From 529c6e804b32bde14ff24aa8387435e718ddfe4c Mon Sep 17 00:00:00 2001 From: geek Date: Tue, 7 Mar 2017 09:37:15 -0600 Subject: [PATCH 1/5] Add create user script --- Dockerfile | 7 ++++--- bin/setup_user.sh | 15 +++++++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) create mode 100755 bin/setup_user.sh diff --git a/Dockerfile b/Dockerfile index 6e05ce8..1a25a96 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM mongo:3.2 +FROM mongo:3.4 RUN apt-get update \ && apt-get install -y \ @@ -6,6 +6,7 @@ RUN apt-get update \ python-dev \ gcc \ curl \ + netcat \ libffi-dev \ libssl-dev \ && rm -rf /var/lib/apt/lists/* @@ -44,6 +45,6 @@ ENTRYPOINT [] CMD [ \ "containerpilot", \ "mongod", \ - "--replSet=joyent" \ + "--replSet=joyent", \ + "--auth" \ ] - diff --git a/bin/setup_user.sh b/bin/setup_user.sh new file mode 100755 index 0000000..a93e1ae --- /dev/null +++ b/bin/setup_user.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +echo "Start MongoDB without access control." +mongod --port 27017 & +while ! nc -vz localhost 27017; do sleep 1; done + + +echo "Create the user administrator." +mongo admin --eval "db.createUser({ user: '${MONGO_USERNAME}', pwd: '${MONGO_PASSWORD}', roles: [ { role: 'dbAdminAnyDatabase', db: 'admin' } ] });" + + +echo "Shutdown the MongoDB service." +mongod --shutdown + +echo "#!/bin/bash" > ./setup_user.sh From 53b4491344152b8c467e25cabe78deb9cfd18506 Mon Sep 17 00:00:00 2001 From: geek Date: Tue, 7 Mar 2017 13:12:38 -0600 Subject: [PATCH 2/5] Require auth --- bin/manage.py | 30 +++++-- bin/setup_user.sh | 4 +- etc/containerpilot.json | 2 +- local-compose.yml | 1 - setup.sh | 192 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 218 insertions(+), 11 deletions(-) create mode 100755 setup.sh diff --git a/bin/manage.py b/bin/manage.py index f86896e..eaa1433 100644 --- a/bin/manage.py +++ b/bin/manage.py @@ -10,6 +10,7 @@ import time from functools import wraps +from urllib import quote_plus import consul as pyconsul #import manta 
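Review bot: The `mongo admin --eval` line in bin/setup_user.sh splices `${MONGO_USERNAME}` and `${MONGO_PASSWORD}` into a JavaScript string literal unescaped, so a value containing `'` or `\` ends the literal early and the remainder is run by the mongo shell as code; an empty or unset variable is not caught either. Validate both before the call, for example `[ -n "${MONGO_PASSWORD}" ] || { echo 'MONGO_PASSWORD is required' >&2; exit 1; }` plus a character-set check. The password is also visible in the `mongo` process arguments while the command runs. The account is described as the user administrator but receives only `dbAdminAnyDatabase`, which does not include user management; `userAdminAnyDatabase` is the role for that. The same `--eval` line is carried into the later setup_user.sh and setup_mongo.sh hunks of this series.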
@@ -65,6 +66,9 @@ def get_environ(key, default): SESSION_NAME = get_environ('SESSION_NAME', 'mongodb-replica-set-lock') SESSION_TTL = int(get_environ('SESSION_TTL', 60)) +MONGO_USER = get_environ('MONGO_USER', 'admin') +MONGO_PASSWORD = get_environ('MONGO_PASSWORD', 'admin') + # consts for node state PRIMARY = 'mongodb-replicaset' #SECONDARY = 'mongodb-secondary' @@ -99,8 +103,7 @@ def pre_stop(): because we are about to be shut down """ - ip = get_ip() - local_mongo = MongoClient(ip, connect=False) + local_mongo = get_local_mongo() # since we are shutting down, it is ok to stop if mongo is already non-responsive if not is_mongo_up(local_mongo): @@ -142,7 +145,7 @@ def pre_stop(): return False timeout += 1 # use a replica client so that we get "primary" data - mongo_client = MongoClient(ip, connect=False, replicaset=repl_status['set'], serverSelectionTimeoutMS=500) + mongo_client = MongoClient(get_local_mongo_uri(), connect=False, replicaset=repl_status['set'], serverSelectionTimeoutMS=500) # is_mongo_up will sleep on failure, so we don't need a "time.sleep(1)" if is_mongo_up(mongo_client, 1): primary = mongo_client.primary @@ -162,8 +165,7 @@ def health(): # TODO periodic mongodumps to Manta hostname = socket.gethostname() - ip = get_ip() - local_mongo = MongoClient(ip, connect=False) + local_mongo = get_local_mongo() # check that mongo is responsive if not is_mongo_up(local_mongo): @@ -212,7 +214,7 @@ def on_change(): ''' hostname = socket.gethostname() ip = get_ip() - local_mongo = MongoClient(ip, connect=False) + local_mongo = get_local_mongo() try: repl_status = local_mongo.admin.command('replSetGetStatus') 
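Review bot: The `MONGO_USER` and `MONGO_PASSWORD` constants added after `SESSION_TTL` fall back to `admin`/`admin` when the environment does not provide them, which makes a well-known credential pair the silent default for manage.py. Since requiring authentication is the purpose of this commit, a missing value is better treated as a configuration error: `MONGO_PASSWORD = get_environ('MONGO_PASSWORD', None)` followed by an explicit log-and-exit when it is empty, and the same for `MONGO_USER`. This assumes `get_environ` returns the default unchanged for an unset key; its body is outside the hunk.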
@@ -313,7 +315,8 @@ def mongo_update_replset_config(local_mongo, hostname): for new_mongo in new_mongos: new_id = max(ids) + 1 ids.append(new_id) - members.append({'_id': new_id, 'host': new_mongo}) + host = "mongodb://%s:%s@%s" % (quote_plus(MONGO_USER), quote_plus(MONGO_PASSWORD), new_mongo) + members.append({'_id': new_id, 'host': host}) # TODO voting membership # https://docs.mongodb.com/manual/core/replica-set-architectures/#maximum-number-of-voting-members @@ -332,6 +335,19 @@ def mongo_update_replset_config(local_mongo, hostname): log.exception(e) sys.exit(1) + +def get_local_mongo_uri(): + ip = get_ip() + uri = "mongodb://%s:%s@%s" % (quote_plus(MONGO_USER), quote_plus(MONGO_PASSWORD), ip) + + return uri + +def get_local_mongo(): + local_mongo = MongoClient(get_local_mongo_uri(), connect=False) + + return local_mongo + + def consul_to_mongo_hostname(service): # if name.startswith(SECONDARY + '-'): # prefix = SECONDARY + '-' diff --git a/bin/setup_user.sh b/bin/setup_user.sh index a93e1ae..8593569 100755 --- a/bin/setup_user.sh +++ b/bin/setup_user.sh @@ -2,11 +2,11 @@ echo "Start MongoDB without access control." mongod --port 27017 & -while ! nc -vz localhost 27017; do sleep 1; done +while ! nc -z 127.0.0.1 27017; do sleep 1; done echo "Create the user administrator." -mongo admin --eval "db.createUser({ user: '${MONGO_USERNAME}', pwd: '${MONGO_PASSWORD}', roles: [ { role: 'dbAdminAnyDatabase', db: 'admin' } ] });" +mongo admin --eval "db.createUser({ user: '${MONGO_USER}', pwd: '${MONGO_PASSWORD}', roles: [ { role: 'dbAdminAnyDatabase', db: 'admin' } ] });" echo "Shutdown the MongoDB service." diff --git a/etc/containerpilot.json b/etc/containerpilot.json index 5764b03..7dd312a 100644 --- a/etc/containerpilot.json +++ b/etc/containerpilot.json 
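Review bot: `get_local_mongo_uri()` and `get_local_mongo()` are added without docstrings, and the first one returns a string that contains the MongoDB password. Give each a one-line docstring, with the first stating that the result embeds credentials and must not be logged, e.g. `"""Return the mongodb:// URI for this node; it contains MONGO_PASSWORD, so never log it."""`. `pre_stop` and `on_change` show docstrings in the neighbouring hunks, so this also keeps the file consistent.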
@@ -1,6 +1,6 @@ { "consul": "{{ if .CONSUL }}{{ .CONSUL }}{{ else }}consul{{ end }}:8500", - "preStart": "python /usr/local/bin/manage.py", + "preStart": "./usr/local/bin/setup_user.sh && python /usr/local/bin/manage.py", "preStop": "python /usr/local/bin/manage.py pre_stop", "services": [ { diff --git a/local-compose.yml b/local-compose.yml index 9e4a505..425ecc9 100644 --- a/local-compose.yml +++ b/local-compose.yml @@ -24,4 +24,3 @@ services: - 8302 - 8400 - 8500 - diff --git a/setup.sh b/setup.sh new file mode 100755 index 0000000..9c194a6 --- /dev/null +++ b/setup.sh 
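Review bot: The new `preStart` value calls `./usr/local/bin/setup_user.sh`, a path relative to whatever working directory ContainerPilot starts in, while the `manage.py` invocations beside it are absolute. If that directory is ever not `/`, the script is not found and, because of the `&&`, `manage.py` does not run either. Use `/usr/local/bin/setup_user.sh`. The Dockerfile hunks of this series do not show the script being copied to that location, so it is worth confirming that the image contains it.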
@@ -0,0 +1,192 @@ +#!/bin/bash +set -e -o pipefail + +help() { + echo + echo 'Usage ./setup.sh ~/path/to/MANTA_PRIVATE_KEY' + echo + echo 'Checks that your Triton and Docker environment is sane and configures' + echo 'an environment file to use.' + echo + echo 'MANTA_PRIVATE_KEY is the filesystem path to an SSH private key' + echo 'used to connect to Manta for the database backups.' + echo + echo 'Additional details must be configured in the _env file, but this script will properly' + echo 'encode the SSH key details for use with this MongoDB image.' + echo +} + + +# populated by `check` function whenever we're using Triton +TRITON_USER= +TRITON_DC= +TRITON_ACCOUNT= + +# --------------------------------------------------- +# Top-level commands + +# Check for correct configuration and setup _env file +envcheck() { + + if [ -z "$1" ]; then + tput rev # reverse + tput bold # bold + echo 'Please provide a path to a SSH private key to access Manta.' + tput sgr0 # clear + + help + exit 1 + fi + + if [ ! -f "$1" ]; then + tput rev # reverse + tput bold # bold + echo 'SSH private key for Manta is unreadable.' + tput sgr0 # clear + + help + exit 1 + fi + + # Assign args to named vars + MANTA_PRIVATE_KEY_PATH=$1 + + command -v docker >/dev/null 2>&1 || { + echo + tput rev # reverse + tput bold # bold + echo 'Docker is required, but does not appear to be installed.' + tput sgr0 # clear + echo 'See https://docs.joyent.com/public-cloud/api-access/docker' + exit 1 + } + command -v json >/dev/null 2>&1 || { + echo + tput rev # reverse + tput bold # bold + echo 'Error! JSON CLI tool is required, but does not appear to be installed.' + tput sgr0 # clear + echo 'See https://apidocs.joyent.com/cloudapi/#getting-started' + exit 1 + } + + command -v triton >/dev/null 2>&1 || { + echo + tput rev # reverse + tput bold # bold + echo 'Error! Joyent Triton CLI is required, but does not appear to be installed.' 
+ tput sgr0 # clear + echo 'See https://www.joyent.com/blog/introducing-the-triton-command-line-tool' + exit 1 + } + + # make sure Docker client is pointed to the same place as the Triton client + local docker_user=$(docker info 2>&1 | awk -F": " '/SDCAccount:/{print $2}') + local docker_dc=$(echo $DOCKER_HOST | awk -F"/" '{print $3}' | awk -F'.' '{print $1}') + TRITON_USER=$(triton profile get | awk -F": " '/account:/{print $2}') + TRITON_DC=$(triton profile get | awk -F"/" '/url:/{print $3}' | awk -F'.' '{print $1}') + TRITON_ACCOUNT=$(triton account get | awk -F": " '/id:/{print $2}') + if [ ! "$docker_user" = "$TRITON_USER" ] || [ ! "$docker_dc" = "$TRITON_DC" ]; then + echo + tput rev # reverse + tput bold # bold + echo 'Error! The Triton CLI configuration does not match the Docker CLI configuration.' + tput sgr0 # clear + echo + echo "Docker user: ${docker_user}" + echo "Triton user: ${TRITON_USER}" + echo "Docker data center: ${docker_dc}" + echo "Triton data center: ${TRITON_DC}" + exit 1 + fi + + local triton_cns_enabled=$(triton account get | awk -F": " '/cns/{print $2}') + if [ ! "true" == "$triton_cns_enabled" ]; then + echo + tput rev # reverse + tput bold # bold + echo 'Error! Triton CNS is required and not enabled.' + tput sgr0 # clear + echo + exit 1 + fi + + # setup environment file + if [ ! -f "_env" ]; then + echo '# Environment variables for MongoDB service' > _env + echo 'MONGO_USER=dbuser' >> _env + echo 'MONGO_PASSWORD='$(cat /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 7) >> _env + echo >> _env + + echo '# Environment variables for backups to Manta' >> _env + echo 'MANTA_URL=https://us-east.manta.joyent.com' >> _env + echo 'MANTA_BUCKET= # an existing Manta bucket' >> _env + echo 'MANTA_USER= # a user with access to that bucket' >> _env + echo 'MANTA_SUBUSER=' >> _env + echo 'MANTA_ROLE=' >> _env + + # MANTA_KEY_ID must be the md5 formatted key fingerprint. A SHA256 will result in errors. 
+ set +o pipefail + # The -E option was added to ssh-keygen recently; if it doesn't work, then + # assume we're using an older version of ssh-keygen that only outputs MD5 fingerprints + ssh-keygen -yl -E md5 -f ${MANTA_PRIVATE_KEY_PATH} > /dev/null 2>&1 + if [ $? -eq 0 ]; then + echo MANTA_KEY_ID=$(ssh-keygen -yl -E md5 -f ${MANTA_PRIVATE_KEY_PATH} | awk '{print substr($2,5)}') >> _env + else + echo MANTA_KEY_ID=$(ssh-keygen -yl -f ${MANTA_PRIVATE_KEY_PATH} | awk '{print $2}') >> _env + fi + set -o pipefail + + # munge the private key so that we can pass it into an env var sanely + # and then unmunge it in our startup script + echo MANTA_PRIVATE_KEY=$(cat ${MANTA_PRIVATE_KEY_PATH} | tr '\n' '#') >> _env + echo >> _env + + echo '# Consul discovery via Triton CNS' >> _env + echo CONSUL=mongodb-consul.svc.${TRITON_ACCOUNT}.${TRITON_DC}.cns.joyent.com >> _env + echo >> _env + + echo 'Edit the _env file with your desired MONGO_* and MANTA_* config' + else + echo 'Existing _env file found, exiting' + exit + fi +} + +get_root_password() { + echo $(docker logs ${COMPOSE_PROJECT_NAME:-mongodb}_mongodb_1 2>&1 | \ + awk '/Generated root password/{print $NF}' | \ + awk '{$1=$1};1' + ) | pbcopy +} + + + +# --------------------------------------------------- +# parse arguments + +# Get function list +funcs=($(declare -F -p | cut -d " " -f 3)) + +until + if [ ! -z "$1" ]; then + # check if the first arg is a function in this file, or use a default + if [[ " ${funcs[@]} " =~ " $1 " ]]; then + cmd=$1 + shift 1 + else + cmd="envcheck" + fi + + $cmd "$@" + if [ $? == 127 ]; then + help + fi + + exit + else + help + fi +do + echo +done From 6808a0baf550095ff29c1ada999eba861f6db98e Mon Sep 17 00:00:00 2001 
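Review bot: `envcheck` writes the database password and the munged Manta private key into `_env` under the caller's default umask, so on a typical workstation the file is readable by other local users. Put `umask 077` before the first `echo ... > _env`, or run `chmod 600 _env` immediately after it. The generated `MONGO_PASSWORD` is also only seven alphanumeric characters (`head -c 7`), roughly 41 bits, for an account that administers every database; `head -c 32` costs nothing here.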
From: geek Date: Tue, 7 Mar 2017 14:50:04 -0600 Subject: [PATCH 3/5] Add MONGO_KEY option --- Dockerfile | 4 ++-- README.md | 6 +++++- bin/manage.py | 4 ++-- bin/{setup_user.sh => setup_mongo.sh} | 8 +++++++- etc/containerpilot.json | 2 +- etc/mongod.conf | 6 ++++++ local-compose.yml | 2 ++ setup.sh | 27 ++++++++++++++++++++++++++- 8 files changed, 51 insertions(+), 8 deletions(-) rename bin/{setup_user.sh => setup_mongo.sh} (63%) create mode 100644 etc/mongod.conf diff --git a/Dockerfile b/Dockerfile index 1a25a96..ae00e40 100644 --- a/Dockerfile +++ b/Dockerfile @@ -45,6 +45,6 @@ ENTRYPOINT [] CMD [ \ "containerpilot", \ "mongod", \ - "--replSet=joyent", \ - "--auth" \ + "--config", \ + "/etc/mongod.conf" \ ] diff --git a/README.md b/README.md index edae3ec..f234705 100644 --- a/README.md +++ b/README.md @@ -6,9 +6,10 @@ A running cluster includes the following components: - [ContainerPilot](https://www.joyent.com/containerpilot): included in our MongoDB containers to orchestrate bootstrap behavior and coordinate replica joining using keys and checks stored in Consul in the `health`, and `onChange` handlers -- [MongoDB](https://www.mongodb.com/community): we're using MongoDB 3.2 and setting up a [replica set](https://docs.mongodb.com/manual/replication/) +- [MongoDB](https://www.mongodb.com/community): we're using MongoDB 3.4 and setting up a [replica set](https://docs.mongodb.com/manual/replication/) - [Consul](https://www.consul.io/): used to coordinate replication and failover + ## Running the cluster Starting a new cluster is easy once you have [your `_env` file set with the configuration details](#configuration) 
@@ -25,6 +26,9 @@ In a few moments you'll have a running MongoDB ready for a replica set. Both the Pass these variables via an `_env` file. - `LOG_LEVEL`: control the amount of logging from ContainerPilot +- `MONGO_USER`: the user that will be created as the default admin user +- `MONGO_PASSWORD`: password to use for the admin user +- `MONGO_KEY`: secret key contents to use for replica member authentication - when the primary node is sent a `SIGTERM` it will [step down](https://docs.mongodb.com/manual/reference/command/replSetStepDown/) as primary; the following control those timeouts - `MONGO_SECONDARY_CATCHUP_PERIOD`: the number of seconds that the mongod will wait for an electable secondary to catch up to the primary - `MONGO_STEPDOWN_TIME`: the number of seconds to step down the primary, during which time the stepdown member is ineligible for becoming primary diff --git a/bin/manage.py b/bin/manage.py index eaa1433..a9ff733 100644 --- a/bin/manage.py +++ b/bin/manage.py @@ -315,8 +315,8 @@ def mongo_update_replset_config(local_mongo, hostname): for new_mongo in new_mongos: new_id = max(ids) + 1 ids.append(new_id) - host = "mongodb://%s:%s@%s" % (quote_plus(MONGO_USER), quote_plus(MONGO_PASSWORD), new_mongo) - members.append({'_id': new_id, 'host': host}) + + members.append({'_id': new_id, 'host': new_mongo}) # TODO voting membership # https://docs.mongodb.com/manual/core/replica-set-architectures/#maximum-number-of-voting-members diff --git a/bin/setup_user.sh b/bin/setup_mongo.sh similarity index 63% rename from bin/setup_user.sh rename to bin/setup_mongo.sh index 8593569..a08efb8 100755 --- a/bin/setup_user.sh +++ b/bin/setup_mongo.sh 
@@ -6,10 +6,16 @@ while ! nc -z 127.0.0.1 27017; do sleep 1; done echo "Create the user administrator." -mongo admin --eval "db.createUser({ user: '${MONGO_USER}', pwd: '${MONGO_PASSWORD}', roles: [ { role: 'dbAdminAnyDatabase', db: 'admin' } ] });" +mongo admin --eval "db.createUser({ user: '${MONGO_USER}', pwd: '${MONGO_PASSWORD}', roles: [ { role: 'dbAdminAnyDatabase', db: 'admin' }, { role: 'clusterAdmin', db: 'admin' } ] });" echo "Shutdown the MongoDB service." mongod --shutdown + +echo "Creating keyFile for replication." +echo -e ${MONGO_KEY} > /etc/mongod.key +chmod 400 /etc/mongod.key + +echo "Overwrite setup_mongo.sh so that this is a one-time setup" echo "#!/bin/bash" > ./setup_user.sh diff --git a/etc/containerpilot.json b/etc/containerpilot.json index 7dd312a..4af3cfe 100644 --- a/etc/containerpilot.json +++ b/etc/containerpilot.json @@ -1,6 +1,6 @@ { "consul": "{{ if .CONSUL }}{{ .CONSUL }}{{ else }}consul{{ end }}:8500", - "preStart": "./usr/local/bin/setup_user.sh && python /usr/local/bin/manage.py", + "preStart": "./usr/local/bin/setup_mongo.sh && python /usr/local/bin/manage.py", "preStop": "python /usr/local/bin/manage.py pre_stop", "services": [ { diff --git a/etc/mongod.conf b/etc/mongod.conf new file mode 100644 index 0000000..6edc1f3 --- /dev/null +++ b/etc/mongod.conf @@ -0,0 +1,6 @@ +replication: + replSetName: "joyent" + +security: + keyFile: "/etc/mongod.key" + authorization: "enabled" diff --git a/local-compose.yml b/local-compose.yml index 425ecc9..ac95d2d 100644 --- a/local-compose.yml +++ b/local-compose.yml @@ -7,6 +7,8 @@ services: mem_limit: 512m build: . env_file: _env + environment: + - CONSUL=consul ports: - 27017 diff --git a/setup.sh b/setup.sh index 9c194a6..a540b5c 100755 --- a/setup.sh +++ b/setup.sh 
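Review bot: In the setup_mongo.sh hunk, `echo -e ${MONGO_KEY} > /etc/mongod.key` creates the replica key file with default permissions and tightens them only on the following line, and the unquoted expansion is subject to word splitting and globbing while `-e` interprets backslash sequences inside the secret. Prefer `umask 077` ahead of the write and `printf '%s\n' "${MONGO_KEY}" > /etc/mongod.key`. Nothing checks that `MONGO_KEY` is set, so an empty key file can be produced. The final line still truncates `./setup_user.sh` although the script is now setup_mongo.sh, so the one-time behaviour announced by the echo above it does not take effect in this commit.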
@@ -3,7 +3,7 @@ set -e -o pipefail help() { echo - echo 'Usage ./setup.sh ~/path/to/MANTA_PRIVATE_KEY' + echo 'Usage ./setup.sh ~/path/to/MANTA_PRIVATE_KEY ~/path/to/MONGO_KEYFILE' echo echo 'Checks that your Triton and Docker environment is sane and configures' echo 'an environment file to use.' @@ -11,6 +11,9 @@ help() { echo 'MANTA_PRIVATE_KEY is the filesystem path to an SSH private key' echo 'used to connect to Manta for the database backups.' echo + echo 'MONGO_KEYFILE is the filesystem path to a file that contains a secret' + echo 'value between 6 and 1024 characters for authenticating replica members' + echo echo 'Additional details must be configured in the _env file, but this script will properly' echo 'encode the SSH key details for use with this MongoDB image.' echo @@ -48,8 +51,29 @@ envcheck() { exit 1 fi + if [ -z "$2" ]; then + tput rev # reverse + tput bold # bold + echo 'Please provide a path to a key file for MongoDB replica members.' + tput sgr0 # clear + + help + exit 1 + fi + + if [ ! -f "$2" ]; then + tput rev # reverse + tput bold # bold + echo 'MongoDB replica key file is unreadable.' + tput sgr0 # clear + + help + exit 1 + fi + # Assign args to named vars MANTA_PRIVATE_KEY_PATH=$1 + MONGO_KEYFILE_PATH=$2 command -v docker >/dev/null 2>&1 || { echo @@ -116,6 +140,7 @@ envcheck() { echo '# Environment variables for MongoDB service' > _env echo 'MONGO_USER=dbuser' >> _env echo 'MONGO_PASSWORD='$(cat /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 7) >> _env + echo MONGO_KEY=$(cat ${MONGO_KEYFILE_PATH} | tr '\n' '#') >> _env echo >> _env echo '# Environment variables for backups to Manta' >> _env From 9de28a87d49742e554cb646bc73f612ade9a31e7 Mon Sep 17 00:00:00 2001 From: geek Date: Tue, 14 Mar 2017 14:46:21 -0500 Subject: [PATCH 4/5] Updates after feedback --- bin/setup_mongo.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/bin/setup_mongo.sh b/bin/setup_mongo.sh index a08efb8..86a63b0 100755 
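Review bot: The new check on `$2` in `envcheck` uses `[ ! -f "$2" ]`, which tests that the path is a regular file, not that it can be read, although the message says the key file is unreadable. For a file that exists but cannot be read, the later `echo MONGO_KEY=$(cat ${MONGO_KEYFILE_PATH} | tr '\n' '#') >> _env` still succeeds, because the status of a command substitution used as an argument is discarded, and `_env` ends up with an empty `MONGO_KEY`. Use `[ ! -r "$2" ]` and quote the path in the `cat`; the existing check on `$1` has the same shape. `envcheck` starts and ends outside these hunks.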
--- a/bin/setup_mongo.sh +++ b/bin/setup_mongo.sh @@ -1,11 +1,12 @@ #!/bin/bash -echo "Start MongoDB without access control." -mongod --port 27017 & -while ! nc -z 127.0.0.1 27017; do sleep 1; done +set -e +echo "Start MongoDB without access control and only for local connections" +mongod --fork --bind_ip 127.0.0.1 --logpath /dev/stdout echo "Create the user administrator." +# The createUser will error if the user already exists. mongo admin --eval "db.createUser({ user: '${MONGO_USER}', pwd: '${MONGO_PASSWORD}', roles: [ { role: 'dbAdminAnyDatabase', db: 'admin' }, { role: 'clusterAdmin', db: 'admin' } ] });" From 74c3ddf69a1f0a777b79d51497871e7440ef453b Mon Sep 17 00:00:00 2001 From: geek Date: Wed, 15 Mar 2017 13:12:41 -0500 Subject: [PATCH 5/5] Use folder placeholder for detecting run --- Dockerfile | 1 - bin/setup_mongo.sh | 10 ++++++++-- setup.sh | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index db35c19..4aca4a0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,6 @@ RUN apt-get update \ python-dev \ gcc \ curl \ - netcat \ libffi-dev \ libssl-dev \ unzip \ diff --git a/bin/setup_mongo.sh b/bin/setup_mongo.sh index 86a63b0..8652bac 100755 --- a/bin/setup_mongo.sh +++ b/bin/setup_mongo.sh @@ -2,6 +2,12 @@ set -e + +if [ -d "/data/db/_mongosetup" ]; then + echo "/data/db/_mongosetup exists, mongo already setup, exiting" + exit 0 +fi + echo "Start MongoDB without access control and only for local connections" mongod --fork --bind_ip 127.0.0.1 --logpath /dev/stdout @@ -18,5 +24,5 @@ echo "Creating keyFile for replication." echo -e ${MONGO_KEY} > /etc/mongod.key chmod 400 /etc/mongod.key -echo "Overwrite setup_mongo.sh so that this is a one-time setup" -echo "#!/bin/bash" > ./setup_user.sh +echo "Create directory to designate that setup is complete." +mkdir -p /data/db/_mongosetup diff --git a/setup.sh b/setup.sh index a540b5c..656d7d5 100755 --- a/setup.sh +++ b/setup.sh 
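Review bot: With `set -e` added at the top of setup_mongo.sh, a failing `mongo admin --eval` ends the script before `mongod --shutdown` is reached, which leaves the forked mongod that was started without access control running; the new comment itself says createUser errors when the user already exists. Register the cleanup right after the fork, e.g. `trap 'mongod --shutdown' EXIT` in place of the explicit shutdown call, or test for the user before creating it. This assumes the mongo shell exits non-zero on that error. The instance is bound to 127.0.0.1, so exposure is limited to processes inside the container, but it should not outlive the setup step.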
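Review bot: The early exit added at the top of setup_mongo.sh keys on `/data/db/_mongosetup`, while the replica key file is written to `/etc/mongod.key`, which lives in a different place from the marker. If `/data/db` is a volume that outlives the container filesystem (not shown here, but usual for a database directory), a recreated container finds the marker, skips setup, and starts mongod without the key file that etc/mongod.conf requires. Move the three key-file lines above the `if [ -d "/data/db/_mongosetup" ]` check so the key is written on every start and only the user creation is skipped.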
@@ -140,7 +140,7 @@ envcheck() {
 echo '# Environment variables for MongoDB service' > _env
 echo 'MONGO_USER=dbuser' >> _env
 echo 'MONGO_PASSWORD='$(cat /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 7) >> _env
- echo MONGO_KEY=$(cat ${MONGO_KEYFILE_PATH} | tr '\n' '#') >> _env
+ echo MONGO_KEY=$(cut -c1-100 ${MONGO_KEYFILE_PATH} | tr '\n' '1' | tr '-' '1') >> _env
 echo >> _env
 echo '# Environment variables for backups to Manta' >> _env
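Review bot: The new `MONGO_KEY` line no longer stores the content of the key file, and nothing explains why: `cut -c1-100` trims every line to 100 characters and the two `tr` calls turn each newline and each `-` into `1`. An operator who gives the original file to a replica member by another route ends up with a key that does not match, and fixed `1` characters replace part of the secret. Add a comment above the line that gives the reason for the rewrite and warns that the stored value differs from the file, and reject a file whose lines would be truncated instead of cutting them silently. `envcheck` starts and ends outside the hunk.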