author Zakhar Kleyman <zakhar.kleyman@mongodb.com> 2019-07-26 11:45:32 -0400
committer Zakhar Kleyman <zakhar.kleyman@mongodb.com> 2019-07-29 15:58:08 -0400
commit 3820d3b1d6b93d15e13ddcfdc1511b7eda5727c4 (patch)
tree 7b1535952719bcf269326c3919c27869a30c593a
parent bd5e8b54d4877e0d858eb14cd7f7c9f2267608cb (diff)
SERVER-41232 Update man pages
-rw-r--r-- debian/bsondump.1 14
-rw-r--r-- debian/mongo.1 702
-rw-r--r-- debian/mongod.1 1728
-rw-r--r-- debian/mongodump.1 643
-rw-r--r-- debian/mongoexport.1 721
-rw-r--r-- debian/mongofiles.1 299
-rw-r--r-- debian/mongoimport.1 37
-rw-r--r-- debian/mongorestore.1 663
-rw-r--r-- debian/mongos.1 1298
-rw-r--r-- debian/mongostat.1 326
-rw-r--r-- debian/mongotop.1 472

11 files changed, 5345 insertions, 1558 deletions
diff --git a/debian/bsondump.1 b/debian/bsondump.1
index 74f091ea918..46b2d0dd02d 100644
--- a/debian/bsondump.1
+++ b/debian/bsondump.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "BSONDUMP" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
+.TH "BSONDUMP" "1" "Jul 25, 2019" "4.2" "mongodb-manual"
.SH NAME
bsondump \- MongoDB BSON Utility
.
@@ -37,13 +37,13 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.IP \(bu 2
\fI\%Options\fP
.IP \(bu 2
-\fI\%Use\fP
+\fI\%Examples\fP
.UNINDENT
.INDENT 0.0
.INDENT 3.5
-.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.IP "macOS Sierra and Go 1.6 Incompatibility"
.sp
-Users running on Mac OSX Sierra require the 3.2.10 or newer version
+Users running on macOS Sierra require the 3.2.10 or newer version
of \fI\%bsondump\fP\&.
.UNINDENT
.UNINDENT
@@ -118,7 +118,7 @@ For objects with a high degree of sub\-document nesting,
.TP
.B \-\-type <=json|=debug>
Changes the operation of \fBbsondump\fP from outputting
-“JSON” (the default) to a debugging format.
+"JSON" (the default) to a debugging format.
.UNINDENT
.INDENT 0.0
.TP
@@ -157,7 +157,7 @@ its output JSON data.
.sp
By default, \fBbsondump\fP writes to standard output.
.UNINDENT
-.SH USE
+.SH EXAMPLES
.sp
Changed in version 3.4.
@@ -191,6 +191,6 @@ bsondump \-\-type=debug collection.bson
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2018
+2008-2019
.\" Generated by docutils manpage writer.
.
diff --git a/debian/mongo.1 b/debian/mongo.1
index 3d2e876cbfb..e06ce6b7020 100644
--- a/debian/mongo.1
+++ b/debian/mongo.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGO" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
+.TH "MONGO" "1" "Jul 25, 2019" "4.2" "mongodb-manual"
.SH NAME
mongo \- MongoDB Shell
.
@@ -35,6 +35,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.IP \(bu 2
\fI\%Description\fP
.IP \(bu 2
+\fI\%Syntax\fP
+.IP \(bu 2
\fI\%Options\fP
.IP \(bu 2
\fI\%Files\fP
@@ -48,12 +50,11 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.SH DESCRIPTION
.sp
\fI\%mongo\fP is an interactive JavaScript shell interface to
-MongoDB, which provides a powerful interface for systems
+MongoDB, which provides a powerful interface for system
administrators as well as a way for developers to test queries and
operations directly with the database. \fI\%mongo\fP also provides
-a fully functional JavaScript environment for use with a MongoDB. This
-document addresses the basic invocation of the \fI\%mongo\fP shell
-and an overview of its usage.
+a fully functional JavaScript environment for use with a MongoDB.
+The \fI\%mongo\fP shell is part of the \fI\%MongoDB distributions\fP\&.
.sp
\fBNOTE:\fP
.INDENT 0.0
@@ -63,7 +64,83 @@ encryption on systems where TLS 1.1+ is available. For
more details, see 4.0\-disable\-tls\&.
.UNINDENT
.UNINDENT
+.SH SYNTAX
+.INDENT 0.0
+.IP \(bu 2
+You can run \fI\%mongo\fP shell without any command\-line
+options use the default settings:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongo
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+You can run \fI\%mongo\fP shell with a connection string that specifies the host and port and
+other connection options. For example, the following includes the
+\fBtls\fP:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongo "mongodb://mongodb0.example.com:27017/testdb?tls=true"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The \fBtls\fP option is available starting in MongoDB 4.2. In
+earlier version, use the \fBssl\fP option.
+.sp
+To connect \fI\%mongo\fP shell to a replica set, you can
+specify in the connection string the replica set members and name:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongo "mongodb://mongodb0.example.com.local:27017,mongodb1.example.com.local:27017,mongodb2.example.com.local:27017/?replicaSet=replA"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For more information on the connection string options, see
+/reference/connection\-string\&.
+.IP \(bu 2
+You can run \fI\%mongo\fP shell with various command\-line
+options. For example:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongo \-\-host mongodb0.example.com:27017 [additional options]
+
+mongo \-\-host mongodb0.example.com \-\-port 27017 [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For more information on the options available, see \fI\%Options\fP\&.
+.UNINDENT
.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.IP "Starting in version 4.2"
+.INDENT 0.0
+.IP \(bu 2
+MongoDB deprecates the SSL options and insteads adds new
+corresponding TLS options.
+.UNINDENT
+.UNINDENT
+.UNINDENT
.SS Core Options
.INDENT 0.0
.TP
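Review bot: The new SYNTAX section has several wording defects that will render verbatim in the man page. The first bullet, "without any command-line options use the default settings", is missing "to" before "use". The sentence "the following includes the tls:" has no noun after "tls" (presumably "option"). "In earlier version" should be plural, and the OPTIONS admonition says "insteads adds". The replica set example also uses hosts under "example.com.local" while the other two examples in the same section use "mongodb0.example.com"; pick one naming scheme so readers do not assume the ".local" suffix is required.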
@@ -105,9 +182,11 @@ Specifies the name of the host machine where the
\fBmongod\fP or \fBmongos\fP is running. If this is not specified,
\fBmongo\fP attempts to connect to a MongoDB process running on
the localhost.
-.sp
-To connect to a replica set, specify the \fBreplica set name\fP and a seed list of set members. Use the
-following form:
+.INDENT 7.0
+.TP
+.B To connect to a replica set,
+Specify the \fBreplica set name\fP
+and a seed list of set members. Use the following form:
.INDENT 7.0
.INDENT 3.5
.sp
@@ -118,20 +197,30 @@ following form:
.fi
.UNINDENT
.UNINDENT
-.sp
-For TLS/SSL connections (\fB\-\-ssl\fP), \fBmongo\fP verifies that the
-hostname of the \fBmongod\fP or \fBmongos\fP to which you are connecting matches
-the CN or SAN of the \fBmongod\fP or \fBmongos\fP’s \fB\-\-sslPEMKeyFile\fP certificate.
-If the hostname does not match the CN/SAN, \fBmongo\fP will fail to
+.TP
+.B For TLS/SSL connections (\fB\-\-ssl\fP),
+The \fI\%mongo\fP shell verifies that the hostname (specified
+in \fI\%\-\-host\fP option or the connection string)
+matches the \fBSAN\fP (or, if \fBSAN\fP is not present, the \fBCN\fP) in
+the certificate presented by the \fBmongod\fP or
+\fBmongos\fP\&. If \fBSAN\fP is present, \fI\%mongo\fP
+does not match against the \fBCN\fP\&. If the hostname does not match
+the \fBSAN\fP (or \fBCN\fP), the \fI\%mongo\fP shell will fail to
connect.
.sp
-For \fI\%DNS seedlist connections\fP, specify the connection protocol as
-\fBmongodb+srv\fP, followed by the DNS SRV hostname record and any
-options. The \fBauthSource\fP and \fBreplicaSet\fP options, if included in
-the connection string, will override any corresponding DNS\-configured options
-set in the TXT record. Use of the \fBmongodb+srv:\fP connection string implicitly
-enables TLS/SSL (normally set with \fBssl=true\fP) for the client connection. The
-TLS/SSL option can be turned off by setting \fBssl=false\fP in the query string.
+Starting in MongoDB 4.2, when performing comparison of SAN, MongoDB
+supports comparison of DNS names or IP addresses. In previous versions,
+MongoDB only supports comparisons of DNS names.
+.TP
+.B For \fI\%DNS seedlist connections\fP,
+Specify the connection protocol as \fBmongodb+srv\fP, followed by
+the DNS SRV hostname record and any options. The \fBauthSource\fP
+and \fBreplicaSet\fP options, if included in the connection string,
+will override any corresponding DNS\-configured options set in the
+TXT record. Use of the \fBmongodb+srv:\fP connection string
+implicitly enables TLS/SSL (normally set with \fBssl=true\fP) for
+the client connection. The TLS/SSL option can be turned off by
+setting \fBssl=false\fP in the query string.
.sp
Example:
.INDENT 7.0
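Review bot: The rewritten --host text still leads with the SSL spellings that this same patch deprecates: the tag reads "For TLS/SSL connections (--ssl)" and the DNS seedlist paragraph tells readers to use "ssl=true" and "ssl=false", while the new SYNTAX section says the "tls" connection string option is available from 4.2 and the OPTIONS admonition says the SSL options are deprecated. Suggest naming --tls and tls=true/tls=false first and mentioning the ssl forms as the pre-4.2 spelling. The statement that the shell does not match against the CN when a SAN is present is a behaviour operators need to know when issuing certificates, so it would help to say from which version that rule applies, as the following paragraph does for IP address comparison.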
@@ -148,6 +237,7 @@ mongodb+srv://server.example.com/?connectionTimeout=3000ms
New in version 3.6.
.UNINDENT
+.UNINDENT
.INDENT 0.0
.TP
.B \-\-eval <javascript>
@@ -159,8 +249,8 @@ As a result many options of the shell environment are not available.
.TP
.B \-\-username <username>, \-u <username>
Specifies a username with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-password\fP and
-\fB\-\-authenticationDatabase\fP options.
+that uses authentication. Use in conjunction with the \fI\%\-\-password\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.UNINDENT
.INDENT 0.0
.TP
@@ -193,14 +283,6 @@ process.
New in version 3.4.
.sp
-.INDENT 7.0
-Changed in version 3.6: .IP \(bu 2
-Add support for zlib compressor.
-.IP \(bu 2
-Enabled by default. To disable, set to \fBdisabled\fP\&.
-.UNINDENT
-
-.sp
Enables network compression for communication between this
\fBmongo\fP shell and:
.INDENT 7.0
@@ -210,6 +292,16 @@ a \fBmongod\fP instance
a \fBmongos\fP instance.
.UNINDENT
.sp
+You can specify the following compressors:
+.INDENT 7.0
+.IP \(bu 2
+snappy
+.IP \(bu 2
+zlib (Available starting in MongoDB 3.6)
+.IP \(bu 2
+zstd (Available starting in MongoDB 4.2)
+.UNINDENT
+.sp
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
@@ -219,14 +311,6 @@ uncompressed.
.UNINDENT
.UNINDENT
.sp
-You can specify the following compressors:
-.INDENT 7.0
-.IP \(bu 2
-snappy (Default)
-.IP \(bu 2
-zlib
-.UNINDENT
-.sp
If you specify multiple compressors, then the order in which you list
the compressors matter as well as the communication initiator. For
example, if a \fI\%mongo\fP shell specifies the following network
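Review bot: With the removal of "snappy (Default)" here and of "Enabled by default. To disable, set to disabled" in the earlier hunk for this option, the page no longer states what the default compressor setting is or how to turn compression off. The relocated list only gives availability ("zlib (Available starting in MongoDB 3.6)", "zstd (Available starting in MongoDB 4.2)"). If the default changed in 4.2, state the new default; if it did not, keep the two dropped statements.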
@@ -243,12 +327,18 @@ between \fI\%mongo\fP shell and \fBmongod\fP are not compressed.
.INDENT 0.0
.TP
.B \-\-ipv6
-\fIRemoved in version 3.0.\fP
+Enables IPv6 support. \fBmongo\fP disables IPv6 by default.
.sp
-Enables IPv6 support and allows \fBmongo\fP to connect to the
-MongoDB instance using an IPv6 network. Prior to MongoDB 3.0, you
-had to specify \fI\%\-\-ipv6\fP to use IPv6. In MongoDB 3.0 and later, IPv6
-is always enabled.
+To connect to a MongoDB cluster via IPv6, you must specify
+both \fI\%\-\-ipv6\fP \fIand\fP
+\fI\%\-\-host <mongod/mongos IPv6 address>\fP
+when starting the \fBmongo\fP shell.
+.sp
+\fBmongod\fP and \fBmongos\fP disable IPv6 support
+by default. Specifying \fI\%\-\-ipv6\fP when connecting to a
+\fBmongod/mongos\fP does not enable IPv6 support on the
+\fBmongod/mongos\fP\&. For documentation on enabling IPv6 support
+on the \fBmongod/mongos\fP, see \fBnet.ipv6\fP\&.
.UNINDENT
.INDENT 0.0
.TP
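Review bot: The --ipv6 entry reverses the documented behaviour without a version marker: the removed text said "In MongoDB 3.0 and later, IPv6 is always enabled", and the new text says "mongo disables IPv6 by default". Add a "Changed in version" line saying when the default changed, or note that the earlier wording was incorrect, so that readers comparing the 4.0 and 4.2 pages know whether existing invocations without --ipv6 are affected.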
@@ -295,15 +385,15 @@ use \fI\%\-\-host\fP or \fI\%\-\-port\fP\&.
New in version 4.0.
.sp
-Enable the JavaScript engine’s JIT compiler.
+Enable the JavaScript engine\(aqs JIT compiler.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-disableJavaScriptJIT
-Changed in version 4.0: The JavaScript engine’s JIT compiler is now disabled by default.
+Changed in version 4.0: The JavaScript engine\(aqs JIT compiler is now disabled by default.
.sp
-Disables the JavaScript engine’s JIT compiler.
+Disables the JavaScript engine\(aqs JIT compiler.
.UNINDENT
.INDENT 0.0
.TP
@@ -400,7 +490,7 @@ finishes running.
.INDENT 0.0
.TP
.B \-\-authenticationDatabase <dbname>
-Specifies the database in which the user is created.
+Specifies the authentication database where the specified \fI\%\-\-username\fP has been created.
See user\-authentication\-database\&.
.sp
If you do not specify a value for \fI\%\-\-authenticationDatabase\fP, \fBmongo\fP uses the database
@@ -496,24 +586,324 @@ default name of \fBmongodb\fP\&.
.sp
This option is available only in MongoDB Enterprise.
.UNINDENT
-.SS TLS/SSL Options
+.SS TLS Options
+.INDENT 0.0
+.INDENT 3.5
+.SS See
+.sp
+/tutorial/configure\-ssl for full
+documentation of MongoDB\(aqs support.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tls
+New in version 4.2.
+
+.sp
+Enables connection to a \fBmongod\fP or \fBmongos\fP that has
+TLS/SSL support enabled.
+.sp
+Starting in version 3.2.6, if \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+(or their aliases \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP) is not
+specified, the system\-wide CA certificate store will be used when
+connecting to an TLS/SSL\-enabled server. In previous versions of
+MongoDB, the \fI\%mongo\fP shell exited with an error that it
+could not validate the certificate.
+.sp
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsCertificateKeyFile <filename>
+New in version 4.2.
+
+.sp
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL
+certificate and key for the \fI\%mongo\fP shell. Specify the
+file name of the \fB\&.pem\fP file using relative or absolute paths.
+.sp
+This option is required when using the \fI\%\-\-tls\fP
+option to connect to a \fBmongod\fP or \fBmongos\fP
+instance that requires client certificates\&. That is, the
+\fI\%mongo\fP shell present this certificate to the server.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsCertificateKeyFilePassword <value>
+New in version 4.2.
+
+.sp
+Specifies the password to de\-crypt the certificate\-key file (i.e.
+\fI\%\-\-tlsCertificateKeyFile\fP).
+.sp
+Use the \fI\%\-\-tlsCertificateKeyFilePassword\fP option only if the
+certificate\-key file is encrypted. In all cases, the \fBmongo\fP will
+redact the password from all logging and reporting output.
+.sp
+If the private key in the PEM file is encrypted and you do not
+specify the \fI\%\-\-tlsCertificateKeyFilePassword\fP option, the \fBmongo\fP will prompt for a
+passphrase. See ssl\-certificate\-password\&.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsCAFile <filename>
+New in version 4.2.
+
+.sp
+Specifies the \fB\&.pem\fP file that contains the root certificate
+chain from the Certificate Authority. This file is used to validate
+the certificate presented by the
+\fBmongod\fP/\fBmongos\fP instance.
+.sp
+Specify the file name of the \fB\&.pem\fP file using relative or
+absolute paths.
+.sp
+Starting in version 3.2.6, if \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+(or their aliases \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP) is not
+specified, the system\-wide CA certificate store will be used when
+connecting to an TLS/SSL\-enabled server. In previous versions of
+MongoDB, the \fI\%mongo\fP shell exited with an error that it
+could not validate the certificate.
+.sp
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsCRLFile <filename>
+New in version 4.2.
+
+.sp
+Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
+List. Specify the file name of the \fB\&.pem\fP file using relative or
+absolute paths.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsAllowInvalidHostnames
+New in version 4.2.
+
+.sp
+Disables the validation of the hostnames in the certificate presented
+by the \fBmongod\fP/\fBmongos\fP instance. Allows
+\fBmongo\fP to connect to MongoDB instances even if the hostname in
+the server certificates do not match the server\(aqs host.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsAllowInvalidCertificates
+New in version 4.2.
+
+.sp
+Bypasses the validation checks for the certificates presented by the
+\fBmongod\fP/\fBmongos\fP instance and allows
+connections to servers that present invalid certificates.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.0, if you specify
+\fB\-\-sslAllowInvalidCertificates\fP or
+\fBnet.ssl.allowInvalidCertificates: true\fP (or in MongoDB 4.2, the
+alias \fB\-\-tlsAllowInvalidateCertificates\fP or
+\fBnet.tls.allowInvalidCertificates: true\fP) when using x.509
+authentication, an invalid certificate is only sufficient to
+establish a TLS/SSL connection but is \fIinsufficient\fP for
+authentication.
+.UNINDENT
+.UNINDENT
+.sp
+# We created a separate blurb for tls in the ssl\-clients page.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Although available, avoid using the
+\fB\-\-sslAllowInvalidCertificates\fP option if possible. If the use of
+\fB\-\-sslAllowInvalidCertificates\fP is necessary, only use the option
+on systems where intrusion is not possible.
+.sp
+If the \fI\%mongo\fP shell (and other
+mongodb\-tools\-support\-ssl) runs with the
+\fB\-\-sslAllowInvalidCertificates\fP option, the
+\fI\%mongo\fP shell (and other
+mongodb\-tools\-support\-ssl) will not attempt to validate
+the server certificates. This creates a vulnerability to expired
+\fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid
+\fBmongod\fP or \fBmongos\fP instances. If you
+only need to disable the validation of the hostname in the
+TLS/SSL certificates, see \fB\-\-sslAllowInvalidHostnames\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+When using the \fBallowInvalidCertificates\fP setting,
+MongoDB logs as a warning the use of the invalid certificate.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsFIPSMode
+New in version 4.2.
+
+.sp
+Directs the \fBmongo\fP to use the FIPS mode of the TLS/SSL
+library. Your system must have a FIPS compliant library to use
+the \fI\%\-\-tlsFIPSMode\fP option.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+FIPS\-compatible TLS/SSL is
+available only in \fI\%MongoDB Enterprise\fP\&. See
+/tutorial/configure\-fips for more information.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsCertificateSelector <parameter>=<value>
+New in version 4.2: Available on Windows and macOS as an alternative to \fI\%\-\-tlsCertificateKeyFile\fP\&.
+.sp
+The \fI\%\-\-tlsCertificateKeyFile\fP and \fI\%\-\-tlsCertificateSelector\fP options are mutually exclusive. You can only
+specify one.
+
+.sp
+Specifies a certificate property in order to select a matching
+certificate from the operating system\(aqs certificate store.
+.sp
+\fI\%\-\-tlsCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
+where the property can be one of the following:
+.TS
+center;
+|l|l|l|.
+_
+T{
+Property
+T} T{
+Value type
+T} T{
+Description
+T}
+_
+T{
+\fBsubject\fP
+T} T{
+ASCII string
+T} T{
+Subject name or common name on certificate
+T}
+_
+T{
+\fBthumbprint\fP
+T} T{
+hex string
+T} T{
+A sequence of bytes, expressed as hexadecimal, used to
+identify a public key by its SHA\-1 digest.
+.sp
+The \fBthumbprint\fP is sometimes referred to as a
+\fBfingerprint\fP\&.
+T}
+_
+.TE
+.sp
+When using the system SSL certificate store, OCSP (Online
+Certificate Status Protocol) is used to validate the revocation
+status of certificates.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsDisabledProtocols <string>
+New in version 4.2.
+
+.sp
+Disables the specified TLS protocols. The option recognizes the
+following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP, \fBTLS1_2\fP, and
+starting in version 4.0.4 (and 3.6.9), \fBTLS1_3\fP\&.
+.INDENT 7.0
+.IP \(bu 2
+On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
+\fBTLS1_2\fP enabled. You must also disable at least one of the other
+two; for example, \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+To list multiple protocols, specify as a comma separated list of
+protocols. For example \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+The specified disabled protocols overrides any default disabled
+protocols.
+.UNINDENT
+.sp
+Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS
+1.1+ is available on the system. To enable the
+disabled TLS 1.0, specify \fBnone\fP to \fI\%\-\-tlsDisabledProtocols\fP\&. See 4.0\-disable\-tls\&.
+.UNINDENT
+.SS SSL Options (Deprecated)
+.sp
+\fBIMPORTANT:\fP
+.INDENT 0.0
+.INDENT 3.5
+Starting in version 4.2, the SSL options are deprecated. Use the TLS
+counterparts instead. The SSL protocol is deprecated and MongoDB
+supports TLS 1.0 and later.
+.UNINDENT
+.UNINDENT
.INDENT 0.0
.TP
.B \-\-ssl
-Changed in version 3.2.6.
+Deprecated since version 4.2: Use \fI\%\-\-tls\fP instead.
.sp
Enables connection to a \fBmongod\fP or \fBmongos\fP that has
TLS/SSL support enabled.
.sp
-Starting in version 3.2.6, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is
-not specified, the system\-wide CA certificate store will be used
-when connecting to an TLS/SSL\-enabled server. In previous versions
-of MongoDB, the \fI\%mongo\fP shell exited with an error that
-it could not validate the certificate.
+Starting in version 3.2.6, if \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+(or their aliases \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP) is not
+specified, the system\-wide CA certificate store will be used when
+connecting to an TLS/SSL\-enabled server. In previous versions of
+MongoDB, the \fI\%mongo\fP shell exited with an error that it
+could not validate the certificate.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
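Review bot: In the NOTE under --tlsAllowInvalidCertificates the 4.2 alias is spelled "--tlsAllowInvalidateCertificates", which does not match the option this hunk defines (--tlsAllowInvalidCertificates); correct the spelling so the note points at a real option. Directly below it, the line "# We created a separate blurb for tls in the ssl-clients page." is a source comment that will render as body text and should be removed. The WARNING in the same entry names only --sslAllowInvalidCertificates and --sslAllowInvalidHostnames, both deprecated by this patch; because this is the text that tells users certificate validation is switched off, it should name the --tls options being documented. Smaller points in the same hunk: "--net.tls.certificateSelector" carries a stray "--" where its sibling is written "net.ssl.certificateSelector", the CA file setting appears as both "ssl.CAFile" and "net.ssl.CAFile", "the mongo shell present this certificate" needs "presents", and "documentation of MongoDB's support." under "See" omits what is supported.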
@@ -522,6 +912,9 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslPEMKeyFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCertificateKeyFile\fP instead.
+
+.sp
Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
and key. Specify the file name of the \fB\&.pem\fP file using relative
or absolute paths.
@@ -538,6 +931,9 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslPEMKeyPassword <value>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCertificateKeyFilePassword\fP instead.
+
+.sp
Specifies the password to de\-crypt the certificate\-key file (i.e.
\fB\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
certificate\-key file is encrypted. In all cases, the \fBmongo\fP will
@@ -554,18 +950,25 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslCAFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCAFile\fP instead.
+
+.sp
Specifies the \fB\&.pem\fP file that contains the root certificate chain
from the Certificate Authority. Specify the file name of the
\fB\&.pem\fP file using relative or absolute paths.
.sp
-Starting in version 3.2.6, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is
-not specified, the system\-wide CA certificate store will be used
-when connecting to an TLS/SSL\-enabled server. In previous versions
-of MongoDB, the \fI\%mongo\fP shell exited with an error that
-it could not validate the certificate.
+Starting in version 3.2.6, if \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+(or their aliases \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP) is not
+specified, the system\-wide CA certificate store will be used when
+connecting to an TLS/SSL\-enabled server. In previous versions of
+MongoDB, the \fI\%mongo\fP shell exited with an error that it
+could not validate the certificate.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
@@ -573,7 +976,65 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-sslCertificateSelector <parameter>=<value>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCertificateSelector\fP instead.
+
+.sp
+New in version 4.0: Available on Windows and macOS as an alternative to \fI\%\-\-tlsCertificateKeyFile\fP\&.
+.sp
+\fI\%\-\-tlsCertificateKeyFile\fP and \fI\%\-\-sslCertificateSelector\fP options are mutually exclusive. You can only
+specify one.
+
+.sp
+Specifies a certificate property in order to select a matching
+certificate from the operating system\(aqs certificate store.
+.sp
+\fI\%\-\-sslCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
+where the property can be one of the following:
+.TS
+center;
+|l|l|l|.
+_
+T{
+Property
+T} T{
+Value type
+T} T{
+Description
+T}
+_
+T{
+\fBsubject\fP
+T} T{
+ASCII string
+T} T{
+Subject name or common name on certificate
+T}
+_
+T{
+\fBthumbprint\fP
+T} T{
+hex string
+T} T{
+A sequence of bytes, expressed as hexadecimal, used to
+identify a public key by its SHA\-1 digest.
+.sp
+The \fBthumbprint\fP is sometimes referred to as a
+\fBfingerprint\fP\&.
+T}
+_
+.TE
+.sp
+When using the system SSL certificate store, OCSP (Online
+Certificate Status Protocol) is used to validate the revocation
+status of certificates.
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-sslCRLFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCRLFile\fP instead.
+
+.sp
Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
List. Specify the file name of the \fB\&.pem\fP file using relative or
absolute paths.
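Review bot: The deprecated --sslCertificateSelector entry describes itself in terms of the new option name: "New in version 4.0: Available on Windows and macOS as an alternative to --tlsCertificateKeyFile" and the mutual exclusion sentence that follows both reference --tlsCertificateKeyFile, which this patch marks as new in 4.2. For a 4.0-era option the counterpart should be --sslPEMKeyFile, or the sentence should name both spellings. The mutual exclusion sentence also lost its leading "The" compared with the --tlsCertificateSelector entry.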
@@ -585,11 +1046,11 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslFIPSMode
-New in version 2.6.
+Deprecated since version 4.2: Use \fI\%\-\-tlsFIPSMode\fP instead.
.sp
-Directs the \fBmongo\fP to use the FIPS mode of the installed OpenSSL
-library. Your system must have a FIPS compliant OpenSSL library to use
+Directs the \fBmongo\fP to use the FIPS mode of the TLS/SSL
+library. Your system must have a FIPS compliant library to use
the \fI\%\-\-sslFIPSMode\fP option.
.sp
\fBNOTE:\fP
@@ -604,6 +1065,9 @@ available only in \fI\%MongoDB Enterprise\fP\&. See
.INDENT 0.0
.TP
.B \-\-sslAllowInvalidCertificates
+Deprecated since version 4.2: Use \fI\%\-\-tlsAllowInvalidCertificates\fP instead.
+
+.sp
Bypasses the validation checks for server certificates and allows
the use of invalid certificates to connect.
.sp
@@ -611,21 +1075,25 @@ the use of invalid certificates to connect.
.INDENT 7.0
.INDENT 3.5
Starting in MongoDB 4.0, if you specify
-\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
-true\fP when using x.509 authentication, an invalid certificate is
-only sufficient to establish a TLS/SSL connection but is
-\fIinsufficient\fP for authentication.
+\fB\-\-sslAllowInvalidCertificates\fP or
+\fBnet.ssl.allowInvalidCertificates: true\fP (or in MongoDB 4.2, the
+alias \fB\-\-tlsAllowInvalidateCertificates\fP or
+\fBnet.tls.allowInvalidCertificates: true\fP) when using x.509
+authentication, an invalid certificate is only sufficient to
+establish a TLS/SSL connection but is \fIinsufficient\fP for
+authentication.
.UNINDENT
.UNINDENT
.sp
+# We created a separate blurb for tls in the ssl\-clients page.
+.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-For TLS/SSL connections to \fBmongod\fP and
-\fBmongos\fP, avoid using
-\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
-\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
-not possible.
+Although available, avoid using the
+\fB\-\-sslAllowInvalidCertificates\fP option if possible. If the use of
+\fB\-\-sslAllowInvalidCertificates\fP is necessary, only use the option
+on systems where intrusion is not possible.
.sp
If the \fI\%mongo\fP shell (and other
mongodb\-tools\-support\-ssl) runs with the
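Review bot: The NOTE added under --sslAllowInvalidCertificates spells the 4.2 alias "--tlsAllowInvalidateCertificates", which is not the name of the option documented elsewhere in this patch (--tlsAllowInvalidCertificates). The added line "# We created a separate blurb for tls in the ssl-clients page." is an authoring comment that will appear in the rendered page; drop it here as well.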
@@ -635,7 +1103,9 @@ mongodb\-tools\-support\-ssl) will not attempt to validate
the server certificates. This creates a vulnerability to expired
\fBmongod\fP and \fBmongos\fP certificates as
well as to foreign processes posing as valid
-\fBmongod\fP or \fBmongos\fP instances.
+\fBmongod\fP or \fBmongos\fP instances. If you
+only need to disable the validation of the hostname in the
+TLS/SSL certificates, see \fB\-\-sslAllowInvalidHostnames\fP\&.
.UNINDENT
.UNINDENT
.sp
@@ -649,7 +1119,7 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslAllowInvalidHostnames
-New in version 3.0.
+Deprecated since version 4.2: Use \fI\%\-\-tlsAllowInvalidHostnames\fP instead.
.sp
Disables the validation of the hostnames in TLS/SSL certificates. Allows
@@ -663,8 +1133,12 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslDisabledProtocols <string>
+Deprecated since version 4.2: Use \fI\%\-\-tlsDisabledProtocols\fP instead.
+
+.sp
Disables the specified TLS protocols. The option recognizes the
-following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP, and \fBTLS1_2\fP:
+following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP, \fBTLS1_2\fP, and
+starting in version 4.0.4 (and 3.6.9), \fBTLS1_3\fP\&.
.INDENT 7.0
.IP \(bu 2
On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
@@ -736,11 +1210,11 @@ Global \fBmongorc.js\fP file which the \fI\%mongo\fP shell
evaluates upon start\-up. If a user also has a \fB\&.mongorc.js\fP
file located in the \fI\%HOME\fP directory, the \fI\%mongo\fP
shell evaluates the global \fB/etc/mongorc.js\fP file \fIbefore\fP
-evaluating the user’s \fB\&.mongorc.js\fP file.
+evaluating the user\(aqs \fB\&.mongorc.js\fP file.
.sp
\fB/etc/mongorc.js\fP must have read permission for the user
running the shell. The \fI\%\-\-norc\fP option for \fI\%mongo\fP
-suppresses only the user’s \fB\&.mongorc.js\fP file.
+suppresses only the user\(aqs \fB\&.mongorc.js\fP file.
.sp
On Windows, the global \fBmongorc.js </etc/mongorc.js>\fP exists
in the \fB%ProgramData%\eMongoDB\fP directory.
@@ -1066,6 +1540,7 @@ keybindings.
Typically users invoke the shell with the \fI\%mongo\fP command at
the system prompt. Consider the following examples for other
scenarios.
+.SS Connect to a \fBmongod\fP Instance with Access Control
.sp
To connect to a database on a remote host using authentication and a
non\-standard port, use the following form:
@@ -1074,7 +1549,7 @@ non\-standard port, use the following form:
.sp
.nf
.ft C
-mongo \-\-username <user> \-\-password <pass> \-\-host <host> \-\-port 28015
+mongo \-\-username <user> \-\-password \-\-host <host> \-\-port 28015
.ft P
.fi
.UNINDENT
@@ -1086,15 +1561,69 @@ Alternatively, consider the following short form:
.sp
.nf
.ft C
-mongo \-u <user> \-p <pass> \-\-host <host> \-\-port 28015
+mongo \-u <user> \-p \-\-host <host> \-\-port 28015
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Replace \fB<user>\fP and \fB<host>\fP with the appropriate values for your
+situation and substitute or omit the \fI\%\-\-port\fP as
+needed.
+.sp
+If you do not specify the password to the \fI\%\-\-password\fP or \fI\%\-p\fP command\-line option, the
+\fI\%mongo\fP shell prompts for the password.
+.SS Connect to a Replica Set Using the DNS Seedlist Connection Format
+.sp
+New in version 3.6.
+
+.sp
+To connect to a replica set described using the
+connections\-dns\-seedlist, use the \fI\%\-\-host\fP option
+to specify the connection string to the \fI\%mongo\fP shell. In
+the following example, the DNS configuration resembles:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+Record TTL Class Priority Weight Port Target
+_mongodb._tcp.server.example.com. 86400 IN SRV 0 5 27317 mongodb1.example.com.
+_mongodb._tcp.server.example.com. 86400 IN SRV 0 5 27017 mongodb2.example.com.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The TXT record for the DNS entry includes the \fBreplicaSet\fP and \fBauthSource\fP options:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+Record TTL Class Text
+server.example.com. 86400 IN TXT "replicaSet=rs0&authSource=admin"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The following command then connects the \fI\%mongo\fP shell to
+the replica set:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongo \-\-host "mongodb+srv://server.example.com/?username=allison"
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-Replace \fB<user>\fP, \fB<pass>\fP, and \fB<host>\fP with the appropriate
-values for your situation and substitute or omit the \fI\%\-\-port\fP
-as needed.
+The \fI\%mongo\fP shell will automatically prompt you to provide
+the password for the user specified in the \fBusername\fP option.
+.SS Execute JavaScript Against the \fI\%mongo\fP Shell
.sp
To execute a JavaScript file without evaluating the \fB~/.mongorc.js\fP
file before starting a shell session, use the following form:
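Review bot: The added sentence "To connect to a replica set described using the connections-dns-seedlist" still carries the raw reST reference label, so the rendered man page treats `connections-dns-seedlist` as if it were a term. Suggest "described using the DNS seedlist connection format", which matches the new section heading. It would also help to say that `replicaSet` and `authSource` are taken from the TXT record shown above, which is why the command line only supplies `username`.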
@@ -1121,6 +1650,7 @@ mongo script\-file.js \-u <user> \-p
.fi
.UNINDENT
.UNINDENT
+.SS Use \fI\%\-\-eval\fP to Print Query Results as JSON
.sp
To print return a query as JSON, from the system prompt using
the \fI\%\-\-eval\fP option, use the following form:
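Review bot: The new heading now sits directly above the unchanged sentence "To print return a query as JSON, from the system prompt using the --eval option", which does not parse. Since this change touches the section, fix the sentence in the reST source as well, for example "To print the results of a query as JSON from the system prompt, use the --eval option in the following form".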
@@ -1154,6 +1684,6 @@ the additional JavaScript required to generate this output.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2018
+2008-2019
.\" Generated by docutils manpage writer.
.
diff --git a/debian/mongod.1 b/debian/mongod.1
index 8e3df2f97f1..5da79eb7515 100644
--- a/debian/mongod.1
+++ b/debian/mongod.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGOD" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
+.TH "MONGOD" "1" "Jul 25, 2019" "4.2" "mongodb-manual"
.SH NAME
mongod \- MongoDB Server
.
@@ -52,7 +52,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.IP \(bu 2
\fI\%Sharded Cluster Options\fP
.IP \(bu 2
-\fI\%TLS/SSL Options\fP
+\fI\%TLS Options\fP
+.IP \(bu 2
+\fI\%SSL Options (Deprecated)\fP
.IP \(bu 2
\fI\%Profiler Options\fP
.IP \(bu 2
@@ -63,8 +65,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
\fI\%inMemory Options\fP
.IP \(bu 2
\fI\%Encryption Key Management Options\fP
-.IP \(bu 2
-\fI\%Text Search Options\fP
.UNINDENT
.UNINDENT
.SH SYNOPSIS
@@ -79,6 +79,13 @@ for testing: In common operation, use the configuration file
options to control the behavior of
your database.
.sp
+\fBSEE ALSO:\fP
+.INDENT 0.0
+.INDENT 3.5
+conf\-file\-command\-line\-mapping
+.UNINDENT
+.UNINDENT
+.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
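Review bot: The new SEE ALSO block consists only of the unresolved reference label `conf-file-command-line-mapping`, which gives a man page reader nothing to follow. Have the generator emit the target's title (and ideally a URL) here, or leave the block out of the man output.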
@@ -88,6 +95,20 @@ more details, see 4.0\-disable\-tls\&.
.UNINDENT
.UNINDENT
.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.IP "Starting in version 4.2"
+.INDENT 0.0
+.IP \(bu 2
+MongoDB deprecates the SSL options and insteads adds new
+corresponding TLS options.
+.IP \(bu 2
+MongoDB adds
+\fI\%\-\-tlsClusterCAFile\fP/\fBnet.tls.clusterCAFile\fP\&. (Also availalbe
+in 3.4.18+, 3.6.9+, 4.0.3+)
+.UNINDENT
+.UNINDENT
+.UNINDENT
.SS Core Options
.INDENT 0.0
.TP
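Review bot: Two typos in the added "Starting in version 4.2" box: "insteads adds" should be "instead adds", and "Also availalbe in 3.4.18+" should be "Also available". Both come from the reST source, so fix them there and regenerate rather than editing the man page.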
@@ -114,10 +135,75 @@ including UTF\-8.
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-configExpand <none|rest|exec>
+\fIDefault\fP: none
+.sp
+New in version 4.2.
+
+.sp
+Enables using Expansion Directives
+in configuration files. Expansion directives allow you to set
+externally sourced values for configuration file options.
+.sp
+\fI\%\-\-configExpand\fP supports the following expansion directives:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T} T{
+Description
+T}
+_
+T{
+\fBnone\fP
+T} T{
+Default. \fBmongod\fP does not expand expansion directives.
+\fBmongod\fP fails to start if any configuration file settings
+use expansion directives.
+T}
+_
+T{
+\fBrest\fP
+T} T{
+\fBmongod\fP expands \fB__rest\fP expansion directives when
+parsing the configuration file.
+T}
+_
+T{
+\fBexec\fP
+T} T{
+\fBmongod\fP expands \fB__exec\fP expansion directives when
+parsing the configuration file.
+T}
+_
+.TE
+.sp
+You can specify multiple expansion directives as a comma\-separated
+list, e.g. \fBrest, exec\fP\&. If the configuration file contains
+expansion directives not specified to \fI\%\-\-configExpand\fP, the \fBmongod\fP
+returns an error and terminates.
+.sp
+See externally\-sourced\-values for configuration files
+for more information on expansion directives.
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-verbose, \-v
Increases the amount of internal reporting returned on standard output
or in log files. Increase the verbosity with the \fB\-v\fP form by
including the option multiple times, (e.g. \fB\-vvvvv\fP\&.)
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in version 4.2, MongoDB includes the Debug verbosity level
+(1\-5) in the log messages\&. For example,
+if the verbosity level is 2, MongoDB logs \fBD2\fP\&. In previous
+versions, MongoDB log messages only specified \fBD\fP for Debug level.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
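Review bot: In the new --configExpand entry, the example of a comma-separated list is written `rest, exec` with a space; typed on a command line that splits into two arguments unless quoted, so `rest,exec` is the safer example. The entry also points to the unresolved label `externally-sourced-values` for what `__rest` and `__exec` actually do. One sentence per directive stating what it fetches or runs would let an operator judge the trust implications of enabling it before following a cross-reference that does not resolve in this format.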
@@ -140,28 +226,36 @@ connection closed events
.INDENT 0.0
.TP
.B \-\-port <port>
-\fIDefault\fP: 27017
+\fIDefault\fP:
+.INDENT 7.0
+.IP \(bu 2
+27017 if \fI\%mongod\fP is not a shard member or a config server member
+.IP \(bu 2
+27018 if \fI\%mongod\fP is a \fI\%shard member\fP
+.IP \(bu 2
+27019 if \fI\%mongod\fP is a \fI\%config server member\fP
+.UNINDENT
.sp
-Specifies the TCP port on which the MongoDB instance listens for
+The TCP port on which the MongoDB instance listens for
client connections.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-bind_ip <ip address>
+.B \-\-bind_ip <hostnames|ipaddresses|Unix domain socket paths>
\fIDefault\fP: localhost
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
Starting in MongoDB 3.6, \fBmongod\fP bind to localhost
-(\fB127.0.0.1\fP) by default. See 3.6\-bind\-to\-localhost\&.
+by default. See 3.6\-bind\-to\-localhost\&.
.UNINDENT
.UNINDENT
.sp
-The IP addresses and/or full Unix domain socket paths on which
-\fBmongod\fP should listen for client connections. You may attach
-\fBmongod\fP to any interface. To bind to multiple addresses, enter a
-list of comma\-separated values.
+The hostnames and/or IP addresses and/or full Unix domain socket
+paths on which \fBmongod\fP should listen for client connections. You
+may attach \fBmongod\fP to any interface. To bind to multiple
+addresses, enter a list of comma\-separated values.
.INDENT 7.0
.INDENT 3.5
.SS Example
@@ -170,26 +264,83 @@ list of comma\-separated values.
.UNINDENT
.UNINDENT
.sp
+You can specify both IPv4 and IPv6 addresses, or hostnames that
+resolve to an IPv4 or IPv6 address.
+.INDENT 7.0
+.INDENT 3.5
+.SS Example
+.sp
+\fBlocalhost, 2001:0DB8:e132:ba26:0d5c:2774:e7f9:d513\fP
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+If specifying an IPv6 address \fIor\fP a hostname that resolves to an
+IPv6 address to \fI\%\-\-bind_ip\fP, you must start \fBmongod\fP with
+\fI\%\-\-ipv6\fP to enable IPv6 support. Specifying an IPv6 address
+to \fI\%\-\-bind_ip\fP does not enable IPv6 support.
+.UNINDENT
+.UNINDENT
+.sp
+If specifying a
+\fI\%link\-local IPv6 address\fP
+(\fBfe80::/10\fP), you must append the
+\fI\%zone index\fP
+to that address (i.e. \fBfe80::<address>%<adapter\-name>\fP).
+.INDENT 7.0
+.INDENT 3.5
+.SS Example
+.sp
+\fBlocalhost,fe80::a00:27ff:fee0:1fcf%enp0s3\fP
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.INDENT 3.5
+.SS Tip
+.sp
+When possible, use a logical DNS hostname instead of an ip address,
+particularly when configuring replica set members or sharded cluster
+members. The use of logical DNS hostnames avoids configuration
+changes due to ip address changes.
+.UNINDENT
+.UNINDENT
+.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-Before you bind to other ip addresses, consider enabling
-access control and other security measures listed
-in /administration/security\-checklist to prevent unauthorized
-access.
+Before binding to a non\-localhost (e.g. publicly accessible)
+IP address, ensure you have secured your cluster from unauthorized
+access. For a complete list of security recommendations, see
+/administration/security\-checklist\&. At minimum, consider
+enabling authentication and
+hardening network infrastructure\&.
.UNINDENT
.UNINDENT
.sp
+For more information about IP Binding, refer to the
+/core/security\-mongodb\-configuration documentation.
+.sp
To bind to all IPv4 addresses, enter \fB0.0.0.0\fP\&.
.sp
-To bind to all IPv4 and IPv6 addresses, enter \fB0.0.0.0,::\fP
-or alternatively, use the \fBnet.bindIpAll\fP setting.
+To bind to all IPv4 and IPv6 addresses, enter \fB::,0.0.0.0\fP or
+starting in MongoDB 4.2, an asterisk \fB"*"\fP (enclose the asterisk in
+quotes to avoid filename pattern expansion). Alternatively, use the
+\fBnet.bindIpAll\fP setting.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-\fB\-\-bind_ip\fP and \fB\-\-bind_ip_all\fP are mutually exclusive. That
-is, you can specify one or the other, but not both.
+.INDENT 0.0
+.IP \(bu 2
+\fB\-\-bind_ip\fP and \fB\-\-bind_ip_all\fP are mutually exclusive.
+Specifying both options causes \fBmongod\fP to throw an error and
+terminate.
+.IP \(bu 2
+The command\-line option \fB\-\-bind\fP overrides the configuration
+file setting \fBnet.bindIp\fP\&.
+.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
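Review bot: The second bullet of the rewritten NOTE says "The command-line option --bind overrides the configuration file setting net.bindIp", but the option documented in this entry is --bind_ip; `--bind` appears nowhere else. Correct the option name. Minor, in the added Tip: "ip address" is lower case twice while the rest of the entry writes "IP address".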
@@ -199,23 +350,32 @@ is, you can specify one or the other, but not both.
New in version 3.6.
.sp
-If specified, the \fBmongod\fP instance binds to all ip addresses. When
-attaching \fBmongod\fP to a publicly accessible interface, ensure
-that you have implemented proper authentication and firewall
-restrictions to protect the integrity of your database.
+If specified, the \fBmongod\fP instance binds to all IPv4
+addresses (i.e. \fB0.0.0.0\fP). If \fBmongod\fP starts with
+\fI\%\-\-ipv6\fP, \fI\%\-\-bind_ip_all\fP also binds to all IPv6 addresses
+(i.e. \fB::\fP).
+.sp
+\fBmongod\fP only supports IPv6 if started with \fI\%\-\-ipv6\fP\&. Specifying
+\fI\%\-\-bind_ip_all\fP alone does not enable IPv6 support.
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-Before you bind to other ip addresses, consider enabling
-access control and other security measures listed
-in /administration/security\-checklist to prevent unauthorized
-access.
+Before binding to a non\-localhost (e.g. publicly accessible)
+IP address, ensure you have secured your cluster from unauthorized
+access. For a complete list of security recommendations, see
+/administration/security\-checklist\&. At minimum, consider
+enabling authentication and
+hardening network infrastructure\&.
.UNINDENT
.UNINDENT
.sp
-Alternatively, you can set the \fB\-\-bind_ip\fP option to
-\fB0.0.0.0,::\fP to bind to all IP addresses.
+For more information about IP Binding, refer to the
+/core/security\-mongodb\-configuration documentation.
+.sp
+Alternatively, you can set the \fB\-\-bind_ip\fP option to \fB::,0.0.0.0\fP
+or, starting in MongoDB 4.2, to an asterisk \fB"*"\fP (enclose the
+asterisk in quotes to avoid filename pattern expansion).
.sp
\fBNOTE:\fP
.INDENT 7.0
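Review bot: The rewritten "Alternatively" sentence offers `--bind_ip ::,0.0.0.0` as an equivalent of --bind_ip_all, yet the paragraph added just above says mongod only supports IPv6 if started with --ipv6. Say here that the `::` form also needs --ipv6, so the reader does not have to guess what happens without it. The NOTE that follows keeps the older wording "you can specify one or the other, but not both" (visible as context in the next hunk header), while the --bind_ip entry now says that specifying both causes mongod to throw an error and terminate; use the same statement in both entries.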
@@ -229,6 +389,17 @@ is, you can specify one or the other, but not both.
.TP
.B \-\-ipv6
Enables IPv6 support. \fBmongod\fP disables IPv6 support by default.
+.sp
+Setting \fI\%\-\-ipv6\fP does \fInot\fP direct the \fBmongod\fP to listen on any
+local IPv6 addresses or interfaces. To configure the \fBmongod\fP to
+listen on an IPv6 interface, you must either:
+.INDENT 7.0
+.IP \(bu 2
+Configure \fI\%\-\-bind_ip\fP with one or more IPv6 addresses or
+hostnames that resolve to IPv6 addresses, \fBor\fP
+.IP \(bu 2
+Set \fI\%\-\-bind_ip_all\fP to \fBtrue\fP\&.
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
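Review bot: The second bullet, "Set --bind_ip_all to true", describes the option as taking a value, but the --bind_ip_all entry documents it as a flag ("If specified, the mongod instance binds to ..."). For the command-line page this should read "Specify --bind_ip_all"; "to true" only fits the configuration file setting.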
@@ -244,7 +415,7 @@ queue.
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-Consult your local system’s documentation to understand the
+Consult your local system\(aqs documentation to understand the
limitations and configuration requirements before using this
parameter.
.UNINDENT
@@ -288,7 +459,7 @@ of connections which are forced into a backoff state.
.B \-\-maxConns <number>
The maximum number of simultaneous connections that \fBmongod\fP will
accept. This setting has no effect if it is higher than your operating
-system’s configured maximum connection tracking threshold.
+system\(aqs configured maximum connection tracking threshold.
.sp
Do not assign too low of a value to this option, or you will
encounter errors during normal application operation.
@@ -306,7 +477,7 @@ setting.
.TP
.B \-\-logpath <path>
Sends all diagnostic logging information to a log file instead of to
-standard output or to the host’s syslog system. MongoDB creates
+standard output or to the host\(aqs syslog system. MongoDB creates
the log file at the path you specify.
.sp
By default, MongoDB will move any existing log file rather than overwrite
@@ -315,8 +486,8 @@ it. To instead append to the log file, set the \fI\%\-\-logappend\fP option.
.INDENT 0.0
.TP
.B \-\-syslog
-Sends all logging output to the host’s syslog system rather
-than to standard output or to a log file. , as with \fI\%\-\-logpath\fP\&.
+Sends all logging output to the host\(aqs syslog system rather
+than to standard output or to a log file (\fI\%\-\-logpath\fP).
.sp
The \fI\%\-\-syslog\fP option is not supported on Windows.
.sp
@@ -330,6 +501,18 @@ recommend using the \fI\%\-\-logpath\fP option for production systems to
ensure accurate timestamps.
.UNINDENT
.UNINDENT
+.sp
+Starting in version 4.2, MongoDB includes the component in its log messages to \fBsyslog\fP\&.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\&... ACCESS [repl writer worker 5] Unsupported modification to roles collection ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
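Review bot: The added sentence about the component in syslog messages is followed by a sample line with no lead-in, and nothing says which token is the component. Add "For example:" before the block and name `ACCESS` as the component in the sample, so the reader can tell it apart from the bracketed context that follows it.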
@@ -338,7 +521,7 @@ ensure accurate timestamps.
.sp
Specifies the facility level used when logging messages to syslog.
The value you specify must be supported by your
-operating system’s implementation of syslog. To use this option, you
+operating system\(aqs implementation of syslog. To use this option, you
must enable the \fI\%\-\-syslog\fP option.
.UNINDENT
.INDENT 0.0
@@ -433,6 +616,21 @@ that MongoDB instances use to authenticate to each other in a
sharded cluster or replica set\&. \fI\%\-\-keyFile\fP implies
\fI\%\-\-auth\fP\&. See inter\-process\-auth for more
information.
+.sp
+Starting in MongoDB 4.2, keyfiles for internal membership
+authentication use YAML format to allow for
+multiple keys in a keyfile. The YAML format accepts content of:
+.INDENT 7.0
+.IP \(bu 2
+a single key string (same as in earlier versions),
+.IP \(bu 2
+multiple key strings (each string must be enclosed in quotes), or
+.IP \(bu 2
+sequence of key strings.
+.UNINDENT
+.sp
+The YAML format is compatible with the existing single\-key
+keyfiles that use the text file format.
.UNINDENT
.INDENT 0.0
.TP
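Review bot: The three accepted keyfile forms cannot be told apart from the added text: "multiple key strings (each string must be enclosed in quotes)" and "sequence of key strings" read as the same thing, and the third bullet is missing its article. A one-line sample of each form would settle it. The closing sentence about compatibility with existing single-key keyfiles repeats the first bullet ("same as in earlier versions") and could be merged into it.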
@@ -455,7 +653,7 @@ always listens on the UNIX socket unless one of the following is true:
.IP \(bu 2
\fBnet.bindIp\fP is not set
.IP \(bu 2
-\fBnet.bindIp\fP does not specify \fB127.0.0.1\fP
+\fBnet.bindIp\fP does not specify \fBlocalhost\fP or its associated IP address
.UNINDENT
.sp
New in version 2.6: \fBmongod\fP installed from official \&.deb and \&.rpm packages
@@ -482,7 +680,7 @@ creates and listens on a UNIX socket unless one of the following is true:
.IP \(bu 2
\fBnet.bindIp\fP is not set
.IP \(bu 2
-\fBnet.bindIp\fP does not specify \fB127.0.0.1\fP
+\fBnet.bindIp\fP does not specify \fBlocalhost\fP or its associated IP address
.UNINDENT
.UNINDENT
.INDENT 0.0
@@ -506,7 +704,7 @@ daemonization process (e.g. as with \fBupstart\fP and \fBsystemd\fP).
.INDENT 0.0
.TP
.B \-\-auth
-Enables authorization to control user’s access to database resources
+Enables authorization to control user\(aqs access to database resources
and operations. When authorization is enabled, MongoDB requires all
clients to authenticate themselves first in order to determine the
access for the client.
@@ -589,6 +787,8 @@ configuration file and the
\fI\%\-\-config\fP option.
.sp
The \fI\%\-\-shutdown\fP option is available only on Linux systems.
+.sp
+For additional ways to shut down, see also terminate\-mongod\-processes\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -602,8 +802,10 @@ potentially sensitive data stored on the database to the diagnostic log.
Metadata such as error or operation codes, line numbers, and source file
names are still visible in the logs.
.sp
-Use \fI\%\-\-redactClientLogData\fP in conjunction with encryption to assist compliance with regulatory
-requirements.
+Use \fI\%\-\-redactClientLogData\fP in conjunction with
+/core/security\-encryption\-at\-rest and
+/core/security\-transport\-encryption to assist compliance with
+regulatory requirements.
.sp
For example, a MongoDB deployment might store Personally Identifiable
Information (PII) in one or more collections. The \fBmongod\fP logs events
@@ -636,32 +838,42 @@ db.adminCommand(
.INDENT 0.0
.TP
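Review bot: The rewritten sentence replaces the readable "in conjunction with encryption" with two raw documentation paths, `/core/security-encryption-at-rest` and `/core/security-transport-encryption`, which look like filesystem paths in a man page. Suggest plain wording such as "in conjunction with encryption at rest and transport encryption", with the links kept for the HTML build only.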
.B \-\-networkMessageCompressors <string>
+\fIDefault\fP: snappy,zstd,zlib
+.sp
New in version 3.4.
.sp
+Specifies the default compressor(s) to use for
+communication between this \fBmongod\fP instance and:
.INDENT 7.0
-Changed in version 3.6: .IP \(bu 2
-Add support for zlib compressor.
.IP \(bu 2
-Enabled by default. To disable, set to \fBdisabled\fP\&.
+other members of the deployment if the instance is part of a replica set or a sharded cluster
+.IP \(bu 2
+a \fBmongo\fP shell
+.IP \(bu 2
+drivers that support the \fBOP_COMPRESSED\fP message format.
.UNINDENT
-
.sp
-Enables network compression for communication between this
-\fBmongod\fP instance and:
+MongoDB supports the following compressors:
.INDENT 7.0
.IP \(bu 2
-other members of the replica set, if the instance is part of a
-replica set
-.IP \(bu 2
-other members of the sharded cluster, if the instance is part of a
-sharded cluster
+snappy
.IP \(bu 2
-a \fBmongo\fP shell,
+zlib (Available starting in MongoDB 3.6)
.IP \(bu 2
-drivers that support the \fBOP_COMPRESSED\fP message format.
+zstd (Available starting in MongoDB 4.2)
.UNINDENT
.sp
+\fBIn versions 3.6 and 4.0\fP, \fI\%mongod\fP and
+\fBmongos\fP enable network compression by default with
+\fBsnappy\fP as the compressor.
+.sp
+\fBStarting in version 4.2\fP, \fI\%mongod\fP and
+\fBmongos\fP instances default to both \fBsnappy,zstd,zlib\fP
+compressors, in that order.
+.sp
+To disable network compression, set the value to \fBdisabled\fP\&.
+.sp
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
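Review bot: "default to both snappy,zstd,zlib compressors, in that order" uses "both" for three items; drop "both". The version markers are also inconsistent within the entry: the list says zlib is available starting in 3.6 and the next paragraph says 3.6 and 4.0 enable compression by default with snappy, but the removed "Changed in version 3.6 ... Enabled by default" note was the only place that said when the default changed. Consider keeping a "Changed in version" line for 3.6 and adding one for 4.2.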
@@ -671,14 +883,6 @@ uncompressed.
.UNINDENT
.UNINDENT
.sp
-You can specify the following compressors:
-.INDENT 7.0
-.IP \(bu 2
-snappy (Default)
-.IP \(bu 2
-zlib
-.UNINDENT
-.sp
If you specify multiple compressors, then the order in which you list
the compressors matter as well as the communication initiator. For
example, if a \fBmongo\fP shell specifies the following network
@@ -768,6 +972,19 @@ T}
_
.TE
.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-outputConfig
+New in version 4.2.
+
+.sp
+Outputs the resolved YAML configuration document for the \fBmongod\fP
+to \fBstdout\fP and halts the \fBmongod\fP instance. For configuration
+options using externally\-sourced\-values, \fI\%\-\-outputConfig\fP returns the
+resolved value for those options. This may include any configured
+passwords or secrets previously obfuscated through the external
+source.
+.UNINDENT
.SS Free Monitoring
.sp
New in version 4.0.
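Review bot: The --outputConfig entry mentions only in its last sentence that the output "may include any configured passwords or secrets previously obfuscated through the external source". Everywhere else in this page a hazard of that kind is set off in a WARNING block; do the same here and state plainly that the resolved secrets are written to stdout in clear text, so operators know not to run it where stdout is captured or shared.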
@@ -827,7 +1044,7 @@ For the corresponding configuration file setting, see
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-enableFreeMonitoringTag <string>
+.B \-\-freeMonitoringTag <string>
New in version 4.0: Available for MongoDB Community Edition.
.sp
@@ -835,7 +1052,7 @@ Optional tag to describe environment context. The tag can be sent as
part of the free MongoDB Cloud monitoring registration at start up.
.sp
For the corresponding configuration file setting, see
-\fBcloud.monitoring.free.tag\fP\&.
+\fBcloud.monitoring.free.tags\fP\&.
.UNINDENT
.SS LDAP Authentication or Authorization Options
.INDENT 0.0
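Review bot: The configuration setting is renamed to the plural `cloud.monitoring.free.tags`, while the option in the previous hunk becomes --freeMonitoringTag (singular) and the description still reads "Optional tag to describe environment context". Confirm which spelling the server accepts and state whether one tag or several can be given, so the option, the setting and the description agree.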
@@ -854,7 +1071,7 @@ If your LDAP infrastrucure partitions the LDAP directory over multiple LDAP
servers, specify \fIone\fP LDAP server any of its replicated instances to
\fI\%\-\-ldapServers\fP\&. MongoDB supports following LDAP referrals as defined in \fI\%RFC 4511
4.1.10\fP\&. Do not use \fI\%\-\-ldapServers\fP
-for listing every LDAP server in your infrastucture.
+for listing every LDAP server in your infrastructure.
.sp
This setting can be configured on a running \fBmongod\fP using
\fBsetParameter\fP\&.
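Review bot: This hunk corrects "infrastucture" in the last sentence, but the same paragraph opens with "If your LDAP infrastrucure partitions" (visible in the hunk header) and continues with "specify one LDAP server any of its replicated instances", which is missing "or". Fix all three in the reST source in the same pass.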
@@ -1055,7 +1272,7 @@ By default, \fBmongod\fP creates a TLS/SSL secured connection to the LDAP
server.
.sp
For Linux deployments, you must configure the appropriate TLS Options in
-\fB/etc/openldap/ldap.conf\fP file. Your operating system’s package manager
+\fB/etc/openldap/ldap.conf\fP file. Your operating system\(aqs package manager
creates this file as part of the MongoDB Enterprise installation, via the
\fBlibldap\fP dependency. See the documentation for \fBTLS Options\fP in the
\fI\%ldap.conf OpenLDAP documentation\fP
@@ -1168,6 +1385,8 @@ authentication name matched by the \fBmatch\fP regex into a LDAP DN.
Each curly bracket\-enclosed numeric value is replaced by the
corresponding \fI\%regex capture group\fP extracted
from the authentication username via the \fBmatch\fP regex.
+.sp
+The result of the substitution must be an \fI\%RFC4514\fP escaped string.
T} T{
\fB"cn={0},ou=engineering,
dc=example,dc=com"\fP
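Review bot: The added sentence "The result of the substitution must be an RFC4514 escaped string" does not say who is responsible for the escaping. The capture groups come from the authentication username, so the text should state whether mongod escapes the captured values before inserting them into the DN template or whether the operator must constrain the `match` regex so that only safe characters can be captured.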
@@ -1192,6 +1411,17 @@ T}
_
.TE
.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+An explanation of \fI\%RFC4514\fP,
+\fI\%RFC4515\fP,
+\fI\%RFC4516\fP, or LDAP queries is out
+of scope for the MongoDB Documentation. Please review the RFC directly or
+use your preferred LDAP resource.
+.UNINDENT
+.UNINDENT
+.sp
For each document in the array, you must use either \fBsubstitution\fP or
\fBldapQuery\fP\&. You \fIcannot\fP specify both in the same document.
.sp
@@ -1263,16 +1493,6 @@ when attempting to authenticate or authorize a user against the LDAP server.
.sp
This setting can be configured on a running \fBmongod\fP using the
\fBsetParameter\fP database command.
-.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-An explanation of \fI\%RFC4515\fP,
-\fI\%RFC4516\fP or LDAP queries is out
-of scope for the MongoDB Documentation. Please review the RFC directly or
-use your preferred LDAP resource.
-.UNINDENT
-.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -1315,7 +1535,7 @@ roles and privileges assigned to that role. See the
.INDENT 3.5
.SS Example
.sp
-This LDAP query returns any groups listed in the LDAP user object’s
+This LDAP query returns any groups listed in the LDAP user object\(aqs
\fBmemberOf\fP attribute.
.INDENT 0.0
.INDENT 3.5
@@ -1356,8 +1576,13 @@ use your preferred LDAP resource.
.B \-\-storageEngine string
\fIDefault\fP: \fBwiredTiger\fP
.sp
-Changed in version 4.0: MongoDB deprecates the MMAPv1 storage engine.
-
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in version 4.2, MongoDB removes the deprecated MMAPv1 storage
+engine.
+.UNINDENT
+.UNINDENT
.sp
Specifies the storage engine for the \fBmongod\fP database. Available
values include:
@@ -1385,12 +1610,6 @@ To specify the /core/inmemory\&.
New in version 3.2: Available in MongoDB Enterprise only.
T}
_
-T{
-\fBmmapv1\fP (Deprecated in MongoDB 4.0)
-T} T{
-To specify the /core/mmapv1\&.
-T}
-_
.TE
.sp
If you attempt to start a \fBmongod\fP with a
@@ -1449,10 +1668,12 @@ in\-memory storage engine\&.
.TP
.B \-\-noIndexBuildRetry
Changed in version 4.0: \fI\%\-\-noIndexBuildRetry\fP cannot be used in
-conjunction with \fI\%\-\-replSet\fP\&.
+conjunction with \fI\%\-\-replSet\fP; i.e., you cannot
+use \fI\%\-\-noIndexBuildRetry\fP for a \fI\%mongod\fP instance that is part of
+a replica set.
.sp
-Stops the \fBmongod\fP standalone instance from rebuilding incomplete indexes on the next
+Stops the \fBmongod\fP \fBstandalone\fP instance from rebuilding incomplete indexes on the next
start up. This applies in cases where the \fBmongod\fP restarts after it
has shut down or stopped in the middle of an index build. In such cases,
the \fBmongod\fP always removes any incomplete indexes, and then also, by
@@ -1460,20 +1681,13 @@ default, attempts to rebuild them. To stop the \fBmongod\fP from
rebuilding incomplete indexes on start up, include this option on the
command\-line.
.sp
+The \fI\%\-\-noIndexBuildRetry\fP only applies to standalones.
+.sp
Not available for \fI\%mongod\fP instances that use the
in\-memory storage engine\&.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-noprealloc
-Deprecated since version 2.6: By default, MongoDB does not preallocate data files. The option
-exists for compatibility and clarity.
-
-.sp
-Disables the preallocation of data files.
-.UNINDENT
-.INDENT 0.0
-.TP
.B \-\-nssize <value>
\fIDefault\fP: 16
.sp
@@ -1542,7 +1756,7 @@ purposes, you should also set \fI\%\-\-nojournal\fP
to \fBtrue\fP\&.
.sp
The \fBserverStatus\fP command reports the background flush
-thread’s status via the \fBbackgroundFlushing\fP field.
+thread\(aqs status via the \fBbackgroundFlushing\fP field.
.sp
Not available for \fI\%mongod\fP instances that use the
in\-memory storage engine\&.
@@ -1557,78 +1771,63 @@ This option only affects the operation of the \fBmongod\fP if the data
files are in an old format.
.sp
In most cases you should not set this value, so you can exercise the
-most control over your upgrade process. See the MongoDB \fI\%release notes\fP (on the download page) for more
-information about the upgrade process.
+most control over your upgrade process. See the MongoDB release notes
+for more information about the upgrade process.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-repair
-Runs a repair routine on all databases. This is equivalent
-to shutting down and running the \fBrepairDatabase\fP database
-command on all databases.
+Changed in version 4.0.3.
+
+.sp
+Runs a repair routine on all databases for a \fI\%mongod\fP
+instance. The operation attempts to salvage corrupt data as well as
+rebuilds all the indexes. The operation discards any corrupt data
+that cannot be salvaged.
+.INDENT 7.0
+.INDENT 3.5
+.SS Tip
+.sp
+If you are running with journaling enabled, there is
+almost never any need to run repair since the server can use the
+journal files to restore the data files to a clean state automatically.
+However, you may need to run repair in cases where you need to recover
+from a disk\-level data corruption.
+.UNINDENT
+.UNINDENT
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
-Before using \fBrepairDatabase\fP, make a backup copy of
-the dbpath directory.
+Only use \fI\%mongod \-\-repair\fP if you have no other options.
+The operation removes and does not save any corrupt data during
+the repair process.
+.IP \(bu 2
+Avoid running \fI\%\-\-repair\fP against
+a replica set member:
+.INDENT 2.0
.IP \(bu 2
-Avoid running \fBrepairDatabase\fP against a replica set.
-If you are trying to repair a replica set member, and you
-have access to an intact copy of your data (e.g. a recent backup
-or an intact member of the replica set), you should
-restore from that intact copy (see
-/tutorial/resync\-replica\-set\-member), and \fBnot\fP use
-\fBrepairDatabase\fP\&.
+To repair a replica set member, if you have an intact
+copy of your data available (e.g. a recent backup or an intact
+member of the replica set), restore from that intact
+copy instead(see /tutorial/resync\-replica\-set\-member).
.IP \(bu 2
-Only use the \fBrepairDatabase\fP command and associated
-wrappers, including \fBdb.repairDatabase()\fP and
-\fI\%mongod \-\-repair\fP, if you have no other options. These
-operations remove and do not save any corrupt data during the
-repair process.
+If you do choose to run \fI\%mongod \-\-repair\fP against a
+replica set member and the operation modifies the data or the
+metadata, you must still perform a full resync in order for the
+member to rejoin the replica set.
.UNINDENT
+.IP \(bu 2
+Before using \fI\%\-\-repair\fP, make a backup
+copy of the \fI\%dbpath\fP directory.
+.IP \(bu 2
+If repair fails to complete for any reason, you must restart the
+instance using the \fI\%\-\-repair\fP option.
.UNINDENT
.UNINDENT
-.sp
-If you are running with journaling enabled, there is
-almost never any need to run \fBrepairDatabase\fP unless you
-need to recover from a disk\-level data corruption. In the event of an
-unclean shutdown, the server will be able to restore the data files to
-a clean state automatically.
-.sp
-Changed in version 2.1.2.
-
-.sp
-If you run the repair option \fIand\fP have data in a journal file, the
-\fBmongod\fP instance refuses to start. In these cases you should start
-the \fBmongod\fP without the \fI\%\-\-repair\fP option, which allows the
-\fBmongod\fP to recover data from the journal. This completes more
-quickly and is more likely to produce valid data files. To continue the
-repair operation despite the journal files, shut down the \fBmongod\fP
-cleanly and restart with the \fI\%\-\-repair\fP option.
-.sp
-The \fI\%\-\-repair\fP option copies data from the source data files into new data
-files in the \fBrepairPath\fP and then replaces the original data
-files with the repaired data files.
.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-repairpath <path>
-\fIDefault\fP: A \fB_tmp_repairDatabase_<num>\fP directory under the
-\fBdbPath\fP\&.
-.sp
-Specifies a working directory that MongoDB will use during the
-\fI\%\-\-repair\fP operation. When \fB\-\-repair\fP completes, the
-\fI\%\-\-repairpath\fP directory is empty, and
-\fBdbPath\fP contains the repaired files.
-.sp
-The \fI\%\-\-repairpath\fP must be within the \fBdbPath\fP\&. You can
-specify a symlink to \fI\%\-\-repairpath\fP to use a path on a different file
-system.
-.sp
-Only available for \fI\%mongod\fP instance using the MMAPv1 storage engine.
.UNINDENT
.INDENT 0.0
.TP
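Review bot: In the rewritten WARNING list, the backup instruction ("Before using --repair, make a backup copy of the dbpath directory") is now the third bullet, after the text stating that the operation "removes and does not save any corrupt data". Move it to the top so it is read before anything else. Also, "copy instead(see /tutorial/resync-replica-set-member)" is missing a space before the parenthesis and exposes a raw documentation path. The removed paragraph said that mongod refuses to start with --repair when a journal file holds data; if that no longer applies, a "Changed in" line saying so would be better than silent removal.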
@@ -1643,6 +1842,12 @@ in\-memory storage engine\&.
If any voting member of a replica set uses the in\-memory
storage engine, you must set
\fBwriteConcernMajorityJournalDefault\fP to \fBfalse\fP\&.
+.sp
+Starting in version 4.2, if a replica set member uses the
+in\-memory storage engine (voting or
+non\-voting) but the replica set has
+\fBwriteConcernMajorityJournalDefault\fP set to true, the replica set member
+logs a startup warning.
.UNINDENT
.INDENT 0.0
.TP
@@ -1678,13 +1883,7 @@ The maximum amount of time in milliseconds that
the \fBmongod\fP process allows between
journal operations. Values can range from 1 to 500 milliseconds. Lower
values increase the durability of the journal, at the expense of disk
-performance. The default journal commit interval is 100 milliseconds.
-.sp
-On MMAPv1, if the journal is on a different block device (e.g. physical
-volume, RAID device, or LVM volume) than the data files, the default journal
-commit interval is 30 milliseconds. Additionally, on MMAPv1, when a write
-operation with \fBj:true\fP is pending, \fBmongod\fP will reduce
-\fBcommitIntervalMs\fP to a third of the set value.
+performance. The default journal commit interval is 100 milliseconds.
.sp
On WiredTiger, the default journal commit interval is 100 milliseconds. Additionally,
a write with \fBj:true\fP will cause an immediate sync of the journal.
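Review bot: With the MMAPv1 paragraph removed, the entry now says "The default journal commit interval is 100 milliseconds." and two lines later "On WiredTiger, the default journal commit interval is 100 milliseconds." Drop the duplicate and keep a single sentence, followed by the `j:true` behaviour.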
@@ -1695,15 +1894,16 @@ in\-memory storage engine\&.
.SS WiredTiger Options
.INDENT 0.0
.TP
-.B \-\-wiredTigerCacheSizeGB float
+.B \-\-wiredTigerCacheSizeGB <float>
Defines the maximum size of the internal cache that WiredTiger will
-use for all data.
+use for all data. The memory consumed by an index build (see
+\fBmaxIndexBuildMemoryUsageMegabytes\fP) is separate from the
+WiredTiger cache memory.
.sp
-Changed in version 3.4: Values can range from 256MB to 10TB and can be a float. In
-addition, the default value has also changed.
-
+Starting in MongoDB 3.4, \fI\%\-\-wiredTigerCacheSizeGB\fP values can range from 0.25 GB to
+10000 GB and can be a float.
.sp
-Starting in 3.4, the WiredTiger internal cache, by default, will use
+Starting in MongoDB 3.4, the default WiredTiger internal cache size is
the larger of either:
.INDENT 7.0
.IP \(bu 2
@@ -1773,6 +1973,8 @@ Available compressors are:
snappy
.IP \(bu 2
zlib
+.IP \(bu 2
+zstd (Available starting in MongoDB 4.2)
.UNINDENT
.UNINDENT
.INDENT 0.0
@@ -1801,9 +2003,8 @@ the new destination.
New in version 3.0.0.
.sp
-Specifies the default type of compression to use to compress collection
-data. You can override this on a per\-collection basis when creating
-collections.
+Specifies the default compression for collection data. You can
+override this on a per\-collection basis when creating collections.
.sp
Available compressors are:
.INDENT 7.0
@@ -1813,6 +2014,8 @@ Available compressors are:
snappy
.IP \(bu 2
zlib
+.IP \(bu 2
+zstd (Available starting MongoDB 4.2)
.UNINDENT
.sp
\fI\%\-\-wiredTigerCollectionBlockCompressor\fP affects all collections created. If you change
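Review bot: The zstd entry added here reads "zstd (Available starting MongoDB 4.2)", while the same entry added to the previous compressor list reads "zstd (Available starting in MongoDB 4.2)". Use the same wording in both lists.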
@@ -1864,14 +2067,25 @@ connections by replica set name.
.TP
.B \-\-oplogSize <value>
Specifies a maximum size in megabytes for the replication operation log
-(i.e., the oplog). The \fBmongod\fP process creates an
-oplog based on the maximum amount of space available. For 64\-bit
-systems, the oplog is typically 5% of available disk space.
+(i.e., the oplog).
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.0, the oplog can grow past its configured size
+limit to avoid deleting the \fBmajority commit point\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+By default, the \fBmongod\fP process creates an oplog based on
+the maximum amount of space available. For 64\-bit systems, the oplog
+is typically 5% of available disk space.
.sp
Once the \fBmongod\fP has created the oplog for the first time,
changing the \fI\%\-\-oplogSize\fP option will not affect the size of the oplog.
-Use the \fBreplSetResizeOplog\fP administrative command to
-change the oplog size of a running \fBmongod\fP replica set member.
+.sp
+To change the oplog size of a running replica set member, use the
+\fBreplSetResizeOplog\fP administrative command.
\fBreplSetResizeOplog\fP enables you to resize the oplog
dynamically without restarting the \fI\%mongod\fP process.
.sp
@@ -1879,60 +2093,55 @@ See replica\-set\-oplog\-sizing for more information.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-replIndexPrefetch
-\fIDefault\fP: all
+.B \-\-enableMajorityReadConcern
+\fIDefault\fP: True
+.sp
+Starting in MongoDB 3.6, MongoDB enables support for
+\fB"majority"\fP read concern by default.
+.sp
+You can disable read concern \fB"majority"\fP to prevent
+the storage cache pressure from immobilizing a deployment with a
+three\-member primary\-secondary\-arbiter (PSA) architecture. For more
+information about disabling read concern \fB"majority"\fP,
+see disable\-read\-concern\-majority\&.
+.sp
+To disable, set \fI\%\-\-enableMajorityReadConcern\fP to false. \fI\%\-\-enableMajorityReadConcern\fP has no effect for
+MongoDB versions: 4.0.0, 4.0.1, 4.0.2, 3.6.0.
+.sp
+\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
-.IP "Storage Engine Specific Feature"
+In general, avoid disabling \fB"majority"\fP read concern
+unless necessary. However, if you have a three\-member replica set
+with a primary\-secondary\-arbiter (PSA) architecture or a sharded
+cluster with a three\-member PSA shards, disable to prevent the
+storage cache pressure from immobilizing the deployment.
.sp
-\fI\%\-\-replIndexPrefetch\fP is only available with the \fBmmapv1\fP
-storage engine.
-.UNINDENT
+Disabling \fB"majority"\fP read concern affects support for
+transactions on sharded clusters. Specifically:
+.INDENT 0.0
+.IP \(bu 2
+A transaction cannot use read concern \fB"snapshot"\fP if
+the transaction involves a shard that has disabled read
+concern "majority"\&.
+.IP \(bu 2
+A transaction that writes to multiple shards errors if any of the
+transaction\(aqs read or write operations involves a shard that has
+disabled read concern \fB"majority"\fP\&.
.UNINDENT
.sp
-Determines which indexes secondary members of a replica
-set load into memory before applying operations from the oplog. By
-default secondaries load all indexes related to an operation into memory
-before applying operations from the oplog.
+However, it does not affect transactions
+on replica sets. For transactions on replica sets, you can specify
+read concern \fB"majority"\fP (or \fB"snapshot"\fP
+or \fB"local"\fP ) for multi\-document transactions even if
+read concern \fB"majority"\fP is disabled.
.sp
-Set this option to one of the following:
-.TS
-center;
-|l|l|.
-_
-T{
-Value
-T} T{
-Description
-T}
-_
-T{
-\fBnone\fP
-T} T{
-Secondaries do not load indexes into memory.
-T}
-_
-T{
-\fBall\fP
-T} T{
-Secondaries load all indexes related to an operation.
-T}
-_
-T{
-\fB_id_only\fP
-T} T{
-Secondaries load no additional indexes into memory beyond the
-already existing \fB_id\fP index.
-T}
-_
-.TE
+Disabling \fB"majority"\fP read concern disables support
+for /changeStreams for MongoDB 4.0 and earlier. For MongoDB
+4.2+, disabling read concern \fB"majority"\fP has no effect on change
+streams availability.
+.UNINDENT
.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-enableMajorityReadConcern
-Deprecated since version 3.6: Starting in MongoDB 3.6, \fB"majority"\fP read concern
-is always enabled, and this option has no effect.
-
.UNINDENT
.SS Sharded Cluster Options
.INDENT 0.0
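Review bot: The PSA rationale is given twice within this one option, first in the "You can disable read concern..." paragraph and again at the top of the IMPORTANT block, nearly word for word; keep one. In the same block, "a sharded cluster with a three-member PSA shards" needs either "a ... shard" or no article, the bullet ending in concern "majority" lacks the bold markup used for every other occurrence, and "/changeStreams" looks like an unresolved cross-reference that should render as "change streams". The sentence "has no effect for MongoDB versions: 4.0.0, 4.0.1, 4.0.2, 3.6.0" would also be clearer if it said which behaviour those versions have.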
@@ -1964,6 +2173,15 @@ The \fI\%\-\-configsvr\fP option creates a local oplog\&.
.sp
Do not use the \fI\%\-\-configsvr\fP option with \fI\%\-\-shardsvr\fP\&. Config
servers cannot be a shard server.
+.sp
+Do not use the \fI\%\-\-configsvr\fP with the
+\fBskipShardingConfigurationChecks\fP parameter. That is, if
+you are temporarily starting the \fI\%mongod\fP as a
+standalone for maintenance operations, include the parameter
+\fBskipShardingConfigurationChecks\fP and exclude \fI\%\-\-configsvr\fP\&.
+Once maintenance has completed, remove the
+\fBskipShardingConfigurationChecks\fP parameter and restart
+with \fI\%\-\-configsvr\fP\&.
.UNINDENT
.INDENT 0.0
.TP
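Review bot: The new paragraph says not to combine --configsvr with skipShardingConfigurationChecks but does not say what mongod does if both are supplied (refuse to start, or ignore one of them), which is what an operator doing maintenance needs to know. "Do not use the --configsvr with" is also missing "option" after the flag name. The same paragraph is added for --shardsvr further down, so any rewording should be applied in both places.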
@@ -1976,8 +2194,8 @@ config servers is also a member of a replica set. \fBconfigsvrMode\fP
only accepts the value \fBsccc\fP\&.
.sp
If unset, config servers running as replica sets expect to use the
-“config server replica set” protocol for writing to config servers,
-rather than the “mirrored mongod” write protocol.
+"config server replica set" protocol for writing to config servers,
+rather than the "mirrored mongod" write protocol.
.UNINDENT
.INDENT 0.0
.TP
@@ -1991,13 +2209,19 @@ sharded cluster. The default port for these instances is
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
-Changed in version 3.6.
-
-.sp
-You must deploy shards as replica sets. See the \fI\%\-\-replSet\fP
+Starting in MongoDB 3.6, you must deploy shards as replica sets. See the \fI\%\-\-replSet\fP
option to deploy \fBmongod\fP as part of a replica set.
.UNINDENT
.UNINDENT
+.sp
+Do not use the \fI\%\-\-shardsvr\fP with the
+\fBskipShardingConfigurationChecks\fP parameter. That is, if
+you are temporarily starting the \fI\%mongod\fP as a
+standalone for maintenance operations, include the parameter
+\fBskipShardingConfigurationChecks\fP and exclude \fI\%\-\-shardsvr\fP\&.
+Once maintenance has completed, remove the
+\fBskipShardingConfigurationChecks\fP parameter and restart
+with \fI\%\-\-shardsvr\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -2018,40 +2242,23 @@ Changed in version 3.2: Starting in 3.2, MongoDB uses \fB\-\-noMoveParanoia\fP a
During chunk migration, a shard does not save documents migrated from
the shard.
.UNINDENT
-.SS TLS/SSL Options
+.SS TLS Options
.INDENT 0.0
.INDENT 3.5
.SS See
.sp
/tutorial/configure\-ssl for full
-documentation of MongoDB’s support.
+documentation of MongoDB\(aqs support.
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslOnNormalPorts
-Deprecated since version 2.6: Use \fI\%\-\-sslMode requireSSL\fP instead.
-
-.sp
-Enables TLS/SSL for \fBmongod\fP\&.
-.sp
-With \fI\%\-\-sslOnNormalPorts\fP, a \fBmongod\fP requires TLS/SSL encryption for all
-connections on the default MongoDB port, or the port specified by
-\fI\%\-\-port\fP\&. By default, \fI\%\-\-sslOnNormalPorts\fP is
-disabled.
-.sp
-For more information about TLS/SSL and MongoDB, see
-/tutorial/configure\-ssl and
-/tutorial/configure\-ssl\-clients .
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-sslMode <mode>
-New in version 2.6.
+.B \-\-tlsMode <mode>
+New in version 4.2.
.sp
-Enables TLS/SSL or mixed TLS/SSL used for all network connections. The
-argument to the \fI\%\-\-sslMode\fP option can be one of the following:
+Enables TLS used for all network connections. The
+argument to the \fI\%\-\-tlsMode\fP option can be one of the following:
.TS
center;
|l|l|.
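Review bot: Dropping "or mixed TLS/SSL" from the --tlsMode summary leaves "Enables TLS used for all network connections", which is awkward and no longer signals that two of the modes in the table that follows (allowTLS and preferTLS) still accept non-TLS incoming connections. Wording such as "Enables TLS, or mixed TLS and non-TLS, for network connections" keeps that meaning. The "See" box still ends with "for full documentation of MongoDB's support" without saying support for what; with the section renamed to "TLS Options" this is a good moment to complete the sentence.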
@@ -2065,70 +2272,98 @@ _
T{
\fBdisabled\fP
T} T{
-The server does not use TLS/SSL.
+The server does not use TLS.
T}
_
T{
-\fBallowSSL\fP
+\fBallowTLS\fP
T} T{
-Connections between servers do not use TLS/SSL. For incoming
-connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
+Connections between servers do not use TLS. For incoming
+connections, the server accepts both TLS and non\-TLS.
T}
_
T{
-\fBpreferSSL\fP
+\fBpreferTLS\fP
T} T{
-Connections between servers use TLS/SSL. For incoming
-connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
+Connections between servers use TLS. For incoming
+connections, the server accepts both TLS and non\-TLS.
T}
_
T{
-\fBrequireSSL\fP
+\fBrequireTLS\fP
T} T{
-The server uses and accepts only TLS/SSL encrypted connections.
+The server uses and accepts only TLS encrypted connections.
T}
_
.TE
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+If \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP is not
specified and you are not using x.509 authentication, the
system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+TLS\-enabled server.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+If using x.509 authentication, \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP
+must be specified unless using \fI\%\-\-tlsCertificateSelector\fP\&.
.sp
-For more information about TLS/SSL and MongoDB, see
+For more information about TLS and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslPEMKeyFile <filename>
-Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
-and key. Specify the file name of the \fB\&.pem\fP file using relative
-or absolute paths.
+.B \-\-tlsCertificateKeyFile <filename>
+New in version 4.2.
+
.sp
-You must specify \fI\%\-\-sslPEMKeyFile\fP when TLS/SSL is enabled.
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of specifying a PEM file. See
+\fI\%\-\-tlsCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
.sp
-For more information about TLS/SSL and MongoDB, see
+Specifies the \fB\&.pem\fP file that contains both the TLS certificate
+and key.
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, you must specify \fI\%\-\-tlsCertificateKeyFile\fP when TLS is enabled.
+.IP \(bu 2
+On Windows or macOS, you must specify either \fI\%\-\-tlsCertificateKeyFile\fP or
+\fI\%\-\-tlsCertificateSelector\fP when TLS is enabled.
+.UNINDENT
+.sp
+For more information about TLS and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslPEMKeyPassword <value>
+.B \-\-tlsCertificateKeyFilePassword <value>
+New in version 4.2.
+
+.sp
Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
+\fI\%\-\-tlsCertificateKeyFile\fP). Use the \fI\%\-\-tlsCertificateKeyFilePassword\fP option only if the
certificate\-key file is encrypted. In all cases, the \fBmongod\fP will
redact the password from all logging and reporting output.
.sp
-Changed in version 2.6: If the private key in the PEM file is encrypted and you do not
-specify the \fI\%\-\-sslPEMKeyPassword\fP option, the \fBmongod\fP will prompt for a
+Starting in MongoDB 4.0:
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, if the private key in the PEM file is encrypted and
+you do not specify the \fI\%\-\-tlsCertificateKeyFilePassword\fP option, MongoDB will prompt for a
passphrase. See ssl\-certificate\-password\&.
-
+.IP \(bu 2
+On macOS or Windows, if the private key in the PEM file is
+encrypted, you must explicitly specify the \fI\%\-\-tlsCertificateKeyFilePassword\fP option.
+Alternatively, you can use a certificate from the secure system
+store (see \fI\%\-\-tlsCertificateSelector\fP) instead of a PEM file or use an
+unencrypted PEM file.
+.UNINDENT
.sp
-For more information about TLS/SSL and MongoDB, see
+For more information about TLS and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
.UNINDENT
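Review bot: --tlsCertificateKeyFile and --tlsCertificateKeyFilePassword are marked "New in version 4.2", yet their bodies say "Starting in 4.0" and "Starting in MongoDB 4.0" while pointing at --tlsCertificateSelector, which this patch also lists as new in 4.2. Either say that the behaviour dates from 4.0 under the ssl-named options, or use 4.2 throughout. The CA paragraph here names the setting tls.CAFile, while the deprecated --sslMode entry later in this patch uses net.tls.CAFile; pick one form. "connecting to an TLS-enabled server" should read "a TLS-enabled server".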
@@ -2185,13 +2420,406 @@ T}
_
.TE
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+If \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP is not
specified and you are not using x.509 authentication, the
system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+TLS\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP
+must be specified unless using \fI\%\-\-tlsCertificateSelector\fP\&.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsClusterFile <filename>
+New in version 4.2.
+
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in 4.0, on macOS or Windows, you can use a certificate
+from the operating system\(aqs secure store instead of a PEM
+file. See \fI\%\-\-tlsClusterCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+Specifies the \fB\&.pem\fP file that contains the x.509 certificate\-key
+file for membership authentication
+for the cluster or replica set.
+.sp
+If \fI\%\-\-tlsClusterFile\fP does not specify the \fB\&.pem\fP file for internal cluster
+authentication or the alternative
+\fI\%\-\-tlsClusterCertificateSelector\fP, the cluster uses the
+\fB\&.pem\fP file specified in the \fI\%\-\-tlsCertificateKeyFile\fP option or
+the certificate returned by the \fI\%\-\-tlsCertificateSelector\fP\&.
+.sp
+If using x.509 authentication, \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP
+must be specified unless using \fI\%\-\-tlsCertificateSelector\fP\&.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsCertificateSelector <parameter>=<value>
+New in version 4.2: Available on Windows and macOS as an alternative to \fI\%\-\-tlsCertificateKeyFile\fP\&.
+.sp
+The \fI\%\-\-tlsCertificateKeyFile\fP and \fI\%\-\-tlsCertificateSelector\fP options are mutually exclusive. You can only
+specify one.
+
+.sp
+Specifies a certificate property in order to select a matching
+certificate from the operating system\(aqs certificate store.
+.sp
+\fI\%\-\-tlsCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
+where the property can be one of the following:
+.TS
+center;
+|l|l|l|.
+_
+T{
+Property
+T} T{
+Value type
+T} T{
+Description
+T}
+_
+T{
+\fBsubject\fP
+T} T{
+ASCII string
+T} T{
+Subject name or common name on certificate
+T}
+_
+T{
+\fBthumbprint\fP
+T} T{
+hex string
+T} T{
+A sequence of bytes, expressed as hexadecimal, used to
+identify a public key by its SHA\-1 digest.
+.sp
+The \fBthumbprint\fP is sometimes referred to as a
+\fBfingerprint\fP\&.
+T}
+_
+.TE
+.sp
+When using the system SSL certificate store, OCSP (Online
+Certificate Status Protocol) is used to validate the revocation
+status of certificates.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsClusterCertificateSelector <parameter>=<value>
+New in version 4.2: Available on Windows and macOS as an alternative to
+\fI\%\-\-tlsClusterFile\fP\&.
+.sp
+\fI\%\-\-tlsClusterFile\fP and \fI\%\-\-tlsClusterCertificateSelector\fP options are mutually exclusive. You can only
+specify one.
+
+.sp
+Specifies a certificate property in order to select a matching
+certificate from the operating system\(aqs certificate store to use for
+internal authentication.
+.sp
+\fI\%\-\-tlsClusterCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
+where the property can be one of the following:
+.TS
+center;
+|l|l|l|.
+_
+T{
+Property
+T} T{
+Value type
+T} T{
+Description
+T}
+_
+T{
+\fBsubject\fP
+T} T{
+ASCII string
+T} T{
+Subject name or common name on certificate
+T}
+_
+T{
+\fBthumbprint\fP
+T} T{
+hex string
+T} T{
+A sequence of bytes, expressed as hexadecimal, used to
+identify a public key by its SHA\-1 digest.
+.sp
+The \fBthumbprint\fP is sometimes referred to as a
+\fBfingerprint\fP\&.
+T}
+_
+.TE
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsClusterPassword <value>
+New in version 4.2.
+
+.sp
+Specifies the password to de\-crypt the x.509 certificate\-key file
+specified with \fB\-\-tlsClusterFile\fP\&. Use the \fI\%\-\-tlsClusterPassword\fP option only
+if the certificate\-key file is encrypted. In all cases, the \fBmongod\fP
+will redact the password from all logging and reporting output.
+.sp
+Starting in MongoDB 4.0:
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, if the private key in the x.509 file is encrypted and
+you do not specify the \fI\%\-\-tlsClusterPassword\fP option, MongoDB will prompt for a
+passphrase. See ssl\-certificate\-password\&.
+.IP \(bu 2
+On macOS or Windows, if the private key in the x.509 file is
+encrypted, you must explicitly specify the \fI\%\-\-tlsClusterPassword\fP option.
+Alternatively, you can either use a certificate from the secure
+system store (see \fI\%\-\-tlsClusterCertificateSelector\fP) instead of a cluster PEM file or
+use an unencrypted PEM file.
+.UNINDENT
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsCAFile <filename>
+New in version 4.2.
+
+.sp
+Specifies the \fB\&.pem\fP file that contains the root certificate chain
+from the Certificate Authority. Specify the file name of the
+\fB\&.pem\fP file using relative or absolute paths.
+.sp
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of a PEM key file. See
+\fI\%\-\-tlsCertificateSelector\fP\&. When using the secure store, you
+do not need to, but can, also specify the \fI\%\-\-tlsCAFile\fP\&.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsClusterCAFile <filename>
+New in version 4.2.
+
+.sp
+Specifies the \fB\&.pem\fP file that contains the root certificate chain
+from the Certificate Authority used to validate the certificate
+presented by a client establishing a connection. Specify the file
+name of the \fB\&.pem\fP file using relative or absolute paths.
+.sp
+If \fI\%\-\-tlsClusterCAFile\fP does not specify the \fB\&.pem\fP file for validating the
+certificate from a client establishing a connection, the cluster uses
+the \fB\&.pem\fP file specified in the \fI\%\-\-tlsCAFile\fP option.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+\fI\%\-\-tlsClusterCAFile\fP lets you use separate Certificate Authorities to verify the
+client to server and server to client portions of the TLS handshake.
+.sp
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of a PEM key file. See
+\fI\%\-\-tlsClusterCertificateSelector\fP\&. When using the secure store, you
+do not need to, but can, also specify the \fI\%\-\-tlsClusterCAFile\fP\&.
+.sp
+Requires that \fI\%\-\-tlsCAFile\fP is set.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsCRLFile <filename>
+New in version 4.2.
+
+.sp
+Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
+List. Specify the file name of the \fB\&.pem\fP file using relative or
+absolute paths.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.0, you cannot specify \fI\%\-\-tlsCRLFile\fP on macOS. Use \fI\%\-\-tlsCertificateSelector\fP instead.
+.UNINDENT
+.UNINDENT
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsAllowInvalidCertificates
+New in version 4.2.
+
+.sp
+Bypasses the validation checks for TLS certificates on other
+servers in the cluster and allows the use of invalid certificates to
+connect.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+If you specify
+\fB\-\-tlsAllowInvalidCertificates\fP or \fBtls.allowInvalidCertificates:
+true\fP when using x.509 authentication, an invalid certificate is
+only sufficient to establish a TLS connection but is
+\fIinsufficient\fP for authentication.
+.UNINDENT
+.UNINDENT
+.sp
+When using
+the \fI\%\-\-tlsAllowInvalidCertificates\fP setting, MongoDB
+logs a warning regarding the use of the invalid certificate.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsAllowInvalidHostnames
+New in version 4.2.
+
+.sp
+Disables the validation of the hostnames in TLS certificates,
+when connecting to other members of the replica set or sharded cluster
+for inter\-process authentication. This allows \fBmongod\fP to connect
+to other members if the hostnames in their certificates do not match
+their configured hostname.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsAllowConnectionsWithoutCertificates
+New in version 4.2.
+
+.sp
+For clients that do not present certificates, \fBmongod\fP bypasses
+TLS/SSL certificate validation when establishing the connection.
+.sp
+For clients that present a certificate, however, \fBmongod\fP performs
+certificate validation using the root certificate chain specified by
+\fB\-\-tlsCAFile\fP and reject clients with invalid certificates.
+.sp
+Use the \fI\%\-\-tlsAllowConnectionsWithoutCertificates\fP option if you have a mixed deployment that includes
+clients that do not or cannot present certificates to the \fBmongod\fP\&.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsDisabledProtocols <protocol(s)>
+New in version 4.2.
+
+.sp
+Prevents a MongoDB server running with TLS from accepting
+incoming connections that use a specific protocol or protocols. To
+specify multiple protocols, use a comma separated list of protocols.
+.sp
+\fI\%\-\-tlsDisabledProtocols\fP recognizes the following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP,
+\fBTLS1_2\fP, and starting in version 4.0.4 (and 3.6.9), \fBTLS1_3\fP\&.
+.INDENT 7.0
+.IP \(bu 2
+On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
+\fBTLS1_2\fP enabled. You must disable at least one of the other
+two, for example, \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+To list multiple protocols, specify as a comma separated list of
+protocols. For example \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+Specifying an unrecognized protocol will prevent the server from
+starting.
+.IP \(bu 2
+The specified disabled protocols overrides any default disabled
+protocols.
+.UNINDENT
+.sp
+Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS
+1.1+ is available on the system. To enable the disabled TLS 1.0,
+specify \fBnone\fP to \fI\%\-\-tlsDisabledProtocols\fP\&. See 4.0\-disable\-tls\&.
+.sp
+Members of replica sets and sharded clusters must speak at least one
+protocol in common.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+ssl\-disallow\-protocols
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsFIPSMode
+New in version 4.2.
+
+.sp
+Directs the \fBmongod\fP to use the FIPS mode of the TLS
+library. Your system must have a FIPS
+compliant library to use the \fI\%\-\-tlsFIPSMode\fP option.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+FIPS\-compatible TLS/SSL is
+available only in \fI\%MongoDB Enterprise\fP\&. See
+/tutorial/configure\-fips for more information.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS SSL Options (Deprecated)
+.sp
+\fBIMPORTANT:\fP
+.INDENT 0.0
+.INDENT 3.5
+All SSL options are deprecated since 4.2. Use the \fI\%TLS counterparts\fP instead, as they have identical functionality to the
+SSL options. The SSL protocol is deprecated and MongoDB supports TLS 1.0
+and later.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.SS See
+.sp
+/tutorial/configure\-ssl for full
+documentation of MongoDB\(aqs support.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslOnNormalPorts
+Deprecated since version 2.6: Use \fI\%\-\-tlsMode requireTLS\fP instead.
+
+.sp
+Enables TLS/SSL for \fBmongod\fP\&.
+.sp
+With \fI\%\-\-sslOnNormalPorts\fP, a \fBmongod\fP requires TLS/SSL encryption for all
+connections on the default MongoDB port, or the port specified by
+\fI\%\-\-port\fP\&. By default, \fI\%\-\-sslOnNormalPorts\fP is
+disabled.
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
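Review bot: Several lines in the new TLS section still carry SSL wording: "When using the system SSL certificate store" under --tlsCertificateSelector, "TLS/SSL certificate validation" under --tlsAllowConnectionsWithoutCertificates, and "FIPS-compatible TLS/SSL" under --tlsFIPSMode. There are also typos to fix: "Specifies the the .pem file" under --tlsCRLFile, "and reject clients" (should be "rejects"), and "The specified disabled protocols overrides". Under --tlsDisabledProtocols the comma-separated-list instruction appears both in the opening paragraph and as the second bullet. The --tlsCRLFile note tells macOS users to "Use --tlsCertificateSelector instead"; a pointer to the OCSP sentence under that option would make the revocation path explicit.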
@@ -2199,20 +2827,157 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslClusterFile <filename>
+.B \-\-sslMode <mode>
+Deprecated since version 4.2: Use \fI\%\-\-tlsMode\fP instead.
+
+.sp
New in version 2.6.
.sp
+Enables TLS/SSL or mixed TLS/SSL used for all network connections. The
+argument to the \fI\%\-\-sslMode\fP option can be one of the following:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T} T{
+Description
+T}
+_
+T{
+\fBdisabled\fP
+T} T{
+The server does not use TLS/SSL.
+T}
+_
+T{
+\fBallowSSL\fP
+T} T{
+Connections between servers do not use TLS/SSL. For incoming
+connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
+T}
+_
+T{
+\fBpreferSSL\fP
+T} T{
+Connections between servers use TLS/SSL. For incoming
+connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
+T}
+_
+T{
+\fBrequireSSL\fP
+T} T{
+The server uses and accepts only TLS/SSL encrypted connections.
+T}
+_
+.TE
+.sp
+Starting in version 3.4, if \fB\-\-tlsCAFile\fP/\fBnet.tls.CAFile\fP (or
+their aliases \fB\-\-sslCAFile\fP/\fBnet.ssl.CAFile\fP) is not specified
+and you are not using x.509 authentication, the system\-wide CA
+certificate store will be used when connecting to an TLS/SSL\-enabled
+server.
+.sp
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslPEMKeyFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCertificateKeyFile\fP instead.
+
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of a PEM file. See
+\fI\%\-\-sslCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
+and key.
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, you must specify \fI\%\-\-sslPEMKeyFile\fP when TLS/SSL is enabled.
+.IP \(bu 2
+On Windows or macOS, you must specify either \fI\%\-\-sslPEMKeyFile\fP or
+\fI\%\-\-sslCertificateSelector\fP when TLS/SSL is enabled.
+.UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslPEMKeyPassword <value>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCertificateKeyFilePassword\fP instead.
+
+.sp
+Specifies the password to de\-crypt the certificate\-key file (i.e.
+\fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
+certificate\-key file is encrypted. In all cases, the \fBmongod\fP will
+redact the password from all logging and reporting output.
+.sp
+Starting in MongoDB 4.0:
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, if the private key in the PEM file is encrypted and
+you do not specify the \fI\%\-\-sslPEMKeyPassword\fP option, MongoDB will prompt for a
+passphrase. See ssl\-certificate\-password\&.
+.IP \(bu 2
+On macOS or Windows, if the private key in the PEM file is
+encrypted, you must explicitly specify the \fI\%\-\-sslPEMKeyPassword\fP option.
+Alternatively, you can use a certificate from the secure system
+store (see \fI\%\-\-sslCertificateSelector\fP) instead of a PEM key file or use an
+unencrypted PEM file.
+.UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslClusterFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsClusterFile\fP instead.
+
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in 4.0, on macOS or Windows, you can use a certificate
+from the operating system\(aqs secure store instead of a PEM key
+file. See \fI\%\-\-sslClusterCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
Specifies the \fB\&.pem\fP file that contains the x.509 certificate\-key
file for membership authentication
for the cluster or replica set.
.sp
If \fI\%\-\-sslClusterFile\fP does not specify the \fB\&.pem\fP file for internal cluster
-authentication, the cluster uses the \fB\&.pem\fP file specified in the
-\fI\%\-\-sslPEMKeyFile\fP option.
+authentication or the alternative
+\fI\%\-\-sslClusterCertificateSelector\fP, the cluster uses the
+\fB\&.pem\fP file specified in the \fI\%\-\-sslPEMKeyFile\fP option or
+the certificate returned by the \fI\%\-\-sslCertificateSelector\fP\&.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
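Review bot: In the x.509 paragraph added under both --sslMode and --sslClusterFile, "--net.tls.certificateSelector" looks like a configuration-file setting written with a command-line prefix; the matching net.ssl.certificateSelector two lines later has none, so drop the dashes. "Starting in version 3.4, if --tlsCAFile/net.tls.CAFile ..." attributes tls-named options to 3.4 although this patch lists them as new in 4.2; lead with the ssl names and give the tls ones as the aliases, or drop the version. "an TLS/SSL-enabled server" should be "a TLS/SSL-enabled server".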
@@ -2220,7 +2985,118 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-sslCertificateSelector <parameter>=<value>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCertificateSelector\fP instead.
+
+.sp
+New in version 4.0: Available on Windows and macOS as an alternative to \fI\%\-\-tlsCertificateKeyFile\fP\&.
+.sp
+\fI\%\-\-tlsCertificateKeyFile\fP and \fI\%\-\-sslCertificateSelector\fP options are mutually exclusive. You can only
+specify one.
+
+.sp
+Specifies a certificate property in order to select a matching
+certificate from the operating system\(aqs certificate store.
+.sp
+\fI\%\-\-sslCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
+where the property can be one of the following:
+.TS
+center;
+|l|l|l|.
+_
+T{
+Property
+T} T{
+Value type
+T} T{
+Description
+T}
+_
+T{
+\fBsubject\fP
+T} T{
+ASCII string
+T} T{
+Subject name or common name on certificate
+T}
+_
+T{
+\fBthumbprint\fP
+T} T{
+hex string
+T} T{
+A sequence of bytes, expressed as hexadecimal, used to
+identify a public key by its SHA\-1 digest.
+.sp
+The \fBthumbprint\fP is sometimes referred to as a
+\fBfingerprint\fP\&.
+T}
+_
+.TE
+.sp
+When using the system SSL certificate store, OCSP (Online
+Certificate Status Protocol) is used to validate the revocation
+status of certificates.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslClusterCertificateSelector <parameter>=<value>
+Deprecated since version 4.2: Use \fI\%\-\-tlsClusterCertificateSelector\fP instead.
+
+.sp
+New in version 4.0: Available on Windows and macOS as an alternative to
+\fI\%\-\-sslClusterFile\fP\&.
+.sp
+\fI\%\-\-sslClusterFile\fP and \fI\%\-\-sslClusterCertificateSelector\fP options are mutually exclusive. You can only
+specify one.
+
+.sp
+Specifies a certificate property in order to select a matching
+certificate from the operating system\(aqs certificate store to use for
+internal authentication.
+.sp
+\fI\%\-\-sslClusterCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
+where the property can be one of the following:
+.TS
+center;
+|l|l|l|.
+_
+T{
+Property
+T} T{
+Value type
+T} T{
+Description
+T}
+_
+T{
+\fBsubject\fP
+T} T{
+ASCII string
+T} T{
+Subject name or common name on certificate
+T}
+_
+T{
+\fBthumbprint\fP
+T} T{
+hex string
+T} T{
+A sequence of bytes, expressed as hexadecimal, used to
+identify a public key by its SHA\-1 digest.
+.sp
+The \fBthumbprint\fP is sometimes referred to as a
+\fBfingerprint\fP\&.
+T}
+_
+.TE
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-sslClusterPassword <value>
+Deprecated since version 4.2: Use \fI\%\-\-tlsClusterPassword\fP instead.
+
+.sp
New in version 2.6.
.sp
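Review bot: The new --sslCertificateSelector entry names --tlsCertificateKeyFile as the option it replaces and is mutually exclusive with, whereas the --sslClusterCertificateSelector entry below it names the ssl-prefixed --sslClusterFile. Pick one naming scheme inside the deprecated ssl entries, or mention both spellings. The synopsis lines also say <parameter>=<value> while the body says <property>=<value>, and the OCSP revocation paragraph appears only under --sslCertificateSelector; if it applies to the cluster selector too, repeat it there.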
@@ -2229,9 +3105,19 @@ specified with \fB\-\-sslClusterFile\fP\&. Use the \fI\%\-\-sslClusterPassword\f
if the certificate\-key file is encrypted. In all cases, the \fBmongod\fP
will redact the password from all logging and reporting output.
.sp
-If the x.509 key file is encrypted and you do not specify the
-\fI\%\-\-sslClusterPassword\fP option, the \fBmongod\fP will prompt for a passphrase. See
-ssl\-certificate\-password\&.
+Starting in MongoDB 4.0:
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, if the private key in the x.509 file is encrypted and
+you do not specify the \fI\%\-\-sslClusterPassword\fP option, MongoDB will prompt for a
+passphrase. See ssl\-certificate\-password\&.
+.IP \(bu 2
+On macOS or Windows, if the private key in the x.509 file is
+encrypted, you must explicitly specify the \fI\%\-\-sslClusterPassword\fP option.
+Alternatively, you can either use a certificate from the secure
+system store (see \fI\%\-\-sslClusterCertificateSelector\fP) instead of a cluster PEM file or
+use an unencrypted PEM file.
+.UNINDENT
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
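Review bot: The macOS/Windows bullet offers "use an unencrypted PEM file" as an alternative with no caveat. Since the private key is then protected only by file system permissions, say so in that bullet or list the secure system store first as the preferred route. The ssl-certificate-password reference is attached only to the Linux/BSD bullet; if it also covers the macOS/Windows case, move it below the list.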
@@ -2240,17 +3126,46 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslCAFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCAFile\fP instead.
+
+.sp
Specifies the \fB\&.pem\fP file that contains the root certificate chain
from the Certificate Authority. Specify the file name of the
\fB\&.pem\fP file using relative or absolute paths.
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
-specified and you are not using x.509 authentication, the
-system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of a PEM key file. See
+\fI\%\-\-sslCertificateSelector\fP\&. When using the secure store, you
+do not need to, but can, also specify the \fI\%\-\-sslCAFile\fP\&.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslClusterCAFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsClusterCAFile\fP instead.
+
+.sp
+Specifies the \fB\&.pem\fP file that contains the root certificate chain
+from the Certificate Authority used to validate the certificate
+presented by a client establishing a connection. Specify the file
+name of the \fB\&.pem\fP file using relative or absolute paths.
+.sp
+If \fI\%\-\-sslClusterCAFile\fP does not specify the \fB\&.pem\fP file for validating the
+certificate from a client establishing a connection, the cluster uses
+the \fB\&.pem\fP file specified in the \fI\%\-\-sslCAFile\fP option.
+.sp
+\fI\%\-\-sslClusterCAFile\fP lets you use separate Certificate Authorities to verify the
+client to server and server to client portions of the TLS handshake.
+.sp
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of a PEM key file. See
+\fI\%\-\-sslClusterCertificateSelector\fP\&. When using the secure store, you
+do not need to, but can, also specify the \fI\%\-\-sslClusterCAFile\fP\&.
+.sp
+Requires that \fI\%\-\-sslCAFile\fP is set.
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
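Review bot: The --sslCAFile entry loses both the sentence about falling back to the system-wide CA certificate store and the sentence that x.509 authentication requires a CA file, and nothing in this entry replaces them. A reader of --sslCAFile can no longer tell what happens when the option is omitted, so keep a one-line statement of the default and of the x.509 requirement here. In the new --sslClusterCAFile entry, "Requires that --sslCAFile is set" sits directly after the secure-store sentence; state whether the requirement still holds when a certificate selector is used.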
@@ -2259,10 +3174,20 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslCRLFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCRLFile\fP instead.
+
+.sp
Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
List. Specify the file name of the \fB\&.pem\fP file using relative or
absolute paths.
.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.0, you cannot specify \fI\%\-\-sslCRLFile\fP on macOS. Use \fI\%\-\-sslCertificateSelector\fP instead.
+.UNINDENT
+.UNINDENT
+.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
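Review bot: The added NOTE tells macOS users to use --sslCertificateSelector instead of --sslCRLFile, but a certificate selector does not supply a revocation list, so the substitution is unexplained. Point to the statement in the --sslCertificateSelector entry that OCSP validates revocation status when the system certificate store is used. While touching this entry, the context line "Specifies the the .pem file" has a doubled word.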
@@ -2270,6 +3195,9 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslAllowInvalidCertificates
+Deprecated since version 4.2: Use \fI\%\-\-tlsAllowInvalidCertificates\fP instead.
+
+.sp
Bypasses the validation checks for TLS/SSL certificates on other
servers in the cluster and allows the use of invalid certificates to
connect.
@@ -2278,10 +3206,13 @@ connect.
.INDENT 7.0
.INDENT 3.5
Starting in MongoDB 4.0, if you specify
-\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
-true\fP when using x.509 authentication, an invalid certificate is
-only sufficient to establish a TLS/SSL connection but is
-\fIinsufficient\fP for authentication.
+\fB\-\-sslAllowInvalidCertificates\fP or
+\fBnet.ssl.allowInvalidCertificates: true\fP (or in MongoDB 4.2, the
+alias \fB\-\-tlsAllowInvalidateCertificates\fP or
+\fBnet.tls.allowInvalidCertificates: true\fP) when using x.509
+authentication, an invalid certificate is only sufficient to
+establish a TLS/SSL connection but is \fIinsufficient\fP for
+authentication.
.UNINDENT
.UNINDENT
.sp
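Review bot: The alias in the rewritten note is spelled --tlsAllowInvalidateCertificates, which does not match the --tlsAllowInvalidCertificates name given in the deprecation line added to this same entry. Correct the spelling, since a reader copying it from the note would be passing an option name the page does not otherwise define.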
@@ -2296,6 +3227,9 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslAllowInvalidHostnames
+Deprecated since version 4.2: Use \fI\%\-\-tlsAllowInvalidHostnames\fP instead.
+
+.sp
New in version 3.0.
.sp
@@ -2312,15 +3246,15 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslAllowConnectionsWithoutCertificates
-Disables the requirement for TLS/SSL certificate validation that
-\fB\-\-sslCAFile\fP enables. With the \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP option, the \fBmongod\fP
-will accept connections when the client does not present a certificate
-when establishing the connection.
+Deprecated since version 4.2: Use \fI\%\-\-tlsAllowConnectionsWithoutCertificates\fP instead.
+
+.sp
+For clients that do not present certificates, \fBmongod\fP bypasses
+TLS/SSL certificate validation when establishing the connection.
.sp
-If the client presents a certificate and the \fBmongod\fP has \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP
-enabled, the \fBmongod\fP will validate the certificate using the root
-certificate chain specified by \fB\-\-sslCAFile\fP and reject clients
-with invalid certificates.
+For clients that present a certificate, however, \fBmongod\fP performs
+certificate validation using the root certificate chain specified by
+\fB\-\-sslCAFile\fP and reject clients with invalid certificates.
.sp
Use the \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP option if you have a mixed deployment that includes
clients that do not or cannot present certificates to the \fBmongod\fP\&.
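Review bot: The rewritten first sentence says mongod "bypasses TLS/SSL certificate validation" for clients without certificates, which drops the removed wording that mongod will accept such connections and can be read as validation being switched off. State plainly that the connection is accepted without a client certificate. In the second paragraph "performs certificate validation ... and reject clients" should be "rejects".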
@@ -2332,6 +3266,9 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslDisabledProtocols <protocol(s)>
+Deprecated since version 4.2: Use \fI\%\-\-tlsDisabledProtocols\fP instead.
+
+.sp
New in version 3.0.7.
.sp
@@ -2340,7 +3277,7 @@ incoming connections that use a specific protocol or protocols. To
specify multiple protocols, use a comma separated list of protocols.
.sp
\fI\%\-\-sslDisabledProtocols\fP recognizes the following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP,
-and \fBTLS1_2\fP\&.
+\fBTLS1_2\fP, and starting in version 4.0.4 (and 3.6.9), \fBTLS1_3\fP\&.
.INDENT 7.0
.IP \(bu 2
On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
@@ -2359,7 +3296,7 @@ protocols.
.sp
Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS
1.1+ is available on the system. To enable the disabled TLS 1.0,
-specify \fBnone\fP to \fI\%\-\-sslDisabledProtocols\fP\&. 4.0\-disable\-tls
+specify \fBnone\fP to \fI\%\-\-sslDisabledProtocols\fP\&. See 4.0\-disable\-tls\&.
.sp
Members of replica sets and sharded clusters must speak at least one
protocol in common.
@@ -2374,9 +3311,12 @@ ssl\-disallow\-protocols
.INDENT 0.0
.TP
.B \-\-sslFIPSMode
-Directs the \fBmongod\fP to use the FIPS mode of the installed OpenSSL
+Deprecated since version 4.2: Use \fI\%\-\-tlsFIPSMode\fP instead.
+
+.sp
+Directs the \fBmongod\fP to use the FIPS mode of the TLS/SSL
library. Your system must have a FIPS
-compliant OpenSSL library to use the \fI\%\-\-sslFIPSMode\fP option.
+compliant library to use the \fI\%\-\-sslFIPSMode\fP option.
.sp
\fBNOTE:\fP
.INDENT 7.0
@@ -2448,11 +3388,18 @@ potential performance degradation.
The \fIslow\fP operation time threshold, in milliseconds. Operations
that run for longer than this threshold are considered \fIslow\fP\&.
.sp
-When \fBlogLevel\fP is set to \fB0\fP, MongoDB
-records \fIslow\fP operations to the diagnostic log at a rate determined by
-\fBslowOpSampleRate\fP\&. At higher
-\fBlogLevel\fP settings, all operations appear in the diagnostic
-log regardless of their latency.
+When \fBlogLevel\fP is set to \fB0\fP, MongoDB records \fIslow\fP
+operations to the diagnostic log at a rate determined by
+\fBslowOpSampleRate\fP\&. Starting in MongoDB
+4.2, the secondaries of replica sets log all oplog entry messages
+that take longer than the slow operation threshold to apply regardless of the sample rate.
+.sp
+At higher \fBlogLevel\fP settings, all operations appear in
+the diagnostic log regardless of their latency with the following
+exception: the logging of slow oplog entry messages by the
+secondaries\&. The secondaries log only the slow oplog
+entries; increasing the \fBlogLevel\fP does not log all
+oplog entries.
.sp
For \fI\%mongod\fP instances, \fI\%\-\-slowms\fP affects the diagnostic log
and, if enabled, the profiler.
@@ -2472,6 +3419,10 @@ and, if enabled, the profiler.
The fraction of \fIslow\fP operations that should be profiled or logged.
\fI\%\-\-slowOpSampleRate\fP accepts values between 0 and 1, inclusive.
.sp
+\fI\%\-\-slowOpSampleRate\fP does not affect the slow oplog entry logging by the secondary members of a replica set. Secondary
+members log all oplog entries that take longer than the slow
+operation threshold regardless of the \fI\%\-\-slowOpSampleRate\fP\&.
+.sp
For \fI\%mongod\fP instances, \fI\%\-\-slowOpSampleRate\fP affects the
diagnostic log and, if enabled, the profiler.
.UNINDENT
@@ -2524,7 +3475,8 @@ _
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Available only in \fI\%MongoDB Enterprise\fP\&.
+Available only in \fI\%MongoDB Enterprise\fP
+and \fI\%MongoDB Atlas\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -2568,7 +3520,8 @@ performance more than printing to a file in BSON format.
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Available only in \fI\%MongoDB Enterprise\fP\&.
+Available only in \fI\%MongoDB Enterprise\fP
+and \fI\%MongoDB Atlas\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -2585,7 +3538,8 @@ option can take either a full path name or a relative path name.
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Available only in \fI\%MongoDB Enterprise\fP\&.
+Available only in \fI\%MongoDB Enterprise\fP
+and \fI\%MongoDB Atlas\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -2621,7 +3575,8 @@ the configuration file.
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Available only in \fI\%MongoDB Enterprise\fP\&.
+Available only in \fI\%MongoDB Enterprise\fP
+and \fI\%MongoDB Atlas\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -2636,15 +3591,36 @@ to \fI\%SERVER\-29352\fP\&.
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-snmp\-disabled
+Disables SNMP access to \fI\%mongod\fP\&. The option is incompatible
+with \fI\%\-\-snmp\-subagent\fP and \fI\%\-\-snmp\-master\fP\&.
+.sp
+New in version 4.0.6.
+
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-snmp\-subagent
-Runs SNMP as a subagent. For more information, see
-/tutorial/monitor\-with\-snmp\&.
+Runs SNMP as a subagent. The option is incompatible with \fI\%\-\-snmp\-disabled\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-snmp\-master
-Runs SNMP as a master. For more information, see
-/tutorial/monitor\-with\-snmp\&.
+Runs SNMP as a master. The option is incompatible with \fI\%\-\-snmp\-disabled\fP\&.
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+/tutorial/monitor\-with\-snmp
+.IP \(bu 2
+/tutorial/monitor\-with\-snmp\-on\-windows
+.IP \(bu 2
+/tutorial/troubleshoot\-snmp
+.UNINDENT
+.UNINDENT
.UNINDENT
.SS inMemory Options
.INDENT 0.0
@@ -2720,9 +3696,8 @@ T{
T} T{
256\-bit Advanced Encryption Standard in Galois/Counter Mode
.sp
-Available only on Linux.
-.sp
-Changed in version 4.0: MongoDB Enterprise on Windows no longer supports \fBAES256\-GCM\fP\&.
+Changed in version 4.0: MongoDB Enterprise on Windows no longer supports \fBAES256\-GCM\fP\&. This
+cipher is now available only on Linux.
T}
_
.TE
@@ -2744,6 +3719,9 @@ The path to the local keyfile when managing keys via process \fIother
than\fP KMIP. Only set when managing keys via process other than KMIP.
If data is already encrypted using KMIP, MongoDB will throw an error.
.sp
+The keyfile can contain only a single key. The key is either a 16 or
+32 character string.
+.sp
Requires \fBenableEncryption\fP to be \fBtrue\fP\&.
.INDENT 7.0
.INDENT 3.5
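Review bot: "The key is either a 16 or 32 character string" does not say how the characters are encoded or how the two lengths relate to the cipher modes listed for the encryption cipher option. State the expected encoding and which length goes with which cipher, so that an operator generating the keyfile knows what a valid key looks like.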
@@ -2812,6 +3790,18 @@ New in version 3.2.
.sp
Hostname or IP address of key management solution running a KMIP
server. Requires \fBenableEncryption\fP to be true.
+.sp
+When connecting to the KMIP server, the \fI\%mongod\fP
+verifies that the specified \fI\%\-\-kmipServerName\fP matches the Subject Alternative
+Name \fBSAN\fP (or, if \fBSAN\fP is not present, the Common Name \fBCN\fP)
+in the certificate presented by the KMIP server. If \fBSAN\fP is
+present, \fI\%mongod\fP does not match against the \fBCN\fP\&. If
+the hostname does not match the \fBSAN\fP (or \fBCN\fP), the
+\fI\%mongod\fP will fail to connect.
+.sp
+Starting in MongoDB 4.2, when performing comparison of SAN, MongoDB
+supports comparison of DNS names or IP addresses. In previous versions,
+MongoDB only supports comparisons of DNS names.
.INDENT 7.0
.INDENT 3.5
.IP "Enterprise Feature"
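Review bot: The entry describes --kmipServerName as a "Hostname or IP address", but the added text says that versions before 4.2 compare only DNS names in the SAN. Say what an operator on an earlier version should expect when the value is an IP address (no match and a failed connection, or a fallback to CN). "In previous versions, MongoDB only supports" should be past tense.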
@@ -2841,6 +3831,63 @@ Available in MongoDB Enterprise only.
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-kmipClientCertificateSelector <string>
+New in version 4.0: Available on Windows and macOS as an alternative to
+\fI\%\-\-kmipClientCertificateFile\fP\&.
+.sp
+\fI\%\-\-kmipClientCertificateFile\fP and \fI\%\-\-kmipClientCertificateSelector\fP options are mutually exclusive. You can only
+specify one.
+
+.sp
+Specifies a certificate property in order to select a matching
+certificate from the operating system\(aqs certificate store to
+authenticate MongoDB to the KMIP server.
+.sp
+\fI\%\-\-kmipClientCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
+where the property can be one of the following:
+.TS
+center;
+|l|l|l|.
+_
+T{
+Property
+T} T{
+Value type
+T} T{
+Description
+T}
+_
+T{
+\fBsubject\fP
+T} T{
+ASCII string
+T} T{
+Subject name or common name on certificate
+T}
+_
+T{
+\fBthumbprint\fP
+T} T{
+hex string
+T} T{
+A sequence of bytes, expressed as hexadecimal, used to
+identify a public key by its SHA\-1 digest.
+.sp
+The \fBthumbprint\fP is sometimes referred to as a
+\fBfingerprint\fP\&.
+T}
+_
+.TE
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-kmipClientCertificateFile <string>
New in version 3.2.
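Review bot: The new --kmipClientCertificateSelector entry does not say whether a kmipServerName must be provided, while the --kmipClientCertificateFile entry right after it does ("Requires that a kmipServerName be provided"). Add the same requirement here if it applies. The property table is now a third verbatim copy of the one under the two ssl selector options, so consider a shared include in the source so the copies cannot drift.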
@@ -2848,6 +3895,15 @@ New in version 3.2.
String containing the path to the client certificate used for
authenticating MongoDB to the KMIP server. Requires that a
\fBkmipServerName\fP be provided.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in 4.0, on macOS or Windows, you can use a certificate
+from the operating system\(aqs secure store instead of a PEM key
+file. See \fI\%\-\-kmipClientCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
.INDENT 7.0
.INDENT 3.5
.IP "Enterprise Feature"
@@ -2882,28 +3938,20 @@ New in version 3.2.
.sp
Path to CA File. Used for validating secure client connection to
KMIP server.
-.UNINDENT
-.SS Text Search Options
-.INDENT 0.0
-.TP
-.B \-\-basisTechRootDirectory <path>
-New in version 3.2.
-
.sp
-Specify the root directory of the Basis Technology Rosette
-Linguistics Platform installation to support additional languages for
-text search operations.
+\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-.IP "Enterprise Feature"
-.sp
-Available in MongoDB Enterprise only.
+Starting in 4.0, on macOS or Windows, you can use a certificate
+from the operating system\(aqs secure store instead of a PEM key
+file. See \fI\%\-\-kmipClientCertificateSelector\fP\&. When using the secure store, you do not
+need to, but can, also specify the \fI\%\-\-kmipServerCAFile\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2018
+2008-2019
.\" Generated by docutils manpage writer.
.
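Review bot: The NOTE added to --kmipServerCAFile talks about using the secure store "instead of a PEM key file", but this option is a CA file, and the text does not say what validates the KMIP server's certificate when --kmipServerCAFile is omitted. Reword it for the CA case and name the trust source used in its absence. The same hunk deletes the whole Text Search Options section (--basisTechRootDirectory) with no removal or deprecation notice; confirm that is intended and record it in the commit message.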
diff --git a/debian/mongodump.1 b/debian/mongodump.1
index e1a3b0ed1ab..317550be310 100644
--- a/debian/mongodump.1
+++ b/debian/mongodump.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGODUMP" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
+.TH "MONGODUMP" "1" "Jul 25, 2019" "4.2" "mongodb-manual"
.SH NAME
mongodump \- MongoDB Data Dump Utility
.
@@ -35,6 +35,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.IP \(bu 2
\fI\%Synopsis\fP
.IP \(bu 2
+\fI\%Syntax\fP
+.IP \(bu 2
\fI\%Behavior\fP
.IP \(bu 2
\fI\%Required Access\fP
@@ -45,9 +47,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.UNINDENT
.INDENT 0.0
.INDENT 3.5
-.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.IP "macOS Sierra and Go 1.6 Incompatibility"
.sp
-Users running on Mac OSX Sierra require the 3.2.10 or newer version
+Users running on macOS Sierra require the 3.2.10 or newer version
of mongodump\&.
.UNINDENT
.UNINDENT
@@ -64,90 +66,310 @@ standalone. However, the use of \fI\%mongodump\fP and
\fBmongorestore\fP as a backup strategy can be problematic for
sharded clusters and replica sets.
.sp
+For an overview of \fI\%mongodump\fP in conjunction with
+\fBmongorestore\fP part of a backup and recovery strategy, see:
+.INDENT 0.0
+.IP \(bu 2
+/tutorial/backup\-and\-restore\-tools
+.IP \(bu 2
+/tutorial/backup\-sharded\-cluster\-with\-database\-dumps
+.IP \(bu 2
+/core/backups
+.UNINDENT
+.SH SYNTAX
+.sp
Run \fI\%mongodump\fP from the system command line, not the \fBmongo\fP shell.
+.INDENT 0.0
+.INDENT 3.5
.sp
-For an overview of \fI\%mongodump\fP in conjunction with
-\fBmongorestore\fP part of a backup and recovery strategy, see
-/tutorial/backup\-and\-restore\-tools\&.
+.nf
+.ft C
+mongodump [options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Connect to a MongoDB Instance
.sp
-\fBSEE ALSO:\fP
+To connect to a local MongoDB instance running on port 27017 and use
+the default settings to export the content, run
+\fI\%mongodump\fP without any command\-line options:
.INDENT 0.0
.INDENT 3.5
-\fBmongorestore\fP,
-/tutorial/backup\-sharded\-cluster\-with\-database\-dumps
-and /core/backups\&.
+.sp
+.nf
+.ft C
+mongodump
+.ft P
+.fi
.UNINDENT
.UNINDENT
-.SH BEHAVIOR
-.SS Data Exclusion
.sp
-\fI\%mongodump\fP excludes the content of the \fBlocal\fP database in its output.
+To specify a host and/or port of the MongoDB instance, you can either:
+.INDENT 0.0
+.IP \(bu 2
+Specify the hostname and port in the \fI\%\-\-uri connection string\fP:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-uri "mongodb://mongodb0.example.com:27017" [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+Specify the hostname and port in the \fI\%\-\-host\fP:
+.INDENT 2.0
+.INDENT 3.5
.sp
-\fI\%mongodump\fP only captures the documents in the database in its
-backup data and does not include index data. \fBmongorestore\fP or
-\fBmongod\fP must then rebuild the indexes after restoring data.
+.nf
+.ft C
+mongodump \-\-host "mongodb0.example.com:27017" [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+Specify the hostname and port in the \fI\%\-\-host\fP and \fI\%\-\-port\fP:
+.INDENT 2.0
+.INDENT 3.5
.sp
-Changed in version 3.4: MongoDB 3.4 added support for
-read\-only views\&. By default,
-\fI\%mongodump\fP only captures a view’s metadata: it does not
-create a binary export of the documents included in the view. To
-capture the documents in a view use \fI\%\-\-viewsAsCollections\fP\&.
-
-.SS Read Preference
-.SS Replica Sets
+.nf
+.ft C
+mongodump \-\-host "mongodb0.example.com" \-\-port 27017 [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
.sp
-Changed in version 3.2.0: The choice of target or targets for the \fI\%\-\-host\fP
-parameter affects the read preference of \fI\%mongodump\fP
-when connecting to a replica set.
+For more information on the options available, see \fI\%Options\fP\&.
+.SS Connect to a Replica Set
+.sp
+To connect to a replica set to export its data, you can either:
.INDENT 0.0
.IP \(bu 2
-If the string passed to \fB\-\-host\fP is prefixed by the replica set name,
-\fI\%mongodump\fP reads from the \fBprimary\fP replica set
-member by default. For example:
+Specify the replica set name and members in the \fI\%\-\-uri connection string\fP:
.INDENT 2.0
.INDENT 3.5
.sp
.nf
.ft C
-\-\-host "replSet/rep1.example.net:27017,rep2.example.net:27017,rep3.example.net:27017"
+mongodump \-\-uri "mongodb://mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com:27017/?replicaSet=myReplicaSetName" [additional options]
.ft P
.fi
.UNINDENT
.UNINDENT
.IP \(bu 2
-If the string passed to \fB\-\-host\fP contains a list of
-\fBmongod\fP instances, but does not include the replica set
-name as a prefix to the host string, \fI\%mongodump\fP
-reads from the \fBnearest\fP node by default. For example:
+Specify the replica set name and members in the \fI\%\-\-host\fP:
.INDENT 2.0
.INDENT 3.5
.sp
.nf
.ft C
-\-\-host "rep1.example.net:27017,rep2.example.net:27017,rep3.example.net:27017"
+mongodump \-\-host "myReplicaSetName/mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com" [additional options]
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
-
-.SS Sharded Clusters
.sp
-Changed in version 3.0.5: For a sharded cluster where the shards are replica sets,
-\fI\%mongodump\fP no longer prefers reads from secondary
-members when run against the \fBmongos\fP instance.
-
+By default, \fI\%mongodump\fP reads from the primary of the
+replica set. To override the default, you can specify the read
+preference:
+.INDENT 0.0
+.IP \(bu 2
+You can specify the read preference in the
+\fI\%\-\-uri connection string\fP
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-uri "mongodb://mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com:27017/?replicaSet=myReplicaSetName&readPreference=secondary" [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If specifying the read preference tags, include the
+\fBreadPreferenceTags\fP option:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-uri "mongodb://mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com:27017/?replicaSet=myReplicaSetName&readPreference=secondary&readPreferenceTags=region:east" [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+You can specify the read preference in using the
+\fI\%\-\-readPreference\fP command\-line
+option. The command\-line option takes a string if specifying only the read preference mode:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-host "myReplicaSetName/mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com:27017" \-\-readPreference secondary [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Or, the command\-line option can takes a quote\-enclosed document
+\fB\(aq{ mode: <mode>, tagSets: [ <tag1>, ... ], maxStalenessSeconds:<num>}\(aq\fP
+to specify the mode, the optional read preference tag
+sets, and the optional
+maxStalenessSeconds:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-host "myReplicaSetName/mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com:27017" \-\-readPreference \(aq{mode: "secondary", tagSets: [ { "region": "east" } ]}\(aq [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+For more information on the options available, see \fI\%Options\fP\&.
+.SS Connect to a Sharded Cluster
+.sp
+To connect to a sharded cluster to export its data, you can either:
+.INDENT 0.0
+.IP \(bu 2
+Specify the hostname of the \fBmongos\fP instance in the
+\fI\%\-\-uri connection string\fP
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-uri "mongodb://mongos0.example.com:27017" [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+Specify the hostname and port of the \fBmongos\fP instance in the \fI\%\-\-host\fP
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-host "mongos0.example.com:27017" [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+By default, \fI\%mongodump\fP reads from the primary of the
+shard replica set. To override the default, you can specify the read
+preference:
+.INDENT 0.0
+.IP \(bu 2
+You can specify the read preference in the
+\fI\%\-\-uri connection string\fP
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-uri "mongodb://mongos0.example.com:27017/?readPreference=secondary" [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If specifying the read preference tags, include the
+\fBreadPreferenceTags\fP option:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-uri "mongodb://mongos0.example.com:27017/?readPreference=secondary&readPreferenceTags=region:east" [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+You can specify the read preference in using the
+\fI\%\-\-readPreference\fP command\-line
+option. The command\-line option takes a string if specifying only the read preference mode:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-host "mongos0.example.com:27017" \-\-readPreference secondary [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.sp
-For sharded clusters, specify the hostname of a \fBmongos\fP
-for the \fB\-\-host\fP option.
-\fI\%mongodump\fP reads from the \fBprimary\fP replica set
-member on each shard replica set in the cluster.
+Or, the command\-line option can takes a quote\-enclosed document
+\fB\(aq{ mode: <mode>, tagSets: [ <tag1>, ... ], maxStalenessSeconds: <num>}\(aq\fP
+to specify the mode, the optional read preference tag
+sets, and the optional
+maxStalenessSeconds:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-host "mongos0.example.com:27017" \-\-readPreference \(aq{mode: "secondary", tagSets: [ { "region": "east" } ]}\(aq [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
.sp
-Unsharded collections in a sharded cluster are stored on a
-primary shard\&.
-\fI\%mongodump\fP reads from the primary replica set member on
-the primary shard for any unsharded collections. Note: each
-database has its own primary shard.
+For more information on the options available, see \fI\%Options\fP\&.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 0.0
+.INDENT 3.5
+\fI\%Examples\fP
+.UNINDENT
+.UNINDENT
+.SH BEHAVIOR
+.SS Read Preference
+.sp
+By default, \fI\%mongodump\fP uses read preference
+\fBprimary\fP\&. To override the default, you can specify the
+read preference in the
+\fI\%\-\-readPreference\fP command\-line
+option or in the \fI\%\-\-uri connection string\fP\&.
+.sp
+Starting in version 4.2, if you specify read preference in the URI
+string and the \fI\%\-\-readPreference\fP
+option, the \fI\%\-\-readPreference\fP
+value overrides the read preference specified in the URI string.
+.sp
+In earlier versions, the two options are incompatible.
+.SS Data Exclusion
+.sp
+\fI\%mongodump\fP excludes the content of the \fBlocal\fP database in its output.
+.sp
+\fI\%mongodump\fP output only captures the documents in the
+database and does not include index data. \fBmongorestore\fP
+or \fBmongod\fP must then rebuild the indexes after restoring
+data.
+.sp
+Changed in version 3.4: MongoDB 3.4 added support for
+read\-only views\&. By default,
+\fI\%mongodump\fP only captures a view\(aqs metadata: it does not
+create a binary export of the documents included in the view. To
+capture the documents in a view use \fI\%\-\-viewsAsCollections\fP\&.
+
.SS Overwrite Files
.sp
\fI\%mongodump\fP overwrites output files if they exist in the
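Review bot: In the "Connect to a Replica Set" --host example, the third member is given as mongodb2.example.com without a port while the other two carry :27017, and every other example in the section lists the port on all three. Add :27017 for consistency. Both read preference subsections say "can takes a quote-enclosed document" and "in using the --readPreference"; fix to "can take" and "using". The document template is written maxStalenessSeconds:<num> in one copy and maxStalenessSeconds: <num> in the other.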
@@ -165,6 +387,14 @@ WiredTiger storage engine,
\fI\%mongodump\fP can adversely affect performance of the
\fBmongod\fP\&. If your data is larger than system memory, the
\fI\%mongodump\fP will push the working set out of memory.
+.SS FIPS
+.sp
+Starting in version 4.2, MongoDB removes the \fB\-\-sslFIPSMode\fP
+option for mongodump\&. mongodump
+will use FIPS compliant connections to
+\fBmongod\fP/\fBmongos\fP if the
+\fBmongod\fP/\fBmongos\fP instances are
+configured to use FIPS mode\&.
.SH REQUIRED ACCESS
.sp
To run \fI\%mongodump\fP against a MongoDB deployment that has
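Review bot: The new FIPS section says --sslFIPSMode is removed for mongodump but not what happens to existing invocations that still pass it (rejected as an unknown option, or accepted and ignored). State that behaviour, since backup scripts written for 4.0 are the likely readers. It would also help to say how an operator can confirm the connection is FIPS compliant, given that this now depends entirely on the mongod/mongos configuration.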
@@ -231,50 +461,55 @@ New in version 3.4.6.
.sp
Specify a resolvable URI
-connection string for the \fBmongod\fP to which to
-connect.
-.sp
-The following is the standard
-URI connection scheme:
+connection string (enclose in quotes) to connect to the MongoDB deployment.
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
-mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+\-\-uri "mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-For detailed explanations of the components of this string, refer to
-the
-Connection String URI Format
-documentation.
+For information on the components of the connection string, see
+the Connection String URI Format documentation.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL options, use the command\-line options instead of the
+URI options for TLS/SSL (Available starting in
+4.2)\&.
+.UNINDENT
+.UNINDENT
.sp
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
-The following \fI\%mongodump\fP options are incompatible with the
-\fB\-\-uri\fP option. Instead, specify these options as part of your
-\fB\-\-uri\fP connection string when applicable:
+The following command\-line options cannot be used in conjunction
+with \fI\%\-\-uri\fP option:
.INDENT 0.0
.IP \(bu 2
-\fB\-\-host\fP
+\fI\%\-\-host\fP
.IP \(bu 2
-\fB\-\-port\fP
+\fI\%\-\-port\fP
.IP \(bu 2
-\fB\-\-db\fP
+\fI\%\-\-db\fP
.IP \(bu 2
-\fB\-\-username\fP
+\fI\%\-\-username\fP
.IP \(bu 2
-\fB\-\-password\fP (when specifying the password as part of the
-URI connection string)
+\fI\%\-\-password\fP (if the
+URI connection string also includes the password)
.IP \(bu 2
-\fB\-\-authenticationDatabase\fP
+\fI\%\-\-authenticationDatabase\fP
.IP \(bu 2
-\fB\-\-authenticationMechanism\fP
+\fI\%\-\-authenticationMechanism\fP
.UNINDENT
+.sp
+Instead, specify these options as part of your \fI\%\-\-uri\fP
+connection string.
.UNINDENT
.UNINDENT
.UNINDENT
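Review bot: With "Instead, specify these options as part of your --uri connection string." moved below the list, the page now directs users to put --username and --password into a quoted URI on the command line with no note about credential exposure. A command-line URI containing username:password@ is visible in the process list and in shell history; suggest a sentence here pointing to the password prompt described under --password, and saying whether the prompt is available when the URI carries only the username. Also, "with --uri option" needs an article ("with the --uri option").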
@@ -295,19 +530,39 @@ the following:
.sp
.nf
.ft C
-<replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
+\-\-host <replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-You can always connect directly to a single MongoDB instance by
-specifying the host and port number directly.
+When specifying the replica set list format, \fBmongodump\fP always connects to
+the primary\&.
+.sp
+You can also connect to any single member of the replica set by specifying
+the host and port of only that member:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-host <hostname1><:port>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.sp
Changed in version 3.0.0: If you use IPv6 and use the \fB<address>:<port>\fP format, you must
enclose the portion of an address and port combination in
brackets (e.g. \fB[<address>]\fP).
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-host\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
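Review bot: "When specifying the replica set list format, mongodump always connects to the primary" conflicts with the --readPreference text later in this file, which only makes primary the default and shows "--readPreference secondary". Suggest "connects to the primary by default", or an explicit statement of how --host and --readPreference interact. The copy of this sentence in debian/mongoexport.1 has the same problem: its own Connect to a Replica Set example combines --host "myReplicaSetName/..." with --readPreference secondary.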
@@ -316,6 +571,13 @@ brackets (e.g. \fB[<address>]\fP).
.sp
Specifies the TCP port on which the MongoDB instance listens for
client connections.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-port\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -350,13 +612,17 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
from the Certificate Authority. Specify the file name of the
\fB\&.pem\fP file using relative or absolute paths.
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
-specified and you are not using x.509 authentication, the
-system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+Starting in version 3.4, if \fB\-\-tlsCAFile\fP/\fBnet.tls.CAFile\fP (or
+their aliases \fB\-\-sslCAFile\fP/\fBnet.ssl.CAFile\fP) is not specified
+and you are not using x.509 authentication, the system\-wide CA
+certificate store will be used when connecting to an TLS/SSL\-enabled
+server.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
.sp
\fBWARNING:\fP
.INDENT 7.0
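Review bot: In the x.509 paragraph, "--net.tls.certificateSelector" carries a command-line "--" prefix on what is a configuration-file setting; the ssl alias two lines later is written "net.ssl.certificateSelector" without it. Drop the prefix so the two forms match. The rewritten first paragraph also keeps "an TLS/SSL-enabled server", which should be "a TLS/SSL-enabled server". The identical hunk in debian/mongoexport.1 needs the same changes.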
@@ -441,19 +707,23 @@ the use of invalid certificates. When using the
warning the use of the invalid certificate.
.sp
Starting in MongoDB 4.0, if you specify
-\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
-true\fP when using x.509 authentication, an invalid certificate is
-only sufficient to establish a TLS/SSL connection but is
-\fIinsufficient\fP for authentication.
+\fB\-\-sslAllowInvalidCertificates\fP or
+\fBnet.ssl.allowInvalidCertificates: true\fP (or in MongoDB 4.2, the
+alias \fB\-\-tlsAllowInvalidateCertificates\fP or
+\fBnet.tls.allowInvalidCertificates: true\fP) when using x.509
+authentication, an invalid certificate is only sufficient to
+establish a TLS/SSL connection but is \fIinsufficient\fP for
+authentication.
+.sp
+# We created a separate blurb for tls in the ssl\-clients page.
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-For TLS/SSL connections to \fBmongod\fP and
-\fBmongos\fP, avoid using
-\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
-\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
-not possible.
+Although available, avoid using the
+\fB\-\-sslAllowInvalidCertificates\fP option if possible. If the use of
+\fB\-\-sslAllowInvalidCertificates\fP is necessary, only use the option
+on systems where intrusion is not possible.
.sp
If the \fBmongo\fP shell (and other
mongodb\-tools\-support\-ssl) runs with the
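Review bot: Two defects in the added lines. The alias is spelled "--tlsAllowInvalidateCertificates" while the setting beside it is "net.tls.allowInvalidCertificates", so one of the two is misspelled (presumably the flag should read --tlsAllowInvalidCertificates). And "# We created a separate blurb for tls in the ssl-clients page." is an authoring comment that will render as body text in the man page; it should be deleted from the source. The rewritten WARNING also names only --sslAllowInvalidCertificates although the preceding paragraph introduces a tls alias; mention both or neither.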
@@ -463,7 +733,9 @@ mongodb\-tools\-support\-ssl) will not attempt to validate
the server certificates. This creates a vulnerability to expired
\fBmongod\fP and \fBmongos\fP certificates as
well as to foreign processes posing as valid
-\fBmongod\fP or \fBmongos\fP instances.
+\fBmongod\fP or \fBmongos\fP instances. If you
+only need to disable the validation of the hostname in the
+TLS/SSL certificates, see \fB\-\-sslAllowInvalidHostnames\fP\&.
.UNINDENT
.UNINDENT
.sp
@@ -487,58 +759,56 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslFIPSMode
-New in version 2.6.
-
-.sp
-Directs the \fBmongodump\fP to use the FIPS mode of the installed OpenSSL
-library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\%\-\-sslFIPSMode\fP option.
+.B \-\-username <username>, \-u <username>
+Specifies a username with which to authenticate to a MongoDB database
+that uses authentication. Use in conjunction with the \fI\%\-\-password\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-FIPS\-compatible TLS/SSL is
-available only in \fI\%MongoDB Enterprise\fP\&. See
-/tutorial/configure\-fips for more information.
-.UNINDENT
+You cannot specify both \fI\%\-\-username\fP and \fI\%\-\-uri\fP\&.
.UNINDENT
.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-username <username>, \-u <username>
-Specifies a username with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-password\fP and
-\fB\-\-authenticationDatabase\fP options.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-password <password>, \-p <password>
Specifies a password with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-username\fP and
-\fB\-\-authenticationDatabase\fP options.
-.sp
-Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongodump\fP returns
-an error.
-
+that uses authentication. Use in conjunction with the \fI\%\-\-username\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
-Changed in version 3.0.2: If you wish \fBmongodump\fP to prompt the user
+Changed in version 3.0.2: To prompt the user
for the password, pass the \fI\%\-\-username\fP option without
\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
as in \fB\-\-password ""\fP .
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-password\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-authenticationDatabase <dbname>
-Specifies the database in which the user is created.
+Specifies the authentication database where the specified \fI\%\-\-username\fP has been created.
See user\-authentication\-database\&.
.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationDatabase\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
If you do not specify an authentication database, \fBmongodump\fP
-assumes that the database specified to export holds the user’s credentials.
+assumes that the database specified to export holds the user\(aqs credentials.
.sp
If you do not specify an authentication database or a database to
-export, \fBmongodump\fP assumes the \fBadmin\fP database holds the user’s
+export, \fBmongodump\fP assumes the \fBadmin\fP database holds the user\(aqs
credentials.
.UNINDENT
.INDENT 0.0
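Review bot: The new NOTE under --password, "You cannot specify both --password and --uri", is unconditional, but the --uri section earlier in this patch restricts the conflict to the case where "the URI connection string also includes the password". One of the two needs to change so readers know whether a URI without a password can be combined with --password or with the prompt. This hunk also deletes the "Changed in version 3.0.0" sentence about --password without an argument returning an error; if that behaviour still holds, keep it, since the surviving 3.0.2 text only covers the prompt case.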
@@ -608,6 +878,13 @@ passwords in plain text. This mechanism is available only in
T}
_
.TE
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationMechanism\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -637,6 +914,13 @@ This option is available only in MongoDB Enterprise.
Specifies a database to backup. If you do not specify a database,
\fI\%mongodump\fP copies all databases in this instance into the dump
files.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-db\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -651,7 +935,7 @@ to the dump files.
Provides a JSON document as a query that optionally limits the
documents included in the output of \fI\%mongodump\fP\&.
.sp
-You must enclose the query in single quotes (e.g. \fB\(aq\fP) to ensure that it does
+You must enclose the query document in single quotes (\fB\(aq{ ... }\(aq\fP) to ensure that it does
not interact with your shell environment.
.UNINDENT
.INDENT 0.0
@@ -663,21 +947,55 @@ New in version 3.2.
Specifies the path to a file containing a JSON document as a query
filter that limits the documents included in the output of
\fI\%mongodump\fP\&. \fI\%\-\-queryFile\fP enables you to create query filters that
-are too large to fit in your terminal’s buffer.
+are too large to fit in your terminal\(aqs buffer.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-readPreference <string>
-Specify the read preference for
-\fBmongodump\fP\&.
+.B \-\-readPreference <string|document>
+\fIDefault\fP: \fBprimary\fP
.sp
-See replica\-set\-read\-preference\-modes\&.
+Specifies the read preference for
+\fBmongodump\fP\&. The \fI\%\-\-readPreference\fP option can take:
+.INDENT 7.0
+.IP \(bu 2
+A string if specifying only the read preference mode:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-readPreference secondary
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+A quote\-enclosed document to specify the mode, the optional
+read preference tag sets, and the
+optional maxStalenessSeconds:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-readPreference \(aq{mode: "secondary", tagSets: [ { "region": "east" } ], maxStalenessSeconds: 120}\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If specifying the maxStalenessSeconds, the value must be greater than or equal to 90.
+.sp
+New in version 4.2.
+
+.UNINDENT
.sp
\fBmongodump\fP defaults to \fBprimary\fP
-read preference when connected to a
-\fBmongos\fP or a replica set\&.
+read preference\&.
.sp
-Otherwise, \fBmongodump\fP defaults to \fBnearest\fP\&.
+Starting in version 4.2, if the read
+preference is also included in the \fI\%\-\-uri connection string\fP, the command\-line \fI\%\-\-readPreference\fP overrides the read preference
+specified in the URI string.
.sp
\fBWARNING:\fP
.INDENT 7.0
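Review bot: The paragraph "Starting in version 4.2 ... the command-line --readPreference overrides the read preference specified in the URI string" does not say what happens before 4.2; the matching paragraph added to debian/mongoexport.1 ends with "In earlier versions, the two options are incompatible." Add the same sentence here if it applies to mongodump. "New in version 4.2." is also placed inside the second bullet, so it is unclear whether it covers the document form as a whole or only maxStalenessSeconds, and the default is now stated twice ("Default: primary" and "mongodump defaults to primary read preference").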
@@ -687,39 +1005,20 @@ Using a read preference other than
inconsistencies, duplicates, or result in missed documents.
.UNINDENT
.UNINDENT
-.sp
-See \fI\%Read Preference\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-forceTableScan
-Forces \fI\%mongodump\fP to scan the data store directly: typically,
-\fI\%mongodump\fP saves entries as they appear in the index of
-the \fB_id\fP field. If you specify a query \fI\%\-\-query\fP,
-\fBmongodump\fP will use the most appropriate index to support that query.
-.sp
-Use \fI\%\-\-forceTableScan\fP to skip the index and scan the data directly. Typically
-there are two cases where this behavior is preferable to the
-default:
-.INDENT 7.0
-.IP 1. 3
-If you have key sizes over 800 bytes that would not be present in the
+By default, \fBmongodump\fP uses the \fB_id\fP index when scanning
+collections with that index is available (e.g.
+3.4\-reference\-views do not have any indexes). Specify \fI\%\-\-forceTableScan\fP
+to direct \fBmongodump\fP to scan collection data without the use of the
\fB_id\fP index.
-.IP 2. 3
-Your database uses a custom \fB_id\fP field.
-.UNINDENT
.sp
-When you run with \fI\%\-\-forceTableScan\fP, the dump produced by
-\fI\%mongodump\fP can reflect the state of the database at many
-different points in time.
+\fI\%\-\-forceTableScan\fP does not ensure a point\-in\-time snapshot. Use
+\fI\%\-\-oplog\fP to create a point\-in\-time snapshot.
.sp
-\fBIMPORTANT:\fP
-.INDENT 7.0
-.INDENT 3.5
-Use \fI\%\-\-forceTableScan\fP with extreme caution and
-consideration.
-.UNINDENT
-.UNINDENT
+You cannot use \fI\%\-\-forceTableScan\fP with the \fI\%\-\-query\fP option.
.UNINDENT
.INDENT 0.0
.TP
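Review bot: The replacement text for --forceTableScan has a broken first sentence ("when scanning collections with that index is available") and leaks an unresolved reference label ("3.4-reference-views do not have any indexes"), which should render as "views". It also introduces a new restriction, "You cannot use --forceTableScan with the --query option", where the old text described --query as merely selecting a different index; say since which version the combination is disallowed so that owners of existing backup scripts can tell whether they are affected.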
@@ -743,7 +1042,7 @@ BSON files for the dumped databases. By default,
\fI\%mongodump\fP saves output files in a directory named
\fBdump\fP in the current working directory.
.sp
-To send the database dump to standard output, specify “\fB\-\fP” instead of
+To send the database dump to standard output, specify "\fB\-\fP" instead of
a path. Write to standard output if you want process the output before
saving it, such as to use \fBgzip\fP to compress the dump. When writing
standard output, \fI\%mongodump\fP does not write the metadata that
@@ -774,34 +1073,6 @@ You cannot use the \fB\-\-archive\fP option with the
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-repair
-.
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-When repairing a database, you should use \fBmongod \-\-repair\fP
-rather than this option. For instructions on repairing a database,
-refer to
-/tutorial/recover\-data\-following\-unexpected\-shutdown\&.
-.UNINDENT
-.UNINDENT
-.sp
-Changes the behavior of \fBmongodump\fP to only write valid data and
-exclude data that may be in an invalid state as a result of an
-improper shutdown or \fBmongod\fP crash.
-.sp
-\fI\%\-\-repair\fP is different from \fBmongod \-\-repair\fP, and may produce
-a large amount of duplicate documents. It is only available for use
-against \fBmongod\fP instances using the \fBmmapv1\fP storage
-engine. You cannot run \fI\%\-\-repair\fP against \fBmongos\fP, or against
-\fBmongod\fP instances that use the \fBwiredTiger\fP storage
-engine.
-.sp
-For instructions on repairing a database, refer to
-/tutorial/recover\-data\-following\-unexpected\-shutdown\&.
-.UNINDENT
-.INDENT 0.0
-.TP
.B \-\-oplog
Creates a file named \fBoplog.bson\fP as part of the
\fI\%mongodump\fP output. The \fBoplog.bson\fP file, located in
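Review bot: --repair is deleted here with no trace, whereas the removal of --sslFIPSMode in this same patch gets a "Starting in version 4.2, MongoDB removes ..." paragraph. Suggest a one-line removal notice for --repair as well, keeping the pointer to mongod --repair that the deleted NOTE contained, so that users searching the page for the old option find the replacement.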
@@ -852,7 +1123,7 @@ if you use any of the following options to limit the data to be dumped:
.INDENT 0.0
.TP
.B \-\-dumpDbUsersAndRoles
-Includes user and role definitions in the database’s dump directory
+Includes user and role definitions in the database\(aqs dump directory
when performing \fI\%mongodump\fP on a specific database. This
option applies only when you specify a database in the
\fI\%\-\-db\fP option. MongoDB always includes user and role
@@ -898,8 +1169,8 @@ produce a BSON file containing the documents in the view. If you
restored as a collection\&.
.sp
If you do \fInot\fP include \fI\%\-\-viewsAsCollections\fP,
-\fBmongodump\fP captures each view’s metadata. If you include a
-view’s metadata file in a \fBmongorestore\fP operation, the view
+\fBmongodump\fP captures each view\(aqs metadata. If you include a
+view\(aqs metadata file in a \fBmongorestore\fP operation, the view
is recreated.
.UNINDENT
.SH EXAMPLES
@@ -1028,6 +1299,6 @@ mongodump \-\-archive=test.20150715.gz \-\-gzip \-\-db test
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2018
+2008-2019
.\" Generated by docutils manpage writer.
.
diff --git a/debian/mongoexport.1 b/debian/mongoexport.1
index 80decfae323..cbab4dc4ffb 100644
--- a/debian/mongoexport.1
+++ b/debian/mongoexport.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGOEXPORT" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
+.TH "MONGOEXPORT" "1" "Jul 25, 2019" "4.2" "mongodb-manual"
.SH NAME
mongoexport \- MongoDB Export Utility
.
@@ -35,35 +35,345 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.IP \(bu 2
\fI\%Synopsis\fP
.IP \(bu 2
-\fI\%Considerations\fP
+\fI\%Syntax\fP
.IP \(bu 2
\fI\%Required Access\fP
.IP \(bu 2
-\fI\%Read Preference\fP
+\fI\%Behavior\fP
.IP \(bu 2
\fI\%Options\fP
.IP \(bu 2
-\fI\%Use\fP
+\fI\%Examples\fP
.UNINDENT
.INDENT 0.0
.INDENT 3.5
-.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.IP "macOS Sierra and Go 1.6 Incompatibility"
.sp
-Users running on Mac OSX Sierra require the 3.2.10 or newer version
+Users running on macOS Sierra require the 3.2.10 or newer version
of mongoexport\&.
.UNINDENT
.UNINDENT
.SH SYNOPSIS
.sp
-\fI\%mongoexport\fP is a utility that produces a JSON or CSV export
-of data stored in a MongoDB instance.
-.sp
-See the mongoimport document for more
-information regarding the \fBmongoimport\fP utility, which
-provides the inverse “importing” capability.
+\fI\%mongoexport\fP is a command\-line tool that produces a JSON
+or CSV export of data stored in a MongoDB instance.
.sp
Run \fI\%mongoexport\fP from the system command line, not the \fBmongo\fP shell.
-.SH CONSIDERATIONS
+.sp
+\fBSEE ALSO:\fP
+.INDENT 0.0
+.INDENT 3.5
+\fBmongoimport\fP which provides the corresponding "import"
+capability.
+.UNINDENT
+.UNINDENT
+.SH SYNTAX
+.sp
+\fI\%mongoexport\fP must be run directly from the system command line.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-collection <coll> [options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You must specify the \fI\%collection\fP to
+export. If you do not specify an \fI\%output file\fP, \fI\%mongoexport\fP writes to the standard output (e.g.
+stdout).
+.SS Connect to a MongoDB Instance
+.sp
+To connect to a local MongoDB instance running on port 27017, you do
+not have to specify the host or port.
+.sp
+For example, to export the specified \fI\%collection\fP to the specified \fI\%output file\fP from a local MongoDB instance running on port 27017:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-collection events \-\-db reporting \-\-out events.json
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+To specify a host and/or port of the MongoDB instance, you can either:
+.INDENT 0.0
+.IP \(bu 2
+Specify the hostname and port in the \fI\%\-\-uri connection string\fP:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-uri "mongodb://mongodb0.example.com:27017/reporting" \-\-collection events \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If using the \fI\%\-\-uri connection string\fP,
+specify the database as part of the string. You cannot use the
+command\-line option \fI\%\-\-db\fP in conjunction
+with the \fI\%\-\-uri connection string\fP\&.
+.IP \(bu 2
+Specify the hostname and port in the \fI\%\-\-host\fP:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-host "mongodb0.example.com:27017" \-\-collection events \-\-db reporting \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+Specify the hostname and port in the \fI\%\-\-host\fP and \fI\%\-\-port\fP:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-host "mongodb0.example.com" \-\-port 27017 \-\-collection events \-\-db reporting \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+For more information on the options available, see \fI\%Options\fP\&.
+.SS Connect to a Replica Set
+.sp
+To connect to a replica set to export its data, you can either:
+.INDENT 0.0
+.IP \(bu 2
+Specify the replica set name and members in the \fI\%\-\-uri connection string\fP:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-uri "mongodb://mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com:27017/reporting?replicaSet=myReplicaSetName" \-\-collection events \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If using the \fI\%\-\-uri connection string\fP,
+specify the database as part of the string. You cannot use the
+command\-line option \fI\%\-\-db\fP in conjunction
+with the \fI\%\-\-uri connection string\fP\&.
+.IP \(bu 2
+Specify the replica set name and members in the \fI\%\-\-host\fP:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-host "myReplicaSetName/mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com" \-\-collection events \-\-db reporting \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+By default, \fI\%mongoexport\fP reads from the primary of the
+replica set. To override the default, you can specify the read
+preference:
+.INDENT 0.0
+.IP \(bu 2
+You can specify the read preference in the
+\fI\%\-\-uri connection string\fP
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-uri "mongodb://mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com:27017/reporting?replicaSet=myReplicaSetName&readPreference=secondary" \-\-collection events \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If specifying the read preference tags, include the
+\fBreadPreferenceTags\fP option:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-uri "mongodb://mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com:27017/reporting?replicaSet=myReplicaSetName&readPreference=secondary&readPreferenceTags=region:east" \-\-collection events \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If using the \fI\%\-\-uri connection string\fP,
+specify the database as part of the string. You cannot use the
+command\-line option \fI\%\-\-db\fP in conjunction
+with the \fI\%\-\-uri connection string\fP\&.
+.IP \(bu 2
+You can specify the read preference in using the
+\fI\%\-\-readPreference\fP command\-line
+option. The command\-line option takes a string if specifying only the read preference mode:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-host "myReplicaSetName/mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com:27017" \-\-readPreference secondary \-\-collection events \-\-db reporting \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Or, the command\-line option can takes a quote\-enclosed document
+\fB\(aq{ mode: <mode>, tagSets: [ <tag1>, ... ], maxStalenessSeconds:<num>}\(aq\fP
+to specify the mode, the optional read preference tag
+sets, and the optional
+maxStalenessSeconds:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-host "myReplicaSetName/mongodb0.example.com:27017,mongodb1.example.com:27017,mongodb2.example.com:27017" \-\-readPreference \(aq{mode: "secondary", tagSets: [ { "region": "east" } ]}\(aq \-\-collection events \-\-db reporting \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+For more information on the options available, see \fI\%Options\fP\&.
+.SS Connect to a Sharded Cluster
+.sp
+To connect to a sharded cluster to export its data, you can either:
+.INDENT 0.0
+.IP \(bu 2
+Specify the hostname of the \fBmongos\fP instance in the
+\fI\%\-\-uri connection string\fP
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-uri "mongodb://mongos0.example.com:27017/reporting" \-\-collection events \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If using the \fI\%\-\-uri connection string\fP,
+specify the database as part of the string. You cannot use the
+command\-line option \fI\%\-\-db\fP in conjunction
+with the \fI\%\-\-uri connection string\fP\&.
+.IP \(bu 2
+Specify the hostname and port of the \fBmongos\fP instance in the \fI\%\-\-host\fP
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-host "mongos0.example.com:27017" \-\-collection events \-\-db reporting \-\-out events.json[additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+By default, \fI\%mongoexport\fP reads from the primary of the
+shard replica set. To override the default, you can specify the read
+preference:
+.INDENT 0.0
+.IP \(bu 2
+You can specify the read preference in the
+\fI\%\-\-uri connection string\fP
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-uri "mongodb://mongos0.example.com:27017/reporting?readPreference=secondary" \-\-collection events \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If specifying the read preference tags, include the
+\fBreadPreferenceTags\fP option:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-uri "mongodb://mongos0.example.com:27017/reporting?readPreference=secondary&readPreferenceTags=region:east" \-\-collection events \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If using the \fI\%\-\-uri connection string\fP,
+specify the database as part of the string. You cannot use the
+command\-line option \fI\%\-\-db\fP in conjunction
+with the \fI\%\-\-uri connection string\fP\&.
+.IP \(bu 2
+You can specify the read preference in using the
+\fI\%\-\-readPreference\fP command\-line
+option. The command\-line option takes a string if specifying only the read preference mode:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-host "mongos0.example.com:27017" \-\-readPreference secondary \-\-collection events \-\-db reporting \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Or, the command\-line option can takes a quote\-enclosed document
+\fB\(aq{ mode: <mode>, tagSets: [ <tag1>, ... ], maxStalenessSeconds:<num>}\(aq\fP
+to specify the mode, the optional read preference tag
+sets, and the optional
+maxStalenessSeconds:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-host "mongos0.example.com:27017" \-\-readPreference \(aq{mode: "secondary", tagSets: [ { "region": "east" } ]}\(aq \-\-collection events \-\-db reporting \-\-out events.json [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+For more information on the options available, see \fI\%Options\fP\&.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 0.0
+.INDENT 3.5
+\fI\%Examples\fP
+.UNINDENT
+.UNINDENT
+.SH REQUIRED ACCESS
+.sp
+\fI\%mongoexport\fP requires read access on the target database.
+.sp
+Ensure that the connecting user possesses, at a minimum, the \fBread\fP
+role on the target database.
+.sp
+When connecting to a \fBmongod\fP or \fBmongos\fP that enforces
+/core/authentication, ensure you use the required security
+parameters based on the configured
+authentication mechanism\&.
+.SH BEHAVIOR
+.SS Type Fidelity
.sp
\fBWARNING:\fP
.INDENT 0.0
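Review bot: Several of the new command lines and sentences in the SYNTAX section need fixes before users copy them. The sharded-cluster --host example reads "--out events.json[additional options]" with no space; the first replica-set --host example lists "mongodb2.example.com" without the :27017 that the other two members and the later examples carry; "the command-line option can takes" appears twice; and "You can specify the read preference in using the" has a stray "in". The new opening line "mongoexport must be run directly from the system command line." also repeats what SYNOPSIS already says just above it.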
@@ -77,8 +387,6 @@ kind of functionality.
.UNINDENT
.UNINDENT
.sp
-\fI\%mongoexport\fP must be run directly from the system command line.
-.sp
To preserve type information, \fI\%mongoexport\fP and \fBmongoimport\fP
uses the strict mode representation
for certain types.
@@ -127,34 +435,27 @@ The exported data is in strict mode representation to preserve type information:
.sp
See /reference/mongodb\-extended\-json for a complete list of
these types and the representations used.
-.SH REQUIRED ACCESS
-.sp
-\fI\%mongoexport\fP requires read access on the target database.
-.sp
-Ensure that the connecting user possesses, at a minimum, the \fBread\fP
-role on the target database.
-.sp
-When connecting to a \fBmongod\fP or \fBmongos\fP that enforces
-/core/authentication, ensure you use the required security
-parameters based on the configured
-authentication mechanism\&.
-.SH READ PREFERENCE
-.sp
-\fI\%mongoexport\fP defaults to \fBprimary\fP read
-preference when connected to a \fBmongos\fP
-or a replica set\&.
-.sp
-You can override the default read preference using the
-\fI\%\-\-readPreference\fP option.
-.sp
-\fBIMPORTANT:\fP
-.INDENT 0.0
-.INDENT 3.5
-Using a non\-primary read preference on a \fBmongos\fP may
-produce inconsistencies in data, including duplicates or missing
-documents.
-.UNINDENT
-.UNINDENT
+.SS FIPS
+.sp
+Starting in version 4.2, MongoDB removes the \fB\-\-sslFIPSMode\fP
+option for mongoexport\&. mongoexport
+will use FIPS compliant connections to
+\fBmongod\fP/\fBmongos\fP if the
+\fBmongod\fP/\fBmongos\fP instances are
+configured to use FIPS mode\&.
+.SS Read Preference
+.sp
+By default, \fI\%mongoexport\fP uses read preference
+\fBprimary\fP\&. To override the default, you can specify the
+read preference in the
+\fI\%\-\-readPreference\fP command line
+option or in the \fI\%\-\-uri connection string\fP\&.
+.sp
+Starting in version 4.2, if you specify read preference in the URI
+string and the \fI\%\-\-readPreference\fP, the \fI\%\-\-readPreference\fP value overrides the read preference specified in the
+URI string.
+.sp
+In earlier versions, the two options are incompatible.
.SH OPTIONS
.sp
Changed in version 3.0.0: \fI\%mongoexport\fP removed the \fB\-\-dbpath\fP as well as related
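Review bot: Moving Read Preference under BEHAVIOR drops the IMPORTANT block warning that a non-primary read preference on a mongos "may produce inconsistencies in data, including duplicates or missing documents", while the new SYNTAX section in this file adds several --readPreference secondary examples against mongos. Keep that warning in the new Read Preference subsection so the examples are not read as risk-free.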
@@ -213,50 +514,55 @@ New in version 3.4.6.
.sp
Specify a resolvable URI
-connection string for the \fBmongod\fP to which to
-connect.
-.sp
-The following is the standard
-URI connection scheme:
+connection string (enclose in quotes) to connect to the MongoDB deployment.
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
-mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+\-\-uri "mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-For detailed explanations of the components of this string, refer to
-the
-Connection String URI Format
-documentation.
+For information on the components of the connection string, see
+the Connection String URI Format documentation.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL options, use the command\-line options instead of the
+URI options for TLS/SSL (Available starting in
+4.2)\&.
+.UNINDENT
+.UNINDENT
.sp
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
-The following \fI\%mongoexport\fP options are incompatible with the
-\fB\-\-uri\fP option. Instead, specify these options as part of your
-\fB\-\-uri\fP connection string when applicable:
+The following command\-line options cannot be used in conjunction
+with \fI\%\-\-uri\fP option:
.INDENT 0.0
.IP \(bu 2
-\fB\-\-host\fP
+\fI\%\-\-host\fP
.IP \(bu 2
-\fB\-\-port\fP
+\fI\%\-\-port\fP
.IP \(bu 2
-\fB\-\-db\fP
+\fI\%\-\-db\fP
.IP \(bu 2
-\fB\-\-username\fP
+\fI\%\-\-username\fP
.IP \(bu 2
-\fB\-\-password\fP (when specifying the password as part of the
-URI connection string)
+\fI\%\-\-password\fP (if the
+URI connection string also includes the password)
.IP \(bu 2
-\fB\-\-authenticationDatabase\fP
+\fI\%\-\-authenticationDatabase\fP
.IP \(bu 2
-\fB\-\-authenticationMechanism\fP
+\fI\%\-\-authenticationMechanism\fP
.UNINDENT
+.sp
+Instead, specify these options as part of your \fI\%\-\-uri\fP
+connection string.
.UNINDENT
.UNINDENT
.UNINDENT
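Review bot: The added NOTE "For TLS/SSL options, use the command-line options instead of the URI options for TLS/SSL (Available starting in 4.2)" is ambiguous: the parenthetical can be read as applying to the command-line options, to the URI options, or to the recommendation itself. Reword so that the subject of "Available starting in 4.2" is explicit, and name the command-line options meant. The same NOTE is added to debian/mongodump.1.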
@@ -277,19 +583,39 @@ the following:
.sp
.nf
.ft C
-<replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
+\-\-host <replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-You can always connect directly to a single MongoDB instance by
-specifying the host and port number directly.
+When specifying the replica set list format, \fBmongoexport\fP always connects to
+the primary\&.
+.sp
+You can also connect to any single member of the replica set by specifying
+the host and port of only that member:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-host <hostname1><:port>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.sp
Changed in version 3.0.0: If you use IPv6 and use the \fB<address>:<port>\fP format, you must
enclose the portion of an address and port combination in
brackets (e.g. \fB[<address>]\fP).
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-host\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -298,6 +624,13 @@ brackets (e.g. \fB[<address>]\fP).
.sp
Specifies the TCP port on which the MongoDB instance listens for
client connections.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-port\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -332,13 +665,17 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
from the Certificate Authority. Specify the file name of the
\fB\&.pem\fP file using relative or absolute paths.
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
-specified and you are not using x.509 authentication, the
-system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+Starting in version 3.4, if \fB\-\-tlsCAFile\fP/\fBnet.tls.CAFile\fP (or
+their aliases \fB\-\-sslCAFile\fP/\fBnet.ssl.CAFile\fP) is not specified
+and you are not using x.509 authentication, the system\-wide CA
+certificate store will be used when connecting to an TLS/SSL\-enabled
+server.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
.sp
\fBWARNING:\fP
.INDENT 7.0
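Review bot: In the x.509 paragraph, "--net.tls.certificateSelector" carries a leading "--" although it is written as a configuration-file setting, and its counterpart on the last added line, net.ssl.certificateSelector, has no dashes. Drop the dashes so the two pairs match. The rewrapped phrase "an TLS/SSL-enabled server" could become "a TLS/SSL-enabled server" in the same pass.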
@@ -423,19 +760,23 @@ the use of invalid certificates. When using the
warning the use of the invalid certificate.
.sp
Starting in MongoDB 4.0, if you specify
-\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
-true\fP when using x.509 authentication, an invalid certificate is
-only sufficient to establish a TLS/SSL connection but is
-\fIinsufficient\fP for authentication.
+\fB\-\-sslAllowInvalidCertificates\fP or
+\fBnet.ssl.allowInvalidCertificates: true\fP (or in MongoDB 4.2, the
+alias \fB\-\-tlsAllowInvalidateCertificates\fP or
+\fBnet.tls.allowInvalidCertificates: true\fP) when using x.509
+authentication, an invalid certificate is only sufficient to
+establish a TLS/SSL connection but is \fIinsufficient\fP for
+authentication.
+.sp
+# We created a separate blurb for tls in the ssl\-clients page.
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-For TLS/SSL connections to \fBmongod\fP and
-\fBmongos\fP, avoid using
-\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
-\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
-not possible.
+Although available, avoid using the
+\fB\-\-sslAllowInvalidCertificates\fP option if possible. If the use of
+\fB\-\-sslAllowInvalidCertificates\fP is necessary, only use the option
+on systems where intrusion is not possible.
.sp
If the \fBmongo\fP shell (and other
mongodb\-tools\-support\-ssl) runs with the
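Review bot: The new alias is spelled --tlsAllowInvalidateCertificates ("Invalidate"), which matches neither the setting named beside it, net.tls.allowInvalidCertificates, nor the existing --sslAllowInvalidCertificates. It should read --tlsAllowInvalidCertificates. The added line "# We created a separate blurb for tls in the ssl-clients page." is an authoring comment that will render as a paragraph of its own and should not ship in the man page. The rewritten WARNING still names only the ssl spelling of the option.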
@@ -445,7 +786,9 @@ mongodb\-tools\-support\-ssl) will not attempt to validate
the server certificates. This creates a vulnerability to expired
\fBmongod\fP and \fBmongos\fP certificates as
well as to foreign processes posing as valid
-\fBmongod\fP or \fBmongos\fP instances.
+\fBmongod\fP or \fBmongos\fP instances. If you
+only need to disable the validation of the hostname in the
+TLS/SSL certificates, see \fB\-\-sslAllowInvalidHostnames\fP\&.
.UNINDENT
.UNINDENT
.sp
@@ -469,55 +812,53 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslFIPSMode
-New in version 2.6.
-
-.sp
-Directs the \fBmongoexport\fP to use the FIPS mode of the installed OpenSSL
-library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\%\-\-sslFIPSMode\fP option.
+.B \-\-username <username>, \-u <username>
+Specifies a username with which to authenticate to a MongoDB database
+that uses authentication. Use in conjunction with the \fI\%\-\-password\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-FIPS\-compatible TLS/SSL is
-available only in \fI\%MongoDB Enterprise\fP\&. See
-/tutorial/configure\-fips for more information.
+You cannot specify both \fI\%\-\-username\fP and \fI\%\-\-uri\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-username <username>, \-u <username>
-Specifies a username with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-password\fP and
-\fB\-\-authenticationDatabase\fP options.
-.UNINDENT
-.INDENT 0.0
-.TP
.B \-\-password <password>, \-p <password>
Specifies a password with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-username\fP and
-\fB\-\-authenticationDatabase\fP options.
-.sp
-Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongoexport\fP returns
-an error.
-
+that uses authentication. Use in conjunction with the \fI\%\-\-username\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
-Changed in version 3.0.2: If you wish \fBmongoexport\fP to prompt the user
+Changed in version 3.0.2: To prompt the user
for the password, pass the \fI\%\-\-username\fP option without
\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
as in \fB\-\-password ""\fP .
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-password\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-authenticationDatabase <dbname>
-Specifies the database in which the user is created.
+Specifies the authentication database where the specified \fI\%\-\-username\fP has been created.
See user\-authentication\-database\&.
.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationDatabase\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
If you do not specify an authentication database, \fBmongoexport\fP
-assumes that the database specified to export holds the user’s credentials.
+assumes that the database specified to export holds the user\(aqs credentials.
.UNINDENT
.INDENT 0.0
.TP
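Review bot: The NOTE added under --password says unconditionally "You cannot specify both --password and --uri", but the --uri incompatibility list earlier in this file limits that to the case where "the URI connection string also includes the password". State one rule in both places. This hunk also deletes --sslFIPSMode; confirm mongoexport.1 carries the same FIPS explanation that mongofiles.1 gains under BEHAVIOR, so readers are told what replaces the option.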
@@ -586,6 +927,13 @@ passwords in plain text. This mechanism is available only in
T}
_
.TE
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationMechanism\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -613,6 +961,13 @@ This option is available only in MongoDB Enterprise.
.TP
.B \-\-db <database>, \-d <database>
Specifies the name of the database on which to run the \fBmongoexport\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-db\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -661,11 +1016,11 @@ See \fI\%Use a File to Specify the Fields to Export in CSV Format\fP for sample
.INDENT 0.0
.TP
.B \-\-query <JSON>, \-q <JSON>
-Provides a JSON document as a query that optionally limits
-the documents returned in the export. Specify JSON in strict
+Provides a query as a JSON document (enclosed in quotes) to
+return matching documents in the export. Specify JSON in strict
format\&.
.sp
-You must enclose the query in single quotes (e.g. \fB\(aq\fP) to ensure that it does
+You must enclose the query document in single quotes (\fB\(aq{ ... }\(aq\fP) to ensure that it does
not interact with your shell environment.
.sp
For example, given a collection named \fBrecords\fP in the database
@@ -675,11 +1030,12 @@ For example, given a collection named \fBrecords\fP in the database
.sp
.nf
.ft C
-{ "_id" : ObjectId("51f0188846a64a1ed98fde7c"), "a" : 1 }
-{ "_id" : ObjectId("520e61b0c6646578e3661b59"), "a" : 1, "b" : 2 }
-{ "_id" : ObjectId("520e642bb7fa4ea22d6b1871"), "a" : 2, "b" : 3, "c" : 5 }
-{ "_id" : ObjectId("520e6431b7fa4ea22d6b1872"), "a" : 3, "b" : 3, "c" : 6 }
-{ "_id" : ObjectId("520e6445b7fa4ea22d6b1873"), "a" : 5, "b" : 6, "c" : 8 }
+{ "_id" : ObjectId("51f0188846a64a1ed98fde7c"), "a" : 1, "date" : ISODate("1960\-05\-01T00:00:00Z") }
+{ "_id" : ObjectId("520e61b0c6646578e3661b59"), "a" : 1, "b" : 2, "date" : ISODate("1970\-05\-01T00:00:00Z") }
+{ "_id" : ObjectId("520e642bb7fa4ea22d6b1871"), "a" : 2, "b" : 3, "c" : 5, "date" : ISODate("2010\-05\-01T00:00:00Z") }
+{ "_id" : ObjectId("520e6431b7fa4ea22d6b1872"), "a" : 3, "b" : 3, "c" : 6, "date" : ISODate("2015\-05\-02T00:00:00Z") }
+{ "_id" : ObjectId("520e6445b7fa4ea22d6b1873"), "a" : 5, "b" : 6, "c" : 8, "date" : ISODate("2018\-03\-01T00:00:00Z") }
+{ "_id" : ObjectId("5cd0de910dbce4346295ae28"), "a" : 15, "b" : 5, "date" : ISODate("2015\-03\-01T00:00:00Z") }
.ft P
.fi
.UNINDENT
@@ -687,13 +1043,15 @@ For example, given a collection named \fBrecords\fP in the database
.sp
The following \fI\%mongoexport\fP uses the \fI\%\-q\fP option to
export only the documents with the field \fBa\fP greater than or equal to
-(\fB$gte\fP) to \fB3\fP:
+(\fB$gte\fP) to \fB3\fP and the field \fBdate\fP less than
+\fBISODate("2016\-01\-01T00:00:00Z")\fP (using the strict format
+for dates { "$date": "YYYY\-MM\-DDTHH:mm:ss.mmm<offset>"}):
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
-mongoexport \-d test \-c records \-q \(aq{ a: { $gte: 3 } }\(aq \-\-out exportdir/myRecords.json
+mongoexport \-d test \-c records \-q \(aq{ a: { $gte: 3 }, date: { $lt: { "$date": "2016\-01\-01T00:00:00.000Z" } } }\(aq \-\-out exportdir/myRecords.json
.ft P
.fi
.UNINDENT
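Review bot: The replacement command mixes unquoted keys (a:, $gte:, date:, $lt:) with the quoted "$date", directly under text that says "Specify JSON in strict format". Quote every key so the example meets the stated requirement. The sentence introducing it reads "greater than or equal to ($gte) to 3", with a doubled "to", and the inline { "$date": ... } template is not set in bold like the other literals.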
@@ -705,8 +1063,8 @@ The resulting file contains the following documents:
.sp
.nf
.ft C
-{ "_id" : { "$oid" : "520e6431b7fa4ea22d6b1872" }, "a" : 3, "b" : 3, "c" : 6 }
-{ "_id" : { "$oid" : "520e6445b7fa4ea22d6b1873" }, "a" : 5, "b" : 6, "c" : 8 }
+{"_id":{"$oid":"520e6431b7fa4ea22d6b1872"},"a":3.0,"b":3.0,"c":6.0,"date":{"$date":"2015\-05\-02T00:00:00Z"}}
+{"_id":{"$oid":"5cd0de910dbce4346295ae28"},"a":15.0,"b":5.0,"date":{"$date":"2015\-03\-01T00:00:00Z"}}
.ft P
.fi
.UNINDENT
@@ -791,17 +1149,51 @@ inconsistencies, duplicates, or result in missed documents.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-readPreference <string>
-Specify the read preference for
-\fBmongoexport\fP\&.
+.B \-\-readPreference <string|document>
+\fIDefault\fP: \fBprimary\fP
.sp
-See replica\-set\-read\-preference\-modes\&.
+Specifies the read preference for
+\fBmongoexport\fP\&. The \fI\%\-\-readPreference\fP option can take:
+.INDENT 7.0
+.IP \(bu 2
+A string if specifying only the read preference mode:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-readPreference secondary
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+A quote\-enclosed document to specify the mode, the optional
+read preference tag sets, and the
+optional maxStalenessSeconds:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-readPreference \(aq{mode: "secondary", tagSets: [ { "region": "east" } ], maxStalenessSeconds: 120}\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If specifying the maxStalenessSeconds, the value must be greater than or equal to 90.
+.sp
+New in version 4.2.
+
+.UNINDENT
.sp
\fBmongoexport\fP defaults to \fBprimary\fP
-read preference when connected to a
-\fBmongos\fP or a replica set\&.
+read preference\&.
.sp
-Otherwise, \fBmongoexport\fP defaults to \fBnearest\fP\&.
+Starting in version 4.2, if the read
+preference is also included in the \fI\%\-\-uri connection string\fP, the command\-line \fI\%\-\-readPreference\fP overrides the read preference
+specified in the URI string.
.sp
\fBWARNING:\fP
.INDENT 7.0
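Review bot: The removed line "Otherwise, mongoexport defaults to nearest" documented a different default for connections that are not to a mongos or replica set, and the new text replaces it with an unconditional primary default without a "Changed in version" marker. If the default changed in 4.2, mark it. The default is also now stated twice ("Default: primary" and "defaults to primary read preference"), and "New in version 4.2." sits inside the second bullet, so it is unclear whether it applies to the document form or only to maxStalenessSeconds.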
@@ -878,7 +1270,7 @@ mongoexport \-d test \-c records \-\-sort \(aq{a: 1}\(aq \-\-limit 100 \-\-skip
See \fBsort()\fP for information about the underlying
operation.
.UNINDENT
-.SH USE
+.SH EXAMPLES
.SS Export in CSV Format
.sp
Changed in version 3.0.0: \fI\%mongoexport\fP removed the \fB\-\-csv\fP option. Use the
@@ -1003,18 +1395,61 @@ mongoexport \-\-db sales \-\-collection contacts \-\-out contacts.json
.UNINDENT
.SS Export from Remote Host Running with Authentication
.sp
-The following example exports the \fBcontacts\fP collection from the
-\fBmarketing\fP database, which requires authentication.
+The following example exports the \fBcontacts\fP collection in the
+\fBmarketing\fP database from a remote MongoDB instance that requires
+authentication.
+.sp
+Specify the:
+.INDENT 0.0
+.IP \(bu 2
+\fI\%\-\-host\fP
+.IP \(bu 2
+\fI\%\-\-port\fP
+.IP \(bu 2
+\fI\%\-\-username\fP
+.IP \(bu 2
+\fI\%\-\-authenticationDatabase\fP
+.IP \(bu 2
+\fI\%\-\-collection\fP
+.IP \(bu 2
+\fI\%\-\-db\fP
+.IP \(bu 2
+\fI\%\-\-out\fP
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.SS Tip
+.sp
+Omit the \fI\%\-\-password\fP option to
+have \fBmongoexport\fP prompt for the password:
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
.sp
-This data resides on the MongoDB instance located on the host
-\fBmongodb1.example.net\fP running on port \fB37017\fP, which requires the username
-\fBuser\fP and the password \fBpass\fP\&.
+.nf
+.ft C
+mongoexport \-\-host mongodb1.example.net \-\-port 27017 \-\-username someUser \-\-authenticationDatabase admin \-\-collection contacts \-\-db marketing \-\-out mdb1\-examplenet.json
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Alternatively, you use the \fI\%\-\-uri\fP option to specify the host, port, username, authentication database, and db.
+.INDENT 0.0
+.INDENT 3.5
+.SS Tip
+.sp
+Omit the password in the URI string to have \fBmongoexport\fP prompt
+for the password:
+.UNINDENT
+.UNINDENT
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
-mongoexport \-\-host mongodb1.example.net \-\-port 37017 \-\-username user \-\-password "pass" \-\-collection contacts \-\-db marketing \-\-out mdb1\-examplenet.json
+mongoexport \-\-uri \(aqmongodb://someUser@mongodb0.example.com:27017/marketing?authsource=admin\(aq \-\-collection contacts \-\-out mdb1\-examplenet.json
.ft P
.fi
.UNINDENT
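Review bot: The --uri example connects to mongodb0.example.com, while the --host example it is presented as an alternative to uses mongodb1.example.net, and both write mdb1-examplenet.json. Use the same host so the two commands are equivalent. "Alternatively, you use the --uri option" is missing "can". The two ".SS Tip" lines emit real subsection headings inside an indented block and will split "Export from Remote Host Running with Authentication" in the rendered page; the NOTE blocks elsewhere in this patch use a bold label instead. Replacing --password "pass" with the prompt keeps the password off the command line, which is the right direction.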
@@ -1023,27 +1458,29 @@ mongoexport \-\-host mongodb1.example.net \-\-port 37017 \-\-username user \-\-p
.sp
You can export only the results of a query by supplying a query filter with
the \fI\%\-\-query\fP option, and limit the results to a single
-database using the “\fI\%\-\-db\fP” option.
+database using the "\fI\%\-\-db\fP" option.
.sp
-For instance, this command returns all documents in the \fBsales\fP database’s
-\fBcontacts\fP collection that contain a field named \fBfield\fP with a value
-of \fB1\fP\&.
+For instance, this command returns all documents in the \fBsales\fP
+database\(aqs \fBcontacts\fP collection that contain a field named \fBdept\fP
+equal to \fB"ABC"\fP and the field \fBdate\fP greater than or equal to
+ISODate("2018\-01\-01") (using the strict format for dates
+{ "$date": "YYYY\-MM\-DDTHH:mm:ss.mmm<offset>"} )
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
-mongoexport \-\-db sales \-\-collection contacts \-\-query \(aq{"field": 1}\(aq
+mongoexport \-\-db sales \-\-collection contacts \-\-query \(aq{"dept": "ABC", date: { $gte: { "$date": "2018\-01\-01T00:00:00.000Z" } }}\(aq
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-You must enclose the query in single quotes (e.g. \fB\(aq\fP) to ensure that it does
+You must enclose the query document in single quotes (\fB\(aq{ ... }\(aq\fP) to ensure that it does
not interact with your shell environment.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2018
+2008-2019
.\" Generated by docutils manpage writer.
.
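Review bot: The rewritten sentence before the query example ends at "{ "$date": "YYYY-MM-DDTHH:mm:ss.mmm<offset>"} )" with no colon or full stop ahead of the code block, and sets ISODate("2018-01-01") and the $date template as plain text where the rest of the page uses bold for literals. In the command, "dept" is quoted but date and $gte are not; quoting all keys would match the "strict format" wording used for --query.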
diff --git a/debian/mongofiles.1 b/debian/mongofiles.1
index 2926b7ec090..742fd9d7af5 100644
--- a/debian/mongofiles.1
+++ b/debian/mongofiles.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGOFILES" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
+.TH "MONGOFILES" "1" "Jul 25, 2019" "4.2" "mongodb-manual"
.SH NAME
mongofiles \- MongoDB GridFS Utility
.
@@ -37,6 +37,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.IP \(bu 2
\fI\%Required Access\fP
.IP \(bu 2
+\fI\%Behavior\fP
+.IP \(bu 2
\fI\%Options\fP
.IP \(bu 2
\fI\%Commands\fP
@@ -45,9 +47,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.UNINDENT
.INDENT 0.0
.INDENT 3.5
-.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.IP "macOS Sierra and Go 1.6 Incompatibility"
.sp
-Users running on Mac OSX Sierra require the 3.2.10 or newer version
+Users running on macOS Sierra require the 3.2.10 or newer version
of mongofiles\&.
.UNINDENT
.UNINDENT
@@ -79,7 +81,7 @@ these options to control the behavior of \fI\%mongofiles\fP\&.
\fI\%Commands\fP\&. Use one of these commands to
determine the action of \fI\%mongofiles\fP\&.
.IP 3. 3
-A filename which is either: the name of a file on your local’s file
+A filename which is either: the name of a file on your local\(aqs file
system, or a GridFS object.
.UNINDENT
.sp
@@ -89,7 +91,7 @@ Run \fI\%mongofiles\fP from the system command line, not the \fBmongo\fP shell.
.INDENT 0.0
.INDENT 3.5
For replica sets,
-\fI\%mongofiles\fP can only read from the set’s
+\fI\%mongofiles\fP can only read from the set\(aqs
primary\&.
.UNINDENT
.UNINDENT
@@ -107,6 +109,38 @@ the \fBread\fP role for the accessed database when using the
the \fBreadWrite\fP role for the accessed database when using
the \fBput\fP or \fBdelete\fP commands.
.UNINDENT
+.SH BEHAVIOR
+.SS FIPS
+.sp
+Starting in version 4.2, MongoDB removes the \fB\-\-sslFIPSMode\fP
+option for mongofiles\&. mongofiles
+will use FIPS compliant connections to
+\fBmongod\fP/\fBmongos\fP if the
+\fBmongod\fP/\fBmongos\fP instances are
+configured to use FIPS mode\&.
+.SS Read Preference
+.sp
+By default, \fI\%mongofiles\fP uses read preference
+\fBprimary\fP\&. To override the default, you can specify the
+read preference in the
+\fI\%\-\-readPreference\fP command line
+option or in the \fI\%\-\-uri connection string\fP\&.
+.sp
+Starting in version 4.2, if you specify read preference in the URI
+string and the \fI\%\-\-readPreference\fP, the \fI\%\-\-readPreference\fP value overrides the read preference specified in the
+URI string.
+.sp
+In earlier versions, the two options are incompatible.
+.SS Write Concern
+.sp
+Starting in version 4.2, you can specify both the
+\fI\%\-\-writeConcern\fP and the
+\fI\%\-\-uri connection string\fP option. If write
+concern is specified using both options, the
+\fI\%\-\-writeConcern\fP value overrides
+the write concern specified in the URI string.
+.sp
+In earlier versions, the two options are incompatible.
.SH OPTIONS
.sp
Changed in version 3.0.0: \fI\%mongofiles\fP removed the \fB\-\-dbpath\fP as well as related
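Review bot: The new Read Preference section says the primary default can be overridden with --readPreference or the URI, but the unchanged note a few paragraphs earlier in this file still says "For replica sets, mongofiles can only read from the set's primary". One of the two statements needs updating in this patch.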
@@ -156,50 +190,55 @@ New in version 3.4.6.
.sp
Specify a resolvable URI
-connection string for the \fBmongod\fP to which to
-connect.
-.sp
-The following is the standard
-URI connection scheme:
+connection string (enclose in quotes) to connect to the MongoDB deployment.
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
-mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+\-\-uri "mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-For detailed explanations of the components of this string, refer to
-the
-Connection String URI Format
-documentation.
+For information on the components of the connection string, see
+the Connection String URI Format documentation.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL options, use the command\-line options instead of the
+URI options for TLS/SSL (Available starting in
+4.2)\&.
+.UNINDENT
+.UNINDENT
.sp
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
-The following \fI\%mongofiles\fP options are incompatible with the
-\fB\-\-uri\fP option. Instead, specify these options as part of your
-\fB\-\-uri\fP connection string when applicable:
+The following command\-line options cannot be used in conjunction
+with \fI\%\-\-uri\fP option:
.INDENT 0.0
.IP \(bu 2
-\fB\-\-host\fP
+\fI\%\-\-host\fP
.IP \(bu 2
-\fB\-\-port\fP
+\fI\%\-\-port\fP
.IP \(bu 2
-\fB\-\-db\fP
+\fI\%\-\-db\fP
.IP \(bu 2
-\fB\-\-username\fP
+\fI\%\-\-username\fP
.IP \(bu 2
-\fB\-\-password\fP (when specifying the password as part of the
-URI connection string)
+\fI\%\-\-password\fP (if the
+URI connection string also includes the password)
.IP \(bu 2
-\fB\-\-authenticationDatabase\fP
+\fI\%\-\-authenticationDatabase\fP
.IP \(bu 2
-\fB\-\-authenticationMechanism\fP
+\fI\%\-\-authenticationMechanism\fP
.UNINDENT
+.sp
+Instead, specify these options as part of your \fI\%\-\-uri\fP
+connection string.
.UNINDENT
.UNINDENT
.UNINDENT
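Review bot: In the added NOTE, "(Available starting in 4.2)" trails the sentence, so it is unclear what became available in 4.2: the TLS/SSL options in the URI or the command-line ones. Since the note steers users toward the command-line options for transport security, name the version and the affected options explicitly.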
@@ -212,6 +251,13 @@ to a MongoDB process running on the localhost port number \fB27017\fP\&.
.sp
Optionally, specify a port number to connect a MongoDB instance running
on a port other than 27017.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-host\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -220,6 +266,13 @@ on a port other than 27017.
.sp
Specifies the TCP port on which the MongoDB instance listens for
client connections.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-port\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -254,13 +307,17 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
from the Certificate Authority. Specify the file name of the
\fB\&.pem\fP file using relative or absolute paths.
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
-specified and you are not using x.509 authentication, the
-system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+Starting in version 3.4, if \fB\-\-tlsCAFile\fP/\fBnet.tls.CAFile\fP (or
+their aliases \fB\-\-sslCAFile\fP/\fBnet.ssl.CAFile\fP) is not specified
+and you are not using x.509 authentication, the system\-wide CA
+certificate store will be used when connecting to an TLS/SSL\-enabled
+server.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
.sp
\fBWARNING:\fP
.INDENT 7.0
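Review bot: This paragraph calls --sslCAFile/net.ssl.CAFile the "aliases" of the tls names, while the --sslAllowInvalidCertificates paragraph in the same file calls the tls name the alias and dates it to MongoDB 4.2. Decide which spelling is canonical and use it consistently. As written, "Starting in version 3.4, if --tlsCAFile ... is not specified" also reads as if the tls option existed in 3.4.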
@@ -345,19 +402,23 @@ the use of invalid certificates. When using the
warning the use of the invalid certificate.
.sp
Starting in MongoDB 4.0, if you specify
-\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
-true\fP when using x.509 authentication, an invalid certificate is
-only sufficient to establish a TLS/SSL connection but is
-\fIinsufficient\fP for authentication.
+\fB\-\-sslAllowInvalidCertificates\fP or
+\fBnet.ssl.allowInvalidCertificates: true\fP (or in MongoDB 4.2, the
+alias \fB\-\-tlsAllowInvalidateCertificates\fP or
+\fBnet.tls.allowInvalidCertificates: true\fP) when using x.509
+authentication, an invalid certificate is only sufficient to
+establish a TLS/SSL connection but is \fIinsufficient\fP for
+authentication.
+.sp
+# We created a separate blurb for tls in the ssl\-clients page.
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-For TLS/SSL connections to \fBmongod\fP and
-\fBmongos\fP, avoid using
-\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
-\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
-not possible.
+Although available, avoid using the
+\fB\-\-sslAllowInvalidCertificates\fP option if possible. If the use of
+\fB\-\-sslAllowInvalidCertificates\fP is necessary, only use the option
+on systems where intrusion is not possible.
.sp
If the \fBmongo\fP shell (and other
mongodb\-tools\-support\-ssl) runs with the
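Review bot: The rewritten WARNING keeps "only use the option on systems where intrusion is not possible", which gives the reader no usable criterion. The unchanged text below already states the actual risk (no validation of server certificates, so expired certificates and foreign processes posing as mongod or mongos are accepted), so the condition should be phrased in those terms. This hunk also repeats the misspelled --tlsAllowInvalidateCertificates and the stray "# We created a separate blurb ..." line.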
@@ -367,7 +428,9 @@ mongodb\-tools\-support\-ssl) will not attempt to validate
the server certificates. This creates a vulnerability to expired
\fBmongod\fP and \fBmongos\fP certificates as
well as to foreign processes posing as valid
-\fBmongod\fP or \fBmongos\fP instances.
+\fBmongod\fP or \fBmongos\fP instances. If you
+only need to disable the validation of the hostname in the
+TLS/SSL certificates, see \fB\-\-sslAllowInvalidHostnames\fP\&.
.UNINDENT
.UNINDENT
.sp
@@ -391,52 +454,50 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslFIPSMode
-New in version 2.6.
-
-.sp
-Directs the \fBmongofiles\fP to use the FIPS mode of the installed OpenSSL
-library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\%\-\-sslFIPSMode\fP option.
+.B \-\-username <username>, \-u <username>
+Specifies a username with which to authenticate to a MongoDB database
+that uses authentication. Use in conjunction with the \fI\%\-\-password\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-FIPS\-compatible TLS/SSL is
-available only in \fI\%MongoDB Enterprise\fP\&. See
-/tutorial/configure\-fips for more information.
+You cannot specify both \fI\%\-\-username\fP and \fI\%\-\-uri\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-username <username>, \-u <username>
-Specifies a username with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-password\fP and
-\fB\-\-authenticationDatabase\fP options.
-.UNINDENT
-.INDENT 0.0
-.TP
.B \-\-password <password>, \-p <password>
Specifies a password with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-username\fP and
-\fB\-\-authenticationDatabase\fP options.
+that uses authentication. Use in conjunction with the \fI\%\-\-username\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
-Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongofiles\fP returns
-an error.
-
-.sp
-Changed in version 3.0.2: If you wish \fBmongofiles\fP to prompt the user
+Changed in version 3.0.2: To prompt the user
for the password, pass the \fI\%\-\-username\fP option without
\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
as in \fB\-\-password ""\fP .
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-password\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-authenticationDatabase <dbname>
-Specifies the database in which the user is created.
+Specifies the authentication database where the specified \fI\%\-\-username\fP has been created.
See user\-authentication\-database\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationDatabase\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
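Review bot: After the rewording, "Changed in version 3.0.2: To prompt the user for the password, pass the --username option without --password ..." no longer says which program prompts, and the synopsis line still presents --password <password> as taking a value. Prompting keeps the password out of the command line, so consider leading the description with that behaviour. The 3.0.0 note about a missing argument returning an error is deleted with no replacement; confirm that behaviour is gone.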
@@ -505,6 +566,13 @@ passwords in plain text. This mechanism is available only in
T}
_
.TE
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationMechanism\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -532,12 +600,13 @@ This option is available only in MongoDB Enterprise.
.TP
.B \-\-db <database>, \-d <database>
Specifies the name of the database on which to run the \fBmongofiles\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-db\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-collection <collection>, \-c <collection>
-This option has no use in this context and a future release may
-remove it. See \fI\%SERVER\-4931\fP for more information.
.UNINDENT
.INDENT 0.0
.TP
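Review bot: The --collection entry is deleted outright, although the removed text only said a future release "may remove it" (SERVER-4931). Confirm that the 4.2 mongofiles no longer accepts -c; if it is still accepted, keep a one-line deprecated entry so the option stays documented.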
@@ -548,7 +617,7 @@ operations.
In the \fBmongofiles put\fP and \fBmongofiles get\fP commands,
the required \fB<filename>\fP modifier refers to the name the object will
have in GridFS. \fI\%mongofiles\fP assumes that this reflects the
-file’s name on the local file system. This setting overrides this
+file\(aqs name on the local file system. This setting overrides this
default.
.UNINDENT
.INDENT 0.0
@@ -583,9 +652,81 @@ GridFS prefix to use.
\fIDefault\fP: majority
.sp
Specifies the write concern for each write operation that \fBmongofiles\fP
-writes to the target database.
+performs.
+.sp
+Specify the write concern as a document with w options:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-writeConcern "{w:\(aqmajority\(aq}"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If the write concern is also included in the \fI\%\-\-uri
+connection string\fP, the command\-line
+\fI\%\-\-writeConcern\fP overrides the write concern specified in
+the URI string.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-readPreference <string|document>
+\fIDefault\fP: \fBprimary\fP
+.sp
+Specifies the read preference for
+\fBmongofiles\fP\&. The \fI\%\-\-readPreference\fP option can take:
+.INDENT 7.0
+.IP \(bu 2
+A string if specifying only the read preference mode:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-readPreference secondary
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+A quote\-enclosed document to specify the mode, the optional
+read preference tag sets, and the
+optional maxStalenessSeconds:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-readPreference \(aq{mode: "secondary", tagSets: [ { "region": "east" } ], maxStalenessSeconds: 120}\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If specifying the maxStalenessSeconds, the value must be greater than or equal to 90.
+.sp
+New in version 4.2.
+
+.UNINDENT
+.sp
+\fBmongofiles\fP defaults to \fBprimary\fP
+read preference\&.
.sp
-Specify the write concern as a document with w options\&.
+Starting in version 4.2, if the read
+preference is also included in the \fI\%\-\-uri connection string\fP, the command\-line \fI\%\-\-readPreference\fP overrides the read preference
+specified in the URI string.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Using a read preference other than
+\fBprimary\fP with a connection to a \fBmongos\fP may produce
+inconsistencies, duplicates, or result in missed documents.
+.UNINDENT
+.UNINDENT
.UNINDENT
.SH COMMANDS
.INDENT 0.0
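Review bot: The --writeConcern example is quoted as "{w:'majority'}" (double quotes outside), while the --readPreference example added in the same hunk uses single quotes outside and double quotes inside. Use the single-quoted outer form for both so the shell passes the document through untouched and the two examples agree.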
@@ -620,7 +761,7 @@ system.
.sp
Here, \fB<filename>\fP refers to the name the object will have in
GridFS. \fI\%mongofiles\fP writes the file to the local
-file system using the file’s \fBfilename\fP in GridFS. To choose a
+file system using the file\(aqs \fBfilename\fP in GridFS. To choose a
different location for the file on the local file system, use the
\fI\%\-\-local\fP option.
.UNINDENT
@@ -634,7 +775,7 @@ Copy the specified file from GridFS storage to the local file system.
.sp
Here \fB<ObjectId>\fP refers to the extended JSON \fB_id\fP of the
object in GridFS. \fI\%mongofiles\fP writes the file to the local
-file system using the file’s \fBfilename\fP in GridFS. To choose a
+file system using the file\(aqs \fBfilename\fP in GridFS. To choose a
different location for the file on the local file system, use the
\fI\%\-\-local\fP option.
.UNINDENT
@@ -684,7 +825,7 @@ mongofiles \-\-host db1.example.net \-\-port 37017 \-d records list
.UNINDENT
.UNINDENT
.sp
-Modify any of the following commands as needed if you’re connecting
+Modify any of the following commands as needed if you\(aqre connecting
the \fBmongod\fP instances on different ports or hosts.
.sp
To upload a file named \fB32\-corinth.lp\fP to the GridFS collection in
@@ -771,6 +912,6 @@ You must include quotation marks around the \fB_id\fP\&.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2018
+2008-2019
.\" Generated by docutils manpage writer.
.
diff --git a/debian/mongoimport.1 b/debian/mongoimport.1
index bcd607690fc..c494b85d758 100644
--- a/debian/mongoimport.1
+++ b/debian/mongoimport.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGOIMPORT" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
+.TH "MONGOIMPORT" "1" "Jul 25, 2019" "4.2" "mongodb-manual"
.SH NAME
mongoimport \- MongoDB LDAP Configuration Testing Utility
.
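Review bot: The unchanged NAME line in this file reads "mongoimport \- MongoDB LDAP Configuration Testing Utility", and the later hunks of debian/mongoimport.1 document mongoldap, so the page installed as mongoimport(1) describes a different tool. Bumping the date and version to 4.2 keeps that mismatch; regenerate this file from the mongoimport source as part of this update.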
@@ -45,12 +45,12 @@ New in version 3.4: MongoDB Enterprise
.SH SYNOPSIS
.sp
Starting in version 3.4, MongoDB Enterprise provides
-\fI\%mongoldap\fP for testing MongoDB’s LDAP configuration
+\fI\%mongoldap\fP for testing MongoDB\(aqs LDAP configuration
options against a running LDAP server or set
of servers.
.sp
To validate the LDAP options in the configuration file, set the
-\fI\%mongoldap\fP \fI\%\-\-config\fP option to the configuration file’s
+\fI\%mongoldap\fP \fI\%\-\-config\fP option to the configuration file\(aqs
path.
.sp
To test the LDAP configuration options, you must specify a \fI\%\-\-user\fP
@@ -214,7 +214,7 @@ If your LDAP infrastrucure partitions the LDAP directory over multiple LDAP
servers, specify \fIone\fP LDAP server any of its replicated instances to
\fI\%\-\-ldapServers\fP\&. MongoDB supports following LDAP referrals as defined in \fI\%RFC 4511
4.1.10\fP\&. Do not use \fI\%\-\-ldapServers\fP
-for listing every LDAP server in your infrastucture.
+for listing every LDAP server in your infrastructure.
.sp
This setting can be configured on a running \fBmongoldap\fP using
\fBsetParameter\fP\&.
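Review bot: the spelling fix here is partial. The same paragraph still has "infrastrucure" in its first sentence (visible in the hunk header), and the context line "specify one LDAP server any of its replicated instances" is missing "or" before "any". Suggest correcting both in the source alongside "infrastructure" so the paragraph is fixed in one pass.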
@@ -415,7 +415,7 @@ By default, \fBmongoldap\fP creates a TLS/SSL secured connection to the LDAP
server.
.sp
For Linux deployments, you must configure the appropriate TLS Options in
-\fB/etc/openldap/ldap.conf\fP file. Your operating system’s package manager
+\fB/etc/openldap/ldap.conf\fP file. Your operating system\(aqs package manager
creates this file as part of the MongoDB Enterprise installation, via the
\fBlibldap\fP dependency. See the documentation for \fBTLS Options\fP in the
\fI\%ldap.conf OpenLDAP documentation\fP
@@ -528,6 +528,8 @@ authentication name matched by the \fBmatch\fP regex into a LDAP DN.
Each curly bracket\-enclosed numeric value is replaced by the
corresponding \fI\%regex capture group\fP extracted
from the authentication username via the \fBmatch\fP regex.
+.sp
+The result of the substitution must be an \fI\%RFC4514\fP escaped string.
T} T{
\fB"cn={0},ou=engineering,
dc=example,dc=com"\fP
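Review bot: the added sentence "The result of the substitution must be an RFC4514 escaped string" does not say who is responsible for the escaping. The preceding context says each {n} is replaced by a capture group taken from the authentication username, so a reader cannot tell whether the tool escapes the captured text or whether the operator must write a match regex that only admits DN-safe characters. Suggest stating that explicitly, since it decides whether characters such as a comma or equals sign in a username can alter the resulting DN.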
@@ -552,6 +554,17 @@ T}
_
.TE
.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+An explanation of \fI\%RFC4514\fP,
+\fI\%RFC4515\fP,
+\fI\%RFC4516\fP, or LDAP queries is out
+of scope for the MongoDB Documentation. Please review the RFC directly or
+use your preferred LDAP resource.
+.UNINDENT
+.UNINDENT
+.sp
For each document in the array, you must use either \fBsubstitution\fP or
\fBldapQuery\fP\&. You \fIcannot\fP specify both in the same document.
.sp
@@ -623,16 +636,6 @@ when attempting to authenticate or authorize a user against the LDAP server.
.sp
This setting can be configured on a running \fBmongoldap\fP using the
\fBsetParameter\fP database command.
-.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-An explanation of \fI\%RFC4515\fP,
-\fI\%RFC4516\fP or LDAP queries is out
-of scope for the MongoDB Documentation. Please review the RFC directly or
-use your preferred LDAP resource.
-.UNINDENT
-.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -675,7 +678,7 @@ roles and privileges assigned to that role. See the
.INDENT 3.5
.SH EXAMPLE
.sp
-This LDAP query returns any groups listed in the LDAP user object’s
+This LDAP query returns any groups listed in the LDAP user object\(aqs
\fBmemberOf\fP attribute.
.INDENT 0.0
.INDENT 3.5
@@ -713,6 +716,6 @@ use your preferred LDAP resource.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2018
+2008-2019
.\" Generated by docutils manpage writer.
.
diff --git a/debian/mongorestore.1 b/debian/mongorestore.1
index d3180931a7e..ce2e6bd4b2c 100644
--- a/debian/mongorestore.1
+++ b/debian/mongorestore.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGORESTORE" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
+.TH "MONGORESTORE" "1" "Jul 25, 2019" "4.2" "mongodb-manual"
.SH NAME
mongorestore \- MongoDB Data Restoration Tool
.
@@ -35,6 +35,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.IP \(bu 2
\fI\%Synopsis\fP
.IP \(bu 2
+\fI\%Syntax\fP
+.IP \(bu 2
\fI\%Behavior\fP
.IP \(bu 2
\fI\%Required Access\fP
@@ -45,9 +47,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.UNINDENT
.INDENT 0.0
.INDENT 3.5
-.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.IP "macOS Sierra and Go 1.6 Incompatibility"
.sp
-Users running on Mac OSX Sierra require the 3.2.10 or newer version
+Users running on macOS Sierra require the 3.2.10 or newer version
of mongorestore\&.
.UNINDENT
.UNINDENT
@@ -58,10 +60,106 @@ database dump created by \fBmongodump\fP or the standard input
(starting in version 3.0.0) into a \fBmongod\fP or
\fBmongos\fP instance.
.sp
-Run \fI\%mongorestore\fP from the system command line, not the \fBmongo\fP shell.
-.sp
For an overview of \fI\%mongorestore\fP usage, see
/tutorial/backup\-and\-restore\-tools\&.
+.SH SYNTAX
+.sp
+Run \fI\%mongorestore\fP from the system command line, not the \fBmongo\fP shell.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore [options] [<directory>/<BSON file>]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For example, to restore from a \fBdump\fP directory to a local
+\fBmongod\fP instance running on port \fB27017\fP:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore dump/
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+As \fI\%mongorestore\fP restores from the \fBdump/\fP directory,
+it creates the database and collections as needed and logs its progress:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+2019\-07\-08T14:37:38.942\-0400 preparing collections to restore from
+2019\-07\-08T14:37:38.944\-0400 reading metadata for test.bakesales from dump/test/bakesales.metadata.json
+2019\-07\-08T14:37:38.944\-0400 reading metadata for test.salaries from dump/test/salaries.metadata.json
+2019\-07\-08T14:37:38.976\-0400 restoring test.salaries from dump/test/salaries.bson
+2019\-07\-08T14:37:38.985\-0400 no indexes to restore
+2019\-07\-08T14:37:38.985\-0400 finished restoring test.salaries (10 documents, 0 failures)
+2019\-07\-08T14:37:39.009\-0400 restoring test.bakesales from dump/test/bakesales.bson
+2019\-07\-08T14:37:39.011\-0400 restoring indexes for collection test.bakesales from metadata
+2019\-07\-08T14:37:39.118\-0400 finished restoring test.bakesales (21 documents, 0 failures)
+2019\-07\-08T14:37:39.118\-0400 restoring users from dump/admin/system.users.bson
+2019\-07\-08T14:37:39.163\-0400 restoring roles from dump/admin/system.roles.bson
+2019\-07\-08T14:37:39.249\-0400 31 document(s) restored successfully. 0 document(s) failed to restore.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can also restore a specific collection or collections from the
+\fBdump/\fP directory. For example, the following operation restores a
+single collection from corresponding data files in the \fBdump/\fP
+directory:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore \-\-nsInclude test.purchaseorders dump/
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If the \fBdump/\fP directory does not contain the corresponding data file
+for the specified namespace, no data will be restored. For example, the
+following specifies a collection namespace that does not have a
+corresponding data in the \fBdump/\fP directory:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore \-\-nsInclude foo.bar dump/
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The \fI\%mongorestore\fP outputs the following messages:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+2019\-07\-08T14:38:15.142\-0400 preparing collections to restore from
+2019\-07\-08T14:38:15.142\-0400 0 document(s) restored successfully. 0 document(s) failed to restore.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For more examples, see \fI\%Examples\fP\&.
+.sp
+For more information on the options and arguments, see
+\fI\%Options\fP\&.
.SH BEHAVIOR
.SS Insert Only
.sp
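Review bot: in the new SYNTAX block, "mongorestore [options] [<directory>/<BSON file>]" reads as a single path with a separator rather than a choice between two argument kinds. Suggest "[<directory>|<BSON file>]" or two synopsis lines. In the same hunk, "does not have a corresponding data in the dump/ directory" should be "corresponding data file", and "The mongorestore outputs the following messages" should drop the article. It would also help to say in the --nsInclude foo.bar paragraph that a non-matching namespace is reported as "0 document(s) restored successfully" with no failure, since the sample output shows exactly that and operators checking a restore need to know to look at the count.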
@@ -79,16 +177,16 @@ same value \fB_id\fP field as the to\-be\-restored documents,
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
-Starting in MongoDB 2.6, creating indexes will error if an
-index key in an existing document exceeds the limit\&. See
-2.6\-index\-key\-length\-incompatibility for more information and
-solution.
+For MongoDB 2.6 through MongoDB versions with
+\fBfeatureCompatibilityVersion\fP (fCV) set to \fB"4.0"\fP or earlier,
+creating indexes will \fBerror if an
+index key in an existing document exceeds the limit\fP\&.
.sp
-If you have an existing data set that violates this limit but want
-to resolve the index issue after restoring the data, you can disable
-the default index key length validation on the target database by
-setting the \fBmongod\fP instance’s
-\fBfailIndexKeyTooLong\fP parameter to false.
+To avoid this issue, consider using hashed indexes or indexing a
+computed value instead. If you want to resolve the index issue after
+restoring the data, you can disable the default index key length
+validation on the target database by setting the \fBmongod\fP
+instance\(aqs \fBfailIndexKeyTooLong\fP parameter to false.
.UNINDENT
.UNINDENT
.SS Version Compatibility
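Review bot: the rewritten NOTE says index creation will error if a key "exceeds the limit", but the removed lines carried the only pointer to where that limit is defined (2.6-index-key-length-incompatibility). After this change "the limit" has no referent on the page. Suggest naming the limit or keeping a reference. The second paragraph should also repeat the version scope from the first, since failIndexKeyTooLong is presented there without saying it applies only to the fCV "4.0" or earlier case.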
@@ -100,6 +198,23 @@ data stores.
.SS Exclude \fBsystem.profile\fP Collection
.sp
\fI\%mongorestore\fP does not restore the \fBsystem.profile\fP collection data.
+.SS FIPS
+.sp
+Starting in version 4.2, MongoDB removes the \fB\-\-sslFIPSMode\fP
+option for mongorestore\&. mongorestore
+will use FIPS compliant connections to
+\fBmongod\fP/\fBmongos\fP if the
+\fBmongod\fP/\fBmongos\fP instances are
+configured to use FIPS mode\&.
+.SS Write Concern
+.sp
+Starting in version 4.2, if you specify write concern in both the
+\fI\%\-\-writeConcern\fP option and the
+\fI\%\-\-uri connection string\fP option, the
+\fI\%\-\-writeConcern\fP value overrides
+the write concern specified in the URI string.
+.sp
+In earlier versions, the two options are incompatible.
.SH REQUIRED ACCESS
.sp
To restore data to a MongoDB deployment that has access control enabled, the \fBrestore\fP role provides
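Review bot: the new FIPS section says --sslFIPSMode is removed in 4.2 but does not say what happens when an existing invocation still passes it. Backup and restore jobs are usually scripted, so suggest one sentence on the observable behaviour (rejected as an unknown option, or accepted and ignored) so operators know whether upgrades will break those jobs. The Write Concern section has the same gap in its last line: "In earlier versions, the two options are incompatible" should say whether that means an error at startup.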
@@ -174,50 +289,55 @@ New in version 3.4.6.
.sp
Specify a resolvable URI
-connection string for the \fBmongod\fP to which to
-connect.
-.sp
-The following is the standard
-URI connection scheme:
+connection string (enclose in quotes) to connect to the MongoDB deployment.
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
-mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+\-\-uri "mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-For detailed explanations of the components of this string, refer to
-the
-Connection String URI Format
-documentation.
+For information on the components of the connection string, see
+the Connection String URI Format documentation.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL options, use the command\-line options instead of the
+URI options for TLS/SSL (Available starting in
+4.2)\&.
+.UNINDENT
+.UNINDENT
.sp
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
-The following \fI\%mongorestore\fP options are incompatible with the
-\fB\-\-uri\fP option. Instead, specify these options as part of your
-\fB\-\-uri\fP connection string when applicable:
+The following command\-line options cannot be used in conjunction
+with \fI\%\-\-uri\fP option:
.INDENT 0.0
.IP \(bu 2
-\fB\-\-host\fP
+\fI\%\-\-host\fP
.IP \(bu 2
-\fB\-\-port\fP
+\fI\%\-\-port\fP
.IP \(bu 2
-\fB\-\-db\fP
+\fI\%\-\-db\fP
.IP \(bu 2
-\fB\-\-username\fP
+\fI\%\-\-username\fP
.IP \(bu 2
-\fB\-\-password\fP (when specifying the password as part of the
-URI connection string)
+\fI\%\-\-password\fP (if the
+URI connection string also includes the password)
.IP \(bu 2
-\fB\-\-authenticationDatabase\fP
+\fI\%\-\-authenticationDatabase\fP
.IP \(bu 2
-\fB\-\-authenticationMechanism\fP
+\fI\%\-\-authenticationMechanism\fP
.UNINDENT
+.sp
+Instead, specify these options as part of your \fI\%\-\-uri\fP
+connection string.
.UNINDENT
.UNINDENT
.UNINDENT
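Review bot: the added NOTE under --uri, "For TLS/SSL options, use the command-line options instead of the URI options for TLS/SSL (Available starting in 4.2)", is ambiguous about what became available in 4.2: the URI options or the command-line ones. It also does not say whether TLS settings placed in the URI are ignored or rejected, which matters because a silently ignored TLS option changes how the connection is secured. Suggest rewording to name the subject of the parenthetical and the resulting behaviour.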
@@ -238,19 +358,39 @@ the following:
.sp
.nf
.ft C
-<replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
+\-\-host <replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-You can always connect directly to a single MongoDB instance by
-specifying the host and port number directly.
+When specifying the replica set list format, \fBmongorestore\fP always connects to
+the primary\&.
+.sp
+You can also connect to any single member of the replica set by specifying
+the host and port of only that member:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-host <hostname1><:port>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.sp
Changed in version 3.0.0: If you use IPv6 and use the \fB<address>:<port>\fP format, you must
enclose the portion of an address and port combination in
brackets (e.g. \fB[<address>]\fP).
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-host\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -259,6 +399,13 @@ brackets (e.g. \fB[<address>]\fP).
.sp
Specifies the TCP port on which the MongoDB instance listens for
client connections.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-port\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -283,13 +430,17 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
from the Certificate Authority. Specify the file name of the
\fB\&.pem\fP file using relative or absolute paths.
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
-specified and you are not using x.509 authentication, the
-system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+Starting in version 3.4, if \fB\-\-tlsCAFile\fP/\fBnet.tls.CAFile\fP (or
+their aliases \fB\-\-sslCAFile\fP/\fBnet.ssl.CAFile\fP) is not specified
+and you are not using x.509 authentication, the system\-wide CA
+certificate store will be used when connecting to an TLS/SSL\-enabled
+server.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
.sp
\fBWARNING:\fP
.INDENT 7.0
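Review bot: in the added x.509 paragraph, the configuration-file setting is written as "\-\-net.tls.certificateSelector" with a leading double dash, while its ssl counterpart two lines later is "net.ssl.certificateSelector" without one. The dashed form is not a command-line option shown anywhere else in this hunk, so it looks like a typo in the source. Also "connecting to an TLS/SSL-enabled server" should be "a TLS/SSL-enabled server".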
@@ -374,19 +525,23 @@ the use of invalid certificates. When using the
warning the use of the invalid certificate.
.sp
Starting in MongoDB 4.0, if you specify
-\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
-true\fP when using x.509 authentication, an invalid certificate is
-only sufficient to establish a TLS/SSL connection but is
-\fIinsufficient\fP for authentication.
+\fB\-\-sslAllowInvalidCertificates\fP or
+\fBnet.ssl.allowInvalidCertificates: true\fP (or in MongoDB 4.2, the
+alias \fB\-\-tlsAllowInvalidateCertificates\fP or
+\fBnet.tls.allowInvalidCertificates: true\fP) when using x.509
+authentication, an invalid certificate is only sufficient to
+establish a TLS/SSL connection but is \fIinsufficient\fP for
+authentication.
+.sp
+# We created a separate blurb for tls in the ssl\-clients page.
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-For TLS/SSL connections to \fBmongod\fP and
-\fBmongos\fP, avoid using
-\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
-\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
-not possible.
+Although available, avoid using the
+\fB\-\-sslAllowInvalidCertificates\fP option if possible. If the use of
+\fB\-\-sslAllowInvalidCertificates\fP is necessary, only use the option
+on systems where intrusion is not possible.
.sp
If the \fBmongo\fP shell (and other
mongodb\-tools\-support\-ssl) runs with the
@@ -396,7 +551,9 @@ mongodb\-tools\-support\-ssl) will not attempt to validate
the server certificates. This creates a vulnerability to expired
\fBmongod\fP and \fBmongos\fP certificates as
well as to foreign processes posing as valid
-\fBmongod\fP or \fBmongos\fP instances.
+\fBmongod\fP or \fBmongos\fP instances. If you
+only need to disable the validation of the hostname in the
+TLS/SSL certificates, see \fB\-\-sslAllowInvalidHostnames\fP\&.
.UNINDENT
.UNINDENT
.sp
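Review bot: two problems in the added lines of this hunk. The alias is spelled "\-\-tlsAllowInvalidateCertificates", which does not match the setting named next to it, net.tls.allowInvalidCertificates; a reader copying the flag from the man page gets the wrong name. And the line "# We created a separate blurb for tls in the ssl-clients page." is an authoring comment that has leaked into the rendered output as body text. Both should be fixed in the source and the page regenerated. The WARNING itself still names only the --ssl form of the option; if the tls alias exists in 4.2 the warning should cover it too.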
@@ -420,52 +577,50 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslFIPSMode
-New in version 2.6.
-
-.sp
-Directs the \fBmongorestore\fP to use the FIPS mode of the installed OpenSSL
-library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\%\-\-sslFIPSMode\fP option.
+.B \-\-username <username>, \-u <username>
+Specifies a username with which to authenticate to a MongoDB database
+that uses authentication. Use in conjunction with the \fI\%\-\-password\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-FIPS\-compatible TLS/SSL is
-available only in \fI\%MongoDB Enterprise\fP\&. See
-/tutorial/configure\-fips for more information.
+You cannot specify both \fI\%\-\-username\fP and \fI\%\-\-uri\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-username <username>, \-u <username>
-Specifies a username with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-password\fP and
-\fB\-\-authenticationDatabase\fP options.
-.UNINDENT
-.INDENT 0.0
-.TP
.B \-\-password <password>, \-p <password>
Specifies a password with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-username\fP and
-\fB\-\-authenticationDatabase\fP options.
-.sp
-Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongorestore\fP returns
-an error.
-
+that uses authentication. Use in conjunction with the \fI\%\-\-username\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
-Changed in version 3.0.2: If you wish \fBmongorestore\fP to prompt the user
+Changed in version 3.0.2: To prompt the user
for the password, pass the \fI\%\-\-username\fP option without
\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
as in \fB\-\-password ""\fP .
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-password\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-authenticationDatabase <dbname>
-Specifies the database in which the user is created.
+Specifies the authentication database where the specified \fI\%\-\-username\fP has been created.
See user\-authentication\-database\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationDatabase\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
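Review bot: the NOTE added under --password says "You cannot specify both --password and --uri" without qualification, but the IMPORTANT list added under --uri in this same commit limits the conflict to the case where "the URI connection string also includes the password". One of the two is wrong, and the difference matters for anyone keeping the password out of the URI. Suggest making the --password NOTE carry the same condition. The hunk also drops the 3.0.0 statement that a missing --password argument returns an error while keeping the 3.0.2 prompt behaviour; worth confirming that removal is intended.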
@@ -534,6 +689,13 @@ passwords in plain text. This mechanism is available only in
T}
_
.TE
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationMechanism\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -560,26 +722,60 @@ This option is available only in MongoDB Enterprise.
.INDENT 0.0
.TP
.B \-\-db <database>, \-d <database>
-Specifies a database for \fBmongorestore\fP to restore data \fIinto\fP\&.
-If the database does not exist, \fBmongorestore\fP creates the
-database. If you do not specify a \fB<db>\fP, \fBmongorestore\fP
-creates new databases that correspond to the databases where data
-originated and data may be overwritten. Use this option to restore data
-into a MongoDB instance that already has data.
+Specifies the destination database for \fBmongorestore\fP to restore data
+\fIinto\fP when restoring from a BSON file. If the database does not
+exist, \fBmongorestore\fP creates the database. For example, the following
+restores the \fBsalaries\fP collection into the \fBreporting\fP database.
+.INDENT 7.0
+.INDENT 3.5
.sp
-\fI\%\-\-db\fP does \fInot\fP control which BSON files
-\fBmongorestore\fP restores. You must use the
-\fBmongorestore\fP \fI\%path option\fP to
-limit that restored data.
+.nf
+.ft C
+mongorestore \-\-db reporting dump/test/salaries.bson
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If you do not specify \fI\%\-\-db\fP, \fBmongorestore\fP takes the database name
+from the data files.
+.sp
+The use of \fI\%\-\-db\fP and \fI\%\-\-collection\fP options are
+deprecated when restoring from a directory or an archive file.
+Instead, to restore from an archive or a directory, see
+\fI\%\-\-nsInclude\fP instead.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-db\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-collection <collection>, \-c <collection>
-Specifies a single collection for \fBmongorestore\fP to restore. If
+Specifies the name of the destination collection for \fBmongorestore\fP to
+restore data \fIinto\fP when restoring from a BSON file. If
you do not specify \fI\%\-\-collection\fP, \fBmongorestore\fP takes
the collection name from the input filename. If the input file has an
extension, MongoDB omits the extension of the file from the collection
name.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore \-\-db reporting \-\-collection employeesalaries dump/test/salaries.bson
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The use of \fI\%\-\-db\fP and \fI\%\-\-collection\fP options are
+deprecated when restoring from a directory or an archive file.
+Instead, to restore from an archive or a directory, see
+\fI\%\-\-nsInclude\fP instead.
.UNINDENT
.INDENT 0.0
.TP
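Review bot: the deprecation paragraph added under both --db and --collection reads "The use of --db and --collection options are deprecated ... Instead, to restore from an archive or a directory, see --nsInclude instead." The subject and verb disagree ("use ... are") and "instead" appears twice. Suggest "The --db and --collection options are deprecated when restoring from a directory or an archive file; use --nsInclude instead." The --collection example command also has no sentence introducing it, unlike the --db example.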
@@ -587,17 +783,14 @@ name.
New in version 3.4.
.sp
-Excludes the specified namespaces from the
-restore operation.
+Specifies a namespace pattern (e.g. \fB"test.myCollection"\fP,
+\fB"reporting.*"\fP, \fB"dept*.bar"\fP) to \fIexclude\fP the matching
+namespaces from the restore. In the pattern, you can use asterisks
+\fB*\fP as \fIwild cards\fP\&. For an example of the wildcard pattern, see
+\fI\%Restore Collections Using Wild Cards\fP\&.
.sp
-\fI\%\-\-nsExclude\fP accepts a \fInamespace pattern\fP as its argument. The namespace
-pattern permits \fI\%\-\-nsExclude\fP to refer to any namespace that matches the
-specified pattern. \fI\%mongorestore\fP matches the smallest valid occurence
-of the namespace pattern.
-.sp
-Use asterisks (\fB*\fP) as wild cards. Escape all literal asterisks
-and backslashes with a backslash. \fI\%Restore Collections Using Wild Cards\fP
-provides an example of using asterisks as wild cards.
+You can specify \fI\%\-\-nsExclude\fP multiple times to exclude multiple namespace
+patterns.
.UNINDENT
.INDENT 0.0
.TP
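Review bot: the rewritten --nsExclude text drops the removed sentence "Escape all literal asterisks and backslashes with a backslash" and gives no replacement. With that gone, the page no longer says how to match a namespace that contains a literal asterisk, so a pattern meant to exclude one collection could be read as a wild card. If the escaping rule still applies in 4.2, suggest keeping it in the new paragraph.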
@@ -605,20 +798,18 @@ provides an example of using asterisks as wild cards.
New in version 3.4.
.sp
-Includes only the specified namespaces in the
-restore operation.
-By enabling you to specify multiple collections to restore,
-\fI\%\-\-nsInclude\fP offers a superset of the functionality of the
-\fI\%\-\-collection\fP option.
+Specifies a namespace pattern (e.g. \fB"test.myCollection"\fP,
+\fB"reporting.*"\fP, \fB"dept*.bar"\fP) to restore only the namespaces
+that match the pattern. In the pattern, you can use asterisks \fB*\fP
+as \fIwild cards\fP\&. For an example of the wildcard pattern, see
+\fI\%Restore Collections Using Wild Cards\fP\&.
.sp
-\fI\%\-\-nsInclude\fP accepts a \fInamespace pattern\fP as its argument. The namespace
-pattern permits \fI\%\-\-nsInclude\fP to refer to any namespace that matches the
-specified pattern. \fI\%mongorestore\fP matches the smallest valid occurence
-of the namespace pattern.
+You can specify \fI\%\-\-nsInclude\fP multiple times to include multiple namespace
+patterns.
.sp
-Use asterisks (\fB*\fP) as wild cards. Escape all literal asterisks
-and backslashes with a backslash. \fI\%Restore Collections Using Wild Cards\fP
-provides an example of using asterisks as wild cards.
+If source directory or file (i.e. the directory/file from which you
+are restoring the data) does not contain data files that match the
+namespace pattern, no data will be restored.
.UNINDENT
.INDENT 0.0
.TP
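Review bot: the last added paragraph under --nsInclude starts "If source directory or file", which is missing "the". The same escaping guidance removed from --nsExclude is removed here as well, so the comment on that hunk applies to this one.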
@@ -642,9 +833,9 @@ Replacements correspond linearly to matches: each asterisk in
\fB\-\-nsFrom\fP must correspond to an asterisk in \fB\-\-nsTo\fP, and the
first asterisk in \fB\-\-nsFrom\fP matches the first asterisk in \fBnsTo\fP\&.
.sp
-For more complex replacements, use dollar signs to delimit a “wild
-card” variable to use in the replacement.
-\fI\%Change Collections’ Namespaces during Restore\fP provides an example of complex
+For more complex replacements, use dollar signs to delimit a "wild
+card" variable to use in the replacement.
+\fI\%Change Collections\(aq Namespaces during Restore\fP provides an example of complex
replacements with dollar sign\-delimited wild cards.
.sp
Unlike replacements with asterisks, replacements with dollar
@@ -672,9 +863,9 @@ Replacements correspond linearly to matches: each asterisk in
\fB\-\-nsFrom\fP must correspond to an asterisk in \fB\-\-nsTo\fP, and the
first asterisk in \fB\-\-nsFrom\fP matches the first asterisk in \fBnsTo\fP\&.
.sp
-For more complex replacements, use dollar signs to delimit a “wild
-card” variable to use in the replacement.
-\fI\%Change Collections’ Namespaces during Restore\fP provides an example of complex
+For more complex replacements, use dollar signs to delimit a "wild
+card" variable to use in the replacement.
+\fI\%Change Collections\(aq Namespaces during Restore\fP provides an example of complex
replacements with dollar sign\-delimited wild cards.
.sp
Unlike replacements with asterisks, replacements with dollar
@@ -700,7 +891,7 @@ When the restore includes the \fBadmin\fP database, \fBmongorestore\fP with
users defined in the dump file. Therefore, in systems with
\fBauthorization\fP enabled, \fBmongorestore\fP must be able
to authenticate to an existing user \fIand\fP to a user defined in the
-dump file. If \fBmongorestore\fP can’t authenticate to a user defined in the
+dump file. If \fBmongorestore\fP can\(aqt authenticate to a user defined in the
dump file, the restoration process will fail, leaving an empty
database.
.UNINDENT
@@ -848,9 +1039,24 @@ Restore user and role definitions for the given database. See
\fIDefault\fP: majority
.sp
Specifies the write concern for each write operation that \fBmongorestore\fP
-writes to the target database.
+performs.
.sp
-Specify the write concern as a document with w options\&.
+Specify the write concern as a document with w options:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-writeConcern "{w:\(aqmajority\(aq}"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If the write concern is also included in the \fI\%\-\-uri
+connection string\fP, the command\-line
+\fI\%\-\-writeConcern\fP overrides the write concern specified in
+the URI string.
.UNINDENT
.INDENT 0.0
.TP
@@ -912,23 +1118,13 @@ New in version 3.2.
.sp
Restores from compressed files or data stream created by
-\fB~bin.mongodump \-\-archive\fP
+\fB~bin.mongodump \-\-gzip\fP
.sp
To restore from a dump directory that contains compressed files, run
-\fI\%mongorestore\fP with the new \fB\-\-gzip\fP option.
+\fI\%mongorestore\fP with the \fI\%\-\-gzip\fP option.
.sp
To restore from a compressed archive file, run \fI\%mongorestore\fP with
-the \fB\-\-gzip\fP option in conjunction with the \fB\-\-archive\fP option.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B <path>
-The final argument of the \fBmongorestore\fP command is a
-directory path. This argument specifies the location of the
-database dump from which to restore.
-.sp
-You cannot specify both the \fB<path>\fP argument and the \fB\-\-dir\fP
-option, which also specifies the dump directory, to \fBmongorestore\fP\&.
+both the \fI\%\-\-gzip\fP and the \fI\-\-archive\fP options.
.UNINDENT
.INDENT 0.0
.TP
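Review bot: the changed line "\fB~bin.mongodump \-\-gzip\fP" still carries the unresolved "~bin." prefix from the source markup, so the man page renders "~bin.mongodump --gzip" literally. The option swap from --archive to --gzip is right for this section, but the reference itself should be fixed at the source. In the last added line, "\fI\-\-archive\fP" is plain italic while --gzip beside it uses the link form, so the two options render inconsistently.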
@@ -948,8 +1144,18 @@ To restore from the standard input, run \fBmongorestore\fP with the
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
.IP \(bu 2
-You cannot use the \fB\-\-archive\fP option with the \fB\-\-dir\fP option.
+You cannot use the \fB\-\-archive\fP option with the \fI\%\-\-dir\fP
+option.
+.IP \(bu 2
+If you use the \fI\%\-\-archive\fP option with the \fI\%<path>\fP
+parameter, \fBmongorestore\fP ignores \fI\%<path>\fP parameter.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
.IP \(bu 2
\fBmongorestore\fP still supports the positional \fB\-\fP parameter to
restore a \fIsingle\fP collection from the standard input.
@@ -959,6 +1165,14 @@ restore a \fIsingle\fP collection from the standard input.
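Review bot: the added bullet "If you use the --archive option with the <path> parameter, mongorestore ignores <path> parameter" is missing "the" before the second "<path>". More importantly, silently ignoring a supplied path means a restore can read from a different source than the operator intended; suggest saying where the data is read from in that case. The added INDENT/UNINDENT pairs also split what was one bullet list into two, which will render the third bullet at a different indent from the first two.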
.UNINDENT
.INDENT 0.0
.TP
+.B <path>
+The directory path or BSON file name from which to restore data.
+.sp
+You cannot specify both the \fB<path>\fP argument and the \fB\-\-dir\fP
+option, which also specifies the dump directory, to \fBmongorestore\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-dir string
Specifies the dump directory.
.INDENT 7.0
@@ -970,41 +1184,115 @@ You cannot use the \fB\-\-archive\fP option with the \fB\-\-dir\fP option.
.UNINDENT
.UNINDENT
.SH EXAMPLES
-.SS Restore a Collection
+.SS Restore with Access Control
.sp
-Consider the following example:
+In the following example, \fI\%mongorestore\fP restores from
+\fB/opt/backup/mongodump\-2011\-10\-24\fP to a \fBmongod\fP
+instance running on port \fB27017\fP on the host
+\fBmongodb1.example.net\fP\&. The \fI\%\-\-uri\fP
+string omits the user\(aqs password to have \fI\%mongorestore\fP
+prompt for the password.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
-mongorestore \-\-collection people \-\-db accounts dump/
+mongorestore \-\-uri "mongodb://user@mongodb1.example.net:27017/?authSource=admin" /opt/backup/mongodump\-2011\-10\-24
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-Here, \fI\%mongorestore\fP reads the database dump in the \fBdump/\fP
-sub\-directory of the current directory, and restores \fIonly\fP the
-documents in the collection named \fBpeople\fP from the database named
-\fBaccounts\fP\&. \fI\%mongorestore\fP restores data to the instance
-running on the localhost interface on port \fB27017\fP\&.
+Alternatively, you can specify the host, port, username, and
+authentication database using \fI\%\-\-host\fP,
+\fI\%\-\-port\fP, \fI\%\-\-username\fP, and \fI\%\-\-authenticationDatabase\fP\&. Omit \fI\%\-\-password\fP to have \fI\%mongorestore\fP prompt for the password:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore \-\-host mongodb1.example.net \-\-port 27017 \-\-username user \-\-authenticationDatabase=admin /opt/backup/mongodump\-2011\-10\-24
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Restore a Collection
.sp
New in version 3.4.
.sp
-You may alternatively use \fI\%\-\-nsInclude\fP to specify the canonical name of the collection that you
-wish to restore rather than \fI\%\-\-collection\fP\&. \fI\%\-\-nsInclude\fP
-enables you to specify the namespace of one or more collections
-that you wish to include in the restore operation. The following
-example restores the \fBpeople\fP collection from the \fBaccounts\fP
-database in the \fBdump/\fP sub\-directory of the current directory:
+To restore a specific collection, use \fI\%\-\-nsInclude\fP, passing in the full namespace
+(\fB<database>.<collection>\fP) of the collection.
+.sp
+For example, the following restores the collection named
+\fBpurchaseorders\fP in the database \fBtest\fP from the corresponding
+files located in the \fBdump/\fP directory.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
-mongorestore \-\-nsInclude accounts.people dump/
+mongorestore \-\-nsInclude test.purchaseorders dump/
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The \fI\%mongorestore\fP outputs the results, including the
+number of documents restored:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+2019\-06\-28T19:23:42.858\-0400 preparing collections to restore from
+2019\-06\-28T19:23:42.858\-0400 reading metadata for test.purchaseorders from dump/test/purchaseorders.metadata.json
+2019\-06\-28T19:23:42.893\-0400 restoring test.purchaseorders from dump/test/purchaseorders.bson
+2019\-06\-28T19:23:42.896\-0400 restoring indexes for collection test.purchaseorders from metadata
+2019\-06\-28T19:23:42.991\-0400 finished restoring test.purchaseorders (6 documents, 0 failures)
+2019\-06\-28T19:23:42.991\-0400 6 document(s) restored successfully. 0 document(s) failed to restore.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If the \fBdump/\fP directory does not contain the corresponding data
+files for the specified namespace, no data will be restored:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+2019\-07\-08T14:39:57.121\-0400 preparing collections to restore from
+2019\-07\-08T14:39:57.121\-0400 0 document(s) restored successfully. 0 document(s) failed to restore.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Alternatively, you can restore a specific collection using the
+\fI\%\-\-db\fP, \fI\%\-\-collection\fP, and a \fB\&.bson\fP file:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore \-\-db test \-\-collection purchaseorders dump/test/purchaseorders.bson
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+2019\-06\-30T12:21:44.777\-0400 checking for collection data in dump/test/purchaseorders.bson
+2019\-06\-30T12:21:44.779\-0400 reading metadata for test.purchaseorders from dump/test/purchaseorders.metadata.json
+2019\-06\-30T12:21:44.813\-0400 restoring test.purchaseorders from dump/test/purchaseorders.bson
+2019\-06\-30T12:21:44.881\-0400 restoring indexes for collection test.purchaseorders from metadata
+2019\-06\-30T12:21:44.987\-0400 finished restoring test.purchaseorders (6 documents, 0 failures)
+2019\-06\-30T12:21:44.987\-0400 6 document(s) restored successfully. 0 document(s) failed to restore.
.ft P
.fi
.UNINDENT
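Review bot: The sample output under "no data will be restored" (the two lines stamped 2019-07-08) is shown without the command that produced it, and the final output block after the `--db test --collection purchaseorders` command has no lead-in sentence, so a reader cannot tell which invocation each log belongs to. Add the failing command above the empty-restore output and a one-line introduction before the last block. "The mongorestore outputs the results" would also read better as "mongorestore outputs the results".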
@@ -1038,7 +1326,7 @@ mongorestore \-\-nsInclude \(aqtransactions.*\(aq \-\-nsExclude \(aqtransactions
.fi
.UNINDENT
.UNINDENT
-.SS Change Collections’ Namespaces during Restore
+.SS Change Collections\(aq Namespaces during Restore
.sp
New in version 3.4.
@@ -1047,7 +1335,7 @@ MongoDB 3.4 added the \fI\%\-\-nsFrom\fP and
\fI\%\-\-nsTo\fP options, which enable you to
change the namespace of a collection that you are restoring.
\fI\%\-\-nsFrom\fP and \fI\%\-\-nsTo\fP support using asterisks as wild cards \fIand\fP
-support using dollar signs to delimit “wild card” variables to use in
+support using dollar signs to delimit "wild card" variables to use in
the replacement.
.sp
Consider a database \fBdata\fP that you have exported to a \fBdump/\fP
@@ -1089,34 +1377,16 @@ mongorestore \-\-nsInclude \(aqdata.*\(aq \-\-nsFrom \(aqdata.$prefix$_$customer
.fi
.UNINDENT
.UNINDENT
-.SS Restore with Access Control
+.SS Restore from an Archive File
.sp
-In the following example, \fI\%mongorestore\fP restores a
-database dump located at \fB/opt/backup/mongodump\-2011\-10\-24\fP, to a
-database running on port \fB37017\fP on the host
-\fBmongodb1.example.net\fP\&. The \fI\%mongorestore\fP command
-authenticates to the MongoDB instance using the username \fBuser\fP and
-the password \fBpass\fP, as follows:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-mongorestore \-\-host mongodb1.example.net \-\-port 37017 \-\-username user \-\-password "pass" /opt/backup/mongodump\-2011\-10\-24
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.SS Restore a Collection from Standard Input
-.sp
-You can also \fIpipe\fP data directly into to \fI\%mongorestore\fP
-through standard input, as in the following example:
+To restore from an archive file, run \fBrestore\fP with the new
+\fB\-\-archive\fP option and the archive filename.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
-zcat /opt/backup/mongodump\-2014\-12\-03/accounts.people.bson.gz | mongorestore \-\-collection people \-\-db accounts \-
+mongorestore \-\-archive=test.20150715.archive
.ft P
.fi
.UNINDENT
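Review bot: In the added "Restore from an Archive File" paragraph, "run restore with the new --archive option" names a command that appears nowhere else on this page; it should be mongorestore, marked up as a link like the other references. "new" is also stale here: the later hunk in this same file drops "new" from the --archive and --gzip sentences, so drop it here too. This hunk also deletes the only example of an authenticated restore ("Restore with Access Control"); please confirm an equivalent example still exists in the regenerated page.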
@@ -1135,59 +1405,60 @@ following operation restores the \fBtest\fP database from the file
.sp
.nf
.ft C
-mongorestore \-\-archive=test.20150715.archive \-\-db test
+mongorestore \-\-archive=test.20150715.archive \-\-nsInclude "test.*"
.ft P
.fi
.UNINDENT
.UNINDENT
-.SS Restore a Database from Standard Input
+.SS Restore from Compressed Data
.sp
-New in version 3.2.
+New in version 3.2: With the \fB\-\-gzip\fP option, \fI\%mongorestore\fP can restore from
+compressed files or data stream created by \fBmongodump\fP\&.
.sp
-To restore from the standard input, run \fI\%mongorestore\fP
-with the \fBarchive\fP option but \fIomit\fP the filename. For example:
+To restore from a dump directory that contains compressed files, run
+\fI\%mongorestore\fP with the \fI\%\-\-gzip\fP\&. For example, the following operation restores the \fBtest\fP
+database from the compressed files located in the default \fBdump\fP
+directory:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
-mongodump \-\-archive \-\-db test \-\-port 27017 | mongorestore \-\-archive \-\-port 27018
+mongorestore \-\-gzip \-\-nsInclude "test.*" dump/
.ft P
.fi
.UNINDENT
.UNINDENT
-.SS Restore from Compressed Data
.sp
-New in version 3.2: With the \fB\-\-gzip\fP option, \fI\%mongorestore\fP can restore from
-compressed files or data stream created by \fBmongodump\fP\&.
-
-.sp
-To restore from a dump directory that contains compressed files, run
-\fI\%mongorestore\fP with the new \fB\-\-gzip\fP option. For
-example, the following operation restores the \fBtest\fP database from
-the compressed files located in the default \fBdump\fP directory:
+To restore from a compressed archive file, run
+\fI\%mongorestore\fP with the \fI\%\-\-gzip\fP option and the \fI\%\-\-archive\fP
+option. For example, the following operation restores the \fBtest\fP
+database from the archive file \fBtest.20150715.gz\fP\&.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
-mongorestore \-\-gzip \-\-db test
+mongorestore \-\-gzip \-\-archive=test.20150715.gz \-\-nsInclude "test.*"
.ft P
.fi
.UNINDENT
.UNINDENT
+.SS Restore a Database from Standard Input
.sp
-To restore from a compressed archive file, run \fI\%mongorestore\fP
-with the \fB\-\-gzip\fP option in conjunction with the new \fB\-\-archive\fP
-option. For example, the following operation restores the \fBtest\fP
-database from the archive file \fBtest.20150715.gz\fP\&.
+New in version 3.2.
+
+.sp
+To restore from the standard input, run \fI\%mongorestore\fP
+with the \fI\%\-\-archive\fP option but \fIomit\fP
+the filename. For example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
-mongorestore \-\-gzip \-\-archive=test.20150715.gz \-\-db test
+mongodump \-\-archive \-\-db test \-\-port 27017 | mongorestore \-\-archive \-\-port 27018
.ft P
.fi
.UNINDENT
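Review bot: In the added "Restore from Compressed Data" text, "run mongorestore with the --gzip. For example" lost the word "option" that the removed line had ("with the new --gzip option"). In the same section, "compressed files or data stream created by mongodump" should read "or a data stream". Both come from the reStructuredText source, so the fix belongs there before regenerating.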
@@ -1195,6 +1466,6 @@ mongorestore \-\-gzip \-\-archive=test.20150715.gz \-\-db test
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2018
+2008-2019
.\" Generated by docutils manpage writer.
.
diff --git a/debian/mongos.1 b/debian/mongos.1
index 72fb11495e8..f1a5c14f9b6 100644
--- a/debian/mongos.1
+++ b/debian/mongos.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGOS" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
+.TH "MONGOS" "1" "Jul 25, 2019" "4.2" "mongodb-manual"
.SH NAME
mongos \- MongoDB Sharded Cluster Query Router
.
@@ -41,26 +41,52 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.UNINDENT
.SH SYNOPSIS
.sp
-\fI\%mongos\fP for “MongoDB Shard,” is a routing service for
-MongoDB shard configurations that processes queries from the
-application layer, and determines the location of this data in the
-sharded cluster, in order to complete these operations.
-From the perspective of the application, a
-\fI\%mongos\fP instance behaves identically to any other MongoDB
-instance.
-.sp
-\fBNOTE:\fP
+For a sharded cluster, the \fI\%mongos\fP
+instances provide the interface between the client applications and the
+sharded cluster. The \fI\%mongos\fP instances route queries and
+write operations to the shards. From the perspective of the
+application, a \fI\%mongos\fP instance behaves identically to
+any other MongoDB instance.
+.SH CONSIDERATIONS
.INDENT 0.0
-.INDENT 3.5
+.IP \(bu 2
+Never change the name of the \fI\%mongos\fP binary.
+.IP \(bu 2
Starting in version 4.0, MongoDB disables support for TLS 1.0
encryption on systems where TLS 1.1+ is available. For
more details, see 4.0\-disable\-tls\&.
+.IP \(bu 2
+Starting in MongoDB 4.0, the \fI\%mongos\fP binary will crash when
+attempting to connect to \fBmongod\fP instances whose
+feature compatibility version (fCV) is greater than
+that of the \fI\%mongos\fP\&. For example, you cannot connect
+a MongoDB 4.0 version \fI\%mongos\fP to a 4.2
+sharded cluster with fCV set to 4.2\&. You
+can, however, connect a MongoDB 4.0 version
+\fI\%mongos\fP to a 4.2 sharded cluster with fCV set to 4.0\&.
.UNINDENT
-.UNINDENT
-.SH CONSIDERATIONS
-.sp
-Never change the name of the \fI\%mongos\fP binary.
.SH OPTIONS
+.sp
+\fBSEE ALSO:\fP
+.INDENT 0.0
+.INDENT 3.5
+conf\-file\-command\-line\-mapping
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.IP "Starting in version 4.2"
+.INDENT 0.0
+.IP \(bu 2
+MongoDB deprecates the SSL options and insteads adds new
+corresponding TLS options.
+.IP \(bu 2
+MongoDB adds
+\fI\%\-\-tlsClusterCAFile\fP/\fBnet.tls.clusterCAFile\fP\&. (Also availalbe
+in 3.4.18+, 3.6.9+, 4.0.3+)
+.UNINDENT
+.UNINDENT
+.UNINDENT
.SS Core Options
.INDENT 0.0
.TP
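Review bot: The new "Starting in version 4.2" box has two typos, "insteads adds" and "availalbe", which should be "instead adds" and "available". In the CONSIDERATIONS list, "the mongos binary will crash" is imprecise for an operator trying to recognise the failure in logs; say whether it exits with an error at startup or aborts, and what message to expect.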
@@ -87,6 +113,61 @@ including UTF\-8.
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-configExpand <none|rest|exec>
+\fIDefault\fP: none
+.sp
+New in version 4.2.
+
+.sp
+Enables using Expansion Directives
+in configuration files. Expansion directives allow you to set
+externally sourced values for configuration file options.
+.sp
+\fI\%\-\-configExpand\fP supports the following expansion directives:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T} T{
+Description
+T}
+_
+T{
+\fBnone\fP
+T} T{
+Default. \fBmongos\fP does not expand expansion directives.
+\fBmongos\fP fails to start if any configuration file settings
+use expansion directives.
+T}
+_
+T{
+\fBrest\fP
+T} T{
+\fBmongos\fP expands \fB__rest\fP expansion directives when
+parsing the configuration file.
+T}
+_
+T{
+\fBexec\fP
+T} T{
+\fBmongos\fP expands \fB__exec\fP expansion directives when
+parsing the configuration file.
+T}
+_
+.TE
+.sp
+You can specify multiple expansion directives as a comma\-separated
+list, e.g. \fBrest, exec\fP\&. If the configuration file contains
+expansion directives not specified to \fI\%\-\-configExpand\fP, the \fBmongos\fP
+returns an error and terminates.
+.sp
+See externally\-sourced\-values for configuration files
+for more information on expansion directives.
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-verbose, \-v
Increases the amount of internal reporting returned on standard output
or in log files. Increase the verbosity with the \fB\-v\fP form by
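Review bot: The comma-separated example in the --configExpand text is written as "rest, exec" with a space after the comma. Typed on a command line that space splits the value into two arguments, so show it as "rest,exec" or state that the value must be quoted. The table rows for rest and exec also say only that the directives are expanded; one sentence on where each takes its value from would let a reader judge what they are enabling without leaving the page.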
@@ -115,26 +196,26 @@ connection closed events
.B \-\-port <port>
\fIDefault\fP: 27017
.sp
-Specifies the TCP port on which the MongoDB instance listens for
+The TCP port on which the \fI\%mongos\fP instance listens for
client connections.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-bind_ip <ip address>
+.B \-\-bind_ip <hostnames|ipaddresses|Unix domain socket paths>
\fIDefault\fP: localhost
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
Starting in MongoDB 3.6, \fBmongos\fP bind to localhost
-(\fB127.0.0.1\fP) by default. See 3.6\-bind\-to\-localhost\&.
+by default. See 3.6\-bind\-to\-localhost\&.
.UNINDENT
.UNINDENT
.sp
-The IP addresses and/or full Unix domain socket paths on which
-\fBmongos\fP should listen for client connections. You may attach
-\fBmongos\fP to any interface. To bind to multiple addresses, enter a
-list of comma\-separated values.
+The hostnames and/or IP addresses and/or full Unix domain socket
+paths on which \fBmongos\fP should listen for client connections. You
+may attach \fBmongos\fP to any interface. To bind to multiple
+addresses, enter a list of comma\-separated values.
.INDENT 7.0
.INDENT 3.5
.SS Example
@@ -143,26 +224,83 @@ list of comma\-separated values.
.UNINDENT
.UNINDENT
.sp
+You can specify both IPv4 and IPv6 addresses, or hostnames that
+resolve to an IPv4 or IPv6 address.
+.INDENT 7.0
+.INDENT 3.5
+.SS Example
+.sp
+\fBlocalhost, 2001:0DB8:e132:ba26:0d5c:2774:e7f9:d513\fP
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+If specifying an IPv6 address \fIor\fP a hostname that resolves to an
+IPv6 address to \fI\%\-\-bind_ip\fP, you must start \fBmongos\fP with
+\fI\%\-\-ipv6\fP to enable IPv6 support. Specifying an IPv6 address
+to \fI\%\-\-bind_ip\fP does not enable IPv6 support.
+.UNINDENT
+.UNINDENT
+.sp
+If specifying a
+\fI\%link\-local IPv6 address\fP
+(\fBfe80::/10\fP), you must append the
+\fI\%zone index\fP
+to that address (i.e. \fBfe80::<address>%<adapter\-name>\fP).
+.INDENT 7.0
+.INDENT 3.5
+.SS Example
+.sp
+\fBlocalhost,fe80::a00:27ff:fee0:1fcf%enp0s3\fP
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.INDENT 3.5
+.SS Tip
+.sp
+When possible, use a logical DNS hostname instead of an ip address,
+particularly when configuring replica set members or sharded cluster
+members. The use of logical DNS hostnames avoids configuration
+changes due to ip address changes.
+.UNINDENT
+.UNINDENT
+.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-Before you bind to other ip addresses, consider enabling
-access control and other security measures listed
-in /administration/security\-checklist to prevent unauthorized
-access.
+Before binding to a non\-localhost (e.g. publicly accessible)
+IP address, ensure you have secured your cluster from unauthorized
+access. For a complete list of security recommendations, see
+/administration/security\-checklist\&. At minimum, consider
+enabling authentication and
+hardening network infrastructure\&.
.UNINDENT
.UNINDENT
.sp
+For more information about IP Binding, refer to the
+/core/security\-mongodb\-configuration documentation.
+.sp
To bind to all IPv4 addresses, enter \fB0.0.0.0\fP\&.
.sp
-To bind to all IPv4 and IPv6 addresses, enter \fB0.0.0.0,::\fP
-or alternatively, use the \fBnet.bindIpAll\fP setting.
+To bind to all IPv4 and IPv6 addresses, enter \fB::,0.0.0.0\fP or
+starting in MongoDB 4.2, an asterisk \fB"*"\fP (enclose the asterisk in
+quotes to avoid filename pattern expansion). Alternatively, use the
+\fBnet.bindIpAll\fP setting.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-\fB\-\-bind_ip\fP and \fB\-\-bind_ip_all\fP are mutually exclusive. That
-is, you can specify one or the other, but not both.
+.INDENT 0.0
+.IP \(bu 2
+\fB\-\-bind_ip\fP and \fB\-\-bind_ip_all\fP are mutually exclusive.
+Specifying both options causes \fBmongos\fP to throw an error and
+terminate.
+.IP \(bu 2
+The command\-line option \fB\-\-bind\fP overrides the configuration
+file setting \fBnet.bindIp\fP\&.
+.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
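Review bot: The second bullet of the rewritten NOTE says "The command-line option --bind overrides the configuration file setting net.bindIp", but the option documented here is --bind_ip; "--bind" is not an option named anywhere in this section. The two new examples are also inconsistent: "localhost, 2001:0DB8:..." has a space after the comma and "localhost,fe80::a00:27ff:fee0:1fcf%enp0s3" does not. Use the form without the space in both, since that is what works unquoted on a command line.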
@@ -172,23 +310,32 @@ is, you can specify one or the other, but not both.
New in version 3.6.
.sp
-If specified, the \fBmongos\fP instance binds to all ip addresses. When
-attaching \fBmongos\fP to a publicly accessible interface, ensure
-that you have implemented proper authentication and firewall
-restrictions to protect the integrity of your database.
+If specified, the \fBmongos\fP instance binds to all IPv4
+addresses (i.e. \fB0.0.0.0\fP). If \fBmongos\fP starts with
+\fI\%\-\-ipv6\fP, \fI\%\-\-bind_ip_all\fP also binds to all IPv6 addresses
+(i.e. \fB::\fP).
+.sp
+\fBmongos\fP only supports IPv6 if started with \fI\%\-\-ipv6\fP\&. Specifying
+\fI\%\-\-bind_ip_all\fP alone does not enable IPv6 support.
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-Before you bind to other ip addresses, consider enabling
-access control and other security measures listed
-in /administration/security\-checklist to prevent unauthorized
-access.
+Before binding to a non\-localhost (e.g. publicly accessible)
+IP address, ensure you have secured your cluster from unauthorized
+access. For a complete list of security recommendations, see
+/administration/security\-checklist\&. At minimum, consider
+enabling authentication and
+hardening network infrastructure\&.
.UNINDENT
.UNINDENT
.sp
-Alternatively, you can set the \fB\-\-bind_ip\fP option to
-\fB0.0.0.0,::\fP to bind to all IP addresses.
+For more information about IP Binding, refer to the
+/core/security\-mongodb\-configuration documentation.
+.sp
+Alternatively, you can set the \fB\-\-bind_ip\fP option to \fB::,0.0.0.0\fP
+or, starting in MongoDB 4.2, to an asterisk \fB"*"\fP (enclose the
+asterisk in quotes to avoid filename pattern expansion).
.sp
\fBNOTE:\fP
.INDENT 7.0
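Review bot: The mutual-exclusion NOTE that closes the --bind_ip_all entry is left unchanged (the next hunk header still reads "is, you can specify one or the other, but not both."), while the matching NOTE under --bind_ip was rewritten in the previous hunk to say that specifying both makes mongos throw an error and terminate. Use the same wording in both entries so the failure behaviour is documented consistently.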
@@ -203,7 +350,7 @@ is, you can specify one or the other, but not both.
.B \-\-maxConns <number>
The maximum number of simultaneous connections that \fBmongos\fP will
accept. This setting has no effect if it is higher than your operating
-system’s configured maximum connection tracking threshold.
+system\(aqs configured maximum connection tracking threshold.
.sp
Do not assign too low of a value to this option, or you will
encounter errors during normal application operation.
@@ -232,8 +379,8 @@ setting.
.INDENT 0.0
.TP
.B \-\-syslog
-Sends all logging output to the host’s syslog system rather
-than to standard output or to a log file. , as with \fI\%\-\-logpath\fP\&.
+Sends all logging output to the host\(aqs syslog system rather
+than to standard output or to a log file (\fI\%\-\-logpath\fP).
.sp
The \fI\%\-\-syslog\fP option is not supported on Windows.
.sp
@@ -247,6 +394,18 @@ recommend using the \fI\%\-\-logpath\fP option for production systems to
ensure accurate timestamps.
.UNINDENT
.UNINDENT
+.sp
+Starting in version 4.2, MongoDB includes the component in its log messages to \fBsyslog\fP\&.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\&... ACCESS [repl writer worker 5] Unsupported modification to roles collection ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
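Review bot: The added sentence says the syslog message now includes "the component", but the sample line does not say which token that is. State that ACCESS is the component in "... ACCESS [repl writer worker 5] ...". The sample also looks like it was taken from a replica set member rather than a mongos; a line a mongos would actually emit would be less confusing on this page.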
@@ -255,14 +414,14 @@ ensure accurate timestamps.
.sp
Specifies the facility level used when logging messages to syslog.
The value you specify must be supported by your
-operating system’s implementation of syslog. To use this option, you
+operating system\(aqs implementation of syslog. To use this option, you
must enable the \fI\%\-\-syslog\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-logpath <path>
Sends all diagnostic logging information to a log file instead of to
-standard output or to the host’s syslog system. MongoDB creates
+standard output or to the host\(aqs syslog system. MongoDB creates
the log file at the path you specify.
.sp
By default, MongoDB will move any existing log file rather than overwrite
@@ -287,8 +446,10 @@ potentially sensitive data stored on the database to the diagnostic log.
Metadata such as error or operation codes, line numbers, and source file
names are still visible in the logs.
.sp
-Use \fI\%\-\-redactClientLogData\fP in conjunction with encryption to assist compliance with regulatory
-requirements.
+Use \fI\%\-\-redactClientLogData\fP in conjunction with
+/core/security\-encryption\-at\-rest and
+/core/security\-transport\-encryption to assist compliance with
+regulatory requirements.
.sp
For example, a MongoDB deployment might store Personally Identifiable
Information (PII) in one or more collections. The \fBmongos\fP logs events
@@ -377,6 +538,21 @@ that MongoDB instances use to authenticate to each other in a
sharded cluster or replica set\&. \fI\%\-\-keyFile\fP implies
\fBclient authorization\fP\&. See inter\-process\-auth for more
information.
+.sp
+Starting in MongoDB 4.2, keyfiles for internal membership
+authentication use YAML format to allow for
+multiple keys in a keyfile. The YAML format accepts content of:
+.INDENT 7.0
+.IP \(bu 2
+a single key string (same as in earlier versions),
+.IP \(bu 2
+multiple key strings (each string must be enclosed in quotes), or
+.IP \(bu 2
+sequence of key strings.
+.UNINDENT
+.sp
+The YAML format is compatible with the existing single\-key
+keyfiles that use the text file format.
.UNINDENT
.INDENT 0.0
.TP
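Review bot: The new keyfile paragraph lists "multiple key strings (each string must be enclosed in quotes)" and "sequence of key strings" as separate forms without showing either, so the difference between them is not clear from the text. Add a short example of each form, and say what mongos does with more than one key (which key it sends and which keys it accepts), since that is what an operator needs to know before putting a second key in the file.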
@@ -399,7 +575,7 @@ always listens on the UNIX socket unless one of the following is true:
.IP \(bu 2
\fBnet.bindIp\fP is not set
.IP \(bu 2
-\fBnet.bindIp\fP does not specify \fB127.0.0.1\fP
+\fBnet.bindIp\fP does not specify \fBlocalhost\fP or its associated IP address
.UNINDENT
.sp
New in version 2.6: \fBmongos\fP installed from official \&.deb and \&.rpm packages
@@ -426,7 +602,7 @@ creates and listens on a UNIX socket unless one of the following is true:
.IP \(bu 2
\fBnet.bindIp\fP is not set
.IP \(bu 2
-\fBnet.bindIp\fP does not specify \fB127.0.0.1\fP
+\fBnet.bindIp\fP does not specify \fBlocalhost\fP or its associated IP address
.UNINDENT
.UNINDENT
.INDENT 0.0
@@ -482,21 +658,42 @@ prior to restarting \fBmongos\fP without \fI\%\-\-transitionToAuth\fP\&.
.INDENT 0.0
.TP
.B \-\-networkMessageCompressors <string>
-New in version 3.4.
-
+\fIDefault\fP: snappy,zstd,zlib
.sp
-Changed in version 3.6: Add support for zlib compressor.
+New in version 3.4.
.sp
-Enables network compression for communication between this
-\fBmongos\fP instance and:
+Specifies the default compressor(s) to use for
+communication between this \fBmongos\fP instance and:
.INDENT 7.0
.IP \(bu 2
other members of the sharded cluster
.IP \(bu 2
-a \fBmongo\fP shell.
+a \fBmongo\fP shell
+.IP \(bu 2
+drivers that support the \fBOP_COMPRESSED\fP message format.
.UNINDENT
.sp
+MongoDB supports the following compressors:
+.INDENT 7.0
+.IP \(bu 2
+snappy
+.IP \(bu 2
+zlib (Available starting in MongoDB 3.6)
+.IP \(bu 2
+zstd (Available starting in MongoDB 4.2)
+.UNINDENT
+.sp
+\fBIn versions 3.6 and 4.0\fP, \fBmongod\fP and
+\fI\%mongos\fP enable network compression by default with
+\fBsnappy\fP as the compressor.
+.sp
+\fBStarting in version 4.2\fP, \fBmongod\fP and
+\fI\%mongos\fP instances default to both \fBsnappy,zstd,zlib\fP
+compressors, in that order.
+.sp
+To disable network compression, set the value to \fBdisabled\fP\&.
+.sp
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
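Review bot: "default to both snappy,zstd,zlib compressors, in that order" uses "both" for three items; drop "both". The new "Default: snappy,zstd,zlib" line at the top of the entry only holds from 4.2 on, as the paragraphs below explain, so qualify it (for example "Default: snappy,zstd,zlib (4.2)") rather than leaving two defaults on the page.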
@@ -506,14 +703,6 @@ uncompressed.
.UNINDENT
.UNINDENT
.sp
-You can specify the following compressors:
-.INDENT 7.0
-.IP \(bu 2
-snappy (Default)
-.IP \(bu 2
-zlib
-.UNINDENT
-.sp
If you specify multiple compressors, then the order in which you list
the compressors matter as well as the communication initiator. For
example, if a \fBmongo\fP shell specifies the following network
@@ -596,6 +785,19 @@ mongos \-\-timeZoneInfo timezonedb\-2017b/
.UNINDENT
.UNINDENT
.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-outputConfig
+New in version 4.2.
+
+.sp
+Outputs the resolved YAML configuration document for the \fBmongos\fP
+to \fBstdout\fP and halts the \fBmongos\fP instance. For configuration
+options using externally\-sourced\-values, \fI\%\-\-outputConfig\fP returns the
+resolved value for those options. This may include any configured
+passwords or secrets previously obfuscated through the external
+source.
+.UNINDENT
.SS Sharded Cluster Options
.INDENT 0.0
.TP
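Review bot: The --outputConfig entry mentions only in its last sentence, as plain body text, that the output "may include any configured passwords or secrets". This page already uses WARNING blocks for --bind_ip; the same treatment fits here, with a note that the resolved document goes to stdout and so ends up wherever stdout is captured. "previously obfuscated through the external source" is also unclear: say that values fetched through expansion directives are printed in resolved form.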
@@ -619,7 +821,7 @@ at least one of the members of the config server replica set.
.nf
.ft C
sharding:
- configDB: <configReplSetName>/cfg1.example.net:27017, cfg2.example.net:27017,...
+ configDB: <configReplSetName>/cfg1.example.net:27019, cfg2.example.net:27019,...
.ft P
.fi
.UNINDENT
@@ -637,7 +839,7 @@ port of different members of the replica set.
Specifies the ping time, in milliseconds, that \fI\%mongos\fP uses
to determine which secondary replica set members to pass read
operations from clients. The default value of \fB15\fP corresponds to
-the default value in all of the client drivers\&.
+the default value in all of the client \fI\%drivers\fP\&.
.sp
When \fI\%mongos\fP receives a request that permits reads to
secondary members, the \fI\%mongos\fP will:
@@ -664,40 +866,23 @@ See the replica\-set\-read\-preference\-behavior\-member\-selection
section of the read preference
documentation for more information.
.UNINDENT
-.SS TLS/SSL Options
+.SS TLS Options
.INDENT 0.0
.INDENT 3.5
.SS See
.sp
/tutorial/configure\-ssl for full
-documentation of MongoDB’s support.
-.UNINDENT
+documentation of MongoDB\(aqs support.
.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-sslOnNormalPorts
-Deprecated since version 2.6: Use \fI\%\-\-sslMode requireSSL\fP instead.
-
-.sp
-Enables TLS/SSL for \fBmongos\fP\&.
-.sp
-With \fI\%\-\-sslOnNormalPorts\fP, a \fBmongos\fP requires TLS/SSL encryption for all
-connections on the default MongoDB port, or the port specified by
-\fI\%\-\-port\fP\&. By default, \fI\%\-\-sslOnNormalPorts\fP is
-disabled.
-.sp
-For more information about TLS/SSL and MongoDB, see
-/tutorial/configure\-ssl and
-/tutorial/configure\-ssl\-clients .
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslMode <mode>
-New in version 2.6.
+.B \-\-tlsMode <mode>
+New in version 4.2.
.sp
-Enables TLS/SSL or mixed TLS/SSL used for all network connections. The
-argument to the \fI\%\-\-sslMode\fP option can be one of the following:
+Enables TLS used for all network connections. The
+argument to the \fI\%\-\-tlsMode\fP option can be one of the following:
.TS
center;
|l|l|.
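Review bot: "Enables TLS used for all network connections" in the --tlsMode entry is a leftover from deleting "or mixed TLS/SSL" and no longer parses; "Enables TLS for all network connections" says the same thing. The "See" box under the renamed "TLS Options" heading still ends in "for full documentation of MongoDB's support" without saying support for what; add "for TLS".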
@@ -711,70 +896,98 @@ _
T{
\fBdisabled\fP
T} T{
-The server does not use TLS/SSL.
+The server does not use TLS.
T}
_
T{
-\fBallowSSL\fP
+\fBallowTLS\fP
T} T{
-Connections between servers do not use TLS/SSL. For incoming
-connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
+Connections between servers do not use TLS. For incoming
+connections, the server accepts both TLS and non\-TLS.
T}
_
T{
-\fBpreferSSL\fP
+\fBpreferTLS\fP
T} T{
-Connections between servers use TLS/SSL. For incoming
-connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
+Connections between servers use TLS. For incoming
+connections, the server accepts both TLS and non\-TLS.
T}
_
T{
-\fBrequireSSL\fP
+\fBrequireTLS\fP
T} T{
-The server uses and accepts only TLS/SSL encrypted connections.
+The server uses and accepts only TLS encrypted connections.
T}
_
.TE
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+If \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP is not
specified and you are not using x.509 authentication, the
system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+TLS\-enabled server.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+If using x.509 authentication, \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP\&.
.sp
-For more information about TLS/SSL and MongoDB, see
+For more information about TLS and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
.UNINDENT
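Review bot: The configuration-file names in "If --tlsCAFile or tls.CAFile is not specified" and "--tlsCAFile or tls.CAFile must be specified" do not match the form used earlier in this patch, which writes the cluster setting as net.tls.clusterCAFile. Use the full net.tls.CAFile path here so a reader can paste it into a config file. "connecting to an TLS-enabled server" should be "a TLS-enabled server".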
.INDENT 0.0
.TP
-.B \-\-sslPEMKeyFile <filename>
-Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
-and key. Specify the file name of the \fB\&.pem\fP file using relative
-or absolute paths.
+.B \-\-tlsCertificateKeyFile <filename>
+New in version 4.2.
+
.sp
-You must specify \fI\%\-\-sslPEMKeyFile\fP when TLS/SSL is enabled.
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of specifying a PEM file. See
+\fI\%\-\-tlsCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
.sp
-For more information about TLS/SSL and MongoDB, see
+Specifies the \fB\&.pem\fP file that contains both the TLS certificate
+and key.
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, you must specify \fI\%\-\-tlsCertificateKeyFile\fP when TLS is enabled.
+.IP \(bu 2
+On Windows or macOS, you must specify either \fI\%\-\-tlsCertificateKeyFile\fP or
+\fI\%\-\-tlsCertificateSelector\fP when TLS is enabled.
+.UNINDENT
+.sp
+For more information about TLS and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslPEMKeyPassword <value>
+.B \-\-tlsCertificateKeyFilePassword <value>
+New in version 4.2.
+
+.sp
Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
+\fI\%\-\-tlsCertificateKeyFile\fP). Use the \fI\%\-\-tlsCertificateKeyFilePassword\fP option only if the
certificate\-key file is encrypted. In all cases, the \fBmongos\fP will
redact the password from all logging and reporting output.
.sp
-Changed in version 2.6: If the private key in the PEM file is encrypted and you do not
-specify the \fI\%\-\-sslPEMKeyPassword\fP option, the \fBmongos\fP will prompt for a
+Starting in MongoDB 4.0:
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, if the private key in the PEM file is encrypted and
+you do not specify the \fI\%\-\-tlsCertificateKeyFilePassword\fP option, MongoDB will prompt for a
passphrase. See ssl\-certificate\-password\&.
-
+.IP \(bu 2
+On macOS or Windows, if the private key in the PEM file is
+encrypted, you must explicitly specify the \fI\%\-\-tlsCertificateKeyFilePassword\fP option.
+Alternatively, you can use a certificate from the secure system
+store (see \fI\%\-\-tlsCertificateSelector\fP) instead of a PEM file or use an
+unencrypted PEM file.
+.UNINDENT
.sp
-For more information about TLS/SSL and MongoDB, see
+For more information about TLS and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
.UNINDENT
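Review bot: The --tlsCertificateKeyFilePassword text only promises that mongos will "redact the password from all logging and reporting output"; it does not say whether a value passed on the command line is also hidden from the process argument list. Say so explicitly, and on Linux/BSD point readers to the passphrase prompt described in the first bullet as the way to avoid putting the password in argv at all. "de-crypt" should be "decrypt".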
@@ -831,13 +1044,406 @@ T}
_
.TE
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+If \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP is not
specified and you are not using x.509 authentication, the
system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+TLS\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP\&.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsClusterFile <filename>
+New in version 4.2.
+
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in 4.0, on macOS or Windows, you can use a certificate
+from the operating system\(aqs secure store instead of a PEM
+file. See \fI\%\-\-tlsClusterCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+Specifies the \fB\&.pem\fP file that contains the x.509 certificate\-key
+file for membership authentication
+for the cluster or replica set.
+.sp
+If \fI\%\-\-tlsClusterFile\fP does not specify the \fB\&.pem\fP file for internal cluster
+authentication or the alternative
+\fI\%\-\-tlsClusterCertificateSelector\fP, the cluster uses the
+\fB\&.pem\fP file specified in the \fI\%\-\-tlsCertificateKeyFile\fP option or
+the certificate returned by the \fI\%\-\-tlsCertificateSelector\fP\&.
+.sp
+If using x.509 authentication, \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP\&.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsClusterPassword <value>
+New in version 4.2.
+
+.sp
+Specifies the password to de\-crypt the x.509 certificate\-key file
+specified with \fB\-\-tlsClusterFile\fP\&. Use the \fI\%\-\-tlsClusterPassword\fP option only
+if the certificate\-key file is encrypted. In all cases, the \fBmongos\fP
+will redact the password from all logging and reporting output.
+.sp
+Starting in MongoDB 4.0:
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, if the private key in the x.509 file is encrypted and
+you do not specify the \fI\%\-\-tlsClusterPassword\fP option, MongoDB will prompt for a
+passphrase. See ssl\-certificate\-password\&.
+.IP \(bu 2
+On macOS or Windows, if the private key in the x.509 file is
+encrypted, you must explicitly specify the \fI\%\-\-tlsClusterPassword\fP option.
+Alternatively, you can either use a certificate from the secure
+system store (see \fI\%\-\-tlsClusterCertificateSelector\fP) instead of a cluster PEM file or
+use an unencrypted PEM file.
+.UNINDENT
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsCAFile <filename>
+New in version 4.2.
+
+.sp
+Specifies the \fB\&.pem\fP file that contains the root certificate chain
+from the Certificate Authority. Specify the file name of the
+\fB\&.pem\fP file using relative or absolute paths.
+.sp
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of a PEM key file. See
+\fI\%\-\-tlsCertificateSelector\fP\&. When using the secure store, you
+do not need to, but can, also specify the \fI\%\-\-tlsCAFile\fP\&.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsClusterCAFile <filename>
+New in version 4.2.
+
+.sp
+Specifies the \fB\&.pem\fP file that contains the root certificate chain
+from the Certificate Authority used to validate the certificate
+presented by a client establishing a connection. Specify the file
+name of the \fB\&.pem\fP file using relative or absolute paths.
+.sp
+If \fI\%\-\-tlsClusterCAFile\fP does not specify the \fB\&.pem\fP file for validating the
+certificate from a client establishing a connection, the cluster uses
+the \fB\&.pem\fP file specified in the \fI\%\-\-tlsCAFile\fP option.
+.sp
+\fI\%\-\-tlsClusterCAFile\fP lets you use separate Certificate Authorities to verify the
+client to server and server to client portions of the TLS handshake.
+.sp
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of a PEM key file. See
+\fI\%\-\-tlsClusterCertificateSelector\fP\&. When using the secure store, you
+do not need to, but can, also specify the \fI\%\-\-tlsClusterCAFile\fP\&.
+.sp
+Requires that \fI\%\-\-tlsCAFile\fP is set.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsCertificateSelector <parameter>=<value>
+New in version 4.2: Available on Windows and macOS as an alternative to \fI\%\-\-tlsCertificateKeyFile\fP\&.
+.sp
+The \fI\%\-\-tlsCertificateKeyFile\fP and \fI\%\-\-tlsCertificateSelector\fP options are mutually exclusive. You can only
+specify one.
+
+.sp
+Specifies a certificate property in order to select a matching
+certificate from the operating system\(aqs certificate store.
+.sp
+\fI\%\-\-tlsCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
+where the property can be one of the following:
+.TS
+center;
+|l|l|l|.
+_
+T{
+Property
+T} T{
+Value type
+T} T{
+Description
+T}
+_
+T{
+\fBsubject\fP
+T} T{
+ASCII string
+T} T{
+Subject name or common name on certificate
+T}
+_
+T{
+\fBthumbprint\fP
+T} T{
+hex string
+T} T{
+A sequence of bytes, expressed as hexadecimal, used to
+identify a public key by its SHA\-1 digest.
+.sp
+The \fBthumbprint\fP is sometimes referred to as a
+\fBfingerprint\fP\&.
+T}
+_
+.TE
+.sp
+When using the system SSL certificate store, OCSP (Online
+Certificate Status Protocol) is used to validate the revocation
+status of certificates.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsClusterCertificateSelector <parameter>=<value>
+New in version 4.2: Available on Windows and macOS as an alternative to
+\fI\%\-\-tlsClusterFile\fP\&.
+.sp
+\fI\%\-\-tlsClusterFile\fP and \fI\%\-\-tlsClusterCertificateSelector\fP options are mutually exclusive. You can only
+specify one.
+
+.sp
+Specifies a certificate property in order to select a matching
+certificate from the operating system\(aqs certificate store to use for
+internal authentication.
+.sp
+\fI\%\-\-tlsClusterCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
+where the property can be one of the following:
+.TS
+center;
+|l|l|l|.
+_
+T{
+Property
+T} T{
+Value type
+T} T{
+Description
+T}
+_
+T{
+\fBsubject\fP
+T} T{
+ASCII string
+T} T{
+Subject name or common name on certificate
+T}
+_
+T{
+\fBthumbprint\fP
+T} T{
+hex string
+T} T{
+A sequence of bytes, expressed as hexadecimal, used to
+identify a public key by its SHA\-1 digest.
+.sp
+The \fBthumbprint\fP is sometimes referred to as a
+\fBfingerprint\fP\&.
+T}
+_
+.TE
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsCRLFile <filename>
+New in version 4.2.
+
+.sp
+Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
+List. Specify the file name of the \fB\&.pem\fP file using relative or
+absolute paths.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.0, you cannot specify \fI\%\-\-tlsCRLFile\fP on macOS. Use \fI\%\-\-tlsCertificateSelector\fP instead.
+.UNINDENT
+.UNINDENT
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsAllowConnectionsWithoutCertificates
+New in version 4.2.
+
+.sp
+For clients that do not present certificates, \fBmongos\fP bypasses
+TLS/SSL certificate validation when establishing the connection.
+.sp
+For clients that present a certificate, however, \fBmongos\fP performs
+certificate validation using the root certificate chain specified by
+\fB\-\-tlsCAFile\fP and reject clients with invalid certificates.
+.sp
+Use the \fI\%\-\-tlsAllowConnectionsWithoutCertificates\fP option if you have a mixed deployment that includes
+clients that do not or cannot present certificates to the \fBmongos\fP\&.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsAllowInvalidCertificates
+New in version 4.2.
+
+.sp
+Bypasses the validation checks for TLS certificates on other
+servers in the cluster and allows the use of invalid certificates to
+connect.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+If you specify
+\fB\-\-tlsAllowInvalidCertificates\fP or \fBtls.allowInvalidCertificates:
+true\fP when using x.509 authentication, an invalid certificate is
+only sufficient to establish a TLS connection but is
+\fIinsufficient\fP for authentication.
+.UNINDENT
+.UNINDENT
+.sp
+When using
+the \fI\%\-\-tlsAllowInvalidCertificates\fP setting, MongoDB
+logs a warning regarding the use of the invalid certificate.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsAllowInvalidHostnames
+New in version 4.2.
+
+.sp
+Disables the validation of the hostnames in TLS certificates,
+when connecting to other members of the replica set or sharded cluster
+for inter\-process authentication. This allows \fBmongos\fP to connect
+to other members if the hostnames in their certificates do not match
+their configured hostname.
+.sp
+For more information about TLS and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsDisabledProtocols <protocol(s)>
+New in version 4.2.
+
+.sp
+Prevents a MongoDB server running with TLS from accepting
+incoming connections that use a specific protocol or protocols. To
+specify multiple protocols, use a comma separated list of protocols.
+.sp
+\fI\%\-\-tlsDisabledProtocols\fP recognizes the following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP,
+\fBTLS1_2\fP, and starting in version 4.0.4 (and 3.6.9), \fBTLS1_3\fP\&.
+.INDENT 7.0
+.IP \(bu 2
+On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
+\fBTLS1_2\fP enabled. You must disable at least one of the other
+two, for example, \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+To list multiple protocols, specify as a comma separated list of
+protocols. For example \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+Specifying an unrecognized protocol will prevent the server from
+starting.
+.IP \(bu 2
+The specified disabled protocols overrides any default disabled
+protocols.
+.UNINDENT
+.sp
+Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS
+1.1+ is available on the system. To enable the disabled TLS 1.0,
+specify \fBnone\fP to \fI\%\-\-tlsDisabledProtocols\fP\&. See 4.0\-disable\-tls\&.
+.sp
+Members of replica sets and sharded clusters must speak at least one
+protocol in common.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+ssl\-disallow\-protocols
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tlsFIPSMode
+New in version 4.2.
+
+.sp
+Directs the \fBmongos\fP to use the FIPS mode of the TLS
+library. Your system must have a FIPS
+compliant library to use the \fI\%\-\-tlsFIPSMode\fP option.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+FIPS\-compatible TLS/SSL is
+available only in \fI\%MongoDB Enterprise\fP\&. See
+/tutorial/configure\-fips for more information.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS SSL Options (Deprecated)
+.sp
+\fBIMPORTANT:\fP
+.INDENT 0.0
+.INDENT 3.5
+All SSL options are deprecated since 4.2. Use the TLS counterparts
+instead, as they have identical functionality to the SSL options. The SSL
+protocol is deprecated and MongoDB supports TLS 1.0 and later.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.SS See
+.sp
+/tutorial/configure\-ssl for full
+documentation of MongoDB\(aqs support.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslOnNormalPorts
+Deprecated since version 2.6: Use \fI\%\-\-tlsMode requireTLS\fP instead.
+
+.sp
+Enables TLS/SSL for \fBmongos\fP\&.
+.sp
+With \fI\%\-\-sslOnNormalPorts\fP, a \fBmongos\fP requires TLS/SSL encryption for all
+connections on the default MongoDB port, or the port specified by
+\fI\%\-\-port\fP\&. By default, \fI\%\-\-sslOnNormalPorts\fP is
+disabled.
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
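Review bot: The added \-\-tlsCRLFile entry opens with "Specifies the the .pem file"; drop the doubled article, since these lines are new in this patch. In the same hunk, the "SSL Options (Deprecated)" block adds a nested ".SS See" heading whose body reads "for full documentation of MongoDB's support." with no object. Say what the support is for (the surrounding section is about TLS/SSL), and consider a plain paragraph instead of a subsection heading inside the indent.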
@@ -845,20 +1451,157 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslClusterFile <filename>
+.B \-\-sslMode <mode>
+Deprecated since version 4.2: Use \fI\%\-\-tlsMode\fP instead.
+
+.sp
New in version 2.6.
.sp
+Enables TLS/SSL or mixed TLS/SSL used for all network connections. The
+argument to the \fI\%\-\-sslMode\fP option can be one of the following:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T} T{
+Description
+T}
+_
+T{
+\fBdisabled\fP
+T} T{
+The server does not use TLS/SSL.
+T}
+_
+T{
+\fBallowSSL\fP
+T} T{
+Connections between servers do not use TLS/SSL. For incoming
+connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
+T}
+_
+T{
+\fBpreferSSL\fP
+T} T{
+Connections between servers use TLS/SSL. For incoming
+connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
+T}
+_
+T{
+\fBrequireSSL\fP
+T} T{
+The server uses and accepts only TLS/SSL encrypted connections.
+T}
+_
+.TE
+.sp
+Starting in version 3.4, if \fB\-\-tlsCAFile\fP/\fBnet.tls.CAFile\fP (or
+their aliases \fB\-\-sslCAFile\fP/\fBnet.ssl.CAFile\fP) is not specified
+and you are not using x.509 authentication, the system\-wide CA
+certificate store will be used when connecting to an TLS/SSL\-enabled
+server.
+.sp
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslPEMKeyFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsPEMKeyFile\fP instead.
+
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of a PEM file. See
+\fI\%\-\-sslCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
+and key.
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, you must specify \fI\%\-\-sslPEMKeyFile\fP when TLS/SSL is enabled.
+.IP \(bu 2
+On Windows or macOS, you must specify either \fI\%\-\-sslPEMKeyFile\fP or
+\fI\%\-\-sslCertificateSelector\fP when TLS/SSL is enabled.
+.UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslPEMKeyPassword <value>
+Deprecated since version 4.2: Use \fI\%\-\-tlsPEMKeyPassword\fP instead.
+
+.sp
+Specifies the password to de\-crypt the certificate\-key file (i.e.
+\fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
+certificate\-key file is encrypted. In all cases, the \fBmongos\fP will
+redact the password from all logging and reporting output.
+.sp
+Starting in MongoDB 4.0:
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, if the private key in the PEM file is encrypted and
+you do not specify the \fI\%\-\-sslPEMKeyPassword\fP option, MongoDB will prompt for a
+passphrase. See ssl\-certificate\-password\&.
+.IP \(bu 2
+On macOS or Windows, if the private key in the PEM file is
+encrypted, you must explicitly specify the \fI\%\-\-sslPEMKeyPassword\fP option.
+Alternatively, you can use a certificate from the secure system
+store (see \fI\%\-\-sslCertificateSelector\fP) instead of a PEM key file or use an
+unencrypted PEM file.
+.UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslClusterFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsClusterFile\fP instead.
+
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in 4.0, on macOS or Windows, you can use a certificate
+from the operating system\(aqs secure store instead of a PEM key
+file. See \fI\%\-\-sslClusterCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
Specifies the \fB\&.pem\fP file that contains the x.509 certificate\-key
file for membership authentication
for the cluster or replica set.
.sp
If \fI\%\-\-sslClusterFile\fP does not specify the \fB\&.pem\fP file for internal cluster
-authentication, the cluster uses the \fB\&.pem\fP file specified in the
-\fI\%\-\-sslPEMKeyFile\fP option.
+authentication or the alternative
+\fI\%\-\-sslClusterCertificateSelector\fP, the cluster uses the
+\fB\&.pem\fP file specified in the \fI\%\-\-sslPEMKeyFile\fP option or
+the certificate returned by the \fI\%\-\-sslCertificateSelector\fP\&.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
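Review bot: The deprecation notes added for \-\-sslPEMKeyFile and \-\-sslPEMKeyPassword point to \-\-tlsPEMKeyFile and \-\-tlsPEMKeyPassword, but every other reference in this patch calls the TLS counterpart \-\-tlsCertificateKeyFile. Check these two names against the TLS options section, so that an operator migrating off the deprecated flags is not sent to an option that is not documented. Separately, the x.509 paragraph, which appears twice in this hunk, writes the configuration key as "\-\-net.tls.certificateSelector" with a leading "\-\-" while the next sentence uses "net.ssl.certificateSelector" without it; the key should not carry the command-line prefix. "an TLS/SSL\-enabled" should read "a TLS/SSL\-enabled".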
@@ -867,6 +1610,9 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslClusterPassword <value>
+Deprecated since version 4.2: Use \fI\%\-\-tlsClusterPassword\fP instead.
+
+.sp
New in version 2.6.
.sp
@@ -875,9 +1621,19 @@ specified with \fB\-\-sslClusterFile\fP\&. Use the \fI\%\-\-sslClusterPassword\f
if the certificate\-key file is encrypted. In all cases, the \fBmongos\fP
will redact the password from all logging and reporting output.
.sp
-If the x.509 key file is encrypted and you do not specify the
-\fI\%\-\-sslClusterPassword\fP option, the \fBmongos\fP will prompt for a passphrase. See
-ssl\-certificate\-password\&.
+Starting in MongoDB 4.0:
+.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, if the private key in the x.509 file is encrypted and
+you do not specify the \fI\%\-\-sslClusterPassword\fP option, MongoDB will prompt for a
+passphrase. See ssl\-certificate\-password\&.
+.IP \(bu 2
+On macOS or Windows, if the private key in the x.509 file is
+encrypted, you must explicitly specify the \fI\%\-\-sslClusterPassword\fP option.
+Alternatively, you can either use a certificate from the secure
+system store (see \fI\%\-\-sslClusterCertificateSelector\fP) instead of a cluster PEM file or
+use an unencrypted PEM file.
+.UNINDENT
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
@@ -886,17 +1642,46 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslCAFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCAFile\fP instead.
+
+.sp
Specifies the \fB\&.pem\fP file that contains the root certificate chain
from the Certificate Authority. Specify the file name of the
\fB\&.pem\fP file using relative or absolute paths.
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
-specified and you are not using x.509 authentication, the
-system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of a PEM key file. See
+\fI\%\-\-sslCertificateSelector\fP\&. When using the secure store, you
+do not need to, but can, also specify the \fI\%\-\-sslCAFile\fP\&.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslClusterCAFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsClusterCAFile\fP instead.
+
+.sp
+Specifies the \fB\&.pem\fP file that contains the root certificate chain
+from the Certificate Authority used to validate the certificate
+presented by a client establishing a connection. Specify the file
+name of the \fB\&.pem\fP file using relative or absolute paths.
+.sp
+If \fI\%\-\-sslClusterCAFile\fP does not specify the \fB\&.pem\fP file for validating the
+certificate from a client establishing a connection, the cluster uses
+the \fB\&.pem\fP file specified in the \fI\%\-\-sslCAFile\fP option.
+.sp
+\fI\%\-\-sslClusterCAFile\fP lets you use separate Certificate Authorities to verify the
+client to server and server to client portions of the TLS handshake.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+Starting in 4.0, on macOS or Windows, you can use a certificate from
+the operating system\(aqs secure store instead of a PEM key file. See
+\fI\%\-\-sslClusterCertificateSelector\fP\&. When using the secure store, you
+do not need to, but can, also specify the \fI\%\-\-sslClusterCAFile\fP\&.
+.sp
+Requires that \fI\%\-\-sslCAFile\fP is set.
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
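Review bot: The \-\-sslCAFile entry loses both the system\-wide CA store fallback paragraph and the "If using x.509 authentication ... must be specified" requirement, and within this patch those statements now appear only under \-\-sslMode and \-\-sslClusterFile. A reader who looks up \-\-sslCAFile directly no longer sees when the file is mandatory, so keep a one-line requirement or a cross-reference here. In the new \-\-sslClusterCAFile entry, "Requires that \-\-sslCAFile is set" comes after the paragraph describing the fallback to \-\-sslCAFile; stating the requirement first would read more clearly.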
@@ -904,11 +1689,129 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-sslCertificateSelector <parameter>=<value>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCertificateSelector\fP instead.
+
+.sp
+New in version 4.0: Available on Windows and macOS as an alternative to \fI\%\-\-tlsCertificateKeyFile\fP\&.
+.sp
+\fI\%\-\-tlsCertificateKeyFile\fP and \fI\%\-\-sslCertificateSelector\fP options are mutually exclusive. You can only
+specify one.
+
+.sp
+Specifies a certificate property in order to select a matching
+certificate from the operating system\(aqs certificate store.
+.sp
+\fI\%\-\-sslCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
+where the property can be one of the following:
+.TS
+center;
+|l|l|l|.
+_
+T{
+Property
+T} T{
+Value type
+T} T{
+Description
+T}
+_
+T{
+\fBsubject\fP
+T} T{
+ASCII string
+T} T{
+Subject name or common name on certificate
+T}
+_
+T{
+\fBthumbprint\fP
+T} T{
+hex string
+T} T{
+A sequence of bytes, expressed as hexadecimal, used to
+identify a public key by its SHA\-1 digest.
+.sp
+The \fBthumbprint\fP is sometimes referred to as a
+\fBfingerprint\fP\&.
+T}
+_
+.TE
+.sp
+When using the system SSL certificate store, OCSP (Online
+Certificate Status Protocol) is used to validate the revocation
+status of certificates.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslClusterCertificateSelector <parameter>=<value>
+Deprecated since version 4.2: Use \fI\%\-\-tlsClusterCertificateSelector\fP instead.
+
+.sp
+New in version 4.0: Available on Windows and macOS as an alternative to
+\fI\%\-\-sslClusterFile\fP\&.
+.sp
+\fI\%\-\-sslClusterFile\fP and \fI\%\-\-sslClusterCertificateSelector\fP options are mutually exclusive. You can only
+specify one.
+
+.sp
+Specifies a certificate property in order to select a matching
+certificate from the operating system\(aqs certificate store to use for
+internal authentication.
+.sp
+\fI\%\-\-sslClusterCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
+where the property can be one of the following:
+.TS
+center;
+|l|l|l|.
+_
+T{
+Property
+T} T{
+Value type
+T} T{
+Description
+T}
+_
+T{
+\fBsubject\fP
+T} T{
+ASCII string
+T} T{
+Subject name or common name on certificate
+T}
+_
+T{
+\fBthumbprint\fP
+T} T{
+hex string
+T} T{
+A sequence of bytes, expressed as hexadecimal, used to
+identify a public key by its SHA\-1 digest.
+.sp
+The \fBthumbprint\fP is sometimes referred to as a
+\fBfingerprint\fP\&.
+T}
+_
+.TE
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-sslCRLFile <filename>
+Deprecated since version 4.2: Use \fI\%\-\-tlsCRLFile\fP instead.
+
+.sp
Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
List. Specify the file name of the \fB\&.pem\fP file using relative or
absolute paths.
.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.0, you cannot specify \fI\%\-\-sslCRLFile\fP on macOS. Use \fI\%\-\-sslCertificateSelector\fP instead.
+.UNINDENT
+.UNINDENT
+.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
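Review bot: The new \-\-sslCertificateSelector entry describes itself as an alternative to \-\-tlsCertificateKeyFile and says "\-\-tlsCertificateKeyFile and \-\-sslCertificateSelector options are mutually exclusive", mixing the tls and ssl spellings in one sentence. The sibling \-\-sslClusterCertificateSelector entry in this same hunk stays within the ssl names (\-\-sslClusterFile), so the file option named here should be the ssl one (\-\-sslPEMKeyFile) for consistency. The unchanged context line under \-\-sslCRLFile still reads "Specifies the the .pem file" and could be fixed while this entry is being touched.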
@@ -916,15 +1819,15 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslAllowConnectionsWithoutCertificates
-Disables the requirement for TLS/SSL certificate validation that
-\fB\-\-sslCAFile\fP enables. With the \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP option, the \fBmongos\fP
-will accept connections when the client does not present a certificate
-when establishing the connection.
+Deprecated since version 4.2: Use \fI\%\-\-tlsAllowConnectionsWithoutCertificates\fP instead.
+
.sp
-If the client presents a certificate and the \fBmongos\fP has \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP
-enabled, the \fBmongos\fP will validate the certificate using the root
-certificate chain specified by \fB\-\-sslCAFile\fP and reject clients
-with invalid certificates.
+For clients that do not present certificates, \fBmongos\fP bypasses
+TLS/SSL certificate validation when establishing the connection.
+.sp
+For clients that present a certificate, however, \fBmongos\fP performs
+certificate validation using the root certificate chain specified by
+\fB\-\-sslCAFile\fP and reject clients with invalid certificates.
.sp
Use the \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP option if you have a mixed deployment that includes
clients that do not or cannot present certificates to the \fBmongos\fP\&.
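Review bot: In the rewritten second paragraph the verbs do not agree: "mongos performs certificate validation ... and reject clients with invalid certificates" should read "and rejects clients". The same sentence is added for the \-\-tlsAllowConnectionsWithoutCertificates entry earlier in this patch and needs the same fix.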
@@ -936,6 +1839,9 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslAllowInvalidCertificates
+Deprecated since version 4.2: Use \fI\%\-\-tlsAllowInvalidCertificates\fP instead.
+
+.sp
Bypasses the validation checks for TLS/SSL certificates on other
servers in the cluster and allows the use of invalid certificates to
connect.
@@ -944,10 +1850,13 @@ connect.
.INDENT 7.0
.INDENT 3.5
Starting in MongoDB 4.0, if you specify
-\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
-true\fP when using x.509 authentication, an invalid certificate is
-only sufficient to establish a TLS/SSL connection but is
-\fIinsufficient\fP for authentication.
+\fB\-\-sslAllowInvalidCertificates\fP or
+\fBnet.ssl.allowInvalidCertificates: true\fP (or in MongoDB 4.2, the
+alias \fB\-\-tlsAllowInvalidateCertificates\fP or
+\fBnet.tls.allowInvalidCertificates: true\fP) when using x.509
+authentication, an invalid certificate is only sufficient to
+establish a TLS/SSL connection but is \fIinsufficient\fP for
+authentication.
.UNINDENT
.UNINDENT
.sp
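Review bot: The added line names the alias as "\-\-tlsAllowInvalidateCertificates", but the option documented earlier in this patch is \-\-tlsAllowInvalidCertificates. As written the note points at a flag name that does not match the documented one; correct the spelling so it matches the option heading and the "net.tls.allowInvalidCertificates: true" key on the following line.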
@@ -962,6 +1871,9 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslAllowInvalidHostnames
+Deprecated since version 4.2: Use \fI\%\-\-tlsAllowInvalidHostnames\fP instead.
+
+.sp
New in version 3.0.
.sp
@@ -978,6 +1890,9 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-sslDisabledProtocols <protocol(s)>
+Deprecated since version 4.2: Use \fI\%\-\-tlsDisabledProtocols\fP instead.
+
+.sp
New in version 3.0.7.
.sp
@@ -986,7 +1901,7 @@ incoming connections that use a specific protocol or protocols. To
specify multiple protocols, use a comma separated list of protocols.
.sp
\fI\%\-\-sslDisabledProtocols\fP recognizes the following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP,
-and \fBTLS1_2\fP\&.
+\fBTLS1_2\fP, and starting in version 4.0.4 (and 3.6.9), \fBTLS1_3\fP\&.
.INDENT 7.0
.IP \(bu 2
On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
@@ -1005,7 +1920,7 @@ protocols.
.sp
Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS
1.1+ is available on the system. To enable the disabled TLS 1.0,
-specify \fBnone\fP to \fI\%\-\-sslDisabledProtocols\fP\&. 4.0\-disable\-tls
+specify \fBnone\fP to \fI\%\-\-sslDisabledProtocols\fP\&. See 4.0\-disable\-tls\&.
.sp
Members of replica sets and sharded clusters must speak at least one
protocol in common.
@@ -1020,9 +1935,12 @@ ssl\-disallow\-protocols
.INDENT 0.0
.TP
.B \-\-sslFIPSMode
-Directs the \fBmongos\fP to use the FIPS mode of the installed OpenSSL
+Deprecated since version 4.2: Use \fI\%\-\-tlsFIPSMode\fP instead.
+
+.sp
+Directs the \fBmongos\fP to use the FIPS mode of the TLS/SSL
library. Your system must have a FIPS
-compliant OpenSSL library to use the \fI\%\-\-sslFIPSMode\fP option.
+compliant library to use the \fI\%\-\-sslFIPSMode\fP option.
.sp
\fBNOTE:\fP
.INDENT 7.0
@@ -1082,7 +2000,8 @@ _
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Available only in \fI\%MongoDB Enterprise\fP\&.
+Available only in \fI\%MongoDB Enterprise\fP
+and \fI\%MongoDB Atlas\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -1126,7 +2045,8 @@ performance more than printing to a file in BSON format.
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Available only in \fI\%MongoDB Enterprise\fP\&.
+Available only in \fI\%MongoDB Enterprise\fP
+and \fI\%MongoDB Atlas\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -1143,7 +2063,8 @@ option can take either a full path name or a relative path name.
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Available only in \fI\%MongoDB Enterprise\fP\&.
+Available only in \fI\%MongoDB Enterprise\fP
+and \fI\%MongoDB Atlas\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -1179,7 +2100,8 @@ the configuration file.
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Available only in \fI\%MongoDB Enterprise\fP\&.
+Available only in \fI\%MongoDB Enterprise\fP
+and \fI\%MongoDB Atlas\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -1195,11 +2117,12 @@ New in version 4.0.
The \fIslow\fP operation time threshold, in milliseconds. Operations
that run for longer than this threshold are considered \fIslow\fP\&.
.sp
-When \fBlogLevel\fP is set to \fB0\fP, MongoDB
-records \fIslow\fP operations to the diagnostic log at a rate determined by
-\fBslowOpSampleRate\fP\&. At higher
-\fBlogLevel\fP settings, all operations appear in the diagnostic
-log regardless of their latency.
+When \fBlogLevel\fP is set to \fB0\fP, MongoDB records \fIslow\fP
+operations to the diagnostic log at a rate determined by
+\fBslowOpSampleRate\fP\&.
+.sp
+At higher \fBlogLevel\fP settings, all operations appear
+in the diagnostic log regardless of their latency.
.sp
For \fI\%mongos\fP instances, affects the diagnostic
log only and not the profiler since profiling is not available on
@@ -1223,24 +2146,6 @@ only and not the profiler since profiling is not available on
New in version 4.0.
.UNINDENT
-.SS Text Search Options
-.INDENT 0.0
-.TP
-.B \-\-basisTechRootDirectory <path>
-New in version 3.2.
-
-.sp
-Specify the root directory of the Basis Technology Rosette
-Linguistics Platform installation to support additional languages for
-text search operations.
-.INDENT 7.0
-.INDENT 3.5
-.IP "Enterprise Feature"
-.sp
-Available in MongoDB Enterprise only.
-.UNINDENT
-.UNINDENT
-.UNINDENT
.SS LDAP Authentication and Authorization Options
.INDENT 0.0
.TP
@@ -1258,7 +2163,7 @@ If your LDAP infrastrucure partitions the LDAP directory over multiple LDAP
servers, specify \fIone\fP LDAP server any of its replicated instances to
\fI\%\-\-ldapServers\fP\&. MongoDB supports following LDAP referrals as defined in \fI\%RFC 4511
4.1.10\fP\&. Do not use \fI\%\-\-ldapServers\fP
-for listing every LDAP server in your infrastucture.
+for listing every LDAP server in your infrastructure.
.sp
This setting can be configured on a running \fBmongos\fP using
\fBsetParameter\fP\&.
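Review bot: This corrects "infrastucture" on the changed line, but the hunk header context shows the same paragraph still begins "If your LDAP infrastrucure partitions", so a second misspelling remains just above. The unchanged line "specify one LDAP server any of its replicated instances" also appears to be missing an "or"; both could be fixed in the same pass.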
@@ -1459,7 +2364,7 @@ By default, \fBmongos\fP creates a TLS/SSL secured connection to the LDAP
server.
.sp
For Linux deployments, you must configure the appropriate TLS Options in
-\fB/etc/openldap/ldap.conf\fP file. Your operating system’s package manager
+\fB/etc/openldap/ldap.conf\fP file. Your operating system\(aqs package manager
creates this file as part of the MongoDB Enterprise installation, via the
\fBlibldap\fP dependency. See the documentation for \fBTLS Options\fP in the
\fI\%ldap.conf OpenLDAP documentation\fP
@@ -1572,6 +2477,8 @@ authentication name matched by the \fBmatch\fP regex into a LDAP DN.
Each curly bracket\-enclosed numeric value is replaced by the
corresponding \fI\%regex capture group\fP extracted
from the authentication username via the \fBmatch\fP regex.
+.sp
+The result of the substitution must be an \fI\%RFC4514\fP escaped string.
T} T{
\fB"cn={0},ou=engineering,
dc=example,dc=com"\fP
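Review bot: The added sentence "The result of the substitution must be an RFC4514 escaped string" states a requirement without saying who satisfies it. Since the substituted values come from capture groups of the authentication username, the text should say whether the server escapes the captured values or whether the operator must ensure that the match expression only admits names that are already valid in a DN.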
@@ -1596,6 +2503,17 @@ T}
_
.TE
.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+An explanation of \fI\%RFC4514\fP,
+\fI\%RFC4515\fP,
+\fI\%RFC4516\fP, or LDAP queries is out
+of scope for the MongoDB Documentation. Please review the RFC directly or
+use your preferred LDAP resource.
+.UNINDENT
+.UNINDENT
+.sp
For each document in the array, you must use either \fBsubstitution\fP or
\fBldapQuery\fP\&. You \fIcannot\fP specify both in the same document.
.sp
@@ -1667,31 +2585,27 @@ when attempting to authenticate or authorize a user against the LDAP server.
.sp
This setting can be configured on a running \fBmongos\fP using the
\fBsetParameter\fP database command.
-.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-An explanation of \fI\%RFC4515\fP,
-\fI\%RFC4516\fP or LDAP queries is out
-of scope for the MongoDB Documentation. Please review the RFC directly or
-use your preferred LDAP resource.
-.UNINDENT
-.UNINDENT
.UNINDENT
.SS Additional Options
.INDENT 0.0
.TP
.B \-\-ipv6
Enables IPv6 support. \fBmongos\fP disables IPv6 support by default.
+.sp
+Setting \fI\%\-\-ipv6\fP does \fInot\fP direct the \fBmongos\fP to listen on any
+local IPv6 addresses or interfaces. To configure the \fBmongos\fP to
+listen on an IPv6 interface, you must either:
+.INDENT 7.0
+.IP \(bu 2
+Configure \fI\%\-\-bind_ip\fP with one or more IPv6 addresses or
+hostnames that resolve to IPv6 addresses, \fBor\fP
+.IP \(bu 2
+Set \fI\%\-\-bind_ip_all\fP to \fBtrue\fP\&.
.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-noscripting
-Disables the scripting engine.
.UNINDENT
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2018
+2008-2019
.\" Generated by docutils manpage writer.
.
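Review bot: In the new \-\-ipv6 text, the second bullet says "Set \-\-bind_ip_all to true", which reads like the configuration-file form in a page that documents command-line options; "Specify \-\-bind_ip_all" would match how the other switches in this page are described. This hunk also removes the \-\-noscripting entry without a replacement note, so it is worth confirming that the removal from the mongos page is intentional rather than a side effect of regenerating the file.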
diff --git a/debian/mongostat.1 b/debian/mongostat.1
index f4af7fb85f8..4cda514a21d 100644
--- a/debian/mongostat.1
+++ b/debian/mongostat.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGOSTAT" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
+.TH "MONGOSTAT" "1" "Jul 25, 2019" "4.2" "mongodb-manual"
.SH NAME
mongostat \- MongoDB Use Statistics
.
@@ -37,17 +37,21 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.IP \(bu 2
\fI\%Required Access\fP
.IP \(bu 2
+\fI\%Behavior\fP
+.IP \(bu 2
\fI\%Options\fP
.IP \(bu 2
\fI\%Fields\fP
.IP \(bu 2
-\fI\%Use\fP
+\fI\%Examples\fP
+.IP \(bu 2
+\fI\%Additional Information\fP
.UNINDENT
.INDENT 0.0
.INDENT 3.5
-.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.IP "macOS Sierra and Go 1.6 Incompatibility"
.sp
-Users running on Mac OSX Sierra require the 3.2.10 or newer version
+Users running on macOS Sierra require the 3.2.10 or newer version
of mongostat\&.
.UNINDENT
.UNINDENT
@@ -61,29 +65,6 @@ UNIX/Linux file system utility \fBvmstat\fP, but provides data regarding
\fBmongod\fP and \fBmongos\fP instances.
.sp
Run \fI\%mongostat\fP from the system command line, not the \fBmongo\fP shell.
-.sp
-\fBSEE ALSO:\fP
-.INDENT 0.0
-.INDENT 3.5
-For more information about monitoring MongoDB, see
-/administration/monitoring\&.
-.sp
-For more background on other MongoDB status outputs see:
-.INDENT 0.0
-.IP \(bu 2
-/reference/command/serverStatus
-.IP \(bu 2
-/reference/command/replSetGetStatus
-.IP \(bu 2
-/reference/command/dbStats
-.IP \(bu 2
-/reference/command/collStats
-.UNINDENT
-.sp
-For an additional utility that provides MongoDB metrics see
-mongotop\&.
-.UNINDENT
-.UNINDENT
.SH REQUIRED ACCESS
.sp
In order to connect to a \fBmongod\fP that enforces authorization
@@ -94,6 +75,15 @@ with the \fB\-\-auth\fP option, specify the
The built\-in role \fBclusterMonitor\fP provides this privilege as
well as other privileges. To create a role with just the privilege to
run \fI\%mongostat\fP, see create\-role\-for\-mongostat\&.
+.SH BEHAVIOR
+.SS FIPS
+.sp
+Starting in version 4.2, MongoDB removes the \fB\-\-sslFIPSMode\fP
+option for mongostat\&. mongostat
+will use FIPS compliant connections to
+\fBmongod\fP/\fBmongos\fP if the
+\fBmongod\fP/\fBmongos\fP instances are
+configured to use FIPS mode\&.
.SH OPTIONS
.INDENT 0.0
.TP
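Review bot: The new FIPS paragraph says --sslFIPSMode is removed but not what happens to an existing invocation that still passes it. As written, whether the connection is FIPS compliant is decided by the mongod/mongos configuration alone. Suggest stating whether the removed flag is rejected or ignored, and pointing to how an operator can confirm the server is running in FIPS mode. Minor: hyphenate "FIPS-compliant".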
@@ -123,50 +113,53 @@ New in version 3.4.6.
.sp
Specify a resolvable URI
-connection string for the \fBmongod\fP to which to
-connect.
-.sp
-The following is the standard
-URI connection scheme:
+connection string (enclose in quotes) to connect to the MongoDB deployment.
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
-mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+\-\-uri "mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-For detailed explanations of the components of this string, refer to
-the
-Connection String URI Format
-documentation.
+For information on the components of the connection string, see
+the Connection String URI Format documentation.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL options, use the command\-line options instead of the
+URI options for TLS/SSL (Available starting in
+4.2)\&.
+.UNINDENT
+.UNINDENT
.sp
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
-The following \fI\%mongostat\fP options are incompatible with the
-\fB\-\-uri\fP option. Instead, specify these options as part of your
-\fB\-\-uri\fP connection string when applicable:
+The following command\-line options cannot be used in conjunction
+with \fI\%\-\-uri\fP option:
.INDENT 0.0
.IP \(bu 2
-\fB\-\-host\fP
-.IP \(bu 2
-\fB\-\-port\fP
+\fI\%\-\-host\fP
.IP \(bu 2
-\fB\-\-db\fP
+\fI\%\-\-port\fP
.IP \(bu 2
-\fB\-\-username\fP
+\fI\%\-\-username\fP
.IP \(bu 2
-\fB\-\-password\fP (when specifying the password as part of the
-URI connection string)
+\fI\%\-\-password\fP (if the
+URI connection string also includes the password)
.IP \(bu 2
-\fB\-\-authenticationDatabase\fP
+\fI\%\-\-authenticationDatabase\fP
.IP \(bu 2
-\fB\-\-authenticationMechanism\fP
+\fI\%\-\-authenticationMechanism\fP
.UNINDENT
+.sp
+Instead, specify these options as part of your \fI\%\-\-uri\fP
+connection string.
.UNINDENT
.UNINDENT
.UNINDENT
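Review bot: In the added NOTE, the parenthetical "(Available starting in 4.2)" has no clear subject. It can be read as qualifying the URI options for TLS/SSL, the command-line options, or the restriction itself. Suggest naming what became available in 4.2. The hunk also drops --db from the list of options that cannot be combined with --uri without saying why, and "with --uri option" is missing "the".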
@@ -197,6 +190,13 @@ Changed in version 3.0.0: If you use IPv6 and use the \fB<address>:<port>\fP for
enclose the portion of an address and port combination in
brackets (e.g. \fB[<address>]\fP).
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-host\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -205,6 +205,13 @@ brackets (e.g. \fB[<address>]\fP).
.sp
Specifies the TCP port on which the MongoDB instance listens for
client connections.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-port\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -239,13 +246,17 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
from the Certificate Authority. Specify the file name of the
\fB\&.pem\fP file using relative or absolute paths.
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
-specified and you are not using x.509 authentication, the
-system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+Starting in version 3.4, if \fB\-\-tlsCAFile\fP/\fBnet.tls.CAFile\fP (or
+their aliases \fB\-\-sslCAFile\fP/\fBnet.ssl.CAFile\fP) is not specified
+and you are not using x.509 authentication, the system\-wide CA
+certificate store will be used when connecting to an TLS/SSL\-enabled
+server.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
.sp
\fBWARNING:\fP
.INDENT 7.0
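Review bot: In the x.509 paragraph, \fB\-\-net.tls.certificateSelector\fP puts a command-line "--" prefix on a configuration-file setting. The parallel clause two lines later writes net.ssl.certificateSelector without it, as does net.tls.CAFile, so drop the "\-\-". The rewrapped sentence above it also keeps "an TLS/SSL-enabled server", which should be "a TLS/SSL-enabled server".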
@@ -330,19 +341,23 @@ the use of invalid certificates. When using the
warning the use of the invalid certificate.
.sp
Starting in MongoDB 4.0, if you specify
-\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
-true\fP when using x.509 authentication, an invalid certificate is
-only sufficient to establish a TLS/SSL connection but is
-\fIinsufficient\fP for authentication.
+\fB\-\-sslAllowInvalidCertificates\fP or
+\fBnet.ssl.allowInvalidCertificates: true\fP (or in MongoDB 4.2, the
+alias \fB\-\-tlsAllowInvalidateCertificates\fP or
+\fBnet.tls.allowInvalidCertificates: true\fP) when using x.509
+authentication, an invalid certificate is only sufficient to
+establish a TLS/SSL connection but is \fIinsufficient\fP for
+authentication.
+.sp
+# We created a separate blurb for tls in the ssl\-clients page.
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-For TLS/SSL connections to \fBmongod\fP and
-\fBmongos\fP, avoid using
-\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
-\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
-not possible.
+Although available, avoid using the
+\fB\-\-sslAllowInvalidCertificates\fP option if possible. If the use of
+\fB\-\-sslAllowInvalidCertificates\fP is necessary, only use the option
+on systems where intrusion is not possible.
.sp
If the \fBmongo\fP shell (and other
mongodb\-tools\-support\-ssl) runs with the
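Review bot: The alias is spelled \-\-tlsAllowInvalidateCertificates ("Invalidate") while the matching setting on the next line is net.tls.allowInvalidCertificates, so a reader copying the flag from this page gets a name that does not match the setting. The added line "# We created a separate blurb for tls in the ssl-clients page." is an authoring comment that will render as body text; remove it or make it a roff comment. The rewritten WARNING also names only the ssl spelling of the flag although the paragraph above it introduces a tls alias.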
@@ -352,7 +367,9 @@ mongodb\-tools\-support\-ssl) will not attempt to validate
the server certificates. This creates a vulnerability to expired
\fBmongod\fP and \fBmongos\fP certificates as
well as to foreign processes posing as valid
-\fBmongod\fP or \fBmongos\fP instances.
+\fBmongod\fP or \fBmongos\fP instances. If you
+only need to disable the validation of the hostname in the
+TLS/SSL certificates, see \fB\-\-sslAllowInvalidHostnames\fP\&.
.UNINDENT
.UNINDENT
.sp
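Review bot: The sentence pointing to --sslAllowInvalidHostnames is appended to the WARNING about foreign processes posing as mongod or mongos, with no caveat of its own. Turning off hostname validation still accepts any server that presents a certificate chaining to the trusted CA, so the pointer should say that it narrows the exposure described here rather than removing it.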
@@ -376,53 +393,51 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslFIPSMode
-New in version 2.6.
-
-.sp
-Directs the \fBmongostat\fP to use the FIPS mode of the installed OpenSSL
-library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\%\-\-sslFIPSMode\fP option.
+.B \-\-username <username>, \-u <username>
+Specifies a username with which to authenticate to a MongoDB database
+that uses authentication. Use in conjunction with the \fI\%\-\-password\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-FIPS\-compatible TLS/SSL is
-available only in \fI\%MongoDB Enterprise\fP\&. See
-/tutorial/configure\-fips for more information.
-.UNINDENT
+You cannot specify both \fI\%\-\-username\fP and \fI\%\-\-uri\fP\&.
.UNINDENT
.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-username <username>, \-u <username>
-Specifies a username with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-password\fP and
-\fB\-\-authenticationDatabase\fP options.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-password <password>, \-p <password>
Specifies a password with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-username\fP and
-\fB\-\-authenticationDatabase\fP options.
+that uses authentication. Use in conjunction with the \fI\%\-\-username\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
-Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongostat\fP returns
-an error.
-
-.sp
-Changed in version 3.0.2: If you wish \fBmongostat\fP to prompt the user
+Changed in version 3.0.2: To prompt the user
for the password, pass the \fI\%\-\-username\fP option without
\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
as in \fB\-\-password ""\fP .
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-password\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-authenticationDatabase <dbname>
-Specifies the database in which the user is created.
+Specifies the authentication database where the specified \fI\%\-\-username\fP has been created.
See user\-authentication\-database\&.
.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationDatabase\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
\fI\%\-\-authenticationDatabase\fP is required for \fBmongod\fP
and \fBmongos\fP instances that use authentication\&.
.UNINDENT
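Review bot: The NOTE added under --password says it cannot be combined with --uri at all, but the --uri entry changed earlier in this file lists --password as incompatible only "if the URI connection string also includes the password". The two statements disagree; pick one rule and word both places the same way. Separately, the NOTE under --authenticationDatabase is inserted between "See user-authentication-database." and the sentence saying the option is required, which splits the description; move the NOTE to the end of the entry.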
@@ -493,6 +508,13 @@ passwords in plain text. This mechanism is available only in
T}
_
.TE
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationMechanism\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -782,9 +804,6 @@ Changed in version 3.0.
.sp
For the storage\-wiredtiger, \fBflushes\fP refers to the number
of WiredTiger checkpoints triggered between each polling interval.
-.sp
-For the storage\-mmapv1, \fBflushes\fP represents the number of
-fsync operations per second.
.UNINDENT
.INDENT 0.0
.TP
@@ -810,96 +829,18 @@ cache that is in use, calculated by
.UNINDENT
.INDENT 0.0
.TP
-.B mapped
-Changed in version 3.0.
-
-.sp
-Only for storage\-mmapv1\&. The total amount of data mapped in
-megabytes. This is the total data size at the time of the last
-\fI\%mongostat\fP call.
-.UNINDENT
-.INDENT 0.0
-.TP
.B vsize
The amount of virtual memory in megabytes used by the process at
the time of the last \fI\%mongostat\fP call.
.UNINDENT
.INDENT 0.0
.TP
-.B non\-mapped
-Changed in version 3.0.
-
-.sp
-Only for storage\-mmapv1\&.
-.sp
-\fIOptional\fP\&. The total amount of virtual memory excluding all mapped memory at
-the time of the last \fI\%mongostat\fP call.
-.sp
-\fI\%mongostat\fP only returns this value when started with the
-\fI\%\-\-all\fP option.
-.UNINDENT
-.INDENT 0.0
-.TP
.B res
The amount of resident memory in megabytes used by the process at
the time of the last \fI\%mongostat\fP call.
.UNINDENT
.INDENT 0.0
.TP
-.B faults
-Changed in version 3.0.
-
-.sp
-Only for storage\-mmapv1\&. The number of page faults per second.
-.sp
-Changed in version 2.1: Before version 2.1, this value was only provided for MongoDB
-instances running on Linux hosts.
-
-.UNINDENT
-.INDENT 0.0
-.TP
-.B lr
-New in version 3.2.
-
-.sp
-Only for storage\-mmapv1\&. The percentage of read lock
-acquisitions that had to wait. \fI\%mongostat\fP displays \fBlr|lw\fP
-if a lock acquisition waited.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B lw
-New in version 3.2.
-
-.sp
-Only for storage\-mmapv1\&. The percentage of write lock
-acquisitions that had to wait. \fI\%mongostat\fP displays \fBlr|lw\fP
-if a lock acquisition waited.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B lrt
-New in version 3.2.
-
-.sp
-Only for storage\-mmapv1\&. The average acquire time, in
-microseconds, of read lock acquisitions that waited.
-\fI\%mongostat\fP displays \fBlrt|lwt\fP if a lock acquisition
-waited.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B lwt
-New in version 3.2.
-
-.sp
-Only for storage\-mmapv1\&. The average acquire time, in
-microseconds, of write lock acquisitions that waited.
-\fI\%mongostat\fP displays \fBlrt|lwt\fP if a lock acquisition
-waited.
-.UNINDENT
-.INDENT 0.0
-.TP
.B locked
Changed in version 3.0: Only appears when \fI\%mongostat\fP runs against pre\-3.0
versions of MongoDB instances.
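Review bot: This hunk deletes mapped, non-mapped, faults, lr, lw, lrt and lwt (all marked "Only for storage-mmapv1") without a "Changed in version 4.2" line saying the fields were removed, so anyone parsing mongostat output for monitoring or alerting has no pointer to why they are gone. Suggest a short note at the top of FIELDS. The locked entry, which per its own text only appears against pre-3.0 instances, is kept; worth checking whether it still belongs in a 4.2 page.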
@@ -909,16 +850,6 @@ The percent of time in a global write lock.
.UNINDENT
.INDENT 0.0
.TP
-.B idx miss
-Changed in version 3.0.
-
-.sp
-Only for storage\-mmapv1\&. The percent of index access attempts
-that required a page fault to load a btree node. This is a sampled
-value.
-.UNINDENT
-.INDENT 0.0
-.TP
.B qr
The length of the queue of clients waiting to read data from the
MongoDB instance.
@@ -1004,7 +935,7 @@ _
T{
RTR
T} T{
-mongos process (“router”)
+mongos process ("router")
T}
_
T{
@@ -1015,7 +946,7 @@ T}
_
.TE
.UNINDENT
-.SH USE
+.SH EXAMPLES
.SS Specify \fBmongostat\fP Collection Period and Frequency
.sp
In the first example, \fI\%mongostat\fP will return data every
@@ -1080,7 +1011,7 @@ New in version 3.4.
\fBserverStatus\fP output to add to the default
\fI\%mongostat\fP output. The following example adds the \fBhost\fP
and \fBversion\fP fields as well as the \fBnetwork.numRequests\fP field,
-which will display as “network requests”, to the default
+which will display as "network requests", to the default
\fI\%mongostat\fP output:
.INDENT 0.0
.INDENT 3.5
@@ -1155,9 +1086,9 @@ help you view the performance of your \fBmongod\fP instance.
.sp
The following example reports on the rate of change of the
\fBmetrics.document.inserted\fP \fBserverStatus\fP field. The
-invocation uses \fI\%\-o\fP’s ability to specify the name of an column
-to label \fBmetrics.document.inserted.rate()\fP as “inserted rate” and
-\fBmetrics.document.inserted\fP as “inserted”:
+invocation uses \fI\%\-o\fP\(aqs ability to specify the name of an column
+to label \fBmetrics.document.inserted.rate()\fP as "inserted rate" and
+\fBmetrics.document.inserted\fP as "inserted":
.INDENT 0.0
.INDENT 3.5
.sp
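Review bot: The line touched here to replace the apostrophe still reads "the name of an column"; change it to "a column" while the line is being edited.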
@@ -1285,9 +1216,28 @@ Press \(aq?\(aq to toggle help
.fi
.UNINDENT
.UNINDENT
+.SH ADDITIONAL INFORMATION
+.sp
+For more information about monitoring MongoDB, see
+/administration/monitoring\&.
+.sp
+For more background on other MongoDB status outputs see:
+.INDENT 0.0
+.IP \(bu 2
+/reference/command/serverStatus
+.IP \(bu 2
+/reference/command/replSetGetStatus
+.IP \(bu 2
+/reference/command/dbStats
+.IP \(bu 2
+/reference/command/collStats
+.UNINDENT
+.sp
+For an additional utility that provides MongoDB metrics see
+mongotop\&.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2018
+2008-2019
.\" Generated by docutils manpage writer.
.
diff --git a/debian/mongotop.1 b/debian/mongotop.1
index 9962045a255..23eb81c26bb 100644
--- a/debian/mongotop.1
+++ b/debian/mongotop.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGOTOP" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
+.TH "MONGOTOP" "1" "Jul 25, 2019" "4.2" "mongodb-manual"
.SH NAME
mongotop \- MongoDB Activity Monitor
.
@@ -33,65 +33,219 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.SS On this page
.INDENT 0.0
.IP \(bu 2
-\fI\%Synopsis\fP
+\fI\%Description\fP
+.IP \(bu 2
+\fI\%Syntax\fP
.IP \(bu 2
\fI\%Required Access\fP
.IP \(bu 2
+\fI\%Behavior\fP
+.IP \(bu 2
\fI\%Options\fP
.IP \(bu 2
\fI\%Fields\fP
.IP \(bu 2
-\fI\%Use\fP
+\fI\%Examples\fP
+.IP \(bu 2
+\fI\%Additional Information\fP
.UNINDENT
.INDENT 0.0
.INDENT 3.5
-.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.IP "macOS Sierra and Go 1.6 Incompatibility"
.sp
-Users running on Mac OSX Sierra require the 3.2.10 or newer version
+Users running on macOS Sierra require the 3.2.10 or newer version
of mongotop\&.
.UNINDENT
.UNINDENT
-.SH SYNOPSIS
+.SH DESCRIPTION
.sp
\fI\%mongotop\fP provides a method to track the amount of time a
-MongoDB instance spends reading and writing data. \fI\%mongotop\fP
-provides statistics on a per\-collection level. By default,
-\fI\%mongotop\fP returns values every second.
+MongoDB instance \fBmongod\fP spends reading and writing data.
+\fI\%mongotop\fP provides statistics on a per\-collection level.
+By default, \fI\%mongotop\fP returns values every second.
.sp
Run \fI\%mongotop\fP from the system command line, not the \fBmongo\fP shell.
+.SH SYNTAX
+.SS Default
+.INDENT 0.0
+.INDENT 3.5
.sp
-\fBSEE ALSO:\fP
+.nf
+.ft C
+mongotop [frequency]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can run \fI\%mongotop\fP without any command\-line options to
+connect to the \fBmongod\fP instance running on the localhost
+port \fB27017\fP\&. By default, \fI\%mongotop\fP returns values
+every second.
.INDENT 0.0
.INDENT 3.5
-For more information about monitoring MongoDB, see
-/administration/monitoring\&.
.sp
-For additional background on various other MongoDB status outputs
-see:
+.nf
+.ft C
+mongotop
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+To have \fI\%mongotop\fP report every 30 seconds, specify the
+time:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongotop 30
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+When connected to a \fBmongod\fP instance, the program reports
+first on the connection and then reports on the statistics at the
+configured frequency.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+2019\-04\-29T15:35:27.785\-0400 connected to: 127.0.0.1
+
+ ns total read write <timestamp>
+<db.collection> 81802ms 0ms 81802ms
+\&...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Command Line Options
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongotop [options] [frequency]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can run \fI\%mongotop\fP with various \fI\%command\-line
+options\fP\&.
+.sp
+For example, to connect \fI\%mongotop\fP to a
+\fBmongod\fP instance running on a remote host
+\fBmongodb0.example.com\fP and report every 30 seconds:
.INDENT 0.0
.IP \(bu 2
-/reference/command/serverStatus
-.IP \(bu 2
-/reference/command/replSetGetStatus
-.IP \(bu 2
-/reference/command/dbStats
+You can include the desired frequency of reporting (in this
+example, 30 seconds) and the \fI\%\-\-uri\fP
+option to specify the host and port:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongotop 30 \-\-uri mongodb://mongodb0.example.com:27017 [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If the \fBmongod\fP instance requires authentication, you
+can specify the user, password, and authentication database as part
+of the URI connection string:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongotop 30 \-\-uri mongodb://user:password@mongodb0.example.com:27017/?authSource=admin [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The user running \fI\%mongotop\fP must have the
+\fBserverStatus\fP and \fBtop\fP privileges.
+.sp
+For more information on the URI connection string, see
+\fI\%\-\-uri\fP\&.
.IP \(bu 2
-/reference/command/collStats
+Alternatively, you can use the \fI\%\-\-host\fP
+and \fI\%\-\-port\fP options to specify the host
+and port:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongotop 30 \-\-host mongodb0.example.com \-\-port 27017 [additional options]
+.ft P
+.fi
+.UNINDENT
.UNINDENT
.sp
-For an additional utility that provides MongoDB metrics
-see mongostat\&.
+If the \fBmongod\fP instance requires authentication, you
+can specify the user \fI\%\-u\fP, password
+\fI\%\-p\fP, and the authentication database
+\fI\%\-\-authenticationDatabase\fP\&.
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongotop 30 \-\-host mongodb0.example.com \-\-port 27017 \-u user \-p password \-\-authenticationDatabase admin [additional options]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The user running \fI\%mongotop\fP must have the
+\fBserverStatus\fP and \fBtop\fP privileges.
+.UNINDENT
+.sp
+For more information on the options available, see
+\fI\%Options\fP\&.
+.sp
+When connected to a \fBmongod\fP instance, the program reports
+first on the connection and then reports on the statistics at the
+configured frequency.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+2019\-04\-29T15:35:27.785\-0400 connected to: 127.0.0.1
+
+ ns total read write <timestamp>
+<db.collection> 81802ms 0ms 81802ms
+\&...
+.ft P
+.fi
.UNINDENT
.UNINDENT
.SH REQUIRED ACCESS
.sp
-In order to connect to a \fBmongod\fP that enforces authorization
-with the \fB\-\-auth\fP option, you must use the
-\fI\%\-\-username\fP and \fI\%\-\-password\fP options, and the connecting user must
-have the \fBserverStatus\fP and \fBtop\fP privileges.
+In order to connect to a \fBmongod\fP that enforces
+authorization, the connecting user must have the
+\fBserverStatus\fP and \fBtop\fP privileges.
+.sp
+The built\-in role \fBclusterMonitor\fP provides these privileges.
+.SH BEHAVIOR
+.SS FIPS
.sp
-The most appropriate built\-in role that has these privileges is
-\fBclusterMonitor\fP\&.
+Starting in version 4.2, MongoDB removes the \fB\-\-sslFIPSMode\fP
+option for mongotop\&. mongotop
+will use FIPS compliant connections to
+\fBmongod\fP/\fBmongos\fP if the
+\fBmongod\fP/\fBmongos\fP instances are
+configured to use FIPS mode\&.
.SH OPTIONS
.INDENT 0.0
.TP
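Review bot: The new authentication examples under "Command Line Options" put the password on the command line, as user:password@ in the --uri string and as -p password in the --host form, where it ends up in shell history and is visible to other users in the process list. The --password entry in this page documents that passing --username without --password prompts for it, so the --host example should show that form or at least mention it. The --uri examples are also unquoted, although the --uri entry says to enclose the string in quotes, and the second one contains "?", which an unquoted shell word can treat as a glob character.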
@@ -139,50 +293,53 @@ New in version 3.4.6.
.sp
Specify a resolvable URI
-connection string for the \fBmongod\fP to which to
-connect.
-.sp
-The following is the standard
-URI connection scheme:
+connection string (enclose in quotes) to connect to the MongoDB deployment.
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
-mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+\-\-uri "mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-For detailed explanations of the components of this string, refer to
-the
-Connection String URI Format
-documentation.
+For information on the components of the connection string, see
+the Connection String URI Format documentation.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL options, use the command\-line options instead of the
+URI options for TLS/SSL (Available starting in
+4.2)\&.
+.UNINDENT
+.UNINDENT
.sp
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
-The following \fI\%mongotop\fP options are incompatible with the
-\fB\-\-uri\fP option. Instead, specify these options as part of your
-\fB\-\-uri\fP connection string when applicable:
+The following command\-line options cannot be used in conjunction
+with \fI\%\-\-uri\fP option:
.INDENT 0.0
.IP \(bu 2
-\fB\-\-host\fP
-.IP \(bu 2
-\fB\-\-port\fP
+\fI\%\-\-host\fP
.IP \(bu 2
-\fB\-\-db\fP
+\fI\%\-\-port\fP
.IP \(bu 2
-\fB\-\-username\fP
+\fI\%\-\-username\fP
.IP \(bu 2
-\fB\-\-password\fP (when specifying the password as part of the
-URI connection string)
+\fI\%\-\-password\fP (if the
+URI connection string also includes the password)
.IP \(bu 2
-\fB\-\-authenticationDatabase\fP
+\fI\%\-\-authenticationDatabase\fP
.IP \(bu 2
-\fB\-\-authenticationMechanism\fP
+\fI\%\-\-authenticationMechanism\fP
.UNINDENT
+.sp
+Instead, specify these options as part of your \fI\%\-\-uri\fP
+connection string.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -203,20 +360,40 @@ the following:
.sp
.nf
.ft C
-<replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
+\-\-host <replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-You can always connect directly to a single MongoDB instance by
-specifying the host and port number directly.
+When specifying the replica set list format, \fBmongotop\fP always connects to
+the primary\&.
+.sp
+You can also connect to any single member of the replica set by specifying
+the host and port of only that member:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-host <hostname1><:port>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.sp
Changed in version 3.0.0: If you use IPv6 and use the \fB<address>:<port>\fP format, you must
enclose the portion of an address and port combination in
brackets (e.g. \fB[<address>]\fP).
.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-host\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
If connected to a replica set where the primary is not
reachable, \fBmongotop\fP returns an error message.
.UNINDENT
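Review bot: The NOTE about --host and --uri is inserted between the replica-set discussion and its last sentence ("If connected to a replica set where the primary is not reachable, mongotop returns an error message"), which now reads as if it belonged to the NOTE or to the IPv6 change. Move that sentence up next to the new "always connects to the primary" line and put the NOTE at the end of the entry.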
@@ -227,6 +404,13 @@ reachable, \fBmongotop\fP returns an error message.
.sp
Specifies the TCP port on which the MongoDB instance listens for
client connections.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-port\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -261,13 +445,17 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
from the Certificate Authority. Specify the file name of the
\fB\&.pem\fP file using relative or absolute paths.
.sp
-Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
-specified and you are not using x.509 authentication, the
-system\-wide CA certificate store will be used when connecting to an
-TLS/SSL\-enabled server.
+Starting in version 3.4, if \fB\-\-tlsCAFile\fP/\fBnet.tls.CAFile\fP (or
+their aliases \fB\-\-sslCAFile\fP/\fBnet.ssl.CAFile\fP) is not specified
+and you are not using x.509 authentication, the system\-wide CA
+certificate store will be used when connecting to an TLS/SSL\-enabled
+server.
.sp
-If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
-must be specified.
+To use x.509 authentication, \fB\-\-tlsCAFile\fP or \fBnet.tls.CAFile\fP
+must be specified unless using \fB\-\-tlsCertificateSelector\fP or
+\fB\-\-net.tls.certificateSelector\fP\&. Or if using the \fBssl\fP aliases,
+\fB\-\-sslCAFile\fP or \fBnet.ssl.CAFile\fP must be specified unless using
+\fB\-\-sslCertificateSelector\fP or \fBnet.ssl.certificateSelector\fP\&.
.sp
\fBWARNING:\fP
.INDENT 7.0
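Review bot: \fB\-\-net.tls.certificateSelector\fP in the x.509 paragraph carries a "--" prefix that the other configuration-file settings in the same sentence (net.tls.CAFile, net.ssl.certificateSelector) do not. The identical text is in the mongostat.1 part of this patch, so the fix belongs in the reStructuredText source these pages are generated from, followed by a regenerate.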
@@ -352,19 +540,23 @@ the use of invalid certificates. When using the
warning the use of the invalid certificate.
.sp
Starting in MongoDB 4.0, if you specify
-\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
-true\fP when using x.509 authentication, an invalid certificate is
-only sufficient to establish a TLS/SSL connection but is
-\fIinsufficient\fP for authentication.
+\fB\-\-sslAllowInvalidCertificates\fP or
+\fBnet.ssl.allowInvalidCertificates: true\fP (or in MongoDB 4.2, the
+alias \fB\-\-tlsAllowInvalidateCertificates\fP or
+\fBnet.tls.allowInvalidCertificates: true\fP) when using x.509
+authentication, an invalid certificate is only sufficient to
+establish a TLS/SSL connection but is \fIinsufficient\fP for
+authentication.
+.sp
+# We created a separate blurb for tls in the ssl\-clients page.
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
-For TLS/SSL connections to \fBmongod\fP and
-\fBmongos\fP, avoid using
-\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
-\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
-not possible.
+Although available, avoid using the
+\fB\-\-sslAllowInvalidCertificates\fP option if possible. If the use of
+\fB\-\-sslAllowInvalidCertificates\fP is necessary, only use the option
+on systems where intrusion is not possible.
.sp
If the \fBmongo\fP shell (and other
mongodb\-tools\-support\-ssl) runs with the
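Review bot: \-\-tlsAllowInvalidateCertificates does not match net.tls.allowInvalidCertificates on the following line, and "# We created a separate blurb for tls in the ssl-clients page." is an authoring comment that will be rendered in the man page. Both also appear in the mongostat.1 part of this patch, which suggests a shared include in the reStructuredText source; correct the spelling and drop the comment there rather than in the generated file.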
@@ -374,7 +566,9 @@ mongodb\-tools\-support\-ssl) will not attempt to validate
the server certificates. This creates a vulnerability to expired
\fBmongod\fP and \fBmongos\fP certificates as
well as to foreign processes posing as valid
-\fBmongod\fP or \fBmongos\fP instances.
+\fBmongod\fP or \fBmongos\fP instances. If you
+only need to disable the validation of the hostname in the
+TLS/SSL certificates, see \fB\-\-sslAllowInvalidHostnames\fP\&.
.UNINDENT
.UNINDENT
.sp
@@ -398,53 +592,51 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-sslFIPSMode
-New in version 2.6.
-
-.sp
-Directs the \fBmongotop\fP to use the FIPS mode of the installed OpenSSL
-library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\%\-\-sslFIPSMode\fP option.
+.B \-\-username <username>, \-u <username>
+Specifies a username with which to authenticate to a MongoDB database
+that uses authentication. Use in conjunction with the \fI\%\-\-password\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-FIPS\-compatible TLS/SSL is
-available only in \fI\%MongoDB Enterprise\fP\&. See
-/tutorial/configure\-fips for more information.
+You cannot specify both \fI\%\-\-username\fP and \fI\%\-\-uri\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-username <username>, \-u <username>
-Specifies a username with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-password\fP and
-\fB\-\-authenticationDatabase\fP options.
-.UNINDENT
-.INDENT 0.0
-.TP
.B \-\-password <password>, \-p <password>
Specifies a password with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-username\fP and
-\fB\-\-authenticationDatabase\fP options.
+that uses authentication. Use in conjunction with the \fI\%\-\-username\fP and
+\fI\%\-\-authenticationDatabase\fP options.
.sp
-Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongotop\fP returns
-an error.
-
-.sp
-Changed in version 3.0.2: If you wish \fBmongotop\fP to prompt the user
+Changed in version 3.0.2: To prompt the user
for the password, pass the \fI\%\-\-username\fP option without
\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
as in \fB\-\-password ""\fP .
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-password\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-authenticationDatabase <dbname>
-Specifies the database in which the user is created.
+Specifies the authentication database where the specified \fI\%\-\-username\fP has been created.
See user\-authentication\-database\&.
.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationDatabase\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
Changed in version 3.0.0: \fI\%\-\-authenticationDatabase\fP is required for \fBmongod\fP
and \fBmongos\fP instances that use authentication\&.
@@ -516,6 +708,13 @@ passwords in plain text. This mechanism is available only in
T}
_
.TE
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You cannot specify both \fI\%\-\-authenticationMechanism\fP and \fI\%\-\-uri\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -552,7 +751,7 @@ newer instance that does not report per\-database lock usage.
.INDENT 0.0
.TP
.B \-\-rowcount int, \-n int
-Number of lines of data that \fBmongotop\fP should print. “0 for indefinite”
+Number of lines of data that \fBmongotop\fP should print. "0 for indefinite"
.UNINDENT
.INDENT 0.0
.TP
@@ -571,11 +770,31 @@ data every second.
.UNINDENT
.SH FIELDS
.sp
-\fI\%mongotop\fP returns time values specified in milliseconds
-(ms.)
+When connected to a \fBmongod\fP instance, the program reports
+first on the connection and then reports on the statistics at the
+configured frequency. \fI\%mongotop\fP returns time values
+specified in milliseconds (ms.)
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+2019\-04\-29T15:35:27.785\-0400 connected to: 127.0.0.1
+
+ ns total read write <timestamp>
+<db.collection> 81802ms 0ms 81802ms
+\&...
+
+ ns total read write <timestamp>
+<db.collection> 0ms 0ms 0ms
+\&...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.sp
\fI\%mongotop\fP only reports active namespaces or databases,
-depending on the \fI\%\-\-locks\fP option. If you don’t see a database
+depending on the \fI\%\-\-locks\fP option. If you don\(aqt see a database
or collection, it has received no recent activity. You can issue a
simple operation in the \fBmongo\fP shell to generate activity to
affect the output of \fI\%mongotop\fP\&.
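Review bot: The paragraph "When connected to a mongod instance, the program reports first on the connection ..." and its sample output are added here for a third time; the same text is already added twice under SYNTAX in this patch. Keep one copy under FIELDS, where the columns are explained, and have SYNTAX refer to it. Also, "specified in milliseconds (ms.)" leaves the period inside the parenthesis and the sentence unterminated.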
@@ -620,7 +839,7 @@ performing write operations on this namespace.
.B mongotop.<timestamp>
Provides a time stamp for the returned data.
.UNINDENT
-.SH USE
+.SH EXAMPLES
.sp
By default \fI\%mongotop\fP connects to the MongoDB instance
running on the localhost port \fB27017\fP\&. However, \fI\%mongotop\fP can optionally
@@ -648,37 +867,21 @@ This command produces the following output:
.sp
.nf
.ft C
- ns total read write 2014\-12\-19T15:32:01\-05:00
- admin.system.roles 0ms 0ms 0ms
- admin.system.version 0ms 0ms 0ms
- local.me 0ms 0ms 0ms
- local.oplog.rs 0ms 0ms 0ms
- local.replset.minvalid 0ms 0ms 0ms
- local.startup_log 0ms 0ms 0ms
- local.system.indexes 0ms 0ms 0ms
-local.system.namespaces 0ms 0ms 0ms
- local.system.replset 0ms 0ms 0ms
+2019\-04\-29T15:35:27.785\-0400 connected to: 127.0.0.1
+
- ns total read write 2014\-12\-19T15:32:16\-05:00
- admin.system.roles 0ms 0ms 0ms
- admin.system.version 0ms 0ms 0ms
- local.me 0ms 0ms 0ms
- local.oplog.rs 0ms 0ms 0ms
- local.replset.minvalid 0ms 0ms 0ms
- local.startup_log 0ms 0ms 0ms
- local.system.indexes 0ms 0ms 0ms
-local.system.namespaces 0ms 0ms 0ms
- local.system.replset 0ms 0ms 0ms
+ ns total read write 2019\-04\-29T15:35:57\-04:00
+ admin.system.roles 0ms 0ms 0ms
+ admin.system.users 0ms 0ms 0ms
+ admin.system.version 0ms 0ms 0ms
+config.system.sessions 0ms 0ms 0ms
+ local.startup_log 0ms 0ms 0ms
+ local.system.replset 0ms 0ms 0ms
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
-The output varies depending on your MongoDB setup. For example,
-\fBlocal.system.indexes\fP and \fBlocal.system.namespaces\fP only appear
-for \fBmongod\fP instances using the MMAPv1
-storage engine.
-.sp
To return a \fI\%mongotop\fP report every 5 minutes, use the
following command:
.INDENT 0.0
@@ -691,9 +894,28 @@ mongotop 300
.fi
.UNINDENT
.UNINDENT
+.SH ADDITIONAL INFORMATION
+.sp
+For more information about monitoring MongoDB, see
+/administration/monitoring\&.
+.sp
+For additional background on various other MongoDB status outputs see:
+.INDENT 0.0
+.IP \(bu 2
+/reference/command/serverStatus
+.IP \(bu 2
+/reference/command/replSetGetStatus
+.IP \(bu 2
+/reference/command/dbStats
+.IP \(bu 2
+/reference/command/collStats
+.UNINDENT
+.sp
+For an additional utility that provides MongoDB metrics
+see mongostat\&.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2018
+2008-2019
.\" Generated by docutils manpage writer.
.