mirror
/
mongo
mirror of https://github.com/mongodb/mongo
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SERVER-46321 update man pages for 4.4

This commit is contained in:
Zakhar Kleyman 2020-07-30 13:59:51 -04:00 committed by Evergreen Agent
parent e62f90245b
commit 122e9e8fe5
10 changed files with 3355 additions and 608 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

405
debian/mongo.1 vendored
View File

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "MONGO" "1" "Aug 16, 2019" "4.2" "mongodb-manual"
.TH "MONGO" "1" "Jun 23, 2020" "4.4" "mongodb-manual"
.SH NAME
mongo \- MongoDB Shell
.
@ -54,14 +54,65 @@ MongoDB, which provides a powerful interface for system
administrators as well as a way for developers to test queries and
operations directly with the database. \fI\%mongo\fP also provides
a fully functional JavaScript environment for use with a MongoDB.
The \fI\%mongo\fP shell is part of the \fI\%MongoDB distributions\fP\&.
.sp
The \fI\%mongo\fP shell is included as part of the MongoDB Server installation. MongoDB also provides the \fI\%mongo\fP
shell as a standalone package. To download the standalone \fI\%mongo\fP
shell package:
.INDENT 0.0
.IP 1. 3
Access the Download Center for your Edition of MongoDB:
.INDENT 3.0
.IP \(bu 2
\fI\%MongoDB Community Download Center\fP
.IP \(bu 2
\fI\%MongoDB Enterprise Download Center\fP
.UNINDENT
.IP 2. 3
Select your preferred Version and Platform
from the dropdowns.
.IP 3. 3
Select the Package to download according to your
platform:
.TS
center;
|l|l|.
_
T{
Platform
T} T{
Download Package
T}
_
T{
\fIWindows\fP
T} T{
Select the \fBzip\fP package to download an archive which
includes the \fI\%mongo\fP shell.
T}
_
T{
\fImacOS\fP
T} T{
Select the \fBtgz\fP package to download an archive which
includes the \fI\%mongo\fP shell.
T}
_
T{
\fILinux\fP
T} T{
Select the \fBshell\fP package to download the
\fI\%mongo\fP shell.
T}
_
.TE
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Starting in MongoDB 4.2, the \fI\%mongo\fP shell displays a
Starting in MongoDB 4.2 (and 4.0.13), the \fI\%mongo\fP shell displays a
warning message when connected to non\-genuine MongoDB instances as
these instances may behave differently from the official MongoDB
instances; e.g. missing or incomplete features, different feature
@ -260,6 +311,12 @@ As a result many options of the shell environment are not available.
Specifies a username with which to authenticate to a MongoDB database
that uses authentication. Use in conjunction with the \fI\%\-\-password\fP and
\fI\%\-\-authenticationDatabase\fP options.
.sp
If connecting to a \fI\%MongoDB Atlas\fP cluster
using the \fBMONGODB\-AWS\fP \fI\%authentication mechanism\fP, specify your AWS access key ID in this
field, or in the connection string\&. Alternatively, this value may
also be supplied as the environment variable \fBAWS_ACCESS_KEY_ID\fP\&.
See \fI\%Connect to a MongoDB Atlas Cluster using AWS IAM Credentials\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@ -269,6 +326,27 @@ that uses authentication. Use in conjunction with the \fI\%\-\-username\fP
and \fI\%\-\-authenticationDatabase\fP options. To force \fBmongo\fP to
prompt for a password, enter the \fI\%\-\-password\fP option as the
last option and leave out the argument.
.sp
If connecting to a \fI\%MongoDB Atlas\fP cluster
using the \fBMONGODB\-AWS\fP \fI\%authentication mechanism\fP, specify your AWS secret access key in
this field, or in the connection string\&. Alternatively, this value may
also be supplied as the environment variable
\fBAWS_SECRET_ACCESS_KEY\fP\&. See
\fI\%Connect to a MongoDB Atlas Cluster using AWS IAM Credentials\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-awsIamSessionToken <aws session token>
If connecting to a \fI\%MongoDB Atlas\fP cluster
