- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Server
- Labels:

In the documentation section that talks about configuring MongoDB for Kerberos authentication on Linux we have the following suggestion:
If you installed MongoDB Enterprise using one of the official .deb or .rpm packages, and you use the included init/upstart scripts to control the mongod instance, you can set the KRB5_KTNAME variable in the default environment settings file instead of setting the variable each time.
For .rpm packages, the default environment settings file is /etc/sysconfig/mongod.
For .deb packages, the file is /etc/default/mongodb.
This is a rather outdated suggestion, since most of the modern Linux distros (Ubuntu 16, RHEL 7) have switched from init/upstart scripts to systemd unit files. The packages that we ship for these distros deploy the appropriate unit files. The highlighted recommendation cannot be applied there.
In order to preserve the value of the KRB5_KTNAME environment variable on such hosts the user should modify the unit files. We should update our documentation so it would explain how it can be done:
- To find the location of the unit file (and to view its content)
$ sudo systemctl cat <service_name>
- Sample unit file (with KRB5_KTNAME added):
[Unit]
Description=High-performance, schema-free document-oriented database
After=network.target
Documentation=https://docs.mongodb.org/manual

[Service]
User=mongodb
Group=mongodb
ExecStart=/usr/bin/mongod --config /etc/mongod.conf
Environment="KRB5_KTNAME=/etc/mongod.keytab"
PIDFile=/var/run/mongodb/mongod.pid
# file size
LimitFSIZE=infinity
# cpu time
LimitCPU=infinity
# virtual memory size
LimitAS=infinity
# open files
LimitNOFILE=64000
# processes/threads
LimitNPROC=64000
# locked memory
LimitMEMLOCK=infinity
# total threads (user+kernel)
TasksMax=infinity
TasksAccounting=false

# Recommended limits for mongod as specified in
# http://docs.mongodb.org/manual/reference/ulimit/#recommended-settings

[Install]
WantedBy=multi-user.target
- Once the unit file is modified, it should be re-loaded as:
sudo systemctl daemon-reload
- Then the service needs to be restarted for the change to take effect.
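
One way to confirm that an edited unit really passes KRB5_KTNAME to mongod, as an added example that is not part of the ticket or of MongoDB's packaging. The function names and the trimmed sample units are constructed for illustration; the parser also handles several assignments on one Environment= line and a later line overriding an earlier one.

```shell
# unit_env_value VAR: read unit text on stdin (for example the output of
# `systemctl cat <service_name>`) and print the value VAR ends up with from
# the Environment= lines of [Service]. Returns 1 when VAR is never set.
unit_env_value() {
  awk -v var="$1" '
    /^[ \t]*[#;]/ { next }                              # comments
    /^\[/ { in_service = ($0 ~ /^\[Service\]/); next }  # section headers
    in_service && /^Environment=/ {
      rest = substr($0, 13)                             # text after "Environment="
      if (rest == "") { found = 0; next }               # empty assignment resets the list
      while (match(rest, /"[^"]*"|[^ \t]+/)) {          # quoted or bare assignment
        tok = substr(rest, RSTART, RLENGTH)
        rest = substr(rest, RSTART + RLENGTH)
        gsub(/^"|"$/, "", tok)
        if (index(tok, var "=") == 1) { val = substr(tok, length(var) + 2); found = 1 }
      }
    }
    END { if (!found) exit 1; print val }
  '
}

# Constructed sample: the unit from the ticket, trimmed.
UNIT_WITH_KEYTAB='[Unit]
After=network.target
[Service]
User=mongodb
ExecStart=/usr/bin/mongod --config /etc/mongod.conf
Environment="KRB5_KTNAME=/etc/mongod.keytab"
[Install]
WantedBy=multi-user.target'

# Constructed sample: the same unit before the edit.
UNIT_WITHOUT_KEYTAB='[Service]
User=mongodb
ExecStart=/usr/bin/mongod --config /etc/mongod.conf'

# check_unit TEXT: succeed only if KRB5_KTNAME is set to an absolute path.
check_unit() {
  keytab=$(printf '%s\n' "$1" | unit_env_value KRB5_KTNAME) || {
    echo "KRB5_KTNAME is not set in [Service]"; return 1; }
  case $keytab in
    /*) echo "KRB5_KTNAME=$keytab" ;;
    *)  echo "KRB5_KTNAME is not an absolute path: $keytab"; return 1 ;;
  esac
}

check_unit "$UNIT_WITH_KEYTAB"
check_unit "$UNIT_WITHOUT_KEYTAB" || true
```

On a live host, feed the function the output of `systemctl cat <service_name>` after the daemon-reload instead of the sample variables.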