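#!/bin/bash
# Logging configuration for the MongoDB setup steps that follow.
#   log_status=0      discard log output (/dev/null)
#   log_status=2      send log output to stdout
#   any other value   append to a dated log file under /tmp (1 is the default)
log_status=1
default_log_file="/tmp/setup_mongodb_$(date +%F).log"

case "$log_status" in
  0) log_file=/dev/null ;;
  2) log_file=/dev/stdout ;;
  *) log_file=$default_log_file ;;
esac

# The dated log name is predictable and sits in a world-writable directory,
# while the rest of this script writes under /etc and loads SELinux modules,
# so it is run with elevated privileges. Refuse to append through a symlink
# or into a file that a different user created ahead of time: either would
# let that user choose where (or to whom) the privileged output goes.
# /dev/null and /dev/stdout are exempt (they are expected to be special files).
if [[ "$log_file" == "$default_log_file" ]]; then
  if [[ -L "$log_file" || ( -e "$log_file" && ! -O "$log_file" ) ]]; then
    printf 'ERROR: refusing to log to %s: it is a symlink or is owned by another user\n' \
      "$log_file" >&2
    exit 1
  fi
fi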
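# --- Register the MongoDB 4.4 package repository and install the server. ---
# Every expansion of $log_file is quoted so an unusual path cannot be
# word-split or globbed into a different redirection target.
echo "" >> "$log_file"
echo "------- HEAD: start initializing mongodb at $(date +'%F %T')" >> "$log_file"
echo "" >> "$log_file"
echo "----- Prepare YUM" >> "$log_file"

# Quoted delimiter ('EOF'): the repo definition is written literally, so
# $releasever reaches dnf unexpanded without a backslash escape.
# gpgcheck=1 keeps package signature verification on. Note that `dnf -y`
# imports the key named by gpgkey without prompting, so trust in the packages
# rests on the HTTPS fetch of that URL; compare the imported key's fingerprint
# against the vendor's published value if that matters for this host.
if ! cat > /etc/yum.repos.d/mongodb-org-4.4.repo << 'EOF'
[mongodb-org-4.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc
EOF
then
  echo "ERROR: cannot write /etc/yum.repos.d/mongodb-org-4.4.repo" >&2
  exit 1
fi
echo "custom mongodb-yum-repo locate: /etc/yum.repos.d/mongodb-org-4.4.repo" >> "$log_file"

echo "" >> "$log_file"
echo "----- Install MongoDB" >> "$log_file"
# Capture stderr as well, so a failed transaction (including a signature
# failure) is recorded in the log, and stop instead of configuring a host
# that has no mongod installed.
if ! dnf install -y mongodb-org >> "$log_file" 2>&1; then
  echo "ERROR: 'dnf install mongodb-org' failed; see ${log_file}" >&2
  exit 1
fi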
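# --- SELinux: build and load three small policy modules for mongod_t. ---
# They grant mongod_t: search/read on cgroup_t, open/read on proc_net_t files,
# and search on sysctl_net_t directories (see the allow rules below).

# Report a failed SELinux step on stderr and stop the script.
# Arguments: $1 - short description of the step that failed
selinux_setup_failed() {
  printf 'ERROR: SELinux setup failed at: %s (see %s)\n' "$1" "$log_file" >&2
  exit 1
}

# Compile the type-enforcement source read from stdin and load it.
# Globals:   selinux_work_dir (read), log_file (read)
# Arguments: $1 - module name, used for the .te/.mod/.pp file names
# Returns:   0 when the module was loaded, 1 as soon as any step fails, so a
#            stale or foreign .pp is never handed to `semodule -i`.
load_mongod_policy_module() {
  local module_name=$1
  local te_file="${selinux_work_dir}/${module_name}.te"
  local mod_file="${selinux_work_dir}/${module_name}.mod"
  local pp_file="${selinux_work_dir}/${module_name}.pp"

  cat > "$te_file" || return 1
  echo "- custom policy file locate ${te_file}" >> "$log_file"
  checkmodule -M -m -o "$mod_file" "$te_file" >> "$log_file" 2>&1 || return 1
  semodule_package -o "$pp_file" -m "$mod_file" >> "$log_file" 2>&1 || return 1
  semodule -i "$pp_file" >> "$log_file" 2>&1 || return 1
}

echo "" >> "$log_file"
echo "----- Setup SELinux" >> "$log_file"
echo "" >> "$log_file"
echo "--- Install checkpolicy" >> "$log_file"
dnf install -y checkpolicy >> "$log_file" 2>&1 \
  || selinux_setup_failed "dnf install checkpolicy"

# Policy sources and compiled modules are built in a private directory.
# mktemp -d creates it with an unpredictable name and owner-only access, so
# another local user can neither pre-create the files nor swap them between
# the compile step and `semodule -i`, which fixed names directly under /tmp
# would allow. The directory is left in place so the .te sources named in the
# log can still be inspected afterwards.
selinux_work_dir=$(mktemp -d "${TMPDIR:-/tmp}/setup_mongodb_selinux.XXXXXXXXXX") \
  || selinux_setup_failed "mktemp -d"

echo "" >> "$log_file"
echo "--- Enable cgroup memory access" >> "$log_file"
load_mongod_policy_module mongodb_cgroup_memory << 'EOF' || selinux_setup_failed "mongodb_cgroup_memory"
module mongodb_cgroup_memory 1.0;
require {
type cgroup_t;
type mongod_t;
class dir search;
class file { getattr open read };
}
allow mongod_t cgroup_t:dir search;
allow mongod_t cgroup_t:file { getattr open read };
EOF

echo "" >> "$log_file"
echo "--- Enable read netstat" >> "$log_file"
load_mongod_policy_module mongodb_proc_net << 'EOF' || selinux_setup_failed "mongodb_proc_net"
module mongodb_proc_net 1.0;
require {
type proc_net_t;
type mongod_t;
class file { open read };
}
allow mongod_t proc_net_t:file { open read };
EOF

echo "" >> "$log_file"
echo "--- Enable search net directory" >> "$log_file"
load_mongod_policy_module mongodb_sysctl_net << 'EOF' || selinux_setup_failed "mongodb_sysctl_net"
module mongodb_sysctl_net 1.0;
require {
type sysctl_net_t;
type mongod_t;
class dir search;
}
allow mongod_t sysctl_net_t:dir search;
EOF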
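# --- Disable Transparent Huge Pages via a oneshot unit ordered before mongod. ---

# Report a failed THP step on stderr and stop the script, so the log does not
# end with a "finish" marker for a host where the unit never took effect.
# Arguments: $1 - short description of the step that failed
thp_setup_failed() {
  printf 'ERROR: THP setup failed at: %s (see %s)\n' "$1" "$log_file" >&2
  exit 1
}

echo "" >> "$log_file"
echo "----- Disable Transparent Huge Pages (THP) " >> "$log_file"
echo "" >> "$log_file"
echo "--- Custom service " >> "$log_file"

# Quoted delimiter ('EOF'): the unit file is written literally, so nothing in
# ExecStart can be expanded by this shell before it reaches systemd.
cat > /etc/systemd/system/disable-transparent-huge-pages.service << 'EOF' || thp_setup_failed "write unit file"
[Unit]
Description=Disable Transparent Huge Pages (THP)
DefaultDependencies=no
After=sysinit.target local-fs.target
Before=mongod.service
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null'
[Install]
WantedBy=basic.target
EOF
echo "- custom service locate: /etc/systemd/system/disable-transparent-huge-pages.service" >> "$log_file"

echo "" >> "$log_file"
echo "--- Enable service" >> "$log_file"
# stderr is logged too; systemctl reports its errors there.
systemctl daemon-reload >> "$log_file" 2>&1 \
  || thp_setup_failed "systemctl daemon-reload"
systemctl enable disable-transparent-huge-pages >> "$log_file" 2>&1 \
  || thp_setup_failed "systemctl enable disable-transparent-huge-pages"
systemctl start disable-transparent-huge-pages >> "$log_file" 2>&1 \
  || thp_setup_failed "systemctl start disable-transparent-huge-pages"

echo "" >> "$log_file"
echo "------- TAIL: finish initializing mongodb at $(date +'%F %T')" >> "$log_file"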