Ops Tools
-
MongoDB Agent (Automation Module): don't attempt to auth with `net.tls.clusterFile` / `net.tls.certificateKeyFile` and use Agent X.509 cert
Problem Statement,
What is the problem? MongoDB Agent (Automation Module) attempts to auth with `net.tls.clusterFile` / `net.tls.certificateKeyFile` X.509 certificate first, pretending it is a Replica Set member.
Why is this a problem? MongoDB Server process logs are flooded by unnecessary noise from such MongoDB Agent (Automation Module) auth attempts pretending it is a Replica Set member. MongoDB Server will always log Replica Set member auth certificate usage outside of internal MongoDB Server client (https://github.com/mongodb/mongo/blob/6212e50e73dd032b448a514fe6893c6490a28a9f/src/mongo/db/commands/authentication_commands.cpp#L294-L300),
Example,
{"t":{"$date":"2021-05-10T11:08:03.110+0000"},"s":"W", "c":"ACCESS", "id":20430, "ctx":"conn116","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
Proposal,
* Don't attempt to auth…
9 votes -
Configure MongoDB Automation Agent collecting stats on some collection to not trigger alerts
We just had a support case about some alerts being raised on our cluster because the MongoDB Automation Agent collecting stats on some collection doing queries without index triggers "Scanned Objects / Returned" ratio has gone over 1000.
It would be really nice to at least not raise alerts when it's the MongoDB Automation Agent that triggered it. We're monitoring our alerts a lot and these are false positives we can't do anything about, it seems, other than create all the indexes it needs, which might change over time. We have no guarantee of which index it needs.
Another alternative…
9 votes -
Provide mechanism for internal password rotation of the automation user
Ops Manager automation currently uses an mms-automation user for node management, but the password for that user is set once and stays forever unless it is updated via the Ops Manager API.
This feature would provide a mechanism that allows this password to be re-generated via the UI or an API call and have it automatically updated on the managed mongod instances as well.
9 votes -
SAML support in Ops Manager API
SAML is available as an authentication mechanism and we're currently using it with Keycloak (centralized identity provider).
It works well with Ops Manager but there seems to be no support whatsoever in Ops Manager 4.4 API to programmatically add / update / delete SAML groups on Organizations or Projects.
The official API documentation doesn't even recognize that SAML is available.
Mongo support has confirmed that and it's a target feature in their internal backlog.
This idea will hopefully speed up things.
8 votes -
Ops Manager
In Ops Manager, whenever we make changes to the configuration of the deployed MongoDB instances, the GUI prompts for Review & Deploy. If we had a provision for scheduling the deployment at a later time, it would fulfill the real Automation.
- Do the changes at a convenient time
- Deploy through a scheduler
7 votes -
Add ability to transition WiredTiger encryption-at-rest from local keyfile encryption (LKE) to KMIP
If you are using local key file encryption and backing up your MongoDB deployment using Ops Manager, backups won't work correctly if you upgrade to MongoDB 4.2. The correct solution is to switch your encryption to KMIP. But if you try doing that, automation will get stuck!
5 votes -
Automation should handle multiple hostname aliases for each server
In order to separate replication, client and administrative traffic, servers may have multiple network interfaces using different IP and hostname aliases associated with them.
According to the requirements described on https://docs.opsmanager.mongodb.com/current/tutorial/provisioning-prep/#server-networking-access Automation currently can use only the server hostname defined as `hostname -f` and cannot use any of the other aliases matching to other IP addresses for the other machine host aliases.
Please add some way to customize which host alias Automation should use as a configuration parameter for the Agent.
5 votes -
Make the option of "security.TransitionToAuth" available through Ops Manager Advanced Configuration Options
Currently the option of "security.TransitionToAuth" is not available in Ops Manager as "transitionToAuth" is automatically added to each node in a rolling fashion by the Automation agent and then ultimately removed when authentication is finally turned on for all nodes.
Allowing this option through Ops Manager will enable the mongod to accept and create authenticated and non-authenticated connections to and from the connected clients. Thus the clients can use this feature to avoid downtime at their end while the connection settings are updated to use the appropriate user to connect to mongod.
5 votes -
Install Managed MongoDB Processes as Services in Linux
In Windows, managed MongoDB processes are installed as services. In Linux, they are not. It would be great if managed processes were installed as services so that system administrators would have better control over startup and shutdown behavior, among other things.
