MongoDB 3.4 + Sharding/ConfigServer/Security Functionality

.gitignore

@@ -0,0 +1 @@
+help.1

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "common"]
 	path = common
 	url = https://github.com/sclorg/container-common-scripts.git
+[submodule "examples/container-quickstarts"]
+	path = examples/container-quickstarts
+	url = https://github.com/redhat-cop/containers-quickstarts.git

3.4-tar/Dockerfile

@@ -0,0 +1,96 @@
+FROM centos:centos7
+
+ENV CONTAINER="docker" \
+    LANG="en_US.UTF-8" \
+    TERM="xterm" \
+    HOME="/var/lib/mongodb" \
+    MONGODB_MAJOR="3" \
+    MONGODB_MINOR="4" \
+    MONGODB_PATCH="6" \
+    CONTAINER_SCRIPTS_PATH="/usr/share/container-scripts/mongodb" \
+    NAMESPACE="rh" \
+    MONGODB_SRC="https://fastdl.mongodb.org/linux" \
+    NSS_SRC="https://dl.fedoraproject.org/pub/epel/7/x86_64/n" \
+    NSS_RPM="nss_wrapper-1.1.3-1.el7.x86_64.rpm"
+
+ENV SUMMARY="MongoDB NoSQL database server" \
+    DESCRIPTION="MongoDB (from humongous) is a free and open-source \
+    cross-platform document-oriented database program. Classified as a NoSQL \
+    database program, MongoDB uses JSON-like documents with schemas. This \
+    container image contains programs to run mongod server." \
+    MONGODB_HOME="/opt/$NAMESPACE/mongodb$MONGODB_MAJOR$MONGODB_MINOR" \
+    MONGODB_VERSION="$MONGODB_MAJOR.$MONGODB_MINOR" \
+# Incantations to enable Software Collections on `bash` and `sh -i`
+    ENABLED_COLLECTIONS="$NAMESPACE-mongodb$MONGODB_MAJOR$MONGODB_MINOR" \
+    BASH_ENV="$CONTAINER_SCRIPTS_PATH/scl_enable" \
+    ENV="$CONTAINER_SCRIPTS_PATH/scl_enable" \
+    PROMPT_COMMAND=". $CONTAINER_SCRIPTS_PATH/scl_enable" \
+    MONGODB_ARCHIVE="mongodb-linux-x86_64-rhel70-$MONGODB_MAJOR.$MONGODB_MINOR.$MONGODB_PATCH.tgz"
+
+LABEL summary="$SUMMARY" \
+      io.k8s.description="$DESCRIPTION" \
+      io.k8s.display-name="MongoDB $MONGODB_VERSION" \
+      io.openshift.expose-services="27017:tcp" \
+      io.openshift.tags="mongodb" \
+      com.redhat.component="$ENABLED_COLLECTIONS-docker" \
+      name="centos/mongodb-$MONGODB_MAJOR$MONGODB_MINOR-centos7" \
+      version="$MONGODB_VERSION" \
+      release="$MONGODB_PATCH" \
+      maintainer="SoftwareCollections.org <sclorg@redhat.com>"
+
+# Install MongoDB dependencies
+RUN yum -y install --setopt=tsflags=nodocs \
+                   bind-utils              \
+                   cyrus-sasl              \
+                   cyrus-sasl-gssapi       \
+                   cyrus-sasl-plain        \
+                   gettext                 \
+                   lm_sensors-libs         \
+                   net-snmp                \
+                   net-snmp-agent-libs     \
+                   openssl                 \
+                   tcp_wrappers-libs       \
+# Support arbitrary UIDs - `cmake` and `nss_wrapper` via EPEL
+                   cmake                   \
+&& rpm -ihv $NSS_SRC/$NSS_RPM              \
+&& yum -y clean all \
+# Install MongoDB archive
+&& mkdir -p $MONGODB_HOME \
+&& curl -L $MONGODB_SRC/$MONGODB_ARCHIVE \
+| tar -xzf - -C $MONGODB_HOME --strip 1 \
+# Remove systemd boot targets - improves container init performance
+&& (cd /lib/systemd/system/sysinit.target.wants \
+&& for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -vf $i; done) \
+&& rm -rf /lib/systemd/system/multi-user.target.wants/*      \
+          /etc/systemd/system/*.wants/*                      \
+          /lib/systemd/system/local-fs.target.wants/*        \
+          /lib/systemd/system/sockets.target.wants/*udev*    \
+          /lib/systemd/system/sockets.target.wants/*initctl* \
+          /lib/systemd/system/basic.target.wants/*           \
+          /lib/systemd/system/anaconda.target.wants/*
+
+EXPOSE 27017
+
+ENTRYPOINT ["container-entrypoint"]
+
+COPY root /
+
+# Create files and directory locations
+RUN touch /etc/mongod.conf \
+&& mkdir -p /var/lib/mongodb/data /var/lib/mongodb/log /var/lib/mongodb/run   \
+&& /usr/libexec/fix-permissions $CONTAINER_SCRIPTS_PATH/template              \
+                                /etc/mongod.conf                              \
+                                /var/lib/mongodb                              \
+                                /var/lib/mongodb/data                         \
+                                /var/lib/mongodb/log                          \
+                                /var/lib/mongodb/run                          \
+                                $MONGODB_HOME                                 \
+&& ln -s $MONGODB_HOME/bin/* /usr/bin
+
+VOLUME ["/var/lib/mongodb/data"]
+
+WORKDIR /var/lib/mongodb
+
+USER 184
+
+CMD ["run-mongod"]

