Require authentication for clients

[geek]

• Authentication mode is now enabled
• Replica members now use a keyfile for authentication
• Added script.sh file for easy _env creation
• Update to latest MongoDB release

[yosifkit]

A few comments on the mongodb setup script.

[yosifkit]

This should probably be mongod --fork --bind_ip 127.0.0.1 --logpath /dev/stdout --config /etc/mongod.conf to ensure that it runs with only local access, has the same config as the real instance, and when it returns will be ready for access and so we won't need the while ! nc .... The reason for the bind_ip is to prevent external services from getting a connection followed by a rejection (since auth is on and no user created), and instead just prevent connections altogether.

Not sure if a --port is necessary, since the default is 27017.

(Similar discussion on the official image docker-library/mongo#53)

[yosifkit]

Assuming this overwrote itself (setup_mongo.sh), this would only work on restarts of the current container, but would not prevent a second user creation when a user reuses an old data directory (like docker-compose when run on non-triton). In looking to add similar functionality to the mongo official image (docker-library/mongo#53 (comment)), we didn't yet have a way to detect that this was an already initialized database directory to prevent trying to create the user a second time.

[geek]

I am not sure how to solve this either.

[tgross]

mkdir an empty dir into a well-known location in the data directory. If the mkdir fails (which it will if it already exists), we can just bail out there.

[yosifkit]

Might want to have a set -e here so that failures of individual lines will cause the script to stop.

[geek]

Updated

[tianon]

FYI, I've filed docker-library/mongo#145 upstream to get a general solution to the initialization/user creation problem.

[tgross]

(no-op comment to get this old PR off my pulls page 😀 )