2

Currently looking at deploying mongo in a container. So far my file looks like,

    ############################################################
    # Dockerfile to build Mongo Containers
    # Based on Ubuntu
    ############################################################

    # Set the base image to Ubuntu
    FROM ubuntu:14.04

    # File Author / Maintainer
    MAINTAINER Maintaner felix001

    # Create repo file
    RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
    RUN echo "deb http://repo.mongodb.org/apt/ubuntu "$(lsb_release -sc)"/mongodb-org/3.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-3.0.list

    # Update the default application repository sources list
    RUN apt-get update && apt-get install -y \
        mongodb-org \
        vim

    # Create the MongoDB data directory
    RUN mkdir -p /data/db

    # Expose port 27017 from the container to the host
    EXPOSE 27017

    # Set usr/bin/mongod as the dockerized entry-point application
    ENTRYPOINT ["/usr/bin/mongod"]

However, I need to lock down mongo so you need a password to perform any admin actions, and also create a database/user. So my question is two-fold:

  1. What is the best method for securing? So far I have,

    vim /etc/mongod.conf
    + auth = true
    
    use admin
    db.createUser({ user:"admin", pwd:"secretpassword", roles: ["dbAdminAnyDatabase","clusterAdmin"]})
    
    use example
    db.createUser({ user:"user1", pwd:"abc123", roles:["readWrite"] })
    
  2. What is the best method for adding this to a Dockerfile?

Thanks,

felix001

2 Answers

2

I would not recommend "baking" credentials into your image. Every database you create will then have the same password.

For an example, take a look at the tutum mongodb image, where the container runs a script to set the password on startup:

Finally, I refer you to a related question concerning the use of environment variables for passwords:

Mark O'Connor
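
The startup-script approach this answer points to, sketched for the question's Ubuntu-based image. This is an added example: it is not part of the original answer and is not the tutum image's script. The names `MONGO_ADMIN_USER`, `MONGO_ADMIN_PASSWORD`, `MONGO_ADMIN_PASSWORD_FILE`, the marker file, the `root` role and the `start` argument are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical entrypoint.sh, invoked as "entrypoint.sh start".
# Assumed variable names: MONGO_ADMIN_USER, MONGO_ADMIN_PASSWORD,
# MONGO_ADMIN_PASSWORD_FILE. Assumes a single-line password.
set -eu

MARKER=/data/db/.admin_created   # constructed marker file kept in the data volume

# Print the admin password; a mounted secret file wins over the environment.
resolve_password() {
    if [ -n "${MONGO_ADMIN_PASSWORD_FILE:-}" ]; then
        [ -r "$MONGO_ADMIN_PASSWORD_FILE" ] || { echo "unreadable secret file" >&2; return 1; }
        cat "$MONGO_ADMIN_PASSWORD_FILE"
    elif [ -n "${MONGO_ADMIN_PASSWORD:-}" ]; then
        printf '%s' "$MONGO_ADMIN_PASSWORD"
    else
        echo "no admin password supplied, refusing to start" >&2
        return 1
    fi
}

# Escape backslashes and double quotes for use inside a JS string literal.
js_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit the createUser statement that is piped to the mongo shell.
create_user_js() {
    printf 'db.getSiblingDB("admin").createUser({user: "%s", pwd: "%s", roles: ["root"]});\n' \
        "$(js_escape "$1")" "$(js_escape "$2")"
}

main() {
    if [ ! -f "$MARKER" ]; then
        pass=$(resolve_password)
        # Temporary instance on loopback only, so it is never reachable unauthenticated.
        mongod --fork --logpath /var/log/mongod-init.log --bind_ip 127.0.0.1 --dbpath /data/db
        # Script goes in on stdin so the password never shows up in the process list.
        create_user_js "${MONGO_ADMIN_USER:-admin}" "$pass" | mongo --quiet admin
        mongod --shutdown --dbpath /data/db
        touch "$MARKER"
    fi
    unset MONGO_ADMIN_PASSWORD   # keep it out of the mongod process environment
    exec mongod --auth --dbpath /data/db
}

# Run only for "entrypoint.sh start"; otherwise the file just defines functions.
if [ "${1:-}" = "start" ]; then main; fi
```

In the Dockerfile this would be wired in with `ENTRYPOINT ["/entrypoint.sh", "start"]`, so the password is supplied at `docker run` time and never stored in an image layer.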
1

Here is how I secured my MongoDB docker container.
The following step-by-step process will guide you through implementing the security.

Solution-1 : Using Environment Variable

A simple solution is to use environment variables with the docker run command:

    $ docker run -d -p 27017:27017 --name mongodb -v /var/docker/mongo/data:/data/db \
        -e MONGO_INITDB_ROOT_USERNAME=superuser \
        -e MONGO_INITDB_ROOT_PASSWORD=Strong_Password \
        mongo:4.4.2

When you try to access it using a MongoDB client like MongoDB-Compass, you will have to supply the username and password to access the database.

Solution-2 : Create User in MongoDB Database (Recommended approach)

  • Create docker container using auth option

    $ docker run --name <container_name> --restart=always -d -p 27017:27017 mongo mongod --auth

  • Bash into the container

    $ sudo docker exec -it <container_name> bash

  • Connect to local mongo instance

    # mongo

  • Create the first admin user

    > use admin
    > db.createUser({
        user: 'user',
        pwd: 'StrongPassword',
        roles: [{ role: 'dbOwner', db:'admin'}]
    })

  • Exit the mongo shell

    > exit

  • Exit the container

    # exit

Now you can connect with the username and password. Remember to use --authenticationDatabase "admin"

    mongo -u "user" -p "StrongPassword" YOURHOSTIP --authenticationDatabase "admin"

You can also connect to the mongo container via MongoDB-Compass. I connected using the following connection string. Check your string carefully if you can't connect.

    mongodb://user:*****@IP:27017/?authSource=admin&compressors=zlib&readPreference=primary&gssapiServiceName=mongodb&appname=MongoDB%20Compass&ssl=false

Ref: https://gist.github.com/davideicardi/f2094c4c3f3e00fbd490#file-mongo-docker-bash-L23

Muhammad Tariq