using the \fBMONGODB\-AWS\fP \fI\%authentication mechanism\fP and using session tokens in addition to
your AWS access key ID and secret access key, specify your AWS
session token in this field, or in the connection string\&. Alternatively, this value may
also be supplied as the environment variable
\fBAWS_SESSION_TOKEN\fP\&. See
\fI\%Connect to a MongoDB Atlas Cluster using AWS IAM Credentials\fP\&.
.sp
Only valid when using the \fBMONGODB\-AWS\fP
\fI\%authentication mechanism\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@ -411,7 +489,7 @@ New in version 3.4.
.sp
Allows fields of type javascript and
javascriptWithScope to be automatically
javascriptWithScope (*Deprecated*) to be automatically
marshalled to JavaScript functions in the \fI\%mongo\fP
shell.
.sp
@ -457,7 +535,7 @@ object
> doc.func instanceof Code
true
> doc.jsFunc()
2016\-11\-09T12:30:36.808\-0800 E QUERY [thread1] TypeError: doc.jsFunc is
2016\-11\-09T12:30:36.808\-08:00 E QUERY [thread1] TypeError: doc.jsFunc is
not a function :
@(shell):1:1
.ft P
@ -504,6 +582,11 @@ See user\-authentication\-database\&.
.sp
If you do not specify a value for \fI\%\-\-authenticationDatabase\fP, \fBmongo\fP uses the database
specified in the connection string.
.sp
If using the GSSAPI (Kerberos),
PLAIN (LDAP SASL), or \fBMONGODB\-AWS\fP
\fI\%authentication mechanisms\fP, you
must set \fI\%\-\-authenticationDatabase\fP to \fB$external\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@ -513,11 +596,9 @@ specified in the connection string.
Specifies the authentication mechanism the \fBmongo\fP instance uses to
authenticate to the \fBmongod\fP or \fBmongos\fP\&.
.sp
Changed in version 4.0: MongoDB removes support for the deprecated MongoDB
Challenge\-Response (\fBMONGODB\-CR\fP) authentication mechanism.
.sp
MongoDB adds support for SCRAM mechanism using the SHA\-256 hash
function (\fBSCRAM\-SHA\-256\fP).
Changed in version 4.4: With MongoDB 4.4, the \fBmongo\fP shell adds support for the
new \fBMONGODB\-AWS\fP authentication mechanism when connecting to a
\fI\%MongoDB Atlas\fP cluster.
.TS
center;
@ -556,6 +637,17 @@ MongoDB TLS/SSL certificate authentication.
T}
_
T{
\fBMONGODB\-AWS\fP
T} T{
External authentication using AWS IAM credentials for use in
connecting to a
\fI\%MongoDB Atlas\fP
cluster. See \fI\%Connect to a MongoDB Atlas Cluster using AWS IAM Credentials\fP\&.
.sp
New in version 4.4.
T}
_
T{
GSSAPI (Kerberos)
T} T{
External authentication using Kerberos. This mechanism is
@ -576,9 +668,6 @@ _
.INDENT 0.0
.TP
.B \-\-gssapiHostName
New in version 2.6.
.sp
Specify the hostname of a service using GSSAPI/Kerberos\&. \fIOnly\fP required if the hostname of a machine does
not match the hostname resolved by DNS.
.sp
@ -587,9 +676,6 @@ This option is available only in MongoDB Enterprise.
.INDENT 0.0
.TP
.B \-\-gssapiServiceName
New in version 2.6.
.sp
Specify the name of the service using GSSAPI/Kerberos\&. Only required if the service does not use the
default name of \fBmongodb\fP\&.
.sp
@ -653,6 +739,13 @@ This option is required when using the \fI\%\-\-tls\fP
option to connect to a \fBmongod\fP or \fBmongos\fP
instance that requires client certificates\&. That is, the
\fI\%mongo\fP shell present this certificate to the server.
.sp
Changed in version 4.4: \fBmongod\fP / \fBmongos\fP logs a warning on
connection if the presented x.509 certificate expires within \fB30\fP
days of the \fBmongod/mongos\fP host system time. See
4.4\-rel\-notes\-certificate\-expiration\-warning for more
information.
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
@ -713,7 +806,7 @@ For more information about TLS/SSL and MongoDB, see
.INDENT 0.0
.TP
.B \-\-tlsCRLFile <filename>
New in version 4.2.
New in version 4.2: In MongoDB 4.0 and earlier, see \fI\%\-\-sslCRLFile\fP\&.
.sp
Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
