Configuration File Options


The following page describes the configuration options available in MongoDB 5.0. For configuration file options for other versions of MongoDB, see the appropriate version of the MongoDB Manual.

Configuration File

You can configure mongod and mongos instances at startup using a configuration file. The configuration file contains settings that are equivalent to the mongod and mongos command-line options. See Configuration File Settings and Command-Line Options Mapping.

Using a configuration file makes managing mongod and mongos options easier, especially for large-scale deployments. You can also add comments to the configuration file to explain the server's settings.

  • If you installed MongoDB with a package manager such as yum or apt on Linux or brew on macOS, or with the MSI installer on Windows, a default configuration file has been provided as part of your installation:

    | Platform | Method | Configuration File |
    |----------|--------|--------------------|
    | Linux | apt, yum, or zypper Package Manager | /etc/mongod.conf |
    | macOS | brew Package Manager | /usr/local/etc/mongod.conf (on Intel processors), or /opt/homebrew/etc/mongod.conf (on Apple M1 processors) |
    | Windows | MSI Installer | <install directory>\bin\mongod.cfg |

  • If you installed MongoDB via a downloaded TGZ or ZIP file, you will need to create your own configuration file. The basic example configuration is a good place to start.

File Format

MongoDB configuration files use the YAML format [1].

The following sample configuration file contains several mongod settings that you may adapt to your local configuration:

Note

YAML does not support tab characters for indentation: use spaces instead.

systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   journal:
      enabled: true
processManagement:
   fork: true
net:
   bindIp: 127.0.0.1
   port: 27017
setParameter:
   enableLocalhostAuthBypass: false
...

The Linux package init scripts included in the official MongoDB packages depend on specific values for systemLog.path, storage.dbPath, and processManagement.fork. If you modify these settings in the default configuration file, mongod may not start.

[1] YAML is a superset of JSON.

Externally Sourced Values

New in version 4.2.

MongoDB supports using expansion directives in configuration files to load externally sourced values. Expansion directives can load values for specific configuration file options or load the entire configuration file.

The following expansion directives are available:

| Expansion Directive | Description |
|---------------------|-------------|
| __rest | Allows users to specify a REST endpoint as the external source for configuration file options or the full configuration file. If the configuration file includes the __rest expansion, on Linux/macOS, the read access to the configuration file must be limited to the user running the mongod/mongos process only. |
| __exec | Allows users to specify a shell or terminal command as the external source for configuration file options or the full configuration file. If the configuration file includes the __exec expansion, on Linux/macOS, the write access to the configuration file must be limited to the user running the mongod/mongos process only. |

For complete documentation, see Externally Sourced Configuration File Values.

Use the Configuration File

To configure mongod or mongos using a config file, specify the config file with the --config option or the -f option, as in the following examples:

For example, the following uses mongod --config <configuration file> and mongos --config <configuration file>:

mongod --config /etc/mongod.conf
mongos --config /etc/mongos.conf

You can also use the -f alias to specify the configuration file, as in the following:

mongod -f /etc/mongod.conf
mongos -f /etc/mongos.conf

If you installed from a package and have started MongoDB using your system's init script, you are already using a configuration file.

Expansion Directives and --configExpand

If you are using expansion directives in the configuration file, you must include the --configExpand option when starting the mongod or mongos. For example:

mongod --config /etc/mongod.conf  --configExpand "rest,exec"
mongos --config /etc/mongos.conf  --configExpand "rest,exec"

If the configuration file includes an expansion directive and you start the mongod/mongos without specifying that directive in the --configExpand option, the mongod/mongos fails to start.

For complete documentation, see Externally Sourced Configuration File Values.
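
The permission rules for __rest and __exec and the matching --configExpand value can be checked before startup. The following is an added example, not MongoDB's own code: it reads "limited to the user running the process" as a matching owner uid plus no group/other mode bits (an assumption; ACLs are not inspected), and the sample config, its helper path and all function names are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# A YAML mapping key named __rest or __exec (the two directives the page lists).
DIRECTIVE_RE = re.compile(r"^\s*__(rest|exec)\s*:")

# Constructed sample config; the helper path and URL are placeholders.
SAMPLE = """\
net:
   bindIp: 127.0.0.1
   port: 27017
   tls:
      certificateKeyFilePassword:
         __exec: "/usr/local/bin/placeholder-secret-helper"
         type: "string"
# __rest: "https://example.invalid/commented-out"
"""


def find_directives(text):
    """Return (set of directives used, line numbers indented with a tab)."""
    found, tab_lines = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        indent = line[: len(line) - len(line.lstrip())]
        if "\t" in indent:
            tab_lines.append(lineno)      # YAML indentation must use spaces
        if line.lstrip().startswith("#"):
            continue                      # whole-line comment, not a directive
        match = DIRECTIVE_RE.match(line)
        if match:
            found.add(match.group(1))
    return found, tab_lines


def audit_config(path, run_as_uid):
    """Check one config file against the rules on this page."""
    with open(path, encoding="utf-8") as fh:
        directives, tab_lines = find_directives(fh.read())
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = [f"line {n}: tab used for indentation" for n in tab_lines]
    # Assumption of this example: "limited to the user running mongod/mongos"
    # means that user owns the file and group/other lack the relevant bit.
    if directives and st.st_uid != run_as_uid:
        problems.append(f"owner uid {st.st_uid} is not the service uid {run_as_uid}")
    if "rest" in directives and mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"__rest present but mode {mode:03o} lets group/other read")
    if "exec" in directives and mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"__exec present but mode {mode:03o} lets group/other write")
    # Every directive in the file must be named in --configExpand or startup fails.
    expand = ",".join(d for d in ("rest", "exec") if d in directives)
    return {"directives": sorted(directives), "problems": problems,
            "config_expand": expand}


def make_sample(text, mode):
    """Write text to a temporary .conf file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o664, 0o600):
        path = make_sample(SAMPLE, mode)
        try:
            report = audit_config(path, os.getuid())
        finally:
            os.remove(path)
        print(f"mode {mode:03o}:", report["problems"] or "ok")
        print(f'  mongod --config <file> --configExpand "{report["config_expand"]}"')
```

In practice, pass the uid of the account that runs mongod or mongos rather than the caller's own uid.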

Core Options

systemLog Options

systemLog:
   verbosity: <int>
   quiet: <boolean>
   traceAllExceptions: <boolean>
   syslogFacility: <string>
   path: <string>
   logAppend: <boolean>
   logRotate: <string>
   destination: <string>
   timeStampFormat: <string>
   component:
      accessControl:
         verbosity: <int>
      command:
         verbosity: <int>
      # COMMENT additional component verbosity settings omitted for brevity

systemLog.verbosity

Type: integer

Default: 0

The default log message verbosity level for components. The verbosity level determines the amount of Informational and Debug messages MongoDB outputs. [2]

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

To use a different verbosity level for a named component, use the component's verbosity setting. For example, use the systemLog.component.accessControl.verbosity to set the verbosity level specifically for ACCESS components.

See the systemLog.component.<name>.verbosity settings for specific component verbosity settings.

For various ways to set the log verbosity level, see Configure Log Verbosity Levels.

[2] Starting in version 4.2, MongoDB includes the Debug verbosity level (1-5) in the log messages. For example, if the verbosity level is 2, MongoDB logs D2. In previous versions, MongoDB log messages only specified D for Debug level.

systemLog.quiet

Type: boolean

Default: false

Run mongos or mongod in a quiet mode that attempts to limit the amount of output.

systemLog.quiet is not recommended for production systems as it may make tracking problems during particular connections much more difficult.

systemLog.traceAllExceptions

Type: boolean

Default: false

Print verbose information for debugging. Use for additional logging for support-related troubleshooting.

systemLog.syslogFacility

Type: string

Default: user

The facility level used when logging messages to syslog. The value you specify must be supported by your operating system's implementation of syslog. To use this option, you must set systemLog.destination to syslog.

systemLog.path

Type: string

The path of the log file to which mongod or mongos should send all diagnostic logging information, rather than the standard output or the host's syslog. MongoDB creates the log file at the specified path.

The Linux package init scripts do not expect systemLog.path to change from the defaults. If you use the Linux packages and change systemLog.path, you will have to use your own init scripts and disable the built-in scripts.

systemLog.logAppend

Type: boolean

Default: false

When true, mongos or mongod appends new entries to the end of the existing log file when the mongos or mongod instance restarts. Without this option, mongod will back up the existing log and create a new file.

systemLog.logRotate

Type: string

Default: rename

Determines the behavior for the logRotate command when rotating the server log and/or the audit log. Specify either rename or reopen:

  • rename renames the log file.
  • reopen closes and reopens the log file following the typical Linux/Unix log rotate behavior. Use reopen when using the Linux/Unix logrotate utility to avoid log loss.

    If you specify reopen, you must also set systemLog.logAppend to true.

systemLog.destination

Type: string

The destination to which MongoDB sends all log output. Specify either file or syslog. If you specify file, you must also specify systemLog.path.

If you do not specify systemLog.destination, MongoDB sends all log output to standard output.

Warning

The syslog daemon generates timestamps when it logs a message, not when MongoDB issues the message. This can lead to misleading timestamps for log entries, especially when the system is under heavy load. We recommend using the file option for production systems to ensure accurate timestamps.

systemLog.timeStampFormat

Type: string

Default: iso8601-local

The time format for timestamps in log messages. Specify one of the following values:

| Value | Description |
|-------|-------------|
| iso8601-utc | Displays timestamps in Coordinated Universal Time (UTC) in the ISO-8601 format. For example, for New York at the start of the Epoch: 1970-01-01T00:00:00.000Z |
| iso8601-local | Displays timestamps in local time in the ISO-8601 format. For example, for New York at the start of the Epoch: 1969-12-31T19:00:00.000-05:00 |

Note

Starting in MongoDB 4.4, systemLog.timeStampFormat no longer supports ctime. An example of ctime formatted date is: Wed Dec 31 18:17:54.811.

systemLog.component Options

systemLog:
   component:
      accessControl:
         verbosity: <int>
      command:
         verbosity: <int>
      # COMMENT some component verbosity settings omitted for brevity
      replication:
         verbosity: <int>
         election:
            verbosity: <int>
         heartbeats:
            verbosity: <int>
         initialSync:
            verbosity: <int>
         rollback:
            verbosity: <int>
      storage:
         verbosity: <int>
         journal:
            verbosity: <int>
         recovery:
            verbosity: <int>
      write:
         verbosity: <int>

Note

Starting in version 4.2, MongoDB includes the Debug verbosity level (1-5) in the log messages. For example, if the verbosity level is 2, MongoDB logs D2. In previous versions, MongoDB log messages only specified D for Debug level.

systemLog.component.accessControl.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to access control. See ACCESS components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.command.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to commands. See COMMAND components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.control.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to control operations. See CONTROL components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.ftdc.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to diagnostic data collection operations. See FTDC components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.geo.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to geospatial parsing operations. See GEO components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.index.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to indexing operations. See INDEX components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.network.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to networking operations. See NETWORK components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.query.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to query operations. See QUERY components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.replication.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to replication. See REPL components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.replication.election.verbosity

Type: integer

Default: 0

New in version 4.2.

The log message verbosity level for components related to election. See ELECTION components.

If systemLog.component.replication.election.verbosity is unset, the systemLog.component.replication.verbosity level also applies to election components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.replication.heartbeats.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to heartbeats. See REPL_HB components.

If systemLog.component.replication.heartbeats.verbosity is unset, the systemLog.component.replication.verbosity level also applies to heartbeats components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.replication.initialSync.verbosity

Type: integer

Default: 0

New in version 4.2.

The log message verbosity level for components related to initialSync. See INITSYNC components.

If systemLog.component.replication.initialSync.verbosity is unset, the systemLog.component.replication.verbosity level also applies to initialSync components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.replication.rollback.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to rollback. See ROLLBACK components.

If systemLog.component.replication.rollback.verbosity is unset, the systemLog.component.replication.verbosity level also applies to rollback components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.sharding.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to sharding. See SHARDING components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to storage. See STORAGE components.

If systemLog.component.storage.journal.verbosity is unset, the systemLog.component.storage.verbosity level also applies to journaling components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.journal.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to journaling. See JOURNAL components.

If systemLog.component.storage.journal.verbosity is unset, the journaling components have the same verbosity level as the parent storage components: i.e. either the systemLog.component.storage.verbosity level if set or the default verbosity level.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.recovery.verbosity

Type: integer

Default: 0

New in version 4.0.

The log message verbosity level for components related to recovery. See RECOVERY components.

If systemLog.component.storage.recovery.verbosity is unset, the systemLog.component.storage.verbosity level also applies to recovery components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.
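
The inheritance described above for the replication and storage sub-components (an unset child takes its parent's level, and an unset parent falls back to systemLog.verbosity) can be resolved mechanically. The following is an added example, not MongoDB's own code; the SYSTEM_LOG dictionary is constructed input standing in for a parsed systemLog section, the function names are hypothetical, and the WiredTiger (wt) components are left out.

```python
# Constructed input: the systemLog section of a config file after YAML parsing.
SYSTEM_LOG = {
    "verbosity": 1,
    "component": {
        "accessControl": {"verbosity": 2},
        "replication": {
            "verbosity": 3,
            "election": {"verbosity": 0},   # explicit 0 overrides the parent
            "heartbeats": {},               # unset: inherits replication
        },
        "storage": {"journal": {}},         # storage itself is unset as well
    },
}


def effective_verbosity(system_log, component):
    """Return (level, setting that supplied it) for a dotted component name."""
    chain = []                               # (dotted name, subtree), root to leaf
    node = system_log.get("component", {})
    parts = component.split(".")
    for depth, part in enumerate(parts, 1):
        node = node.get(part) or {}          # a missing subtree counts as unset
        chain.append((".".join(parts[:depth]), node))
    # Walk from the component itself up through its parents.
    for name, subtree in reversed(chain):
        level = subtree.get("verbosity")
        if level is not None:
            source = f"systemLog.component.{name}.verbosity"
            break
    else:
        # Nothing set on the path: the default level for components applies.
        level = system_log.get("verbosity", 0)
        source = "systemLog.verbosity"
    if not isinstance(level, int) or not 0 <= level <= 5:
        raise ValueError(f"{source}: {level!r} is outside the 0 to 5 range")
    return level, source


def debug_enabled(system_log, components):
    """Components whose effective level (1 to 5) adds Debug messages to the log."""
    resolved = {c: effective_verbosity(system_log, c) for c in components}
    return {c: v for c, v in resolved.items() if v[0] >= 1}


if __name__ == "__main__":
    names = ["accessControl", "query", "replication.election",
             "replication.heartbeats", "storage.journal"]
    for name in names:
        level, source = effective_verbosity(SYSTEM_LOG, name)
        print(f"{name:24} level {level}  (from {source})")
    print("emitting Debug messages:", sorted(debug_enabled(SYSTEM_LOG, names)))
```

Raising a parent level, or systemLog.verbosity itself, also raises every child that has no setting of its own, so the returned source name shows which line of the config to change.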

systemLog.component.storage.wt.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity level for components related to the WiredTiger storage engine. See WT components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtBackup.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity level for components related to backup operations performed by the WiredTiger storage engine. See WTBACKUP components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtCheckpoint.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to checkpoint operations performed by the WiredTiger storage engine. See WTCHKPT components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtCompact.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to compaction operations performed by the WiredTiger storage engine. See WTCMPCT components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtEviction.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to eviction operations performed by the WiredTiger storage engine. See WTEVICT components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtHS.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to history store operations performed by the WiredTiger storage engine. See WTHS components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtRecovery.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to recovery operations performed by the WiredTiger storage engine. See WTRECOV components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtRTS.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to rollback to stable (RTS) operations performed by the WiredTiger storage engine. See WTRTS components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtSalvage.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to salvage operations performed by the WiredTiger storage engine. See WTSLVG components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtTiered.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to tiered storage operations performed by the WiredTiger storage engine. See WTTIER components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtTimestamp.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to timestamps used by the WiredTiger storage engine. See WTTS components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtTransaction.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to transaction operations performed by the WiredTiger storage engine. See WTTXN components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtVerify.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to verification operations performed by the WiredTiger storage engine. See WTVRFY components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.storage.wt.wtWriteLog.verbosity

Type: integer

Default: -1

New in version 5.3.

The log message verbosity for components related to log write operations performed by the WiredTiger storage engine. See WTWRTLOG components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.transaction.verbosity

Type: integer

Default: 0

New in version 4.0.2.

The log message verbosity level for components related to transaction. See TXN components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

systemLog.component.write.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to write operations. See WRITE components.

The verbosity level can range from 0 to 5:

  • 0 is MongoDB's default log verbosity level, which includes Informational messages.
  • 1 to 5 increases the verbosity level to include Debug messages.

processManagement Options

processManagement:
   fork: <boolean>
   pidFilePath: <string>
   timeZoneInfo: <string>

processManagement.fork

Type: boolean

Default: false

Enable a daemon mode that runs the mongos or mongod process in the background. By default mongos or mongod does not run as a daemon: typically you will run mongos or mongod as a daemon, either by using processManagement.fork or by using a controlling process that handles the daemonization process (e.g. as with upstart and systemd).

The processManagement.fork option is not supported on Windows.

The Linux package init scripts do not expect processManagement.fork to change from the defaults. If you use the Linux packages and change processManagement.fork, you will have to use your own init scripts and disable the built-in scripts.

processManagement.pidFilePath

Type: string

Specifies a file location to store the process ID (PID) of the mongos or mongod process. The user running the mongod or mongos process must be able to write to this path. If the processManagement.pidFilePath option is not specified, the process does not create a PID file. This option is generally only useful in combination with the processManagement.fork setting.

Note
Linux

On Linux, PID file management is generally the responsibility of your distro's init system: usually a service file in the /etc/init.d directory, or a systemd unit file registered with systemctl. Only use the processManagement.pidFilePath option if you are not using one of these init systems. For more information, please see the respective Installation Guide for your operating system.

Note
macOS

On macOS, PID file management is generally handled by brew. Only use the processManagement.pidFilePath option if you are not using brew on your macOS system. For more information, please see the respective Installation Guide for your operating system.

processManagement.timeZoneInfo

Type: string

The full path from which to load the time zone database. If this option is not provided, then MongoDB will use its built-in time zone database.

The configuration file included with Linux and macOS packages sets the time zone database path to /usr/share/zoneinfo by default.

The built-in time zone database is a copy of the Olson/IANA time zone database. It is updated along with MongoDB releases, but the time zone database release cycle differs from the MongoDB release cycle. The most recent release of the time zone database is available on our download site.

Warning警告

MongoDB uses the third party timelib library to provide accurate conversions between timezones. MongoDB使用第三方timelib库提供时区之间的精确转换。Due to a recent update, timelib could create inaccurate time zone conversions in older versions of MongoDB.由于最近的一次更新,timelib可能会在旧版本的MongoDB中创建不准确的时区转换。

To explicitly link to the time zone database in versions of MongoDB prior to 5.0, 4.4.7, 4.2.14, and 4.0.25, download the time zone database. and use the timeZoneInfo parameter.要在MongoDB 5.0、4.4.7、4.2.14和4.0.25之前的版本中显式链接到时区数据库,请下载时区数据库,并使用timeZoneInfo参数。

cloud Options

New in version 4.0.

cloud:
   monitoring:
      free:
         state: <string>
         tags: <string>

cloud.monitoring.free.state

Type: string

New in version 4.0. Available for MongoDB Community Edition.

Enables or disables free MongoDB Cloud monitoring. cloud.monitoring.free.state accepts the following values:

runtime

Default. You can enable or disable free monitoring during runtime.

To enable or disable free monitoring during runtime, see db.enableFreeMonitoring() and db.disableFreeMonitoring().

To enable or disable free monitoring during runtime when running with access control, users must have the required privileges. See db.enableFreeMonitoring() and db.disableFreeMonitoring() for details.

on

Enables free monitoring at startup; i.e. registers for free monitoring. When enabled at startup, you cannot disable free monitoring during runtime.

off

Disables free monitoring at startup, regardless of whether you have previously registered for free monitoring. When disabled at startup, you cannot enable free monitoring during runtime.

Once enabled, the free monitoring state remains enabled until explicitly disabled. That is, you do not need to re-enable each time you start the server.

For the corresponding command-line option, see --enableFreeMonitoring.

cloud.monitoring.free.tags

Type: string

New in version 4.0. Available for MongoDB Community Edition.

Optional tag to describe environment context. The tag can be sent as part of the free MongoDB Cloud monitoring registration at start up.

For the corresponding command-line option, see --freeMonitoringTag.

net Options

Changed in version 4.2.

MongoDB 4.2 deprecates ssl options in favor of tls options with identical functionality.

Changed in version 5.0.

MongoDB removes the net.serviceExecutor configuration option and the corresponding --serviceExecutor command-line option.

net:
   port: <int>
   bindIp: <string>
   bindIpAll: <boolean>
   maxIncomingConnections: <int>
   wireObjectCheck: <boolean>
   ipv6: <boolean>
   unixDomainSocket:
      enabled: <boolean>
      pathPrefix: <string>
      filePermissions: <int>
   tls:
      certificateSelector: <string>
      clusterCertificateSelector: <string>
      mode: <string>
      certificateKeyFile: <string>
      certificateKeyFilePassword: <string>
      clusterFile: <string>
      clusterPassword: <string>
      CAFile: <string>
      clusterCAFile: <string>
      CRLFile: <string>
      allowConnectionsWithoutCertificates: <boolean>
      allowInvalidCertificates: <boolean>
      allowInvalidHostnames: <boolean>
      disabledProtocols: <string>
      FIPSMode: <boolean>
      logVersions: <string>
   compression:
      compressors: <string>

net.port

Type: integer

Default:

The TCP port on which the MongoDB instance listens for client connections.

net.bindIp

Type: string

Default: localhost

The hostnames and/or IP addresses and/or full Unix domain socket paths on which mongos or mongod should listen for client connections. You may attach mongos or mongod to any interface. To bind to multiple addresses, enter a list of comma-separated values.

Example

localhost,/tmp/mongod.sock

You can specify both IPv4 and IPv6 addresses, or hostnames that resolve to an IPv4 or IPv6 address.

Example

localhost, 2001:0DB8:e132:ba26:0d5c:2774:e7f9:d513

Note

If specifying an IPv6 address or a hostname that resolves to an IPv6 address to net.bindIp, you must start mongos or mongod with net.ipv6 : true to enable IPv6 support. Specifying an IPv6 address to net.bindIp does not enable IPv6 support.

If specifying a link-local IPv6 address (fe80::/10), you must append the zone index to that address (i.e. fe80::<address>%<adapter-name>).

Example

localhost,fe80::a00:27ff:fee0:1fcf%enp0s3

Important

To avoid configuration updates due to IP address changes, use DNS hostnames instead of IP addresses. It is particularly important to use a DNS hostname instead of an IP address when configuring replica set members or sharded cluster members.

Use hostnames instead of IP addresses to configure clusters across a split network horizon. Starting in MongoDB 5.0, nodes that are only configured with an IP address will fail startup validation and will not start.

Warning

Before binding to a non-localhost (e.g. publicly accessible) IP address, ensure you have secured your cluster from unauthorized access. For a complete list of security recommendations, see Security Checklist. At minimum, consider enabling authentication and hardening network infrastructure.

For more information about IP Binding, refer to the IP Binding documentation.

To bind to all IPv4 addresses, enter 0.0.0.0.

To bind to all IPv4 and IPv6 addresses, enter ::,0.0.0.0 or, starting in MongoDB 4.2, an asterisk "*" (enclose the asterisk in quotes to distinguish from YAML alias nodes). Alternatively, use the net.bindIpAll setting.

Note
  • net.bindIp and net.bindIpAll are mutually exclusive. That is, you can specify one or the other, but not both.
  • The command-line option --bind_ip overrides the configuration file setting net.bindIp.

To configure cluster nodes for split horizon DNS, use host names instead of IP addresses.

Starting in MongoDB v5.0, replSetInitiate and replSetReconfig reject configurations that use IP addresses instead of hostnames.

Use disableSplitHorizonIPCheck to modify nodes that cannot be updated to use host names. The parameter only applies to the configuration commands.

mongod and mongos do not rely on disableSplitHorizonIPCheck for validation at startup. Legacy mongod and mongos instances that use IP addresses instead of host names will start after an upgrade.

Instances that are configured with IP addresses log a warning to use host names instead of IP addresses.

net.bindIpAll

Type: boolean

Default: false

If true, the mongos or mongod instance binds to all IPv4 addresses (i.e. 0.0.0.0). If mongos or mongod starts with net.ipv6 : true, net.bindIpAll also binds to all IPv6 addresses (i.e. ::).

mongos or mongod only supports IPv6 if started with net.ipv6 : true. Specifying net.bindIpAll alone does not enable IPv6 support.

Warning

Before binding to a non-localhost (e.g. publicly accessible) IP address, ensure you have secured your cluster from unauthorized access. For a complete list of security recommendations, see Security Checklist. At minimum, consider enabling authentication and hardening network infrastructure.

For more information about IP Binding, refer to the IP Binding documentation.

Alternatively, set net.bindIp to ::,0.0.0.0 or, starting in MongoDB 4.2, to an asterisk "*" (enclose the asterisk in quotes to distinguish from YAML alias nodes) to bind to all IP addresses.

Note

net.bindIp and net.bindIpAll are mutually exclusive. Specifying both options causes mongos or mongod to throw an error and terminate.

net.maxIncomingConnections

Type: integer

Default: 65536

The maximum number of simultaneous connections that mongos or mongod will accept. This setting has no effect if it is higher than your operating system's configured maximum connection tracking threshold.

Do not assign too low a value to this option, or you will encounter errors during normal application operation.

This is particularly useful for a mongos if you have a client that creates multiple connections and allows them to timeout rather than closing them.

In this case, set maxIncomingConnections to a value slightly higher than the maximum number of connections that the client creates, or the maximum size of the connection pool.

This setting prevents the mongos from causing connection spikes on the individual shards. Spikes like these may disrupt the operation and memory allocation of the sharded cluster.

net.wireObjectCheck

Type: boolean

Default: true

When true, the mongod or mongos instance validates all requests from clients upon receipt to prevent clients from inserting malformed or invalid BSON into a MongoDB database.

For objects with a high degree of sub-document nesting, net.wireObjectCheck can have a small impact on performance.

net.ipv6

Type: boolean

Default: false

Set net.ipv6 to true to enable IPv6 support. mongos/mongod disables IPv6 support by default.

Setting net.ipv6 does not direct the mongos/mongod to listen on any local IPv6 addresses or interfaces. To configure the mongos/mongod to listen on an IPv6 interface, you must either:

  • Configure net.bindIp with one or more IPv6 addresses or hostnames that resolve to IPv6 addresses, or
  • Set net.bindIpAll to true.
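The binding rules described for net.bindIp, net.bindIpAll and net.ipv6 can be checked before a configuration is deployed. The following is an added example, not code from MongoDB or its documentation: the function names and finding codes are hypothetical, the configuration is assumed to be the nested dict a YAML loader returns for mongod.conf, and security.authorization is the mongod setting documented elsewhere in the configuration reference rather than in this section.

```python
import ipaddress


def classify(entry):
    """Classify one comma-separated net.bindIp entry.

    Returns (kind, address, zone); kind is "unix", "wildcard", "ip" or "hostname".
    """
    if entry.startswith("/"):
        return "unix", None, ""             # full Unix domain socket path
    if entry == "*":
        return "wildcard", None, ""         # all IPv4 and IPv6 addresses (4.2+)
    addr, _, zone = entry.partition("%")    # split off an IPv6 zone index
    try:
        return "ip", ipaddress.ip_address(addr), zone
    except ValueError:
        return "hostname", None, ""


def audit_bind(config):
    """Return a list of (code, message) findings for the net binding settings."""
    net = config.get("net", {})
    # Simplification: only security.authorization is consulted for "auth enabled".
    auth_on = config.get("security", {}).get("authorization") == "enabled"
    ipv6_on = net.get("ipv6") is True
    findings = []

    if "bindIp" in net and "bindIpAll" in net:
        findings.append(("mutually-exclusive",
                         "net.bindIp and net.bindIpAll are both specified"))

    exposed = []                            # listeners reachable beyond loopback
    if net.get("bindIpAll") is True:
        exposed.append("bindIpAll")

    raw = str(net.get("bindIp", ""))
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue
        kind, ip, zone = classify(entry)
        if kind == "unix":
            continue
        if kind == "wildcard":
            exposed.append(entry)
        elif kind == "hostname":
            # Names are not resolved here; anything but localhost counts as exposed.
            if entry.lower() != "localhost":
                exposed.append(entry)
        else:
            if ip.version == 6 and not ipv6_on:
                findings.append(("ipv6-disabled",
                                 f"{entry} is IPv6 but net.ipv6 is not true"))
            if ip.version == 6 and ip.is_link_local and not zone:
                findings.append(("missing-zone-index",
                                 f"link-local {entry} needs %<adapter-name>"))
            if not ip.is_loopback:
                exposed.append(entry)

    if exposed and not auth_on:
        findings.append(("exposed-without-auth",
                         f"non-localhost listeners {exposed} without "
                         "security.authorization: enabled"))
    return findings


# Constructed sample configurations built from the bindIp examples on this page.
LOCAL_ONLY = {"net": {"bindIp": "localhost,/tmp/mongod.sock"}}
IPV6_NO_FLAG = {"net": {"bindIp": "localhost, 2001:0DB8:e132:ba26:0d5c:2774:e7f9:d513"}}
CONFLICT = {"net": {"bindIp": "localhost,fe80::a00:27ff:fee0:1fcf",
                    "bindIpAll": True, "ipv6": True},
            "security": {"authorization": "enabled"}}

if __name__ == "__main__":
    for name, cfg in (("LOCAL_ONLY", LOCAL_ONLY), ("IPV6_NO_FLAG", IPV6_NO_FLAG),
                      ("CONFLICT", CONFLICT)):
        print(name, audit_bind(cfg))
```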

net.unixDomainSocket Options

net:
   unixDomainSocket:
      enabled: <boolean>
      pathPrefix: <string>
      filePermissions: <int>

net.unixDomainSocket.enabled

Type: boolean

Default: true

Enable or disable listening on the UNIX domain socket. net.unixDomainSocket.enabled applies only to Unix-based systems.

When net.unixDomainSocket.enabled is true, mongos or mongod listens on the UNIX socket.

The mongos or mongod process always listens on the UNIX socket unless one of the following is true:

  • net.unixDomainSocket.enabled is false
  • --nounixsocket is set. The command line option takes precedence over the configuration file setting.
  • net.bindIp is not set
  • net.bindIp does not specify localhost or its associated IP address

mongos or mongod installed from official .deb and .rpm packages have the bind_ip configuration set to 127.0.0.1 by default.

net.unixDomainSocket.pathPrefix

Type: string

Default: /tmp

The path for the UNIX socket. net.unixDomainSocket.pathPrefix applies only to Unix-based systems.

If this option has no value, the mongos or mongod process creates a socket with /tmp as a prefix. MongoDB creates and listens on a UNIX socket unless one of the following is true:

net.unixDomainSocket.filePermissions

Type: int

Default: 0700

Sets the permission for the UNIX domain socket file.

net.unixDomainSocket.filePermissions applies only to Unix-based systems.

net.http Options

Changed in version 3.6.

MongoDB 3.6 removes the deprecated net.http options. The options have been deprecated since version 3.2.

net.tls Options

New in version 4.2. The tls options provide the same functionality as the previous ssl options.

net:
   tls:
      mode: <string>
      certificateKeyFile: <string>
      certificateKeyFilePassword: <string>
      certificateSelector: <string>
      clusterCertificateSelector: <string>
      clusterFile: <string>
      clusterPassword: <string>
      CAFile: <string>
      clusterCAFile: <string>
      CRLFile: <string>
      allowConnectionsWithoutCertificates: <boolean>
      allowInvalidCertificates: <boolean>
      allowInvalidHostnames: <boolean>
      disabledProtocols: <string>
      FIPSMode: <boolean>
      logVersions: <string>

net.tls.mode

Type: string

New in version 4.2.

Enables TLS used for all network connections. The argument to the net.tls.mode setting can be one of the following:

| Value | Description |
| --- | --- |
| disabled | The server does not use TLS. |
| allowTLS | Connections between servers do not use TLS. For incoming connections, the server accepts both TLS and non-TLS. |
| preferTLS | Connections between servers use TLS. For incoming connections, the server accepts both TLS and non-TLS. |
| requireTLS | The server uses and accepts only TLS encrypted connections. |

If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to a TLS-enabled server.

If using x.509 authentication, --tlsCAFile or tls.CAFile must be specified unless using --tlsCertificateSelector.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.tls.certificateKeyFile

Type: string

New in version 4.2. The .pem file that contains both the TLS certificate and key.

Starting with MongoDB 4.0 on macOS or Windows, you can use the net.tls.certificateSelector setting to specify a certificate from the operating system's secure certificate store instead of a PEM key file. certificateKeyFile and net.tls.certificateSelector are mutually exclusive. You can only specify one.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.tls.certificateKeyFilePassword

Type: string

New in version 4.2. The password to decrypt the certificate-key file (i.e. certificateKeyFile). Use the net.tls.certificateKeyFilePassword option only if the certificate-key file is encrypted. In all cases, the mongos or mongod will redact the password from all logging and reporting output.

Starting in MongoDB 4.0:

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.tls.certificateSelector

Type: string

New in version 4.2. Available on Windows and macOS as an alternative to net.tls.certificateKeyFile. In MongoDB 4.0, see net.ssl.certificateSelector.

Specifies a certificate property in order to select a matching certificate from the operating system's certificate store to use for TLS/SSL.

net.tls.certificateKeyFile and net.tls.certificateSelector options are mutually exclusive. You can only specify one.

net.tls.certificateSelector accepts an argument of the format <property>=<value> where the property can be one of the following:

| Property | Value type | Description |
| --- | --- | --- |
| subject | ASCII string | Subject name or common name on certificate |
| thumbprint | hex string | A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest. The thumbprint is sometimes referred to as a fingerprint. |

When using the system SSL certificate store, OCSP (Online Certificate Status Protocol) is used to validate the revocation status of certificates.

The mongod searches the operating system's secure certificate store for the CA certificates required to validate the full certificate chain of the specified TLS certificate. Specifically, the secure certificate store must contain the root CA and any intermediate CA certificates required to build the full certificate chain to the TLS certificate. Do not use net.tls.CAFile or net.tls.clusterFile to specify the root and intermediate CA certificate.

For example, if the TLS certificate was signed with a single root CA certificate, the secure certificate store must contain that root CA certificate. If the TLS certificate was signed with an intermediate CA certificate, the secure certificate store must contain the intermediate CA certificate and the root CA certificate.

Note

You cannot use the rotateCertificates command or the db.rotateCertificates() shell method when using net.tls.certificateSelector or --tlsCertificateSelector set to thumbprint.

net.tls.clusterCertificateSelector

Type: string

New in version 4.2. Available on Windows and macOS as an alternative to net.tls.clusterFile.

Specifies a certificate property to select a matching certificate from the operating system's secure certificate store to use for internal x.509 membership authentication.

net.tls.clusterFile and net.tls.clusterCertificateSelector options are mutually exclusive. You can only specify one.

net.tls.clusterCertificateSelector accepts an argument of the format <property>=<value> where the property can be one of the following:

| Property | Value type | Description |
| --- | --- | --- |
| subject | ASCII string | Subject name or common name on certificate |
| thumbprint | hex string | A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest. The thumbprint is sometimes referred to as a fingerprint. |

The mongod searches the operating system's secure certificate store for the CA certificates required to validate the full certificate chain of the specified cluster certificate. Specifically, the secure certificate store must contain the root CA and any intermediate CA certificates required to build the full certificate chain to the cluster certificate. Do not use net.tls.CAFile or net.tls.clusterCAFile to specify the root and intermediate CA certificate.

For example, if the cluster certificate was signed with a single root CA certificate, the secure certificate store must contain that root CA certificate. If the cluster certificate was signed with an intermediate CA certificate, the secure certificate store must contain the intermediate CA certificate and the root CA certificate.

Changed in version 4.4.

mongod / mongos logs a warning on connection if the presented x.509 certificate expires within 30 days of the mongod/mongos host system time. See x.509 Certificates Nearing Expiry Trigger Warnings for more information.

net.tls.clusterFile

Type: string

New in version 4.2. The .pem file that contains the x.509 certificate-key file for membership authentication for the cluster or replica set.

Starting with MongoDB 4.0 on macOS or Windows, you can use the net.tls.clusterCertificateSelector option to specify a certificate from the operating system's secure certificate store instead of a PEM key file. net.tls.clusterFile and net.tls.clusterCertificateSelector options are mutually exclusive. You can only specify one.

If net.tls.clusterFile does not specify the .pem file for internal cluster authentication or the alternative net.tls.clusterCertificateSelector, the cluster uses the .pem file specified in the certificateKeyFile setting or the certificate returned by the net.tls.certificateSelector.

If using x.509 authentication, --tlsCAFile or tls.CAFile must be specified unless using --tlsCertificateSelector.

Changed in version 4.4.

mongod / mongos logs a warning on connection if the presented x.509 certificate expires within 30 days of the mongod/mongos host system time. See x.509 Certificates Nearing Expiry Trigger Warnings for more information.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

Important

For Windows only, MongoDB 4.0 and later do not support encrypted PEM files. The mongod fails to start if it encounters an encrypted PEM file. To securely store and access a certificate for use with membership authentication on Windows, use net.tls.clusterCertificateSelector.

net.tls.clusterPassword

Type: string

New in version 4.2. The password to decrypt the x.509 certificate-key file specified with --sslClusterFile. Use the net.tls.clusterPassword option only if the certificate-key file is encrypted. In all cases, the mongos or mongod will redact the password from all logging and reporting output.

Starting in MongoDB 4.0:

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.tls.CAFile

Type: string

New in version 4.2. The .pem file that contains the root certificate chain from the Certificate Authority. Specify the file name of the .pem file using relative or absolute paths.

Windows/macOS Only
If using net.tls.certificateSelector and/or net.tls.clusterCertificateSelector, do not use net.tls.CAFile to specify the root and intermediate CA certificates. Store all CA certificates required to validate the full trust chain of the net.tls.certificateSelector and/or net.tls.clusterCertificateSelector certificates in the secure certificate store.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.tls.clusterCAFile

Type: string

New in version 4.2. The .pem file that contains the root certificate chain from the Certificate Authority used to validate the certificate presented by a client establishing a connection. Specify the file name of the .pem file using relative or absolute paths. net.tls.clusterCAFile requires that net.tls.CAFile is set.

If net.tls.clusterCAFile does not specify the .pem file for validating the certificate from a client establishing a connection, the cluster uses the .pem file specified in the net.tls.CAFile option.

net.tls.clusterCAFile lets you use separate Certificate Authorities to verify the client to server and server to client portions of the TLS handshake.

Starting in 4.0, on macOS or Windows, you can use a certificate from the operating system's secure store instead of a PEM key file. See net.tls.clusterCertificateSelector. When using the secure store, you do not need to, but can, also specify the net.tls.clusterCAFile.

Windows/macOS Only
If using net.tls.certificateSelector and/or net.tls.clusterCertificateSelector, do not use net.tls.clusterCAFile to specify the root and intermediate CA certificates. Store all CA certificates required to validate the full trust chain of the net.tls.certificateSelector and/or net.tls.clusterCertificateSelector certificates in the secure certificate store.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.tls.CRLFile

Type: string

New in version 4.2. In MongoDB 4.0 and earlier, see net.ssl.CRLFile.

The .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths.

Note
  • Starting in MongoDB 4.0, you cannot specify net.tls.CRLFile on macOS. Instead, you can use the system SSL certificate store, which uses OCSP (Online Certificate Status Protocol) to validate the revocation status of certificates. See net.ssl.certificateSelector in MongoDB 4.0 and net.tls.certificateSelector in MongoDB 4.2+ to use the system SSL certificate store.
  • Starting in version 4.4, to check for certificate revocation, MongoDB enables the use of OCSP (Online Certificate Status Protocol) by default as an alternative to specifying a CRL file or using the system SSL certificate store.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.tls.allowConnectionsWithoutCertificates

Type: boolean

New in version 4.2.

For clients that do not present certificates, mongos or mongod bypasses TLS/SSL certificate validation when establishing the connection.

For clients that present a certificate, however, mongos or mongod performs certificate validation using the root certificate chain specified by CAFile and rejects clients with invalid certificates.

Use the net.tls.allowConnectionsWithoutCertificates option if you have a mixed deployment that includes clients that do not or cannot present certificates to the mongos or mongod.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.tls.allowInvalidCertificates

Type: boolean

New in version 4.2.

Enable or disable the validation checks for TLS certificates on other servers in the cluster; when set to true, invalid certificates may be used to connect.

Note

If you specify --tlsAllowInvalidCertificates or net.tls.allowInvalidCertificates: true when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS connection but is insufficient for authentication.

When using the net.tls.allowInvalidCertificates setting, MongoDB logs a warning regarding the use of the invalid certificate.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.tls.allowInvalidHostnames

Type: boolean

Default: false

When net.tls.allowInvalidHostnames is true, MongoDB disables the validation of the hostnames in TLS certificates, allowing mongod to connect to MongoDB instances even if the hostnames in their certificates do not match the specified hostname.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.tls.disabledProtocols

Type: string

New in version 4.2.

Prevents a MongoDB server running with TLS from accepting incoming connections that use a specific protocol or protocols. To specify multiple protocols, use a comma-separated list of protocols.

net.tls.disabledProtocols recognizes the following protocols: TLS1_0, TLS1_1, TLS1_2, and starting in version 4.0.4 (and 3.6.9), TLS1_3.

  • On macOS, you cannot disable TLS1_1 and leave both TLS1_0 and TLS1_2 enabled. You must disable at least one of the other two, for example, TLS1_0,TLS1_1.
  • To list multiple protocols, specify them as a comma-separated list, for example TLS1_0,TLS1_1.
  • Specifying an unrecognized protocol will prevent the server from starting.
  • The specified disabled protocols override any default disabled protocols.

Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS 1.1+ is available on the system. To enable the disabled TLS 1.0, specify none to net.tls.disabledProtocols. See Disable TLS 1.0.

Members of replica sets and sharded clusters must speak at least one protocol in common.

net.tls.FIPSMode

Type: boolean

New in version 4.2.

Enable or disable the use of the FIPS mode of the TLS library for the mongos or mongod. Your system must have a FIPS-compliant library to use the net.tls.FIPSMode option.

Note

FIPS-compatible TLS/SSL is available only in MongoDB Enterprise. See Configure MongoDB for FIPS for more information.

net.tls.logVersions

Type: string

Instructs mongos or mongod to log a message when a client connects using a specified TLS version.

Specify either a single TLS version or a comma-separated list of multiple TLS versions.

Example

To instruct mongos or mongod to log a message when a client connects using either TLS 1.2 or TLS 1.3, set net.tls.logVersions to "TLS1_2,TLS1_3".

net.ssl Options

Important

All SSL options are deprecated since 4.2. Use the TLS counterparts instead, as they have identical functionality to the SSL options. The SSL protocol is deprecated and MongoDB supports TLS 1.0 and later.

net:
   ssl:                            # deprecated since 4.2
      sslOnNormalPorts: <boolean>  # deprecated since 2.6
      mode: <string>
      PEMKeyFile: <string>
      PEMKeyPassword: <string>
      certificateSelector: <string>
      clusterCertificateSelector: <string>
      clusterFile: <string>
      clusterPassword: <string>
      CAFile: <string>
      clusterCAFile: <string>
      CRLFile: <string>
      allowConnectionsWithoutCertificates: <boolean>
      allowInvalidCertificates: <boolean>
      allowInvalidHostnames: <boolean>
      disabledProtocols: <string>
      FIPSMode: <boolean>

net.ssl.sslOnNormalPorts

Type: boolean

Deprecated since version 2.6: Use net.tls.mode: requireTLS instead.

Enable or disable TLS/SSL for mongos or mongod.

With net.ssl.sslOnNormalPorts, a mongos or mongod requires TLS/SSL encryption for all connections on the default MongoDB port, or the port specified by net.port. By default, net.ssl.sslOnNormalPorts is disabled.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.ssl.mode

Type: string

Deprecated since version 4.2: Use net.tls.mode instead.

Enables TLS/SSL or mixed TLS/SSL used for all network connections. The argument to the net.ssl.mode setting can be one of the following:

| Value | Description |
| --- | --- |
| disabled | The server does not use TLS/SSL. |
| allowSSL | Connections between servers do not use TLS/SSL. For incoming connections, the server accepts both TLS/SSL and non-TLS/non-SSL. |
| preferSSL | Connections between servers use TLS/SSL. For incoming connections, the server accepts both TLS/SSL and non-TLS/non-SSL. |
| requireSSL | The server uses and accepts only TLS/SSL encrypted connections. |

Starting in version 3.4, if --tlsCAFile/net.tls.CAFile (or their aliases --sslCAFile/net.ssl.CAFile) is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to a TLS/SSL-enabled server.

To use x.509 authentication, --tlsCAFile or net.tls.CAFile must be specified unless you are using --tlsCertificateSelector or net.tls.certificateSelector.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.ssl.PEMKeyFile

Type: string

Deprecated since version 4.2: Use net.tls.certificateKeyFile instead.

The .pem file that contains both the TLS/SSL certificate and key.

Starting with MongoDB 4.0 on macOS or Windows, you can use the net.ssl.certificateSelector setting to specify a certificate from the operating system's secure certificate store instead of a PEM key file. PEMKeyFile and net.ssl.certificateSelector are mutually exclusive. You can only specify one.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.ssl.PEMKeyPassword

Type: string

Deprecated since version 4.2: Use net.tls.certificateKeyFilePassword instead.

The password to decrypt the certificate-key file (i.e. PEMKeyFile). Use the net.ssl.PEMKeyPassword option only if the certificate-key file is encrypted. In all cases, the mongos or mongod will redact the password from all logging and reporting output.

Starting in MongoDB 4.0:

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.ssl.certificateSelector

Type: string

Deprecated since version 4.2: Use net.tls.certificateSelector instead.

New in version 4.0. Available on Windows and macOS as an alternative to net.ssl.PEMKeyFile.

Specifies a certificate property in order to select a matching certificate from the operating system's certificate store to use for TLS/SSL.

The net.ssl.PEMKeyFile and net.ssl.certificateSelector options are mutually exclusive. You can only specify one.

net.ssl.certificateSelector accepts an argument of the format <property>=<value> where the property can be one of the following:

| Property | Value type | Description |
| --- | --- | --- |
| subject | ASCII string | Subject name or common name on certificate |
| thumbprint | hex string | A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest. The thumbprint is sometimes referred to as a fingerprint. |

When using the system SSL certificate store, OCSP (Online Certificate Status Protocol) is used to validate the revocation status of certificates.

The mongod searches the operating system's secure certificate store for the CA certificates required to validate the full certificate chain of the specified TLS/SSL certificate. Specifically, the secure certificate store must contain the root CA and any intermediate CA certificates required to build the full certificate chain to the TLS/SSL certificate. Do not use net.ssl.CAFile or net.ssl.clusterFile to specify the root and intermediate CA certificate.

For example, if the TLS/SSL certificate was signed with a single root CA certificate, the secure certificate store must contain that root CA certificate. If the TLS/SSL certificate was signed with an intermediate CA certificate, the secure certificate store must contain the intermediate CA certificate and the root CA certificate.

net.ssl.clusterCertificateSelector

Type: string

Deprecated since version 4.2: Use net.tls.clusterCertificateSelector instead.

New in version 4.0. Available on Windows and macOS as an alternative to net.ssl.clusterFile.

Specifies a certificate property to select a matching certificate from the operating system's secure certificate store to use for internal x.509 membership authentication.

The net.ssl.clusterFile and net.ssl.clusterCertificateSelector options are mutually exclusive. You can only specify one.

net.ssl.clusterCertificateSelector accepts an argument of the format <property>=<value> where the property can be one of the following:

| Property | Value type | Description |
| --- | --- | --- |
| subject | ASCII string | Subject name or common name on certificate |
| thumbprint | hex string | A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest. The thumbprint is sometimes referred to as a fingerprint. |

The mongod searches the operating system's secure certificate store for the CA certificates required to validate the full certificate chain of the specified cluster certificate. Specifically, the secure certificate store must contain the root CA and any intermediate CA certificates required to build the full certificate chain to the cluster certificate. Do not use net.ssl.CAFile or net.ssl.clusterFile to specify the root and intermediate CA certificate.

For example, if the cluster certificate was signed with a single root CA certificate, the secure certificate store must contain that root CA certificate. If the cluster certificate was signed with an intermediate CA certificate, the secure certificate store must contain the intermediate CA certificate and the root CA certificate.

net.ssl.clusterFile

Type: string

Deprecated since version 4.2: Use net.tls.clusterFile instead.

The .pem file that contains the x.509 certificate-key file for membership authentication for the cluster or replica set.

Starting with MongoDB 4.0 on macOS or Windows, you can use the net.ssl.clusterCertificateSelector option to specify a certificate from the operating system's secure certificate store instead of a PEM key file. The net.ssl.clusterFile and net.ssl.clusterCertificateSelector options are mutually exclusive. You can only specify one.

If net.ssl.clusterFile does not specify the .pem file for internal cluster authentication or the alternative net.ssl.clusterCertificateSelector, the cluster uses the .pem file specified in the PEMKeyFile setting or the certificate returned by the net.ssl.certificateSelector.

To use x.509 authentication, --tlsCAFile or net.tls.CAFile must be specified unless you are using --tlsCertificateSelector or net.tls.certificateSelector.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

Important

For Windows only, MongoDB 4.0 and later do not support encrypted PEM files. The mongod fails to start if it encounters an encrypted PEM file. To securely store and access a certificate for use with membership authentication on Windows, use net.ssl.clusterCertificateSelector.

net.ssl.clusterPassword

Type: string

Deprecated since version 4.2: Use net.tls.clusterPassword instead.

The password to decrypt the x.509 certificate-key file specified with --sslClusterFile. Use the net.ssl.clusterPassword option only if the certificate-key file is encrypted. In all cases, the mongos or mongod will redact the password from all logging and reporting output.

Starting in MongoDB 4.0:

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.ssl.CAFile

Type: string

Deprecated since version 4.2: Use net.tls.CAFile instead.

The .pem file that contains the root certificate chain from the Certificate Authority. Specify the file name of the .pem file using relative or absolute paths.

Windows/macOS Only
If using net.ssl.certificateSelector and/or net.ssl.clusterCertificateSelector, do not use net.ssl.CAFile to specify the root and intermediate CA certificates. Store all CA certificates required to validate the full trust chain of the net.ssl.certificateSelector and/or net.ssl.clusterCertificateSelector certificates in the secure certificate store.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.ssl.clusterCAFile

Type: string

Deprecated since version 4.2: Use net.tls.clusterCAFile instead.

The .pem file that contains the root certificate chain from the Certificate Authority used to validate the certificate presented by a client establishing a connection. Specify the file name of the .pem file using relative or absolute paths. net.ssl.clusterCAFile requires that net.ssl.CAFile is set.

If net.ssl.clusterCAFile does not specify the .pem file for validating the certificate from a client establishing a connection, the cluster uses the .pem file specified in the net.ssl.CAFile option.

net.ssl.clusterCAFile lets you use separate Certificate Authorities to verify the client to server and server to client portions of the TLS handshake.

Starting in 4.0, on macOS or Windows, you can use a certificate from the operating system's secure store instead of a PEM key file. See net.ssl.clusterCertificateSelector. When using the secure store, you do not need to, but can, also specify the net.ssl.clusterCAFile.

Windows/macOS Only
If using net.ssl.certificateSelector and/or net.ssl.clusterCertificateSelector, do not use net.ssl.clusterCAFile to specify the root and intermediate CA certificates. Store all CA certificates required to validate the full trust chain of the net.ssl.certificateSelector and/or net.ssl.clusterCertificateSelector certificates in the secure certificate store.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.ssl.CRLFile

Type: string

Deprecated since version 4.2: Use net.tls.CRLFile instead.

The .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths.

Note

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.ssl.allowConnectionsWithoutCertificates

Type: boolean

Deprecated since version 4.2: Use net.tls.allowConnectionsWithoutCertificates instead.

For clients that do not present certificates, mongos or mongod bypasses TLS/SSL certificate validation when establishing the connection.

For clients that present a certificate, however, mongos or mongod performs certificate validation using the root certificate chain specified by CAFile and rejects clients with invalid certificates.

Use the net.ssl.allowConnectionsWithoutCertificates option if you have a mixed deployment that includes clients that do not or cannot present certificates to the mongos or mongod.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.ssl.allowInvalidCertificates

Type: boolean

Deprecated since version 4.2: Use net.tls.allowInvalidCertificates instead.

Enable or disable the validation checks for TLS/SSL certificates on other servers in the cluster; when set to true, invalid certificates may be used to connect.

Note

Starting in MongoDB 4.2, if you specify --tlsAllowInvalidCertificates or net.tls.allowInvalidCertificates: true when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS connection but it is insufficient for authentication.

When using the net.ssl.allowInvalidCertificates setting, MongoDB logs a warning regarding the use of the invalid certificate.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.ssl.allowInvalidHostnames

Type: boolean

Default: false

Deprecated since version 4.2: Use net.tls.allowInvalidHostnames instead.

When net.ssl.allowInvalidHostnames is true, MongoDB disables the validation of the hostnames in TLS/SSL certificates, allowing mongod to connect to MongoDB instances even if the hostnames in their certificates do not match the specified hostname.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

net.ssl.disabledProtocols

Type: string

Deprecated since version 4.2: Use net.tls.disabledProtocols instead.

Prevents a MongoDB server running with TLS/SSL from accepting incoming connections that use a specific protocol or protocols. To specify multiple protocols, use a comma-separated list of protocols.

net.ssl.disabledProtocols recognizes the following protocols: TLS1_0, TLS1_1, TLS1_2, and starting in version 4.0.4 (and 3.6.9), TLS1_3.

  • On macOS, you cannot disable TLS1_1 and leave both TLS1_0 and TLS1_2 enabled. You must disable at least one of the other two, for example, TLS1_0,TLS1_1.
  • To list multiple protocols, specify them as a comma-separated list, for example TLS1_0,TLS1_1.
  • Specifying an unrecognized protocol will prevent the server from starting.
  • The specified disabled protocols override any default disabled protocols.

Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS 1.1+ is available on the system. To enable the disabled TLS 1.0, specify none to net.ssl.disabledProtocols. See Disable TLS 1.0.

Members of replica sets and sharded clusters must speak at least one protocol in common.

net.ssl.FIPSMode

Type: boolean

Deprecated since version 4.2: Use net.tls.FIPSMode instead.

Enable or disable the use of the FIPS mode of the TLS/SSL library for the mongos or mongod. Your system must have a FIPS-compliant library to use the net.ssl.FIPSMode option.

Note

FIPS-compatible TLS/SSL is available only in MongoDB Enterprise. See Configure MongoDB for FIPS for more information.

net.compression Option

net:
   compression:
      compressors: <string>

net.compression.compressors

Default: snappy,zstd,zlib

Specifies the default compressor(s) to use for communication between this mongod or mongos instance and:

  • other members of the deployment if the instance is part of a replica set or a sharded cluster
  • mongosh
  • drivers that support the OP_COMPRESSED message format.

MongoDB supports the following compressors:

  • snappy
  • zlib (Available starting in MongoDB 3.6)
  • zstd (Available starting in MongoDB 4.2)

In versions 3.6 and 4.0, mongod and mongos enable network compression by default with snappy as the compressor.

Starting in version 4.2, mongod and mongos instances default to the snappy,zstd,zlib compressors, in that order.

To disable network compression, set the value to disabled.

Important

Messages are compressed when both parties enable network compression. Otherwise, messages between the parties are uncompressed.

If you specify multiple compressors, then both the order in which you list the compressors and the communication initiator matter. For example, if mongosh specifies the following network compressors zlib,snappy and the mongod specifies snappy,zlib, messages between mongosh and mongod use zlib.

If the parties do not share at least one common compressor, messages between the parties are uncompressed. For example, if mongosh specifies the network compressor zlib and mongod specifies snappy, messages between mongosh and mongod are not compressed.
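The following is an added example, not part of the MongoDB documentation or code base, that models the rule the two examples above imply: the initiator's first listed compressor that the other party also lists is used, and otherwise traffic is uncompressed. The function names and the sample deployment are assumptions made for illustration.

```python
from itertools import permutations

SUPPORTED = ("snappy", "zlib", "zstd")  # compressors listed on this page


def parse_compressors(value):
    """Turn a net.compression.compressors string into an ordered list."""
    value = value.strip()
    if value == "disabled":
        return []
    names = [n.strip() for n in value.split(",") if n.strip()]
    unknown = [n for n in names if n not in SUPPORTED]
    if unknown:
        raise ValueError("unsupported compressor(s): " + ",".join(unknown))
    return names


def negotiate(initiator, responder):
    """Return the compressor used when `initiator` opens a connection to
    `responder`, or None when the traffic stays uncompressed."""
    accepted = set(parse_compressors(responder))
    for name in parse_compressors(initiator):  # the initiator's order decides
        if name in accepted:
            return name
    return None


def deployment_matrix(members):
    """Map every directed (initiator, responder) pair to its compressor."""
    return {(a, b): negotiate(members[a], members[b])
            for a, b in permutations(members, 2)}


def uncompressed_pairs(members):
    """Directed pairs whose traffic is not compressed."""
    return sorted(p for p, c in deployment_matrix(members).items() if c is None)


# Constructed sample deployment: member name -> compressors setting.
SAMPLE = {
    "mongod-a": "snappy,zstd,zlib",   # the 4.2+ default
    "mongod-b": "zlib,snappy",
    "mongos-1": "zstd",
    "mongod-c": "disabled",
}

if __name__ == "__main__":
    for (a, b), comp in sorted(deployment_matrix(SAMPLE).items()):
        print(f"{a} -> {b}: {comp or 'uncompressed'}")
```

In the sample, mongod-a to mongod-b uses snappy while mongod-b to mongod-a uses zlib, and every pair involving mongod-c is uncompressed.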

security Options

security:
   keyFile: <string>
   clusterAuthMode: <string>
   authorization: <string>
   transitionToAuth: <boolean>
   javascriptEnabled:  <boolean>
   redactClientLogData: <boolean>
   clusterIpSourceAllowlist:
     - <string>
   sasl:
      hostName: <string>
      serviceName: <string>
      saslauthdSocketPath: <string>
   enableEncryption: <boolean>
   encryptionCipherMode: <string>
   encryptionKeyFile: <string>
   kmip:
      keyIdentifier: <string>
      rotateMasterKey: <boolean>
      serverName: <string>
      port: <string>
      clientCertificateFile: <string>
      clientCertificatePassword: <string>
      clientCertificateSelector: <string>
      serverCAFile: <string>
      connectRetries: <int>
      connectTimeoutMS: <int>
   ldap:
      servers: <string>
      bind:
         method: <string>
         saslMechanisms: <string>
         queryUser: <string>
         queryPassword: <string | array>
         useOSDefaults: <boolean>
      transportSecurity: <string>
      timeoutMS: <int>
      userToDNMapping: <string>
      authz:
         queryTemplate: <string>
      validateLDAPServerConfig: <boolean>

security.keyFile

Type: string

The path to a key file that stores the shared secret that MongoDB instances use to authenticate to each other in a sharded cluster or replica set. keyFile implies security.authorization. See Internal/Membership Authentication for more information.

Starting in MongoDB 4.2, keyfiles for internal membership authentication use YAML format to allow for multiple keys in a keyfile. The YAML format accepts content of:

  • a single key string (same as in earlier versions),
  • multiple key strings (each string must be enclosed in quotes), or
  • a sequence of key strings.

The YAML format is compatible with the existing single-key keyfiles that use the text file format.

security.clusterAuthMode

Type: string

Default: keyFile

The authentication mode used for cluster authentication. If you use internal x.509 authentication, specify so here. This option can have one of the following values:

| Value | Description |
| --- | --- |
| keyFile | Use a keyfile for authentication. Accept only keyfiles. |
| sendKeyFile | For rolling upgrade purposes. Send a keyfile for authentication but can accept both keyfiles and x.509 certificates. |
| sendX509 | For rolling upgrade purposes. Send the x.509 certificate for authentication but can accept both keyfiles and x.509 certificates. |
| x509 | Recommended. Send the x.509 certificate for authentication and accept only x.509 certificates. |

If --tlsCAFile or net.tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to a TLS-enabled server.

If using x.509 authentication, --tlsCAFile or net.tls.CAFile must be specified unless using --tlsCertificateSelector.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

security.authorization

Type: string

Default: disabled

Enable or disable Role-Based Access Control (RBAC) to govern each user's access to database resources and operations.

Set this option to one of the following:

| Value | Description |
| --- | --- |
| enabled | A user can access only the database resources and actions for which they have been granted privileges. |
| disabled | A user can access any database and perform any action. |

See Role-Based Access Control for more information.

The security.authorization setting is available only for mongod.

security.transitionToAuth

Type: boolean

Default: false

Allows the mongod or mongos to accept and create authenticated and non-authenticated connections to and from other mongod and mongos instances in the deployment. Used for performing rolling transition of replica sets or sharded clusters from a no-auth configuration to internal authentication. Requires specifying an internal authentication mechanism such as security.keyFile.

For example, if using keyfiles for internal authentication, the mongod or mongos creates an authenticated connection with any mongod or mongos in the deployment using a matching keyfile. If the security mechanisms do not match, the mongod or mongos utilizes a non-authenticated connection instead.

A mongod or mongos running with security.transitionToAuth does not enforce user access controls. Users may connect to your deployment without any access control checks and perform read, write, and administrative operations.

Note

A mongod or mongos running with internal authentication and without security.transitionToAuth requires clients to connect using user access controls. Update clients to connect to the mongod or mongos using the appropriate user prior to restarting mongod or mongos without security.transitionToAuth.

security.javascriptEnabled

Type: boolean

Default: true

Enables or disables server-side JavaScript execution. When disabled, you cannot use operations that perform server-side execution of JavaScript code, such as the $where query operator, mapReduce command, $accumulator, and $function.

If you do not use these operations, disable server-side scripting.

Starting in version 4.4, security.javascriptEnabled is available for both mongod and mongos. In earlier versions, the setting is only available for mongod.

security.redactClientLogData

Type: boolean

Available in MongoDB Enterprise only.

A mongod or mongos running with security.redactClientLogData redacts any message accompanying a given log event before logging. This prevents the mongod or mongos from writing potentially sensitive data stored on the database to the diagnostic log. Metadata such as error or operation codes, line numbers, and source file names are still visible in the logs.

Use security.redactClientLogData in conjunction with Encryption at Rest and TLS/SSL (Transport Encryption) to assist compliance with regulatory requirements.

For example, a MongoDB deployment might store Personally Identifiable Information (PII) in one or more collections. The mongod or mongos logs events such as those related to CRUD operations, sharding metadata, etc. It is possible that the mongod or mongos may expose PII as a part of these logging operations. A mongod or mongos running with security.redactClientLogData removes any message accompanying these events before being output to the log, effectively removing the PII.

Diagnostics on a mongod or mongos running with security.redactClientLogData may be more difficult due to the lack of data related to a log event. See the process logging manual page for an example of the effect of security.redactClientLogData on log output.

On a running mongod or mongos, use setParameter with the redactClientLogData parameter to configure this setting.

security.clusterIpSourceAllowlist

Type: list

New in version 5.0.

A list of IP addresses/CIDR (Classless Inter-Domain Routing) ranges against which the mongod validates authentication requests from other members of the replica set and, if part of a sharded cluster, the mongos instances. The mongod verifies that the originating IP is either explicitly in the list or belongs to a CIDR range in the list. If the IP address is not present, the server does not authenticate the mongod or mongos.

security.clusterIpSourceAllowlist has no effect on a mongod started without authentication.

security.clusterIpSourceAllowlist requires specifying each IPv4/6 address or Classless Inter-Domain Routing (CIDR) range as a YAML list:

security:
  clusterIpSourceAllowlist:
    - 192.0.2.0/24
    - 127.0.0.1
    - ::1

Important

Ensure security.clusterIpSourceAllowlist includes the IP address or CIDR ranges that include the IP address of each replica set member or mongos in the deployment to ensure healthy communication between cluster components.

security.clusterIpSourceWhitelist

Type: list

Deprecated in version 5.0: Use security.clusterIpSourceAllowlist instead.

A list of IP addresses/CIDR (Classless Inter-Domain Routing) ranges against which the mongod validates authentication requests from other members of the replica set and, if part of a sharded cluster, the mongos instances. The mongod verifies that the originating IP is either explicitly in the list or belongs to a CIDR range in the list. If the IP address is not present, the server does not authenticate the mongod or mongos.

security.clusterIpSourceWhitelist has no effect on a mongod started without authentication.

security.clusterIpSourceWhitelist requires specifying each IPv4/6 address or Classless Inter-Domain Routing (CIDR) range as a YAML list:

security:
  clusterIpSourceWhitelist:
    - 192.0.2.0/24
    - 127.0.0.1
    - ::1

Important

Ensure security.clusterIpSourceWhitelist includes the IP address or CIDR ranges that include the IP address of each replica set member or mongos in the deployment to ensure healthy communication between cluster components.
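One way to check the requirement in the Important notes for security.clusterIpSourceAllowlist and the deprecated security.clusterIpSourceWhitelist before a restart (added example, not MongoDB code): it tests every member address against the list and flags entries that are malformed or very wide. The member names and addresses are constructed, and the strict CIDR parsing and prefix thresholds are this checker's review policy, not documented mongod behaviour.

```python
import ipaddress

# The allowlist from the page's YAML sample, plus constructed member
# addresses for a three-node replica set and one mongos.
ALLOWLIST = ["192.0.2.0/24", "127.0.0.1", "::1"]
MEMBERS = {
    "rs0-a": "192.0.2.11",
    "rs0-b": "192.0.2.12",
    "rs0-c": "198.51.100.7",   # constructed: outside every listed range
    "mongos-1": "::1",
}


def parse_allowlist(entries):
    """Return (networks, rejected) for a list of address/CIDR strings."""
    networks, rejected = [], []
    for entry in entries:
        try:
            # A bare address becomes a /32 or /128 network. A CIDR with host
            # bits set (192.0.2.5/24) is rejected so typos surface in review;
            # that strictness is a policy of this checker.
            networks.append(ipaddress.ip_network(entry))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def uncovered_members(allowlist, members):
    """Names of members whose address matches no allowlist entry."""
    networks, _ = parse_allowlist(allowlist)
    missing = []
    for name, addr in members.items():
        ip = ipaddress.ip_address(addr)
        # Only compare against networks of the same IP version.
        if not any(ip.version == net.version and ip in net for net in networks):
            missing.append(name)
    return sorted(missing)


def overly_broad(allowlist, min_v4_prefix=16, min_v6_prefix=48):
    """Entries wider than the reviewer's threshold (assumed defaults)."""
    networks, _ = parse_allowlist(allowlist)
    floor = {4: min_v4_prefix, 6: min_v6_prefix}
    return [str(net) for net in networks if net.prefixlen < floor[net.version]]


if __name__ == "__main__":
    print("not covered:", uncovered_members(ALLOWLIST, MEMBERS))
    print("rejected entries:", parse_allowlist(ALLOWLIST)[1])
    print("very wide entries:", overly_broad(ALLOWLIST))
```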

Key Management Configuration Options

security:
   enableEncryption: <boolean>
   encryptionCipherMode: <string>
   encryptionKeyFile: <string>
   kmip:
      keyIdentifier: <string>
      rotateMasterKey: <boolean>
      serverName: <string>
      port: <string>
      clientCertificateFile: <string>
      clientCertificatePassword: <string>
      clientCertificateSelector: <string>
      serverCAFile: <string>
      connectRetries: <int>
      connectTimeoutMS: <int>
      activateKeys: <boolean>
      keyStatePollingSeconds: <int>

security.enableEncryption

Type: boolean

Default: false

Enables encryption for the WiredTiger storage engine. You must set this option to true to pass in encryption keys and configurations.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.encryptionCipherMode

Type: string

Default: AES256-CBC

The cipher mode to use for encryption at rest:

  • AES256-CBC - 256-bit Advanced Encryption Standard in Cipher Block Chaining Mode
  • AES256-GCM - 256-bit Advanced Encryption Standard in Galois/Counter Mode. Available only on Linux.

Changed in version 4.0.

MongoDB Enterprise on Windows no longer supports AES256-GCM. This cipher is now available only on Linux.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.encryptionKeyFile

Type: string

The path to the local keyfile when managing keys via a process other than KMIP. Only set when managing keys via a process other than KMIP. If data is already encrypted using KMIP, MongoDB will throw an error.

Requires security.enableEncryption to be true.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.kmip.keyIdentifier

Type: string

Unique KMIP identifier for an existing key within the KMIP server. Include to use the key associated with the identifier as the system key. You can only use the setting the first time you enable encryption for the mongod instance. Requires security.enableEncryption to be true.

If unspecified, MongoDB will request that the KMIP server create a new key to utilize as the system key.

If the KMIP server cannot locate a key with the specified identifier or the data is already encrypted with a key, MongoDB will throw an error.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.kmip.rotateMasterKey

Type: boolean

Default: false

If true, rotate the master key and re-encrypt the internal keystore.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.kmip.serverName

Type: string

Hostname or IP address of the KMIP server to connect to. Requires security.enableEncryption to be true.

Starting in MongoDB 4.2.1 (and 4.0.14), you can specify multiple KMIP servers as a comma-separated list, e.g. server1.example.com,server2.example.com. On startup, the mongod will attempt to establish a connection to each server in the order listed, and will select the first server to which it can successfully establish a connection. KMIP server selection occurs only at startup.

When connecting to a KMIP server, the mongod verifies that the specified security.kmip.serverName matches the Subject Alternative Name SAN (or, if SAN is not present, the Common Name CN) in the certificate presented by the KMIP server. If SAN is present, mongod does not match against the CN. If the hostname does not match the SAN (or CN), the mongod will fail to connect.

Starting in MongoDB 4.2, when performing comparison of SAN, MongoDB supports comparison of DNS names or IP addresses. In previous versions, MongoDB only supports comparisons of DNS names.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.kmip.port

Type: string

Default: 5696

Port number to use to communicate with the KMIP server. Requires security.kmip.serverName. Requires security.enableEncryption to be true.

If specifying multiple KMIP servers with security.kmip.serverName, the mongod will use the port specified with security.kmip.port for all provided KMIP servers.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.kmip.clientCertificateFile

Type: string

String containing the path to the client certificate used for authenticating MongoDB to the KMIP server. Requires that a security.kmip.serverName be provided.

Note

Starting in 4.0, on macOS or Windows, you can use a certificate from the operating system's secure store instead of a PEM key file. See security.kmip.clientCertificateSelector.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.kmip.clientCertificatePassword

Type: string

The password to decrypt the client certificate (i.e. security.kmip.clientCertificateFile), used to authenticate MongoDB to the KMIP server. Use the option only if the certificate is encrypted.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.kmip.clientCertificateSelector

Type: string

New in version 4.0 (and 4.2.15, 4.4.7, and 5.0).

Available on Windows and macOS as an alternative to security.kmip.clientCertificateFile.

security.kmip.clientCertificateFile and security.kmip.clientCertificateSelector options are mutually exclusive. You can only specify one.

Specifies a certificate property in order to select a matching certificate from the operating system's certificate store to authenticate MongoDB to the KMIP server.

security.kmip.clientCertificateSelector accepts an argument of the format <property>=<value> where the property can be one of the following:

  • subject (value type: ASCII string) - Subject name or common name on certificate
  • thumbprint (value type: hex string) - A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest. The thumbprint is sometimes referred to as a fingerprint.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.kmip.serverCAFile

Type: string

Path to CA File. Used for validating secure client connection to KMIP server.

Note

Starting in 4.0, on macOS or Windows, you can use a certificate from the operating system's secure store instead of a PEM key file. See security.kmip.clientCertificateSelector. When using the secure store, you do not need to, but can, also specify the security.kmip.serverCAFile.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.kmip.connectRetries

Type: int

Default: 0

New in version 4.4.

How many times to retry the initial connection to the KMIP server. Use together with connectTimeoutMS to control how long the mongod waits for a response between each retry.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.kmip.connectTimeoutMS

Type: int

Default: 5000

New in version 4.4.

Timeout in milliseconds to wait for a response from the KMIP server. If the connectRetries setting is specified, the mongod will wait up to the value specified with connectTimeoutMS for each retry.

Value must be 1000 or greater.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

security.kmip.activateKeys

Type: boolean

Default: true

New in version 5.3.

Activates all newly created KMIP keys upon creation and then periodically checks those keys are in an active state.

When security.kmip.activateKeys is true and you have existing keys on a KMIP server, the key must be activated first or the mongod node will fail to start.

If the key being used by the mongod transitions into a non-active state, the mongod node will shut down unless kmipActivateKeys is false. To ensure you have an active key, rotate the KMIP master key by using security.kmip.rotateMasterKey.

security.kmip.keyStatePollingSeconds

Type: int

Default: 900 seconds

New in version 5.3.

Frequency in seconds at which mongod polls the KMIP server for active keys.

To disable polling, set the value to -1.

security.sasl Options

security:
   sasl:
      hostName: <string>
      serviceName: <string>
      saslauthdSocketPath: <string>

security.sasl.hostName

Type: string

A fully qualified server domain name for the purpose of configuring SASL and Kerberos authentication. The SASL hostname overrides the hostname only for the configuration of SASL and Kerberos.

security.sasl.serviceName

Type: string

Registered name of the service using SASL. This option allows you to override the default Kerberos service name component of the Kerberos principal name, on a per-instance basis. If unspecified, the default value is mongodb.

MongoDB permits setting this option only at startup. The setParameter command cannot change this setting.

This option is available only in MongoDB Enterprise.

Important

Ensure that your driver supports alternate service names. For mongosh and other MongoDB tools to connect to the new serviceName, see the gssapiServiceName option.

security.sasl.saslauthdSocketPath

Type: string

The path to the UNIX domain socket file for saslauthd.

security.ldap Options

security:
   ldap:
      servers: <string>
      bind:
         method: <string>
         saslMechanisms: <string>
         queryUser: <string>
         queryPassword: <string | array>
         useOSDefaults: <boolean>
      transportSecurity: <string>
      timeoutMS: <int>
      userToDNMapping: <string>
      authz:
         queryTemplate: <string>
      validateLDAPServerConfig: <boolean>

security.ldap.servers

Type: string

Available in MongoDB Enterprise only.

The LDAP server against which the mongod or mongos authenticates users or determines what actions a user is authorized to perform on a given database. If the LDAP server specified has any replicated instances, you may specify the host and port of each replicated server in a comma-delimited list.

If your LDAP infrastructure partitions the LDAP directory over multiple LDAP servers, specify one LDAP server or any of its replicated instances to security.ldap.servers. MongoDB supports following LDAP referrals as defined in RFC 4511 4.1.10. Do not use security.ldap.servers for listing every LDAP server in your infrastructure.

This setting can be configured on a running mongod or mongos using setParameter.

If unset, mongod or mongos cannot use LDAP authentication or authorization.

security.ldap.bind.queryUser

Type: string

Available in MongoDB Enterprise only.

The identity with which mongod or mongos binds when connecting to or performing queries on an LDAP server.

Only required if any of the following are true:

You must use queryUser with queryPassword.

If unset, mongod or mongos will not attempt to bind to the LDAP server.

This setting can be configured on a running mongod or mongos using setParameter.

Note

Windows MongoDB deployments can use useOSDefaults instead of queryUser and queryPassword. You cannot specify both queryUser and useOSDefaults at the same time.

security.ldap.bind.queryPassword

Type: string or array

Available in MongoDB Enterprise only.

The password used to bind to an LDAP server when using queryUser. You must use queryPassword with queryUser.

If not set, mongod or mongos does not attempt to bind to the LDAP server.

You can configure this setting on a running mongod or mongos using setParameter.

Starting in MongoDB 4.4, the ldapQueryPassword setParameter command accepts either a string or an array of strings. If ldapQueryPassword is set to an array, MongoDB tries each password in order until one succeeds. Use a password array to roll over the LDAP account password without downtime.

Note

Windows MongoDB deployments can use useOSDefaults instead of queryUser and queryPassword. You cannot specify both queryPassword and useOSDefaults at the same time.

security.ldap.bind.useOSDefaults

Type: boolean

Default: false

Available in MongoDB Enterprise for the Windows platform only.

Allows mongod or mongos to authenticate, or bind, using your Windows login credentials when connecting to the LDAP server.

Only required if:

Use useOSDefaults to replace queryUser and queryPassword.

security.ldap.bind.method

Type: string

Default: simple

Available in MongoDB Enterprise only.

The method mongod or mongos uses to authenticate to an LDAP server. Use with queryUser and queryPassword to connect to the LDAP server.

method supports the following values:

  • simple - mongod or mongos uses simple authentication.
  • sasl - mongod or mongos uses SASL protocol for authentication.

If you specify sasl, you can configure the available SASL mechanisms using security.ldap.bind.saslMechanisms. mongod or mongos defaults to using DIGEST-MD5 mechanism.

security.ldap.bind.saslMechanisms

Type: string

Default: DIGEST-MD5

Available in MongoDB Enterprise only.

A comma-separated list of SASL mechanisms mongod or mongos can use when authenticating to the LDAP server. The mongod or mongos and the LDAP server must agree on at least one mechanism. The mongod or mongos dynamically loads any SASL mechanism libraries installed on the host machine at runtime.

Install and configure the appropriate libraries for the selected SASL mechanism(s) on both the mongod or mongos host and the remote LDAP server host. Your operating system may include certain SASL libraries by default. Defer to the documentation associated with each SASL mechanism for guidance on installation and configuration.

If using the GSSAPI SASL mechanism for use with Kerberos Authentication, verify the following for the mongod or mongos host machine:

Linux
  • The KRB5_CLIENT_KTNAME environment variable resolves to the name of the client Linux Keytab Files for the host machine. For more on Kerberos environment variables, please defer to the Kerberos documentation.
  • The client keytab includes a User Principal for the mongod or mongos to use when connecting to the LDAP server and executing LDAP queries.

Windows
If connecting to an Active Directory server, the Windows Kerberos configuration automatically generates a Ticket-Granting-Ticket when the user logs onto the system. Set useOSDefaults to true to allow mongod or mongos to use the generated credentials when connecting to the Active Directory server and executing queries.

Set method to sasl to use this option.

Note

For a complete list of SASL mechanisms see the IANA listing. Defer to the documentation for your LDAP or Active Directory service for identifying the SASL mechanisms compatible with the service.

MongoDB is not a source of SASL mechanism libraries, nor is the MongoDB documentation a definitive source for installing or configuring any given SASL mechanism. For documentation and support, defer to the SASL mechanism library vendor or owner.

For more information on SASL, defer to the following resources:

security.ldap.transportSecurity

Type: string

Default: tls

Available in MongoDB Enterprise only.

By default, mongod or mongos creates a TLS/SSL secured connection to the LDAP server.

For Linux deployments, you must configure the appropriate TLS Options in the /etc/openldap/ldap.conf file. Your operating system's package manager creates this file as part of the MongoDB Enterprise installation, via the libldap dependency. See the documentation for TLS Options in the ldap.conf OpenLDAP documentation for more complete instructions.

For Windows deployment, you must add the LDAP server CA certificates to the Windows certificate management tool. The exact name and functionality of the tool may vary depending on operating system version. Please see the documentation for your version of Windows for more information on certificate management.

Set transportSecurity to none to disable TLS/SSL between mongod or mongos and the LDAP server.

Warning

Setting transportSecurity to none transmits plaintext information and possibly credentials between mongod or mongos and the LDAP server.

security.ldap.timeoutMS

Type: int

Default: 10000

Available in MongoDB Enterprise only.

The amount of time in milliseconds mongod or mongos should wait for an LDAP server to respond to a request.

Increasing the value of timeoutMS may prevent connection failure between the MongoDB server and the LDAP server, if the source of the failure is a connection timeout. Decreasing the value of timeoutMS reduces the time MongoDB waits for a response from the LDAP server.

This setting can be configured on a running mongod or mongos using setParameter.

security.ldap.userToDNMapping

Type: string

Available in MongoDB Enterprise only.

Maps the username provided to mongod or mongos for authentication to an LDAP Distinguished Name (DN). You may need to use userToDNMapping to transform a username into an LDAP DN in the following scenarios:

  • Performing LDAP authentication with simple LDAP binding, where users authenticate to MongoDB with usernames that are not full LDAP DNs.
  • Using an LDAP authorization query template that requires a DN.
  • Transforming the usernames of clients authenticating to MongoDB using different authentication mechanisms (e.g. x.509, kerberos) to a full LDAP DN for authorization.

userToDNMapping expects a quote-enclosed JSON-string representing an ordered array of documents. Each document contains a regular expression match and either a substitution or ldapQuery template used for transforming the incoming username.

Each document in the array has the following form:

{
  match: "<regex>"
  substitution: "<LDAP DN>" | ldapQuery: "<LDAP Query>"
}

  • match - An ECMAScript-formatted regular expression (regex) to match against a provided username. Each parenthesis-enclosed section represents a regex capture group used by substitution or ldapQuery. Examples: "(.+)ENGINEERING", "(.+)DBA"
  • substitution - An LDAP distinguished name (DN) formatting template that converts the authentication name matched by the match regex into an LDAP DN. Each curly bracket-enclosed numeric value is replaced by the corresponding regex capture group extracted from the authentication username via the match regex. The result of the substitution must be an RFC4514 escaped string. Example: "cn={0},ou=engineering, dc=example,dc=com"
  • ldapQuery - An LDAP query formatting template that inserts the authentication name matched by the match regex into an LDAP query URI encoded respecting RFC4515 and RFC4516. Each curly bracket-enclosed numeric value is replaced by the corresponding regex capture group extracted from the authentication username via the match expression. mongod or mongos executes the query against the LDAP server to retrieve the LDAP DN for the authenticated user. mongod or mongos requires exactly one returned result for the transformation to be successful, or mongod or mongos skips this transformation. Example: "ou=engineering,dc=example, dc=com??one?(user={0})"

Note

An explanation of RFC4514, RFC4515, RFC4516, or LDAP queries is out of scope for the MongoDB Documentation. Please review the RFC directly or use your preferred LDAP resource.

For each document in the array, you must use either substitution or ldapQuery. You cannot specify both in the same document.

When performing authentication or authorization, mongod or mongos steps through each document in the array in the given order, checking the authentication username against the match filter. 在执行身份验证或授权时,mongodmongos会按给定顺序遍历数组中的每个文档,根据match筛选器检查身份验证用户名。 If a match is found, mongod or mongos applies the transformation and uses the output for authenticating the user. 如果找到匹配项,mongodmongos将应用转换并使用输出对用户进行身份验证。mongod or mongos does not check the remaining documents in the array.mongodmongos不会检查数组中的剩余文档。

If the given document does not match the provided authentication name, mongod or mongos continues through the list of documents to find additional matches. 如果给定的文档与提供的身份验证名称不匹配,mongodmongos将继续查看文档列表以查找其他匹配项。If no matches are found in any document, or the transformation the document describes fails, mongod or mongos returns an error.如果在任何文档中都没有找到匹配项,或者文档描述的转换失败,mongodmongos将返回一个错误。

Starting in MongoDB 4.4, mongod or mongos also returns an error if one of the transformations cannot be evaluated due to networking or authentication failures to the LDAP server. 从MongoDB 4.4开始,如果由于LDAP服务器的联网或身份验证失败而无法评估其中一个转换,mongodmongos也会返回一个错误。mongod or mongos rejects the connection request and does not check the remaining documents in the array.mongodmongos拒绝连接请求,不检查数组中的其余文档。

Starting in MongoDB 5.0, userToDNMapping accepts an empty string "" or empty array [ ] in place of a mapping documnent. 从MongoDB 5.0开始,userToDNMapping接受空字符串""或空数组[]来代替映射文档。If providing an empty string or empty array to userToDNMapping, MongoDB will map the authenticated username as the LDAP DN. 如果向userToDNMapping提供空字符串或空数组,MongoDB会将经过身份验证的用户名映射为LDAP DN。Previously, providing an empty mapping document would cause mapping to fail.以前,提供空映射文档会导致映射失败。

Example

The following shows two transformation documents. The first document matches against any string ending in @ENGINEERING, placing anything preceding the suffix into a regex capture group. The second document matches against any string ending in @DBA, placing anything preceding the suffix into a regex capture group.

Important
You must pass the array to userToDNMapping as a string.
"[
   {
      match: "(.+)@ENGINEERING.EXAMPLE.COM",
      substitution: "cn={0},ou=engineering,dc=example,dc=com"
   },
   {
      match: "(.+)@DBA.EXAMPLE.COM",
      ldapQuery: "ou=dba,dc=example,dc=com??one?(user={0})"
   }
]"

A user with username alice@ENGINEERING.EXAMPLE.COM matches the first document. The regex capture group {0} corresponds to the string alice. The resulting output is the DN "cn=alice,ou=engineering,dc=example,dc=com".

A user with username bob@DBA.EXAMPLE.COM matches the second document. The regex capture group {0} corresponds to the string bob. The resulting output is the LDAP query "ou=dba,dc=example,dc=com??one?(user=bob)". mongod or mongos executes this query against the LDAP server, returning the result "cn=bob,ou=dba,dc=example,dc=com".
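To check a mapping offline before deploying it, the following added example (not MongoDB code) steps through the documents in order as described above, using the two documents from this page. Assumptions: Python's re stands in for ECMAScript regex and is applied with search semantics, and the simulator itself escapes captured groups (RFC4514 for a DN, RFC4515 plus RFC4516 percent-encoding for a query); this page does not state whether the server does the same. All function names are hypothetical.

```python
import re
from urllib.parse import quote

# Constructed from the two mapping documents shown in the example above.
MAPPING = [
    {"match": r"(.+)@ENGINEERING.EXAMPLE.COM",
     "substitution": "cn={0},ou=engineering,dc=example,dc=com"},
    {"match": r"(.+)@DBA.EXAMPLE.COM",
     "ldapQuery": "ou=dba,dc=example,dc=com??one?(user={0})"},
]

_DN_SPECIAL = set('"+,;<>\\')  # RFC 4514: always backslash-escaped in a value
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_dn_value(value):
    """Escape one attribute value for use inside an RFC 4514 DN string."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 filter escaping, then RFC 4516 percent-encoding for the URL."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)
    return quote(escaped, safe="")


def validate_mapping(mapping):
    """Reject documents that break the rules stated in the text."""
    for i, doc in enumerate(mapping):
        if "match" not in doc:
            raise ValueError(f"document {i}: missing match")
        if ("substitution" in doc) == ("ldapQuery" in doc):
            raise ValueError(f"document {i}: use exactly one of substitution or ldapQuery")
        re.compile(doc["match"])  # raises re.error on a malformed pattern


def _fill(template, groups, escape):
    """Replace each {n} with the escaped n-th capture group ({0} is the first)."""
    def repl(token):
        index = int(token.group(1))
        if index >= len(groups):
            raise ValueError(f"template uses {{{index}}} but match has {len(groups)} group(s)")
        return escape(groups[index] or "")
    return re.sub(r"\{(\d+)\}", repl, template)


def map_user(mapping, username):
    """Return ("dn", value) or ("ldapQuery", value) from the first matching document."""
    if not mapping:  # "" or [ ]: MongoDB 5.0 maps the username as the DN
        return ("dn", username)
    validate_mapping(mapping)
    for doc in mapping:
        found = re.search(doc["match"], username)  # assumption: search semantics
        if found is None:
            continue  # try the next document in the array
        if "substitution" in doc:
            return ("dn", _fill(doc["substitution"], found.groups(), escape_dn_value))
        return ("ldapQuery", _fill(doc["ldapQuery"], found.groups(), escape_filter_value))
    raise LookupError(f"no mapping document matches {username!r}")


if __name__ == "__main__":
    for name in ("alice@ENGINEERING.EXAMPLE.COM", "bob@DBA.EXAMPLE.COM",
                 "smith, j@ENGINEERING.EXAMPLE.COM", "a*b@DBA.EXAMPLE.COM"):
        print(name, "->", map_user(MAPPING, name))
```

In these patterns the unescaped `.` matches any character, so a name such as alice@ENGINEERINGxEXAMPLE.COM also matches the first document; write `\.` and anchor the pattern with `^` and `$` if the realm must match literally.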

If userToDNMapping is unset, mongod or mongos applies no transformations to the username when attempting to authenticate or authorize a user against the LDAP server.

This setting can be configured on a running mongod or mongos using the setParameter database command.

security.ldap.authz.queryTemplate

Type: string

Available in MongoDB Enterprise only.

A relative LDAP query URL formatted conforming to RFC4515 and RFC4516 that mongod executes to obtain the LDAP groups to which the authenticated user belongs. The query is relative to the host or hosts specified in security.ldap.servers.

In the URL, you can use the following substitution tokens:

| Substitution Token | Description |
| --- | --- |
| {USER} | Substitutes the authenticated username, or the transformed username if a userToDNMapping is specified. |
| {PROVIDED_USER} | Substitutes the supplied username, i.e. before either authentication or LDAP transformation. New in version 4.2. |

When constructing the query URL, ensure that the order of LDAP parameters respects RFC4516:

[ dn  [ ? [attributes] [ ? [scope] [ ? [filter] [ ? [Extensions] ] ] ] ] ]

If your query includes an attribute, mongod assumes that the query retrieves a list of the DNs which this entity is a member of.

If your query does not include an attribute, mongod assumes the query retrieves all entities which the user is a member of.

For each LDAP DN returned by the query, mongod assigns the authorized user a corresponding role on the admin database. If a role on the admin database exactly matches the DN, mongod grants the user the roles and privileges assigned to that role. See the db.createRole() method for more information on creating roles.

Example

This LDAP query returns any groups listed in the LDAP user object's memberOf attribute.

"{USER}?memberOf?base"

Your LDAP configuration may not include the memberOf attribute as part of the user schema, may possess a different attribute for reporting group membership, or may not track group membership through attributes. Configure your query with respect to your own unique LDAP configuration.
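The following added example (not MongoDB code) checks a queryTemplate against the RFC4516 component order given above, expands the {USER} and {PROVIDED_USER} tokens, and applies the exact-match rule for roles on the admin database. Assumptions: function names are hypothetical, the group-search template and all DNs in the demo are constructed, token values are percent-encoded (and filter-escaped in the filter position) by this tool, and "exactly matches" is taken to mean byte-for-byte string equality.

```python
import re
from urllib.parse import quote

SCOPES = {"base", "one", "sub"}
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def parse_query_template(template):
    """Split a relative LDAP URL into dn ? attributes ? scope ? filter ? extensions."""
    parts = template.split("?")
    if len(parts) > 5:
        raise ValueError("too many '?' separators for dn?attributes?scope?filter?extensions")
    dn, attributes, scope, flt, extensions = parts + [""] * (5 - len(parts))
    if scope and scope not in SCOPES:
        raise ValueError(f"scope {scope!r} is not base/one/sub; are attributes and scope swapped?")
    if flt and not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses")
    return {
        "dn": dn,
        "attributes": [a for a in attributes.split(",") if a],
        "scope": scope,
        "filter": flt,
        "extensions": extensions,
    }


def result_kind(parsed):
    """How mongod interprets the result, per the two paragraphs above."""
    # With an attribute: the attribute values are the DNs the entity is a member of.
    # Without one: the returned entities themselves are what the user is a member of.
    return "attribute-values" if parsed["attributes"] else "entity-dns"


def expand(template, user, provided_user):
    """Substitute {USER} / {PROVIDED_USER} with position-appropriate encoding."""
    parsed = parse_query_template(template)
    values = {"USER": user, "PROVIDED_USER": provided_user}

    def fill(text, escape):
        return re.sub(r"\{(USER|PROVIDED_USER)\}",
                      lambda token: escape(values[token.group(1)]), text)

    def in_dn(value):
        return quote(value, safe="=,")

    def in_filter(value):
        escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)
        return quote(escaped, safe="=,")

    parts = [fill(parsed["dn"], in_dn), ",".join(parsed["attributes"]),
             parsed["scope"], fill(parsed["filter"], in_filter), parsed["extensions"]]
    return "?".join(parts).rstrip("?")


def roles_for(returned_dns, admin_roles):
    """Keep only the returned DNs that exactly match a role name on admin."""
    return [dn for dn in returned_dns if dn in admin_roles]


if __name__ == "__main__":
    user_dn = "cn=bob,ou=dba,dc=example,dc=com"
    print(expand("{USER}?memberOf?base", user_dn, "bob@DBA.EXAMPLE.COM"))
    # Constructed template: search group entries instead of reading an attribute.
    print(expand("ou=groups,dc=example,dc=com??sub?(member={USER})", user_dn, "bob"))
```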

If unset, mongod cannot authorize users using LDAP.

This setting can be configured on a running mongod using the setParameter database command.

Note

An explanation of RFC4515, RFC4516 or LDAP queries is out of scope for the MongoDB Documentation. Please review the RFC directly or use your preferred LDAP resource.

security.ldap.validateLDAPServerConfig

Type: boolean

Default: true

Available in MongoDB Enterprise

A flag that determines if the mongod or mongos instance checks the availability of the LDAP server(s) as part of its startup:

  • If true, the mongod or mongos instance performs the availability check and only continues to start up if the LDAP server is available.
  • If false, the mongod or mongos instance skips the availability check; i.e. the instance starts up even if the LDAP server is unavailable.

setParameter Option

setParameter

Set the MongoDB parameter or parameters described in MongoDB Server Parameters.

To set parameters in the YAML configuration file, use the following format:

setParameter:
   <parameter1>: <value1>
   <parameter2>: <value2>

For example, to specify the enableLocalhostAuthBypass in the configuration file:

setParameter:
   enableLocalhostAuthBypass: false

LDAP Parameters

setParameter.ldapUserCacheInvalidationInterval

Type: int

Default: 30

For use with mongod servers using LDAP Authorization.

The interval (in seconds) mongod waits between external user cache flushes. After mongod flushes the external user cache, MongoDB reacquires authorization data from the LDAP server the next time an LDAP-authorized user issues an operation.

Increasing the value specified increases the amount of time mongod and the LDAP server can be out of sync, but reduces the load on the LDAP server. Conversely, decreasing the value specified decreases the time mongod and the LDAP server can be out of sync while increasing the load on the LDAP server.

setParameter:
   ldapUserCacheInvalidationInterval: <int>

storage Options

Changed in version 4.4.

  • MongoDB removes the storage.indexBuildRetry option and the corresponding --noIndexBuildRetry command-line option.
  • MongoDB deprecates storage.wiredTiger.engineConfig.maxCacheOverflowFileSizeGB option. The option has no effect starting in MongoDB 4.4.

storage:
   dbPath: <string>
   journal:
      enabled: <boolean>
      commitIntervalMs: <num>
   directoryPerDB: <boolean>
   syncPeriodSecs: <int>
   engine: <string>
   wiredTiger:
      engineConfig:
         cacheSizeGB: <number>
         journalCompressor: <string>
         directoryForIndexes: <boolean>
         maxCacheOverflowFileSizeGB: <number> # deprecated in MongoDB 4.4
      collectionConfig:
         blockCompressor: <string>
      indexConfig:
         prefixCompression: <boolean>
   inMemory:
      engineConfig:
         inMemorySizeGB: <number>
   oplogMinRetentionHours: <double>
storage.dbPath

Type: string

Default:

  • /data/db on Linux and macOS
  • \data\db on Windows

The directory where the mongod instance stores its data.

The storage.dbPath setting is available only for mongod.

Note
Configuration Files

The default mongod.conf configuration file included with package manager installations uses the following platform-specific default values for storage.dbPath:

| Platform | Package Manager | Default storage.dbPath |
| --- | --- | --- |
| RHEL / CentOS and Amazon | yum | /var/lib/mongo |
| SUSE | zypper | /var/lib/mongo |
| Ubuntu and Debian | apt | /var/lib/mongodb |
| macOS | brew | /usr/local/var/mongodb |

The Linux package init scripts do not expect storage.dbPath to change from the defaults. If you use the Linux packages and change storage.dbPath, you will have to use your own init scripts and disable the built-in scripts.

storage.journal.enabled

Type: boolean

Default: true on 64-bit systems, false on 32-bit systems

Enable or disable the durability journal to ensure data files remain valid and recoverable. This option applies only when you specify the storage.dbPath setting. mongod enables journaling by default.

The storage.journal.enabled setting is available only for mongod.

Not available for mongod instances that use the in-memory storage engine.

Starting in MongoDB 4.0, you cannot specify --nojournal option or storage.journal.enabled: false for replica set members that use the WiredTiger storage engine.

storage.journal.commitIntervalMs

Type: number

Default: 100

The maximum amount of time in milliseconds that the mongod process allows between journal operations. Values can range from 1 to 500 milliseconds. Lower values increase the durability of the journal, at the expense of disk performance.

On WiredTiger, the default journal commit interval is 100 milliseconds. Additionally, a write that includes or implies j:true will cause an immediate sync of the journal. For details or additional conditions that affect the frequency of the sync, see Journaling Process.

The storage.journal.commitIntervalMs setting is available only for mongod.

Not available for mongod instances that use the in-memory storage engine.

Note

Known Issue in 4.2.0: The storage.journal.commitIntervalMs is missing in 4.2.0.

storage.directoryPerDB

Type: boolean

Default: false

When true, MongoDB uses a separate directory to store data for each database. The directories are under the storage.dbPath directory, and each subdirectory name corresponds to the database name.

The storage.directoryPerDB setting is available only for mongod.

Not available for mongod instances that use the in-memory storage engine.

Starting in MongoDB 5.0, dropping the final collection in a database (or dropping the database itself) when storage.directoryPerDB is enabled deletes the newly empty subdirectory for that database.

To change the storage.directoryPerDB option for existing deployments:

  • For standalone instances:

    1. Use mongodump on the existing mongod instance to generate a backup.
    2. Stop the mongod instance.
    3. Add the storage.directoryPerDB value and configure a new data directory.
    4. Restart the mongod instance.
    5. Use mongorestore to populate the new data directory.
  • For replica sets:

    1. Stop a secondary member.
    2. Add the storage.directoryPerDB value and configure a new data directory to that secondary member.
    3. Restart that secondary.
    4. Use initial sync to populate the new data directory.
    5. Update remaining secondaries in the same fashion.
    6. Step down the primary, and update the stepped-down member in the same fashion.
storage.syncPeriodSecs

Type: number

Default: 60

The amount of time that can pass before MongoDB flushes data to the data files via an fsync operation.

Do not set this value on production systems. In almost every situation, you should use the default setting.

Warning

If you set storage.syncPeriodSecs to 0, MongoDB will not sync the memory mapped files to disk.

The mongod process writes data very quickly to the journal and lazily to the data files. storage.syncPeriodSecs has no effect on the journal files or journaling, but if storage.syncPeriodSecs is set to 0 the journal will eventually consume all available disk space. If you set storage.syncPeriodSecs to 0 for testing purposes, you should also set --nojournal to true.

The storage.syncPeriodSecs setting is available only for mongod.

Not available for mongod instances that use the in-memory storage engine.

storage.engine

Default: wiredTiger

Note

Starting in version 4.2, MongoDB removes the deprecated MMAPv1 storage engine.

The storage engine for the mongod database. Available values include:

| Value | Description |
| --- | --- |
| wiredTiger | To specify the WiredTiger Storage Engine. |
| inMemory | To specify the In-Memory Storage Engine. Available in MongoDB Enterprise only. |

If you attempt to start a mongod with a storage.dbPath that contains data files produced by a storage engine other than the one specified by storage.engine, mongod will refuse to start.

storage.oplogMinRetentionHours

Type: double

New in version 4.4.

Specifies the minimum number of hours to preserve an oplog entry, where the decimal values represent the fractions of an hour. For example, a value of 1.5 represents one hour and thirty minutes.

The value must be greater than or equal to 0. A value of 0 indicates that the mongod should truncate the oplog starting with the oldest entries to maintain the configured maximum oplog size.

Defaults to 0.

A mongod started with oplogMinRetentionHours only removes an oplog entry if:

  • The oplog has reached the maximum configured oplog size, and
  • The oplog entry is older than the configured number of hours based on the host system clock.

The mongod has the following behavior when configured with a minimum oplog retention period:

  • The oplog can grow without constraint so as to retain oplog entries for the configured number of hours. This may result in reduction or exhaustion of system disk space due to a combination of high write volume and large retention period.
  • If the oplog grows beyond its maximum size, the mongod may continue to hold that disk space even if the oplog returns to its maximum size or is configured for a smaller maximum size. See Reducing Oplog Size Does Not Immediately Return Disk Space.
  • The mongod compares the system wall clock to an oplog entry's creation wall clock time when enforcing oplog entry retention. Clock drift between cluster components may result in unexpected oplog retention behavior. See Clock Synchronization for more information on clock synchronization across cluster members.

To change the minimum oplog retention period after starting the mongod, use replSetResizeOplog. replSetResizeOplog enables you to resize the oplog dynamically without restarting the mongod process. To persist the changes made using replSetResizeOplog through a restart, update the value of oplogMinRetentionHours.

storage.wiredTiger Options

storage:
   wiredTiger:
      engineConfig:
         cacheSizeGB: <number>
         journalCompressor: <string>
         directoryForIndexes: <boolean>
         maxCacheOverflowFileSizeGB: <number>   # Deprecated in MongoDB 4.4
      collectionConfig:
         blockCompressor: <string>
      indexConfig:
         prefixCompression: <boolean>
storage.wiredTiger.engineConfig.cacheSizeGB

Type: float

Defines the maximum size of the internal cache that WiredTiger will use for all data. The memory consumed by an index build (see maxIndexBuildMemoryUsageMegabytes) is separate from the WiredTiger cache memory.

Values can range from 0.25 GB to 10000 GB.

Starting in MongoDB 3.4, the default WiredTiger internal cache size is the larger of either:

  • 50% of (RAM - 1 GB), or
  • 256 MB.

For example, on a system with a total of 4GB of RAM the WiredTiger cache will use 1.5GB of RAM (0.5 * (4 GB - 1 GB) = 1.5 GB). Conversely, a system with a total of 1.25 GB of RAM will allocate 256 MB to the WiredTiger cache because that is more than half of the total RAM minus one gigabyte (0.5 * (1.25 GB - 1 GB) = 128 MB < 256 MB).

Note

In some instances, such as when running in a container, the database can have memory constraints that are lower than the total system memory. In such instances, this memory limit, rather than the total system memory, is used as the maximum RAM available.

To see the memory limit, see hostInfo.system.memLimitMB.

Avoid increasing the WiredTiger internal cache size above its default value.

With WiredTiger, MongoDB utilizes both the WiredTiger internal cache and the filesystem cache.

Via the filesystem cache, MongoDB automatically uses all free memory that is not used by the WiredTiger cache or by other processes.

Note

The storage.wiredTiger.engineConfig.cacheSizeGB limits the size of the WiredTiger internal cache. The operating system will use the available free memory for filesystem cache, which allows the compressed MongoDB data files to stay in memory. In addition, the operating system will use any free RAM to buffer file system blocks and file system cache.

To accommodate the additional consumers of RAM, you may have to decrease WiredTiger internal cache size.

The default WiredTiger internal cache size value assumes that there is a single mongod instance per machine. If a single machine contains multiple MongoDB instances, then you should decrease the setting to accommodate the other mongod instances.

If you run mongod in a container (e.g. lxc, cgroups, Docker, etc.) that does not have access to all of the RAM available in a system, you must set storage.wiredTiger.engineConfig.cacheSizeGB to a value less than the amount of RAM available in the container. The exact amount depends on the other processes running in the container. See memLimitMB.

storage.wiredTiger.engineConfig.journalCompressor

Default: snappy

Specifies the type of compression to use to compress WiredTiger journal data.

Available compressors are:

  • none
  • snappy
  • zlib
  • zstd (Available starting in MongoDB 4.2)
storage.wiredTiger.engineConfig.directoryForIndexes

Type: boolean

Default: false

When storage.wiredTiger.engineConfig.directoryForIndexes is true, mongod stores indexes and collections in separate subdirectories under the data (i.e. storage.dbPath) directory. Specifically, mongod stores the indexes in a subdirectory named index and the collection data in a subdirectory named collection.

By using a symbolic link, you can specify a different location for the indexes. Specifically, when the mongod instance is not running, move the index subdirectory to the destination and create a symbolic link named index under the data directory to the new destination.

storage.wiredTiger.engineConfig.maxCacheOverflowFileSizeGB

Type: float

Note
Deprecated in MongoDB 4.4

MongoDB deprecates the storage.wiredTiger.engineConfig.maxCacheOverflowFileSizeGB option. The option has no effect starting in MongoDB 4.4.

Specifies the maximum size (in GB) for the "lookaside (or cache overflow) table" file WiredTigerLAS.wt for MongoDB 4.2.1-4.2.x and 4.0.12-4.0.x. The file no longer exists starting in version 4.4.

The setting can accept the following values:

| Value | Description |
| --- | --- |
| 0 | The default value. If set to 0, the file size is unbounded. |
| number >= 0.1 | The maximum size (in GB). If the WiredTigerLAS.wt file exceeds this size, mongod exits with a fatal assertion. You can clear the WiredTigerLAS.wt file and restart mongod. |

To change the maximum size during runtime, use the wiredTigerMaxCacheOverflowSizeGB parameter.

Available starting in MongoDB 4.2.1 (and 4.0.12)

storage.wiredTiger.engineConfig.zstdCompressionLevel

Type: integer

Default: 6

Specifies the level of compression applied when using the zstd compressor.

Values can range from 1 to 22.

The higher the specified value for zstdCompressionLevel, the higher the compression that is applied.

Only applicable when blockCompressor is set to zstd.

Available starting in MongoDB 5.0

storage.wiredTiger.collectionConfig.blockCompressor

Default: snappy

Specifies the default compression for collection data. You can override this on a per-collection basis when creating collections.

Available compressors are:

  • none
  • snappy
  • zlib
  • zstd (Available starting MongoDB 4.2)

storage.wiredTiger.collectionConfig.blockCompressor affects all collections created. If you change the value of storage.wiredTiger.collectionConfig.blockCompressor on an existing MongoDB deployment, all new collections will use the specified compressor. Existing collections will continue to use the compressor specified when they were created, or the default compressor at that time.

storage.wiredTiger.indexConfig.prefixCompression

Default: true

Enables or disables prefix compression for index data.

Specify true for storage.wiredTiger.indexConfig.prefixCompression to enable prefix compression for index data, or false to disable prefix compression for index data.

The storage.wiredTiger.indexConfig.prefixCompression setting affects all indexes created. If you change the value of storage.wiredTiger.indexConfig.prefixCompression on an existing MongoDB deployment, all new indexes will use prefix compression. Existing indexes are not affected.

storage.inmemory Options

storage:
   inMemory:
      engineConfig:
         inMemorySizeGB: <number>
storage.inMemory.engineConfig.inMemorySizeGB

Type: float

Default: 50% of physical RAM less 1 GB

Changed in version 3.4.

Values can range from 256MB to 10TB and can be a float.

Maximum amount of memory to allocate for in-memory storage engine data, including indexes, oplog if the mongod is part of replica set, replica set or sharded cluster metadata, etc.

By default, the in-memory storage engine uses 50% of physical RAM minus 1 GB.

Note
Enterprise Feature

Available in MongoDB Enterprise only.

operationProfiling Options

operationProfiling:
   mode: <string>
   slowOpThresholdMs: <int>
   slowOpSampleRate: <double>
   filter: <string>
operationProfiling.mode

Type: string

Default: off

Specifies which operations should be profiled. The following profiler levels are available:

| Level | Description |
| --- | --- |
| off | The profiler is off and does not collect any data. This is the default profiler level. |
| slowOp | The profiler collects data for operations that take longer than the value of slowms. |
| all | The profiler collects data for all operations. |

Important

Profiling can impact performance and shares settings with the system log. Carefully consider any performance and security implications before configuring and enabling the profiler on a production deployment.

See Profiler Overhead for more information on potential performance degradation.

operationProfiling.slowOpThresholdMs

Type: integer

Default: 100

The slow operation time threshold, in milliseconds. Operations that run for longer than this threshold are considered slow.

When logLevel is set to 0, MongoDB records slow operations to the diagnostic log at a rate determined by slowOpSampleRate.

At higher logLevel settings, all operations appear in the diagnostic log regardless of their latency with the following exception: the logging of slow oplog entry messages by the secondaries. The secondaries log only the slow oplog entries; increasing the logLevel does not log all oplog entries.

Changed in version 4.0.

The slowOpThresholdMs setting is available for mongod and mongos. In earlier versions, slowOpThresholdMs is available for mongod only.

  • For mongod instances, the setting affects both the diagnostic log and, if enabled, the profiler.
  • For mongos instances, the setting affects the diagnostic log only and not the profiler since profiling is not available on mongos.
operationProfiling.slowOpSampleRate

Type: double

Default: 1.0

The fraction of slow operations that should be profiled or logged. operationProfiling.slowOpSampleRate accepts values between 0 and 1, inclusive.

Changed in version 4.0.

The slowOpSampleRate setting is available for mongod and mongos. In earlier versions, slowOpSampleRate is available for mongod only.

  • For mongod instances, the setting affects both the diagnostic log and, if enabled, the profiler.
  • For mongos instances, the setting affects the diagnostic log only and not the profiler since profiling is not available on mongos.
operationProfiling.filter

Type: string representation of a query document

A filter expression that controls which operations are profiled and logged.

When filter is set, slowOpThresholdMs and slowOpSampleRate are not used for profiling and slow-query log lines.

When you set a profile filter in the configuration file, the filter applies to all databases in the deployment. To set a profile filter for a specific database, use the db.setProfilingLevel() method.

The option takes a string representation of a query document of the form:

{ <field1>: <expression1>, ... }

The <field> can be any field in the profiler output. The <expression> is a query condition expression.

To specify a profiling filter in a configuration file, you must:

  • Enclose the filter document in single quotes to pass the document as a string.
  • Use the YAML format of the configuration file.

For example, the following filter configures the profiler to log query operations that take longer than 2 seconds:

operationProfiling:
   mode: all
   filter: '{ op: "query", millis: { $gt: 2000 } }'

New in version 4.4.2.

replication Options

replication:
   oplogSizeMB: <int>
   replSetName: <string>
   enableMajorityReadConcern: <boolean>

replication.oplogSizeMB

Type: integer

The maximum size in megabytes for the replication operation log (i.e., the oplog).

Note

Starting in MongoDB 4.0, the oplog can grow past its configured size limit to avoid deleting the majority commit point.

By default, the mongod process creates an oplog based on the maximum amount of space available. For 64-bit systems, the oplog is typically 5% of available disk space.

Once the mongod has created the oplog for the first time, changing the replication.oplogSizeMB option will not affect the size of the oplog. To change the maximum oplog size after starting the mongod, use replSetResizeOplog. replSetResizeOplog enables you to resize the oplog dynamically without restarting the mongod process. To persist the changes made using replSetResizeOplog through a restart, update the value of oplogSizeMB.

See Oplog Size for more information.

The replication.oplogSizeMB setting is available only for mongod.

replication.replSetName

Type: string

The name of the replica set that the mongod is part of. All hosts in the replica set must have the same set name.

If your application connects to more than one replica set, each set must have a distinct name. Some drivers group replica set connections by replica set name.

The replication.replSetName setting is available only for mongod.

Starting in MongoDB 4.0:

replication.enableMajorityReadConcern

Default: true

Configures support for "majority" read concern.

Starting in MongoDB 5.0, enableMajorityReadConcern cannot be changed and is always set to true. Attempting to start a storage engine that does not support majority read concern with the --enableMajorityReadConcern option will fail and return an error message.

In earlier versions of MongoDB, enableMajorityReadConcern was configurable.

Warning

If you are using a three-member primary-secondary-arbiter (PSA) architecture, the write concern "majority" can cause performance issues if a secondary is unavailable or lagging. See Mitigate Performance Issues with PSA Replica Set for advice on how to mitigate these issues.

sharding Options

sharding:
   clusterRole: <string>
   archiveMovedChunks: <boolean>

sharding.clusterRole

Type: string

The role that the mongod instance has in the sharded cluster. Set this setting to one of the following:

| Value | Description |
| --- | --- |
| configsvr | Start this instance as a config server. The instance starts on port 27019 by default. When you configure a MongoDB instance as clusterRole configsvr you must also specify a replSetName. |
| shardsvr | Start this instance as a shard. The instance starts on port 27018 by default. When you configure a MongoDB instance as a clusterRole shardsvr you must also specify a replSetName. |

Note

Setting sharding.clusterRole requires the mongod instance to be running with replication. To deploy the instance as a replica set member, use the replSetName setting and specify the name of the replica set.

The sharding.clusterRole setting is available only for mongod.

sharding.archiveMovedChunks

Type: boolean

Changed in version 3.2.

Starting in 3.2, MongoDB uses false as the default.

During chunk migration, a shard does not save documents migrated from the shard.

auditLog Options

Note

Available only in MongoDB Enterprise and MongoDB Atlas.

auditLog:
   destination: <string>
   format: <string>
   path: <string>
   filter: <string>

auditLog.auditEncryptionKeyIdentifier

Type: string

New in version 5.3.

Specifies the unique identifier of the Key Management Interoperability Protocol (KMIP) key for audit log encryption.

You cannot use auditLog.auditEncryptionKeyIdentifier and auditLog.localAuditKeyFile together.

Note

Available only in MongoDB Enterprise. MongoDB Enterprise and Atlas have different configuration requirements.

auditLog.compressionMode

Type: string

New in version 5.3.

Specifies the compression mode for audit log encryption. You must also enable audit log encryption using either auditLog.auditEncryptionKeyIdentifier or auditLog.localAuditKeyFile.

auditLog.compressionMode can be set to one of these values:

| Value | Description |
| --- | --- |
| zstd | Use the zstd algorithm to compress the audit log. |
| none (default) | Do not compress the audit log. |

Note

Available only in MongoDB Enterprise. MongoDB Enterprise and Atlas have different configuration requirements.

auditLog.destination

Type: string

When set, auditLog.destination enables auditing and specifies where mongos or mongod sends all audit events.

auditLog.destination can have one of the following values:

| Value | Description |
| --- | --- |
| syslog | Output the audit events to syslog in JSON format. Not available on Windows. Audit messages have a syslog severity level of info and a facility level of user. The syslog message limit can result in the truncation of audit messages. The auditing system will neither detect the truncation nor error upon its occurrence. |
| console | Output the audit events to stdout in JSON format. |
| file | Output the audit events to the file specified in auditLog.path in the format specified in auditLog.format. |

Note

Available only in MongoDB Enterprise and MongoDB Atlas.

auditLog.filter

Type: string representation of a document

The filter to limit the types of operations the audit system records. The option takes a string representation of a query document of the form:

{ <field1>: <expression1>, ... }

The <field> can be any field in the audit message, including fields returned in the param document. The <expression> is a query condition expression.

To specify an audit filter, enclose the filter document in single quotes to pass the document as a string.

To specify the audit filter in a configuration file, you must use the YAML format of the configuration file.

Note

Available only in MongoDB Enterprise and MongoDB Atlas.

auditLog.format

Type: string

The format of the output file for auditing if destination is file. The auditLog.format option can have one of the following values:

| Value | Description |
| --- | --- |
| JSON | Output the audit events in JSON format to the file specified in auditLog.path. |
| BSON | Output the audit events in BSON binary format to the file specified in auditLog.path. |

Printing audit events to a file in JSON format degrades server performance more than printing to a file in BSON format.

Note

Available only in MongoDB Enterprise and MongoDB Atlas.

auditLog.localAuditKeyFile

Type: string

New in version 5.3.

Specifies the path and file name for a local audit key file for audit log encryption.

Note

Only use auditLog.localAuditKeyFile for testing because the key is not secured. To secure the key, use auditLog.auditEncryptionKeyIdentifier and an external Key Management Interoperability Protocol (KMIP) server.

You cannot use auditLog.localAuditKeyFile and auditLog.auditEncryptionKeyIdentifier together.

Note

Available only in MongoDB Enterprise. MongoDB Enterprise and Atlas have different configuration requirements.

auditLog.path

Type: string

The output file for auditing if destination has value of file. The auditLog.path option can take either a full path name or a relative path name.

auditLog.runtimeConfiguration

Type: boolean

Specifies if a node allows runtime configuration of audit filters and the auditAuthorizationSuccess variable. If true the node can take part in Online Audit Filter Management.

Note

Available only in MongoDB Enterprise and MongoDB Atlas.

snmp Options

Note

MongoDB Enterprise on macOS does not include support for SNMP due to SERVER-29352.

snmp:
   disabled: <boolean>
   subagent: <boolean>
   master: <boolean>

snmp.disabled

Type: boolean

Default: false

Disables SNMP access to mongod. The option is incompatible with snmp.subagent and snmp.master.

Set to true to disable SNMP access.

The snmp.disabled setting is available only for mongod.

New in version 4.0.6.

snmp.subagent

Type: boolean

When snmp.subagent is true, SNMP runs as a subagent. The option is incompatible with snmp.disabled set to true.

The snmp.subagent setting is available only for mongod.

snmp.master

Type: boolean

When snmp.master is true, SNMP runs as a master. The option is incompatible with snmp.disabled set to true.

The snmp.master setting is available only for mongod.
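
The constraints stated above for the sharding, auditLog and snmp options can be checked before a node is started. The following is an added example, not part of the MongoDB manual: a small Python linter whose parser handles only the nested key: value subset of YAML shown on this page. The rule names and the sample configuration are constructed for illustration.

```python
# Added example (not MongoDB code): lint a config against constraints stated on this page.
def parse_config(text):
    """Parse the nested 'key: value' subset of YAML used by these options."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping), innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = line.partition(":")   # split on the first colon only
        value = value.strip()
        while stack[-1][0] >= indent:         # leave sections we have dedented out of
            stack.pop()
        parent = stack[-1][1]
        if not value:                         # "section:" opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        elif value in ("true", "false"):
            parent[key] = value == "true"
        else:
            parent[key] = value.strip("'\"")  # drop the quotes around filter strings
    return root

def lint(cfg):
    """Return (severity, rule, message) tuples; rule names are this example's own."""
    audit, repl = cfg.get("auditLog", {}), cfg.get("replication", {})
    shard, snmp = cfg.get("sharding", {}), cfg.get("snmp", {})
    kmip = "auditEncryptionKeyIdentifier" in audit
    local = "localAuditKeyFile" in audit
    out = []
    if kmip and local:
        out.append(("error", "AUDIT_KEY_CONFLICT", "KMIP key id and local key file both set"))
    if local:
        out.append(("warn", "AUDIT_LOCAL_KEY", "localAuditKeyFile is for testing only"))
    if "compressionMode" in audit and not (kmip or local):
        out.append(("error", "AUDIT_COMPRESSION_NO_ENCRYPTION", "encryption is not enabled"))
    if audit.get("destination") == "file" and "path" not in audit:
        out.append(("error", "AUDIT_PATH_MISSING", "destination is file, auditLog.path unset"))
    if audit.get("destination") == "syslog":
        out.append(("warn", "AUDIT_SYSLOG_TRUNCATION", "truncated messages go undetected"))
    if shard.get("clusterRole") in ("configsvr", "shardsvr") and "replSetName" not in repl:
        out.append(("error", "SHARD_NO_REPLSET", "clusterRole requires replSetName"))
    if snmp.get("disabled") is True and (snmp.get("subagent") or snmp.get("master")):
        out.append(("error", "SNMP_CONFLICT", "disabled: true with subagent or master"))
    return out

# Constructed sample configuration (not from the MongoDB manual); values are placeholders.
SAMPLE = """\
sharding:
   clusterRole: shardsvr
auditLog:
   destination: file
   filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
   localAuditKeyFile: /path/to/placeholder-audit.key
   auditEncryptionKeyIdentifier: placeholder-key-id
snmp:
   disabled: true
   subagent: true
"""

if __name__ == "__main__":
    for severity, rule, message in lint(parse_config(SAMPLE)):
        print(f"{severity:5} {rule}: {message}")
```
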

mongos-only Options

Changed in version 3.4.

MongoDB 3.4 removes sharding.chunkSize and sharding.autoSplit settings.

replication:
   localPingThresholdMs: <int>
sharding:
   configDB: <string>

replication.localPingThresholdMs

Type: integer

Default: 15

The ping time, in milliseconds, that mongos uses to determine which secondary replica set members to pass read operations from clients. The default value of 15 corresponds to the default value in all of the client drivers.

When mongos receives a request that permits reads to secondary members, the mongos will:

  • Find the member of the set with the lowest ping time.
  • Construct a list of replica set members that is within a ping time of 15 milliseconds of the nearest suitable member of the set.

    If you specify a value for the replication.localPingThresholdMs option, mongos will construct the list of replica members that are within the latency allowed by this value.

  • Select a member to read from at random from this list.

The ping time used for a member compared by the replication.localPingThresholdMs setting is a moving average of recent ping times, calculated at most every 10 seconds. As a result, some queries may reach members above the threshold until the mongos recalculates the average.

See the Read Preference for Replica Sets section of the read preference documentation for more information.

sharding.configDB

Type: string

Changed in version 3.2.

The configuration servers for the sharded cluster.

Starting in MongoDB 3.2, config servers for sharded clusters can be deployed as a replica set. The replica set config servers must run the WiredTiger storage engine. MongoDB 3.2 deprecates the use of three mirrored mongod instances for config servers.

Specify the config server replica set name and the hostname and port of at least one of the members of the config server replica set.

sharding:
  configDB: <configReplSetName>/cfg1.example.net:27019, cfg2.example.net:27019,...

The mongos instances for the sharded cluster must specify the same config server replica set name but can specify hostname and port of different members of the replica set.

Windows Service Options

processManagement:
   windowsService:
      serviceName: <string>
      displayName: <string>
      description: <string>
      serviceUser: <string>
      servicePassword: <string>

processManagement.windowsService.serviceName

Type: string

Default: MongoDB

The service name of mongos or mongod when running as a Windows Service. Use this name with the net start <name> and net stop <name> operations.

You must use processManagement.windowsService.serviceName in conjunction with either the --install or --remove option.

processManagement.windowsService.displayName

Type: string

Default: MongoDB

The name listed for MongoDB on the Services administrative application.

processManagement.windowsService.description

Type: string

Default: MongoDB Server

The description of the mongos or mongod service.

You must use processManagement.windowsService.description in conjunction with the --install option.

For descriptions that contain spaces, you must enclose the description in quotes.

processManagement.windowsService.serviceUser

Type: string

Runs the mongos or mongod service in the context of a certain user. This user must have "Log on as a service" privileges.

You must use processManagement.windowsService.serviceUser in conjunction with the --install option.

processManagement.windowsService.servicePassword

Type: string

The password for <user> for mongos or mongod when running with the processManagement.windowsService.serviceUser option.

You must use processManagement.windowsService.servicePassword in conjunction with the --install option.

Removed MMAPv1 Options

Starting in version 4.2, MongoDB removes the deprecated MMAPv1 storage engine and the MMAPv1-specific configuration options:

| Removed Configuration File Setting | Removed Command-line Option |
| --- | --- |
| storage.mmapv1.journal.commitIntervalMs | |
| storage.mmapv1.journal.debugFlags | mongod --journalOptions |
| storage.mmapv1.nsSize | mongod --nssize |
| storage.mmapv1.preallocDataFiles | mongod --noprealloc |
| storage.mmapv1.quota.enforced | mongod --quota |
| storage.mmapv1.quota.maxFilesPerDB | mongod --quotaFiles |
| storage.mmapv1.smallFiles | mongod --smallfiles |
| storage.repairPath | mongod --repairpath |
| replication.secondaryIndexPrefetch | mongod --replIndexPrefetch |

For earlier versions of MongoDB, refer to the corresponding version of the manual. For example:
