Insecure on the wire
By default, MongoDB transmits data in clear-text. That might be OK in your own network environment, but it’s not so great for the cloud. If you want your traffic secure, it’s up to you.
Fortunately, recent MongoDB releases can use connections protected by SSL. Unfortunately, SSL is not compiled into the publicly available binary downloads from 10gen. Nor is it available in the binary packages for Debian, Ubuntu or Redhat.
If you want MongoDB with SSL, you’ve got two choices. Get the Subscriber Edition or compile it yourself.
Subscribers only
If you want a nicely packaged MongoDB with SSL from 10gen, then you need a MongoDB Gold Subscription. It’s a full package – you get nearly unlimited, 24x7 technical support, you get emergency patches, and you get your SSL-compiled Subscriber Edition.
It also costs $4000 per server. Per year. Ouch!
Don’t get me wrong – if you can afford it, 10gen ties it all up with a nice bow and gives you support on top. Take it!
But if that’s beyond your budget, then you only have one choice left.
Rocking open source
MongoDB is open source. You can get the source and do what you want with it. So you can compile SSL support into it yourself.
Even better, 10gen includes their Linux distribution packaging tools along with the rest of the source. That’s awesome! So you can compile MongoDB and package it up to easily install it everywhere you need it.
Or can you?
Almost.
The packaging tool is a bit too customized for 10gen. So before you can use it, you have to fix it. The biggest problem is that it packages compiled binaries downloaded from 10gen’s web site, so you have to patch it to use binaries you’ve compiled yourself instead. There are a couple of other minor tweaks that I’ll explain later.
Building your own package requires these three steps:
- Compiling the binaries with SSL
- Patching the packaging tool
- Building the packages
I’ll walk you through how I did it.
Compiling!
First step, compiling the binaries. Apparently you need to be on a Debian/Ubuntu machine for the packaging to work, so I used an Ubuntu laptop I had lying around.
I cloned the MongoDB repository from git://github.com/mongodb/mongo.git and created a branch based on the version 2.2.0 release tag (“r2.2.0”).
Next, I installed all the prerequisites listed in docs/building.md (scons, build-essential, libboost-filesystem-dev, libboost-program-options-dev, libboost-system-dev, libboost-thread-dev) plus libssl and libssl-dev.
Then I built the binaries, and installed them into a temporary directory.
$ scons install -j 9 --64 --ssl --prefix=/tmp/mongodb-linux-2.2.0-x86_64
Patching!
I then patched the buildscripts and support files to make these changes:
- Grab tarballs locally rather than downloading
- Change gpg key and maintainer IDs
- Detect library dependencies dynamically instead of having them hardcoded (Debian/Ubuntu only)
- Add a logrotate script based on this one (Debian/Ubuntu only)
- Change where repository files are output
- Disable all builds except 64 bit
For the dependency and logrotate changes, I mostly cargo-cult-copied how I saw the existing Debian (not 10gen) packages were doing it.
Here’s the diff, with lots of explanatory comments: https://gist.github.com/3927817
If you do this yourself, you’ll need to customize it for you instead of me:
- Change my name to yours
- Specify your gpg key instead of mine
- Change the TARBALLDIR and REPOPATH for your home directory instead of mine
Packaging
Before packaging, I tarred up the temporary install directory as mongodb-linux-2.2.0-x86_64.tar.gz and copied it to the same directory as TARDIR in the packaging script.
Then I changed to the buildscripts directory and ran python packager.py.
I was prompted for my gpg passphrase several times and then the resulting binary packages wound up in REPOPATH.
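The build steps above as one script, added here as an example and not part of the original post or of 10gen’s buildscripts, plus a check the post skips: confirming that the mongod you are about to package really advertises SSL options before you ship it. It assumes a Debian/Ubuntu host with the prerequisites from docs/building.md installed, that 2.2 names the options --sslOnNormalPorts and --sslPEMKeyFile (as its docs do), and the sample help texts are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the post's build
# steps and adds a check that the resulting mongod was built with SSL.
set -e

VERSION="2.2.0"
ARCH="x86_64"

# Name the tarball the way the patched packager expects to find it.
tarball_name() {
    printf 'mongodb-linux-%s-%s.tar.gz\n' "$VERSION" "$ARCH"
}

# Return 0 if a "mongod --help" text advertises the SSL options.
# Assumption: 2.2 names them --sslOnNormalPorts and --sslPEMKeyFile,
# and a build without --ssl omits both.
help_has_ssl() {
    printf '%s\n' "$1" | grep -q -- '--sslOnNormalPorts' &&
        printf '%s\n' "$1" | grep -q -- '--sslPEMKeyFile'
}

# Clone, branch from the r2.2.0 tag, build with SSL, tar the result.
# $1 = source checkout dir, $2 = install prefix (both placeholders).
build_with_ssl() {
    git clone git://github.com/mongodb/mongo.git "$1"
    (cd "$1" && git checkout -b ssl-build r2.2.0 &&
        scons install -j 9 --64 --ssl --prefix="$2")
    tar -C "$(dirname "$2")" -czf "$(tarball_name)" "$(basename "$2")"
}

# Fail loudly if the binary you are about to package lacks SSL.
check_binary() {
    if help_has_ssl "$("$1" --help 2>&1)"; then
        echo "$1: built with SSL"
    else
        echo "$1: NO SSL support, rebuild with --ssl" >&2
        return 1
    fi
}
# Constructed sample help output, used to exercise help_has_ssl offline.
SSL_HELP='  --sslOnNormalPorts        use ssl on configured ports
  --sslPEMKeyFile arg       PEM file for ssl'
PLAIN_HELP='  --port arg                specify port number
  --bind_ip arg             comma separated list of ip addresses'
# Real run (needs network and build tools): sh this_script.sh build
if [ "${1:-}" = "build" ]; then
    build_with_ssl "$HOME/mongo" "/tmp/mongodb-linux-$VERSION-$ARCH"
    check_binary "/tmp/mongodb-linux-$VERSION-$ARCH/bin/mongod"
fi
```

Run check_binary against the mongod in your install prefix before tarring it up; a binary from a build that dropped --ssl looks identical on disk and only reveals itself through its option list.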
Give it a try
I’m not a Linux packaging expert. I don’t even know Python. But 10gen made all the pieces open source and I just kept hacking around until it worked.