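#!/bin/bash
# Install MongoDB server (mongod) and mongosh from the vendor tarballs on a
# RHEL 8-style host: unpack the binaries into /usr/local, create the mongod
# service account and the /data/mongodb data/log layout, load the SELinux
# policy modules mongod needs (cgroup memory accounting and /proc/net for
# FTDC) when SELinux is enabled, and register + start a systemd unit.
#
# Usage: run as root from the directory that holds the tarballs and mongod.conf.
# Environment (all optional):
#   MONGODB_TGZ     mongod tarball   (default mongodb-linux-x86_64-rhel80-7.0.12.tgz)
#   MONGOSH_TGZ     mongosh tarball  (default mongosh-2.2.15-linux-x64.tgz)
#   MONGODB_SHA256  vendor-published SHA-256 of MONGODB_TGZ; verified when set
#   MONGOSH_SHA256  vendor-published SHA-256 of MONGOSH_TGZ; verified when set
set -euo pipefail

readonly MONGODB_TGZ=${MONGODB_TGZ:-mongodb-linux-x86_64-rhel80-7.0.12.tgz}
readonly MONGOSH_TGZ=${MONGOSH_TGZ:-mongosh-2.2.15-linux-x64.tgz}
readonly MONGODB_SHA256=${MONGODB_SHA256:-}
readonly MONGOSH_SHA256=${MONGOSH_SHA256:-}
readonly DATA_ROOT=/data/mongodb
readonly SVC_USER=mongod
readonly SVC_GROUP=mongod

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Check a downloaded tarball against an expected SHA-256 digest so that a
# tampered or truncated download is never unpacked onto the host.
# Arguments: $1 - file to check
#            $2 - expected hex digest; empty skips the check with a warning
# Returns:   0 on match or skip; exits via die on a missing file or mismatch
#######################################
verify_sha256() {
  local file=$1 expected=$2
  [[ -f "$file" ]] || die "missing $file"
  if [[ -z "$expected" ]]; then
    warn "no SHA-256 supplied for $file; integrity not verified"
    return 0
  fi
  printf '%s  %s\n' "$expected" "$file" | sha256sum --check --quiet - \
    || die "SHA-256 mismatch for $file"
}

#######################################
# Unpack the mongod tarball and install every binary from its bin/ directory
# into /usr/local/bin with mode 0755.
# Globals:   MONGODB_TGZ, MONGODB_SHA256 (read)
#######################################
install_mongod() {
  local dir=${MONGODB_TGZ%.tgz}
  verify_sha256 "$MONGODB_TGZ" "$MONGODB_SHA256"
  tar -xzf "$MONGODB_TGZ"
  # install(1) sets 0755 in one step (replaces chmod +x followed by cp)
  install -m 0755 -- "$dir"/bin/* /usr/local/bin/
}

#######################################
# Unpack the mongosh tarball; install the shell into /usr/local/bin and its
# crypt shared library into /usr/local/lib.
# Globals:   MONGOSH_TGZ, MONGOSH_SHA256 (read)
#######################################
install_mongosh() {
  local dir=${MONGOSH_TGZ%.tgz}
  verify_sha256 "$MONGOSH_TGZ" "$MONGOSH_SHA256"
  tar -xzf "$MONGOSH_TGZ"
  install -m 0755 -- "$dir/bin/mongosh" /usr/local/bin/
  # plain cp keeps the library's mode as shipped in the tarball
  cp -- "$dir/bin/mongosh_crypt_v1.so" /usr/local/lib/
}

#######################################
# Create the data/log directories and the unprivileged service account.
# Idempotent: an existing group/user is reused rather than making
# groupadd/useradd fail (which would abort the script under set -e).
# Globals:   DATA_ROOT, SVC_USER, SVC_GROUP (read)
#######################################
prepare_runtime() {
  mkdir -p "$DATA_ROOT/data" "$DATA_ROOT/log"
  touch "$DATA_ROOT/log/mongod.log"
  getent group "$SVC_GROUP" >/dev/null || groupadd "$SVC_GROUP"
  # no home directory, no login shell: the account only runs the daemon
  getent passwd "$SVC_USER" >/dev/null \
    || useradd -M -s /bin/false -g "$SVC_GROUP" "$SVC_USER"
  chown -R "$SVC_USER:$SVC_GROUP" "$DATA_ROOT"
}

#######################################
# Compile and load one SELinux policy module whose .te source is on stdin.
# Arguments: $1 - module name; used as the stem of the .te/.mod/.pp files
#            written into the current directory
#######################################
load_selinux_module() {
  local name=$1
  cat > "$name.te"
  checkmodule -M -m -o "$name.mod" "$name.te"
  semodule_package -o "$name.pp" -m "$name.mod"
  semodule -i "$name.pp"
}

#######################################
# Load the two local policy modules mongod needs under SELinux.
# Skipped with a warning when SELinux is not enabled (the script name
# suggests such hosts are a target); when it is enabled, the policy tools
# must be present or the installation aborts rather than leaving mongod
# confined without the rules it needs.
#######################################
install_selinux_policy() {
  local tool
  if ! { command -v selinuxenabled >/dev/null && selinuxenabled; }; then
    warn "SELinux not enabled (or libselinux-utils missing); skipping policy modules"
    return 0
  fi
  for tool in checkmodule semodule_package semodule; do
    command -v "$tool" >/dev/null || die "SELinux is enabled but $tool is not installed"
  done

  # allow mongod to read cgroup memory accounting
  load_selinux_module mongodb_cgroup_memory <<'EOF'
module mongodb_cgroup_memory 1.0;
require {
type cgroup_t;
type mongod_t;
class dir search;
class file { getattr open read };
}
#============= mongod_t ==============
allow mongod_t cgroup_t:dir search;
allow mongod_t cgroup_t:file { getattr open read };
EOF

  # allow mongod to read /proc/net (netstat data) for FTDC
  load_selinux_module mongodb_proc_net <<'EOF'
module mongodb_proc_net 1.0;
require {
type cgroup_t;
type configfs_t;
type file_type;
type mongod_t;
type proc_net_t;
type sysctl_fs_t;
type var_lib_nfs_t;
class dir { search getattr };
class file { getattr open read };
}
#============= mongod_t ==============
allow mongod_t cgroup_t:dir { search getattr } ;
allow mongod_t cgroup_t:file { getattr open read };
allow mongod_t configfs_t:dir getattr;
allow mongod_t file_type:dir { getattr search };
allow mongod_t file_type:file getattr;
allow mongod_t proc_net_t:file { open read };
allow mongod_t sysctl_fs_t:dir search;
allow mongod_t var_lib_nfs_t:dir search;
EOF
}

#######################################
# Install mongod.conf from the current directory and write the systemd unit.
# Globals:   SVC_USER, SVC_GROUP (read)
#######################################
install_unit() {
  cp -- mongod.conf /etc/mongod.conf
  # $MAINPID is escaped so it reaches systemd literally; an unescaped form
  # would be expanded (to nothing) by this shell and leave ExecReload broken.
  cat > /etc/systemd/system/mongod.service <<EOF
[Unit]
Description=MongoDB Database Server
Documentation=https://docs.mongodb.org/manual
After=network.target
[Service]
User=$SVC_USER
Group=$SVC_GROUP
ExecStart=/usr/local/bin/mongod --config /etc/mongod.conf
ExecReload=/bin/kill -HUP \$MAINPID
Restart=always
# Nothing else creates /var/run/mongodb; have systemd create it (owned by the
# service user) at start. On RHEL 8 /var/run is /run.
RuntimeDirectory=mongodb
PIDFile=/var/run/mongodb/mongod.pid
TimeoutSec=30
RemainAfterExit=yes
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
}

main() {
  (( EUID == 0 )) || die "this script must run as root"
  install_mongod
  install_mongosh
  prepare_runtime
  install_selinux_policy
  install_unit
  systemctl daemon-reload
  systemctl enable mongod
  systemctl start mongod
}

main "$@"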