Discussion:
MongoDB always binding to public ip
ved
2018-10-28 18:50:37 UTC
Hello all,

I'm having a strange issue (that admittedly may or may not be related with
mongodb) which I'll try to break down as much as I can below.
If anybody needs any more info please just ask.

My goal is to have mongodb bind on localhost and a vpn interface that uses
zeroconf. The issue is that mongod seems to always also bind to the public
ip.

*Setup:*
Debian 9.5 (fully updated, network managed with systemd)
MongoDB 4.0.3 (official from repo.mongodb.org with fully default config
except for changing bindIp)

*Network:*
lo -> localhost
ens3 -> public interface with public ip assigned by the hosting company
vpn -> Tinc vpn interface with zeroconf ip (169.254.x.y) assigned by
systemd-networkd and that gets resolved by systemd-resolved as
hostname.local

All of the above is an updated setup (from scratch) of an older machine
that was doing the exact same function but using debian 8, mongo 3.4,
ifupdown scripts (instead of systemd-networkd) and Avahi (instead of
systemd-resolved)
The old machine has the correct behavior so I'm assuming that the issue is
with the updated network setup or mongodb.

*The issue:*
Below are the different behaviors according to what I set on net.bindIp in
/etc/mongod.conf

bindIp: 127.0.0.1
Works as expected

bindIp: 127.0.0.1,169.254.x.y
This works correctly and binds only to those ips but it's not useful
because zeroconf is a dynamic ip

bindIp: 127.0.0.1,hostname.local
Binds to localhost, the vpn ip (169.254.x.y) but also binds to my public ip
which is the main issue here.
This is what I need and how it's set up and running correctly on the
previous machine.

bindIp: hostname.local
Binds to the vpn ip (169.254.x.y) and again also binds on public ip.

As you can see, it appears as if whenever I use hostname.local, mongo also
binds to the public ip.
From the console running "ping hostname.local" correctly resolves to the
zeroconf ip. Setting the assigned zeroconf ip directly on bindIp also seems
to work and doesn't bind to the public ip, although it's not what I need.
I've tried increasing mongod's log verbosity to try and detect if anything
was being outputted in relation to the network but couldn't find anything
helpful.

So, although this issue is being manifested on mongo, it's still possible
that it's some network configuration issue that's the real culprit.

Nevertheless, if anybody has any ideas on why this may be happening or any
kind of suggestions about what to try it'd be greatly appreciated.

Cheers.
--
You received this message because you are subscribed to the Google Groups "mongodb-user"
group.

For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user+***@googlegroups.com.
To post to this group, send email to mongodb-***@googlegroups.com.
Visit this group at https://groups.google.com/group/mongodb-user.
To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/27407de4-2f63-4296-a49e-1c9dec41642a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
'Kevin Adistambha' via mongodb-user
2018-11-05 03:57:14 UTC
[Post content hidden in the archive.]
ved
2018-11-05 10:58:28 UTC
Hi Kevin,

Thanks for replying. And no, I still haven't figured out what's the issue
exactly.
In the meantime I've closed mongo's port on the public interface at the
firewall level as a kind of workaround for it binding to the public ip.

To reply to your questions:

I installed mongodb through mongodb.org's debian repositories
(repo.mongodb.org) using "apt-get install mongodb-org"

Output of db.serverCmdLineOpts():

db.serverCmdLineOpts()
{
    "argv" : [
        "/usr/bin/mongod",
        "--config",
        "/etc/mongod.conf"
    ],
    "parsed" : {
        "config" : "/etc/mongod.conf",
        "net" : {
            "bindIp" : "127.0.0.1,app.local",
            "port" : 27017
        },
        "processManagement" : {
            "timeZoneInfo" : "/usr/share/zoneinfo"
        },
        "storage" : {
            "dbPath" : "/var/lib/mongodb",
            "journal" : {
                "enabled" : true
            }
        },
        "systemLog" : {
            "destination" : "file",
            "logAppend" : true,
            "path" : "/var/log/mongodb/mongod.log"
        }
    },
    "ok" : 1
}

The content of /etc/mongod.conf:

# mongod.conf

# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,app.local

# how the process runs
processManagement:
  timeZoneInfo: /usr/share/zoneinfo

#security:

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:

Output of /etc/hosts: (masked ip and domain name, but format is as follows)

127.0.0.1 localhost
a.b.c.d app.mydomain.com app

With all the above configuration I get the following from netstat: (public
ip masked as a.b.c.d)

tcp 0 0 a.b.c.d:27017 0.0.0.0:* LISTEN
tcp 0 0 169.254.69.130:27017 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN

Running mongod from the command line as per your example yields the exact
same results on netstat.

Any hints or suggestions on what else to try will be greatly appreciated.

Cheers and thanks again.
'Kevin Adistambha' via mongodb-user
2018-11-06 04:41:53 UTC
Hi,

First of all please note that from what you described, this is a network
setup issue and not a MongoDB issue.

Having said that, I would presume that the unexpected binding you see is
due to the app.local name binding to the IP address you did not expect it
to. You can check if this is the case by trying to ping app.local from
itself, and see what IP address it resolves to.

Since a database server is primarily a static resource, it’s best to assign
a static IP address to important machines in your network (e.g. the machine
running mongod), and instruct mongod to bind to that static address. This
way, your application can just use the static address, aliased with a
readable name in their own /etc/hosts if so desired.

Another point for using a static IP is that MongoDB does not auto-refresh
the IP it’s binding to. So if for some reason the IP it binds to changes
(since you’re binding it to the name), then MongoDB would not be aware of
this and as a result needs to be restarted.

For the best response regarding network issues, I would recommend you to
ask a question in a network-related forum such as ServerFault
<https://serverfault.com/>.

Best regards,
Kevin
ved
2018-11-06 10:33:45 UTC
Hi again Kevin,

Post by 'Kevin Adistambha' via mongodb-user
> First of all please note that from what you described, this is a network
> setup issue and not a MongoDB issue.
>
> Having said that, I would presume that the unexpected binding you see is
> due to the app.local name binding to the IP address you did not expect it
> to. You can check if this is the case by trying to ping app.local from
> itself, and see what IP address it resolves to.

.local resolution is achieved with multicast dns
<https://en.wikipedia.org/wiki/.local>. There is no wrong binding or
hardcoding of the ".local" part of the hostname anywhere. I'm assuming
mongodb isn't doing the exact equivalent to a "ping app.local" internally
because running "ping app.local" on the local machine (or any other machine
on that vpn) resolves to the correct ips and never the public interface ip.

Also, even with verbosity at maximum, mongodb barely logs anything network
related which does not help. Knowing how exactly mongodb resolves its
hostnames would be greatly helpful since it appears as if it's bypassing the
local nsswitch.conf file which is what I assume would have it correctly
resolve the .local hostnames.

Post by 'Kevin Adistambha' via mongodb-user
> Since a database server is primarily a static resource, it’s best to
> assign a static IP address to important machines in your network (e.g. the
> machine running mongod), and instruct mongod to bind to that static
> address. This way, your application can just use the static address,
> aliased with a readable name in their own /etc/hosts if so desired.
>
> Another point for using a static IP is that MongoDB does not auto-refresh
> the IP it’s binding to. So if for some reason the IP it binds to changes
> (since you’re binding it to the name), then MongoDB would not be aware of
> this and as a result needs to be restarted.

This is always a good tip for people starting up or building apps in 1998.
But surely you can't be suggesting we hardcode ips on N client nodes just
because mongod is resolving a name differently than all existing net tools
on a unix system?

Post by 'Kevin Adistambha' via mongodb-user
> For the best response regarding network issues, I would recommend you to
> ask a question in a network-related forum such as ServerFault
> <https://serverfault.com/>.

Thanks for trying and for the suggestion.
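An added example, not code from the thread or from MongoDB: ping reports only the first address a name resolves to, whereas getaddrinfo() can return several, so this check lists every IPv4 address each bindIp entry resolves to and flags any outside loopback and 169.254.0.0/16. The function names, the constructed resolver and the placeholder 203.0.113.10 (standing in for the masked public ip) are assumptions, as is the idea that mongod listens on every address returned, which the thread does not confirm.

```python
import ipaddress
import socket

# Networks mongod is meant to listen on in the thread: loopback and the
# zeroconf (link-local) range used on the vpn interface.
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("169.254.0.0/16")]

def resolve_all(name, port=27017, resolver=socket.getaddrinfo):
    """Every distinct IPv4 address the resolver returns for name, in order."""
    infos = resolver(name, port, socket.AF_INET, socket.SOCK_STREAM)
    addrs = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs

def audit_bind_ip(bind_ip, resolver=socket.getaddrinfo):
    """Map each bindIp entry to its resolved addresses outside ALLOWED_NETS."""
    unexpected = {}
    for entry in (e.strip() for e in bind_ip.split(",")):
        if not entry:
            continue
        try:
            addrs = resolve_all(entry, resolver=resolver)
        except socket.gaierror:
            unexpected[entry] = ["<unresolvable>"]
            continue
        bad = [a for a in addrs
               if not any(ipaddress.ip_address(a) in n for n in ALLOWED_NETS)]
        if bad:
            unexpected[entry] = bad
    return unexpected

def constructed_resolver(name, port, family=0, type=0):
    """Constructed stand-in for getaddrinfo so the example runs offline."""
    table = {"127.0.0.1": ["127.0.0.1"],
             "app.local": ["169.254.69.130", "203.0.113.10"]}
    if name not in table:
        raise socket.gaierror(socket.EAI_NONAME, "constructed: unknown name")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port))
            for a in table[name]]

if __name__ == "__main__":
    # On the real host, drop resolver=... to query the system resolver.
    print(audit_bind_ip("127.0.0.1,app.local", resolver=constructed_resolver))
```

Run against the system resolver on the affected host, a non-empty result for a bindIp name means the name maps to more than the intended interface, regardless of what ping prints.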