  1. Documentation
  2. DOCS-11500

Add suggestion on how to preserve KRB5_KTNAME on systemd-based Linux distros

      In the documentation section that talks about configuring MongoDB for Kerberos authentication on Linux we have the following suggestion:

      If you installed MongoDB Enterprise using one of the official .deb or .rpm packages, and you use the included init/upstart scripts to control the mongod instance, you can set the KRB5_KTNAME variable in the default environment settings file instead of setting the variable each time.

      For .rpm packages, the default environment settings file is /etc/sysconfig/mongod.

      For .deb packages, the file is /etc/default/mongodb.

      This is a rather outdated suggestion, since most modern Linux distros (Ubuntu 16, RHEL 7) have switched from init/upstart scripts to systemd unit files. The packages that we ship for these distros deploy the appropriate unit files. The highlighted recommendation cannot be applied there.

      In order to preserve the value of the KRB5_KTNAME environment variable on such hosts, the user should modify the unit files. We should update our documentation so that it explains how this can be done:

      1. To find the location of the unit file (and to view its content):
        $ sudo systemctl cat <service_name>
        
      2. Sample unit file (with KRB5_KTNAME added):
        [Unit]
        Description=High-performance, schema-free document-oriented database
        After=network.target
        Documentation=https://docs.mongodb.org/manual
        
        [Service]
        User=mongodb
        Group=mongodb
        ExecStart=/usr/bin/mongod --config /etc/mongod.conf
        Environment="KRB5_KTNAME=/etc/mongod.keytab"
        PIDFile=/var/run/mongodb/mongod.pid
        # file size
        LimitFSIZE=infinity
        # cpu time
        LimitCPU=infinity
        # virtual memory size
        LimitAS=infinity
        # open files
        LimitNOFILE=64000
        # processes/threads
        LimitNPROC=64000
        # locked memory
        LimitMEMLOCK=infinity
        # total threads (user+kernel)
        TasksMax=infinity
        TasksAccounting=false
        
        # Recommended limits for mongod as specified in
        # http://docs.mongodb.org/manual/reference/ulimit/#recommended-settings
        
        [Install]
        WantedBy=multi-user.target
        
      3. Once the unit file is modified, it should be reloaded with:
        $ sudo systemctl daemon-reload
        
      4. Then the service needs to be restarted for the change to take effect.
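
An added example, not part of the original ticket or of MongoDB's packaging: the same procedure done through a systemd drop-in, so the packaged unit file stays untouched across upgrades, with a refusal to proceed when the keytab is accessible to group or others. The service name `mongod`, the drop-in file name `krb5.conf` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (assumed names): set KRB5_KTNAME for a systemd service via a
# drop-in file instead of editing the unit file shipped by the package.

# Write the drop-in. $1 = drop-in directory, $2 = absolute keytab path.
write_krb5_dropin() {
    dropin_dir=$1
    keytab=$2
    case $keytab in
        /*) ;;   # systemd has no working directory to resolve a relative path
        *) echo "keytab path must be absolute: $keytab" >&2; return 1 ;;
    esac
    mkdir -p "$dropin_dir" || return 1
    printf '[Service]\nEnvironment="KRB5_KTNAME=%s"\n' "$keytab" \
        > "$dropin_dir/krb5.conf"
}

# Succeed only if the keytab exists and grants nothing to group or others.
# A keytab holds the service's long-term keys, so 0400 or 0600 is expected.
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat, octal mode such as 600
    case $mode in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 1-4 of the procedure in one call; run as root.
# $1 = service name, $2 = keytab path.
apply_krb5_keytab() {
    service=$1
    keytab=$2
    keytab_is_private "$keytab" || {
        echo "refusing: $keytab is missing or accessible to group/others" >&2
        return 1
    }
    write_krb5_dropin "/etc/systemd/system/$service.service.d" "$keytab" || return 1
    systemctl daemon-reload && systemctl restart "$service" || return 1
    # Confirm the variable is part of the unit's effective environment.
    systemctl show "$service" --property=Environment
}

# Example call (assumed service name and the keytab path from the ticket):
# apply_krb5_keytab mongod /etc/mongod.keytab
```

The keytab must also be readable by the account the unit runs as (`User=mongodb` in the sample unit file above); the mode check does not verify ownership.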

            Assignee:
            dave.cuthbert@mongodb.com Dave Cuthbert (Inactive)
            Reporter:
            dmitry.ryabtsev@mongodb.com Dmitry Ryabtsev

              Created:
              Updated:
              Resolved:
              1 year, 33 weeks, 1 day ago