Docs4dev
Docs
mongodb / v3.6 / reference / administration-configuration.html

Run-time Database Configuration

On this page

The command line and configuration file interfaces provide MongoDB administrators with a large number of options and settings for controlling the operation of the database system. This document provides an overview of common configurations and examples of best-practice configurations for common use cases.

While both interfaces provide access to the same collection of options and settings, this document primarily uses the configuration file interface. If you installed MongoDB with a package manager such as yum or apt on Linux, or brew on macOS, a default configuration file has been provided as part of your installation:

  • On Linux, a default /etc/mongod.conf configuration file is included when using a package manager to install MongoDB.
  • On Windows, a default <install directory>/bin/mongod.cfg configuration file is included during the installation.
  • On macOS, a default /usr/local/etc/mongod.conf configuration file is included when installing from MongoDB’s official Homebrew tap.

For package installations of MongoDB on Linux or macOS, an initialization script which uses this default configuration file is also provided. This initialization script can be used to start the mongod on these platforms in the following manner:

  • On Linux systems that use the systemd init system (the systemctl command):

    sudo systemctl start mongod

  • On Linux systems that use the SystemV init init system (the service command):

    sudo service mongod start

  • On macOS, using the brew package manger:

    brew services start mongodb-community@3.6

If you installed MongoDB using a TGZ or ZIP file, you will need to create your own configuration file. A basic example configuration can be found later in this document. Once you have created a configuration file, you can start a MongoDB instance with this configuration file by using either the --config or -f options to mongod:

mongod --config /etc/mongod.conf
mongod -f /etc/mongod.conf

Modify the values in the /etc/mongod.conf file on your system to control the configuration of your database instance.

Configure the Database

Consider the following basic configuration:

processManagement:
   fork: true
net:
   bindIp: 127.0.0.1
   port: 27017
storage:
   dbPath: /var/lib/mongo
systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   journal:
      enabled: true

For most standalone servers, this is a sufficient base configuration. It makes several assumptions, but consider the following explanation:

  • fork is true, which enables a daemon mode for mongod, which detaches (i.e. “forks”) the MongoDB from the current session and allows you to run the database as a conventional server.

  • bindIp is 127.0.0.1, which forces the server to only listen for requests on the localhost IP. Only bind to secure interfaces that the application-level systems can access with access control provided by system network filtering (i.e. “firewall”).

  • port is 27017, which is the default MongoDB port for database instances. MongoDB can bind to any port. You can also filter access based on port using network filtering tools.

    Note

    UNIX-like systems require superuser privileges to attach processes to ports lower than 1024.

  • quiet is true. This disables all but the most critical entries in output/log file, and is not recommended for production systems. If you do set this option, you can use setParameter to modify this setting during run time.

  • dbPath is /var/lib/mongo, which specifies where MongoDB will store its data files.

    If you installed MongoDB on Linux using a package manager, such as yum or apt, the /etc/mongod.conf file provided with your MongoDB installation sets the following default dbPath, depending on your Linux distro:

    Platform Package Manager Default dbPath
    RHEL / CentOS and Amazon yum /var/lib/mongo
    SUSE zypper /var/lib/mongo
    Ubuntu and Debian apt /var/lib/mongodb
    macOS brew /usr/local/var/mongodb

    The user account that mongod runs under will need read and write access to this directory.

  • systemLog.path is /var/log/mongodb/mongod.log which is where mongod will write its output. If you do not set this value, mongod writes all output to standard output (e.g. stdout.)

  • logAppend is true, which ensures that mongod does not overwrite an existing log file following the server start operation.

  • storage.journal.enabled is true, which enables journaling. Journaling ensures single instance write-durability. 64-bit builds of mongod enable journaling by default. Thus, this setting may be redundant.

Given the default configuration, some of these values may be redundant. However, in many situations explicitly stating the configuration increases overall system intelligibility.

Security Considerations

The following configuration options are useful for limiting access to a mongod instance:

net:
   bindIp: 127.0.0.1,10.8.0.10,192.168.4.24,/tmp/mongod.sock
security:
   authorization: enabled
net.bindIp

This example provides four values to the bindIp option:

  • 127.0.0.1, the localhost interface;
  • 10.8.0.10, a private IP address typically used for local networks and VPN interfaces;
  • 192.168.4.24, a private network interface typically used for local networks; and
  • /tmp/mongod.sock, a Unix domain socket path.

Because production MongoDB instances need to be accessible from multiple database servers, it is important to bind MongoDB to multiple interfaces that are accessible from your application servers. At the same time it’s important to limit these interfaces to interfaces controlled and protected at the network layer.

security.authorization
Setting this option to true enables the authorization system within MongoDB. If enabled you will need to log in by connecting over the localhost interface for the first time to create user credentials.

See also

Security

Replication and Sharding Configuration

Replication Configuration

Replica set configuration is straightforward, and only requires that the replSetName have a value that is consistent among all members of the set. Consider the following:

replication:
   replSetName: set0

Use descriptive names for sets. Once configured, use the mongo shell to add hosts to the replica set.

To enable authentication for the replica set, add the following keyFile option:

security:
   keyFile: /srv/mongodb/keyfile

Setting keyFile enables authentication and specifies a key file for the replica set member use to when authenticating to each other. The content of the key file is arbitrary, but must be the same on all members of the replica set and mongos instances that connect to the set. The keyfil