MongoDB with a replica set: authentication fails with MONGO_INITDB_ROOT_USERNAME and PASSWORD

Question (votes: 0, answers: 1)

I have a simple mongodb docker container. I use the official docker image, but override the entrypoint to fix some file permissions.

The environment variables MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD are set.

The entrypoint script looks like this:

#!/bin/bash

set -eu

mounted_keyfile="/keyfile"
mongo_keyfile="/mongo-keyfile"

# Copy the mounted keyfile, since we don't want to change the file on the host
cp $mounted_keyfile $mongo_keyfile

# Ensure the keyfile is owned by root and has the correct permissions
chown root:root $mongo_keyfile
chmod 400 $mongo_keyfile

exec mongod --auth --replSet rs0 --keyFile $mongo_keyfile --bind_ip_all

The docker compose file looks like this:

version: "3"

services:
  mongo:
    image: mongo:7.0.4
    restart: on-failure
    environment:
      MONGO_INITDB_ROOT_USERNAME: "${DEVENV_MONGO_USER}"
      MONGO_INITDB_ROOT_PASSWORD: "${DEVENV_MONGO_PASSWORD}"
    ports:
      - "${DEVENV_MONGO_PORT}:27017"
    entrypoint: /entrypoint.sh
    healthcheck:
      test: test $(mongosh --quiet --eval "rs.status().ok") -eq 1
      interval: 10s
    volumes:
      - ./mongo/keyfile:/keyfile:ro
      - ./mongo/entrypoint.sh:/entrypoint.sh
      - mongo_data:/data/db

volumes:
  mongo_data:

DEVENV_MONGO_USER is set to "root".
DEVENV_MONGO_PASSWORD is set to "rootpassword".

When I try to do anything with mongosh via

docker exec mongo mongosh -u root -p rootpassword

I get an "Authentication failed" error.

The mongod log for the failed connection:

{"t":{"$date":"2024-04-18T07:32:16.562+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:39478","uuid":{"uuid":{"$uuid":"816fdbe1-80d5-4d58-83a2-1e32198a4d9f"}},"connectionId":5023,"connectionCount":1}}
{"t":{"$date":"2024-04-18T07:32:16.567+00:00"},"s":"I",  "c":"NETWORK",  "id":51800,   "ctx":"conn5023","msg":"client metadata","attr":{"remote":"127.0.0.1:39478","client":"conn5023","doc":{"application":{"name":"mongosh 2.1.1"},"driver":{"name":"nodejs|mongosh","version":"6.3.0|2.1.1"},"platform":"Node.js v20.9.0, LE","os":{"name":"linux","architecture":"x64","version":"6.6.26-1-MANJARO","type":"Linux"}}}}
{"t":{"$date":"2024-04-18T07:32:16.570+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:39484","uuid":{"uuid":{"$uuid":"06465047-9444-4159-a92e-10c522d14373"}},"connectionId":5024,"connectionCount":2}}
{"t":{"$date":"2024-04-18T07:32:16.571+00:00"},"s":"I",  "c":"NETWORK",  "id":51800,   "ctx":"conn5024","msg":"client metadata","attr":{"remote":"127.0.0.1:39484","client":"conn5024","doc":{"application":{"name":"mongosh 2.1.1"},"driver":{"name":"nodejs|mongosh","version":"6.3.0|2.1.1"},"platform":"Node.js v20.9.0, LE","os":{"name":"linux","architecture":"x64","version":"6.6.26-1-MANJARO","type":"Linux"}}}}
{"t":{"$date":"2024-04-18T07:32:16.572+00:00"},"s":"I",  "c":"ACCESS",   "id":20251,   "ctx":"conn5024","msg":"Supported SASL mechanisms requested for unknown user","attr":{"user":{"user":"root","db":"admin"}}}
{"t":{"$date":"2024-04-18T07:32:16.572+00:00"},"s":"I",  "c":"ACCESS",   "id":6788604, "ctx":"conn5024","msg":"Auth metrics report","attr":{"metric":"acquireUser","micros":0}}
{"t":{"$date":"2024-04-18T07:32:16.572+00:00"},"s":"I",  "c":"ACCESS",   "id":5286307, "ctx":"conn5024","msg":"Failed to authenticate","attr":{"client":"127.0.0.1:39484","isSpeculative":true,"isClusterMember":false,"mechanism":"SCRAM-SHA-256","user":"root","db":"admin","error":"UserNotFound: Could not find user \"root\" for db \"admin\"","result":11,"metrics":{"conversation_duration":{"micros":66,"summary":{"0":{"step":1,"step_total":2,"duration_micros":50}}}},"extraInfo":{}}}
{"t":{"$date":"2024-04-18T07:32:16.573+00:00"},"s":"I",  "c":"ACCESS",   "id":6788604, "ctx":"conn5024","msg":"Auth metrics report","attr":{"metric":"acquireUser","micros":0}}
{"t":{"$date":"2024-04-18T07:32:16.573+00:00"},"s":"I",  "c":"ACCESS",   "id":5286307, "ctx":"conn5024","msg":"Failed to authenticate","attr":{"client":"127.0.0.1:39484","isSpeculative":false,"isClusterMember":false,"mechanism":"SCRAM-SHA-1","user":"root","db":"admin","error":"UserNotFound: Could not find user \"root\" for db \"admin\"","result":11,"metrics":{"conversation_duration":{"micros":297,"summary":{"0":{"step":1,"step_total":2,"duration_micros":284}}}},"extraInfo":{}}}
{"t":{"$date":"2024-04-18T07:32:16.575+00:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn5023","msg":"Connection ended","attr":{"remote":"127.0.0.1:39478","uuid":{"uuid":{"$uuid":"816fdbe1-80d5-4d58-83a2-1e32198a4d9f"}},"connectionId":5023,"connectionCount":1}}
{"t":{"$date":"2024-04-18T07:32:16.579+00:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn5024","msg":"Connection ended","attr":{"remote":"127.0.0.1:39484","uuid":{"uuid":{"$uuid":"06465047-9444-4159-a92e-10c522d14373"}},"connectionId":5024,"connectionCount":0}}

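Specifying the authentication database does not solve the problem. I also tried a different username in case it conflicted with the linux root user, but that had no effect either.

I think it has something to do with the replica set or the keyfile, but I could not find anything online that worked.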

mongodb docker
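
Added example (not part of the original post or of MongoDB's tooling): a small Python triage of the structured mongod log above. It groups "Failed to authenticate" events (log id 5286307) by user, database and error name, which separates an account that does not exist (UserNotFound, as in this log) from a rejected credential. The sample lines are trimmed copies of the log above plus one constructed AuthenticationFailed line; the function names are hypothetical.

```python
import json

# Constructed sample: two "Failed to authenticate" lines trimmed from the log above,
# one unrelated line, and one constructed wrong-password line for contrast.
SAMPLE_LOG = r'''
{"t":{"$date":"2024-04-18T07:32:16.562+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:39478"}}
{"t":{"$date":"2024-04-18T07:32:16.572+00:00"},"s":"I","c":"ACCESS","id":5286307,"ctx":"conn5024","msg":"Failed to authenticate","attr":{"client":"127.0.0.1:39484","isSpeculative":true,"mechanism":"SCRAM-SHA-256","user":"root","db":"admin","error":"UserNotFound: Could not find user \"root\" for db \"admin\"","result":11}}
{"t":{"$date":"2024-04-18T07:32:16.573+00:00"},"s":"I","c":"ACCESS","id":5286307,"ctx":"conn5024","msg":"Failed to authenticate","attr":{"client":"127.0.0.1:39484","isSpeculative":false,"mechanism":"SCRAM-SHA-1","user":"root","db":"admin","error":"UserNotFound: Could not find user \"root\" for db \"admin\"","result":11}}
{"t":{"$date":"2024-04-18T07:40:00.000+00:00"},"s":"I","c":"ACCESS","id":5286307,"ctx":"conn6000","msg":"Failed to authenticate","attr":{"client":"127.0.0.1:40000","isSpeculative":false,"mechanism":"SCRAM-SHA-256","user":"app","db":"admin","error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch","result":18}}
'''

HINTS = {
    "UserNotFound": "account does not exist in this database; check that it was ever created",
    "AuthenticationFailed": "account exists but the credential was rejected",
}

def triage_auth_failures(log_text):
    """Group 'Failed to authenticate' events (log id 5286307) by (user, db, reason)."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than abort the scan
        if entry.get("id") != 5286307:
            continue
        attr = entry.get("attr", {})
        reason = attr.get("error", "").split(":", 1)[0]  # error name before the first colon
        key = (attr.get("user", "?"), attr.get("db", "?"), reason)
        rec = findings.setdefault(key, {"count": 0, "mechanisms": set(), "clients": set()})
        rec["count"] += 1
        rec["mechanisms"].add(attr.get("mechanism", "?"))
        rec["clients"].add(attr.get("client", "?").rsplit(":", 1)[0])  # drop the source port
    return findings

def report(findings):
    """Render one line per (user, db, reason), sorted by that key."""
    lines = []
    for (user, db, reason), rec in sorted(findings.items(), key=lambda kv: kv[0]):
        hint = HINTS.get(reason, "see the mongod error text")
        lines.append(f"{user}@{db}: {reason} x{rec['count']} via {sorted(rec['mechanisms'])} -> {hint}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(triage_auth_failures(SAMPLE_LOG))))
```

With the official image, MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD are applied by the image's own entrypoint script, and only on an empty data directory, so UserNotFound for that account points at the init step rather than at the password.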
1 Answer
0 votes

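Through trial and error, I finally found the problem. Either the mongo docker container should not be run as root, or there was a problem with the file permissions.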

I ended up creating an "init" container to set the permissions correctly, and then running mongo as the non-root user 1000.

My docker compose file now looks like this:

version: "3"
services:
  mongo-init:
    image: busybox
    command: /bin/sh -c 'cp /keyfile /mongo/my-keyfile && chmod 400 /mongo/my-keyfile && chown -R 1000:1000 /mongo'
    volumes:
      - ./mongo/keyfile:/keyfile:ro
      - mongo_data:/mongo:rw

  mongo:
    image: mongo:7.0.4
    restart: on-failure
    user: "1000:1000"
    depends_on:
      mongo-init:
        condition: "service_completed_successfully"
    environment:
      MONGO_INITDB_ROOT_USERNAME: "${DEVENV_MONGO_USER}"
      MONGO_INITDB_ROOT_PASSWORD: "${DEVENV_MONGO_PASSWORD}"
    ports:
      - "${DEVENV_MONGO_PORT}:27017"
    command: --auth --replSet rs0 --keyFile /data/db/my-keyfile
    volumes:
      - mongo_data:/data/db
volumes:
  mongo_data:

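I was also able to drop the custom entrypoint.sh entirely.

If someone wants to add an answer explaining why this works now, I will gladly accept it. For now I just wanted to add my working setup in case anyone runs into the same problem.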
