem&tlsCAFile=/opt/xfs/mongodb/x.509/mongoCA.crt"
Current Mongosh Log ID: 64cb66a089ec55ca42fedcdb
Connecting to:          mongodb://orgpi5arch.yushei.net:27999/?tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Forgpi5arch.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&directConnection=true&appName=mongosh+1.10.1
Using MongoDB:          7.0.0-rc8
Using Mongosh:          1.10.1

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

------
   The server generated these startup warnings when booting
   2023-08-03T15:59:01.750+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
------
test >
```

The startup warning is expected at this stage: access control is still off on this member, which is what lets `rs.initiate()` and the first `createUser()` below run without credentials, but until it is turned on anyone who can open a connection to port 27999 has unrestricted read/write access to data and configuration.

```javascript
rs.initiate( {
   _id : "MuneTakaHome",
   members: [
      { _id: 0, host: "orgpi5arch.yushei.net:27999" },
      { _id: 1, host: "orgpi5jammy.yushei.net:27999" },
      { _id: 2, host: "hc4mnmin.yushei.net:27999" }
   ]
});
```


Two attempts with that configuration, both rejected:

```text
MongoServerError: replSetInitiate quorum check failed because not all proposed set members responded affirmatively: hc4mnmin.yushei.net:27999 failed with futurize :: caused by :: stream truncated, orgpi5jammy.yushei.net:27999 failed with Command replSetHeartbeat requires authentication
test>
MongoServerError: replSetInitiate quorum check failed because not all proposed set members responded affirmatively: hc4mnmin.yushei.net:27999 failed with onInvoke :: caused by :: stream truncated
```

- Two different failures are mixed here. `stream truncated` means the TLS connection to hc4mnmin was closed by the peer without a proper TLS shutdown, i.e. that member dropped the connection at the TLS layer before sending any MongoDB reply; its own mongod log is the place to look. `Command replSetHeartbeat requires authentication` means orgpi5jammy already has `security.authorization` enabled while no internal authentication (keyfile or x.509 membership certificates) is configured, so it refuses the unauthenticated heartbeat from orgpi5arch. `rs.initiate()` requires every proposed member to answer the heartbeat, so either failure blocks the whole set.

- Try hc4Jammy in place of hc4MnMin:

```javascript
rs.initiate( {
   _id : "MuneTakaHome",
   members: [
      { _id: 0, host: "orgpi5arch.yushei.net:27999" },
      { _id: 1, host: "orgpi5jammy.yushei.net:27999" },
      { _id: 2, host: "hc4jammy.yushei.net:27999" }
   ]
});
```

```text
MongoServerError: replSetInitiate quorum check failed because not all proposed set members responded affirmatively: hc4mnmin.yushei.net:27999 failed with onInvoke :: caused by :: stream truncated
```

- Drop orgpi5jammy as well, leaving only orgpi5arch and hc4jammy:

```javascript
rs.initiate( {
   _id : "MuneTakaHome",
   members: [
      { _id: 0, host: "orgpi5arch.yushei.net:27999" },
      { _id: 2, host: "hc4jammy.yushei.net:27999" }
   ]
});
```

```text
MongoServerError: replSetInitiate quorum check failed because not all proposed set members responded affirmatively: hc4jammy.yushei.net:27999 failed with Error connecting to hc4jammy.yushei.net:27999 (192.168.48.243:27999) :: caused by :: SSL peer certificate validation failed: self-signed certificate in certificate chain
```

- This one is unambiguous: the mongod on orgpi5arch, acting as TLS client towards hc4jammy, could not build a chain from the certificate hc4jammy presents to anything in its own `net.tls.CAFile` (mongoCA.crt). Either the .pem on hc4jammy is self-signed or signed by some other CA, or the chain it sends ends in a root that orgpi5arch does not trust. Re-issue that member's certificate from mongoCA and confirm it verifies against mongoCA.crt before trying again.

- With n2Mnjaro as the third member the quorum check passes:

```javascript
rs.initiate( {
   _id : "MuneTakaHome",
   members: [
      { _id: 0, host: "orgpi5arch.yushei.net:27999" },
      { _id: 1, host: "orgpi5jammy.yushei.net:27999" },
      { _id: 2, host: "n2mnjaro.yushei.net:27999" }
   ]
});

{ ok: 1 }
```

> The problem seems to be in hc4Jammy.yushei.net; it happened when using version 6.0.8 or 7.0.0-rc8.
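The certificate failure is the one worth screening for before the next `rs.initiate()`. The script below is an added example, not part of these notes or of MongoDB: it builds a throwaway CA in the role of mongoCA.crt, issues one member certificate signed by it and one self-signed certificate (the shape behind "self-signed certificate in certificate chain"), and runs the check a peer's mongod effectively performs: the certificate must chain to the CAFile and must carry the member's host name in its subjectAltName. Host names are the lab's; the /opt/xfs paths are replaced by a temp directory, and `issue_member_cert` / `check_member_cert` are this example's own functions.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): pre-flight certificate check for
# replica set members. All material is generated under a temp dir; the lab host
# names are reused, the /opt/xfs/mongodb/x.509 paths are not touched.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Lab CA standing in for mongoCA.crt (constructed here, self-signed root).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mongoCA" \
  -keyout "$WORK/ca.key" -out "$WORK/mongoCA.crt" >/dev/null 2>&1

# issue_member_cert HOST CA|SELF
# Writes $WORK/HOST.pem (private key + certificate in one file, the layout that
# net.tls.certificateKeyFile expects). CA = signed by the lab CA; SELF = self-signed,
# which a peer rejects because nothing in its CAFile vouches for it.
issue_member_cert() {
  local host=$1 mode=$2 ext="$WORK/$1.ext"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$host" > "$ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  if [ "$mode" = CA ]; then
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/mongoCA.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$ext" -out "$WORK/$host.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$host.csr" -signkey "$WORK/$host.key" \
      -days 1 -extfile "$ext" -out "$WORK/$host.crt" >/dev/null 2>&1
  fi
  cat "$WORK/$host.key" "$WORK/$host.crt" > "$WORK/$host.pem"
}

# check_member_cert CAFILE PEM HOST
# 0: certificate chains to CAFILE and names HOST in its SAN.
# 1: chain does not verify (the "SSL peer certificate validation failed" case).
# 2: chain is fine but the SAN does not contain HOST; peers reject that as well
#    once they check the certificate against the member's host name.
check_member_cert() {
  local cafile=$1 pem=$2 host=$3
  openssl x509 -in "$pem" 2>/dev/null | openssl verify -CAfile "$cafile" >/dev/null 2>&1 || return 1
  openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -F "DNS:$host" >/dev/null || return 2
  return 0
}

# Demo: one member signed by the lab CA, one self-signed.
issue_member_cert orgpi5arch.yushei.net CA
issue_member_cert hc4jammy.yushei.net SELF
for h in orgpi5arch.yushei.net hc4jammy.yushei.net; do
  if check_member_cert "$WORK/mongoCA.crt" "$WORK/$h.pem" "$h"; then
    echo "$h: chains to mongoCA.crt and SAN matches, peers will accept it"
  else
    echo "$h: peers will reject it (rc=$?)"
  fi
done
```

On a real member, run `check_member_cert /opt/xfs/mongodb/x.509/mongoCA.crt /opt/xfs/mongodb/x.509/<host>.pem <host>` with that member's own files; every member has to pass against the same mongoCA.crt, since each of them acts as both TLS client and server towards the others.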

- Another combination tried, hc4MnMin with n2Mnjaro (no result recorded):

```javascript
rs.initiate( {
   _id : "MuneTakaHome",
   members: [
      { _id: 0, host: "hc4mnmin.yushei.net:27999"},
      { _id: 1, host: "n2Mnjaro.yushei.net:27999"}
   ]
});
```

- Take hc4MnMin.yushei.net out of the initial configuration, initiate the set with the two Orange Pi nodes only, and then add it with `rs.add()`.
- Why does this succeed when the three-member `rs.initiate()` fails? `rs.initiate()` runs a quorum check that needs every proposed member to respond, whereas `rs.add()` is a reconfiguration that only needs a majority of the voting members to accept the new config; with two healthy members out of three that majority exists, so the reconfig returns `ok: 1` even if the new member cannot be reached yet.

```javascript
rs.initiate( {
   _id : "MuneTakaHome",
   members: [
      { _id: 0, host: "orgpi5arch.yushei.net:27999" },
      { _id: 1, host: "orgpi5jammy.yushei.net:27999" }
   ]
});

{
  ok: 1,
  '$clusterTime': {
    clusterTime: Timestamp({ t: 1691057376, i: 1 }),
    signature: {
      hash: Binary(Buffer.from("0000000000000000000000000000000000000000", "hex"), 0),
      keyId: Long("0")
    }
  },
  operationTime: Timestamp({ t: 1691057376, i: 1 })
}
```

```javascript
rs.add("hc4MnMin.yushei.net:27999");
```

```javascript
MuneTakaHome [direct: primary] test> rs.add("hc4MnMin.yushei.net:27999");
{
  ok: 1,
  '$clusterTime': {
    clusterTime: Timestamp({ t: 1691057819, i: 1 }),
    signature: {
      hash: Binary(Buffer.from("0000000000000000000000000000000000000000", "hex"), 0),
      keyId: Long("0")
    }
  },
  operationTime: Timestamp({ t: 1691057819, i: 1 })
}
MuneTakaHome [direct: primary] test> rs.conf()
{
  _id: 'MuneTakaHome',
  version: 2,
  term: 1,
  members: [
    {
      _id: 0,
      host: 'orgpi5arch.yushei.net:27999',
      arbiterOnly: false,
      buildIndexes: true,
      hidden: false,
      priority: 1,
      tags: {},
      secondaryDelaySecs: Long("0"),
      votes: 1
    },
    {
      _id: 1,
      host: 'orgpi5jammy.yushei.net:27999',
      arbiterOnly: false,
      buildIndexes: true,
      hidden: false,
      priority: 1,
      tags: {},
      secondaryDelaySecs: Long("0"),
      votes: 1
    },
    {
      _id: 2,
      host: 'hc4MnMin.yushei.net:27999',
      arbiterOnly: false,
      buildIndexes: true,
      hidden: false,
      priority: 1,
      tags: {},
      secondaryDelaySecs: Long("0"),
      votes: 1
    }
  ],
  protocolVersion: Long("1"),
  writeConcernMajorityJournalDefault: true,
  settings: {
    chainingAllowed: true,
    heartbeatIntervalMillis: 2000,
    heartbeatTimeoutSecs: 10,
    electionTimeoutMillis: 10000,
    catchUpTimeoutMillis: -1,
    catchUpTakeoverDelayMillis: 30000,
    getLastErrorModes: {},
    getLastErrorDefaults: { w: 1, wtimeout: 0 },
    replicaSetId: ObjectId("64cb7ce031202fb3da1e9109")
  }
}
MuneTakaHome [direct: primary] test>
```

- `ok: 1` from `rs.add()` only says the new configuration was accepted by a majority of the existing members, and `rs.conf()` only prints that configuration; neither proves hc4MnMin has actually joined. Run `rs.status()` and check that the hc4MnMin entry shows `health: 1` and `stateStr: 'SECONDARY'` (or `'STARTUP2'` while it is still doing its initial sync) before relying on it. If it stays unreachable there, the TLS problem from the earlier attempts is still present on that member.

- Add a superuser before turning on `security.authorization: enabled`. Once authorization is on, the only way to create the first user without an existing account is the localhost exception (a mongosh session on the member itself), so doing it now while the set is still open is simpler. Prefer `pwd: passwordPrompt()` over a literal password so it does not end up in the mongosh history file; the literal below is redacted.

```javascript
use admin

db.createUser( {
  user: "siteRootAdmin",
  pwd: "b2nnnnnnn",   // redacted
  roles: [ { role: "root", db: "admin" } ]
});
```


```javascript
MuneTakaHome [direct: primary] test> use admin
switched to db admin
MuneTakaHome [direct: primary] admin> db.createUser( {
... user: "siteRootAdmin",
... pwd: "b2nnnnnnn",
... roles: [ { role: "root", db: "admin" } ]
... });
{
  ok: 1,
  '$clusterTime': {
    clusterTime: Timestamp({ t: 1691060670, i: 4 }),
    signature: {
      hash: Binary(Buffer.from("0000000000000000000000000000000000000000", "hex"), 0),
      keyId: Long("0")
    }
  },
  operationTime: Timestamp({ t: 1691060670, i: 4 })
}
MuneTakaHome [direct: primary] admin> db.changeUserPassword("sitRootAdmin", "bnnnnnnnn")
MongoServerError: User sitRootAdmin@admin not found
MuneTakaHome [direct: primary] admin> db.changeUserPassword("siteRootAdmin", "bnnnnnnnn")
{
  ok: 1,
  '$clusterTime': {
    clusterTime: Timestamp({ t: 1691060818, i: 1 }),
    signature: {
      hash: Binary(Buffer.from("0000000000000000000000000000000000000000", "hex"), 0),
      keyId: Long("0")
    }
  },
  operationTime: Timestamp({ t: 1691060818, i: 1 })
}
MuneTakaHome [direct: primary] admin>
```

(The first `changeUserPassword()` call fails only because of the typo `sitRootAdmin`; the second one, with the correct user name, succeeds.)

- After `siteRootAdmin` exists, turn security on: set `security.authorization: enabled` together with the keyfile described next on every member, then restart each mongod. From then on every client, mongosh included, has to authenticate, as the session at the end of this section shows.


- Enabling access control on a replica set also requires internal authentication, so that the members can authenticate to each other for heartbeats and replication; without it a member that has authorization on rejects its peers exactly as orgpi5jammy did above (`Command replSetHeartbeat requires authentication`). With TLS already in place there are two options: a shared keyfile, or x.509 membership certificates (`security.clusterAuthMode: x509`). The keyfile is the simpler one: the same file, byte for byte, goes on every member, and setting `security.keyFile` implicitly enables `security.authorization` as well.
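The keyfile step that follows has three things mongod enforces that are easy to get wrong (file mode, content length and character set) and one that nothing enforces for you (the file must be identical on every member). The script below is an added example, not part of these notes or of MongoDB: it generates the key the same way, checks it the way mongod will, prints a fingerprint to compare across members, and writes the mongod.conf fragment that turns on authorization plus the keyfile for the TLS replica set. Paths under /opt/xfs and the host name are the lab's; the script itself only writes into a temp directory, and `make_keyfile`, `check_keyfile`, `keyfile_fingerprint` and `write_mongod_conf` are this example's own functions.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): generate, validate and fingerprint
# a replica set keyfile, and write the matching mongod.conf fragment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_keyfile PATH: 756 random bytes -> 1008 base64 characters, which stays
# inside the 6..1024 character limit mongod places on keyfile content.
make_keyfile() {
  openssl rand -base64 756 > "$1"
  chmod 0400 "$1"
}

# check_keyfile PATH: 0 when mongod will accept the file as security.keyFile.
#   1 missing
#   2 mode is not 400/600 (mongod refuses it: "permissions on ... are too open")
#   3 content length outside 6..1024 once whitespace is stripped (mongod ignores whitespace)
#   4 characters outside the base64 set
check_keyfile() {
  local f=$1 mode body
  [ -f "$f" ] || { echo "missing keyfile: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    400|600) ;;
    *) echo "keyfile mode $mode is too open, use 0400 or 0600: $f" >&2; return 2 ;;
  esac
  body=$(tr -d ' \t\r\n' < "$f")
  if [ "${#body}" -lt 6 ] || [ "${#body}" -gt 1024 ]; then
    echo "keyfile length ${#body} outside 6..1024: $f" >&2; return 3
  fi
  printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/=]+$' \
    || { echo "keyfile contains non-base64 characters: $f" >&2; return 4; }
  return 0
}

# keyfile_fingerprint PATH: sha256 of the file. Compare this on every member;
# if the copies differ the members cannot authenticate to each other and the
# odd one out stays unreachable in rs.status().
keyfile_fingerprint() {
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# write_mongod_conf PATH HOST: the settings to turn on once siteRootAdmin exists.
# security.keyFile already implies authorization: enabled; it is spelled out so
# the intent is visible. storage/systemLog/bindIp are left to each member's
# existing config (assumption: they are already set).
write_mongod_conf() {
  cat > "$1" <<EOF
net:
  port: 27999
  tls:
    mode: requireTLS
    certificateKeyFile: /opt/xfs/mongodb/x.509/$2.pem
    CAFile: /opt/xfs/mongodb/x.509/mongoCA.crt
security:
  authorization: enabled
  keyFile: /opt/xfs/mongodb/x.509/MuneTakaHomeKey
replication:
  replSetName: MuneTakaHome
EOF
}

# Demo run (constructed, under the temp dir).
make_keyfile "$WORK/MuneTakaHomeKey"
check_keyfile "$WORK/MuneTakaHomeKey" \
  && echo "keyfile OK, sha256 $(keyfile_fingerprint "$WORK/MuneTakaHomeKey")"
write_mongod_conf "$WORK/mongod.conf" orgpi5arch.yushei.net
cat "$WORK/mongod.conf"
```

Run `check_keyfile` and `keyfile_fingerprint` against /opt/xfs/mongodb/x.509/MuneTakaHomeKey on each member after copying it (as the mongodb user, since the 0400 mode makes it unreadable to anyone else); the fingerprints must agree everywhere before any mongod is restarted with the new config.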

```bash
[alexlai@orpi5Arch x.509]$ openssl rand -base64 756 > MuneTakaHomeKey
[alexlai@orpi5Arch x.509]$ sudo cp -v MuneTakaHomeKey /opt/xfs/mongodb/x.509/
[sudo] password for alexlai:
'MuneTakaHomeKey' -> '/opt/xfs/mongodb/x.509/MuneTakaHomeKey'
[alexlai@orpi5Arch x.509]$ sudo chown mongodb:mongodb /opt/xfs/mongodb/x.509/MuneTakaHomeKey
[alexlai@orpi5Arch x.509]$ sudo chmod 0400 /opt/xfs/mongodb/x.509/MuneTakaHomeKey    # has to be 0400 (or 0600): mongod refuses a group- or world-readable keyfile
```

- The commands above only install the key on orgpi5Arch. The same MuneTakaHomeKey has to be copied to every other member with the same owner and mode, and `security.keyFile` pointed at it in each mongod.conf. Treat it as a cluster-wide secret: whoever holds it can authenticate to the set as a member with full privileges, so copy it over ssh rather than through any shared or world-readable location, and delete the working copy left in the x.509 directory of the user account.

After restarting the members with authorization and the keyfile enabled, reconnect through the seed list and authenticate as `siteRootAdmin` (the doubled `.yushei.net` in the third seed is a typo in the original session; the driver still reached the set through the other two seeds, and the prompt shows `[primary]` rather than `[direct: primary]` because this is a replica set connection, not a `directConnection`):

```bash
[alexlai@orpi5Arch ~]$ mongosh "mongodb://orgpi5arch.yushei.net:27999,orgpi5jammy.yushei.net:27999,n2mnjaro.yushei.net.yushei.net:27999/?tls=true&tlsCertificateKeyFile=/opt/xfs/mongodb/x.509/orgpi5arch.yushei.net.pem&tlsCAFile=/opt/xfs/mongodb/x.509/mongoCA.crt"
Current Mongosh Log ID: 64cb94fc84752d8080956128
Connecting to:          mongodb://orgpi5arch.yushei.net:27999,orgpi5jammy.yushei.net:27999,hc4mnmin.yushei.net.yushei.net:27999/?tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Forgpi5arch.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&appName=mongosh+1.10.1
Using MongoDB:          7.0.0-rc8
Using Mongosh:          1.10.1

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

MuneTakaHome [primary] test> use admin
switched to db admin
MuneTakaHome [primary] admin> db.auth("siteRootAdmin", "b2nnnnnnn")   // password redacted
{ ok: 1 }
MuneTakaHome [primary] admin>
```

Note that the "Access control is not enabled" startup warning from the first session is gone, which is the quickest confirmation that authorization is really on for the member mongosh landed on.