3.4-tar/README.md

@@ -0,0 +1 @@
+root/usr/share/container-scripts/mongodb/README.md

3.4-tar/cccp.yml

@@ -0,0 +1 @@
+job-id: mongodb-34-tar-centos7

3.4-tar/root/usr/bin/cgroup-limits

@@ -0,0 +1,92 @@
+#!/usr/bin/python
+
+"""
+Script for parsing cgroup information
+
+This script will read some limits from the cgroup system and parse
+them, printing out "VARIABLE=VALUE" on each line for every limit that is
+successfully read. Output of this script can be directly fed into
+bash's export command. Recommended usage from a bash script:
+
+    set -o errexit
+    export_vars=$(cgroup-limits) ; export $export_vars
+
+Variables currently supported:
+    MAX_MEMORY_LIMIT_IN_BYTES
+        Maximum possible limit MEMORY_LIMIT_IN_BYTES can have. This is
+        currently constant value of 9223372036854775807.
+    MEMORY_LIMIT_IN_BYTES
+        Maximum amount of user memory in bytes. If this value is set
+        to the same value as MAX_MEMORY_LIMIT_IN_BYTES, it means that
+        there is no limit set. The value is taken from
+        /sys/fs/cgroup/memory/memory.limit_in_bytes
+    NUMBER_OF_CORES
+        Number of detected CPU cores that can be used. This value is
+        calculated from /sys/fs/cgroup/cpuset/cpuset.cpus
+    NO_MEMORY_LIMIT
+        Set to "true" if MEMORY_LIMIT_IN_BYTES is so high that the caller
+        can act as if no memory limit was set. Undefined otherwise.
+"""
+
+from __future__ import print_function
+import sys
+
+
+def _read_file(path):
+    try:
+        with open(path, 'r') as f:
+            return f.read().strip()
+    except IOError:
+        return None
+
+
+def get_memory_limit():
+    """
+    Read memory limit, in bytes.
+    """
+
+    limit = _read_file('/sys/fs/cgroup/memory/memory.limit_in_bytes')
+    if limit is None or not limit.isdigit():
+        print("Warning: Can't detect memory limit from cgroups",
+              file=sys.stderr)
+        return None
+    return int(limit)
+
+
+def get_number_of_cores():
+    """
+    Read number of CPU cores.
+    """
+
+    core_count = 0
+
+    line = _read_file('/sys/fs/cgroup/cpuset/cpuset.cpus')
+    if line is None:
+        print("Warning: Can't detect number of CPU cores from cgroups",
+              file=sys.stderr)
+        return None
+
+    for group in line.split(','):
+        core_ids = list(map(int, group.split('-')))
+        if len(core_ids) == 2:
+            core_count += core_ids[1] - core_ids[0] + 1
+        else:
+            core_count += 1
+
+    return core_count
+
+
+if __name__ == "__main__":
+    env_vars = {
+        "MAX_MEMORY_LIMIT_IN_BYTES": 9223372036854775807,
+        "MEMORY_LIMIT_IN_BYTES": get_memory_limit(),
+        "NUMBER_OF_CORES": get_number_of_cores()
+    }
+
+    env_vars = {k: v for k, v in env_vars.items() if v is not None}
+
+    if env_vars.get("MEMORY_LIMIT_IN_BYTES", 0) >= 92233720368547:
+        env_vars["NO_MEMORY_LIMIT"] = "true"
+
+    for key, value in env_vars.items():
+        print("{0}={1}".format(key, value))

3.4-tar/root/usr/bin/container-entrypoint

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec "$@"

3.4-tar/root/usr/bin/mongo-is-ready

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+source ${CONTAINER_SCRIPTS_PATH:-}/environment
+source ${CONTAINER_SCRIPTS_PATH:-}/db/common.sh
+
+exit $(mongo_is_up) && stat /tmp/initialized

