In Part I, we set up the basics of bringing the server online, including its IP address, DNS, logging, and NTP.  In Part II, we will set up a HIDS (Hardware Intrusion Detection System), a drive for our Mongo data, and do our initial Mongo installation.  Let’s get started!

Adding a Drive

Let’s start with the new drive, since it is probably a good idea to run the HIDS on the Mongo data mount point.  First, when we type fdisk -l, there should be an extra drive listed, as below:

[screenshot: adding_drive_1]

Since the new drive is /dev/vdb, at the console we type “fdisk /dev/vdb” to start setting up the drive.  You should see something similar to the screenshot below:

[screenshot: adding_drive2]

Notice the “p” typed here.  This prints the partitions currently on the drive, should any exist.  Always check whether something is already there before proceeding; otherwise you WILL destroy all your data.  Once you know it’s empty, type “n” for new and hit enter:

[screenshot: adding_drive3]

Several questions will then be asked, covering the partition type, partition number, and last sector.  In this case this is the first partition on the disk, so selecting “p” for a primary partition is appropriate.  Defaults can be accepted for the rest.  The partition will be converted to an LVM type momentarily:

[screenshot: adding_drive4]

You may notice the drive name changed between the first few screenshots.  This is because the KVM host running WOK did not allow a qcow2 drive to be added from the web interface.  If yours displays /dev/vdb1, do not worry; you have done everything correctly.

Now press “t” to change the partition type and enter “8e” for Linux LVM.  Once selected, you should see something close to the screenshot below:

[screenshot: adding_drive5]

The last step in fdisk is to type “w” to write the partition table out.  You can now use LVM commands to build an extendable volume for your Mongo data.  Let’s start by creating the physical volume:

[screenshot: adding_drive6]

As the screenshot above shows, type “pvcreate {partition}” and the partition is initialized as an LVM physical volume.  Next we need a Volume Group, which combines one or more physical volumes into a single pool of space (this is where expansion comes in: you add another physical volume to the group and then extend the logical volumes).  To create it, run “vgcreate {name of volume group} {physical volume}”; note the space between the two arguments, as in the screenshot below:

[screenshot: adding_drive7]

The next step is to create a logical volume with the command “lvcreate -L24G -nlvData vgData”.  Let’s break this command down.  The first part is the lvcreate command itself, which creates a logical volume to hold the data; a logical volume can be extended later, so as the data grows, so can the drive.  The second part, “-L24G”, tells lvcreate to make the volume 24 gigabytes in size.  The size available can be determined by running “vgdisplay” and looking at the volume group we created earlier; it reports the space you have to work with.  The third part, “-nlvData”, sets the name: “-n” followed by the name, which is “lvData” in this case.  Finally, the volume group name must be given so lvcreate knows where to take the space from.  The screenshot below shows the process:

[screenshot: adding_drive8]

The two remaining steps in preparing the drive are formatting it and mounting it.  First, the command “lvdisplay” will show the device path to use for both; in this case the path is “/dev/vgData/lvData”:

[screenshot: adding_drive9]

Even though xfs would be a better choice for Mongo, we are going to use ext4 to stay consistent with the rest of the servers in the environment.  The command “mkfs.ext4 {logical volume path}” will format and prepare the volume:

[screenshot: adding_drive10]

The final step is to create a directory to serve as the mount point (“mkdir /mongodata”) and then add a line to “/etc/fstab” so the new volume is mounted automatically at boot.  The line in the screenshot was added to fstab.  Reading it left to right: the first field is the logical volume path, the second is the directory you created, the third is the file system type you formatted, the fourth (“defaults”) leaves the mount options at their defaults, and the last two numbers mean the volume is included in dump backups and is checked by fsck after the root volume:

[screenshot: adding_drive11]

Once you save your fstab changes, type “mount -a” and then “df -h” to check that the volume mounted properly.  If everything was done correctly, you should see something like:

[screenshot: adding_drive12]
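To tie the fdisk, LVM, mkfs and fstab steps above together, here is an added example script (my addition to this write-up, not a script from the original post).  It assumes the same names used above (/dev/vdb, vgData, lvData, 24G and /mongodata) and that wipefs from util-linux is available; it applies nothing unless run as “sh mongo-volume.sh apply”, and the blank-device check stands in for the manual “p” inspection before “n”.

```shell
#!/bin/sh
# Added example script (not from the original post).  Assumed names:
# device /dev/vdb, volume group vgData, logical volume lvData, mount
# point /mongodata.  Nothing is applied unless $1 is "apply"; the helper
# functions are safe to run anywhere.
set -eu

# Refuse to touch a device that already carries a partition table or
# filesystem signature, the check the post makes with fdisk's "p".
# wipefs -n only reports signatures and never writes.
device_is_blank() {
    dev="$1"
    [ -z "$(wipefs -n "$dev" 2>/dev/null)" ]
}

# Build the fstab entry described above: device, mount point, fs type,
# "defaults", dump flag 1 (include in dump), fsck pass 2 (after root).
fstab_line() {
    printf '%s %s %s defaults 1 2\n' "$1" "$2" "$3"
}

# Sanity-check an fstab line: six fields, a known fs type, dump flag
# 0/1 and fsck pass 0/1/2.  Returns 0 when well-formed, 1 otherwise.
fstab_line_ok() {
    set -- $1
    [ "$#" -eq 6 ] || return 1
    case "$3" in ext4|xfs) ;; *) return 1 ;; esac
    case "$5" in 0|1) ;; *) return 1 ;; esac
    case "$6" in 0|1|2) ;; *) return 1 ;; esac
    return 0
}

# The full procedure from the post, guarded by the blank-device check.
provision_mongo_volume() {
    dev="$1"; vg="$2"; lv="$3"; size="$4"; mnt="$5"
    device_is_blank "$dev" || { echo "refusing: $dev is not blank" >&2; return 1; }
    # n = new, p = primary, partition 1, default first/last sector,
    # t = change type to 8e (Linux LVM), w = write the table.
    printf 'n\np\n1\n\n\nt\n8e\nw\n' | fdisk "$dev"
    part="${dev}1"
    pvcreate "$part"
    vgcreate "$vg" "$part"
    lvcreate -L "$size" -n "$lv" "$vg"
    lvpath="/dev/$vg/$lv"
    mkfs.ext4 "$lvpath"
    mkdir -p "$mnt"
    line="$(fstab_line "$lvpath" "$mnt" ext4)"
    fstab_line_ok "$line" || return 1
    # Append only once so re-running the script does not duplicate the entry.
    grep -qF " $mnt " /etc/fstab || printf '%s\n' "$line" >> /etc/fstab
    mount -a
    df -h "$mnt"
}

if [ "${1:-}" = "apply" ]; then
    provision_mongo_volume /dev/vdb vgData lvData 24G /mongodata
fi
```

Run it once with “apply” as root; if the device already has a signature the script stops before fdisk, which is exactly the situation where you would want to go back and look at the “p” output by hand.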

HIDS

The next step is to install a Hardware Intrusion Detection System, or HIDS.  A HIDS tells an administrator whether files on a system have been altered and can even email the administrator a report to that effect.  There are many systems out there, but for simplicity Tripwire will be used on this server.  Let’s start with the basics and run:

yum install ocaml tripwire

Before you run the next command, note that you will be setting up a local and a site passphrase.  You will want something complex, because Tripwire is a front-line defense for your system.  When you are ready, type:

tripwire-setup-keyfiles

[screenshot: tripwire_setup1]

The twpol.txt file is the policy template listing the directories and files that Tripwire scans.  Normally you would tailor this file before initializing Tripwire, but because this article is a demonstration we did not bother.  If you are following this for a production server, you can use the “twadmin” command to alter the policy and generate a new signed policy after the changes are made.  Tripwire can be molded to suit your needs.

After the keyfile generation is complete, type:

tripwire-init

This will set up the database and create a cryptographic hash to protect its contents.  NOTE: don’t lose the passphrase(s) you created earlier.  You will need them any time you do anything with Tripwire.

[screenshot: tripwire_setup2]

When the installation indicates that the database was successfully generated, run “tripwire --check” just to run over the OS once and see how long a complete check takes.  The final step in setting up Tripwire is to modify the daily cron job to email its report.  The file, located at /etc/cron.daily/tripwire-check, looks like this in its default configuration:

[screenshot: tripwire_setup3]

It will be necessary to add a line similar to this one in two places in the file:

| /usr/bin/mail -s "Tripwire report for `uname -n`" lazyitdude@litg.prv

The first character is the pipe character, and be sure to swap my email address for your own.  It should look similar to the screenshot below:

[screenshot: tripwire_setup4]

As a final step, and to protect the integrity of this basic HIDS setup, it is highly recommended to move the twpol.txt and twcfg.txt files off the system: copy them somewhere safe first, and do not destroy them!  If there is already a copy where you store them, simply keep the newest one.
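Rather than just piping the report to mail, the cron job can put the violation count in the subject so a changed host stands out in the inbox.  The script below is an added example of that (mine, not the post’s or Tripwire’s); it assumes tripwire at /usr/sbin/tripwire, a working mail(1), a recipient in TRIPWIRE_RCPT (placeholder address in the code), and that the report summary contains a “Total violations found:” line, which the sample report here is constructed to imitate.

```shell
#!/bin/sh
# Added example (not from the original post): a body for
# /etc/cron.daily/tripwire-check that mails the report as the post does,
# with the violation count added to the subject.  Runs the real check only
# when $1 is "cron".  Recipient address below is a placeholder.
TRIPWIRE_RCPT="${TRIPWIRE_RCPT:-hids-alerts@example.invalid}"

# Pull the count from the "Total violations found:" summary line of a
# report passed as a string; prints 0 when the line is missing so the
# caller never works with an empty value.
violations_in_report() {
    n=$(printf '%s\n' "$1" \
        | sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Same subject prefix the post uses, plus the count when it is non-zero.
mail_subject() {
    host="$1"; count="$2"
    if [ "$count" -gt 0 ]; then
        printf 'Tripwire report for %s: %s violation(s)\n' "$host" "$count"
    else
        printf 'Tripwire report for %s\n' "$host"
    fi
}

run_daily_check() {
    # tripwire --check exits non-zero when violations are found; keep the
    # report either way so it is always mailed.
    report=$(/usr/sbin/tripwire --check 2>&1) || true
    count=$(violations_in_report "$report")
    printf '%s\n' "$report" \
        | /usr/bin/mail -s "$(mail_subject "$(uname -n)" "$count")" "$TRIPWIRE_RCPT"
}

# Constructed sample of a report summary, used only for local testing.
SAMPLE_REPORT='Total objects scanned:  41871
Total violations found:  3'

if [ "${1:-}" = "cron" ]; then
    run_daily_check
fi
```

Drop the script in place of the default cron file (keeping it executable) and set TRIPWIRE_RCPT to your address; the mail still goes out when nothing changed, as in the post, so a missing daily mail is itself a signal worth noticing.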

Optional Step

If this is to be a production system, it is always a good idea to disable root SSH access.  To accomplish this, you only need to change the following two lines in /etc/ssh/sshd_config and restart the service:

Comment out:

PermitRootLogin  yes

MaxAuthTries  6

and change them to…

PermitRootLogin  no

MaxAuthTries  3

Mongo Installation

This article will cover a base Mongo installation.  A future article will delve into converting this stand-alone server into a sharded, replicated server; if you want to see replication and sharding, keep an eye on this blog for it.

To get started, we are going to install from the CentOS repositories.  This will install version 2.6.  It is true that version 3.6 is available as of this writing, but later posts will go into detail about getting the two versions to work together.  For now, we want the version supported by the OS, as that is the easiest to keep updated (through yum):

yum install mongodb mongodb-server

Now that Mongo is installed and we have created a beautiful, brand-new volume to hold its data, it’s time to take advantage of it:

vi /etc/mongod.conf

The default configuration below needs to be changed:

[screenshot: mongodb_setup1]

The following lines should be changed:

bind_ip = 127.0.0.1

#port = 27017

dbpath = /var/lib/mongodb

#verbose = v

Change them to:

bind_ip = {your non-local IP}

port = 27017

dbpath = {wherever you set the mongo data mount point}

verbose = vv

For the purposes of this document, we are not setting up SSL or any of the other options.  There are many available, and some will be discussed in upcoming blog posts.  Here is an example of the completed changes:

[screenshot: mongodb_setup2]
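Because bind_ip now points at a real interface instead of 127.0.0.1, it is worth reading the edited file back and checking the settings that matter before the service starts.  The script below is an added example (mine, not from the post or MongoDB) that parses the 2.6-style “key = value” mongod.conf and reports findings; the conf path is a parameter, the sample it writes is constructed, and 192.0.2.10 is a documentation-range placeholder for your server’s address.

```shell
#!/bin/sh
# Added example (not from the original post): lint the edited mongod.conf.
# Handles the 2.6 "key = value" format; the sample file is constructed.

# conf_get FILE KEY: value of the first active (uncommented) "KEY = value"
# line, with trailing whitespace stripped.  Commented lines like "#port"
# are ignored because the key must start the line.
conf_get() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# conf_check FILE MOUNTPOINT: prints one WARN line per finding and returns
# the number of findings, so 0 means the file matches the post's intent.
conf_check() {
    file="$1"; mnt="$2"; findings=0
    bind=$(conf_get "$file" bind_ip)
    dbpath=$(conf_get "$file" dbpath)
    port=$(conf_get "$file" port)
    verbose=$(conf_get "$file" verbose)
    auth=$(conf_get "$file" auth)

    if [ -z "$bind" ] || [ "$bind" = "0.0.0.0" ]; then
        echo "WARN bind_ip listens on every interface; set the server's one address"
        findings=$((findings + 1))
    fi
    case "$dbpath" in
        "$mnt"|"$mnt"/*) ;;
        *) echo "WARN dbpath '$dbpath' is not under the data mount $mnt"
           findings=$((findings + 1)) ;;
    esac
    [ "$port" = "27017" ] \
        || { echo "WARN port is '$port' but Part I opened 27017 in the firewall"; findings=$((findings + 1)); }
    [ -n "$verbose" ] \
        || { echo "WARN verbose is unset; the post enables vv"; findings=$((findings + 1)); }
    # The post leaves auth for a later part.  Once bind_ip is a routable
    # address, an unauthenticated mongod is reachable by anything the
    # firewall admits on 27017, so flag it until auth is turned on.
    if [ "$bind" != "127.0.0.1" ] && [ "$auth" != "true" ]; then
        echo "WARN auth is not 'true' while bind_ip is a non-local address"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample in the shape of the post's edited file.
write_sample_conf() {
    cat > "$1" <<'EOF'
# mongod.conf (constructed sample, not the post's file)
logpath=/var/log/mongodb/mongod.log
logappend=true
fork = true
bind_ip = 192.0.2.10
port = 27017
dbpath = /mongodata
verbose = vv
EOF
}
```

Run “conf_check /etc/mongod.conf /mongodata” after editing; on the file the post ends up with it reports exactly one finding, the missing auth, which is the expected state until that later part and a useful reminder that the only thing between the data and the network is the Part I firewall rule.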

In Part I, the firewall port (27017) was already opened.  Before we start everything up, Mongo needs rights to the volume we created earlier.  Simply type:

chown mongodb:root {your volume here}

All that needs to be done now is to start the mongod service:

systemctl start mongod.service

If everything went well, “systemctl status mongod” should show the following:

[screenshot: mongodb_setup3]

In Part III, we will create a collection and add documents to the server before moving on to create a second Mongo server and see how to set up replication and sharding between the two.  See you next time!