@ -723,6 +816,17 @@ absolute paths.
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
Starting in version 4.4, to check for certificate revocation,
MongoDB \fBenables\fP the use of OCSP
(Online Certificate Status Protocol) by default as an alternative
to specifying a CRL file or using the system SSL certificate
store.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@ -763,8 +867,6 @@ authentication.
.UNINDENT
.UNINDENT
.sp
# We created a separate blurb for tls in the ssl\-clients page.
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
@ -864,6 +966,13 @@ _
When using the system SSL certificate store, OCSP (Online
Certificate Status Protocol) is used to validate the revocation
status of certificates.
.sp
Changed in version 4.4: \fBmongod\fP / \fBmongos\fP logs a warning on
connection if the presented x.509 certificate expires within \fB30\fP
days of the \fBmongod/mongos\fP host system time. See
4.4\-rel\-notes\-certificate\-expiration\-warning for more
information.
.UNINDENT
.INDENT 0.0
.TP
@ -873,7 +982,7 @@ New in version 4.2.
.sp
Disables the specified TLS protocols. The option recognizes the
following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP, \fBTLS1_2\fP, and
starting in version 4.0.4 (and 3.6.9), \fBTLS1_3\fP\&.
starting in version 4.0.4 (and 3.6.9 and 3.4.24), \fBTLS1_3\fP\&.
.INDENT 7.0
.IP \(bu 2
On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
@ -1066,6 +1175,17 @@ Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
List. Specify the file name of the \fB\&.pem\fP file using relative or
absolute paths.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
Starting in version 4.4, to check for certificate revocation,
MongoDB \fBenables\fP the use of OCSP
(Online Certificate Status Protocol) by default as an alternative
to specifying a CRL file or using the system SSL certificate
store.
.UNINDENT
.UNINDENT
.sp
For more information about TLS/SSL and MongoDB, see
/tutorial/configure\-ssl and
/tutorial/configure\-ssl\-clients .
@ -1112,8 +1232,6 @@ authentication.
.UNINDENT
.UNINDENT
.sp
# We created a separate blurb for tls in the ssl\-clients page.
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
@ -1198,6 +1316,98 @@ Enables retryable writes as the default for sessions in the
.sp
For more information on sessions, see sessions\&.
.UNINDENT
.SS Client\-Side Field Level Encryption Options
.INDENT 0.0
.TP
.B \-\-awsAccessKeyId <string>
An AWS \fI\%Access Key\fP
associated to an IAM user with \fBList\fP and \fBRead\fP permissions for the
AWS Key Management Service (KMS). The \fBmongo\fP shell uses the specified
\fI\%\-\-awsAccessKeyId\fP to access the KMS.
.sp
\fI\%\-\-awsAccessKeyId\fP is required for enabling /core/security\-client\-side\-encryption
for the \fBmongo\fP shell session. \fI\%\-\-awsAccessKeyId\fP requires \fIall\fP of the following
command line options:
.INDENT 7.0
.IP \(bu 2
\fI\%\-\-awsSecretAccessKey\fP
.IP \(bu 2
\fI\%\-\-keyVaultNamespace\fP
.UNINDENT
.sp
If \fI\%\-\-awsAccessKeyId\fP is omitted, use the \fBMongo()\fP constructor within the shell
session to enable client\-side field level encryption.
.sp
To mitigate the risk of leaking access keys into logs, consider specifying
an environmental variable to \fI\%\-\-awsAccessKeyId\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-awsSecretAccessKey <string>
An AWS \fI\%Secret Key\fP
associated to the specified \fI\%\-\-awsAccessKeyId\fP\&.
.sp
\fI\%\-\-awsSecretAccessKey\fP is required for enabling /core/security\-client\-side\-encryption
for the \fBmongo\fP shell session. \fI\%\-\-awsSecretAccessKey\fP requires \fIall\fP of the following
command line options:
.INDENT 7.0
.IP \(bu 2
\fI\%\-\-awsAccessKeyId\fP
.IP \(bu 2
\fI\%\-\-keyVaultNamespace\fP
.UNINDENT
.sp
If \fI\%\-\-awsSecretAccessKey\fP and its supporting options are omitted, use \fBMongo()\fP
