Ops Tools
26 results found
-
Provide mechanism for internal password rotation of the automation user
Ops Manager automation currently uses an mms-automation user for node management, but the password for that user is set once and stays forever unless it is updated via the Ops Manager API.
This feature would provide a mechanism that allows this password to be re-generated via the UI or an API call and have it automatically updated on the managed mongod instances as well.
10 votes -
MongoDB Agent (Automation Module): don't attempt to auth with `net.tls.clusterFile` / `net.tls.certificateKeyFile` and use Agent X.509 cert
Problem Statement,
What is the problem? MongoDB Agent (Automation Module) attempts to auth withnet.tls.clusterFile/net.tls.certificateKeyFileX.509 certificate first, pretending it is a Replica Set member.Why is this a problem? MongoDB Server process logs are flooded by unnecessary noise from such MongoDB Agent (Automation Module) auth attempts pretending it is Replica Set member. MongoDB Server will always log Replica Set member auth certificate usage outside of internal MongoDB Server client (https://github.com/mongodb/mongo/blob/6212e50e73dd032b448a514fe6893c6490a28a9f/src/mongo/db/commands/authentication_commands.cpp#L294-L300),
Example,
{"t":{"$date":"2021-05-10T11:08:03.110+0000"},"s":"W", "c":"ACCESS", "id":20430, "ctx":"conn116","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}Proposal,
* Don't attempt to auth…9 votes -
SAML support in Ops Manager API
SAML is available as an authentication mechanism and we're currently using it with keycloack (centralized identity provider).
It works well with Ops Manager but there seems to be no support whatsoever in Ops Manager 4.4 API to programmatically add / update / delete SAML groups on Organizations or Projects.
The official API documentation doesn't even recognize that SAML is available.
Mongo support has confirmed that and it's a target feature in their internal backlog.
This idea will hopefully speed up things.9 votes -
Configure MongoDB Automation Agent collecting stats on some collection to not trigger alerts
We just had a support case about some alerts being raised on our cluster because the MongoDB Automation Agent collecting stats on some collection doing queries without index triggers "Scanned Objects / Returned" ratio has went over 1000.
It would be really nice to at least not raise alerts when it's the mongodb automation agent that triggered it. Were monitoring our alerts a lot and these are false positive we can't do anything about it seems other than create all the indexes it needs, which might change over time. We have no guarantee of which index it needs.
Another alternative…
9 votes -
Ops Manager
In Ops Manager ,Whenever we do changes in the configuration the deployed mongodb instnaces ,GUI prompt for Review & Deploy ,If we have a provision for schduling the deployment in later time would fullfil the real Automation.
- Do the changes at convenient time
- Do deploy thru a schedulers
7 votes -
Add ability to transition WiredTiger encryption-at-rest from local keyfile encryption (LKE) to KMIP
If you are using local key file encryption and backing up your MongoDB deployment using Ops Manager, backups won't work correctly if you upgrade to MongoDB 4.2. The correct solution is to switch your encryption to KMIP. But if you try doing that, automation will get stuck!
5 votes -
Automation should handle multiple hostname aliases for each server
In order to separate replication, client and administrative traffic, servers may have multiple network interfaces using different IP and hostname aliases associated with them.
According to the requirements described on https://docs.opsmanager.mongodb.com/current/tutorial/provisioning-prep/#server-networking-access Automation currently can use only the server hostname defined as
hostname -fand cannot use any of the other aliases matching to other IP addresses for the other machine host aliases.Please add some way to customize which host alias Automation should use as a configuration parameter for the Agent.
5 votes -
Make the option of "security.TransitionToAuth" available through Ops Manager Advanced Configuration Options
Currently the option of "security.TransitionToAuth" is not available in Ops Manager as "transitionToAuth" is automatically added to each node in a rolling fashion by the Automation agent and then ultimately removed when authentication is finally turned on for all nodes.
Allowing this option through Ops Manager will enable the mongod to accept and create authenticated and non-authenticated connections to and from the connected clients. Thus the clients can use this feature to avoid downtime at their end while the connection settings are updated to use the appropriate user to connect to mongod.
