[SERVER-6837] Persist mongod server options in dbpath for sanity checking across reboots
Created: 23/Aug/12  Updated: 06/Dec/22  Resolved: 06/Mar/19

Status: Closed
Project: Core Server
Component/s: Usability
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Major - P3
Reporter: Richard Kreuter (Inactive) Assignee: Backlog - Storage Execution Team
Resolution: Won't Fix Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Storage Execution
Participants:

 Description   

mongod should store its startup options in a file in the dbpath, so that we can check on startup whether our current options are different from our previous options in a possibly dangerous way. Here's why: for some server options, toggling them across mongod reboots can lead to badness that it'd probably be worthwhile to try to detect, at least so we can warn about the settings change at startup, if not more. For example:

--directoryperdb: toggling this across mongod reboots without also moving files around causes the mongod to start up with an empty set of databases, which can be construed as a data loss situation.

--replSet: toggling this per se isn't a problem, but frobbing other flags when restarting a process that was previously a replica set member can create problems. Occasionally people rebuild their data files after a crash by starting with --repair, which, due to the nature of --repair, can lead to data skew among replica set members. And changing --bind_ip or --port on a mongod that was a replica set member will cause that process to operate independent of the replica set.

--auth/--noauth: toggling auth will either break people's programs or invalidate people's security.

There are probably other combinations I'm not remembering. The ways these server flags tend to get toggled across reboots have included situations where config files got garbled into a deployment (e.g., the operator used a customized config file, but something replaced the config file by the time the mongod got rebooted), and cases where, during an emergency or operational transition scenario, an operator starts up a mongod with manually specified flags, possibly the wrong ones.

Relatedly, in the mongos, changing the configdb parameter (especially from 3 configsvrs to 1) could be very bad. Unfortunately the mongos doesn't have a dbpath, so preserving old options isn't obviously easy.
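
The startup check requested above, sketched as an operator-side wrapper. This is an added example, not part of the original ticket and not MongoDB code: the state file name `startup_options.json`, the function names, and the option dictionary keys are assumptions, and mongod itself writes no such file.

```python
import json
import os
import tempfile

# Hypothetical file name; mongod itself does not write this file.
STATE_FILE = "startup_options.json"


def load_previous(dbpath):
    """Return the options recorded at the last start, or None on first start."""
    try:
        with open(os.path.join(dbpath, STATE_FILE)) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return None


def save_current(dbpath, opts):
    """Atomically record the options for the next startup check."""
    fd, tmp = tempfile.mkstemp(dir=dbpath)
    with os.fdopen(fd, "w") as fh:
        json.dump(opts, fh, sort_keys=True)
    os.replace(tmp, os.path.join(dbpath, STATE_FILE))


def check_drift(prev, cur):
    """Compare previous and current options; return a list of warnings."""
    if prev is None:
        return []
    warnings = []
    if bool(prev.get("directoryperdb")) != bool(cur.get("directoryperdb")):
        warnings.append("directoryperdb toggled: existing databases may not be found")
    if bool(prev.get("auth")) != bool(cur.get("auth")):
        warnings.append("auth toggled: clients may break or access control may be off")
    if prev.get("replSet"):  # process was previously a replica set member
        if cur.get("repair"):
            warnings.append("repair on a former replica set member: risk of data skew")
        for key in ("bind_ip", "port"):
            if prev.get(key) != cur.get(key):
                warnings.append(f"{key} changed on a former replica set member")
    return warnings


if __name__ == "__main__":
    # Constructed sample: options from the last start vs. an emergency restart.
    with tempfile.TemporaryDirectory() as dbpath:
        save_current(dbpath, {"auth": True, "replSet": "rs0", "port": 27017})
        now = {"auth": False, "replSet": "rs0", "port": 27018, "repair": True}
        for w in check_drift(load_previous(dbpath), now):
            print("WARNING:", w)
```

Run the check before launching mongod and call `save_current` only after the operator has accepted any warnings, so a bad restart does not overwrite the last known-good record.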

