jme*_*mer 5 crash authentication mongodb kubernetes kubernetes-helm
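I have a K8s cluster running on OpenStack. I am using helm and the MongoDB helm chart 4.0.6 to deploy my application together with a single-node MongoDB 4.0.1. MongoDB appears to initialize and start just fine. However, once it is up, all authentication fails. One odd twist is that it worked initially, but now it fails every time I try/retry.
MongoDB log with the authentication failure: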
Welcome to the Bitnami mongodb container
Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-mongodb
Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-mongodb/issues
nami INFO Initializing mongodb
mongodb INFO ==> Deploying MongoDB from scratch...
mongodb INFO ==> No injected configuration files found. Creating default config files...
mongodb INFO ==> Creating root user...
mongodb INFO ==> Creating ars user...
mongodb INFO ==> Enabling authentication...
mongodb INFO
mongodb INFO
mongodb INFO Installation parameters for mongodb:
mongodb INFO Root Password: **********
mongodb INFO Username: ars
mongodb INFO Password: **********
mongodb INFO Database: ars02
mongodb INFO (Passwords are not shown for security reasons)
mongodb INFO
mongodb INFO
nami INFO mongodb successfully initialized
INFO ==> Starting mongodb...
INFO ==> Starting mongod...
and
2018-10-11T17:44:39.192+0000 I ACCESS [conn231] SASL SCRAM-SHA-1 authentication failed for ars on ars02 from client 10.100.49.5:37116 ; UserNotFound: Could not find user ars@ars02
Occasionally, I hit an assertion failure during the startup sequence:
2018-10-25T20:07:03.942+0000 F STORAGE [initandlisten] Unable to start up mongod due to missing featureCompatibilityVersion document.
2018-10-25T20:07:03.942+0000 F STORAGE [initandlisten] Please run with --repair to restore the document.
2018-10-25T20:07:03.942+0000 F - [initandlisten] Fatal Assertion 40652 at src/mongo/db/repair_database_and_check_version.cpp 579
2018-10-25T20:07:03.942+0000 F - [initandlisten]
Docker image environment:
MONGODB_ROOT_PASSWORD=ThisIsTheMongoRootPassword
MONGODB_PRIMARY_ROOT_USER=root
MONGODB_PRIMARY_ROOT_PASSWORD=
MONGODB_REPLICA_SET_MODE=
MONGODB_ADVERTISED_HOSTNAME=
MONGODB_PRIMARY_HOST=
MONGODB_REPLICA_SET_NAME=replicaset
MONGODB_DATABASE=ars02
MONGODB_PRIMARY_PORT_NUMBER=27017
MONGODB_EXTRA_FLAGS=
MONGODB_PASSWORD=ars
MONGODB_USERNAME=ars
MONGODB_ENABLE_IPV6=yes
MONGODB_REPLICA_SET_KEY=
Attempting to authenticate in the mongo shell:
$ mongo ars02 -u ars -p ars
MongoDB shell version v4.0.1
connecting to: mongodb://127.0.0.1:27017/ars02
MongoDB server version: 4.0.1
2018-10-11T17:54:05.601+0000 E QUERY [js] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1679:20
@(auth):6:1
@(auth):1:2
exception: login failed
$ mongo admin -u root -p ThisIsTheMongoRootPassword
MongoDB shell version v4.0.1
connecting to: mongodb://127.0.0.1:27017/ars02
MongoDB server version: 4.0.1
2018-10-11T17:54:32.645+0000 E QUERY [js] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1679:20
@(auth):6:1
@(auth):1:2
exception: login failed
$ mongo ars02 -u root -p ThisIsTheMongoRootPassword
MongoDB shell version v4.0.1
connecting to: mongodb://127.0.0.1:27017/admin
MongoDB server version: 4.0.1
2018-10-11T17:54:42.456+0000 E QUERY [js] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1679:20
@(auth):6:1
@(auth):1:2
exception: login failed
Relevant access log:
2018-10-11T18:05:17.544+0000 I ACCESS [conn134] Supported SASL mechanisms requested for unknown user 'ars@ars02'
2018-10-11T18:05:17.544+0000 I ACCESS [conn134] SASL SCRAM-SHA-1 authentication failed for ars on ars02 from client 127.0.0.
2018-10-11T18:02:43.542+0000 I ACCESS [conn50] Supported SASL mechanisms requested for unknown user 'root@admin'
2018-10-11T18:02:43.543+0000 I ACCESS [conn50] SASL SCRAM-SHA-1 authentication failed for root on admin from client 127.0.0.1:46832 ; UserNotFound: Could not find user root@admin
2018-10-11T18:04:11.144+0000 I ACCESS [conn100] Supported SASL mechanisms requested for unknown user 'root@ars02'
2018-10-11T18:04:11.144+0000 I ACCESS [conn100] SASL SCRAM-SHA-1 authentication failed for root on ars02 from client 127.0.0
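My loose understanding is that the initialization is driven by environment variables set by Kubernetes. The bitnami init script references a mongo-inputs.json, which seems to confirm this: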
$ cat mongodb-inputs.json
{
    "advertisedHostname": "{{$global.env.MONGODB_ADVERTISED_HOSTNAME}}",
    "database": "{{$global.env.MONGODB_DATABASE}}",
    "enableIPv6": "{{$global.env.MONGODB_ENABLE_IPV6}}",
    "password": "{{$global.env.MONGODB_PASSWORD}}",
    "primaryHost": "{{$global.env.MONGODB_PRIMARY_HOST}}",
    "primaryPort": "{{$global.env.MONGODB_PRIMARY_PORT_NUMBER}}",
    "primaryRootPassword": "{{$global.env.MONGODB_PRIMARY_ROOT_PASSWORD}}",
    "primaryRootUser": "{{$global.env.MONGODB_PRIMARY_ROOT_USER}}",
    "replicaSetKey": "{{$global.env.MONGODB_REPLICA_SET_KEY}}",
    "replicaSetMode": "{{$global.env.MONGODB_REPLICA_SET_MODE}}",
    "replicaSetName": "{{$global.env.MONGODB_REPLICA_SET_NAME}}",
    "rootPassword": "{{$global.env.MONGODB_ROOT_PASSWORD}}",
    "username": "{{$global.env.MONGODB_USERNAME}}"
}
My MongoDB deployment is:
---
# Source: v/charts/mongodb/templates/deployment-standalone.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: v-test-mongodb
  labels:
    app: mongodb
    chart: mongodb-4.0.6
    release: "v-test"
    heritage: "Tiller"
spec:
  template:
    metadata:
      labels:
        app: mongodb
        release: "v-test"
        chart: mongodb-4.0.6
    spec:
      securityContext:
        fsGroup: 1001
        runAsUser: 1001
      containers:
      - name: v-test-mongodb
        image: docker.io/bitnami/mongodb:4.0.1-debian-9
        imagePullPolicy: "Always"
        env:
        - name: MONGODB_ROOT_PASSWORD
          value: "ThisIsTheMongoRootPassword"
        - name: MONGODB_USERNAME
          value: "ars"
        - name: MONGODB_PASSWORD
          value: "ars"
        - name: MONGODB_DATABASE
          value: "ars02"
        - name: MONGODB_EXTRA_FLAGS
          value:
        ports:
        - name: mongodb
          containerPort: 27017
        livenessProbe:
          exec:
            command:
            - mongo
            - --eval
            - "db.adminCommand('ping')"
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 6
        readinessProbe:
          exec:
            command:
            - mongo
            - --eval
            - "db.adminCommand('ping')"
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 6
        volumeMounts:
        - name: data
          mountPath: /bitnami/mongodb
        resources:
          limits:
            cpu: 1
            memory: 6Gi
          requests:
            cpu: 100m
            memory: 1Gi
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: v-test-mongodb
---
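I switched from using MONGODB_DATABASE / MONGODB_USERNAME / MONGODB_PASSWORD to running an init script from the docker-entrypoint-initdb.d directory. That seems to have helped, but I still sometimes see authn and assert failures. When authn fails, my init script is unable to connect to the admin database as root to create the user/database.
Has anyone else seen these issues deploying mongodb?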
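A log triage sketch for the symptoms described above, added here as an example and not part of the original post: it groups mongod authentication failures by principal and reason code and collects fatal assertion codes. The names `triage` and `SAMPLE_LOG` are assumptions, and the sample lines are constructed in the log format quoted in the question.

```python
import re
from collections import Counter

# Constructed sample in the mongod 4.0 log format quoted in the question.
SAMPLE_LOG = """\
2018-10-11T17:44:39.192+0000 I ACCESS [conn231] SASL SCRAM-SHA-1 authentication failed for ars on ars02 from client 10.100.49.5:37116 ; UserNotFound: Could not find user ars@ars02
2018-10-11T18:02:43.543+0000 I ACCESS [conn50] SASL SCRAM-SHA-1 authentication failed for root on admin from client 127.0.0.1:46832 ; UserNotFound: Could not find user root@admin
2018-10-25T20:07:03.942+0000 F STORAGE [initandlisten] Unable to start up mongod due to missing featureCompatibilityVersion document.
2018-10-25T20:07:03.942+0000 F - [initandlisten] Fatal Assertion 40652 at src/mongo/db/repair_database_and_check_version.cpp 579
"""

# Layout: timestamp, severity, component, [context], message
LINE = re.compile(r"^\S+ (?P<sev>[A-Z]) (?P<comp>\S+)\s+\[[^\]]+\] (?P<msg>.*)$")
AUTH_FAIL = re.compile(
    r"SASL \S+ authentication failed for (?P<user>\S+) on (?P<db>\S+)"
    r" from client \S+(?: ; (?P<reason>\w+): )?"
)
FATAL_ASSERT = re.compile(r"Fatal Assertion (?P<code>\d+)")


def triage(log_text):
    """Group auth failures by principal and reason; collect fatal assertion codes."""
    failures, fatal = Counter(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        auth = AUTH_FAIL.search(m["msg"])
        if m["comp"] == "ACCESS" and auth:
            principal = f"{auth['user']}@{auth['db']}"
            # A truncated line carries no reason code after the client address.
            failures[(principal, auth["reason"] or "unspecified")] += 1
        hit = FATAL_ASSERT.search(m["msg"])
        if m["sev"] == "F" and hit:
            fatal.append(int(hit["code"]))
    # UserNotFound: the server has no such user in that authentication
    # database, which is a different condition from a rejected password.
    missing = sorted({p for p, reason in failures if reason == "UserNotFound"})
    return {"failures": dict(failures), "missing_users": missing,
            "fatal_assertions": fatal}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("users absent from the auth database:", report["missing_users"])
    print("fatal assertions at startup:", report["fatal_assertions"])
```

When both the root user and the application user come back as `UserNotFound`, the data directory mongod opened holds neither account, so the check belongs on the contents of the persistent volume rather than on the passwords.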