Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Duplicate
Priority: Major - P3
Fix Version/s: None
Affects Version/s: 4.4.0
Component/s: Replication, Shell
Labels:
- KP44

Assigned Teams:

Replication
Operating System:
ALL
Steps To Reproduce:

Hide

1. docker-compose.yml
version: '2.4'

services:
mongo:
image: mongo:4.4
command: ["mongod", "--config", "/etc/mongo/mongod.conf"]
volumes:
- './mongod.conf:/etc/mongo/mongod.conf'
- './mongo.pem:/etc/mongo/mongo.pem'
ports:
- '27017:27017'

2. mongod.conf
net:
tls:
mode: requireTLS
certificateKeyFile: /etc/mongo/mongo.pem
replication:
replSetName: horizons

3. Create certs:
bin/openssl req -new -x509 -newkey rsa:2048 -keyout mongo.key -nodes -out mongo.crt -subj "/CN=mongo" -addext "subjectAltName=DNS:mongo,DNS:localhost,IP:127.0.0.1"
cat mongo.crt mongo.key > mongo.pem

4. Run in mongo shell (mongo --tls --tlsCAFile mongo.crt):
rs.initiate({
_id: "horizons",
members: [
{_id: 0, host: "mongo", horizons: {"localhost": "localhost"}}
],
{color:#d4d4d4}})

5. Try to connect with: mongo --tls --tlsCAFile mongo.crt mongodb://localhost/?replicaSet=horizons

You can add --verbose to mongo to see the log of course.

Show
1. docker-compose.yml version : '2.4' services : mongo : image : mongo:4.4 command : [ "mongod" , "--config" , "/etc/mongo/mongod.conf" ] volumes : - './mongod.conf:/etc/mongo/mongod.conf' - './mongo.pem:/etc/mongo/mongo.pem' ports : - '27017:27017' 2. mongod.conf net : tls : mode : requireTLS certificateKeyFile : /etc/mongo/mongo.pem replication : replSetName : horizons 3. Create certs: bin/openssl req -new -x509 -newkey rsa:2048 -keyout mongo.key -nodes -out mongo.crt -subj "/CN=mongo" -addext "subjectAltName=DNS:mongo,DNS:localhost,IP:127.0.0.1" cat mongo.crt mongo.key > mongo.pem 4. Run in mongo shell ( mongo --tls --tlsCAFile mongo.crt ): rs . initiate ({ _id : "horizons" , members : [ { _id : 0 , host : "mongo" , horizons : { "localhost" : "localhost" }} ], {color:#d4d4d4}}) 5. Try to connect with: mongo --tls --tlsCAFile mongo.crt mongodb://localhost/?replicaSet=horizons You can add --verbose to mongo to see the log of course.

I'm trying to evaluate the split horizons feature using just a basic:

replicaSetHorizons:
  - "localhost": "localhost:<nodePort>"

With minikube. It doesn't seem to work with mongo shell:

mongo --tls --tlsCAFile mongo.crt --verbose "mongodb://localhost/?replicaSet=horizons"

I was curious on the implementation, so tried to isolate this further, it looks to me that this works using an undocumented property of the replicaset members named horizons, so I tried setting it myself using a single Mongo in Docker:

rs.initiate({    
    _id: "horizons",
    members: [        
        {_id: 0, host: "mongo", horizons: {"localhost": "localhost"}} 
    ],
}))

And got the same result. Looking at the log of the mongo shell and trying out the isMaster command for myself, it looks like the first response does indeed respent the horizons setting, but then subsequent isMaster responses from the same connection then fail to respect the horizons config (They don't persist the SNI name for awaitable/exhaust isMaster? Whatever is used today)

Using mongo from the mongo:4.4 official Docker image on Docker 19.03.12 on mac.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

log.txt
Aug 20 2020 10:56:23 PM UTC
31 kB
Someone Somebody

duplicates

SERVER-50736 Make OpenSSL explicitly accept SNIs presented in ClientHello

Closed

Assignee:: [DO NOT USE] Backlog - Replication Team

Reporter:: Someone Somebody

Participants:: [DO NOT USE] Backlog - Replication Team, Someone Somebody, Steven Vannelli

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: Aug 20 2020 11:06:22 PM UTC

Updated:: Dec 06 2022 02:11:36 AM UTC

Resolved:: Sep 08 2020 06:34:46 PM UTC

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates