author Zakhar Kleyman <zakhar.kleyman@mongodb.com> 2020-07-30 13:59:51 -0400
committer Evergreen Agent <no-reply@evergreen.mongodb.com> 2020-10-15 13:55:19 +0000
commit 122e9e8fe5db8f4b1bfcc2f30e2f574045d19547 (patch)
tree 4256da8d53ceac819a57d0a057afb04bff0cc99c /debian
parent e62f90245be98c6763ae85441eb6ebd9448bb85c (diff)
SERVER-46321 update man pages for 4.4
Diffstat (limited to 'debian')
-rw-r--r-- debian/mongo.1 405
-rw-r--r-- debian/mongod.1 1095
-rw-r--r-- debian/mongodb-parameters.5 1460
-rw-r--r-- debian/mongokerberos.1 489
-rw-r--r-- debian/mongoldap.1 191
-rw-r--r-- debian/mongos.1 309
6 files changed, 3346 insertions, 603 deletions
diff --git a/debian/mongo.1 b/debian/mongo.1
index a38d4270deb..07fe0da64bd 100644
--- a/debian/mongo.1
+++ b/debian/mongo.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGO" "1" "Aug 16, 2019" "4.2" "mongodb-manual"
+.TH "MONGO" "1" "Jun 23, 2020" "4.4" "mongodb-manual"
.SH NAME
mongo \- MongoDB Shell
.
@@ -54,14 +54,65 @@ MongoDB, which provides a powerful interface for system
administrators as well as a way for developers to test queries and
operations directly with the database. \fI\%mongo\fP also provides
a fully functional JavaScript environment for use with a MongoDB.
-The \fI\%mongo\fP shell is part of the \fI\%MongoDB distributions\fP\&.
+.sp
+The \fI\%mongo\fP shell is included as part of the MongoDB Server installation. MongoDB also provides the \fI\%mongo\fP
+shell as a standalone package. To download the standalone \fI\%mongo\fP
+shell package:
+.INDENT 0.0
+.IP 1. 3
+Access the Download Center for your Edition of MongoDB:
+.INDENT 3.0
+.IP \(bu 2
+\fI\%MongoDB Community Download Center\fP
+.IP \(bu 2
+\fI\%MongoDB Enterprise Download Center\fP
+.UNINDENT
+.IP 2. 3
+Select your preferred Version and Platform
+from the dropdowns.
+.IP 3. 3
+Select the Package to download according to your
+platform:
+.TS
+center;
+|l|l|.
+_
+T{
+Platform
+T} T{
+Download Package
+T}
+_
+T{
+\fIWindows\fP
+T} T{
+Select the \fBzip\fP package to download an archive which
+includes the \fI\%mongo\fP shell.
+T}
+_
+T{
+\fImacOS\fP
+T} T{
+Select the \fBtgz\fP package to download an archive which
+includes the \fI\%mongo\fP shell.
+T}
+_
+T{
+\fILinux\fP
+T} T{
+Select the \fBshell\fP package to download the
+\fI\%mongo\fP shell.
+T}
+_
+.TE
+.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
-Starting in MongoDB 4.2, the \fI\%mongo\fP shell displays a
+Starting in MongoDB 4.2 (and 4.0.13), the \fI\%mongo\fP shell displays a
warning message when connected to non\-genuine MongoDB instances as
these instances may behave differently from the official MongoDB
instances; e.g. missing or incomplete features, different feature
@@ -260,6 +311,12 @@ As a result many options of the shell environment are not available.
Specifies a username with which to authenticate to a MongoDB database
that uses authentication. Use in conjunction with the \fI\%\-\-password\fP and
\fI\%\-\-authenticationDatabase\fP options.
+.sp
+If connecting to a \fI\%MongoDB Atlas\fP cluster
+using the \fBMONGODB\-AWS\fP \fI\%authentication mechanism\fP, specify your AWS access key ID in this
+field, or in the connection string\&. Alternatively, this value may
+also be supplied as the environment variable \fBAWS_ACCESS_KEY_ID\fP\&.
+See \fI\%Connect to a MongoDB Atlas Cluster using AWS IAM Credentials\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -269,6 +326,27 @@ that uses authentication. Use in conjunction with the \fI\%\-\-username\fP
and \fI\%\-\-authenticationDatabase\fP options. To force \fBmongo\fP to
prompt for a password, enter the \fI\%\-\-password\fP option as the
last option and leave out the argument.
+.sp
+If connecting to a \fI\%MongoDB Atlas\fP cluster
+using the \fBMONGODB\-AWS\fP \fI\%authentication mechanism\fP, specify your AWS secret access key in
+this field, or in the connection string\&. Alternatively, this value may
+also be supplied as the environment variable
+\fBAWS_SECRET_ACCESS_KEY\fP\&. See
+\fI\%Connect to a MongoDB Atlas Cluster using AWS IAM Credentials\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-awsIamSessionToken <aws session token>
+If connecting to a \fI\%MongoDB Atlas\fP cluster
+using the \fBMONGODB\-AWS\fP \fI\%authentication mechanism\fP and using session tokens in addition to
+your AWS access key ID and secret access key, specify your AWS
+session token in this field, or in the connection string\&. Alternatively, this value may
+also be supplied as the environment variable
+\fBAWS_SESSION_TOKEN\fP\&. See
+\fI\%Connect to a MongoDB Atlas Cluster using AWS IAM Credentials\fP\&.
+.sp
+Only valid when using the \fBMONGODB\-AWS\fP
+\fI\%authentication mechanism\fP\&.
.UNINDENT
.INDENT 0.0
.TP
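Review bot: The new --password and --awsIamSessionToken text tells users to pass the AWS secret access key and session token as command-line arguments but carries no caution about exposure, while the --awsSecretAccessKey text added later in this same file does ("To mitigate the risk of leaking access keys into logs, consider specifying an environmental variable"). Suggest adding the same caution here and leading with the AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables. The closing "Only valid when using the MONGODB-AWS authentication mechanism" sentence under --awsIamSessionToken repeats the condition in that option's opening sentence and could be dropped.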
@@ -411,7 +489,7 @@ New in version 3.4.
.sp
Allows fields of type javascript and
-javascriptWithScope to be automatically
+javascriptWithScope (*Deprecated*) to be automatically
marshalled to JavaScript functions in the \fI\%mongo\fP
shell.
.sp
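Review bot: In the changed line, "(*Deprecated*)" carries reStructuredText emphasis asterisks through to the troff output, so the man page will show literal asterisks. The rest of the page marks emphasis with \fI...\fP; suggest \fIDeprecated\fP here, or fix the source so the manpage writer emits it.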
@@ -457,7 +535,7 @@ object
> doc.func instanceof Code
true
> doc.jsFunc()
-2016\-11\-09T12:30:36.808\-0800 E QUERY [thread1] TypeError: doc.jsFunc is
+2016\-11\-09T12:30:36.808\-08:00 E QUERY [thread1] TypeError: doc.jsFunc is
not a function :
@(shell):1:1
.ft P
@@ -504,6 +582,11 @@ See user\-authentication\-database\&.
.sp
If you do not specify a value for \fI\%\-\-authenticationDatabase\fP, \fBmongo\fP uses the database
specified in the connection string.
+.sp
+If using the GSSAPI (Kerberos),
+PLAIN (LDAP SASL), or \fBMONGODB\-AWS\fP
+\fI\%authentication mechanisms\fP, you
+must set \fI\%\-\-authenticationDatabase\fP to \fB$external\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -513,11 +596,9 @@ specified in the connection string.
Specifies the authentication mechanism the \fBmongo\fP instance uses to
authenticate to the \fBmongod\fP or \fBmongos\fP\&.
.sp
-Changed in version 4.0: MongoDB removes support for the deprecated MongoDB
-Challenge\-Response (\fBMONGODB\-CR\fP) authentication mechanism.
-.sp
-MongoDB adds support for SCRAM mechanism using the SHA\-256 hash
-function (\fBSCRAM\-SHA\-256\fP).
+Changed in version 4.4: With MongoDB 4.4, the \fBmongo\fP shell adds support for the
+new \fBMONGODB\-AWS\fP authentication mechanism when connecting to a
+\fI\%MongoDB Atlas\fP cluster.
.TS
center;
@@ -556,6 +637,17 @@ MongoDB TLS/SSL certificate authentication.
T}
_
T{
+\fBMONGODB\-AWS\fP
+T} T{
+External authentication using AWS IAM credentials for use in
+connecting to a
+\fI\%MongoDB Atlas\fP
+cluster. See \fI\%Connect to a MongoDB Atlas Cluster using AWS IAM Credentials\fP\&.
+.sp
+New in version 4.4.
+T}
+_
+T{
GSSAPI (Kerberos)
T} T{
External authentication using Kerberos. This mechanism is
@@ -576,9 +668,6 @@ _
.INDENT 0.0
.TP
.B \-\-gssapiHostName
-New in version 2.6.
-
-.sp
Specify the hostname of a service using GSSAPI/Kerberos\&. \fIOnly\fP required if the hostname of a machine does
not match the hostname resolved by DNS.
.sp
@@ -587,9 +676,6 @@ This option is available only in MongoDB Enterprise.
.INDENT 0.0
.TP
.B \-\-gssapiServiceName
-New in version 2.6.
-
-.sp
Specify the name of the service using GSSAPI/Kerberos\&. Only required if the service does not use the
default name of \fBmongodb\fP\&.
.sp
@@ -654,6 +740,13 @@ option to connect to a \fBmongod\fP or \fBmongos\fP
instance that requires client certificates\&. That is, the
\fI\%mongo\fP shell present this certificate to the server.
.sp
+Changed in version 4.4: \fBmongod\fP / \fBmongos\fP logs a warning on
+connection if the presented x.509 certificate expires within \fB30\fP
+days of the \fBmongod/mongos\fP host system time. See
+4.4\-rel\-notes\-certificate\-expiration\-warning for more
+information.
+
+.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
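Review bot: The added "Changed in version 4.4" paragraph ends with "See 4.4-rel-notes-certificate-expiration-warning for more information", which is an unresolved reference label, not a title or link a man page reader can follow. Suggest replacing it with the release-notes section title or URL. The paragraph also sits in the description of a client option, where the shell presents the certificate, but describes a warning that mongod / mongos logs, so it should say explicitly that the warning appears in the server log and not in the shell. The same paragraph is added again in a later hunk of this file and needs the same fix there.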
@@ -713,7 +806,7 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-tlsCRLFile <filename>
-New in version 4.2.
+New in version 4.2: In MongoDB 4.0 and earlier, see \fI\%\-\-sslCRLFile\fP\&.
.sp
Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
@@ -723,6 +816,17 @@ absolute paths.
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in version 4.4, to check for certificate revocation,
+MongoDB \fBenables\fP the use of OCSP
+(Online Certificate Status Protocol) by default as an alternative
+to specifying a CRL file or using the system SSL certificate
+store.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
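Review bot: The added NOTE under --tlsCRLFile says OCSP is enabled by default "as an alternative to specifying a CRL file" but does not say what happens when --tlsCRLFile is also given: whether the CRL, OCSP, or both are consulted. Since this is the option's own description, suggest one sentence stating the precedence and a pointer to how OCSP is turned off. The identical NOTE added under the SSL variant of the option later in this file has the same gap.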
@@ -763,8 +867,6 @@ authentication.
.UNINDENT
.UNINDENT
.sp
-# We created a separate blurb for tls in the ssl\-clients page.
-.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
@@ -864,6 +966,13 @@ _
When using the system SSL certificate store, OCSP (Online
Certificate Status Protocol) is used to validate the revocation
status of certificates.
+.sp
+Changed in version 4.4: \fBmongod\fP / \fBmongos\fP logs a warning on
+connection if the presented x.509 certificate expires within \fB30\fP
+days of the \fBmongod/mongos\fP host system time. See
+4.4\-rel\-notes\-certificate\-expiration\-warning for more
+information.
+
.UNINDENT
.INDENT 0.0
.TP
@@ -873,7 +982,7 @@ New in version 4.2.
.sp
Disables the specified TLS protocols. The option recognizes the
following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP, \fBTLS1_2\fP, and
-starting in version 4.0.4 (and 3.6.9), \fBTLS1_3\fP\&.
+starting in version 4.0.4 (and 3.6.9 and 3.4.24), \fBTLS1_3\fP\&.
.INDENT 7.0
.IP \(bu 2
On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
@@ -1066,6 +1175,17 @@ Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
List. Specify the file name of the \fB\&.pem\fP file using relative or
absolute paths.
.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in version 4.4, to check for certificate revocation,
+MongoDB \fBenables\fP the use of OCSP
+(Online Certificate Status Protocol) by default as an alternative
+to specifying a CRL file or using the system SSL certificate
+store.
+.UNINDENT
+.UNINDENT
+.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
@@ -1112,8 +1232,6 @@ authentication.
.UNINDENT
.UNINDENT
.sp
-# We created a separate blurb for tls in the ssl\-clients page.
-.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
@@ -1198,6 +1316,98 @@ Enables retryable writes as the default for sessions in the
.sp
For more information on sessions, see sessions\&.
.UNINDENT
+.SS Client\-Side Field Level Encryption Options
+.INDENT 0.0
+.TP
+.B \-\-awsAccessKeyId <string>
+An AWS \fI\%Access Key\fP
+associated to an IAM user with \fBList\fP and \fBRead\fP permissions for the
+AWS Key Management Service (KMS). The \fBmongo\fP shell uses the specified
+\fI\%\-\-awsAccessKeyId\fP to access the KMS.
+.sp
+\fI\%\-\-awsAccessKeyId\fP is required for enabling /core/security\-client\-side\-encryption
+for the \fBmongo\fP shell session. \fI\%\-\-awsAccessKeyId\fP requires \fIall\fP of the following
+command line options:
+.INDENT 7.0
+.IP \(bu 2
+\fI\%\-\-awsSecretAccessKey\fP
+.IP \(bu 2
+\fI\%\-\-keyVaultNamespace\fP
+.UNINDENT
+.sp
+If \fI\%\-\-awsAccessKeyId\fP is omitted, use the \fBMongo()\fP constructor within the shell
+session to enable client\-side field level encryption.
+.sp
+To mitigate the risk of leaking access keys into logs, consider specifying
+an environmental variable to \fI\%\-\-awsAccessKeyId\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-awsSecretAccessKey <string>
+An AWS \fI\%Secret Key\fP
+associated to the specified \fI\%\-\-awsAccessKeyId\fP\&.
+.sp
+\fI\%\-\-awsSecretAccessKey\fP is required for enabling /core/security\-client\-side\-encryption
+for the \fBmongo\fP shell session. \fI\%\-\-awsSecretAccessKey\fP requires \fIall\fP of the following
+command line options:
+.INDENT 7.0
+.IP \(bu 2
+\fI\%\-\-awsAccessKeyId\fP
+.IP \(bu 2
+\fI\%\-\-keyVaultNamespace\fP
+.UNINDENT
+.sp
+If \fI\%\-\-awsSecretAccessKey\fP and its supporting options are omitted, use \fBMongo()\fP
+within the shell session to enable client\-side field level encryption.
+.sp
+To mitigate the risk of leaking access keys into logs, consider specifying
+an environmental variable to \fI\%\-\-awsSecretAccessKey\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-awsSessionToken <string>
+An AWS \fI\%Session Token\fP
+associated to the specified \fI\%\-\-awsAccessKeyId\fP\&.
+.sp
+\fI\%\-\-awsSessionToken\fP is required for enabling /core/security\-client\-side\-encryption
+for the \fBmongo\fP shell session. \fI\%\-\-awsSessionToken\fP requires \fIall\fP of the following
+command line options:
+.INDENT 7.0
+.IP \(bu 2
+\fI\%\-\-awsAccessKeyId\fP
+.IP \(bu 2
+\fI\%\-\-awsSecretAccessKey\fP
+.IP \(bu 2
+\fI\%\-\-keyVaultNamespace\fP
+.UNINDENT
+.sp
+If \fI\%\-\-awsSessionToken\fP and its supporting options are omitted, use \fBMongo()\fP
+within the shell session to enable client\-side field level encryption.
+.sp
+To mitigate the risk of leaking access keys into logs, consider specifying
+an environmental variable to \fI\%\-\-awsSessionToken\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-keyVaultNamespace <string>
+The full namespace (\fB<database>.<collection>\fP) of the collection used as a
+key vault for /core/security\-client\-side\-encryption\&. \fI\%\-\-keyVaultNamespace\fP is
+required for enabling client\-side field level encryption. for the \fBmongo\fP
+shell session. \fBmongo\fP creates the specified namespace if it does not
+exist.
+.sp
+\fI\%\-\-keyVaultNamespace\fP requires \fIall\fP of the following command line options:
+.INDENT 7.0
+.IP \(bu 2
+\fI\%\-\-awsAccessKeyId\fP
+.IP \(bu 2
+\fI\%\-\-awsSecretAccessKey\fP
+.UNINDENT
+.sp
+If \fI\%\-\-keyVaultNamespace\fP and its supporting options are omitted, use the \fBMongo()\fP
+constructor within the shell session to enable client\-side field level
+encryption.
+.UNINDENT
.SH FILES
.INDENT 0.0
.TP
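Review bot: --awsSessionToken is documented as "required for enabling" client-side field level encryption, yet the "requires all of the following" lists under --awsAccessKeyId, --awsSecretAccessKey and --keyVaultNamespace do not include it. If the token is only needed with temporary credentials, say so and drop "required". Two smaller points: the --keyVaultNamespace text has a stray period in "client-side field level encryption. for the mongo shell session", and "consider specifying an environmental variable to --awsAccessKeyId" does not tell the reader what to do; showing the value being passed from an environment variable would make the mitigation concrete.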
@@ -1650,6 +1860,129 @@ mongo \-\-host "mongodb+srv://server.example.com/?username=allison"
.sp
The \fI\%mongo\fP shell will automatically prompt you to provide
the password for the user specified in the \fBusername\fP option.
+.SS Connect to a MongoDB Atlas Cluster using AWS IAM Credentials
+.sp
+New in version 4.4.
+
+.sp
+To connect to a \fI\%MongoDB Atlas\fP cluster which
+has been configured to support authentication via \fI\%AWS IAM credentials\fP,
+provide a connection string to
+the \fI\%mongo\fP shell similar to the following:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongo \(aqmongodb+srv://<aws access key id>:<aws secret access key>@cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Connecting to Atlas using AWS IAM credentials in this manner uses the
+\fBMONGODB\-AWS\fP \fBauthentication mechanism\fP
+and the \fB$external\fP \fBauthSource\fP, as shown in this example.
+.sp
+If using an \fI\%AWS session token\fP
+as well, provide it with the \fBAWS_SESSION_TOKEN\fP
+\fBauthMechanismProperties\fP value in your
+connection string, as follows:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongo \(aqmongodb+srv://<aws access key id>:<aws secret access key>@cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<aws session token>\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If the AWS access key ID, secret access key, or session token include
+the \(aqat\(aq sign \fB@\fP, colon \fB:\fP, slash \fB/\fP, or the percent sign \fB%\fP
+characters, those characters must be converted using \fI\%percent encoding\fP\&.
+.sp
+Alternatively, the AWS access key ID, and secret access key, and
+optionally session token can each be provided outside of the connection
+string using the \fI\%\-\-username\fP, \fI\%\-\-password\fP, and
+\fI\%\-\-awsIamSessionToken\fP options instead, like so:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongo \(aqmongodb+srv://cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS\(aq \-\-username <aws access key id> \-\-password <aws secret access key> \-\-awsIamSessionToken <aws session token>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+When provided as command line parameters, these three options do not
+require percent encoding.
+.sp
+You may also set these credentials on your platform using standard
+\fI\%AWS IAM environment variables\fP\&.
+The \fI\%mongo\fP shell checks for the following environment
+variables when you use the \fBMONGODB\-AWS\fP
+\fBauthentication mechanism\fP:
+.INDENT 0.0
+.IP \(bu 2
+\fBAWS_ACCESS_KEY_ID\fP
+.IP \(bu 2
+\fBAWS_SECRET_ACCESS_KEY\fP
+.IP \(bu 2
+\fBAWS_SESSION_TOKEN\fP
+.UNINDENT
+.sp
+If set, these credentials do not need to be specified in the connection
+string or via the explicit options to the \fI\%mongo\fP shell
+(i.e. \fI\%\-\-username\fP and \fI\%\-\-password\fP).
+.sp
+The following example sets these environment variables in the \fBbash\fP
+shell:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+export AWS_ACCESS_KEY_ID=\(aq<aws access key id>\(aq
+export AWS_SECRET_ACCESS_KEY=\(aq<aws secret access key>\(aq
+export AWS_SESSION_TOKEN=\(aq<aws session token>\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Syntax for setting environment variables in other shells will be
+different. Consult the documentation for your platform for more
+information.
+.sp
+You can verify that these environment variables have been set with the
+following command:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+env | grep AWS
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Once set, the following example connects to a MongoDB Atlas cluster
+using these environment variables:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongo \(aqmongodb+srv://cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.SS Execute JavaScript Against the \fI\%mongo\fP Shell
.sp
To execute a JavaScript file without evaluating the \fB~/.mongorc.js\fP
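Review bot: The verification step "env | grep AWS" prints the values of AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN to the terminal, where they can end up in scrollback or session recordings. Suggest a check that shows only whether the variables are set, not their values. Related: the first two examples place the secret access key inside the connection string on the command line; consider presenting the environment-variable form first. The parenthetical "(i.e. --username and --password)" should also list --awsIamSessionToken, and "the AWS access key ID, and secret access key, and optionally session token" has a stray comma and an extra "and".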
@@ -1684,10 +2017,16 @@ mongo script\-file.js \-u <user> \-p
\fBisInteractive()\fP
.UNINDENT
.UNINDENT
-.SS Use \fI\%\-\-eval\fP to Print Query Results as JSON
+.SS Use \fI\%\-\-eval\fP to Execute JavaScript Code
.sp
-To print return a query as JSON, from the system prompt using
-the \fI\%\-\-eval\fP option, use the following form:
+You may use the \fI\%\-\-eval\fP option to execute
+JavaScript directly from the command line.
+.sp
+For example, the following operation evaluates a JavaScript string
+which queries a collection and prints the results as JSON.
+.sp
+On Linux and macOS, you will need to use single quotes (e.g. \fB\(aq\fP)
+to enclose the JavaScript, using the following form:
.INDENT 0.0
.INDENT 3.5
.sp
@@ -1699,8 +2038,18 @@ mongo \-\-eval \(aqdb.collection.find().forEach(printjson)\(aq
.UNINDENT
.UNINDENT
.sp
-Use single quotes (e.g. \fB\(aq\fP) to enclose the JavaScript, as well as
-the additional JavaScript required to generate this output.
+On Windows, you will need to use double quotes (e.g. \fB"\fP)
+to enclose the JavaScript, using the following form:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongo \-\-eval "db.collection.find().forEach(printjson)"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.sp
\fBSEE ALSO:\fP
.INDENT 0.0
@@ -1720,6 +2069,6 @@ the additional JavaScript required to generate this output.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2019
+2008-2020
.\" Generated by docutils manpage writer.
.
diff --git a/debian/mongod.1 b/debian/mongod.1
index 700a0774222..7d70e315630 100644
--- a/debian/mongod.1
+++ b/debian/mongod.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGOD" "1" "Aug 16, 2019" "4.2" "mongodb-manual"
+.TH "MONGOD" "1" "Jun 23, 2020" "4.4" "mongodb-manual"
.SH NAME
mongod \- MongoDB Server
.
@@ -109,6 +109,16 @@ in 3.4.18+, 3.6.9+, 4.0.3+)
.UNINDENT
.UNINDENT
.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.IP "Starting in version 4.4"
+.INDENT 0.0
+.IP \(bu 2
+MongoDB removes the \fB\-\-noIndexBuildRetry\fP command\-line option
+and the corresponding \fBstorage.indexBuildRetry\fP option.
+.UNINDENT
+.UNINDENT
+.UNINDENT
.SS Core Options
.INDENT 0.0
.TP
@@ -502,15 +512,6 @@ system\(aqs configured maximum connection tracking threshold.
.sp
Do not assign too low of a value to this option, or you will
encounter errors during normal application operation.
-.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-Changed in version 2.6: MongoDB removed the upward limit on the \fBmaxIncomingConnections\fP
-setting.
-
-.UNINDENT
-.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -575,9 +576,6 @@ existing log and create a new file.
.B \-\-logRotate <string>
\fIDefault\fP: rename
.sp
-New in version 3.0.0.
-
-.sp
Determines the behavior for the \fBlogRotate\fP command.
Specify either \fBrename\fP or \fBreopen\fP:
.INDENT 7.0
@@ -609,13 +607,6 @@ Description
T}
_
T{
-\fBctime\fP
-T} T{
-Displays timestamps as \fBWed Dec 31
-18:17:54.811\fP\&.
-T}
-_
-T{
\fBiso8601\-utc\fP
T} T{
Displays timestamps in Coordinated Universal Time (UTC) in the
@@ -628,10 +619,19 @@ T{
T} T{
Displays timestamps in local time in the ISO\-8601
format. For example, for New York at the start of the Epoch:
-\fB1969\-12\-31T19:00:00.000\-0500\fP
+\fB1969\-12\-31T19:00:00.000\-05:00\fP
T}
_
.TE
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.4, \fI\%\-\-timeStampFormat\fP no longer supports \fBctime\fP\&.
+An example of \fBctime\fP formatted date is: \fBWed Dec 31
+18:17:54.811\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -641,11 +641,33 @@ For internal diagnostic use only.
.INDENT 0.0
.TP
.B \-\-pidfilepath <path>
-Specifies a file location to hold the process ID of the \fBmongod\fP
-process where \fBmongod\fP will write its PID. This is useful for
-tracking the \fBmongod\fP process in combination with
-the \fI\%\-\-fork\fP option. Without a specified \fI\%\-\-pidfilepath\fP option, the
-process creates no PID file.
+Specifies a file location to store the process ID (PID) of the \fBmongod\fP
+process. The user running the \fBmongod\fP or \fBmongos\fP
+process must be able to write to this path. If the \fI\%\-\-pidfilepath\fP option is not
+specified, the process does not create a PID file. This option is generally
+only useful in combination with the \fI\%\-\-fork\fP option.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Linux"
+.sp
+On Linux, PID file management is generally the responsibility of
+your distro\(aqs init system: usually a service file in the \fB/etc/init.d\fP
+directory, or a systemd unit file registered with \fBsystemctl\fP\&. Only
+use the \fI\%\-\-pidfilepath\fP option if you are not using one of these init
+systems. For more information, please see the respective
+Installation Guide for your operating system.
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.INDENT 3.5
+.IP "macOS"
+.sp
+On macOS, PID file management is generally handled by \fBbrew\fP\&. Only use
+the \fI\%\-\-pidfilepath\fP option if you are not using \fBbrew\fP on your macOS system.
+For more information, please see the respective
+Installation Guide for your operating system.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
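Review bot: The rewritten --pidfilepath text in mongod.1 says "The user running the mongod or mongos process must be able to write to this path"; the mongos mention reads as carry-over from a shared source and should be dropped on this page. The Linux and macOS boxes both end with "please see the respective Installation Guide for your operating system" without naming or linking a guide, which leaves the reader nothing to follow from a man page.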
@@ -695,10 +717,9 @@ always listens on the UNIX socket unless one of the following is true:
\fBnet.bindIp\fP does not specify \fBlocalhost\fP or its associated IP address
.UNINDENT
.sp
-New in version 2.6: \fBmongod\fP installed from official \&.deb and \&.rpm packages
+\fBmongod\fP installed from official \&.deb and \&.rpm packages
have the \fBbind_ip\fP configuration set to \fB127.0.0.1\fP by
default.
-
.UNINDENT
.INDENT 0.0
.TP
@@ -739,6 +760,8 @@ background. By default \fBmongod\fP does not run as a daemon:
typically you will run \fBmongod\fP as a daemon, either by using
\fI\%\-\-fork\fP or by using a controlling process that handles the
daemonization process (e.g. as with \fBupstart\fP and \fBsystemd\fP).
+.sp
+The \fI\%\-\-fork\fP option is not supported on Windows.
.UNINDENT
.INDENT 0.0
.TP
@@ -859,20 +882,8 @@ due to the lack of data related to a log event. See the
process logging manual page for an
example of the effect of \fI\%\-\-redactClientLogData\fP on log output.
.sp
-You can enable or disable log redaction on a running \fBmongod\fP
-using the \fBsetParameter\fP database command.
-.INDENT 7.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-db.adminCommand(
- { setParameter: 1, redactClientLogData : true | false }
-)
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
+On a running \fBmongod\fP, use \fBsetParameter\fP with the
+\fBredactClientLogData\fP parameter to configure this setting.
.UNINDENT
.INDENT 0.0
.TP
@@ -972,6 +983,47 @@ mongod \-\-timeZoneInfo timezonedb\-2017b/
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-serviceExecutor <string>
+\fIDefault\fP: synchronous
+.sp
+New in version 3.6.
+
+.sp
+Determines the threading and execution model \fBmongod\fP uses to
+execute client requests. The \fB\-\-serviceExecutor\fP option accepts one
+of the following values:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T} T{
+Description
+T}
+_
+T{
+\fBsynchronous\fP
+T} T{
+The \fBmongod\fP uses synchronous networking and manages its
+networking thread pool on a per connection basis. Previous
+versions of MongoDB managed threads in this way.
+T}
+_
+T{
+\fBadaptive\fP
+T} T{
+The \fBmongod\fP uses the new experimental asynchronous
+networking mode with an adaptive thread pool which manages
+threads on a per request basis. This mode should have more
+consistent performance and use less resources when there are
+more inactive connections than database requests.
+T}
+_
+.TE
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-outputConfig
New in version 4.2.
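Review bot: The --serviceExecutor entry is marked "New in version 3.6" yet describes adaptive as "the new experimental asynchronous networking mode", and "Previous versions of MongoDB managed threads in this way" does not say which versions. For a 4.4 man page, suggest stating the current support status of adaptive outright and naming the version boundary, so operators can tell whether the non-default value is meant for production use.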
@@ -1073,14 +1125,14 @@ For the corresponding configuration file setting, see
New in version 3.4: Available in MongoDB Enterprise only.
.sp
-The LDAP server against which the \fBmongod\fP executes LDAP operations
-against to authenticate users or determine what actions a user is authorized
-to perform on a given database. If the LDAP server specified has any
-replicated instances, you may specify the host and port of each replicated
-server in a comma\-delimited list.
+The LDAP server against which the \fBmongod\fP authenticates users or
+determines what actions a user is authorized to perform on a given
+database. If the LDAP server specified has any replicated instances,
+you may specify the host and port of each replicated server in a
+comma\-delimited list.
.sp
-If your LDAP infrastrucure partitions the LDAP directory over multiple LDAP
-servers, specify \fIone\fP LDAP server any of its replicated instances to
+If your LDAP infrastructure partitions the LDAP directory over multiple LDAP
+servers, specify \fIone\fP LDAP server or any of its replicated instances to
\fI\%\-\-ldapServers\fP\&. MongoDB supports following LDAP referrals as defined in \fI\%RFC 4511
4.1.10\fP\&. Do not use \fI\%\-\-ldapServers\fP
for listing every LDAP server in your infrastructure.
@@ -1092,6 +1144,24 @@ If unset, \fBmongod\fP cannot use LDAP authentication or authorization\&.
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-ldapValidateLDAPServerConfig <boolean>
+\fIAvailable in MongoDB Enterprise\fP
+.sp
+A flag that determines if the \fI\%mongod\fP instance checks
+the availability of the \fI\%LDAP server(s)\fP as part of its startup:
+.INDENT 7.0
+.IP \(bu 2
+If \fBtrue\fP, the \fI\%mongod\fP instance performs the
+availability check and only continues to start up if the LDAP
+server is available.
+.IP \(bu 2
+If \fBfalse\fP, the \fI\%mongod\fP instance skips the
+availability check; i.e. the instance starts up even if the LDAP
+server is unavailable.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-ldapQueryUser <string>
New in version 3.4: Available in MongoDB Enterprise only.
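Review bot: The new --ldapValidateLDAPServerConfig entry gives no default, unlike neighbouring options such as --ldapBindWithOSDefaults, which carry a "Default:" line. Which behaviour applies when the flag is omitted matters operationally, because with false the instance starts even if the LDAP server is unavailable. Suggest adding the "Default:" line and the version in which the option was introduced.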
@@ -1152,7 +1222,7 @@ both \fI\%\-\-ldapQueryPassword\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the
.INDENT 0.0
.TP
.B \-\-ldapBindWithOSDefaults <bool>
-\fIDefault\fP: False
+\fIDefault\fP: false
.sp
New in version 3.4: Available in MongoDB Enterprise for the Windows platform only.
@@ -1194,12 +1264,12 @@ connect to the LDAP server.
.UNINDENT
.sp
If you specify \fBsasl\fP, you can configure the available SASL mechanisms
-using \fI\%\-\-ldapBindSASLMechanisms\fP\&. \fBmongod\fP defaults to
+using \fI\%\-\-ldapBindSaslMechanisms\fP\&. \fBmongod\fP defaults to
using \fBDIGEST\-MD5\fP mechanism.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapBindSASLMechanisms <string>
+.B \-\-ldapBindSaslMechanisms <string>
\fIDefault\fP: DIGEST\-MD5
.sp
New in version 3.4: Available in MongoDB Enterprise only.
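Review bot: Renaming the documented option from --ldapBindSASLMechanisms to --ldapBindSaslMechanisms, in both the option heading and the cross-reference, leaves no trace of the old spelling. Existing startup scripts may use it, so suggest a sentence saying whether the previous spelling is still accepted.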
@@ -1444,10 +1514,17 @@ username against the \fBmatch\fP filter. If a match is found,
authenticating the user. \fBmongod\fP does not check the remaining documents
in the array.
.sp
-If the given document does not match the provided authentication name, or
-the transformation described by the document fails, \fBmongod\fP continues
-through the list of documents to find additional matches. If no matches are
-found in any document, \fBmongod\fP returns an error.
+If the given document does not match the provided authentication
+name, \fI\%mongod\fP continues through the list of documents
+to find additional matches. If no matches are found in any document,
+or the transformation the document describes fails,
+\fI\%mongod\fP returns an error.
+.sp
+Starting in MongoDB 4.4, \fI\%mongod\fP also returns an error
+if one of the transformations cannot be evaluated due to networking
+or authentication failures to the LDAP server. \fI\%mongod\fP
+rejects the connection request and does not check the remaining
+documents in the array.
.INDENT 7.0
.INDENT 3.5
.SS Example
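Review bot: The first rewritten paragraph moves the failed-transformation case from "continues through the list of documents" to "returns an error" with no version marker, while only the second paragraph is scoped with "Starting in MongoDB 4.4". State whether the first change is also new in 4.4 or a correction for all versions, since it alters when an authentication attempt is rejected. The clause "or the transformation the document describes fails" is also ambiguous about which document is meant when it follows "If no matches are found in any document".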
@@ -1663,16 +1740,16 @@ will refuse to start.
.sp
The directory where the \fBmongod\fP instance stores its data.
.sp
-If you
-installed MongoDB using a package management system, check the
-\fB/etc/mongod.conf\fP file provided by your packages to see the
-directory is specified.
+If using the default
+configuration file
+included with a package manager installation of MongoDB, the
+corresponding \fBstorage.dbPath\fP setting uses a different
+default.
.sp
-Changed in version 3.0: The files in \fI\%\-\-dbpath\fP must correspond to the storage engine
+The files in \fI\%\-\-dbpath\fP must correspond to the storage engine
specified in \fI\%\-\-storageEngine\fP\&. If the data files do not
correspond to \fI\%\-\-storageEngine\fP, \fBmongod\fP will refuse to
start.
-
.UNINDENT
.INDENT 0.0
.TP
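Review bot: "the corresponding storage.dbPath setting uses a different default" does not say what that default is or where to find it, whereas the removed text pointed the reader at /etc/mongod.conf. Suggest keeping the file name or stating the packaged path so the sentence is actionable.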
@@ -1681,49 +1758,49 @@ Uses a separate directory to store data for each database. The
directories are under the \fI\%\-\-dbpath\fP directory, and each subdirectory
name corresponds to the database name.
.sp
-Changed in version 3.0: To change the \fI\%\-\-directoryperdb\fP option for existing deployments, you must
-restart the \fI\%mongod\fP instances with the new \fI\%\-\-directoryperdb\fP
-value \fBand\fP a new data directory (\fI\%\-\-dbpath <new path>\fP), and then
-repopulate the data.
+Not available for \fI\%mongod\fP instances that use the
+in\-memory storage engine\&.
+.sp
+To change the \fI\%\-\-directoryperdb\fP option for existing
+deployments:
.INDENT 7.0
.IP \(bu 2
-For standalone instances, you can use \fBmongodump\fP on
-the existing instance, stop the instance, restart with the new
-\fI\%\-\-directoryperdb\fP value \fBand\fP a new data directory, and use
-\fBmongorestore\fP to populate the new data directory.
+For standalone instances:
+.INDENT 2.0
+.IP 1. 3
+Use \fI\%mongodump\fP on the existing
+\fI\%mongod\fP instance to generate a backup.
+.IP 2. 3
+Stop the \fI\%mongod\fP instance.
+.IP 3. 3
+Add the \fI\%\-\-directoryperdb\fP value \fBand\fP
+configure a new data directory
+.IP 4. 3
+Restart the \fI\%mongod\fP instance.
+.IP 5. 3
+Use \fI\%mongorestore\fP to populate the new data
+directory.
+.UNINDENT
.IP \(bu 2
-For replica sets, you can update in a rolling manner by stopping
-a secondary member, restart with the new \fI\%\-\-directoryperdb\fP value \fBand\fP
-a new data directory, and use initial sync to populate the new data directory.
-To update all members, start with the secondary members first.
-Then step down the primary, and update the stepped\-down member.
+For replica sets:
+.INDENT 2.0
+.IP 1. 3
+Stop a secondary member.
+.IP 2. 3
+Add the \fI\%\-\-directoryperdb\fP value \fBand\fP
+configure a new data directory to that secondary member.
+.IP 3. 3
+Restart that secondary.
+.IP 4. 3
+Use initial sync to populate
+the new data directory.
+.IP 5. 3
+Update remaining secondaries in the same fashion.
+.IP 6. 3
+Step down the primary, and update the stepped\-down member in the
+same fashion.
.UNINDENT
-
-.sp
-Not available for \fI\%mongod\fP instances that use the
-in\-memory storage engine\&.
.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-noIndexBuildRetry
-Changed in version 4.0: \fI\%\-\-noIndexBuildRetry\fP cannot be used in
-conjunction with \fI\%\-\-replSet\fP; i.e., you cannot
-use \fI\%\-\-noIndexBuildRetry\fP for a \fI\%mongod\fP instance that is part of
-a replica set.
-
-.sp
-Stops the \fBmongod\fP \fBstandalone\fP instance from rebuilding incomplete indexes on the next
-start up. This applies in cases where the \fBmongod\fP restarts after it
-has shut down or stopped in the middle of an index build. In such cases,
-the \fBmongod\fP always removes any incomplete indexes, and then also, by
-default, attempts to rebuild them. To stop the \fBmongod\fP from
-rebuilding incomplete indexes on start up, include this option on the
-command\-line.
-.sp
-The \fI\%\-\-noIndexBuildRetry\fP only applies to standalones.
-.sp
-Not available for \fI\%mongod\fP instances that use the
-in\-memory storage engine\&.
.UNINDENT
.INDENT 0.0
.TP
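Review bot: The --noIndexBuildRetry entry is deleted outright at the end of this hunk with no deprecation or removal notice left behind, whereas --wiredTigerMaxCacheOverflowFileSizeGB later in this patch keeps its entry under a "Deprecated in MongoDB 4.4" box. Either keep a short stub that says what a 4.4 mongod does when the flag is still passed, or mention the removal in the commit message, so an operator with the flag in a startup script has something to find. In the new standalone step list, step 3 ("configure a new data directory") is missing its closing period.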
@@ -1841,11 +1918,11 @@ If any voting member of a replica set uses the in\-memory
storage engine, you must set
\fBwriteConcernMajorityJournalDefault\fP to \fBfalse\fP\&.
.sp
-Starting in version 4.2, if a replica set member uses the
-in\-memory storage engine (voting or
-non\-voting) but the replica set has
-\fBwriteConcernMajorityJournalDefault\fP set to true, the replica set member
-logs a startup warning.
+Starting in version 4.2 (and 4.0.13 and 3.6.14 ), if a replica set
+member uses the in\-memory storage engine
+(voting or non\-voting) but the replica set has
+\fBwriteConcernMajorityJournalDefault\fP set to true, the
+replica set member logs a startup warning.
.UNINDENT
.INDENT 0.0
.TP
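Review bot: The added line "Starting in version 4.2 (and 4.0.13 and 3.6.14 ), if a replica set" has a stray space before the closing parenthesis; it should read "(and 4.0.13 and 3.6.14)".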
@@ -1863,22 +1940,29 @@ WiredTiger storage engine.
.INDENT 0.0
.TP
.B \-\-journalCommitInterval <value>
-\fIDefault\fP: 100 or 30
-.sp
-Changed in version 3.2.
-
+\fIDefault\fP: 100
.sp
The maximum amount of time in milliseconds that
the \fBmongod\fP process allows between
journal operations. Values can range from 1 to 500 milliseconds. Lower
values increase the durability of the journal, at the expense of disk
-performance. The default journal commit interval is 100 milliseconds.
+performance.
.sp
-On WiredTiger, the default journal commit interval is 100 milliseconds. Additionally,
-a write with \fBj:true\fP will cause an immediate sync of the journal.
+On WiredTiger, the default journal commit interval is 100
+milliseconds. Additionally, a write that includes or implies
+\fBj:true\fP will cause an immediate sync of the journal. For details
+or additional conditions that affect the frequency of the sync, see
+journal\-process\&.
.sp
Not available for \fI\%mongod\fP instances that use the
in\-memory storage engine\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Known Issue in 4.2.0: The \fI\%\-\-journalCommitInterval\fP is missing in 4.2.0.
+.UNINDENT
+.UNINDENT
.UNINDENT
.SS WiredTiger Options
.INDENT 0.0
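Review bot: The added NOTE "Known Issue in 4.2.0: The --journalCommitInterval is missing in 4.2.0" does not say what "missing" means for the operator: whether a 4.2.0 mongod rejects the option at startup or ignores it, and which release restores it. State the observable behaviour and the fixed version, or drop the note from a man page that is being updated for 4.4.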
@@ -1887,8 +1971,9 @@ in\-memory storage engine\&.
Defines the maximum size of the internal cache that WiredTiger will
use for all data. The memory consumed by an index build (see
\fBmaxIndexBuildMemoryUsageMegabytes\fP) is separate from the
-WiredTiger cache memory. Starting in MongoDB 3.4, the values can range
-from 0.25 GB to 10000 GB and can be a float.
+WiredTiger cache memory.
+.sp
+Values can range from \fB0.25\fP GB to \fB10000\fP GB.
.sp
Starting in MongoDB 3.4, the default WiredTiger internal cache size is
the larger of either:
@@ -1956,12 +2041,60 @@ amount depends on the other processes running in the container. See
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-wiredTigerMaxCacheOverflowFileSizeGB <float>
+.INDENT 7.0
+.INDENT 3.5
+.IP "Deprecated in MongoDB 4.4"
+.sp
+MongoDB deprecates the \fB\-\-wiredTigerMaxCacheOverflowFileSizeGB\fP
+option. The option has no effect starting in MongoDB 4.4.
+.UNINDENT
+.UNINDENT
+.sp
+Specifies the maximum size (in GB) for the "lookaside (or cache
+overflow) table" file \fBWiredTigerLAS.wt\fP for MongoDB
+4.2.1\-4.2.x and 4.0.12\-4.0.x. The file no longer exists starting in
+version 4.4.
+.sp
+The setting can accept the following values:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T} T{
+Description
+T}
+_
+T{
+\fB0\fP
+T} T{
+The default value. If set to \fB0\fP, the file size is
+unbounded.
+T}
+_
+T{
+number >= 0.1
+T} T{
+The maximum size (in GB). If the \fBWiredTigerLAS.wt\fP
+file exceeds this size, \fI\%mongod\fP exits with a
+fatal assertion. You can clear the \fBWiredTigerLAS.wt\fP
+file and restart \fI\%mongod\fP\&.
+T}
+_
+.TE
+.sp
+To change the maximum size during runtime, use the
+\fBwiredTigerMaxCacheOverflowSizeGB\fP parameter.
+.sp
+\fIAvailable starting in MongoDB 4.2.1 (and 4.0.12)\fP
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-wiredTigerJournalCompressor <compressor>
\fIDefault\fP: snappy
.sp
-New in version 3.0.0.
-
-.sp
Specifies the type of compression to use to compress WiredTiger
journal data.
.sp
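Review bot: The new --wiredTigerMaxCacheOverflowFileSizeGB entry opens by saying the option has no effect starting in MongoDB 4.4, but the table row for "number >= 0.1" then states without qualification that mongod exits with a fatal assertion when WiredTigerLAS.wt exceeds the size, and the entry closes with "Available starting in MongoDB 4.2.1 (and 4.0.12)". Scope the table and the runtime-parameter sentence to 4.2.1-4.2.x and 4.0.12-4.0.x so a 4.4 reader does not expect a fatal assertion that the same entry says cannot occur.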
@@ -1980,9 +2113,6 @@ zstd (Available starting in MongoDB 4.2)
.INDENT 0.0
.TP
.B \-\-wiredTigerDirectoryForIndexes
-New in version 3.0.0.
-
-.sp
When you start \fBmongod\fP with \fI\%\-\-wiredTigerDirectoryForIndexes\fP, \fBmongod\fP stores indexes and collections in separate
subdirectories under the data (i.e. \fI\%\-\-dbpath\fP) directory.
Specifically, \fBmongod\fP stores the indexes in a subdirectory named
@@ -2000,9 +2130,6 @@ the new destination.
.B \-\-wiredTigerCollectionBlockCompressor <compressor>
\fIDefault\fP: snappy
.sp
-New in version 3.0.0.
-
-.sp
Specifies the default compression for collection data. You can
override this on a per\-collection basis when creating collections.
.sp
@@ -2029,9 +2156,6 @@ created, or the default compressor at that time.
.B \-\-wiredTigerIndexPrefixCompression <boolean>
\fIDefault\fP: true
.sp
-New in version 3.0.0.
-
-.sp
Enables or disables prefix compression for index data.
.sp
Specify \fBtrue\fP for \fI\%\-\-wiredTigerIndexPrefixCompression\fP to enable prefix compression for
@@ -2052,9 +2176,6 @@ this set. All hosts in the replica set must have the same set name.
Starting in MongoDB 4.0,
.INDENT 7.0
.IP \(bu 2
-\fI\%\-\-replSet\fP cannot be used in conjunction with
-\fI\%\-\-noIndexBuildRetry\fP\&.
-.IP \(bu 2
For the WiredTiger storage engine, \fI\%\-\-replSet\fP cannot be used in
conjunction with \fI\%\-\-nojournal\fP\&.
.UNINDENT
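Review bot: With the --noIndexBuildRetry bullet removed, "Starting in MongoDB 4.0," now introduces a bullet list of a single item. Fold the remaining --nojournal restriction into one sentence and drop the .INDENT/.IP/.UNINDENT wrapper.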
@@ -2082,19 +2203,77 @@ the maximum amount of space available. For 64\-bit systems, the oplog
is typically 5% of available disk space.
.sp
Once the \fBmongod\fP has created the oplog for the first time,
-changing the \fI\%\-\-oplogSize\fP option will not affect the size of the oplog.
-.sp
-To change the oplog size of a running replica set member, use the
-\fBreplSetResizeOplog\fP administrative command.
-\fBreplSetResizeOplog\fP enables you to resize the oplog
-dynamically without restarting the \fI\%mongod\fP process.
+changing the \fI\%\-\-oplogSize\fP option will not affect the size of
+the oplog. To change the minimum oplog retention period after
+starting the \fI\%mongod\fP, use
+\fBreplSetResizeOplog\fP\&. \fBreplSetResizeOplog\fP
+enables you to resize the oplog dynamically without restarting the
+\fI\%mongod\fP process. To persist the changes made using
+\fBreplSetResizeOplog\fP through a restart, update the value
+of \fI\%\-\-oplogSize\fP\&.
.sp
See replica\-set\-oplog\-sizing for more information.
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-oplogMinRetentionHours <value>
+New in version 4.4: Specifies the minimum number of hours to preserve an oplog entry,
+where the decimal values represent the fractions of an hour. For
+example, a value of \fB1.5\fP represents one hour and thirty
+minutes.
+.sp
+The value must be greater than or equal to \fB0\fP\&. A value of \fB0\fP
+indicates that the \fI\%mongod\fP should truncate the oplog
+starting with the oldest entries to maintain the configured
+maximum oplog size.
+
+.sp
+Defaults to \fB0\fP\&.
+.sp
+A \fI\%mongod\fP started with \fB\-\-oplogMinRetentionHours\fP
+only removes an oplog entry \fIif\fP:
+.INDENT 7.0
+.IP \(bu 2
+The oplog has reached the maximum configured oplog size \fIand\fP
+.IP \(bu 2
+The oplog entry is older than the configured number of hours based
+on the host system clock.
+.UNINDENT
+.sp
+The \fI\%mongod\fP has the following behavior when configured
+with a minimum oplog retention period:
+.INDENT 7.0
+.IP \(bu 2
+The oplog can grow without constraint so as to retain oplog entries
+for the configured number of hours. This may result in reduction or
+exhaustion of system disk space due to a combination of high write
+volume and large retention period.
+.IP \(bu 2
+If the oplog grows beyond its maximum size, the
+\fI\%mongod\fP may continue to hold that disk space even if
+the oplog returns to its maximum size \fIor\fP is configured for a
+smaller maximum size. See replSetResizeOplog\-cmd\-compact\&.
+.IP \(bu 2
+The \fI\%mongod\fP compares the system wall clock to an
+oplog entries creation wall clock time when enforcing oplog entry
+retention. Clock drift between cluster components may result in
+unexpected oplog retention behavior. See
+production\-notes\-clock\-synchronization for more information on
+clock synchronization across cluster members.
+.UNINDENT
+.sp
+To change the minimum oplog retention period after starting the
+\fI\%mongod\fP, use \fBreplSetResizeOplog\fP\&.
+\fBreplSetResizeOplog\fP enables you to resize the oplog
+dynamically without restarting the \fI\%mongod\fP process. To
+persist the changes made using \fBreplSetResizeOplog\fP
+through a restart, update the value of
+\fI\%\-\-oplogMinRetentionHours\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-enableMajorityReadConcern
-\fIDefault\fP: True
+\fIDefault\fP: true
.sp
Starting in MongoDB 3.6, MongoDB enables support for
\fB"majority"\fP read concern by default.
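Review bot: In the rewritten --oplogSize paragraph, the sentence "To change the minimum oplog retention period after starting the mongod, use replSetResizeOplog" looks copied from the new --oplogMinRetentionHours entry below it; under --oplogSize it should read "To change the oplog size", as the removed text did. In the --oplogMinRetentionHours entry, "an oplog entries creation wall clock time" should be "an oplog entry's creation wall clock time", and "New in version 4.4:" runs straight into the description, so the version label should sit on its own line.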
@@ -2312,26 +2491,35 @@ For more information about TLS and MongoDB, see
.INDENT 0.0
.TP
.B \-\-tlsCertificateKeyFile <filename>
-New in version 4.2.
+New in version 4.2: Specifies the \fB\&.pem\fP file that contains both the TLS
+certificate and key.
.sp
-\fBNOTE:\fP
+Starting with MongoDB 4.0 on macOS or Windows, you can use the
+\fI\%\-\-tlsCertificateSelector\fP option to specify a
+certificate from the operating system\(aqs secure certificate store
+instead of a PEM key file. \fI\%\-\-tlsCertificateKeyFile\fP and
+\fI\%\-\-tlsCertificateSelector\fP options are mutually exclusive.
+You can only specify one.
.INDENT 7.0
+.IP \(bu 2
+On Linux/BSD, you must specify \fI\%\-\-tlsCertificateKeyFile\fP
+when TLS/SSL is enabled.
+.IP \(bu 2
+On Windows or macOS, you must specify either
+\fI\%\-\-tlsCertificateKeyFile\fP or
+\fI\%\-\-tlsCertificateSelector\fP when TLS/SSL is enabled.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 2.0
.INDENT 3.5
-Starting in 4.0, on macOS or Windows, you can use a certificate from
-the operating system\(aqs secure store instead of specifying a PEM file. See
-\fI\%\-\-tlsCertificateSelector\fP\&.
+For Windows \fBonly\fP, MongoDB 4.0 and later do not support
+encrypted PEM files. The \fI\%mongod\fP fails to start if
+it encounters an encrypted PEM file. To securely store and
+access a certificate for use with TLS on Windows,
+use \fI\%\-\-tlsCertificateSelector\fP\&.
.UNINDENT
.UNINDENT
-.sp
-Specifies the \fB\&.pem\fP file that contains both the TLS certificate
-and key.
-.INDENT 7.0
-.IP \(bu 2
-On Linux/BSD, you must specify \fI\%\-\-tlsCertificateKeyFile\fP when TLS is enabled.
-.IP \(bu 2
-On Windows or macOS, you must specify either \fI\%\-\-tlsCertificateKeyFile\fP or
-\fI\%\-\-tlsCertificateSelector\fP when TLS is enabled.
.UNINDENT
.sp
For more information about TLS and MongoDB, see
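Review bot: The new paragraph says "Starting with MongoDB 4.0 on macOS or Windows, you can use the --tlsCertificateSelector option", but the --tlsCertificateSelector entry in this same patch is labelled "New in version 4.2" and sends 4.0 users to --sslCertificateSelector. Name the 4.0 spelling here as well, or start the sentence at 4.2. Also, "New in version 4.2:" now runs directly into "Specifies the .pem file ...", which reads as if the description were the 4.2 change; keep the version label on its own line as the removed text did.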
@@ -2345,9 +2533,11 @@ New in version 4.2.
.sp
Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fI\%\-\-tlsCertificateKeyFile\fP). Use the \fI\%\-\-tlsCertificateKeyFilePassword\fP option only if the
-certificate\-key file is encrypted. In all cases, the \fBmongod\fP will
-redact the password from all logging and reporting output.
+\fI\%\-\-tlsCertificateKeyFile\fP). Use the
+\fI\%\-\-tlsCertificateKeyFilePassword\fP option only if the
+certificate\-key file is encrypted. In all cases, the
+\fBmongod\fP will redact the password from all logging and
+reporting output.
.sp
Starting in MongoDB 4.0:
.INDENT 7.0
@@ -2356,11 +2546,16 @@ On Linux/BSD, if the private key in the PEM file is encrypted and
you do not specify the \fI\%\-\-tlsCertificateKeyFilePassword\fP option, MongoDB will prompt for a
passphrase. See ssl\-certificate\-password\&.
.IP \(bu 2
-On macOS or Windows, if the private key in the PEM file is
-encrypted, you must explicitly specify the \fI\%\-\-tlsCertificateKeyFilePassword\fP option.
-Alternatively, you can use a certificate from the secure system
-store (see \fI\%\-\-tlsCertificateSelector\fP) instead of a PEM file or use an
+On macOS, if the private key in the PEM file is
+encrypted, you must explicitly specify the
+\fI\%\-\-tlsCertificateKeyFilePassword\fP option. Alternatively,
+you can use a certificate from the secure system store (see
+\fI\%\-\-tlsCertificateSelector\fP) instead of a PEM file or use an
unencrypted PEM file.
+.IP \(bu 2
+On Windows, MongoDB does not support encrypted certificates.
+The \fI\%mongod\fP fails if it encounters an encrypted
+PEM file. Use \fI\%\-\-tlsCertificateSelector\fP instead.
.UNINDENT
.sp
For more information about TLS and MongoDB, see
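Review bot: The new Windows bullet says "MongoDB does not support encrypted certificates", while the IMPORTANT blocks added elsewhere in this patch say "encrypted PEM files" and the neighbouring bullets speak of the private key in the PEM file being encrypted. Use "encrypted PEM files" here too, so the bullet is not read as a restriction on the certificate itself. Since this is the --tlsCertificateKeyFilePassword entry, the bullet should also say what that means for this option on Windows.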
@@ -2372,9 +2567,6 @@ For more information about TLS and MongoDB, see
.B \-\-clusterAuthMode <option>
\fIDefault\fP: keyFile
.sp
-New in version 2.6.
-
-.sp
The authentication mode used for cluster authentication. If you use
internal x.509 authentication,
specify so here. This option can have one of the following values:
@@ -2435,49 +2627,68 @@ For more information about TLS and MongoDB, see
.INDENT 0.0
.TP
.B \-\-tlsClusterFile <filename>
-New in version 4.2.
+New in version 4.2: Specifies the \fB\&.pem\fP file that contains the x.509
+certificate\-key file for membership authentication for the cluster or replica set.
.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-Starting in 4.0, on macOS or Windows, you can use a certificate
-from the operating system\(aqs secure store instead of a PEM
-file. See \fI\%\-\-tlsClusterCertificateSelector\fP\&.
-.UNINDENT
-.UNINDENT
+Starting with MongoDB 4.0 on macOS or Windows, you can use the
+\fI\%\-\-tlsClusterCertificateSelector\fP option to specify a
+certificate from the operating system\(aqs secure certificate store
+instead of a PEM key file. \fI\%\-\-tlsClusterFile\fP and
+\fI\%\-\-tlsClusterCertificateSelector\fP options are mutually
+exclusive. You can only specify one.
.sp
-Specifies the \fB\&.pem\fP file that contains the x.509 certificate\-key
-file for membership authentication
-for the cluster or replica set.
-.sp
-If \fI\%\-\-tlsClusterFile\fP does not specify the \fB\&.pem\fP file for internal cluster
-authentication or the alternative
+If \fI\%\-\-tlsClusterFile\fP does not specify the \fB\&.pem\fP file for
+internal cluster authentication or the alternative
\fI\%\-\-tlsClusterCertificateSelector\fP, the cluster uses the
-\fB\&.pem\fP file specified in the \fI\%\-\-tlsCertificateKeyFile\fP option or
-the certificate returned by the \fI\%\-\-tlsCertificateSelector\fP\&.
+\fB\&.pem\fP file specified in the \fI\%\-\-tlsCertificateKeyFile\fP
+option or the certificate returned by the
+\fI\%\-\-tlsCertificateSelector\fP\&.
.sp
If using x.509 authentication, \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP
must be specified unless using \fI\%\-\-tlsCertificateSelector\fP\&.
.sp
+Changed in version 4.4: \fI\%mongod\fP / \fBmongos\fP logs a warning on
+connection if the presented x.509 certificate expires within \fB30\fP
+days of the \fBmongod/mongos\fP host system time. See
+4.4\-rel\-notes\-certificate\-expiration\-warning for more
+information.
+
+.sp
For more information about TLS and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+For Windows \fBonly\fP, MongoDB 4.0 and later do not support
+encrypted PEM files. The \fI\%mongod\fP fails to start if
+it encounters an encrypted PEM file. To securely store and
+access a certificate for use with membership authentication on
+Windows, use \fI\%\-\-tlsClusterCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tlsCertificateSelector <parameter>=<value>
-New in version 4.2: Available on Windows and macOS as an alternative to \fI\%\-\-tlsCertificateKeyFile\fP\&.
-.sp
-The \fI\%\-\-tlsCertificateKeyFile\fP and \fI\%\-\-tlsCertificateSelector\fP options are mutually exclusive. You can only
-specify one.
+New in version 4.2: Available on Windows and macOS as an alternative to
+\fI\%\-\-tlsCertificateKeyFile\fP\&. In version 4.0, see
+\fI\%\-\-sslCertificateSelector\fP\&.
.sp
Specifies a certificate property in order to select a matching
-certificate from the operating system\(aqs certificate store.
+certificate from the operating system\(aqs certificate store to use for
+TLS.
.sp
-\fI\%\-\-tlsCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
-where the property can be one of the following:
+The \fI\%\-\-tlsCertificateKeyFile\fP and
+\fI\%\-\-tlsCertificateSelector\fP options are mutually exclusive.
+You can only specify one.
+.sp
+\fI\%\-\-tlsCertificateSelector\fP accepts an argument of the format
+\fB<property>=<value>\fP where the property can be one of the
+following:
.TS
center;
|l|l|l|.
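Review bot: In the --tlsClusterFile entry the Windows-only IMPORTANT block (mongod fails to start on an encrypted PEM file) is appended after the "For more information about TLS and MongoDB" trailer, whereas in --tlsCertificateKeyFile the same warning sits beside the platform bullets. A condition that stops startup belongs next to the paragraph that introduces --tlsClusterCertificateSelector, before the see-also lines. In the "Changed in version 4.4" paragraph the process names are styled two ways ("mongod / mongos" with mixed fonts, then "mongod/mongos" in bold); pick one.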
@@ -2515,6 +2726,21 @@ _
When using the system SSL certificate store, OCSP (Online
Certificate Status Protocol) is used to validate the revocation
status of certificates.
+.sp
+The \fI\%mongod\fP searches the operating system\(aqs secure
+certificate store for the CA certificates required to validate the
+full certificate chain of the specified TLS certificate.
+Specifically, the secure certificate store must contain the root CA
+and any intermediate CA certificates required to build the full
+certificate chain to the TLS certificate. Do \fBnot\fP use
+\fI\%\-\-tlsCAFile\fP or \fI\%\-\-tlsClusterCAFile\fP to specify the
+root and intermediate CA certificate
+.sp
+For example, if the TLS/SSL certificate was signed with a single root
+CA certificate, the secure certificate store must contain that root
+CA certificate. If the TLS/SSL certificate was signed with an
+intermediate CA certificate, the secure certificate store must
+contain the intermedia CA certificate \fIand\fP the root CA certificate.
.UNINDENT
.INDENT 0.0
.TP
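Review bot: Two slips in the added --tlsCertificateSelector paragraphs: the sentence ending "to specify the root and intermediate CA certificate" has no closing period (the --tlsClusterCertificateSelector copy of the same sentence has one), and "intermedia CA certificate" should be "intermediate CA certificate".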
@@ -2522,16 +2748,18 @@ status of certificates.
New in version 4.2: Available on Windows and macOS as an alternative to
\fI\%\-\-tlsClusterFile\fP\&.
.sp
-\fI\%\-\-tlsClusterFile\fP and \fI\%\-\-tlsClusterCertificateSelector\fP options are mutually exclusive. You can only
-specify one.
-
-.sp
Specifies a certificate property in order to select a matching
-certificate from the operating system\(aqs certificate store to use for
-internal authentication.
+certificate from the operating system\(aqs certificate store to use
+for internal x.509 membership authentication\&.
.sp
-\fI\%\-\-tlsClusterCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
-where the property can be one of the following:
+\fI\%\-\-tlsClusterFile\fP and
+\fI\%\-\-tlsClusterCertificateSelector\fP options are mutually
+exclusive. You can only specify one.
+
+.sp
+\fI\%\-\-tlsClusterCertificateSelector\fP accepts an argument of the
+format \fB<property>=<value>\fP where the property can be one of the
+following:
.TS
center;
|l|l|l|.
@@ -2565,30 +2793,57 @@ The \fBthumbprint\fP is sometimes referred to as a
T}
_
.TE
+.sp
+The \fI\%mongod\fP searches the operating system\(aqs secure
+certificate store for the CA certificates required to validate the
+full certificate chain of the specified cluster certificate.
+Specifically, the secure certificate store must contain the root CA
+and any intermediate CA certificates required to build the full
+certificate chain to the cluster certificate. Do \fBnot\fP use
+\fI\%\-\-tlsCAFile\fP or \fI\%\-\-tlsClusterCAFile\fP to specify the
+root and intermediate CA certificate.
+.sp
+For example, if the cluster certificate was signed with a single root
+CA certificate, the secure certificate store must contain that root
+CA certificate. If the cluster certificate was signed with an
+intermediate CA certificate, the secure certificate store must
+contain the intermedia CA certificate \fIand\fP the root CA certificate.
+.sp
+Changed in version 4.4: \fI\%mongod\fP / \fBmongos\fP logs a warning on
+connection if the presented x.509 certificate expires within \fB30\fP
+days of the \fBmongod/mongos\fP host system time. See
+4.4\-rel\-notes\-certificate\-expiration\-warning for more
+information.
+
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tlsClusterPassword <value>
-New in version 4.2.
+New in version 4.2: Specifies the password to de\-crypt the x.509 certificate\-key file
+specified with \fI\%\-\-tlsClusterFile\fP\&. Use the
+\fI\%\-\-tlsClusterPassword\fP option only if the certificate\-key
+file is encrypted. In all cases, the \fBmongod\fP will redact
+the password from all logging and reporting output.
.sp
-Specifies the password to de\-crypt the x.509 certificate\-key file
-specified with \fB\-\-tlsClusterFile\fP\&. Use the \fI\%\-\-tlsClusterPassword\fP option only
-if the certificate\-key file is encrypted. In all cases, the \fBmongod\fP
-will redact the password from all logging and reporting output.
-.sp
Starting in MongoDB 4.0:
.INDENT 7.0
.IP \(bu 2
On Linux/BSD, if the private key in the x.509 file is encrypted and
-you do not specify the \fI\%\-\-tlsClusterPassword\fP option, MongoDB will prompt for a
-passphrase. See ssl\-certificate\-password\&.
+you do not specify the \fI\%\-\-tlsClusterPassword\fP option,
+MongoDB will prompt for a passphrase. See
+ssl\-certificate\-password\&.
.IP \(bu 2
-On macOS or Windows, if the private key in the x.509 file is
-encrypted, you must explicitly specify the \fI\%\-\-tlsClusterPassword\fP option.
-Alternatively, you can either use a certificate from the secure
-system store (see \fI\%\-\-tlsClusterCertificateSelector\fP) instead of a cluster PEM file or
-use an unencrypted PEM file.
+On macOS, if the private key in the x.509 file is
+encrypted, you must explicitly specify the
+\fI\%\-\-tlsClusterPassword\fP option. Alternatively, you can
+either use a certificate from the secure system store (see
+\fI\%\-\-tlsClusterCertificateSelector\fP) instead of a cluster PEM
+file or use an unencrypted PEM file.
+.IP \(bu 2
+On Windows, MongoDB does not support encrypted certificates.
+The \fI\%mongod\fP fails if it encounters an encrypted
+PEM file. Use \fI\%\-\-tlsClusterCertificateSelector\fP instead.
.UNINDENT
.sp
For more information about TLS and MongoDB, see
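Review bot: The "Changed in version 4.4" certificate-expiration paragraph is added here under --tlsClusterCertificateSelector and under --tlsClusterFile, but not under --tlsCertificateKeyFile or --tlsCertificateSelector in the hunks of this patch, so it is unclear whether the 30-day warning covers only member certificates or any x.509 certificate presented on a connection. Say which, and place the paragraph accordingly. The example paragraph repeats the typo "intermedia CA certificate", and the new Windows bullet under --tlsClusterPassword says "encrypted certificates" where the IMPORTANT blocks say "encrypted PEM files".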
@@ -2601,14 +2856,20 @@ For more information about TLS and MongoDB, see
New in version 4.2.
.sp
-Specifies the \fB\&.pem\fP file that contains the root certificate chain
-from the Certificate Authority. Specify the file name of the
+Specifies the \fB\&.pem\fP file that contains the root certificate
+chain from the Certificate Authority. Specify the file name of the
\fB\&.pem\fP file using relative or absolute paths.
-.sp
-Starting in 4.0, on macOS or Windows, you can use a certificate from
-the operating system\(aqs secure store instead of a PEM key file. See
-\fI\%\-\-tlsCertificateSelector\fP\&. When using the secure store, you
-do not need to, but can, also specify the \fI\%\-\-tlsCAFile\fP\&.
+.INDENT 7.0
+.TP
+.B Windows/macOS Only
+If using \fI\%\-\-tlsCertificateSelector\fP and/or
+\fI\%\-\-tlsClusterCertificateSelector\fP, do \fBnot\fP use
+\fI\%\-\-tlsCAFile\fP to specify the root and intermediate CA
+certificates. Store all CA certificates required to validate the
+full trust chain of the \fI\%\-\-tlsCertificateSelector\fP and/or
+\fI\%\-\-tlsClusterCertificateSelector\fP certificates in the
+secure certificate store.
+.UNINDENT
.sp
For more information about TLS and MongoDB, see
/tutorial/configure\-ssl and
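Review bot: The removed text said that with the secure store "you do not need to, but can, also specify the --tlsCAFile"; the new Windows/macOS block says do not use it, but not what mongod does if both are given (a startup error, or the file being ignored or combined with the store). For a setting that decides which CAs are trusted, state the outcome, and flag the reversal for operators who configured both under the earlier wording.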
@@ -2620,24 +2881,33 @@ For more information about TLS and MongoDB, see
New in version 4.2.
.sp
-Specifies the \fB\&.pem\fP file that contains the root certificate chain
-from the Certificate Authority used to validate the certificate
+Specifies the \fB\&.pem\fP file that contains the root certificate
+chain from the Certificate Authority used to validate the certificate
presented by a client establishing a connection. Specify the file
name of the \fB\&.pem\fP file using relative or absolute paths.
+\fI\%\-\-tlsClusterCAFile\fP requires that
+\fI\%\-\-tlsCAFile\fP is set.
.sp
-If \fI\%\-\-tlsClusterCAFile\fP does not specify the \fB\&.pem\fP file for validating the
-certificate from a client establishing a connection, the cluster uses
-the \fB\&.pem\fP file specified in the \fI\%\-\-tlsCAFile\fP option.
-.sp
-\fI\%\-\-tlsClusterCAFile\fP lets you use separate Certificate Authorities to verify the
-client to server and server to client portions of the TLS handshake.
+If \fI\%\-\-tlsClusterCAFile\fP does not specify the \fB\&.pem\fP
+file for validating the certificate from a client establishing a
+connection, the cluster uses the \fB\&.pem\fP file specified in the
+\fI\%\-\-tlsCAFile\fP option.
.sp
-Starting in 4.0, on macOS or Windows, you can use a certificate from
-the operating system\(aqs secure store instead of a PEM key file. See
-\fI\%\-\-tlsClusterCertificateSelector\fP\&. When using the secure store, you
-do not need to, but can, also specify the \fI\%\-\-tlsClusterCAFile\fP\&.
-.sp
-Requires that \fI\%\-\-tlsCAFile\fP is set.
+\fI\%\-\-tlsClusterCAFile\fP lets you use separate Certificate
+Authorities to verify the client to server and server to client
+portions of the TLS handshake.
+.INDENT 7.0
+.TP
+.B Windows/macOS Only
+If using \fI\%\-\-tlsCertificateSelector\fP and/or
+\fI\%\-\-tlsClusterCertificateSelector\fP, do \fBnot\fP use
+\fI\%\-\-tlsClusterCAFile\fP to specify the root and
+intermediate CA certificates. Store all CA certificates required to
+validate the full trust chain of the
+\fI\%\-\-tlsCertificateSelector\fP and/or
+\fI\%\-\-tlsClusterCertificateSelector\fP certificates in the
+secure certificate store.
+.UNINDENT
.sp
For more information about TLS and MongoDB, see
/tutorial/configure\-ssl and
@@ -2646,17 +2916,32 @@ For more information about TLS and MongoDB, see
.INDENT 0.0
.TP
.B \-\-tlsCRLFile <filename>
-New in version 4.2.
+New in version 4.2: For MongoDB 4.0 and earlier, see \fI\%\-\-sslCRLFile\fP\&.
.sp
-Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
+Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
List. Specify the file name of the \fB\&.pem\fP file using relative or
absolute paths.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Starting in MongoDB 4.0, you cannot specify \fI\%\-\-tlsCRLFile\fP on macOS. Use \fI\%\-\-tlsCertificateSelector\fP instead.
+.INDENT 0.0
+.IP \(bu 2
+Starting in MongoDB 4.0, you cannot specify a CRL file on
+macOS. Instead, you can use the system SSL certificate store,
+which uses OCSP (Online Certificate Status Protocol) to
+validate the revocation status of certificates. See
+\fI\%\-\-sslCertificateSelector\fP in MongoDB 4.0 and
+\fI\%\-\-tlsCertificateSelector\fP in MongoDB 4.2+ to use the
+system SSL certificate store.
+.IP \(bu 2
+Starting in version 4.4, to check for certificate revocation,
+MongoDB \fBenables\fP the use of OCSP
+(Online Certificate Status Protocol) by default as an
+alternative to specifying a CRL file or using the system SSL
+certificate store.
+.UNINDENT
.UNINDENT
.UNINDENT
.sp
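Review bot: The second bullet of the new NOTE announces that 4.4 enables OCSP by default, a change to revocation checking that is not specific to CRL files, yet it sits inside a note under --tlsCRLFile where operators who never configured a CRL will not look. It also does not say which check applies when --tlsCRLFile is set and OCSP is enabled. Give the default its own "Changed in version 4.4" paragraph and state how it interacts with a configured CRL file.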
@@ -2740,7 +3025,7 @@ incoming connections that use a specific protocol or protocols. To
specify multiple protocols, use a comma separated list of protocols.
.sp
\fI\%\-\-tlsDisabledProtocols\fP recognizes the following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP,
-\fBTLS1_2\fP, and starting in version 4.0.4 (and 3.6.9), \fBTLS1_3\fP\&.
+\fBTLS1_2\fP, and \fBTLS1_3\fP\&.
.INDENT 7.0
.IP \(bu 2
On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
@@ -2831,9 +3116,6 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsMode\fP instead.
.sp
-New in version 2.6.
-
-.sp
Enables TLS/SSL or mixed TLS/SSL used for all network connections. The
argument to the \fI\%\-\-sslMode\fP option can be one of the following:
.TS
@@ -2896,23 +3178,34 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsCertificateKeyFile\fP instead.
.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-Starting in 4.0, on macOS or Windows, you can use a certificate from
-the operating system\(aqs secure store instead of a PEM file. See
-\fI\%\-\-sslCertificateSelector\fP\&.
-.UNINDENT
-.UNINDENT
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL
+certificate and key.
.sp
-Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
-and key.
+Starting with MongoDB 4.0 on macOS or Windows, you can use the
+\fI\%\-\-sslCertificateSelector\fP option to specify a
+certificate from the operating system\(aqs secure certificate store
+instead of a PEM key file. \fI\%\-\-sslPEMKeyFile\fP and
+\fI\%\-\-sslCertificateSelector\fP options are mutually exclusive.
+You can only specify one.
.INDENT 7.0
.IP \(bu 2
-On Linux/BSD, you must specify \fI\%\-\-sslPEMKeyFile\fP when TLS/SSL is enabled.
+On Linux/BSD, you must specify \fI\%\-\-sslPEMKeyFile\fP when
+TLS/SSL is enabled.
.IP \(bu 2
-On Windows or macOS, you must specify either \fI\%\-\-sslPEMKeyFile\fP or
-\fI\%\-\-sslCertificateSelector\fP when TLS/SSL is enabled.
+On Windows or macOS, you must specify either
+\fI\%\-\-sslPEMKeyFile\fP or \fI\%\-\-sslCertificateSelector\fP
+when TLS/SSL is enabled.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 2.0
+.INDENT 3.5
+For Windows \fBonly\fP, MongoDB 4.0 and later do not support
+encrypted PEM files. The \fI\%mongod\fP fails to start if
+it encounters an encrypted PEM file. To securely store and
+access a certificate for use with TLS/SSL on Windows,
+use \fI\%\-\-sslCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.sp
For more information about TLS/SSL and MongoDB, see
@@ -2937,11 +3230,16 @@ On Linux/BSD, if the private key in the PEM file is encrypted and
you do not specify the \fI\%\-\-sslPEMKeyPassword\fP option, MongoDB will prompt for a
passphrase. See ssl\-certificate\-password\&.
.IP \(bu 2
-On macOS or Windows, if the private key in the PEM file is
-encrypted, you must explicitly specify the \fI\%\-\-sslPEMKeyPassword\fP option.
-Alternatively, you can use a certificate from the secure system
-store (see \fI\%\-\-sslCertificateSelector\fP) instead of a PEM key file or use an
-unencrypted PEM file.
+On macOS, if the private key in the PEM file is
+encrypted, you must explicitly specify the
+\fI\%\-\-sslPEMKeyPassword\fP option. Alternatively, you can use a
+certificate from the secure system store (see
+\fI\%\-\-sslCertificateSelector\fP) instead of a PEM key file or
+use an unencrypted PEM file.
+.IP \(bu 2
+On Windows, MongoDB does not support encrypted certificates.
+The \fI\%mongod\fP fails if it encounters an encrypted
+PEM file. Use \fI\%\-\-sslCertificateSelector\fP instead.
.UNINDENT
.sp
For more information about TLS/SSL and MongoDB, see
@@ -2954,21 +3252,18 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsClusterFile\fP instead.
.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-Starting in 4.0, on macOS or Windows, you can use a certificate
-from the operating system\(aqs secure store instead of a PEM key
-file. See \fI\%\-\-sslClusterCertificateSelector\fP\&.
-.UNINDENT
-.UNINDENT
+Specifies the \fB\&.pem\fP file that contains the x.509
+certificate\-key file for membership authentication for the cluster or replica set.
.sp
-Specifies the \fB\&.pem\fP file that contains the x.509 certificate\-key
-file for membership authentication
-for the cluster or replica set.
+Starting with MongoDB 4.0 on macOS or Windows, you can use the
+\fI\%\-\-sslClusterCertificateSelector\fP option to specify a
+certificate from the operating system\(aqs secure certificate store
+instead of a PEM key file. \fI\%\-\-sslClusterFile\fP and
+\fI\%\-\-sslClusterCertificateSelector\fP options are mutually
+exclusive. You can only specify one.
.sp
-If \fI\%\-\-sslClusterFile\fP does not specify the \fB\&.pem\fP file for internal cluster
-authentication or the alternative
+If \fI\%\-\-sslClusterFile\fP does not specify the \fB\&.pem\fP file for
+internal cluster authentication or the alternative
\fI\%\-\-sslClusterCertificateSelector\fP, the cluster uses the
\fB\&.pem\fP file specified in the \fI\%\-\-sslPEMKeyFile\fP option or
the certificate returned by the \fI\%\-\-sslCertificateSelector\fP\&.
@@ -2982,6 +3277,17 @@ must be specified unless using \fB\-\-tlsCertificateSelector\fP or
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+For Windows \fBonly\fP, MongoDB 4.0 and later do not support
+encrypted PEM files. The \fI\%mongod\fP fails to start if
+it encounters an encrypted PEM file. To securely store and
+access a certificate for use with membership authentication on
+Windows, use \fI\%\-\-sslClusterCertificateSelector\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -2989,17 +3295,20 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsCertificateSelector\fP instead.
.sp
-New in version 4.0: Available on Windows and macOS as an alternative to \fI\%\-\-tlsCertificateKeyFile\fP\&.
+New in version 4.0: Available on Windows and macOS as an alternative to
+\fI\%\-\-tlsCertificateKeyFile\fP\&.
.sp
-\fI\%\-\-tlsCertificateKeyFile\fP and \fI\%\-\-sslCertificateSelector\fP options are mutually exclusive. You can only
-specify one.
-
+Specifies a certificate property to select a matching certificate
+from the operating system\(aqs secure certificate store to use for
+TLS/SSL.
.sp
-Specifies a certificate property in order to select a matching
-certificate from the operating system\(aqs certificate store.
+\fI\%\-\-sslPEMKeyFile\fP and \fI\%\-\-sslCertificateSelector\fP
+options are mutually exclusive. You can only specify one.
+
.sp
-\fI\%\-\-sslCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
-where the property can be one of the following:
+\fI\%\-\-sslCertificateSelector\fP accepts an argument of the format
+\fB<property>=<value>\fP where the property can be one of the
+following:
.TS
center;
|l|l|l|.
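Review bot: The "New in version 4.0" line of this entry still names \-\-tlsCertificateKeyFile as the option this is an alternative to, while the mutual-exclusion sentence added just below now names \-\-sslPEMKeyFile. The \-\-sslClusterCertificateSelector entry uses the ssl-prefixed name (\-\-sslClusterFile) in both places. Suggest \-\-sslPEMKeyFile on the "New in version 4.0" line as well, so a reader of the deprecated option is not told it pairs with two different key-file flags.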
@@ -3037,6 +3346,21 @@ _
When using the system SSL certificate store, OCSP (Online
Certificate Status Protocol) is used to validate the revocation
status of certificates.
+.sp
+The \fI\%mongod\fP searches the operating system\(aqs secure
+certificate store for the CA certificates required to validate the
+full certificate chain of the specified TLS/SSL certificate.
+Specifically, the secure certificate store must contain the root CA
+and any intermediate CA certificates required to build the full
+certificate chain to the TLS/SSL certificate. Do \fBnot\fP use
+\fI\%\-\-sslCAFile\fP or \fI\%\-\-sslClusterCAFile\fP to specify the
+root and intermediate CA certificate
+.sp
+For example, if the TLS/SSL certificate was signed with a single root
+CA certificate, the secure certificate store must contain that root
+CA certificate. If the TLS/SSL certificate was signed with an
+intermediate CA certificate, the secure certificate store must
+contain the intermedia CA certificate \fIand\fP the root CA certificate.
.UNINDENT
.INDENT 0.0
.TP
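Review bot: The added sentence ending "to specify the root and intermediate CA certificate" has no closing period and uses the singular, where the matching text under \-\-sslCAFile reads "root and intermediate CA certificates." In the example paragraph, "intermedia CA certificate" should be "intermediate". These files are generated from reStructuredText, so the fix belongs in the source rather than in the .1 file.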
@@ -3047,16 +3371,18 @@ Deprecated since version 4.2: Use \fI\%\-\-tlsClusterCertificateSelector\fP inst
New in version 4.0: Available on Windows and macOS as an alternative to
\fI\%\-\-sslClusterFile\fP\&.
.sp
-\fI\%\-\-sslClusterFile\fP and \fI\%\-\-sslClusterCertificateSelector\fP options are mutually exclusive. You can only
-specify one.
-
+Specifies a certificate property to select a matching certificate
+from the operating system\(aqs secure certificate store to use for
+internal x.509 membership authentication\&.
.sp
-Specifies a certificate property in order to select a matching
-certificate from the operating system\(aqs certificate store to use for
-internal authentication.
+\fI\%\-\-sslClusterFile\fP and
+\fI\%\-\-sslClusterCertificateSelector\fP options are mutually
+exclusive. You can only specify one.
+
.sp
-\fI\%\-\-sslClusterCertificateSelector\fP accepts an argument of the format \fB<property>=<value>\fP
-where the property can be one of the following:
+\fI\%\-\-sslClusterCertificateSelector\fP accepts an argument of the
+format \fB<property>=<value>\fP where the property can be one of the
+following:
.TS
center;
|l|l|l|.
@@ -3090,6 +3416,21 @@ The \fBthumbprint\fP is sometimes referred to as a
T}
_
.TE
+.sp
+The \fI\%mongod\fP searches the operating system\(aqs secure
+certificate store for the CA certificates required to validate the
+full certificate chain of the specified cluster certificate.
+Specifically, the secure certificate store must contain the root CA
+and any intermediate CA certificates required to build the full
+certificate chain to the cluster certificate. Do \fBnot\fP use
+\fI\%\-\-sslCAFile\fP or \fI\%\-\-sslClusterCAFile\fP to specify the
+root and intermediate CA certificate.
+.sp
+For example, if the cluster certificate was signed with a single root
+CA certificate, the secure certificate store must contain that root
+CA certificate. If the cluster certificate was signed with an
+intermediate CA certificate, the secure certificate store must
+contain the intermedia CA certificate \fIand\fP the root CA certificate.
.UNINDENT
.INDENT 0.0
.TP
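Review bot: "intermedia CA certificate" in the last added paragraph should be "intermediate", and "root and intermediate CA certificate." should be plural to match the \-\-sslCAFile wording. The two paragraphs repeat the \-\-sslCertificateSelector text with "TLS/SSL certificate" swapped for "cluster certificate", so the same typo appears twice in this man page.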
@@ -3097,9 +3438,6 @@ _
Deprecated since version 4.2: Use \fI\%\-\-tlsClusterPassword\fP instead.
.sp
-New in version 2.6.
-
-.sp
Specifies the password to de\-crypt the x.509 certificate\-key file
specified with \fB\-\-sslClusterFile\fP\&. Use the \fI\%\-\-sslClusterPassword\fP option only
if the certificate\-key file is encrypted. In all cases, the \fBmongod\fP
@@ -3112,11 +3450,15 @@ On Linux/BSD, if the private key in the x.509 file is encrypted and
you do not specify the \fI\%\-\-sslClusterPassword\fP option, MongoDB will prompt for a
passphrase. See ssl\-certificate\-password\&.
.IP \(bu 2
-On macOS or Windows, if the private key in the x.509 file is
-encrypted, you must explicitly specify the \fI\%\-\-sslClusterPassword\fP option.
+On macOS, if the private key in the x.509 file is encrypted, you
+must explicitly specify the \fI\%\-\-sslClusterPassword\fP option.
Alternatively, you can either use a certificate from the secure
-system store (see \fI\%\-\-sslClusterCertificateSelector\fP) instead of a cluster PEM file or
-use an unencrypted PEM file.
+system store (see \fI\%\-\-sslClusterCertificateSelector\fP)
+instead of a cluster PEM file or use an unencrypted PEM file.
+.IP \(bu 2
+On Windows, MongoDB does not support encrypted certificates.
+The \fI\%mongod\fP fails if it encounters an encrypted
+PEM file. Use \fI\%\-\-sslClusterCertificateSelector\fP instead.
.UNINDENT
.sp
For more information about TLS/SSL and MongoDB, see
@@ -3129,14 +3471,20 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsCAFile\fP instead.
.sp
-Specifies the \fB\&.pem\fP file that contains the root certificate chain
-from the Certificate Authority. Specify the file name of the
+Specifies the \fB\&.pem\fP file that contains the root certificate
+chain from the Certificate Authority. Specify the file name of the
\fB\&.pem\fP file using relative or absolute paths.
-.sp
-Starting in 4.0, on macOS or Windows, you can use a certificate from
-the operating system\(aqs secure store instead of a PEM key file. See
-\fI\%\-\-sslCertificateSelector\fP\&. When using the secure store, you
-do not need to, but can, also specify the \fI\%\-\-sslCAFile\fP\&.
+.INDENT 7.0
+.TP
+.B Windows/macOS Only
+If using \fI\%\-\-sslCertificateSelector\fP and/or
+\fI\%\-\-sslClusterCertificateSelector\fP, do \fBnot\fP use
+\fI\%\-\-sslCAFile\fP to specify the root and intermediate CA
+certificates. Store all CA certificates required to validate the
+full trust chain of the \fI\%\-\-sslCertificateSelector\fP and/or
+\fI\%\-\-sslClusterCertificateSelector\fP certificates in the
+secure certificate store.
+.UNINDENT
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
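Review bot: The removed paragraph said that with the secure store you "do not need to, but can, also specify" \-\-sslCAFile; the new Windows/macOS block says do not, without stating what mongod does when both are supplied. Suggest saying whether the combination is rejected at startup or the file is ignored, because an operator carrying forward a configuration that passes both needs to know whether chain validation changes without any error.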
@@ -3148,24 +3496,33 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsClusterCAFile\fP instead.
.sp
-Specifies the \fB\&.pem\fP file that contains the root certificate chain
-from the Certificate Authority used to validate the certificate
+Specifies the \fB\&.pem\fP file that contains the root certificate
+chain from the Certificate Authority used to validate the certificate
presented by a client establishing a connection. Specify the file
name of the \fB\&.pem\fP file using relative or absolute paths.
+\fI\%\-\-sslClusterCAFile\fP requires that
+\fI\%\-\-sslCAFile\fP is set.
.sp
-If \fI\%\-\-sslClusterCAFile\fP does not specify the \fB\&.pem\fP file for validating the
-certificate from a client establishing a connection, the cluster uses
-the \fB\&.pem\fP file specified in the \fI\%\-\-sslCAFile\fP option.
-.sp
-\fI\%\-\-sslClusterCAFile\fP lets you use separate Certificate Authorities to verify the
-client to server and server to client portions of the TLS handshake.
+If \fI\%\-\-sslClusterCAFile\fP does not specify the \fB\&.pem\fP
+file for validating the certificate from a client establishing a
+connection, the cluster uses the \fB\&.pem\fP file specified in the
+\fI\%\-\-sslCAFile\fP option.
.sp
-Starting in 4.0, on macOS or Windows, you can use a certificate from
-the operating system\(aqs secure store instead of a PEM key file. See
-\fI\%\-\-sslClusterCertificateSelector\fP\&. When using the secure store, you
-do not need to, but can, also specify the \fI\%\-\-sslClusterCAFile\fP\&.
-.sp
-Requires that \fI\%\-\-sslCAFile\fP is set.
+\fI\%\-\-sslClusterCAFile\fP lets you use separate Certificate
+Authorities to verify the client to server and server to client
+portions of the TLS handshake.
+.INDENT 7.0
+.TP
+.B Windows/macOS Only
+If using \fI\%\-\-sslCertificateSelector\fP and/or
+\fI\%\-\-sslClusterCertificateSelector\fP, do \fBnot\fP use
+\fI\%\-\-sslClusterCAFile\fP to specify the root and
+intermediate CA certificates. Store all CA certificates required to
+validate the full trust chain of the
+\fI\%\-\-sslCertificateSelector\fP and/or
+\fI\%\-\-sslClusterCertificateSelector\fP certificates in the
+secure certificate store.
+.UNINDENT
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
@@ -3177,14 +3534,29 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsCRLFile\fP instead.
.sp
-Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
+Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
List. Specify the file name of the \fB\&.pem\fP file using relative or
absolute paths.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Starting in MongoDB 4.0, you cannot specify \fI\%\-\-sslCRLFile\fP on macOS. Use \fI\%\-\-sslCertificateSelector\fP instead.
+.INDENT 0.0
+.IP \(bu 2
+Starting in MongoDB 4.0, you cannot specify a CRL file on
+macOS. Instead, you can use the system SSL certificate store,
+which uses OCSP (Online Certificate Status Protocol) to
+validate the revocation status of certificates. See
+\fI\%\-\-sslCertificateSelector\fP in MongoDB 4.0 and
+\fI\%\-\-tlsCertificateSelector\fP in MongoDB 4.2+ to use the
+system SSL certificate store.
+.IP \(bu 2
+Starting in version 4.4, to check for certificate revocation,
+MongoDB \fBenables\fP the use of OCSP
+(Online Certificate Status Protocol) by default as an
+alternative to specifying a CRL file or using the system SSL
+certificate store.
+.UNINDENT
.UNINDENT
.UNINDENT
.sp
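Review bot: The second bullet of the new NOTE says 4.4 enables OCSP by default but gives no platform qualifier and no pointer to the switch. The ocspEnabled entry added to mongodb-parameters.5 in this same commit is marked "Available on Linux and macOS", so as written the bullet reads as applying everywhere. Suggest naming ocspEnabled here and repeating its platform list, so a reader relying on \-\-sslCRLFile can tell whether OCSP checking is also active on their platform.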
@@ -3230,9 +3602,6 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsAllowInvalidHostnames\fP instead.
.sp
-New in version 3.0.
-
-.sp
Disables the validation of the hostnames in TLS/SSL certificates,
when connecting to other members of the replica set or sharded cluster
for inter\-process authentication. This allows \fBmongod\fP to connect
@@ -3269,15 +3638,12 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsDisabledProtocols\fP instead.
.sp
-New in version 3.0.7.
-
-.sp
Prevents a MongoDB server running with TLS/SSL from accepting
incoming connections that use a specific protocol or protocols. To
specify multiple protocols, use a comma separated list of protocols.
.sp
\fI\%\-\-sslDisabledProtocols\fP recognizes the following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP,
-\fBTLS1_2\fP, and starting in version 4.0.4 (and 3.6.9), \fBTLS1_3\fP\&.
+\fBTLS1_2\fP, and starting in version 4.0.4 (and 3.6.9 and 3.4.24), \fBTLS1_3\fP\&.
.INDENT 7.0
.IP \(bu 2
On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
@@ -3483,9 +3849,6 @@ and \fI\%MongoDB Atlas\fP\&.
.INDENT 0.0
.TP
.B \-\-auditFormat
-New in version 2.6.
-
-.sp
Specifies the format of the output file for auditing if \fI\%\-\-auditDestination\fP is \fBfile\fP\&. The
\fI\%\-\-auditFormat\fP option can have one of the following values:
.TS
@@ -3528,9 +3891,6 @@ and \fI\%MongoDB Atlas\fP\&.
.INDENT 0.0
.TP
.B \-\-auditPath
-New in version 2.6.
-
-.sp
Specifies the output file for auditing if
\fI\%\-\-auditDestination\fP has value of \fBfile\fP\&. The \fI\%\-\-auditPath\fP
option can take either a full path name or a relative path name.
@@ -3546,9 +3906,6 @@ and \fI\%MongoDB Atlas\fP\&.
.INDENT 0.0
.TP
.B \-\-auditFilter
-New in version 2.6.
-
-.sp
Specifies the filter to limit the types of operations the audit system records. The option takes a string representation
of a query document of the form:
.INDENT 7.0
@@ -3650,7 +4007,7 @@ Available in MongoDB Enterprise only.
.INDENT 0.0
.TP
.B \-\-enableEncryption <boolean>
-\fIDefault\fP: False
+\fIDefault\fP: false
.sp
New in version 3.2.
@@ -3760,7 +4117,7 @@ Available in MongoDB Enterprise only.
.INDENT 0.0
.TP
.B \-\-kmipRotateMasterKey <boolean>
-\fIDefault\fP: False
+\fIDefault\fP: false
.sp
New in version 3.2.
@@ -3788,16 +4145,24 @@ kmip\-master\-key\-rotation
New in version 3.2.
.sp
-Hostname or IP address of key management solution running a KMIP
-server. Requires \fBenableEncryption\fP to be true.
-.sp
-When connecting to the KMIP server, the \fI\%mongod\fP
-verifies that the specified \fI\%\-\-kmipServerName\fP matches the Subject Alternative
-Name \fBSAN\fP (or, if \fBSAN\fP is not present, the Common Name \fBCN\fP)
-in the certificate presented by the KMIP server. If \fBSAN\fP is
-present, \fI\%mongod\fP does not match against the \fBCN\fP\&. If
-the hostname does not match the \fBSAN\fP (or \fBCN\fP), the
-\fI\%mongod\fP will fail to connect.
+Hostname or IP address of the KMIP server to connect to. Requires
+\fI\%\-\-enableEncryption\fP to be true.
+.sp
+Starting in MongoDB 4.2.1 (and 4.0.14), you can specify multiple KMIP
+servers as a comma\-separated list, e.g.
+\fBserver1.example.com,server2.example.com\fP\&. On startup, the
+\fI\%mongod\fP will attempt to establish a connection to each
+server in the order listed, and will select the first server to
+which it can successfully establish a connection. KMIP server
+selection occurs only at startup.
+.sp
+When connecting to a KMIP server, the \fI\%mongod\fP
+verifies that the specified \fI\%\-\-kmipServerName\fP matches the
+Subject Alternative Name \fBSAN\fP (or, if \fBSAN\fP is not present, the
+Common Name \fBCN\fP) in the certificate presented by the KMIP server.
+If \fBSAN\fP is present, \fI\%mongod\fP does not match against
+the \fBCN\fP\&. If the hostname does not match the \fBSAN\fP (or \fBCN\fP),
+the \fI\%mongod\fP will fail to connect.
.sp
Starting in MongoDB 4.2, when performing comparison of SAN, MongoDB
supports comparison of DNS names or IP addresses. In previous versions,
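Review bot: With a comma-separated list now allowed, the hostname-verification paragraph still says mongod verifies that "the specified \-\-kmipServerName" matches the SAN or CN. Suggest stating that the check is made against the individual list entry being connected to, and whether an entry that fails verification causes mongod to move on to the next server or to abort. "KMIP server selection occurs only at startup" also leaves open what happens if the selected server becomes unreachable later.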
@@ -3818,9 +4183,55 @@ Available in MongoDB Enterprise only.
New in version 3.2.
.sp
-Port number the KMIP server is listening on. Requires that a
-\fBkmipServerName\fP be provided. Requires
-\fBenableEncryption\fP to be true.
+Port number to use to communicate with the KMIP server.
+Requires \fI\%\-\-kmipServerName\fP\&. Requires
+\fI\%\-\-enableEncryption\fP to be true.
+.sp
+If specifying multiple KMIP servers with \fI\%\-\-kmipServerName\fP,
+the \fI\%mongod\fP will use the port specified with
+\fI\%\-\-kmipPort\fP for all provided KMIP servers.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-kmipConnectRetries <number>
+\fIDefault\fP: 0
+.sp
+New in version 4.4.
+
+.sp
+How many times to retry the initial connection to the KMIP server.
+Use together with \fI\%\-\-kmipConnectTimeoutMS\fP to
+control how long the \fI\%mongod\fP waits for a response
+between each retry.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-kmipConnectTimeoutMS <number>
+\fIDefault\fP: 5000
+.sp
+New in version 4.4.
+
+.sp
+Timeout in milliseconds to wait for a response from the KMIP server.
+If the \fI\%\-\-kmipConnectRetries\fP setting is specified,
+the \fI\%mongod\fP will wait up to the value specified with
+\fI\%\-\-kmipConnectTimeoutMS\fP for each retry.
+.sp
+Value must be \fB1000\fP or greater.
.INDENT 7.0
.INDENT 3.5
.IP "Enterprise Feature"
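Review bot: \-\-kmipConnectRetries does not say how it interacts with the multi-server list added to \-\-kmipServerName: whether the retry count applies to each listed server or to the list as a whole. The phrase "waits for a response between each retry" also reads as a delay between attempts, while \-\-kmipConnectTimeoutMS describes a per-attempt response timeout; "for each attempt" would match. The \-\-kmipPort text could note that servers listening on different ports cannot be mixed in one list, since a single port is applied to all of them.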
@@ -3971,6 +4382,6 @@ Available in MongoDB Enterprise only.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2019
+2008-2020
.\" Generated by docutils manpage writer.
.
diff --git a/debian/mongodb-parameters.5 b/debian/mongodb-parameters.5
index f4bc67dc5cd..14cc41b7eb3 100644
--- a/debian/mongodb-parameters.5
+++ b/debian/mongodb-parameters.5
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGODB-PARAMETERS" "5" "Aug 16, 2019" "4.2" "mongodb-manual"
+.TH "MONGODB-PARAMETERS" "5" "Jun 23, 2020" "4.4" "mongodb-manual"
.SH NAME
mongodb-parameters \- MongoDB setParameter Options
.
@@ -198,9 +198,6 @@ mongod \-\-setParameter authenticationMechanisms=PLAIN,SCRAM\-SHA\-256 \-\-auth
.INDENT 0.0
.TP
.B clusterAuthMode
-New in version 2.6.
-
-.sp
Available for both \fBmongod\fP and \fBmongos\fP\&.
.sp
Set the \fBclusterAuthMode\fP to either \fBsendX509\fP or
@@ -257,12 +254,15 @@ start\-up, and cannot change this setting with the
.INDENT 0.0
.TP
.B ldapUserCacheInvalidationInterval
-For use with MongoDB servers using security\-ldap\-external\&.
+For use with MongoDB deployments using
+security\-ldap\-external\&. Available for \fBmongod\fP
+instances only.
.sp
-The interval (in seconds) MongoDB waits
-between external user cache flushes. After MongoDB flushes the external
-user cache, the next operation an LDAP\-authorized user, MongoDB
-reacquires authorization data from the LDAP server.
+The interval (in seconds) that the \fBmongod\fP instance
+waits between external user cache flushes. After MongoDB flushes the
+external user cache, MongoDB
+reacquires authorization data from the LDAP server the
+next time an LDAP\-authorized user issues an operation.
.sp
Increasing the value specified increases the amount of time
MongoDB and the LDAP server can be out of sync, but reduces the load on
@@ -274,6 +274,201 @@ Defaults to 30 seconds.
.UNINDENT
.INDENT 0.0
.TP
+.B ldapUseConnectionPool
+New in version 4.0.9.
+
+.sp
+Specifies whether MongoDB should use connection pooling when
+connecting to the LDAP server for authentication/authorization.
+.sp
+\fBStarting in version 4.2\fP, MongoDB uses the following default values:
+.INDENT 7.0
+.IP \(bu 2
+true on Windows.
+.IP \(bu 2
+true on Linux where MongoDB Enterprise binaries are linked against
+\fBlibldap_r\fP\&.
+.IP \(bu 2
+false on Linux where MongoDB Enterprise binaries are linked against
+\fBlibldap\fP\&.
+.UNINDENT
+.sp
+\fBIn earlier versions (versions 4.0.9+)\fP, the default value is
+\fBfalse\fP\&.
+.sp
+You can only set \fI\%ldapUseConnectionPool\fP during
+start\-up, and cannot change this setting with the
+\fBsetParameter\fP database command.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ldapConnectionPoolUseLatencyForHostPriority
+\fINew in version 4.2.1 and 4.0.13\fP
+.sp
+\fIDefault\fP: true
+.sp
+A boolean that determines whether the LDAP connection pool (see
+\fI\%ldapUseConnectionPool\fP) should use latency of the LDAP
+servers to determine the connection order (from lowest latency to
+highest).
+.sp
+You can only set
+\fI\%ldapConnectionPoolUseLatencyForHostPriority\fP during
+start\-up, and cannot change this setting during runtime with the
+\fBsetParameter\fP database command.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ldapConnectionPoolMinimumConnectionsPerHost
+\fINew in version 4.2.1 and 4.0.13\fP
+.sp
+\fIDefault\fP: 1
+.sp
+The minimum number of connections to keep open to each LDAP server.
+.sp
+You can only set
+\fI\%ldapConnectionPoolMinimumConnectionsPerHost\fP during
+start\-up, and cannot change this setting during runtime with the
+\fBsetParameter\fP database command.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ldapConnectionPoolMaximumConnectionsPerHost
+\fINew in version 4.2.1 and 4.0.13\fP
+.sp
+\fIChanged in version 4.4\fP Changed default value to \fB2\fP\&. In previous
+versions, the default is unset.
+.sp
+\fIDefault\fP: 2
+.sp
+The maximum number of connections to keep open to each LDAP server.
+.sp
+You can only set
+\fI\%ldapConnectionPoolMaximumConnectionsPerHost\fP during
+start\-up, and cannot change this setting during runtime with the
+\fBsetParameter\fP database command.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ldapConnectionPoolMaximumConnectionsInProgressPerHost
+\fINew in version 4.2.1 and 4.0.13\fP
+.sp
+The maximum number of in\-progress connect operations to each LDAP server.
+.sp
+You can only set
+\fI\%ldapConnectionPoolMaximumConnectionsInProgressPerHost\fP
+during start\-up, and cannot change this setting with the
+\fBsetParameter\fP database command.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ldapConnectionPoolHostRefreshIntervalMillis
+\fINew in version 4.2.1 and 4.0.13\fP
+.sp
+\fIDefault\fP: 60000
+.sp
+The number of milliseconds in\-between health checks of the pooled
+LDAP connections.
+.sp
+You can only set
+\fI\%ldapConnectionPoolHostRefreshIntervalMillis\fP during
+start\-up, and cannot change this setting with the
+\fBsetParameter\fP database command.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ldapConnectionPoolIdleHostTimeoutSecs
+\fINew in version 4.2.1 and 4.0.13\fP
+.sp
+\fIDefault\fP: 300
+.sp
+The maximum number of seconds that the pooled connections to an LDAP
+server can remain idle before being closed.
+.sp
+You can only set
+\fI\%ldapConnectionPoolIdleHostTimeoutSecs\fP during
+start\-up, and cannot change this setting with the
+\fBsetParameter\fP database command.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ocspEnabled
+New in version 4.4: Available on Linux and macOS.
+
+.sp
+\fIDefault\fP: true
+.sp
+The flag that enables or disables OCSP.
+.sp
+You can only set \fI\%ocspEnabled\fP during startup in the
+\fBconfiguration file\fP or with the
+\fB\-\-setParameter\fP option on the command line. For example, the
+following disables OCSP:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter ocspEnabled=false ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fI\%ocspValidationRefreshPeriodSecs\fP
+.IP \(bu 2
+\fI\%tlsOCSPStaplingTimeoutSecs\fP
+.IP \(bu 2
+\fI\%tlsOCSPVerifyTimeoutSecs\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ocspValidationRefreshPeriodSecs
+New in version 4.4: Available on Linux.
+
+.sp
+The number of seconds to wait before refreshing the stapled OCSP
+status response. Specify a number greater than or equal to 1.
+.sp
+You can only set \fI\%ocspValidationRefreshPeriodSecs\fP during
+startup in the \fBconfiguration file\fP or with
+the \fB\-\-setParameter\fP option on the command line. For example, the
+following sets the parameter to 3600 seconds:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter ocspValidationRefreshPeriodSecs=3600 ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fI\%ocspEnabled\fP
+.IP \(bu 2
+\fI\%tlsOCSPStaplingTimeoutSecs\fP
+.IP \(bu 2
+\fI\%tlsOCSPVerifyTimeoutSecs\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
.B opensslCipherConfig
New in version 3.6.
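Review bot: ldapConnectionPoolMaximumConnectionsInProgressPerHost and ocspValidationRefreshPeriodSecs are added without a Default line, while every sibling parameter in this hunk (for example ldapConnectionPoolMinimumConnectionsPerHost with "Default: 1" and ocspEnabled with "Default: true") states one. Suggest adding the defaults, or saying explicitly that the value is unset. The version line is also formatted two ways in the new entries: plain "New in version 4.0.9." for ldapUseConnectionPool and italic "New in version 4.2.1 and 4.0.13" with no trailing period for the pool parameters.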
@@ -300,7 +495,7 @@ the \fBSSL\fP options.
.sp
.nf
.ft C
-mongod \-\-setParameter opensslCipherConfig=HIGH:!EXPORT:!aNULL@STRENGTH \-\-tlsMode requireTLS \-\-tlsCertificateKeyFile Certs/server.pem
+mongod \-\-setParameter opensslCipherConfig=\(aqHIGH:!EXPORT:!aNULL@STRENGTH\(aq \-\-tlsMode requireTLS \-\-tlsCertificateKeyFile Certs/server.pem
.ft P
.fi
.UNINDENT
@@ -312,7 +507,59 @@ For versions 4.0 and earlier:
.sp
.nf
.ft C
-mongod \-\-setParameter opensslCipherConfig=HIGH:!EXPORT:!aNULL@STRENGTH \-\-sslMode requireSSL \-\-sslPEMKeyFile Certs/server.pem
+mongod \-\-setParameter opensslCipherConfig=\(aqHIGH:!EXPORT:!aNULL@STRENGTH\(aq \-\-sslMode requireSSL \-\-sslPEMKeyFile Certs/server.pem
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B opensslDiffieHellmanParameters
+New in version 3.6.
+
+.sp
+\fIAvailable on Linux only\fP
+.sp
+Specify the path to the PEM file that contains the OpenSSL
+Diffie\-Hellman parameters. Specifying the OpenSSL Diffie\-Hellman
+parameters enables support for dhe cipher suites during
+TLS/SSL encryption.
+.sp
+Ephemeral Diffie\-Hellman (DHE) cipher suites (and Ephemeral Elliptic
+Curve Diffie\-Hellman (ECDHE) cipher suites) provide
+tls\-forward\-secrecy\&. tls\-forward\-secrecy cipher suites
+create an ephemeral session key that is protected by the server\(aqs
+private key but never transmitted. This ensures that even if a
+server\(aqs private key is compromised, you cannot decrypt past
+sessions with the compromised key.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.2, if
+\fI\%opensslDiffieHellmanParameters\fP is unset but
+ECDHE is enabled, MongoDB enables DHE using
+\fBffdhe3072\fP Diffie\-Hellman parameter, as defined in
+\fI\%RFC 7919#appendix\-A.2\fP\&. The \fBffdhe3072\fP is a strong parameter
+(i.e. size is greater than 1024). Strong parameters are not
+supported with Java 6 and 7 unless extended support has been
+purchased from Oracle.
+.UNINDENT
+.UNINDENT
+.sp
+You can only set \fI\%opensslDiffieHellmanParameters\fP during
+startup, and cannot change this setting using the
+\fBsetParameter\fP database command.
+.sp
+If for performance reasons, you need to disable support for DHE
+cipher suites, use the \fI\%opensslCipherConfig\fP parameter:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter opensslCipherConfig=\(aqHIGH:!EXPORT:!aNULL:!DHE:!kDHE@STRENGTH\(aq ...
.ft P
.fi
.UNINDENT
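Review bot: The closing example disables DHE with "!DHE:!kDHE", but the entry does not say whether ECDHE suites stay enabled with that string. The preceding paragraph presents DHE and ECDHE together as the suites that provide forward secrecy, so a reader may conclude the example turns forward secrecy off; one sentence on what remains would settle it. Smaller points in the same entry: "dhe cipher suites" should be "DHE", and "tls\-forward\-secrecy" appears twice as a raw reference label rather than as "forward secrecy".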
@@ -355,9 +602,16 @@ database command.
.INDENT 7.0
.INDENT 3.5
\fI\%saslHostName\fP supports Kerberos authentication and is
-only included in MongoDB Enterprise. For Linux systems, see
+only included in MongoDB Enterprise. For more information, see the
+following:
+.INDENT 0.0
+.IP \(bu 2
+Linux:
/tutorial/control\-access\-to\-mongodb\-with\-kerberos\-authentication
-for more information.
+.IP \(bu 2
+Windows:
+/tutorial/control\-access\-to\-mongodb\-windows\-with\-kerberos\-authentication
+.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
@@ -388,9 +642,6 @@ Ensure that your driver supports alternate service names.
.INDENT 0.0
.TP
.B scramIterationCount
-New in version 3.0.0.
-
-.sp
\fIDefault\fP: \fB10000\fP
.sp
Available for both \fBmongod\fP and \fBmongos\fP\&.
@@ -508,9 +759,6 @@ db.adminCommand( { setParameter: 1, scramSHA256IterationCount: 20000 } )
.INDENT 0.0
.TP
.B sslMode
-New in version 2.6.
-
-.sp
Available for both \fBmongod\fP and \fBmongos\fP\&.
.sp
Set the \fBnet.ssl.mode\fP to either \fBpreferSSL\fP or
@@ -580,6 +828,95 @@ For more information about TLS/SSL and MongoDB, see
.UNINDENT
.INDENT 0.0
.TP
+.B tlsOCSPStaplingTimeoutSecs
+New in version 4.4: Available for Linux.
+
+.sp
+The maximum number of seconds the
+\fBmongod\fP/\fBmongos\fP instance should wait to
+receive the OCSP status response for its certificates.
+.sp
+Specify an integer greater than or equal to (\fB>=\fP) 1. If unset,
+\fI\%tlsOCSPStaplingTimeoutSecs\fP uses the
+\fI\%tlsOCSPVerifyTimeoutSecs\fP value.
+.sp
+You can only set \fI\%tlsOCSPStaplingTimeoutSecs\fP during
+startup in the \fBconfiguration file\fP or with
+the \fB\-\-setParameter\fP option on the command line. For example, the
+following sets the \fI\%tlsOCSPStaplingTimeoutSecs\fP to 20
+seconds:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter tlsOCSPStaplingTimeoutSecs=20 ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fI\%ocspEnabled\fP
+.IP \(bu 2
+\fI\%ocspValidationRefreshPeriodSecs\fP
+.IP \(bu 2
+\fI\%tlsOCSPVerifyTimeoutSecs\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tlsOCSPVerifyTimeoutSecs
+New in version 4.4: Available for Linux and Windows.
+
+.sp
+\fIDefault\fP: 5
+.sp
+The maximum number of seconds that the
+\fBmongod\fP/\fBmongos\fP should wait for the OCSP
+response when verifying client certificates.
+.sp
+Specify an integer greater than or equal to (\fB>=\fP) 1. Default is
+unlimited.
+.sp
+You can only set \fI\%tlsOCSPVerifyTimeoutSecs\fP during
+startup in the \fBconfiguration file\fP or with
+the \fB\-\-setParameter\fP option on the command line. For example, the
+following sets the \fI\%tlsOCSPVerifyTimeoutSecs\fP to 20
+seconds:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter tlsOCSPVerifyTimeoutSecs=20 ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fI\%ocspEnabled\fP
+.IP \(bu 2
+\fI\%ocspValidationRefreshPeriodSecs\fP
+.IP \(bu 2
+\fI\%tlsOCSPStaplingTimeoutSecs\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
.B tlsWithholdClientCertificate
\fIDefault\fP: false
.sp
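Review bot: tlsOCSPVerifyTimeoutSecs lists "Default: 5" and, two paragraphs later, "Default is unlimited." Only one of these can be correct, and the difference matters: a 5 second cap bounds how long client certificate verification can stall on an unresponsive OCSP responder, while unlimited does not. tlsOCSPStaplingTimeoutSecs falls back to this value when unset, so its effective default is ambiguous as well. The two entries also disagree with ocspEnabled on platform wording ("Available for Linux", "Available for Linux and Windows", "Available on Linux and macOS"); worth confirming each list.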
@@ -632,7 +969,7 @@ certificates. That is the member checks the presented certificates
against its
\fBnet.tls.clusterFile\fP/\fBnet.tls.certificateKeyFile\fP\&.
If the DN does not match, the member checks the presented
-certifcate against the \fI\%tlsX509ClusterAuthDNOverride\fP
+certificate against the \fI\%tlsX509ClusterAuthDNOverride\fP
value.
.sp
\fBNOTE:\fP
@@ -652,6 +989,51 @@ x509\-member\-certificate\-requirements for details.
.UNINDENT
.INDENT 0.0
.TP
+.B tlsX509ExpirationWarningThresholdDays
+New in version 4.4.
+
+.sp
+\fIDefault\fP : 30
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Starting in MongoDB 4.4, \fBmongod\fP/\fBmongos\fP
+logs a warning on connection if the presented x.509 certificate
+expires within \fB30\fP days of the \fBmongod/mongos\fP system clock.
+Use the \fI\%tlsX509ExpirationWarningThresholdDays\fP parameter
+to control the certificate expiration warning threshold:
+.INDENT 7.0
+.IP \(bu 2
+Increase the parameter value to trigger warnings farther ahead of
+the certificate expiration date.
+.IP \(bu 2
+Decrease the parameter value to trigger warnings closer to the
+certificate expiration date.
+.IP \(bu 2
+Set the parameter to \fB0\fP to disable the warning.
+.UNINDENT
+.sp
+This parameter has a minimum value of \fB0\fP\&.
+.sp
+You can only set \fI\%tlsX509ExpirationWarningThresholdDays\fP
+during \fBmongod/mongos\fP startup using either:
+.INDENT 7.0
+.IP \(bu 2
+The \fBsetParameter\fP configuration setting, \fIor\fP
+.IP \(bu 2
+The \fBmongod \-\-setParameter\fP /
+\fBmongos \-\-setParameter\fP command
+line option.
+.UNINDENT
+.sp
+See 4.4\-rel\-notes\-certificate\-expiration\-warning for more
+information on x.509 expiration warnings in MongoDB 4.4.
+.sp
+For more information on x.509 certificate validity, see \fI\%RFC 5280
+4.1.2.5\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
.B sslWithholdClientCertificate
\fIDefault\fP: false
.sp
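Review bot: in the tlsX509ExpirationWarningThresholdDays description, "expires within 30 days of the mongod/mongos system clock" hard-codes the value that this parameter makes configurable. Word it as the configured threshold (30 days by default), so the sentence stays true when the parameter is changed. The label also reads "Default : 30" with a space before the colon, unlike the other entries in this file.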
@@ -691,11 +1073,6 @@ clears the cache. If there are no changes to user objects,
.sp
This parameter has a minimum value of \fB1\fP second and a maximum
value of \fB86400\fP seconds (24 hours).
-.sp
-Changed in version 3.0: Default value has changed to \fB30\fP seconds, and the minimum
-value allowed has changed to \fB1\fP second. \fBmongos\fP
-only clears the user cache if there are changes.
-
.UNINDENT
.INDENT 0.0
.TP
@@ -743,9 +1120,6 @@ startup in the config file or on the command line.
.INDENT 0.0
.TP
.B connPoolMaxShardedConnsPerHost
-New in version 2.6.
-
-.sp
\fIDefault\fP: 200
.sp
Available for both \fBmongod\fP and \fBmongos\fP\&.
@@ -850,9 +1224,6 @@ mongos \-\-setParameter shardedConnPoolIdleTimeoutMinutes=10
.INDENT 0.0
.TP
.B connPoolMaxConnsPerHost
-New in version 2.6.
-
-.sp
\fIDefault\fP: 200
.sp
Available for both \fBmongod\fP and \fBmongos\fP\&.
@@ -959,9 +1330,6 @@ mongos \-\-setParameter globalConnPoolIdleTimeoutMinutes=10
.INDENT 0.0
.TP
.B cursorTimeoutMillis
-New in version 3.0.2.
-
-.sp
\fIDefault\fP: 600000 (i.e. 10 minutes)
.sp
Available for both \fBmongod\fP and \fBmongos\fP\&.
@@ -1006,22 +1374,28 @@ timeout period.
.INDENT 0.0
.TP
.B failIndexKeyTooLong
-Available for \fBmongod\fP only.
+\fIRemoved in 4.4\fP
.sp
+\fBIMPORTANT:\fP
.INDENT 7.0
-Changed in version 4.2: .IP \(bu 2
-MongoDB removes the \fBIndex Key Limit\fP for
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fBMongoDB 4.4\fP \fIremoves\fP the deprecated
+\fI\%failIndexKeyTooLong\fP parameter. Attempting to use
+this parameter with MongoDB 4.4 will result in an error.
+.IP \(bu 2
+\fBMongoDB 4.2\fP \fIdeprecates\fP the
+\fI\%failIndexKeyTooLong\fP parameter and \fIremoves\fP the
+\fBIndex Key Length Limit\fP for
featureCompatibilityVersion (fCV) set to
\fB"4.2"\fP or greater.
-.IP \(bu 2
-In concert with the removal of the limit,
-\fBfailIndexTooLong\fP only applies for MongoDB 2.6
-through MongoDB versions with featureCompatibilityVersion (fCV) set to \fB"4.0"\fP or earlier.
.UNINDENT
-
+.UNINDENT
+.UNINDENT
.sp
For MongoDB 2.6 through MongoDB versions with
-\fBfeatureCompatibilityVersion\fP (fCV) set to \fB"4.0"\fP or earlier,
+featureCompatibilityVersion (fCV) set to \fB"4.0"\fP or earlier,
\fBIndex Key Length Limit\fP applies. If you
attempt to insert or update a document whose index field exceeds
the \fBIndex Key Length Limit\fP, the operation
@@ -1032,9 +1406,6 @@ existing data set and want to disable this behavior so you can
upgrade and then gradually resolve these indexing issues, you can
use \fI\%failIndexKeyTooLong\fP to disable this behavior.
.sp
-\fBIMPORTANT:\fP
-.INDENT 7.0
-.INDENT 3.5
Setting \fI\%failIndexKeyTooLong\fP to \fBfalse\fP is
a temporary workaround, not a permanent solution to the
problem of oversized index keys. With
@@ -1042,8 +1413,6 @@ problem of oversized index keys. With
return incomplete results if they use indexes that skip over
documents whose indexed fields exceed the
\fBIndex Key Length Limit\fP\&.
-.UNINDENT
-.UNINDENT
.sp
\fI\%failIndexKeyTooLong\fP defaults to \fBtrue\fP\&.
.sp
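Review bot: removing the two .UNINDENT lines here, together with the IMPORTANT opener dropped in the preceding hunk, demotes the caveat that queries "return incomplete results if they use indexes that skip over documents" to an ordinary paragraph. That caveat concerns data correctness and should keep its admonition. The retained line "failIndexKeyTooLong defaults to true" also still reads in the present tense although the entry is now headed "Removed in 4.4"; scope it to the versions where the parameter exists.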
@@ -1103,7 +1472,7 @@ To detect unindexed queries without \fBnotablescan\fP, consider reading
the /tutorial/evaluate\-operation\-performance and
/tutorial/optimize\-query\-performance\-with\-indexes\-and\-projections
sections and using the \fI\%logLevel\fP parameter,
-the mongostat tool, and profiling\&.
+/reference/program/mongostat and profiling\&.
.sp
Don\(aqt run production \fBmongod\fP instances with
\fI\%notablescan\fP because preventing collection scans can potentially
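Review bot: the replacement line "/reference/program/mongostat and profiling" puts a raw documentation source path into the rendered man page where the old text read "the mongostat tool". A reader of the man page cannot follow that path, so keep the readable name, or emit it as a resolved reference like the logLevel link on the line above.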
@@ -1147,6 +1516,164 @@ mongod \-\-setParameter ttlMonitorEnabled=false
.UNINDENT
.INDENT 0.0
.TP
+.B tcpFastOpenServer
+New in version 4.4.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+\fIDefault\fP: \fBtrue\fP
+.sp
+Enables support for accepting inbound TCP Fast Open (TFO) connections
+to the \fBmongod/mongos\fP from a client. TFO requires both the
+client and \fBmongod/mongos\fP host machine support and enable
+TFO:
+.INDENT 7.0
+.TP
+.B Windows
+The following Windows operating systems support TFO:
+.INDENT 7.0
+.IP \(bu 2
+Microsoft Windows Server 2016 and later.
+.IP \(bu 2
+Microsoft Windows 10 Update 1607 and later.
+.UNINDENT
+.TP
+.B macOS
+macOS 10.11 (El Capitan) and later support TFO.
+.TP
+.B Linux
+Linux operating systems running Linux Kernel 3.7 or later
+can support inbound TFO.
+.sp
+Set the value of \fB/proc/sys/net/ipv4/tcp_fastopen\fP to
+enable inbound TFO connections:
+.INDENT 7.0
+.IP \(bu 2
+Set to \fB2\fP to enable only inbound TFO connections.
+.IP \(bu 2
+Set to \fB3\fP to enable inbound and outbound TFO connections.
+.UNINDENT
+.UNINDENT
+.sp
+This parameter has no effect if the host operating system does not
+support \fIor\fP is not configured to support TFO connections.
+.sp
+You can only set this parameter on startup, using either the
+\fBsetParameter\fP configuration file setting or the
+\fB\-\-setParameter\fP command line option.
+.sp
+See 4.4\-rel\-notes\-tcp\-fast\-open for more information on
+MongoDB TFO support.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%RFC7413\fP\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tcpFastOpenClient
+New in version 4.4.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+\fIDefault\fP: \fBtrue\fP
+.sp
+\fILinux Operating System Only\fP
+.sp
+Enables support for outbound TCP Fast Open (TFO) connections from the
+\fBmongod/mongos\fP to a client. TFO requires both the client
+and the \fBmongod/mongos\fP host machine support and enable TFO.
+.sp
+Linux operating systems running Linux Kernel 4.11 or later can
+support outbound TFO.
+.sp
+Set the value of \fB/proc/sys/net/ipv4/tcp_fastopen\fP to enable
+outbound TFO connections:
+.INDENT 7.0
+.IP \(bu 2
+\fB1\fP to enable only outbound TFO connections.
+.IP \(bu 2
+\fB3\fP to enable inbound and outbound TFO connections.
+.UNINDENT
+.sp
+This parameter has no effect if the host operating system does not
+support \fIor\fP is not configured to support TFO connections.
+.sp
+You can only set this parameter on startup, using either the
+\fBsetParameter\fP configuration file setting or the
+\fB\-\-setParameter\fP command line option.
+.sp
+See 4.4\-rel\-notes\-tcp\-fast\-open for more information on
+MongoDB TFO support.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%RFC7413\fP\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tcpFastOpenQueueSize
+New in version 4.4.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+\fIDefault\fP: \fB1024\fP
+.sp
+As part of establishing a TCP Fast Open (TFO) connection, the client
+submits a valid TFO cookie to the \fBmongod/mongos\fP \fIbefore\fP
+completion of the standard TCP 3\-way handshake. The
+\fBmongod/mongos\fP keeps a queue of all such pending TFO connections.
+.sp
+The \fBtcpFastOpenQueueSize\fP parameter sets the size of the queue of
+pending TFO connections. While the queue is full, the
+\fBmongod/mongos\fP falls back to the normal three\-way handshake for
+incoming client requests and ignores the presence of TFO cookies.
+Once the queue size falls back below the limit, the \fBmongod/mongos\fP
+begins accepting new TFO cookies.
+.INDENT 7.0
+.IP \(bu 2
+Increasing the default queue size may improve the effect of
+TFO on network performance. However, large queue sizes also
+increase the risk of server resource exhaustion due to excessive
+incoming TFO requests.
+.IP \(bu 2
+Decreasing the default queue size may reduce the risk of resource
+server resource exhaustion due to excessive incoming TFO requests.
+However, small queue sizes may also reduce the effect of TFO on
+network performance.
+.sp
+The minimum queue size is \fB0\fP\&. A queue of \fB0\fP effectively
+disables TFO.
+.UNINDENT
+.sp
+This parameter has no effect on host operating systems that do
+not support or are not configured for TFO connections. See
+4.4\-rel\-notes\-tcp\-fast\-open for more information on
+MongoDB TFO support.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fI\%RFC7413 TCP Fast Open Section 5: Security Considerations\fP
+.IP \(bu 2
+\fI\%RFC7413 TCP Fast Open Section 6: TFO Applicability\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
.B disableJavaScriptJIT
Changed in version 4.0: The JavaScript engine\(aqs JIT compiler is now disabled by default.
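Review bot: the tcpFastOpenQueueSize entry never says when the parameter can be set, while tcpFastOpenServer and tcpFastOpenClient both state "You can only set this parameter on startup". Since the entry itself ties queue size to "the risk of server resource exhaustion", an operator needs to know whether it can be lowered on a running process. In the same entry, "may reduce the risk of resource server resource exhaustion" repeats a word, and the paragraph "The minimum queue size is 0" sits before the .UNINDENT, so it renders as part of the second bullet rather than as a statement about the parameter. In tcpFastOpenClient, "outbound ... connections from the mongod/mongos to a client" is confusing for an outbound connection and should name what the server is connecting to.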
@@ -1197,7 +1724,13 @@ mongod \-\-setParameter disableJavaScriptJIT=false
New in version 3.4.
.sp
-\fIDefault\fP: 500
+\fIDefault\fP:
+.INDENT 7.0
+.IP \(bu 2
+200 (For versions 4.2.3 and later)
+.IP \(bu 2
+500 (For versions 4.2.2 and earlier)
+.UNINDENT
.sp
Limits the amount of memory that simultaneous index
builds on one collection may consume for the duration of the
@@ -1314,7 +1847,7 @@ The directory of \fB\-\-logpath\fP file
The directory of \fB\-\-auditPath\fP file
.UNINDENT
.sp
-Valid values for \fBwatchdobgPeriodSeconds\fP are:
+Valid values for \fI\%watchdogPeriodSeconds\fP are:
.INDENT 7.0
.IP \(bu 2
\fB\-1\fP (the default), to disable/pause Storage Node Watchdog, or
@@ -1399,6 +1932,54 @@ startup time.
.UNINDENT
.UNINDENT
.UNINDENT
+.INDENT 0.0
+.TP
+.B tcmallocReleaseRate
+New in version 4.2.3: \fIAlso available in 3.6.17+ and 4.0.14+\fP
+
+.sp
+Default: 1.0
+.sp
+Specifies the tcmalloc release rate (\fI\%TCMALLOC_RELEASE_RATE\fP).
+Per \fI\%https://gperftools.github.io/gperftools/tcmalloc.html#runtime\fP
+TCMALLOC_RELEASE_RATE is described as:
+.INDENT 7.0
+.INDENT 3.5
+Rate at which we release unused memory to the system, via
+madvise(MADV_DONTNEED), on systems that support it. Zero means we
+never release memory back to the system. Increase this flag to
+return memory faster; decrease it to return memory slower.
+Reasonable rates are in the range [0,10].
+\(em \fI\%https://gperftools.github.io/gperftools/tcmalloc.html#runtime\fP
+.UNINDENT
+.UNINDENT
+.sp
+To modify the release rate during runtime, you can use the
+\fBsetParameter\fP command; for example:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, tcmallocReleaseRate: 5.0 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can also set \fI\%tcmallocReleaseRate\fP at startup time;
+for example:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter "tcmallocReleaseRate=5.0"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
.SS Logging Parameters
.INDENT 0.0
.TP
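Review bot: the tcmallocReleaseRate entry uses a bare "Default: 1.0" label and has no Type or "Available for" line, unlike the neighbouring entries that use the italic Default label and state mongod/mongos availability. The quoted text says "Reasonable rates are in the range [0,10]" but the entry does not say whether values outside that range are rejected; state the accepted range explicitly. The gperftools URL is also printed twice, once in the introduction and once as the attribution.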
@@ -1430,7 +2011,7 @@ db.adminCommand( { setParameter: 1, logLevel: 2 } )
.IP \(bu 2
\fI\%logComponentVerbosity\fP
.IP \(bu 2
-\fBverbosity\fP
+\fBsystemLog.verbosity\fP
.UNINDENT
.UNINDENT
.UNINDENT
@@ -1443,9 +2024,6 @@ versions, MongoDB log messages only specified \fBD\fP for Debug level.
.INDENT 0.0
.TP
.B logComponentVerbosity
-New in version 3.0.0.
-
-.sp
Available for both \fBmongod\fP and \fBmongos\fP\&.
.sp
Sets the verbosity levels of various components for log messages\&. The verbosity level determines the
@@ -1627,15 +2205,37 @@ New in version 3.4.
.sp
Available for both \fBmongod\fP and \fBmongos\fP\&.
.sp
-\fIType\fP: integer
+\fIType\fP: non\-negative integer
.sp
\fIDefault\fP: 10
.sp
-Specifies the maximum size, in kilobytes, for a log line. Lines exceeding
-this limit print only the beginning and end of the line, excising the middle
-portion.
+Specifies the maxium size, in kilobytes, for an individual
+attribute field in a log entry; attributes exceeding this limit are
+truncated.
+.sp
+Truncated attribute fields print field content up to the
+\fI\%maxLogSizeKB\fP limit and excise field content past that
+limit, retaining valid JSON formating. Log entires that contain
+truncated attributes append a \fBtruncated\fP object to the end of the
+log entry.
+.sp
+See log message truncation for more
+information.
.sp
-For example, the following sets the maximum size to \fB20\fP kilobytes:
+A value of \fB0\fP disables truncation entirely. Negative values for
+this parameter are not valid.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Using a large value, or disabling truncation with a value of
+\fB0\fP, may adversely affect system performance and negatively
+impact database operations.
+.UNINDENT
+.UNINDENT
+.sp
+The following example sets the maximum log line size to \fB20\fP
+kilobytes:
.INDENT 7.0
.INDENT 3.5
.sp
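Review bot: the new maxLogSizeKB text has three spelling errors ("maxium", "formating", "Log entires") and contradicts itself on scope. The description now says the limit applies to "an individual attribute field in a log entry", but the example lead-in still says it "sets the maximum log line size to 20 kilobytes". Use the attribute wording in both places so that readers sizing log storage or parsers do not assume a per-line cap.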
@@ -1646,14 +2246,6 @@ mongod \-\-setParameter maxLogSizeKB=20
.fi
.UNINDENT
.UNINDENT
-.sp
-\fBWARNING:\fP
-.INDENT 7.0
-.INDENT 3.5
-Using a large value for \fI\%maxLogSizeKB\fP may adversely affect
-system performance and negatively impact database operations.
-.UNINDENT
-.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -1692,7 +2284,56 @@ db.adminCommand( { setParameter: 1, quiet: 1 } )
\fBSEE ALSO:\fP
.INDENT 7.0
.INDENT 3.5
-\fBquiet\fP
+\fBsystemLog.quiet\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B redactClientLogData
+New in version 3.4.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+\fIType\fP: boolean
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.sp
+Configure the \fBmongod\fP or \fBmongos\fP to
+redact any message accompanying a given log event before logging.
+This prevents the program from writing potentially sensitive data
+stored on the database to the diagnostic log. Metadata such as error
+or operation codes, line numbers, and source file names are still
+visible in the logs.
+.sp
+Use \fI\%redactClientLogData\fP in conjunction with
+/core/security\-encryption\-at\-rest and
+/core/security\-transport\-encryption to assist compliance with
+regulatory requirements.
+.sp
+To enable log redaction on a running \fBmongod\fP or
+\fBmongos\fP, use the following command:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, redactClientLogData : true } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fBsecurity.redactClientLogData\fP
.UNINDENT
.UNINDENT
.UNINDENT
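Review bot: the redactClientLogData entry gives a Type but no Default, so a reader cannot tell from this page whether redaction is on or off unless configured. For a setting described as preventing "potentially sensitive data stored on the database" from reaching the diagnostic log, the default should be stated. The entry also shows only the runtime setParameter command while the SEE ALSO points at security.redactClientLogData; say whether it can be set at startup, as the other entries do.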
@@ -1776,10 +2417,10 @@ extension(s) and concatenating \fBdiagnostic.data\fP to the remaining
name.
.sp
For example, if \fBmongos\fP has \fB\-\-logpath
-/var/log/mongos.log.201708015\fP, then the diagnostic data directory is
-\fB/var/log/mongos.diagnostic.data/\fP directory. To specify a different
-diagnostic data directory for \fBmongos\fP, set the
-\fI\%diagnosticDataCollectionDirectoryPath\fP parameter.
+/var/log/mongodb/mongos.log.201708015\fP, then the diagnostic data
+directory is \fB/var/log/mongodb/mongos.diagnostic.data/\fP directory. To
+specify a different diagnostic data directory for \fBmongos\fP,
+set the \fI\%diagnosticDataCollectionDirectoryPath\fP parameter.
.sp
The following parameters support diagnostic data capture (FTDC):
.sp
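Review bot: the rewrapped sentence reads "then the diagnostic data directory is /var/log/mongodb/mongos.diagnostic.data/ directory", repeating "directory". The parallel sentence in the next hunk ends at the path, so drop the trailing word here to match.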
@@ -1841,8 +2482,8 @@ truncating the \fBmongos\fP instance\(aqs \fB\-\-logpath\fP or
\fBdiagnostic.data\fP\&.
.sp
For example, if \fBmongos\fP has \fB\-\-logpath
-/var/log/mongos.log.201708015\fP, then the diagnostic data directory is
-\fB/var/log/mongos.diagnostic.data/\fP\&.
+/var/log/mongodb/mongos.log.201708015\fP, then the diagnostic data
+directory is \fB/var/log/mongodb/mongos.diagnostic.data/\fP\&.
.sp
\fBIMPORTANT:\fP
.INDENT 7.0
@@ -2222,6 +2863,71 @@ disable warnings.
.UNINDENT
.INDENT 0.0
.TP
+.B initialSyncTransientErrorRetryPeriodSeconds
+New in version 4.4.
+
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 86400
+.sp
+The amount of time in seconds a secondary performing initial sync
+attempts to resume the process if interrupted by a transient
+network error. The default value is equivalent to 24 hours.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B initialSyncSourceReadPreference
+New in version 4.4.
+
+.sp
+\fIType\fP: String
+.sp
+Available for \fBmongod\fP only.
+.sp
+The preferred source for performing initial sync\&. Specify one of the following read
+preference modes:
+.INDENT 7.0
+.IP \(bu 2
+\fBprimary\fP
+.IP \(bu 2
+\fBprimaryPreferred\fP (Default for voting replica set members)
+.IP \(bu 2
+\fBsecondary\fP
+.IP \(bu 2
+\fBsecondaryPreferred\fP
+.IP \(bu 2
+\fBnearest\fP (Default for newly added \fIor\fP non\-voting replica set members)
+.UNINDENT
+.sp
+If the replica set has disabled \fBchaining\fP, the default
+\fI\%initialSyncSourceReadPreference\fP read preference mode
+is \fBprimary\fP\&.
+.sp
+You cannot specify a tag set or \fBmaxStalenessSeconds\fP to
+\fI\%initialSyncSourceReadPreference\fP\&.
+.sp
+If the \fBmongod\fP cannot find a sync source based on the
+specified read preference, it logs an error and restarts the initial
+sync process. The \fBmongod\fP exits with an error if it
+cannot complete the initial sync process after \fB10\fP attempts. For
+more information on sync source selection, see
+replica\-set\-initial\-sync\-source\-selection\&.
+.sp
+\fI\%initialSyncSourceReadPreference\fP takes precedence over
+the replica set\(aqs \fBsettings.chainingAllowed\fP setting when
+selecting an initial sync source. After a replica set member
+successfully completes initial sync, it defers to the value of
+\fBchainingAllowed\fP when selecting a replication sync
+source.
+.sp
+You can only set this parameter on startup, using either the
+\fBsetParameter\fP
+configuration file setting or the
+\fB\-\-setParameter\fP command line option.
+.UNINDENT
+.INDENT 0.0
+.TP
.B oplogInitialFindMaxSeconds
New in version 3.6.
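Review bot: initialSyncTransientErrorRetryPeriodSeconds has no "Available for" line and no statement of how it is set, whereas initialSyncSourceReadPreference directly below states both ("Available for mongod only", startup only). Add them for consistency. In initialSyncSourceReadPreference the default is spread over three places (primaryPreferred for voting members, nearest for newly added or non-voting members, primary when chaining is disabled); a single Default block listing the three cases in order of precedence would be easier to read.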
@@ -2256,9 +2962,6 @@ setting with the \fBsetParameter\fP command.
.INDENT 0.0
.TP
.B rollbackTimeLimitSecs
-Changed in version 4.2.
-
-.sp
\fIType\fP: 64\-bit integer
.sp
\fIDefault\fP: 86400 (1 day)
@@ -2266,13 +2969,13 @@ Changed in version 4.2.
Maximum age of data that can be rolled back. Negative values for
this parameter are not valid.
.sp
-Starting in MongoDB 4.2, if the time between the end of the
-to\-be\-rolledback instance\(aqs oplog and the first operation after the
-common point (the last point where the source node and the
+Starting in MongoDB 4.2+ and 4.0.13+, if the time between the end
+of the to\-be\-rolledback instance\(aqs oplog and the first operation
+after the common point (the last point where the source node and the
to\-be\-rolledback node had the same data) exceeds this value, the
rollback will fail.
.sp
-In MongoDB 4.0, if the time between the end of the to\-be\-rolledback
+In MongoDB 4.0.0\-4.0.12, if the time between the end of the to\-be\-rolledback
instance\(aqs oplog and the common point (the last point where the
source node and the to\-be\-rolledback node had the same data) exceeds
this value, the rollback will fail.
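Review bot: "Starting in MongoDB 4.2+ and 4.0.13+" doubles up "Starting in" with the plus suffixes. Use either "Starting in MongoDB 4.2 and 4.0.13" or "In MongoDB 4.2+ and 4.0.13+", matching the range style "4.0.0-4.0.12" used in the next paragraph.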
@@ -2446,6 +3149,118 @@ db.adminCommand( { setParameter: 1, replBatchLimitBytes: 64 * 1024 * 1024 } )
New in version 4.0.10.
.UNINDENT
+.INDENT 0.0
+.TP
+.B mirrorReads
+Available for \fBmongod\fP only.
+.sp
+\fINew in version 4.4\fP
+.sp
+\fIType\fP: Document
+.sp
+\fIDefault\fP: \fB{ samplingRate: 0.01, maxTimeMS: 1000 }\fP
+.sp
+Specifies the settings for mirrored reads
+for the \fBmongod\fP instance. The settings only take
+effect when the member is a primary.
+.sp
+The parameter \fI\%mirrorReads\fP takes a JSON document with
+the following fields:
+.TS
+center;
+|l|l|.
+_
+T{
+Field
+T} T{
+Description
+T}
+_
+T{
+\fBsamplingRate\fP
+T} T{
+The sampling rate used to mirror a subset of operations
+that support mirroring
+to a subset of electable (i.e. \fBpriority greater than
+0\fP) secondaries. That is, the primary
+mirrors reads to each electable secondary at the specified
+sampling rate.
+.sp
+Valid values are greater than or equal to \fB0.0\fP and less
+than or equal to \fB1.0\fP\&. Value of \fB0.0\fP turns off mirroring.
+.sp
+For example, given a replica set with a primary and two
+electable secondaries and a sampling rate of \fB0.10\fP, the
+primary mirrors reads to each electable secondary at the
+sampling rate of 10 percent such that one read may be
+mirrored to one secondary and not to the other or to both or
+to neither. That is, if the primary receives \fB100\fP
+operations that can be mirrored, the sampling rate of
+\fB0.10\fP may result in \fB8\fP reads being mirrored to one
+secondary and \fB13\fP reads to the other or \fB10\fP to each,
+etc.
+.sp
+The default value is \fB0.01\fP\&.
+T}
+_
+T{
+\fBmaxTimeMS\fP
+T} T{
+The maximum time in milliseconds for the mirrored reads. The
+default value is \fB1000\fP\&.
+.sp
+The \fBmaxTimeMS\fP for the mirrored reads is separate from the
+\fBmaxTimeMS\fP of the original read being mirrored.
+T}
+_
+.TE
+.sp
+You can set \fI\%mirrorReads\fP during startup in the
+\fBconfiguration file\fP or with the
+\fB\-\-setParameter\fP option on the command line. If specifying from
+the configuration file or on the command line, \fBenclose the\fP
+\fBmirrorReads\fP \fBdocument in quotes\fP\&.
+.sp
+For example, the following sets the mirror reads sampling rate to
+\fB0.10\fP from the command line:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter mirrorReads=\(aq{ samplingRate: 0.10 }\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Or, to specify in a configuration file:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+setParameter:
+ mirrorReads: \(aq{samplingRate: 0.10}\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Or if using the \fBsetParameter\fP command in a
+\fBmongo\fP shell connected to a running
+\fBmongod\fP, do \fBnot\fP enclose the document in quotes:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, mirrorReads: { samplingRate: 0.10 } } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
.SS Sharding Parameters
.sp
\fBNOTE:\fP
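Review bot: all three mirrorReads examples pass only samplingRate, for instance "mirrorReads: { samplingRate: 0.10 }", but the text never says what happens to maxTimeMS when it is omitted. State whether an omitted field keeps its current or default value, or show both fields in one example. The entry also marks its version as an italic "New in version 4.4" paragraph placed after the availability line, where the other new entries in this patch lead with a plain "New in version 4.4." line.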
@@ -2458,6 +3273,249 @@ enhancement controlled by the parameter.
.UNINDENT
.INDENT 0.0
.TP
+.B enableShardedIndexConsistencyCheck
+\fINew in version 4.4 (and 4.2.6).\fP
+.sp
+\fIType\fP: boolean
+.sp
+\fIDefault\fP: true
+.sp
+Available for \fBmongod\fP only.
+.sp
+If set on the config server\(aqs primary, enables or disables the index
+consistency check for sharded collections. The parameter has no
+effect on the \fBmongod\fP if it is not the config server\(aqs
+primary.
+.sp
+The following example sets
+\fI\%enableShardedIndexConsistencyCheck\fP to \fBfalse\fP for a
+config server primary:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter enableShardedIndexConsistencyCheck=false
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+During runtime, you can also set the parameter with the
+\fBsetParameter\fP command:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, enableShardedIndexConsistencyCheck: false } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fI\%shardedIndexConsistencyCheckIntervalMS\fP parameter
+.IP \(bu 2
+\fBshardedIndexConsistency\fP metrics returned by the
+\fBserverStatus\fP command.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B shardedIndexConsistencyCheckIntervalMS
+\fINew in version 4.4 (and 4.2.6).\fP
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 600000
+.sp
+Available for \fBmongod\fP only.
+.sp
+If set on the config server\(aqs primary, the interval, in
+milliseconds, at which the config server\(aqs primary checks the index
+consistency of sharded collections. The parameter has no effect on
+the \fBmongod\fP if it is not the config server\(aqs primary.
+.sp
+You can only set the parameter during startup, and cannot change
+this setting using the \fBsetParameter\fP database command.
+.sp
+For example, the following sets the interval at 300000 milliseconds
+(i.e. 5 minutes) at startup:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter shardedIndexConsistencyCheckIntervalMS=300000
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fI\%enableShardedIndexConsistencyCheck\fP parameter
+.IP \(bu 2
+\fBshardedIndexConsistency\fP metrics returned by the
+\fBserverStatus\fP commandq
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B maxTimeMSForHedgedReads
+New in version 4.4.
+
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 150
+.sp
+Available for \fBmongos\fP only.
+.sp
+Specifies the maximimum time limit (in milliseconds) for the
+hedged read\&. That is, the additional
+read sent to hedge the read operation uses the \fBmaxTimeMS\fP value
+of \fI\%maxTimeMSForHedgedReads\fP while the read operation
+that is being hedged uses the \fBmaxTimeMS\fP value specified for the
+operation.
+.sp
+For example, to set the limit to 200 milliseconds, you can issue the
+following during startup:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter maxTimeMSForHedgedReads=200
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Or if using the \fBsetParameter\fP command in a
+\fBmongo\fP shell connected to a running
+\fBmongos\fP:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, maxTimeMSForHedgedReads: 200 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fI\%readHedgingMode\fP
+.IP \(bu 2
+mongos\-hedged\-reads
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B readHedgingMode
+New in version 4.4.
+
+.sp
+\fIType\fP: string
+.sp
+\fIDefault\fP: on
+.sp
+Available for \fBmongos\fP only.
+.sp
+Specifies whether \fBmongos\fP supports hedged reads for
+those read operations whose read preference have enabled the hedged read option.
+.sp
+Available values are:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T} T{
+Description
+T}
+_
+T{
+\fBon\fP
+T} T{
+The \fBmongos\fP instance supports hedged reads for
+read operations whose read preference have enabled the hedged read option.
+T}
+_
+T{
+\fBoff\fP
+T} T{
+The \fBmongos\fP instance does not support hedged
+reads. That is, hedged reads are unavailable, even for read
+operations whose read preference have enabled the hedged read
+option.
+T}
+_
+.TE
+.sp
+For example, to turn off hedged read support for a
+\fBmongos\fP instance, you can issue the following during
+startup:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter readHedgingMode=off
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Or if using the \fBsetParameter\fP command in a
+\fBmongo\fP shell connected to a running
+\fBmongos\fP:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, readHedgingMode: "off" } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+mongos\-hedged\-reads
+.IP \(bu 2
+\fI\%maxTimeMSForHedgedReads\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
.B replMonitorMaxFailedChecks
\fIAvailable in MongoDB 3.2 only\fP
.sp
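Review bot: two typos in the added text. The SEE ALSO of shardedIndexConsistencyCheckIntervalMS ends "serverStatus commandq", and the maxTimeMSForHedgedReads description says "maximimum time limit". In readHedgingMode, "read operations whose read preference have enabled" should be "has enabled"; the phrase appears three times in the entry.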
@@ -2478,7 +3536,8 @@ replica set is the config server replica set:
.IP \(bu 2
For MongoDB 3.2.0\-3.2.9, the monitoring \fBmongod\fP or
\fBmongos\fP instance will become unusable and needs to be
-restarted. See the troubleshooting guide for more details.
+restarted. See the \fI\%v3.2 troubleshooting guide\fP
+for more details.
.IP \(bu 2
For MongoDB 3.2.10 and later 3.2\-series, see also
\fI\%timeOutMonitoringReplicaSets\fP\&.
@@ -2503,7 +3562,8 @@ If the monitored replica set is the config server replica set and
must restart \fBmongod\fP or \fBmongos\fP if the
\fBmongod\fP or \fBmongos\fP instance cannot reach any of
the config servers for the specified number of times. See the
-troubleshooting guide for more details.
+\fI\%v3.2 troubleshooting guide\fP
+for more details.
.UNINDENT
.INDENT 0.0
.TP
@@ -2629,7 +3689,7 @@ Type: integer
.sp
Default: 1
.sp
-Available for \fBmongos\fP only.
+Available for both \fBmongod\fP and \fBmongos\fP\&.
.sp
Minimum number of outbound connections each TaskExecutor connection
pool can open to any given \fBmongod\fP instance.
@@ -2640,6 +3700,22 @@ While the pool is idle, the pool maintains this number of
connections until \fI\%ShardingTaskExecutorPoolHostTimeoutMS\fP
milliseconds pass without any application using that pool.
.sp
+For a \fBmongos\fP using the
+\fI\%warmMinConnectionsInShardingTaskExecutorPoolOnStartup\fP
+parameter, the \fBShardingTaskExecutorPoolMinSize\fP parameter also
+controls how many connections to each shard host are established on
+startup of the \fBmongos\fP instance before it begins
+accepting incoming client connections.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+In MongoDB 4.4, the
+\fI\%warmMinConnectionsInShardingTaskExecutorPoolOnStartup\fP
+parameter is enabled by default for the \fBmongos\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
You can only set this parameter during start\-up and cannot change
this setting using the \fBsetParameter\fP database command.
.INDENT 7.0
@@ -2660,7 +3736,12 @@ pools, where \fBn\fP is the number of cores. See
\fBSEE ALSO:\fP
.INDENT 7.0
.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
\fI\%ShardingTaskExecutorPoolMaxSize\fP
+.IP \(bu 2
+\fI\%warmMinConnectionsInShardingTaskExecutorPoolOnStartup\fP
+.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
@@ -2891,6 +3972,124 @@ mongos \-\-setParameter taskExecutorPoolSize=6
.UNINDENT
.INDENT 0.0
.TP
+.B loadRoutingTableOnStartup
+New in version 4.4.
+
+.sp
+Type: boolean
+.sp
+\fIDefault\fP: true
+.sp
+Available for \fBmongos\fP only.
+.sp
+Configures a \fBmongos\fP instance to preload the routing
+table for a sharded cluster on startup. With this setting
+enabled, the \fBmongos\fP caches the cluster\-wide routing
+table for each sharded collection as part of its startup procedure,
+before it begins accepting client connections.
+.sp
+Without this setting enabled, the \fBmongos\fP only loads
+a routing table as needed for incoming client connections, and only
+loads the specific routing table for the namespace of a given
+request.
+.sp
+A \fBmongos\fP instance with the
+\fI\%loadRoutingTableOnStartup\fP parameter enabled may
+experience longer startup times, but will result in faster servicing
+of initial client connections once started.
+.sp
+\fI\%loadRoutingTableOnStartup\fP is enabled by default.
+.sp
+You can only set this parameter on startup, using either the
+\fBsetParameter\fP configuration file setting or the
+\fB\-\-setParameter\fP command line option.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B warmMinConnectionsInShardingTaskExecutorPoolOnStartup
+New in version 4.4.
+
+.sp
+Type: boolean
+.sp
+\fIDefault\fP: true
+.sp
+Available for \fBmongos\fP only.
+.sp
+Configures a \fBmongos\fP instance to prewarm its connection
+pool on startup. With this parameter enabled, the
+\fBmongos\fP attempts to establish
+\fI\%ShardingTaskExecutorPoolMinSize\fP network
+connections to each shard server as part of its startup procedure,
+before it begins accepting client connections.
+.sp
+A timeout for this behavior can be configured with the
+\fI\%warmMinConnectionsInShardingTaskExecutorPoolOnStartupWaitMS\fP
+parameter. If this timeout is reached, the \fBmongos\fP will
+begin accepting client connections regardless of the size of its
+connection pool.
+.sp
+A \fBmongos\fP instance with this parameter enabled may
+experience longer startup times, but will result in faster servicing
+of initial client connections once started.
+.sp
+\fI\%warmMinConnectionsInShardingTaskExecutorPoolOnStartup\fP is
+enabled by default.
+.sp
+You can only set this parameter on startup, using either the
+\fBsetParameter\fP configuration file setting or the
+\fB\-\-setParameter\fP command line option.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fI\%warmMinConnectionsInShardingTaskExecutorPoolOnStartupWaitMS\fP
+.IP \(bu 2
+\fI\%ShardingTaskExecutorPoolMinSize\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B warmMinConnectionsInShardingTaskExecutorPoolOnStartupWaitMS
+New in version 4.4.
+
+.sp
+Type: integer
+.sp
+\fIDefault\fP: 2000 (i.e. 2 seconds)
+.sp
+Available for \fBmongos\fP only.
+.sp
+Sets the timeout threshold in milliseconds for a
+\fBmongos\fP to wait for \fI\%ShardingTaskExecutorPoolMinSize\fP
+connections to be established per shard host when using the
+\fI\%warmMinConnectionsInShardingTaskExecutorPoolOnStartup\fP
+parameter. If this timeout is reached, the \fBmongos\fP will
+begin accepting client connections regardless of the size of its
+connection pool.
+.sp
+You can only set this parameter on startup, using either the
+\fBsetParameter\fP configuration file setting or the
+\fB\-\-setParameter\fP command line option.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fI\%warmMinConnectionsInShardingTaskExecutorPoolOnStartup\fP
+.IP \(bu 2
+\fI\%ShardingTaskExecutorPoolMinSize\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
.B migrateCloneInsertionBatchDelayMS
New in version 4.0.5: The parameter is also available starting in 3.4.18 and 3.6.10
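Review bot: In the added loadRoutingTableOnStartup and warmMinConnectionsInShardingTaskExecutorPoolOnStartup entries, the sentence "A mongos instance with ... enabled may experience longer startup times, but will result in faster servicing of initial client connections once started" makes the instance the thing that "results in" servicing. Reword it to something like "but services initial client connections faster once started". The warmMinConnectionsInShardingTaskExecutorPoolOnStartupWaitMS entry documents only the default of 2000 and does not say which values are accepted or what 0 means. Operators who bound startup time against an unreachable shard will look for that, so please state it.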
@@ -3234,8 +4433,12 @@ db.adminCommand( { setParameter: 1, syncdelay: 60 } )
\fBSEE ALSO:\fP
.INDENT 7.0
.INDENT 3.5
-\fBsyncPeriodSecs\fP and
-\fI\%journalCommitInterval\fP\&.
+.INDENT 0.0
+.IP \(bu 2
+\fI\%journalCommitInterval\fP
+.IP \(bu 2
+\fBstorage.syncPeriodSecs\fP
+.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
@@ -3279,12 +4482,78 @@ mongod \-\-setParameter honorSystemUmask=true
.SS WiredTiger Parameters
.INDENT 0.0
.TP
-.B wiredTigerConcurrentReadTransactions
-New in version 3.0.0.
-
+.B wiredTigerMaxCacheOverflowSizeGB
+.INDENT 7.0
+.INDENT 3.5
+.IP "Deprecated in MongoDB 4.4"
+.sp
+MongoDB deprecates the \fBwiredTigerMaxCacheOverflowSizeGB\fP
+parameter. The parameter has no effect starting in MongoDB 4.4.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault\fP: 0 (No specified maximum)
.sp
Available for \fBmongod\fP only.
.sp
+Specify the maximum size (in GB) for the "lookaside (or cache
+overflow) table" file \fBWiredTigerLAS.wt\fP for MongoDB
+4.2.1\-4.2.x and 4.0.12\-4.0.x. The file no longer exists starting in
+version 4.4.
+.sp
+The parameter can accept the following values:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T} T{
+Description
+T}
+_
+T{
+\fB0\fP
+T} T{
+The default value. If set to \fB0\fP, the file size is
+unbounded.
+T}
+_
+T{
+number >= 0.1
+T} T{
+The maximum size (in GB). If the \fBWiredTigerLAS.wt\fP
+file exceeds this size, \fBmongod\fP exits with a
+fatal assertion. You can clear the \fBWiredTigerLAS.wt\fP
+file and restart \fBmongod\fP\&.
+T}
+_
+.TE
+.sp
+You can only set this parameter during runtime using the
+\fBsetParameter\fP database command:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, wiredTigerMaxCacheOverflowSizeGB: 100 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+To set the maximum size during start up, use the
+\fBstorage.wiredTiger.engineConfig.maxCacheOverflowFileSizeGB\fP
+instead.
+.sp
+\fIAvailable starting in MongoDB 4.2.1 (and 4.0.12)\fP
+.UNINDENT
+.INDENT 0.0
+.TP
+.B wiredTigerConcurrentReadTransactions
+Available for \fBmongod\fP only.
+.sp
Available for the WiredTiger storage engine only.
.sp
Specify the maximum number of concurrent read transactions allowed
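Review bot: The new wiredTigerMaxCacheOverflowSizeGB entry contradicts itself. The deprecation box says the parameter "has no effect starting in MongoDB 4.4" and the description says WiredTigerLAS.wt "no longer exists starting in version 4.4", yet the entry then states "You can only set this parameter during runtime using the setParameter database command", gives a runnable example with a value of 100, and closes with "Available starting in MongoDB 4.2.1 (and 4.0.12)". In a page stamped 4.4, either drop the value table and the example or mark them explicitly as applying to 4.2.1-4.2.x and 4.0.12-4.0.x only, so nobody relies on the fatal-assertion size cap on a 4.4 server where it does nothing.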
@@ -3310,9 +4579,6 @@ db.adminCommand( { setParameter: 1, wiredTigerConcurrentReadTransactions: <num>
.INDENT 0.0
.TP
.B wiredTigerConcurrentWriteTransactions
-New in version 3.0.0.
-
-.sp
Available for \fBmongod\fP only.
.sp
Available for the WiredTiger storage engine only.
@@ -3340,9 +4606,6 @@ db.adminCommand( { setParameter: 1, wiredTigerConcurrentWriteTransactions: <num>
.INDENT 0.0
.TP
.B wiredTigerEngineRuntimeConfig
-New in version 3.0.0.
-
-.sp
Available for \fBmongod\fP only.
.sp
Specify \fBwiredTiger\fP storage engine configuration options for a
@@ -3381,9 +4644,6 @@ configuration options\fP\&.
.INDENT 0.0
.TP
.B auditAuthorizationSuccess
-New in version 2.6.5.
-
-.sp
\fIDefault\fP: \fBfalse\fP
.sp
\fBNOTE:\fP
@@ -3550,6 +4810,6 @@ mongod \-\-setParameter maxTransactionLockRequestTimeoutMillis=20
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2019
+2008-2020
.\" Generated by docutils manpage writer.
.
diff --git a/debian/mongokerberos.1 b/debian/mongokerberos.1
new file mode 100644
index 00000000000..75165b963c6
--- /dev/null
+++ b/debian/mongokerberos.1
@@ -0,0 +1,489 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "MONGOKERBEROS" "1" "Jun 23, 2020" "4.4" "mongodb-manual"
+.SH NAME
+mongokerberos \- MongoDB Kerberos Validation Utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Installation\fP
+.IP \(bu 2
+\fI\%Usage\fP
+.IP \(bu 2
+\fI\%Options\fP
+.UNINDENT
+.sp
+New in version 4.4: MongoDB Enterprise
+
+.SH SYNOPSIS
+.sp
+Starting in version 4.4, MongoDB Enterprise provides
+\fI\%mongokerberos\fP for testing MongoDB\(aqs Kerberos and GSSAPI
+configuration options against a
+running Kerberos deployment. \fI\%mongokerberos\fP can be used
+in one of two modes: \fIserver\fP and \fIclient\fP\&.
+.TS
+center;
+|l|l|.
+_
+T{
+Mode
+T} T{
+Description
+T}
+_
+T{
+Server
+T} T{
+In \fIserver mode\fP, \fI\%mongokerberos\fP analyzes
+Kerberos\-related configurations on the server, and returns a
+report which includes error messages for any configurations that
+are problematic. For usage, see \fI\%Server Mode\fP
+T}
+_
+T{
+Client
+T} T{
+In \fIclient mode\fP, \fI\%mongokerberos\fP tests Kerberos
+authentication for a provided username, and returns a report
+which includes the success or failure of each step in the
+Kerberos authentication procedure. For usage, see
+\fI\%Client Mode\fP
+T}
+_
+.TE
+.sp
+Error messages for both modes include information on specific errors
+encountered and potential advice for resolving the error.
+.sp
+\fI\%mongokerberos\fP supports the following deployment types,
+in both server and client modes:
+.INDENT 0.0
+.IP \(bu 2
+Linux MongoDB clients authenticating to MIT Kerberos deployments on
+supported Linux platforms\&.
+.IP \(bu 2
+Windows MongoDB clients authenticating to Windows Active Directory
+deployments on
+supported Windows platforms\&.
+.IP \(bu 2
+Linux MongoDB clients authenticating to Windows Active Directory
+deployments.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+MongoDB Enterprise and \fI\%mongokerberos\fP only support the
+\fI\%MIT implementation\fP
+of Kerberos.
+.UNINDENT
+.UNINDENT
+.sp
+Generally, when configuring options related to
+Kerberos authentication, it is good practice
+to verify your configuration with \fI\%mongokerberos\fP\&.
+.sp
+\fI\%mongokerberos\fP is a testing and verification tool; it does not
+edit any files or configure any services. For configuring Kerberos on
+your platform please consult the \fI\%MIT Kerberos documentation\fP, or your platform\(aqs
+documentation. For configuring MongoDB to authenticate using Kerberos,
+please reference the following tutorials:
+.INDENT 0.0
+.IP \(bu 2
+/tutorial/control\-access\-to\-mongodb\-with\-kerberos\-authentication
+.IP \(bu 2
+/tutorial/control\-access\-to\-mongodb\-windows\-with\-kerberos\-authentication\&.
+.UNINDENT
+.sp
+This document provides a complete overview of all command line options
+for \fI\%mongokerberos\fP\&.
+.SH INSTALLATION
+.sp
+The \fI\%mongokerberos\fP tool is part of the \fIMongoDB Database Tools Extra\fP
+package, and can be \fI\%installed with the MongoDB Server\fP or as a
+\fI\%standalone installation\fP\&.
+.SS Install with Server
+.sp
+To install \fI\%mongokerberos\fP as part of a MongoDB Enterprise Server
+installation:
+.INDENT 0.0
+.IP \(bu 2
+Follow the instructions for your platform:
+Install MongoDB Enterprise Server
+.IP \(bu 2
+After completing the installation, \fI\%mongokerberos\fP and the other
+included tools are available in the same location as the Server.
+.sp
+\fBNOTE:\fP
+.INDENT 2.0
+.INDENT 3.5
+For the Windows \fB\&.msi\fP installer wizard, the
+Complete installation option includes \fI\%mongokerberos\fP\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Install as Standalone
+.sp
+To install \fI\%mongokerberos\fP as a standalone installation:
+.INDENT 0.0
+.IP \(bu 2
+Follow the download link for MongoDB Enterprise Edition:
+\fI\%MongoDB Enterprise Download Center\fP
+.IP \(bu 2
+Select your Platform (operating system) from the dropdown
+menu, then select the appropriate Package for your
+platform according to the following chart:
+.TS
+center;
+|l|l|.
+_
+T{
+OS
+T} T{
+Package
+T}
+_
+T{
+\fILinux\fP
+T} T{
+\fBtgz\fP package
+T}
+_
+T{
+\fIWindows\fP
+T} T{
+\fBzip\fP package
+T}
+_
+T{
+\fImacOS\fP
+T} T{
+\fBtgz\fP package
+T}
+_
+.TE
+.IP \(bu 2
+Once downloaded, unpack the archive and copy \fI\%mongokerberos\fP to a
+location on your hard drive.
+.INDENT 2.0
+.INDENT 3.5
+.SS Tip
+.sp
+Linux and macOS users may wish to copy \fI\%mongokerberos\fP to a filesystem
+location that is defined in the \fB$PATH\fP environment variable, such
+as \fB/usr/bin\fP\&. Doing so allows referencing \fI\%mongokerberos\fP directly
+on the command line by name, without needing to specify its full
+path, or first navigating to its parent directory. See the
+installation guide for your platform
+for more information.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH USAGE
+.sp
+\fI\%mongokerberos\fP can be run in two modes: \fIserver\fP and
+\fIclient\fP\&.
+.sp
+Run \fI\%mongokerberos\fP from the system command line, not the \fBmongo\fP shell.
+.SS Server Mode
+.sp
+Running \fI\%mongokerberos\fP in server mode performs a series of
+verification steps against your system\(aqs Kerberos configuration,
+including checking for proper DNS resolution, validation of the Kerberos
+system keytab file, and testing against the MongoDB service principal
+for your \fBmongod\fP or \fBmongos\fP instance.
+.sp
+Before you can use \fI\%mongokerberos\fP in server mode, you must:
+.INDENT 0.0
+.IP 1. 3
+Configure Kerberos on your platform according to your platform\(aqs
+documentation.
+.IP 2. 3
+Create the MongoDB service principal for use with your
+\fBmongod\fP or \fBmongos\fP instance, as described
+in the following steps:
+.INDENT 3.0
+.IP \(bu 2
+Configure Service Principal on Linux
+.IP \(bu 2
+Configure Service Principal on Windows
+.UNINDENT
+.UNINDENT
+.sp
+Once you have completed these steps, you can run
+\fI\%mongokerberos\fP in server mode using the
+\fB\-\-server\fP flag as follows:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongokerberos \-\-server
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If Kerberos has been configured properly on the server, and the service
+principal created successfully, the output might resemble the following:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+Resolving kerberos environment...
+[OK] Kerberos environment resolved without errors.
+
+Verifying DNS resolution works with Kerberos service at <hostname>...
+[OK] DNS test successful.
+
+Getting MIT Kerberos KRB5 environment variables...
+ * KRB5CCNAME: not set.
+ * KRB5_CLIENT_KTNAME: not set.
+ * KRB5_CONFIG: not set.
+ * KRB5_KTNAME: not set.
+ * KRB5_TRACE: not set.
+[OK]
+
+Verifying existence of KRB5 keytab FILE:/etc/krb5.keytab...
+[OK] KRB5 keytab exists and is populated.
+
+Checking principal(s) in KRB5 keytab...
+Found the following principals for MongoDB service mongodb:
+ * mongodb/server.example.com@SERVER.EXAMPLE.COM
+Found the following kvnos in keytab entries for service mongodb:
+ * 3
+[OK] KRB5 keytab is valid.
+
+Fetching KRB5 Config...
+KRB5 config profile resolved as:
+ <Your Kerberos profile file will be output here>
+[OK] KRB5 config profile resolved without errors.
+
+Attempting to initiate security context with service credentials...
+[OK] Security context initiated successfully.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The final message indicates that the system\(aqs Kerberos configuration is
+ready to be used with MongoDB. If any errors are encountered with
+the configuration, they will be presented as part of the above output.
+.SS Client Mode
+.sp
+Running \fI\%mongokerberos\fP in client mode tests authentication
+against your system\(aqs Kerberos environment, performing each step in the
+Kerberos authentication process, including checking for proper DNS
+resolution, verification of the Kerberos client keytab file, and testing
+whether a ticket can be successfully granted. Running
+\fI\%mongokerberos\fP in client mode simulates the client
+authentication procedure of the \fBmongo\fP shell.
+.sp
+Before you can use \fI\%mongokerberos\fP in client mode, you must
+first have configured Kerberos on your platform according to your
+platform\(aqs documentation. Optionally, you may also choose to run
+\fI\%mongokerberos\fP in
+\fI\%server mode\fP first to verify that your
+platform\(aqs Kerberos configuration is valid before using client mode.
+.sp
+Once you have completed these steps, you can run
+\fI\%mongokerberos\fP in client mode to test user authentication,
+using the \fB\-\-client\fP flag as follows:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongokerberos \-\-client \-\-username <username>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You must provide a valid username, which is used to request a Kerberos
+ticket as part of the authentication procedure. Your platform\(aqs
+Kerberos infrastructure must be aware of this user.
+.sp
+If the provided credentials are valid, and the Kerberos options in the
+configuration files are valid, the output might resemble the following:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+ Resolving kerberos environment...
+ [OK] Kerberos environment resolved without errors.
+
+ Verifying DNS resolution works with Kerberos service at <hostname>...
+ [OK] DNS test successful.
+
+ Getting MIT Kerberos KRB5 environment variables...
+ * KRB5CCNAME: not set.
+ * KRB5_CLIENT_KTNAME: not set.
+ * KRB5_CONFIG: not set.
+ * KRB5_KTNAME: not set.
+ * KRB5_TRACE: not set.
+ [OK]
+
+ Verifying existence of KRB5 client keytab FILE:/path/to/client.keytab...
+ [OK] KRB5 client keytab exists and is populated.
+
+ Checking principal(s) in KRB5 keytab...
+ [OK] KRB5 keytab is valid.
+
+ Fetching KRB5 Config...
+ KRB5 config profile resolved as:
+ <Your Kerberos profile file will be output here>
+ [OK] KRB5 config profile resolved without errors.
+
+ Attempting client half of GSSAPI conversation...
+ [OK] Client half of GSSAPI conversation completed successfully.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The final message indicates that client authentication completed
+successfully for the user provided. If any errors are encountered
+during the authentication steps, they will be presented as part of the
+above output.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \-\-server
+Runs \fI\%mongokerberos\fP in server mode to test that your
+platform\(aqs Kerberos configuration is valid for use with MongoDB.
+.sp
+See \fI\%Server Mode\fP for example usage and expected
+output.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-client
+Runs \fI\%mongokerberos\fP in client mode to test client
+authentication against your system\(aqs Kerberos environment. Requires
+specifying a valid username with \fI\%\-\-username\fP when running in
+client mode. \fI\%mongokerberos\fP will request a Kerberos ticket
+for this username as part of the validation procedure. Running
+\fI\%mongokerberos\fP in client mode simulates the client
+authentication procedure of the \fBmongo\fP shell.
+.sp
+See \fI\%Client Mode\fP for example usage and expected
+output.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-config <filename>, \-f <filename>
+Specifies a configuration file for runtime configuration options.
+The options are equivalent to the command\-line
+configuration options. See /reference/configuration\-options for
+more information.
+.sp
+\fI\%mongokerberos\fP will read the values for
+\fBsaslHostName\fP and \fBsaslServiceName\fP from this
+file if present. These values can alteratively be specified with the
+\fI\%\-\-setParameter\fP option instead.
+.sp
+Ensure the configuration file uses ASCII encoding. The
+\fI\%mongokerberos\fP instance does not support configuration
+files with non\-ASCII encoding, including UTF\-8.
+.sp
+Only valid in \fI\%server mode\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-setParameter <options>
+Sets a configurable parameter. You can specify multiple
+\fBsetParameter\fP fields.
+.sp
+While you can use any supported parameters with \fBsetParameter\fP,
+\fI\%mongokerberos\fP only checks for the value of the following:
+.INDENT 7.0
+.IP \(bu 2
+\fBsaslHostName\fP
+.IP \(bu 2
+\fBsaslServiceName\fP
+.UNINDENT
+.sp
+If using the \fI\%\-\-config\fP option with a configuration file that
+also contains these values, the \fBsetParameter\fP values will
+override the values from the configuration file.
+.sp
+Valid in both \fI\%server mode\fP
+and \fI\%client mode\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-host <hostname>
+Specify the hostname of the MongoDB server to connect to when testing
+authentication.
+.sp
+If \fI\%\-\-host\fP is not specified, \fI\%mongokerberos\fP does
+not perform any DNS validation of the hostname (i.e. PTR record
+verification)
+.sp
+Only valid in \fI\%client mode\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-username <username>, \-u <username>
+Username for \fI\%mongokerberos\fP to use when attempting Kerberos
+authentication. This value is required when running in
+\fI\%client mode\fP\&.
+.sp
+Only valid in \fI\%client mode\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-gssapiServiceName <servicename>
+\fIdefault: \(aqmongodb\(aq\fP
+.sp
+Service principal name to use when authenticating using
+GSSAPI/Kerberos.
+.sp
+Only valid in \fI\%client mode\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-gssapiHostName <hostname>
+Remote hostname to use for purpose of GSSAPI/Kerberos authentication.
+.sp
+Only valid in \fI\%client mode\fP\&.
+.UNINDENT
+.SH AUTHOR
+MongoDB Documentation Project
+.SH COPYRIGHT
+2008-2020
+.\" Generated by docutils manpage writer.
+.
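Review bot: The Client Mode example and its sample output disagree with the \-\-host option text in this same file. The example is "mongokerberos \-\-client \-\-username <username>" with no \-\-host, and the sample output shows "Verifying DNS resolution works with Kerberos service at <hostname>... [OK] DNS test successful.", but the \-\-host entry says that without it mongokerberos "does not perform any DNS validation of the hostname (i.e. PTR record verification)". Either add \-\-host <hostname> to the example or say in the Client Mode section that the DNS step is skipped without it. Otherwise a reader can take a clean report as proof that reverse DNS was checked. Two smaller points: "alteratively" in the \-\-config entry should be "alternatively", and the \-\-host sentence ending "(i.e. PTR record verification)" is missing its final period.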
diff --git a/debian/mongoldap.1 b/debian/mongoldap.1
index e3e606d4bf9..2d45ee37736 100644
--- a/debian/mongoldap.1
+++ b/debian/mongoldap.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGOLDAP" "1" "Aug 16, 2019" "4.2" "mongodb-manual"
+.TH "MONGOLDAP" "1" "Jun 23, 2020" "4.4" "mongodb-manual"
.SH NAME
mongoldap \- MongoDB LDAP Configuration Testing Utility
.
@@ -35,6 +35,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.IP \(bu 2
\fI\%Synopsis\fP
.IP \(bu 2
+\fI\%Installation\fP
+.IP \(bu 2
\fI\%Usage\fP
.IP \(bu 2
\fI\%Options\fP
@@ -80,6 +82,88 @@ Run \fI\%mongoldap\fP from the system command line, not the \fBmongo\fP shell.
.sp
This document provides a complete overview of all command line options for
\fI\%mongoldap\fP\&.
+.SH INSTALLATION
+.sp
+The \fI\%mongoldap\fP tool is part of the \fIMongoDB Database Tools Extra\fP
+package, and can be \fI\%installed with the MongoDB Server\fP or as a
+\fI\%standalone installation\fP\&.
+.SS Install with Server
+.sp
+To install \fI\%mongoldap\fP as part of a MongoDB Enterprise Server
+installation:
+.INDENT 0.0
+.IP \(bu 2
+Follow the instructions for your platform:
+Install MongoDB Enterprise Server
+.IP \(bu 2
+After completing the installation, \fI\%mongoldap\fP and the other
+included tools are available in the same location as the Server.
+.sp
+\fBNOTE:\fP
+.INDENT 2.0
+.INDENT 3.5
+For the Windows \fB\&.msi\fP installer wizard, the
+Complete installation option includes \fI\%mongoldap\fP\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Install as Standalone
+.sp
+To install \fI\%mongoldap\fP as a standalone installation:
+.INDENT 0.0
+.IP \(bu 2
+Follow the download link for MongoDB Enterprise Edition:
+\fI\%MongoDB Enterprise Download Center\fP
+.IP \(bu 2
+Select your Platform (operating system) from the dropdown
+menu, then select the appropriate Package for your
+platform according to the following chart:
+.TS
+center;
+|l|l|.
+_
+T{
+OS
+T} T{
+Package
+T}
+_
+T{
+\fILinux\fP
+T} T{
+\fBtgz\fP package
+T}
+_
+T{
+\fIWindows\fP
+T} T{
+\fBzip\fP package
+T}
+_
+T{
+\fImacOS\fP
+T} T{
+\fBtgz\fP package
+T}
+_
+.TE
+.IP \(bu 2
+Once downloaded, unpack the archive and copy \fI\%mongoldap\fP to a
+location on your hard drive.
+.INDENT 2.0
+.INDENT 3.5
+.SS Tip
+.sp
+Linux and macOS users may wish to copy \fI\%mongoldap\fP to a filesystem
+location that is defined in the \fB$PATH\fP environment variable, such
+as \fB/usr/bin\fP\&. Doing so allows referencing \fI\%mongoldap\fP directly
+on the command line by name, without needing to specify its full
+path, or first navigating to its parent directory. See the
+installation guide for your platform
+for more information.
+.UNINDENT
+.UNINDENT
+.UNINDENT
.SH USAGE
.sp
\fBNOTE:\fP
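Review bot: In the "Install as Standalone" list, the tip is emitted as ".SS Tip" inside two nested .INDENT blocks. .SS starts a new subsection heading and resets the indentation, so the tip will render as a heading at the same level as "Install as Standalone" rather than as part of the third list item, and the .UNINDENT calls that follow no longer pair with an open inset. The note a few lines above uses the "\fBNOTE:\fP" plus .INDENT form, which keeps the text inside the list item. The tip should be generated the same way. The identical construct is in the new mongokerberos.1.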
@@ -128,7 +212,7 @@ for \fI\%mongoldap\fP\&.
.sp
.nf
.ft C
-mongoldap \-\-config <path\-to\-config> \-\-user "bob@dba.example.com" \-\-password "secret123"
+mongoldap \-\-config=<path\-to\-config> \-\-user="bob@dba.example.com" \-\-password="secret123"
.ft P
.fi
.UNINDENT
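Review bot: The rewritten example line still carries a literal password on the command line (\-\-password="secret123"), where it ends up in shell history and is visible to other local users in process listings. Since this line is being changed anyway, use a placeholder such as \-\-password=<password> and add a sentence next to the example about that exposure.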
@@ -169,7 +253,7 @@ Executing query against LDAP server...
.SH OPTIONS
.INDENT 0.0
.TP
-.B \-\-config <filename>, \-f <filename>
+.B \-\-config=<filename>, \-f=<filename>
Specifies a configuration file for runtime configuration options.
The options are equivalent to the command\-line
configuration options. See /reference/configuration\-options for
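Review bot: The option heading now reads "\-\-config=<filename>, \-f=<filename>", while mongokerberos.1, added in this same commit, documents the equivalent option as "\-\-config <filename>, \-f <filename>". Pick one form for both pages. The "=" after the short option \-f is also unusual for single-letter options. Please confirm that the binary accepts "\-f=<filename>" as written, and keep the space-separated form for \-f if it does not.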
@@ -188,30 +272,31 @@ including UTF\-8.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-user <string>
+.B \-\-user=<string>
Username for \fBmongoldap\fP to use when attempting LDAP authentication or
authorization.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-password <string>
-Password of the \fB\-\-user\fP for \fBmongoldap\fP to use when attempting LDAP
-authentication. Not required for LDAP authorization.
+.B \-\-password=<string>
+Password of the \fI\%\-\-user\fP for
+\fBmongoldap\fP to use when attempting LDAP authentication. Not
+required for LDAP authorization.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapServers <host1>:<port>,<host2>:<port>,...,<hostN>:<port>
+.B \-\-ldapServers=<host1>:<port>,<host2>:<port>,...,<hostN>:<port>
New in version 3.4: Available in MongoDB Enterprise only.
.sp
-The LDAP server against which the \fBmongoldap\fP executes LDAP operations
-against to authenticate users or determine what actions a user is authorized
-to perform on a given database. If the LDAP server specified has any
-replicated instances, you may specify the host and port of each replicated
-server in a comma\-delimited list.
+The LDAP server against which the \fBmongoldap\fP authenticates users or
+determines what actions a user is authorized to perform on a given
+database. If the LDAP server specified has any replicated instances,
+you may specify the host and port of each replicated server in a
+comma\-delimited list.
.sp
-If your LDAP infrastrucure partitions the LDAP directory over multiple LDAP
-servers, specify \fIone\fP LDAP server any of its replicated instances to
+If your LDAP infrastructure partitions the LDAP directory over multiple LDAP
+servers, specify \fIone\fP LDAP server or any of its replicated instances to
\fI\%\-\-ldapServers\fP\&. MongoDB supports following LDAP referrals as defined in \fI\%RFC 4511
4.1.10\fP\&. Do not use \fI\%\-\-ldapServers\fP
for listing every LDAP server in your infrastructure.
@@ -223,7 +308,7 @@ If unset, \fBmongoldap\fP cannot use LDAP authentication or authorization\&.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapQueryUser <string>
+.B \-\-ldapQueryUser=<string>
New in version 3.4: Available in MongoDB Enterprise only.
.sp
@@ -258,7 +343,7 @@ both \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the sam
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapQueryPassword <string>
+.B \-\-ldapQueryPassword=<string>
New in version 3.4: Available in MongoDB Enterprise only.
.sp
The password used to bind to an LDAP server when using
@@ -282,8 +367,8 @@ both \fI\%\-\-ldapQueryPassword\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapBindWithOSDefaults <bool>
-\fIDefault\fP: False
+.B \-\-ldapBindWithOSDefaults=<bool>
+\fIDefault\fP: false
.sp
New in version 3.4: Available in MongoDB Enterprise for the Windows platform only.
@@ -306,31 +391,48 @@ Use \fI\%\-\-ldapBindWithOSDefaults\fP to replace \fI\%\-\-ldapQueryUser\fP and
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapBindMethod <string>
+.B \-\-ldapBindMethod=<string>
\fIDefault\fP: simple
.sp
New in version 3.4: Available in MongoDB Enterprise only.
.sp
-The method \fBmongoldap\fP uses to authenticate to an LDAP server.
-Use with \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapQueryPassword\fP to
-connect to the LDAP server.
+The method \fBmongoldap\fP uses to authenticate to an LDAP
+server. Use with \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapQueryPassword\fP to connect to the LDAP server.
.sp
-\fI\%\-\-ldapBindMethod\fP supports the following values:
-.INDENT 7.0
-.IP \(bu 2
-\fBsimple\fP \- \fBmongoldap\fP uses simple authentication.
-.IP \(bu 2
-\fBsasl\fP \- \fBmongoldap\fP uses SASL protocol for authentication
-.UNINDENT
+\fI\%\-\-ldapBindMethod\fP supports
+the following values:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T} T{
+Description
+T}
+_
+T{
+\fBsimple\fP
+T} T{
+\fBmongoldap\fP uses simple authentication.
+T}
+_
+T{
+\fBsasl\fP
+T} T{
+\fBmongoldap\fP uses SASL protocol for authentication.
+T}
+_
+.TE
.sp
If you specify \fBsasl\fP, you can configure the available SASL mechanisms
-using \fI\%\-\-ldapBindSASLMechanisms\fP\&. \fBmongoldap\fP defaults to
+using \fI\%\-\-ldapBindSaslMechanisms\fP\&. \fBmongoldap\fP defaults to
using \fBDIGEST\-MD5\fP mechanism.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapBindSASLMechanisms <string>
+.B \-\-ldapBindSaslMechanisms=<string>
\fIDefault\fP: DIGEST\-MD5
.sp
New in version 3.4: Available in MongoDB Enterprise only.
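Review bot: This hunk changes the documented option spelling from \-\-ldapBindSASLMechanisms to \-\-ldapBindSaslMechanisms, in both the heading and the cross-reference, without saying whether the old spelling is still accepted. Anyone with the previous spelling in scripts cannot tell from the page whether it will still parse. Add a line stating whether the option name is case-sensitive, or note the change of spelling with the version it applies to.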
@@ -405,7 +507,7 @@ For Windows, please see the \fI\%Windows SASL documentation\fP\&.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapTransportSecurity <string>
+.B \-\-ldapTransportSecurity=<string>
\fIDefault\fP: tls
.sp
New in version 3.4: Available in MongoDB Enterprise only.
@@ -440,7 +542,7 @@ credentials between \fBmongoldap\fP and the LDAP server.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapTimeoutMS <long>
+.B \-\-ldapTimeoutMS=<long>
\fIDefault\fP: 10000
.sp
New in version 3.4: Available in MongoDB Enterprise only.
@@ -459,7 +561,7 @@ This setting can be configured on a running \fBmongoldap\fP using
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapUserToDNMapping <string>
+.B \-\-ldapUserToDNMapping=<string>
New in version 3.4: Available in MongoDB Enterprise only.
.sp
@@ -575,10 +677,17 @@ username against the \fBmatch\fP filter. If a match is found,
authenticating the user. \fBmongoldap\fP does not check the remaining documents
in the array.
.sp
-If the given document does not match the provided authentication name, or
-the transformation described by the document fails, \fBmongoldap\fP continues
-through the list of documents to find additional matches. If no matches are
-found in any document, \fBmongoldap\fP returns an error.
+If the given document does not match the provided authentication
+name, \fBmongoldap\fP continues through the list of documents
+to find additional matches. If no matches are found in any document,
+or the transformation the document describes fails,
+\fBmongoldap\fP returns an error.
+.sp
+Starting in MongoDB 4.4, \fBmongoldap\fP also returns an error
+if one of the transformations cannot be evaluated due to networking
+or authentication failures to the LDAP server. \fBmongoldap\fP
+rejects the connection request and does not check the remaining
+documents in the array.
.INDENT 7.0
.INDENT 3.5
.SH EXAMPLE
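Review bot: The first rewritten paragraph changes the documented behaviour for a failed transformation with no version qualifier. The old text said mongoldap "continues through the list of documents" when the transformation fails. The new text says it "returns an error" in that case. Only the second paragraph is scoped with "Starting in MongoDB 4.4". If the stop-on-failed-transformation behaviour is also new in 4.4, say so. If it always behaved this way, the change is a correction and the commit message should mention it, because it alters how administrators order their mapping documents. The phrase "rejects the connection request" reads as server behaviour. For the mongoldap tool, describe what the tool reports instead.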
@@ -639,7 +748,7 @@ This setting can be configured on a running \fBmongoldap\fP using the
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapAuthzQueryTemplate <string>
+.B \-\-ldapAuthzQueryTemplate=<string>
New in version 3.4: Available in MongoDB Enterprise only.
.sp
@@ -743,6 +852,6 @@ use your preferred LDAP resource.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2019
+2008-2020
.\" Generated by docutils manpage writer.
.
diff --git a/debian/mongos.1 b/debian/mongos.1
index e9e6f6d2464..40a5149e2b3 100644
--- a/debian/mongos.1
+++ b/debian/mongos.1
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "MONGOS" "1" "Aug 16, 2019" "4.2" "mongodb-manual"
+.TH "MONGOS" "1" "Jun 23, 2020" "4.4" "mongodb-manual"
.SH NAME
mongos \- MongoDB Sharded Cluster Query Router
.
@@ -52,6 +52,10 @@ any other MongoDB instance.
.IP \(bu 2
Never change the name of the \fI\%mongos\fP binary.
.IP \(bu 2
+Starting in version 4.4, \fI\%mongos\fP
+can support hedged reads to minimize
+latencies.
+.IP \(bu 2
Starting in version 4.0, MongoDB disables support for TLS 1.0
encryption on systems where TLS 1.1+ is available. For
more details, see 4.0\-disable\-tls\&.
@@ -366,15 +370,16 @@ maximum size of the connection pool.
This setting prevents the \fI\%mongos\fP from causing connection spikes on
the individual shards\&. Spikes like these may disrupt the
operation and memory allocation of the sharded cluster\&.
-.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-Changed in version 2.6: MongoDB removed the upward limit on the \fBmaxIncomingConnections\fP
-setting.
-
-.UNINDENT
.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-logpath <path>
+Sends all diagnostic logging information to a log file instead of to
+standard output or to the host\(aqs syslog system. MongoDB creates
+the log file at the path you specify.
+.sp
+By default, MongoDB will move any existing log file rather than overwrite
+it. To instead append to the log file, set the \fI\%\-\-logappend\fP option.
.UNINDENT
.INDENT 0.0
.TP
@@ -419,16 +424,6 @@ must enable the \fI\%\-\-syslog\fP option.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-logpath <path>
-Sends all diagnostic logging information to a log file instead of to
-standard output or to the host\(aqs syslog system. MongoDB creates
-the log file at the path you specify.
-.sp
-By default, MongoDB will move any existing log file rather than overwrite
-it. To instead append to the log file, set the \fI\%\-\-logappend\fP option.
-.UNINDENT
-.INDENT 0.0
-.TP
.B \-\-logappend
Appends new entries to the end of the existing log file when the \fBmongos\fP
instance restarts. Without this option, \fBmongod\fP will back up the
@@ -436,6 +431,24 @@ existing log and create a new file.
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-logRotate <string>
+\fIDefault\fP: rename
+.sp
+Determines the behavior for the \fBlogRotate\fP command.
+Specify either \fBrename\fP or \fBreopen\fP:
+.INDENT 7.0
+.IP \(bu 2
+\fBrename\fP renames the log file.
+.IP \(bu 2
+\fBreopen\fP closes and reopens the log file following the typical
+Linux/Unix log rotate behavior. Use \fBreopen\fP when using the
+Linux/Unix logrotate utility to avoid log loss.
+.sp
+If you specify \fBreopen\fP, you must also use \fI\%\-\-logappend\fP\&.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-redactClientLogData
New in version 3.4: Available in MongoDB Enterprise only.
@@ -464,20 +477,8 @@ due to the lack of data related to a log event. See the
process logging manual page for an
example of the effect of \fI\%\-\-redactClientLogData\fP on log output.
.sp
-You can enable or disable log redaction on a running \fBmongos\fP
-using the \fBsetParameter\fP database command.
-.INDENT 7.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-db.adminCommand(
- { setParameter: 1, redactClientLogData : true | false }
-)
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
+On a running \fBmongos\fP, use \fBsetParameter\fP with the
+\fBredactClientLogData\fP parameter to configure this setting.
.UNINDENT
.INDENT 0.0
.TP
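Review bot: The replacement sentence `+On a running \fBmongos\fP, use \fBsetParameter\fP with the` drops the only concrete invocation of a security-relevant setting; the removed `db.adminCommand( { setParameter: 1, redactClientLogData : true | false } )` block showed exactly what to run. Either keep a one-line example or render `setParameter` and `redactClientLogData` as `\fI\%...\fP` references like the other cross-links on this page, because in the added lines both are plain bold and lead nowhere.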
@@ -497,13 +498,6 @@ Description
T}
_
T{
-\fBctime\fP
-T} T{
-Displays timestamps as \fBWed Dec 31
-18:17:54.811\fP\&.
-T}
-_
-T{
\fBiso8601\-utc\fP
T} T{
Displays timestamps in Coordinated Universal Time (UTC) in the
@@ -516,19 +510,50 @@ T{
T} T{
Displays timestamps in local time in the ISO\-8601
format. For example, for New York at the start of the Epoch:
-\fB1969\-12\-31T19:00:00.000\-0500\fP
+\fB1969\-12\-31T19:00:00.000\-05:00\fP
T}
_
.TE
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.4, \fI\%\-\-timeStampFormat\fP no longer supports \fBctime\fP\&.
+An example of \fBctime\fP formatted date is: \fBWed Dec 31
+18:17:54.811\fP\&.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-pidfilepath <path>
-Specifies a file location to hold the process ID of the \fBmongos\fP
-process where \fBmongos\fP will write its PID. This is useful for
-tracking the \fBmongos\fP process in combination with
-the \fI\%\-\-fork\fP option. Without a specified \fI\%\-\-pidfilepath\fP option, the
-process creates no PID file.
+Specifies a file location to store the process ID (PID) of the \fBmongos\fP
+process. The user running the \fBmongod\fP or \fBmongos\fP
+process must be able to write to this path. If the \fI\%\-\-pidfilepath\fP option is not
+specified, the process does not create a PID file. This option is generally
+only useful in combination with the \fI\%\-\-fork\fP option.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Linux"
+.sp
+On Linux, PID file management is generally the responsibility of
+your distro\(aqs init system: usually a service file in the \fB/etc/init.d\fP
+directory, or a systemd unit file registered with \fBsystemctl\fP\&. Only
+use the \fI\%\-\-pidfilepath\fP option if you are not using one of these init
+systems. For more information, please see the respective
+Installation Guide for your operating system.
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.INDENT 3.5
+.IP "macOS"
+.sp
+On macOS, PID file management is generally handled by \fBbrew\fP\&. Only use
+the \fI\%\-\-pidfilepath\fP option if you are not using \fBbrew\fP on your macOS system.
+For more information, please see the respective
+Installation Guide for your operating system.
+.UNINDENT
+.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
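Review bot: The added NOTE says \-\-timeStampFormat no longer supports `ctime` starting in 4.4, but not what a 4.4 mongos does when an existing configuration still passes that value; state the failure mode so an upgrade is predictable. In the new \-\-pidfilepath text, the sentence `The user running the \fBmongod\fP or \fBmongos\fP process must be able to write to this path` would also benefit from saying that the path should not be writable by other users, since init scripts act on the PID stored there.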
@@ -563,6 +588,19 @@ fields.
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-noscripting
+Disables the scripting engine. When disabled, you cannot use
+operations that perform server\-side execution of JavaScript code,
+such as the \fB$where\fP query operator, \fBmapReduce\fP
+command, \fB$accumulator\fP, and \fB$function\fP\&.
+.sp
+If you do not use these operations, disable server\-side scripting.
+.sp
+New in version 4.4.
+
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-nounixsocket
Disables listening on the UNIX domain socket. \fI\%\-\-nounixsocket\fP applies only
to Unix\-based systems.
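Review bot: `New in version 4.4.` is the last line of the added \-\-noscripting entry, after the recommendation, whereas other entries in this file place the version marker near the top (see \-\-redactClientLogData and \-\-serviceExecutor). Move it up so it reads as applying to the option itself rather than to the advice. The sentence `If you do not use these operations, disable server\-side scripting.` would also be clearer if it named the flag, e.g. "set \-\-noscripting".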
@@ -578,10 +616,9 @@ always listens on the UNIX socket unless one of the following is true:
\fBnet.bindIp\fP does not specify \fBlocalhost\fP or its associated IP address
.UNINDENT
.sp
-New in version 2.6: \fBmongos\fP installed from official \&.deb and \&.rpm packages
+\fBmongos\fP installed from official \&.deb and \&.rpm packages
have the \fBbind_ip\fP configuration set to \fB127.0.0.1\fP by
default.
-
.UNINDENT
.INDENT 0.0
.TP
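Review bot: With the `New in version 2.6:` prefix removed, the sentence that remains still names the setting `\fBbind_ip\fP`, while the list item a few lines above it uses `\fBnet.bindIp\fP`. Use one name for the setting, or give both the configuration-file and command-line forms, so a reader checking which interface a packaged mongos listens on is not left guessing whether these are the same option.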
@@ -622,6 +659,8 @@ background. By default \fBmongos\fP does not run as a daemon:
typically you will run \fBmongos\fP as a daemon, either by using
\fI\%\-\-fork\fP or by using a controlling process that handles the
daemonization process (e.g. as with \fBupstart\fP and \fBsystemd\fP).
+.sp
+The \fI\%\-\-fork\fP option is not supported on Windows.
.UNINDENT
.INDENT 0.0
.TP
@@ -718,6 +757,47 @@ between \fBmongo\fP shell and \fBmongod\fP are not compressed.
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-serviceExecutor <string>
+\fIDefault\fP: synchronous
+.sp
+New in version 3.6.
+
+.sp
+Determines the threading and execution model \fBmongos\fP uses to
+execute client requests. The \fB\-\-serviceExecutor\fP option accepts one
+of the following values:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T} T{
+Description
+T}
+_
+T{
+\fBsynchronous\fP
+T} T{
+The \fBmongos\fP uses synchronous networking and manages its
+networking thread pool on a per connection basis. Previous
+versions of MongoDB managed threads in this way.
+T}
+_
+T{
+\fBadaptive\fP
+T} T{
+The \fBmongos\fP uses the new experimental asynchronous
+networking mode with an adaptive thread pool which manages
+threads on a per request basis. This mode should have more
+consistent performance and use less resources when there are
+more inactive connections than database requests.
+T}
+_
+.TE
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-timeZoneInfo <path>
The full path from which to load the time zone database. If this option
is not provided, then MongoDB will use its built\-in time zone database.
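Review bot: The `adaptive` row calls the mode "the new experimental asynchronous networking mode" although the entry itself says `New in version 3.6.` and this page is stamped 4.4. Drop "new" and state explicitly whether `adaptive` is supported for production use, because "experimental" buried in a table cell is easy to miss. In the `synchronous` row, "Previous versions of MongoDB managed threads in this way" should name the version boundary it refers to.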
@@ -969,9 +1049,6 @@ For more information about TLS and MongoDB, see
.B \-\-clusterAuthMode <option>
\fIDefault\fP: keyFile
.sp
-New in version 2.6.
-
-.sp
The authentication mode used for cluster authentication. If you use
internal x.509 authentication,
specify so here. This option can have one of the following values:
@@ -1057,6 +1134,13 @@ the certificate returned by the \fI\%\-\-tlsCertificateSelector\fP\&.
If using x.509 authentication, \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP
must be specified unless using \fB\-\-tlsCertificateSelector\fP\&.
.sp
+Changed in version 4.4: \fBmongod\fP / \fI\%mongos\fP logs a warning on
+connection if the presented x.509 certificate expires within \fB30\fP
+days of the \fBmongod/mongos\fP host system time. See
+4.4\-rel\-notes\-certificate\-expiration\-warning for more
+information.
+
+.sp
For more information about TLS and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
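Review bot: The added paragraph ends with `See 4.4\-rel\-notes\-certificate\-expiration\-warning for more information`, which is an unresolved reST label emitted as literal text that a man page reader cannot follow. Replace it with the release-notes section title or drop the sentence. The paragraph also writes the process names three ways (`\fBmongod\fP`, `\fI\%mongos\fP`, `\fBmongod/mongos\fP`); pick one form, and say at which log severity the 30-day warning is emitted so operators can alert on it.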
@@ -1239,21 +1323,43 @@ The \fBthumbprint\fP is sometimes referred to as a
T}
_
.TE
+.sp
+Changed in version 4.4: \fBmongod\fP / \fI\%mongos\fP logs a warning on
+connection if the presented x.509 certificate expires within \fB30\fP
+days of the \fBmongod/mongos\fP host system time. See
+4.4\-rel\-notes\-certificate\-expiration\-warning for more
+information.
+
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tlsCRLFile <filename>
-New in version 4.2.
+New in version 4.2: For MongoDB 4.0 and earlier, see \fI\%\-\-sslCRLFile\fP\&.
.sp
-Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
+Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
List. Specify the file name of the \fB\&.pem\fP file using relative or
absolute paths.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Starting in MongoDB 4.0, you cannot specify \fI\%\-\-tlsCRLFile\fP on macOS. Use \fI\%\-\-tlsCertificateSelector\fP instead.
+.INDENT 0.0
+.IP \(bu 2
+Starting in MongoDB 4.0, you cannot specify a CRL file on
+macOS. Instead, you can use the system SSL certificate store,
+which uses OCSP (Online Certificate Status Protocol) to
+validate the revocation status of certificates. See
+\fI\%\-\-sslCertificateSelector\fP in MongoDB 4.0 and
+\fI\%\-\-tlsCertificateSelector\fP in MongoDB 4.2+ to use the
+system SSL certificate store.
+.IP \(bu 2
+Starting in version 4.4, to check for certificate revocation,
+MongoDB \fBenables\fP the use of OCSP
+(Online Certificate Status Protocol) by default as an
+alternative to specifying a CRL file or using the system SSL
+certificate store.
+.UNINDENT
.UNINDENT
.UNINDENT
.sp
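Review bot: The second added bullet under \-\-tlsCRLFile says 4.4 enables OCSP by default "as an alternative to specifying a CRL file", but not which check applies when a CRL file is configured while OCSP is on, nor how OCSP is turned off. For a revocation control that ambiguity matters, so document the precedence and point to the setting that governs OCSP. The first bullet also directs readers to \-\-sslCertificateSelector for 4.0 inside the entry for a 4.2+ option; that half could be limited to the deprecated \-\-sslCRLFile entry.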
@@ -1428,9 +1534,6 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsMode\fP instead.
.sp
-New in version 2.6.
-
-.sp
Enables TLS/SSL or mixed TLS/SSL used for all network connections. The
argument to the \fI\%\-\-sslMode\fP option can be one of the following:
.TS
@@ -1586,9 +1689,6 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsClusterPassword\fP instead.
.sp
-New in version 2.6.
-
-.sp
Specifies the password to de\-crypt the x.509 certificate\-key file
specified with \fB\-\-sslClusterFile\fP\&. Use the \fI\%\-\-sslClusterPassword\fP option only
if the certificate\-key file is encrypted. In all cases, the \fBmongos\fP
@@ -1774,14 +1874,29 @@ _
Deprecated since version 4.2: Use \fI\%\-\-tlsCRLFile\fP instead.
.sp
-Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
+Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
List. Specify the file name of the \fB\&.pem\fP file using relative or
absolute paths.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Starting in MongoDB 4.0, you cannot specify \fI\%\-\-sslCRLFile\fP on macOS. Use \fI\%\-\-sslCertificateSelector\fP instead.
+.INDENT 0.0
+.IP \(bu 2
+Starting in MongoDB 4.0, you cannot specify a CRL file on
+macOS. Instead, you can use the system SSL certificate store,
+which uses OCSP (Online Certificate Status Protocol) to
+validate the revocation status of certificates. See
+\fI\%\-\-sslCertificateSelector\fP in MongoDB 4.0 and
+\fI\%\-\-tlsCertificateSelector\fP in MongoDB 4.2+ to use the
+system SSL certificate store.
+.IP \(bu 2
+Starting in version 4.4, to check for certificate revocation,
+MongoDB \fBenables\fP the use of OCSP
+(Online Certificate Status Protocol) by default as an
+alternative to specifying a CRL file or using the system SSL
+certificate store.
+.UNINDENT
.UNINDENT
.UNINDENT
.sp
@@ -1847,9 +1962,6 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsAllowInvalidHostnames\fP instead.
.sp
-New in version 3.0.
-
-.sp
Disables the validation of the hostnames in TLS/SSL certificates,
when connecting to other members of the replica set or sharded cluster
for inter\-process authentication. This allows \fBmongos\fP to connect
@@ -1866,9 +1978,6 @@ For more information about TLS/SSL and MongoDB, see
Deprecated since version 4.2: Use \fI\%\-\-tlsDisabledProtocols\fP instead.
.sp
-New in version 3.0.7.
-
-.sp
Prevents a MongoDB server running with TLS/SSL from accepting
incoming connections that use a specific protocol or protocols. To
specify multiple protocols, use a comma separated list of protocols.
@@ -1981,9 +2090,6 @@ and \fI\%MongoDB Atlas\fP\&.
.INDENT 0.0
.TP
.B \-\-auditFormat
-New in version 2.6.
-
-.sp
Specifies the format of the output file for auditing if \fI\%\-\-auditDestination\fP is \fBfile\fP\&. The
\fI\%\-\-auditFormat\fP option can have one of the following values:
.TS
@@ -2026,9 +2132,6 @@ and \fI\%MongoDB Atlas\fP\&.
.INDENT 0.0
.TP
.B \-\-auditPath
-New in version 2.6.
-
-.sp
Specifies the output file for auditing if
\fI\%\-\-auditDestination\fP has value of \fBfile\fP\&. The \fI\%\-\-auditPath\fP
option can take either a full path name or a relative path name.
@@ -2044,9 +2147,6 @@ and \fI\%MongoDB Atlas\fP\&.
.INDENT 0.0
.TP
.B \-\-auditFilter
-New in version 2.6.
-
-.sp
Specifies the filter to limit the types of operations the audit system records. The option takes a string representation
of a query document of the form:
.INDENT 7.0
@@ -2126,14 +2226,14 @@ New in version 4.0.
New in version 3.4: Available in MongoDB Enterprise only.
.sp
-The LDAP server against which the \fBmongos\fP executes LDAP operations
-against to authenticate users or determine what actions a user is authorized
-to perform on a given database. If the LDAP server specified has any
-replicated instances, you may specify the host and port of each replicated
-server in a comma\-delimited list.
+The LDAP server against which the \fBmongos\fP authenticates users or
+determines what actions a user is authorized to perform on a given
+database. If the LDAP server specified has any replicated instances,
+you may specify the host and port of each replicated server in a
+comma\-delimited list.
.sp
-If your LDAP infrastrucure partitions the LDAP directory over multiple LDAP
-servers, specify \fIone\fP LDAP server any of its replicated instances to
+If your LDAP infrastructure partitions the LDAP directory over multiple LDAP
+servers, specify \fIone\fP LDAP server or any of its replicated instances to
\fI\%\-\-ldapServers\fP\&. MongoDB supports following LDAP referrals as defined in \fI\%RFC 4511
4.1.10\fP\&. Do not use \fI\%\-\-ldapServers\fP
for listing every LDAP server in your infrastructure.
@@ -2145,6 +2245,24 @@ If unset, \fBmongos\fP cannot use LDAP authentication or authorization\&.
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-ldapValidateLDAPServerConfig <boolean>
+\fIAvailable in MongoDB Enterprise\fP
+.sp
+A flag that determines if the \fI\%mongos\fP instance checks
+the availability of the \fI\%LDAP server(s)\fP as part of its startup:
+.INDENT 7.0
+.IP \(bu 2
+If \fBtrue\fP, the \fI\%mongos\fP instance performs the
+availability check and only continues to start up if the LDAP
+server is available.
+.IP \(bu 2
+If \fBfalse\fP, the \fI\%mongos\fP instance skips the
+availability check; i.e. the instance starts up even if the LDAP
+server is unavailable.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-ldapQueryUser <string>
New in version 3.4: Available in MongoDB Enterprise only.
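Review bot: The new \-\-ldapValidateLDAPServerConfig entry gives neither a default nor a version marker, unlike its neighbours (\-\-ldapBindWithOSDefaults carries `\fIDefault\fP: false`, \-\-ldapQueryUser carries `New in version 3.4`). Add both, and use the same type spelling as the rest of the file (`<bool>` elsewhere, `<boolean>` here). The `false` bullet should also say how authentication requests behave while the instance is up and the LDAP server is still unavailable.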
@@ -2205,7 +2323,7 @@ both \fI\%\-\-ldapQueryPassword\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the
.INDENT 0.0
.TP
.B \-\-ldapBindWithOSDefaults <bool>
-\fIDefault\fP: False
+\fIDefault\fP: false
.sp
New in version 3.4: Available in MongoDB Enterprise for the Windows platform only.
@@ -2247,12 +2365,12 @@ connect to the LDAP server.
.UNINDENT
.sp
If you specify \fBsasl\fP, you can configure the available SASL mechanisms
-using \fI\%\-\-ldapBindSASLMechanisms\fP\&. \fBmongos\fP defaults to
+using \fI\%\-\-ldapBindSaslMechanisms\fP\&. \fBmongos\fP defaults to
using \fBDIGEST\-MD5\fP mechanism.
.UNINDENT
.INDENT 0.0
.TP
-.B \-\-ldapBindSASLMechanisms <string>
+.B \-\-ldapBindSaslMechanisms <string>
\fIDefault\fP: DIGEST\-MD5
.sp
New in version 3.4: Available in MongoDB Enterprise only.
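Review bot: Nothing in the re-spelled \-\-ldapBindSaslMechanisms entry says whether the previous spelling \-\-ldapBindSASLMechanisms is still accepted. Existing startup scripts and service files use the old form, so add a line stating whether it still parses or whether the old text was simply a documentation error. Check that every other reference in this file was updated to the new spelling as well.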
@@ -2497,10 +2615,17 @@ username against the \fBmatch\fP filter. If a match is found,
authenticating the user. \fBmongos\fP does not check the remaining documents
in the array.
.sp
-If the given document does not match the provided authentication name, or
-the transformation described by the document fails, \fBmongos\fP continues
-through the list of documents to find additional matches. If no matches are
-found in any document, \fBmongos\fP returns an error.
+If the given document does not match the provided authentication
+name, \fI\%mongos\fP continues through the list of documents
+to find additional matches. If no matches are found in any document,
+or the transformation the document describes fails,
+\fI\%mongos\fP returns an error.
+.sp
+Starting in MongoDB 4.4, \fI\%mongos\fP also returns an error
+if one of the transformations cannot be evaluated due to networking
+or authentication failures to the LDAP server. \fI\%mongos\fP
+rejects the connection request and does not check the remaining
+documents in the array.
.INDENT 7.0
.INDENT 3.5
.SS Example
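Review bot: The rewritten first paragraph now says a failed transformation returns an error instead of continuing through the list, yet only the second paragraph is qualified with `Starting in MongoDB 4.4`. Make clear whether the first change is also 4.4 behaviour or a correction of what earlier versions always did, since it alters how operators should order their mapping documents. The paragraph also mixes "returns an error" with "rejects the connection request"; say whether these are the same outcome.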
@@ -2579,6 +2704,6 @@ Set \fI\%\-\-bind_ip_all\fP to \fBtrue\fP\&.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
-2008-2019
+2008-2020
.\" Generated by docutils manpage writer.
.