Bug 1365828 - mongo log spam

John Meinel john at arbash-meinel.com
Tue Sep 9 08:53:38 UTC 2014 

On Tue, Sep 9, 2014 at 12:27 PM, Andrew Wilkins <
andrew.wilkins at canonical.com> wrote:

> On Tue, Sep 9, 2014 at 4:14 PM, John Meinel <john at arbash-meinel.com>
> wrote:
>
>> I don't think these are from authentication between mongo instances.
>>
>
> Agreed, looks like the machine-0 jujud connecting over and over again.
> Perhaps the agent is unhappy and is bouncing.
>

It is possible, but its also possible that the new session copying means we
just have multiple connections (conn11) to the database, and each one is
going to be authenticated.


>
>
>> This looks more like a Mongo 2.4 vs 2.6 difference. We added stuff like
>> "clusterAdmin" to priviledges that we give because of 2.6 support (I
>> thought).. But if 2.4 doesn't know anything about "clusterAdmin" then
>> whenever we log in, it goes through the list of roles and noisily ignores
>> some of them.
>>
>
> clusterAdmin is for replica sets, and is applicable to 2.4. In particular,
> in grants replSetInitiate. I went through and removed the extraneous stuff
> when I did the 2.6 support updates.
> See http://docs.mongodb.org/v2.4/reference/user-privileges/
>

Digging into it a bit more, it is only complaining about not having those
roles on the "juju" and "presence" databases, they are probably present on
the "admin" database.

Looking at the code, the only place I see RoleClusterAdmin is while
connected to the Admin database.
"clusterAdmin
<http://docs.mongodb.org/manual/reference/built-in-roles/#clusterAdmin> is
only applicable on the admin database, and does not confer any access to
the local or config databases."

I wonder if this is either:
1) Mongo just being overly verbose in warnings that aren't actually
warnings. (You logged in with a user that has clusterAdmin, but that
doesn't apply to this other database you are accessing.)
2) We somehow created a User on the Juju/Presence databases and then also
gave it "clusterAdmin" rights there.

The only place I see any of this is via the mongo.SetAdminMongoPassword
call, though, and that does appear to forcibly only do the UpsertUser
rights on "admin".
So I'm *guessing* we are running into (1). We are connecting directly to
the "juju" database, and we are connecting as a user that has clusterAdmin
but it just doesn't do anything in this context and mongo warns about it.
An idea is that we always connect to "admin" and then switch databases once
connected? I think that's how I've done it for connecting when using
"mongo" the CLI client.

John
=:->




> Presumably the real fix is to only give roles that are 2.6 specific when
>> we know we're running against 2.6 ?
>>
>> (I could be wrong on this, but I thought we had earlier bugs that we
>> couldn't do the cluster reconfiguration on 2.6 because we had to add the
>> "clusterAdmin" role.)
>>
>> John
>> =:->
>>
>>
>> On Tue, Sep 9, 2014 at 11:22 AM, Ian Booth <ian.booth at canonical.com>
>> wrote:
>>
>>> https://bugs.launchpad.net/juju-core/+bug/1365828
>>>
>>> Hi mongo experts
>>>
>>> Mongo is filling up syslog with lots of spam.
>>> eg, as reported by a customer, https://clbin.com/XZ63i
>>>
>>> I have reduced this a little by tweaking the roles used to log in to the
>>> "juju"
>>> and "presence" databases, so the warnings are gone. But the spam remains.
>>>
>>> It seems to me these Mongo bugs might be relevant:
>>>
>>> https://jira.mongodb.org/browse/SERVER-5847
>>> https://jira.mongodb.org/browse/SERVER-5952
>>>
>>> I can't see from a brief look what Juju might be doing to directly cause
>>> the
>>> spam, nor what we can do to remove it.
>>>
>>> Does anyone with more Mongo knowledge have any insight as to what we can
>>> do to
>>> address this problem?
>>>
>>>
>>> --
>>> Juju-dev mailing list
>>> Juju-dev at lists.ubuntu.com
>>> Modify settings or unsubscribe at:
>>> https://lists.ubuntu.com/mailman/listinfo/juju-dev
>>>
>>
>>
>> --
>> Juju-dev mailing list
>> Juju-dev at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/juju-dev
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/juju-dev/attachments/20140909/e39fab1c/attachment.html>

More information about the Juju-dev mailing list