within the shell session to enable client\-side field level encryption.
.sp
To mitigate the risk of leaking access keys into logs, consider specifying
an environmental variable to \fI\%\-\-awsSecretAccessKey\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-awsSessionToken <string>
An AWS \fI\%Session Token\fP
associated to the specified \fI\%\-\-awsAccessKeyId\fP\&.
.sp
\fI\%\-\-awsSessionToken\fP is required for enabling /core/security\-client\-side\-encryption
for the \fBmongo\fP shell session. \fI\%\-\-awsSessionToken\fP requires \fIall\fP of the following
command line options:
.INDENT 7.0
.IP \(bu 2
\fI\%\-\-awsAccessKeyId\fP
.IP \(bu 2
\fI\%\-\-awsSecretAccessKey\fP
.IP \(bu 2
\fI\%\-\-keyVaultNamespace\fP
.UNINDENT
.sp
If \fI\%\-\-awsSessionToken\fP and its supporting options are omitted, use \fBMongo()\fP
within the shell session to enable client\-side field level encryption.
.sp
To mitigate the risk of leaking access keys into logs, consider specifying
an environmental variable to \fI\%\-\-awsSessionToken\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-keyVaultNamespace <string>
The full namespace (\fB<database>.<collection>\fP) of the collection used as a
key vault for /core/security\-client\-side\-encryption\&. \fI\%\-\-keyVaultNamespace\fP is
required for enabling client\-side field level encryption. for the \fBmongo\fP
shell session. \fBmongo\fP creates the specified namespace if it does not
exist.
.sp
\fI\%\-\-keyVaultNamespace\fP requires \fIall\fP of the following command line options:
.INDENT 7.0
.IP \(bu 2
\fI\%\-\-awsAccessKeyId\fP
.IP \(bu 2
\fI\%\-\-awsSecretAccessKey\fP
.UNINDENT
.sp
If \fI\%\-\-keyVaultNamespace\fP and its supporting options are omitted, use the \fBMongo()\fP
constructor within the shell session to enable client\-side field level
encryption.
.UNINDENT
.SH FILES
.INDENT 0.0
.TP
@ -1650,6 +1860,129 @@ mongo \-\-host "mongodb+srv://server.example.com/?username=allison"
.sp
The \fI\%mongo\fP shell will automatically prompt you to provide
the password for the user specified in the \fBusername\fP option.
.SS Connect to a MongoDB Atlas Cluster using AWS IAM Credentials
.sp
New in version 4.4.
.sp
To connect to a \fI\%MongoDB Atlas\fP cluster which
has been configured to support authentication via \fI\%AWS IAM credentials\fP,
provide a connection string to
the \fI\%mongo\fP shell similar to the following:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mongo \(aqmongodb+srv://<aws access key id>:<aws secret access key>@cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS\(aq
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Connecting to Atlas using AWS IAM credentials in this manner uses the
\fBMONGODB\-AWS\fP \fBauthentication mechanism\fP
and the \fB$external\fP \fBauthSource\fP, as shown in this example.
.sp
If using an \fI\%AWS session token\fP
as well, provide it with the \fBAWS_SESSION_TOKEN\fP
\fBauthMechanismProperties\fP value in your
connection string, as follows:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mongo \(aqmongodb+srv://<aws access key id>:<aws secret access key>@cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<aws session token>\(aq
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
If the AWS access key ID, secret access key, or session token include
the \(aqat\(aq sign \fB@\fP, colon \fB:\fP, slash \fB/\fP, or the percent sign \fB%\fP
characters, those characters must be converted using \fI\%percent encoding\fP\&.
.sp
Alternatively, the AWS access key ID, and secret access key, and
optionally session token can each be provided outside of the connection
string using the \fI\%\-\-username\fP, \fI\%\-\-password\fP, and
