MongoDB is fairly easy to install on Ubuntu so this guide will hit the essentials and provide links for more details.



I've installed my OS and /home on different partitions to make reinstalling the OS easier. So let's keep the config file and data/logs on the /home partition.

# in ~ or wherever you want to put mongodb's files
mkdir mongodb
cd mongodb
mkdir db log                  # Create data/log folders
# Create a copy of conf file
cp /etc/init/mongodb.conf .

We want to store the data and log dirs in a custom location so they aren't wiped in OS reinstall, so change mongodb.conf to the following:

auth = true


I'm going to skip a lot of important details, please read: MongoDB's Security and Authentication. The page lists default ports for services, basic firewall rules and other useful info.

Things to note

  • By default MongoDB assumes you have carefully set up your firewall/networking environment to restrict who can access the server(s).
    • "By default, security mode is off."
    • "By default, a mongod server will listen on all available IP addresses on a machine. You can restrict this to a single IP address with the 'bind_ip' configuration option for mongod."
  • Are passwords sent over the wire encrypted?
    • Yes. (Actually a nonce-based digest is passed.)
  • Are database operations, after authenticating, passed over the wire encrypted?
    • Not by default. See the SSL doc page for more information.

We enabled secure mode by setting auth = true in mongodb.conf above.

Create Users

Create admin user:

> // use admin db
$ mongo localhost/admin
> db.addUser("theadmin", "anadminpassword")
> // authenticate as admin
> db.auth("theadmin", "anadminpassword")

Create read/write user:

> use somedb
> db.addUser("joe", "passwordForJoe")

Create read user:

> use somedb
> db.addUser("guest", "passwordForGuest", true)

Secure Mode with Sharded Clusters and Replica Sets

From a client's perspective, communicating with a sharded cluster or replica set is identical to single-server authentication. However, servers use a key file to authenticate internal communication.

A key file must contain at least six Base64 characters and be no larger than 1KB (whitespace included). Whitespace characters are stripped.

Since the key file is stored in a file and not typed, I see no reason not to make it close to 1KB. A simple generation using mkpasswd

for i in `seq 0 N`; do mkpasswd -S <salt> -s $i >> key; done

where salt is 2 characters and N is the number of passwords to generate. I found N = ~70 to create key files close to 1KB. To include even more characters you can remove newlines as MongoDB will strip them anyway.

Make sure to set permissions restrictively on key, as MongoDB will exit immediately if the permissions are too open (on *nix up to 700 is allowed). Also note that MongoDb will complain if there's any "." in the key file, so replace them with some other characters.


Since we're placing the db data and mongodb.conf in custom locations we need to slightly customize how we run mongodb.

Shell script

You can use a simple shell script, like:

mongod --config /path/to/mongodb.conf --keyFile /path/to/key

As a service

This is the recommended method.

sudo service mongodb start


sudo /etc/init.d/mongodb start

Making these methods work using our customized install settings requires a few changes.

To modify the default service behavior edit /etc/init/mongodb.conf (spacing changed to improve readability):

# Original:
if [ "x$ENABLE_MONGODB" = "xyes" ]; then exec start-stop-daemon --start --quiet
       --chuid mongodb
       --exec  /usr/bin/mongod --
       --config /etc/mongodb.conf; fi
# I modified to:
if # same as before up to
       --chuid <custom_user>
       --exec  /usr/bin/mongod --
       --config /home/<user>/mongodb/mongodb.conf
       --keyFile /home/<user>/mongodb/key; fi

Running as the default mongodb user is probably a good idea unless you have a specific reason not to. Now using service to start/stop mongodb will use our custom settings.

blog comments powered by Disqus