What's New in Percona Server for MongoDB? 2019 Q3: Enterprise Enhancements and v4.2 4:00 PM - 4:50 PM - Room B
About Adamo and Akira
Two of the most experienced MongoDB field experts in the world.
Adamo w/ MongoDB: 2013 ~ MongoDB: 2009 ~ vs. Akira w/ MongoDB: 2014 ~ + Akira MongoDB > MongoDB ! Adamo MongoDB

Talk Overview
● New in Percona Server for MongoDB (PSMDB) 4.0+
  ○ Encryption at rest with Hashicorp Vault
  ○ All about PSMDB
● MongoDB Community / PSMDB 4.2
  ○ New Primary throttle (a.k.a. "flow control")
  ○ New index build process
  ○ Cursors and user info added to $currentOp
  ○ Wildcard indexes
  ○ Modularization-friendly config files

Encryption at Rest with Hashicorp Vault

What is Encryption and How Does it Work?
Encryption is the process of hiding data in such a way that only those who hold the decryption key can read it. Any data (files, emails, network traffic, individual fields) can be encrypted. For MongoDB data-at-rest encryption, the collection documents and index key entries are encrypted within the WiredTiger Btree file format saved in the *.wt files.

Types of Encryption
PSMDB has two optional encryption features:
● Encryption at Rest
● Encryption in Transit (SSL/TLS)
We'll discuss both, but focus a bit more on encryption at rest, as this is a free feature only in PSMDB.

WiredTiger Keyfile-Encryption
This is the basic encryption mode, where a key file acts as the encryption and decryption key of the database. The encryption key is in the filesystem and can be read by any root user or by mongod. The database is encrypted; however, the secret is not that secret.

WiredTiger Keyfile-Encryption
(diagram: Instance)

WiredTiger Vault Encryption
A vault is an external process capable of keeping secrets and answering API-like calls to show a secret to a client. PSMDB is fully integrated with Hashicorp Vault.

WiredTiger Vault Encryption
(diagram: Instance, token a8abc37456e, secret)
● Token can be changed
● Secret is not on the same disk as data

What is Hashicorp Vault?
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

How Does Hashicorp Vault Work?
Vault only speaks TLS, so we need to configure the CA file; otherwise the client won't be able to understand the reply. This is also a security feature, as any request without SSL will fail. Clients request the secret from the vault using a previously created token. This is logged in the audit log, and the server replies to the client with the secret. The secret is used to decrypt the key.db database, then open the master key to encrypt/decrypt the database.

Parameters to Enable Vault in PSMDB
  --enableEncryption
  --encryptionCipherMode AES256-CBC
  --vaultServerName <vault ip>
  --vaultPort 8200
  --vaultTokenFile <machine token file>
  --vaultSecret secret/data/psmdb-node1

Parameters to Enable Vault in PSMDB
  security:
    enableEncryption: true
    vault:
      serverName: 127.0.0.1
      port: 8200
      tokenFile: /home/user/path/token
      secret: secret/data/hello

Backups?
● Logical backups (mongodump) work the same as before; all the data is decrypted.
● Binary copies (Percona hot backup) will need to access the vault in order to get the secret to open the key.db; otherwise the database will fail to start.
Always encrypt your logical backup; the easiest way is using GPG.

What About the Data in Transit?
● Because the encryption is at rest, all the data transits over the wire without encryption. That makes it really easy to intercept.
● Encryption at rest doesn't remove the necessity of using TLS/SSL (we will talk about that shortly).

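A pre-flight check for the settings covered in this section (keyfile versus Vault, the CA file, TLS in transit), as an added example that is not Percona's code or part of the original slides. The small config flattener, the token-file permission check and the `net` section of the sample are assumptions added for illustration.

```python
# Added example: audit a mongod config for the encryption settings in this talk.
SAMPLE_CONFIG = """\
security:
  enableEncryption: true
  vault:
    serverName: 127.0.0.1
    port: 8200
    tokenFile: /home/user/path/token
    secret: secret/data/hello
net:
  port: 27017
"""  # constructed: the slide's security section plus an assumed net section

def flatten_config(text):
    """Flatten simple nested 'key: value' YAML (no lists, no quoting) to dotted keys."""
    flat, stack = {}, []  # stack holds (indent, key) for the enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip()
    return flat

def audit(flat, token_mode=None):
    """Return findings; token_mode is the st_mode of the Vault token file, if known."""
    findings = []
    if flat.get("security.enableEncryption") != "true":
        findings.append("encryption at rest is not enabled")
    if "security.encryptionKeyFile" in flat:
        findings.append("keyfile mode: the key is on the same filesystem as the data")
    elif "security.vault.secret" not in flat:
        findings.append("no Vault secret path configured")
    elif "security.vault.serverCAFile" not in flat:
        findings.append("vault.serverCAFile is not set")
    if token_mode is not None and token_mode & 0o077:
        findings.append("Vault token file is readable by group or others")
    tls = flat.get("net.tls.mode") or flat.get("net.ssl.mode")
    if tls not in ("requireTLS", "requireSSL"):
        findings.append("TLS is not required for client connections")
    return findings

if __name__ == "__main__":
    for finding in audit(flatten_config(SAMPLE_CONFIG), token_mode=0o100644):
        print("FINDING:", finding)
```

On a real host, pass `os.stat(flat["security.vault.tokenFile"]).st_mode` as `token_mode`; 4.0 configs use `net.ssl.mode` and 4.2 configs use `net.tls.mode`, so the check accepts either.
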
Everything Else

Everything Else
Percona Server for MongoDB comes with additional features such as:
• LDAP Authentication
• Auditing
• Log Redaction
• In-Memory Storage Engine
• Hot Backup
All free and open source!

LDAP authentication
LDAP stands for Lightweight Directory Access Protocol. It is a common protocol used in companies to centralise their users in a single piece of software. All the other connected software can validate a user and password through the LDAP client. Microsoft's version of LDAP is Active Directory. PSMDB features LDAP authentication, not authorization.

Auditing
For enhanced security and compliance, awareness of the operations the database is performing can be critical. With an audit, it's possible to track operations such as user and index creation at the database level.

Log Redaction
Logs can contain sensitive data. Depending on regulations, certain information may not be allowed to be saved in a log file. Log redaction hides sensitive information, changing the values to a different character.

In Memory Storage Engine
Low-latency storage engine that doesn't interact with the disk subsystem. Completely ephemeral: once the database stops, all the data is gone. Sub-millisecond latency, only for specific use cases.

PSMDB only features
Hot Backup: This is a backup command that will generate an exact copy of the database (binary copy) in a different folder, in a very lightweight fashion.
  > use admin
  switched to db admin
  > db.runCommand({createBackup: 1, backupDir: "/my/backup/data/path"})
  { "ok" : 1 }

Migration to PSMDB
PSMDB is compatible with MongoDB Enterprise and Community. Just replace the MongoDB Community binaries with PSMDB and you'll be all set. PSMDB can replace MongoDB Enterprise in place, except when the config file has enabled:
* security.kmip.* options (PSMDB uses security.vault.* instead)
* security.ldap.* options (PSMDB supports only saslauthd LDAP authentication as of v4.0.12-6)

PMM
PMM is an open-source platform for managing and monitoring MySQL and MongoDB performance and metrics. It is based on Docker, virtual appliances and AWS AMI, and it is self-hosted.
https://www.percona.com/blog/2018/07/05/configuring-pmm-monitoring-mongodb-cluster/

PMM 2 is GA! https://pmmdemo.percona.com/graph/
New in 4.2

Primary Throttle
"Flow control"

Primary Throttle
What happens when a replica set has:
● Uneven hardware?
● 'Noisy neighbours' in VM servers?
Primary server's capacity > Secondary's capacity
No problem so long as Load < Secondary's capacity
But replication lag will grow when load goes above the secondary's capacity.

Long Replication Lag OK? Not OK?
Yes, if:
● You want fastest-possible writes at any time. (Use w:1)
But:
● Recognize that high-load, server capacity-saturating times are the most likely times to have failovers.
● Accept that writes will be rolled back in those failovers. A lot of replication lag == a lot of rolled-back documents.
● If you use secondary reads: very stale data.

Long Replication Lag OK? Not OK?
"And if I say, 'No thanks'?"
A. Use w:majority Write Concern
● Latency for client increased
● More connections open simultaneously, awaiting client ⇄ P ⇄ S confirmations.
● Capacity effectively throttled to the weakest server in the w:majority subset of the replica set.

MVCC, Transactions, Replication
WiredTiger is an MVCC architecture. It supports transactions.
MVCC update: make new version of document + pin old version of document until no client needs it.
Clean-up is performed asynchronously by the storage engine.

MVCC, Transactions, Replication
MongoDB 4.0 added multi-document, user-level transactions.
● Multiple clients can attempt to read or modify the same doc.
● The old document version is pinned until the slowest/latest client request referencing it finishes.
MongoDB 4.2 enables cluster-wide transactions.
Long transactions == Long pin time == Larger active cache.
When app client requests have conflicts: double work (or worse).

MVCC, Transactions, Replication
A secondary reading from the primary == Another client. It pins old versions whilst its replication optime is older.
At checkpoint time the newest committed docs are saved to the Primary's disk. Unreplicated old document versions go into a separate "Cache overflow" data structure (a.k.a. Lookaside table).
Cost: Lift-and-move (+ disk flush) on a fraction of the per-minute write volume.

Impact of Secondary Lag on the Primary
Costs: Amount of cache active increases proportional to pin time.
● Transaction pinning:
  ○ Best-case: Linear increase.
  ○ High doc conflicts: Exponential increase.
● Replication lag factor at checkpoint:
  ○ Old doc versions go into "Cache overflow."
  ○ Linear but high cost for proportion of writes each min.
  ○ Proportion ~= replication-lag / flush interval (default 60s).

Impact of Secondary Lag on the Primary
If a checkpoint takes too long, latency suffers.
● No software 'locks'.
● But hardware resources are heavily utilized.
E.g. a five-second checkpoint could easily cause 1.0+ sec latency for clients.

Primary Throttle
Software throttle to prevent replication lag.
Capping "cache overflow" work == Capping worst-case conflicts for I/O resources during checkpoints