MongoDB One-Click Application

MongoDB is a highly scalable NoSQL database with a document-based data model and an expressive query language. DigitalOcean’s MongoDB One-Click application lets you create a Droplet with MongoDB pre-installed to help get your application off the ground quickly.

Components

Component   Version
Linux       Ubuntu 18.04.1
MongoDB     Latest official mongodb-org

In addition to the package installation, the One-Click also:

  • Enables the UFW firewall to allow only SSH (port 22, rate limited), HTTP (port 80), and HTTPS (port 443) access.

Quickstart

After the MongoDB One-Click Droplet is created:

  • The MongoDB instance is available at 127.0.0.1:27017 and is bound to localhost by default. Note that UFW does not allow 27017 by default.

  • MongoDB’s configuration details are in /etc/mongod.conf.

In addition, there are a few customized setup steps that we recommend you take.

Fix MongoDB Startup Warnings

Once the Droplet is created, you can SSH to the server as root. Make sure to substitute the Droplet’s IP address.

ssh root@use_your_droplet_ip

Then you can connect to the test database with the MongoDB shell.

mongo

When you connect, you’ll see several startup warnings before you receive the MongoDB shell prompt:

Server has startup warnings:
2018-09-12T19:10:18.867+0000 I STORAGE  [initandlisten]
2018-09-12T19:10:18.867+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2018-09-12T19:10:18.867+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2018-09-12T19:10:19.637+0000 I CONTROL  [initandlisten]
2018-09-12T19:10:19.637+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2018-09-12T19:10:19.637+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2018-09-12T19:10:19.637+0000 I CONTROL  [initandlisten]

To resolve the STORAGE warning, you can set the storage engine to WiredTiger. WiredTiger is the default storage engine in modern versions of MongoDB (3.2+).

The CONTROL warning about unrestricted read/write access to the database and configuration means that any user logged into the Droplet will have access to the database and configuration until you set up access controls. However, remote access is blocked in two ways: MongoDB is bound to the local interface, so it doesn’t listen for requests from outside the local machine, and UFW is additionally configured to block port 27017, which MongoDB binds to.

Set Up Remote or Internet-Based Access

You can also access your MongoDB instance remotely via an SSH tunnel using:

ssh -L 4321:localhost:27017 use_your_username@use_your_droplet_ip -f -N
mongo --port 4321

This opens an SSH connection which allows you to access port 27017 of the remote server locally on port 4321. This can be useful for securely accessing your MongoDB instance without opening it up to accept connections via the wider internet.

In order to enable access over the internet, you need to modify the value of bind_ip in /etc/mongod.conf. However, before doing so, make sure to review the security checklist from the MongoDB documentation. In addition to enabling one of the forms of authentication supported by MongoDB, if you open a port to allow connection from the internet, you should also configure the firewall so that it only allows remote connections from specific IP addresses.
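
The following script is an added example, not part of the One-Click image or DigitalOcean's tooling. It classifies a mongod.conf by bind address and authorization setting, and checks ufw status output for a 27017 rule open to any source. The function names, file names and sample inputs are constructed for illustration; it reads the YAML key bindIp as well as the bind_ip name used above.

```sh
#!/bin/sh
# Added example: pre-flight check before exposing mongod beyond localhost.

# Print the first value of a "key: value" (YAML) or "key = value" (legacy) line,
# minus trailing comment, quotes and spaces. Commented-out lines do not match.
conf_value() (   # usage: conf_value <key-regex> <file>
  sed -n -E "s/^[[:space:]]*($1)[[:space:]]*[=:][[:space:]]*([^#]*).*/\2/p" "$2" |
    head -n 1 | tr -d "\"' "
)

# Classify a mongod.conf as: local-only | remote-auth | remote-noauth.
# No bindIp line counts as local-only (mongod's default since 3.6); only the
# YAML form of the authorization setting is recognised.
classify_mongod_conf() (
  bind=$(conf_value 'bindIp|bind_ip' "$1")
  [ "$(conf_value 'bindIpAll' "$1")" = "true" ] && bind=0.0.0.0
  exposure=local-only
  for addr in $(printf '%s' "$bind" | tr ',' ' '); do
    case $addr in
      127.*|localhost|::1|/*) ;;   # loopback address or UNIX socket path
      *) exposure=remote ;;
    esac
  done
  if [ "$exposure" = remote ]; then
    exposure=remote-noauth
    [ "$(conf_value 'authorization' "$1")" = "enabled" ] && exposure=remote-auth
  fi
  printf '%s\n' "$exposure"
)

# Succeeds if `ufw status` output on stdin allows 27017 from any source.
ufw_27017_open_to_any() { grep -E -q '^27017(/tcp)?[[:space:]].*ALLOW.*Anywhere'; }

# Constructed sample inputs (not taken from a real Droplet).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1\n' > "$demo_dir/default.conf"
printf 'net:\n  bindIp: 127.0.0.1,203.0.113.5\n#security:\n#  authorization: enabled\n' > "$demo_dir/exposed.conf"
printf 'net:\n  bindIp: 127.0.0.1,203.0.113.5\nsecurity:\n  authorization: enabled\n' > "$demo_dir/hardened.conf"
ufw_wide='27017/tcp                  ALLOW       Anywhere'
ufw_scoped='27017/tcp                  ALLOW       198.51.100.7'

for name in default exposed hardened; do
  printf '%-9s %s\n' "$name" "$(classify_mongod_conf "$demo_dir/$name.conf")"
done
if printf '%s\n' "$ufw_wide" | ufw_27017_open_to_any; then
  echo "ufw: 27017 is open to any source; restrict it to specific IP addresses"
fi
```

On a Droplet, point classify_mongod_conf at /etc/mongod.conf and pipe the output of ufw status into ufw_27017_open_to_any.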

API Creation

In addition to creating a Droplet from the MongoDB One-Click application via the control panel, you can also use the DigitalOcean API.

You can list all One-Click application images using the API. As an example, to create a 4GB MongoDB Droplet in the SFO2 region, you can use the following curl command. You’ll need to either save your API access token to an environment variable or substitute it into the command below.

curl -X POST -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $TOKEN" -d \
    '{"name":"choose_a_name","region":"sfo2","size":"4gb","image":"mongodb-18-04"}' \
    "https://api.digitalocean.com/v2/droplets"

Next Steps

To run MongoDB in production, there are several additional steps you should take, including:

  • Enabling access control and enforcing authentication
  • Configuring role-based access control
  • Encrypting client-server communication with SSL
  • Encrypting the data at rest or on each host