This repository has been archived by the owner on Jan 8, 2021. It is now read-only.

Warning on mongo instance startup #9

Closed
tonyespy opened this issue Jan 27, 2018 · 7 comments

@tonyespy
Member

tonyespy commented Jan 27, 2018

While starting the mongo instance from inside my edgexfoundry-core snap on an Ubuntu 16.04 desktop system, I see the following warnings output in syslog:

Jan 27 10:38:49 tex1 edgexfoundry-core.mongod[19510]: 2018-01-27T10:38:49.832-0500 I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
Jan 27 10:38:49 tex1 edgexfoundry-core.mongod[19510]: 2018-01-27T10:38:49.832-0500 I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem
Jan 27 10:38:49 tex1 edgexfoundry-core.mongod[19510]: 2018-01-27T10:38:49.976-0500 W STORAGE [initandlisten] Detected configuration for non-active storage engine mmapv1 when current storage engine is wiredTiger
[initandlisten] ** WARNING: Access control is not enabled for the database.
Jan 27 10:38:49 tex1 edgexfoundry-core.mongod[19510]: 2018-01-27T10:38:49.976-0500 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.

I haven't yet verified that the same warnings are produced when running mongo inside a docker container on the same OS, but would be surprised if the same warnings weren't seen there as well.

Note, my core snap is currently building all of the services using the Barcelona release, and I'm using my own version of the launch-mongo script:

https://github.com/tonyespy/edgex-core-snap/blob/service-ordering-test/bin/start-mongo.sh

@difince
Member

difince commented Mar 2, 2020

[initandlisten] ** WARNING: Access control is not enabled for the database.
Jan 27 10:38:49 tex1 edgexfoundry-core.mongod[19510]: 2018-01-27T10:38:49.976-0500 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.

These warnings have been removed with PR #81, which enforces authentication.

@difince
Member

difince commented Mar 2, 2020

The current log, a year later than the issue opening date, is:

2020-03-02T10:29:32.801+0000 I  STORAGE  [initandlisten] Detected data files in /data/db created by the 'wiredTiger' storage engine, so setting the active storage engine to 'wiredTiger'.
2020-03-02T10:29:32.801+0000 I  STORAGE  [initandlisten] 
2020-03-02T10:29:32.801+0000 I  STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2020-03-02T10:29:32.801+0000 I  STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2020-03-02T10:29:32.801+0000 I  STORAGE  [initandlisten] wiredtiger_open config: create,cache_size=7433M,cache_overflow=(file_max=0M),session_max=33000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),statistics_log=(wait=0),verbose=[recovery_progress,checkpoint_progress],
2020-03-02T10:29:33.305+0000 I  STORAGE  [initandlisten] WiredTiger message [1583144973:305141][158:0x7f6d7e680b00], txn-recover: Recovering log 2 through 3
2020-03-02T10:29:33.337+0000 I  STORAGE  [initandlisten] WiredTiger message [1583144973:337971][158:0x7f6d7e680b00], txn-recover: Recovering log 3 through 3
2020-03-02T10:29:33.393+0000 I  STORAGE  [initandlisten] WiredTiger message [1583144973:393654][158:0x7f6d7e680b00], txn-recover: Main recovery loop: starting at 2/12160 to 3/256
2020-03-02T10:29:33.462+0000 I  STORAGE  [initandlisten] WiredTiger message [1583144973:462857][158:0x7f6d7e680b00], txn-recover: Recovering log 2 through 3
2020-03-02T10:29:33.518+0000 I  STORAGE  [initandlisten] WiredTiger message [1583144973:518371][158:0x7f6d7e680b00], txn-recover: Recovering log 3 through 3
2020-03-02T10:29:33.552+0000 I  STORAGE  [initandlisten] WiredTiger message [1583144973:552767][158:0x7f6d7e680b00], txn-recover: Set global recovery timestamp: (0,0)
2020-03-02T10:29:33.568+0000 I  RECOVERY [initandlisten] WiredTiger recoveryTimestamp. Ts: Timestamp(0, 0)
2020-03-02T10:29:33.603+0000 I  STORAGE  [initandlisten] Timestamp monitor starting
2020-03-02T10:29:33.605+0000 I  CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2020-03-02T10:29:33.605+0000 I  CONTROL  [initandlisten] 
 

There are two warnings:

  • about the file system
  • that the service is run as the root user.

Running services as the root user is a common, wide problem for EdgeX. It was pointed out by the Security WG. It needs to be solved elsewhere. Edgex-Mongo, like all other services, needs to be run by a user other than root. This user should be granted permissions to be able to read the secrets inside Vault. I suggest this problem be addressed in a separate issue.

About the file system warning message:
Here is what Mongo's documentation says about it:

MongoDB on Linux
Kernel and File Systems
When running MongoDB in production on Linux, you should use Linux kernel version 2.6.36 or later, with either the XFS or EXT4 filesystem. If possible, use XFS as it generally performs better with MongoDB.

With the WiredTiger storage engine, using XFS is strongly recommended for data bearing nodes to avoid performance issues that may occur when using EXT4 with WiredTiger.

In general, if you use the XFS file system, use at least version 2.6.25 of the Linux Kernel.
If you use the EXT4 file system, use at least version 2.6.28 of the Linux Kernel.
On Red Hat Enterprise Linux and CentOS, use at least version 2.6.18-194 of the Linux kernel.

(more info)

On my setup I use ext4 filesystem:

df -Th
/dev/nvme0n1p2 ext4     468G   44G  401G  10% /data/db

uname -r
5.3.0-40-generic

As I understand, it depends on what the user's filesystem will be. I guess we need to add a note about that in the documentation.

It looks like additional database improvements could be achieved if the recommended configuration is followed in production:
https://docs.mongodb.com/manual/administration/production-notes/#recommended-configuration

@bnevis-i @tingyuz @tonyespy

@bnevis-i
Contributor

bnevis-i commented Mar 2, 2020

The issue for running containers as non-root users is https://github.com/edgexfoundry/edgex-go/issues/1955.

Also, security-secretstore-setup now supports the secrets-token.json having a non-root owner, group, and custom file permissions. This container I believe was changed a while back to run as root because of the resp-init.json dependency. Since there is no longer a resp-init.json dependency, this change should be revisited. However, it will require pre-agreement on the numerical UID/GID for the file.

@difince
Member

difince commented Mar 2, 2020

Oh, let me check what has been done with the other services.

@bnevis-i
Contributor

bnevis-i commented Mar 2, 2020

Most of the other services run as root as well. Vault starts as root and then deprivileges itself (same strategy could be used here as well.)

@bnevis-i
Contributor

bnevis-i commented Mar 2, 2020

On the note on XFS, I noticed the following on the RedHat site.

"Another way to characterize this is that the Ext4 file system variants tend to perform better on systems that have limited I/O capability. Ext3 and Ext4 perform better on limited bandwidth (< 200MB/s) and up to ~1,000 IOPS capability. For anything with higher capability, XFS tends to be faster." https://access.redhat.com/articles/3129891

I have also read that Fedora desktop defaults to extX, and defaults to XFS for server.

It appears that file system choice may be workload-dependent, and that a switch to XFS may not be appropriate for a resource-constrained device. In any case, Docker configuration cannot change the file system type of a volume.

@difince
Member

difince commented Mar 25, 2020

Closing the issue because part of the warning messages are already addressed:

[initandlisten] ** WARNING: Access control is not enabled for the database.
Jan 27 10:38:49 tex1 edgexfoundry-core.mongod[19510]: 2018-01-27T10:38:49.976-0500 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.

The above warning messages have been removed with PR #81, which enforces authentication.

Two warning messages that are still present:

  • about the file system - ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
  • that the service is run as the root user - ** WARNING: You are running this process as the root user, which is not recommended.

Running the service as a non-root user will be implemented as a follow-up issue on edgexfoundry/edgex-go#1955.
About the file system warning message: using XFS is recommended with the WiredTiger storage engine, but it also depends on device resource constraints (see the comments above).

@difince difince closed this as completed Mar 25, 2020
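
A triage sketch for the startup banners quoted in this thread, added here as an example and not code from the EdgeX project or any commenter: it pulls the `** WARNING:` lines out of a mongod text log (bare or syslog-prefixed) and separates the security-relevant ones (no access control, running as root) from the filesystem advisory. The rule list, function names and sample log are constructed for illustration, modelled on the lines above.

```python
import re

# mongod 3.x/4.x text log line, optionally preceded by a syslog prefix:
#   <timestamp> <severity> <component> [<context>] <message>
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+[+-]\d{4})\s+"
    r"(?P<sev>[FEWID])\s+(?P<comp>[A-Z]+)\s+"
    r"\[(?P<ctx>[^\]]+)\]\s*(?P<msg>.*)$"
)

# Assumed triage rules for this example: banner substring -> category.
RULES = [
    ("Access control is not enabled", "security"),
    ("running this process as the root user", "security"),
    ("XFS filesystem is strongly recommended", "performance"),
]

def startup_warnings(log_text):
    """Return [(category, component, text)] for every '** WARNING:' banner."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not m.group("msg").startswith("** WARNING:"):
            continue  # ordinary messages and '** ...' continuation lines
        text = m.group("msg")[len("** WARNING:"):].strip()
        category = next((c for needle, c in RULES if needle in text),
                        "unclassified")
        findings.append((category, m.group("comp"), text))
    return findings

def security_warnings(log_text):
    """Banners that should block a deployment rather than just be noted."""
    return [f for f in startup_warnings(log_text) if f[0] == "security"]

# Constructed sample mixing the two log layouts seen in the thread.
SAMPLE = """\
Jan 27 10:38:49 host mongod[100]: 2018-01-27T10:38:49.832-0500 I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
Jan 27 10:38:49 host mongod[100]: 2018-01-27T10:38:49.832-0500 I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem
Jan 27 10:38:49 host mongod[100]: 2018-01-27T10:38:49.976-0500 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2020-03-02T10:29:33.603+0000 I  STORAGE  [initandlisten] Timestamp monitor starting
2020-03-02T10:29:33.605+0000 I  CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2020-03-02T10:29:33.605+0000 I  CONTROL  [initandlisten] 
"""

if __name__ == "__main__":
    for category, component, text in startup_warnings(SAMPLE):
        print(f"{category:12} {component:8} {text}")
```

Run against a container's startup output, a non-empty `security_warnings()` result is the condition to fail a deployment check on; the filesystem banner is informational, as the comments above conclude.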