5 votes -
Ability to stop/start/restart BI Connector in Ops Manager
Currently, Ops Manager does not support stop/start/restart BI Connector that is managed by Ops Manager Automation. There is only a Terminate option available.
5 votes -
Install Managed MongoDB Processes as Services in Linux
In Windows, managed MongoDB processes are installed as services. In Linux, they are not. It would be great if managed processes were installed as services so that system administrators would have better control over startup and shutdown behavior, among other things.
4 votes -
Automation - Improve import for automation when keyfile doesn't match
Starting with MongoDB 4.2 we are able to rotate the internal authentication keyfiles in a rolling fashion with the procedure described here:
https://docs.mongodb.com/manual/tutorial/rotate-key-sharded-cluster/Currently when you import for automation a cluster that is using a different keyfile than the one in the automation config a bouncerestart is triggered. We can avoid it by doing a rolling rotation of the keyfile.
The old keyfile should be kept and the new one appended to it in a rolling fashion. We may have already this implemented for the "Rotate keyfile" feature present in the Security tab page.
4 votes -
4 votes
-
Incorrect Agent version Alert/Banner
If someone upgrades from Ops Manager v4.2 -> v4.4 and then downgrades by reinstalling Ops Manager v4.2, there is no Alert or Banner that the Agent is incompatible.
Attempts to modify deployments with this incompatible Agent displays "Initializing Automation for your Deployment" but never actually does anything. It is only after reviewing the Ops Manager logs that you see "Unrecognized field".
It would be helpful if there was a validation check that displays an Alert or Banner that indicates that the version of the Agent is unknown/incompatible. Perhaps something similar to what is displayed after upgrading Ops Manager that will…
3 votes -
3 votes
-
Provide AWS CloudFormation template starter
It would make things easier for our users if they had at least a starter/example AWS CloudFormation template to use for provisioning AWS resources required for an Ops Manager deployment.
2 votes -
update monitoring & backup agent credentials via automationConfig API instead of separate API calls
Right now if you want to change the credentials for the monitoring agent or the backup agent, you've got to make separate API calls. Why not make it so that you can specify everything at once in the same automationConfig API PUT?
2 votes -
Warn if deploying changes will require a rolling restart
When reviewing changes in automation, warn if deploying changes will require a rolling restart.
As an example, look at the documentation for server parameters. Many parameters include the description "You can only set THIS during start-up", but the the warning that setting this parameter necessitates a restart is missing from Ops Manager (or Cloud Manager).
2 votes -
Automation web UI - Validate the TLS/SSL settings passed in the UI
It is possible to make all agents in a project fail by setting a wrong CA file value.
For example a customer set in the CA file field a directory instead of a file, and it caused Agents to stop reporting to OM.
Eg. the montioring module logged:
{code}
Error starting new module : <Monitoring Module Manager> [15:25:38.817] Error starting Monitoring module : error parsing settings:map[logFile:/var/log/mongodb-mms-automation/monitoring-agent.log maxLogFileDurationHrs:24 maxLogFileSizeBytes:1048576000 maxProcs:0 mmsApiKey:*** mmsBaseUrl:https://api-agents.mongodb.com mmsGroupId:yyyy sslTrustedServerCertificates:/opt/mongodb/db1/pki version:10.19.2.6597]. Monitoring unable to start. Error: SSL trusted server certificates file/etc/ssl/pkican not be read. Err: read /etc/ssl/pki: is a directory
{code}Similar errors…
2 votes -
Documentation: API equivalents for each action on OpsManager
In the documentation, for each action on OpsManager it should be explained how to achieve the same result using the OpsManager API (or an equivalent mongocli command, if it exists).
For example, in the pages describing how to configure Backup stores in the OpsManager UI, it should also be explained which APIs to use (admin/backup).1 vote -
Authentication support for OpenID connect (OIDC)
I would like to connect to MongoDB as part of a Terraform IaC project from bitbucket pipelines. Currently this is possible only through API keys.
It would be great if there was support for OIDC as it provides rotated keys and solid support of various pipelines (GitHub actions, Bitbucket pipelines, ...). Also with OIDC the client is not exposed to any credentials, so this would allow for a "zero-trust" approach when it comes to IaC (Infrastructure as Code).
1 vote
- Don't see your idea?