3.4-tar/root/usr/bin/run-configsvr

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+#
+# This serves as a container entrypoint for running a MongoDB sharding configuration server. See the README for required ENV variables
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# shellcheck source=/dev/null
+source ${CONTAINER_SCRIPTS_PATH:-}/environment
+
+# shellcheck source=/dev/null
+source ${CONTAINER_SCRIPTS_PATH:-}/generate_container_user
+
+# shellcheck source=/dev/null
+source ${CONTAINER_SCRIPTS_PATH:-}/db/replset/configsvr/init-configsvr
+
+unset share_files share_file
+trap cleanup SIGINT SIGTERM
+
+log_info "Checking required env variables"
+check_repl_env_vars
+
+log_info "Checking data directory"
+check_data_dir
+
+log_info "Setting up storage cache"
+setup_wiredtiger_cache "${CONTAINER_SCRIPTS_PATH:-}/template/mongod.conf.template"
+
+log_info "Setting up config file"
+if [[ ! -s "$MONGODB_CONFIG_PATH" ]]; then
+	envsubst < "${CONTAINER_SCRIPTS_PATH:-}/template/mongod.conf.template" > "$MONGODB_CONFIG_PATH"
+fi
+
+log_info "Settings up keys"
+setup_keyfile
+
+if [[ "${ENABLE_TLS:-}" == "true" ]]; then
+	log_info "TLS enabled"
+	if [ ! -n "${SSL_CA_FILE:-}" ]; then
+		log_info "A certificate authority (SSL_CA_FILE) was not set. Assuming self-signed"
+	else
+		ca_opts="--sslCAFile ${SSL_CA_FILE}"
+	fi
+	setup_certificate
+	TLS="--sslMode requireSSL --sslPEMKeyFile ${MONGO_TLS_CERTIFICATE} ${ca_opts:-} ${ADDITIONAL_SSL_OPTS:-}"
+fi
+
+log_info "Starting mongo configuration server"
+$MONGOD --config "$MONGODB_CONFIG_PATH" --configsvr ${TLS:-} --keyFile $MONGODB_KEYFILE_PATH --replSet ${MONGODB_REPLICA_NAME:-} ${ADDITIONAL_STARTUP_OPTS:-} &
+
+log_info "Initializing.."
+configure_configsvr
+
+wait_for_mongo_up
+#Make sure environment variables don't propagate passed initialization
+unset_env_vars
+log_pass "Ready"
+tail_mongodb_log
+wait

3.4-tar/root/usr/bin/run-mongos

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# This serves as a container entrypoint for running a MongoDB shard router. See the README for required ENV variables
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# shellcheck source=/dev/null
+source ${CONTAINER_SCRIPTS_PATH:-}/environment
+
+# shellcheck source=/dev/null
+source ${CONTAINER_SCRIPTS_PATH:-}/generate_container_user
+
+# shellcheck source=/dev/null
+source ${CONTAINER_SCRIPTS_PATH:-}/db/mongos/init-mongos
+
+unset share_files share_file
+trap cleanup SIGINT SIGTERM
+
+log_info "Checking required env variables"
+check_mongos_env_vars
+
+log_info "Setting up config file"
+if [[ ! -s "$MONGODB_CONFIG_PATH" ]]; then
+	envsubst < "${CONTAINER_SCRIPTS_PATH:-}/template/mongos.conf.template" > "$MONGODB_CONFIG_PATH"
+fi
+
+log_info "Settings up keys"
+setup_keyfile
+
+if [[ "${ENABLE_TLS:-}" == "true" ]]; then
+	log_info "TLS enabled"
+	if [ ! -n "${SSL_CA_FILE:-}" ]; then
+		log_info "A certificate authority (SSL_CA_FILE) was not set. Assuming self-signed"
+	else
+		ca_opts="--sslCAFile ${SSL_CA_FILE}"
+	fi
+	setup_certificate
+	TLS="--sslMode requireSSL --sslPEMKeyFile ${MONGO_TLS_CERTIFICATE} ${ca_opts:-} ${ADDITIONAL_SSL_OPTS:-}"
+fi
+
+$MONGOS --config "$MONGODB_CONFIG_PATH" --keyFile $MONGODB_KEYFILE_PATH ${TLS:-} --configdb "${CONFIG_REPLSET_NAME}/${CONFIG_REPLSET_SERVER}" ${ADDITIONAL_STARTUP_OPTS:-} &
+
+wait_for_mongo_up
+
+log_info "Initializing.."
+configure_mongos
+
+#Make sure environment variables don't propagate passed initialization
+unset_env_vars
+log_pass "Ready"
+tail_mongodb_log
+wait