4 votes -
Automation - Improve import for automation when keyfile doesn't match
Starting with MongoDB 4.2 we are able to rotate the internal authentication keyfiles in a rolling fashion with the procedure described here:
https://docs.mongodb.com/manual/tutorial/rotate-key-sharded-cluster/
Currently when you import for automation a cluster that is using a different keyfile than the one in the automation config, a bounce restart is triggered. We can avoid it by doing a rolling rotation of the keyfile.
The old keyfile should be kept and the new one appended to it in a rolling fashion. We may already have this implemented for the "Rotate keyfile" feature present in the Security tab page.
4 votes -
Ability to stop/start/restart BI Connector in Ops Manager
Currently, Ops Manager does not support stop/start/restart BI Connector that is managed by Ops Manager Automation. There is only a Terminate option available.
4 votes -
Incorrect Agent version Alert/Banner
If someone upgrades from Ops Manager v4.2 -> v4.4 and then downgrades by reinstalling Ops Manager v4.2, there is no Alert or Banner that the Agent is incompatible.
Attempts to modify deployments with this incompatible Agent display "Initializing Automation for your Deployment" but never actually do anything. It is only after reviewing the Ops Manager logs that you see "Unrecognized field".
It would be helpful if there was a validation check that displays an Alert or Banner that indicates that the version of the Agent is unknown/incompatible. Perhaps something similar to what is displayed after upgrading Ops Manager that will…
3 votes -
Provide AWS CloudFormation template starter
It would make things easier for our users if they had at least a starter/example AWS CloudFormation template to use for provisioning AWS resources required for an Ops Manager deployment.
2 votes -
update monitoring & backup agent credentials via automationConfig API instead of separate API calls
Right now if you want to change the credentials for the monitoring agent or the backup agent, you've got to make separate API calls. Why not make it so that you can specify everything at once in the same automationConfig API PUT?
2 votes -
Warn if deploying changes would require rolling restart
When reviewing changes in automation, warn if deploying changes will require a rolling restart.
As an example, look at the documentation for server parameters: https://docs.mongodb.com/manual/reference/parameters/
Many parameters include the description "You can only set THIS during start-up", but a warning that setting this parameter implies restarting MongoDB is missing from Ops Manager (or Cloud Manager).
2 votes -
Logging: attr.error field type conflicts
Hey!
We are using fluent-bit to push MongoDB logs to Elasticsearch. When there are already logs in the elastic index, where attr.error is an object, then it does not accept log lines in which this field is a string:
"error":{"type":"mapperparsingexception","reason":"object mapping for [attr.error] tried to parse field [error] as object, but found a concrete value"}
There is a log with string attr.error:
{"t":{"$date":"2022-05-13T15:16:31.203+00:00"},"s":"I", "c":"CONNPOOL", "id":22572, "ctx":"MirrorMaestro","msg":"Dropping all pooled connections","attr":{"hostAndPort":"mongodb-1.mongodb-headless.mongodb.svc.cluster.local:27017","error":"ShutdownInProgress: Pool for mongodb-1.mongodb-headless.mongodb.svc.cluster.local:27017 has expired."}}
There is a log with object attr.error:
{"t":{"$date":"2022-05-13T15:20:56.857+00:00"},"s":"I", "c":"REPL_HB", "id":23974, "ctx":"ReplCoord-680","msg":"Heartbeat failed after max retries","attr":{"target":"alerta-mongodb-arbiter-0.alerta-mongodb-arbiter-headless.monitoring.svc.cluster.local:27017","maxHeartbeatRetries":2,"error":{"code":93,"codeName":"InvalidReplicaSetConfig","errmsg":"replica set IDs do not match, ours: 61ea35f29cfd494fef169571; remote node's: 61eef8589d065c56e61d6e52"}}}…
1 vote -
Ops Manager help with index compliance across cluster
One of the problems is that we found some nodes would have indexes and others don't. Is there anything in Ops Manager to make sure that indexes are applied (in compliance) across all the nodes?
1 vote -
mongocli - allow to enable/disable agent modules
As of mongocli version 1.17.0 there is no way to enable monitoring and backup modules for a Cloud Manager or Ops Manager project.
You can only query the agents and the modules enabled.
This won't allow you to use mongocli to set up a new project from scratch and will require using the Cloud Manager or Ops Manager API, updating the automation config manually for this purpose.
1 vote