I created a mongo docker container with an additional js script:

```dockerfile
ADD graylog.js /docker-entrypoint-initdb.d/graylog.js
```

The script creates two users:

```javascript
root = db.getSiblingDB('root');
root.createUser(
  {
    user: "root",
    pwd: "pass",
    roles: [
      { role: "dbOwner", db: "admin" }
    ]
  }
);

graylog = db.getSiblingDB('graylog');
graylog.createUser(
  {
    user: "graylog",
    pwd: "vWGzncmBe9",
    roles: [
      { role: "dbOwner", db: "graylog" }
    ]
  }
);
```

Unfortunately, even with just one user (the first one), connecting to the db and listing the available databases doesn't work:

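```python
from pymongo import MongoClient

# Connect as the "root" user defined in graylog.js and list the databases
client = MongoClient('mongodb://root:pass@localhost:27017/')
client.list_database_names()
```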

Authentication failed

And indeed in the mongo server logs, I see that root could not log in. graylog doesn't either with graylog server.

I did this with a brand new/clean volume, and I can confirm that setting MONGO_INITDB_ROOT_USERNAME/MONGO_INITDB_ROOT_PASSWORD does allow listing the databases.

The documentation on how to do this is not very clear. mongodb 3 could allow both environment variables and a script, but now, only one of them works, and only if mongo is not initialized.

So how can I set users from this script?

Edit:

Adding the mongo starting logs:

```text
2019-03-13T20:01:03.891+0000 I SHARDING [initandlisten] Marking collection local.system.replset as collection version: <unsharded>
2019-03-13T20:01:03.892+0000 I SHARDING [initandlisten] Marking collection admin.system.roles as collection version: <unsharded>
2019-03-13T20:01:03.892+0000 I SHARDING [initandlisten] Marking collection admin.system.version as collection version: <unsharded>
2019-03-13T20:01:03.893+0000 I SHARDING [initandlisten] Marking collection local.startup_log as collection version: <unsharded>
2019-03-13T20:01:03.893+0000 I FTDC     [initandlisten] Initializing full-time diagnostic data capture with directory '/data/db/diagnostic.data'
2019-03-13T20:01:03.894+0000 I SHARDING [initandlisten] Marking collection admin.system.users as collection version: <unsharded>
2019-03-13T20:01:03.894+0000 I SHARDING [initandlisten] Marking collection config.system.sessions as collection version: <unsharded>
```

No indication of the additional users :( I wonder if I should do these manually afterwards!

Matthieu Brucher
  • Please refer to the following answer, I have written instructions with example on how to create a database with a non-root user, which eventually you can use it to do other operations on mongodb container once you run it, if there is anything that was not clear let me know about it: https://stackoverflow.com/a/54967645/2336650 – Mostafa Hussein Mar 12 '19 at 23:07
  • @MostafaHussein In 4.1, you can't set `MONGO_INITDB_ROOT_USERNAME` and use a script, so how can I run the script? (https://github.com/docker-library/mongo/blob/master/4.1/docker-entrypoint.sh#L200 indicates that the scripts are only scanned if the two variables are not set). – Matthieu Brucher Mar 12 '19 at 23:18
  • Sorry, I didn't get it. You mean you cannot use `MONGO_INITDB_ROOT_USERNAME` for your own reasons? That's why you use a script to create the root and so on? If that's the case I guess overriding the entrypoint with a modified one would be better, what do you think? – Mostafa Hussein Mar 12 '19 at 23:21
  • No, if you set the variable, then you can't use a user script. Anyway, even if it did work because I misunderstood the entry point script, I still don't have the new user created (the one from the js script). So even if your solution worked for the question you answered, it doesn't solve my problem because `graylog` was not created (db or user). – Matthieu Brucher Mar 12 '19 at 23:24
  • Well my point was setting these variables `MONGO_INITDB_ROOT_USERNAME` and `MONGO_INITDB_ROOT_PASSWORD` which will enable db authentication during the container creation and startup process. Then defining **3 custom environment variables** for example `GRAYLOG_DB`, `GRAYLOG_DB_USER` and `GRAYLOG_DB_PASSWORD` these variables will be used in the init script to create a database and username with password assigned to it which means I can use to create a graylog db with user and password – Mostafa Hussein Mar 12 '19 at 23:28
  • If I set these variables, I don't get the created user or the db (`graylog`). I don't know how I could be clearer. – Matthieu Brucher Mar 12 '19 at 23:30
  • I guess you missed this part in the init script in my answer: `mongo admin -u $MONGO_INITDB_ROOT_USERNAME -p $MONGO_INITDB_ROOT_PASSWORD --eval` here we used the variables to authenticate then we can create graylog db and user. I have not tried with JS but I guess same concept can be applied – Mostafa Hussein Mar 12 '19 at 23:32
  • Let me work on an example and I will get back to you after I finish it to make things clearer – Mostafa Hussein Mar 12 '19 at 23:34
  • Tried this as well (bash), but no db named graylog. – Matthieu Brucher Mar 12 '19 at 23:41
  • Unfortunately, mongo shell does not handle environment variables in a straight way, however there is a workaround that can be done https://stackoverflow.com/a/55001111/2336650 but I am not familiar enough with the mongo shell to make it work, but I would suggest you test the bash solution, I have a working example here: https://gist.github.com/mostafahussein/83550cd16722101f81c3c2191f3767b2 – Mostafa Hussein Mar 13 '19 at 01:03
  • Thanks I will try this. Is there a way in the logs to see that the script was executed? Because I more or less did this, but still no graylog database when I do list_database_names() with root. – Matthieu Brucher Mar 13 '19 at 09:33
  • Yes the docker logs always print the progress and the docker-compose example already works as expected, I am not sure what the problem is that happens in your case but if the example didn't work for you then update the question with mongodb logs and ensure to delete any existing data as the init script works one time only as far as I know – Mostafa Hussein Mar 13 '19 at 09:37
  • OK, so that must be my clue then, I don't see on the logs the fact that it executes the sh or the js file, despite them being in the init.d folder. I'll update the question tonight. Thanks a lot for the help. – Matthieu Brucher Mar 13 '19 at 09:56
  • Interesting, if I run the entry point manually (`docker-entrypoint.sh mongod`), then I see that the entry point is run... – Matthieu Brucher Mar 13 '19 at 20:31
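
Added example, not part of the original question or comments: MongoDB looks a user up in the database on which `createUser()` was called, and a URI with neither `authSource` nor a database in its path authenticates against `admin`. The sketch below (standard library only; `CREATED_IN`, `auth_database` and `check_login` are hypothetical names) compares the question's URI with where its script would create each user, assuming the script has actually run.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed from the question's init script: user name -> database whose
# getSiblingDB(...) handle createUser() is called on.
CREATED_IN = {"root": "root", "graylog": "graylog"}


def auth_database(uri: str) -> str:
    """Database a password login is checked against for this URI.

    Resolution order used by MongoDB drivers: the authSource option, then
    the database named in the URI path, then "admin".
    """
    parts = urlsplit(uri)
    if parts.scheme != "mongodb":
        raise ValueError("only plain mongodb:// URIs are handled here")
    # Option names are case-insensitive in MongoDB connection strings.
    options = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
    if options.get("authsource"):
        return options["authsource"]
    path_db = unquote(parts.path.lstrip("/"))
    return path_db or "admin"


def check_login(uri: str, created_in=CREATED_IN) -> str:
    """Report whether the URI authenticates where the script creates the user."""
    user = unquote(urlsplit(uri).username or "")
    if not user:
        return "no credentials in URI"
    actual = created_in.get(user)
    if actual is None:
        return f"user {user!r} is not created by the script"
    wanted = auth_database(uri)
    if actual != wanted:
        return (f"mismatch: {user!r} is created in {actual!r}, "
                f"URI authenticates against {wanted!r}")
    return f"ok: {user!r} authenticates against {actual!r}"


if __name__ == "__main__":
    for uri in (
        "mongodb://root:pass@localhost:27017/",                  # URI from the question
        "mongodb://root:pass@localhost:27017/?authSource=root",
        "mongodb://graylog:vWGzncmBe9@localhost:27017/graylog",
    ):
        print(check_login(uri))
```

This check says nothing about whether the entrypoint executed the script, which is the open point in the comments above.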