\fI\%\-\-awsIamSessionToken\fP options instead, like so:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mongo \(aqmongodb+srv://cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS\(aq \-\-username <aws access key id> \-\-password <aws secret access key> \-\-awsIamSessionToken <aws session token>
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
When provided as command line parameters, these three options do not
require percent encoding.
.sp
You may also set these credentials on your platform using standard
\fI\%AWS IAM environment variables\fP\&.
The \fI\%mongo\fP shell checks for the following environment
variables when you use the \fBMONGODB\-AWS\fP
\fBauthentication mechanism\fP:
.INDENT 0.0
.IP \(bu 2
\fBAWS_ACCESS_KEY_ID\fP
.IP \(bu 2
\fBAWS_SECRET_ACCESS_KEY\fP
.IP \(bu 2
\fBAWS_SESSION_TOKEN\fP
.UNINDENT
.sp
If set, these credentials do not need to be specified in the connection
string or via the explicit options to the \fI\%mongo\fP shell
(i.e. \fI\%\-\-username\fP and \fI\%\-\-password\fP).
.sp
The following example sets these environment variables in the \fBbash\fP
shell:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
export AWS_ACCESS_KEY_ID=\(aq<aws access key id>\(aq
export AWS_SECRET_ACCESS_KEY=\(aq<aws secret access key>\(aq
export AWS_SESSION_TOKEN=\(aq<aws session token>\(aq
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Syntax for setting environment variables in other shells will be
different. Consult the documentation for your platform for more
information.
.sp
You can verify that these environment variables have been set with the
following command:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
env | grep AWS
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Once set, the following example connects to a MongoDB Atlas cluster
using these environment variables:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mongo \(aqmongodb+srv://cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS\(aq
.ft P
.fi
.UNINDENT
.UNINDENT
.SS Execute JavaScript Against the \fI\%mongo\fP Shell
.sp
To execute a JavaScript file without evaluating the \fB~/.mongorc.js\fP
@ -1684,10 +2017,16 @@ mongo script\-file.js \-u <user> \-p
\fBisInteractive()\fP
.UNINDENT
.UNINDENT
.SS Use \fI\%\-\-eval\fP to Print Query Results as JSON
.SS Use \fI\%\-\-eval\fP to Execute JavaScript Code
.sp
To print return a query as JSON, from the system prompt using
the \fI\%\-\-eval\fP option, use the following form:
You may use the \fI\%\-\-eval\fP option to execute
JavaScript directly from the command line.
.sp
For example, the following operation evaluates a JavaScript string
which queries a collection and prints the results as JSON.
.sp
On Linux and macOS, you will need to use single quotes (e.g. \fB\(aq\fP)
to enclose the JavaScript, using the following form:
.INDENT 0.0
.INDENT 3.5
.sp
@ -1699,8 +2038,18 @@ mongo \-\-eval \(aqdb.collection.find().forEach(printjson)\(aq
.UNINDENT
.UNINDENT
.sp
Use single quotes (e.g. \fB\(aq\fP) to enclose the JavaScript, as well as
the additional JavaScript required to generate this output.
On Windows, you will need to use double quotes (e.g. \fB"\fP)
to enclose the JavaScript, using the following form:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mongo \-\-eval "db.collection.find().forEach(printjson)"
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\fBSEE ALSO:\fP
.INDENT 0.0
@ -1720,6 +2069,6 @@ the additional JavaScript required to generate this output.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
2008-2019
2008-2020
.\" Generated by docutils manpage writer.
.

1097
debian/mongod.1 vendored
View File

File diff suppressed because it is too large Load Diff

1460
debian/mongodb-parameters.5 vendored
View File

File diff suppressed because it is too large Load Diff

489
debian/mongokerberos.1 vendored Normal file
View File

@ -0,0 +1,489 @@
.\" Man page generated from reStructuredText.
.
.TH "MONGOKERBEROS" "1" "Jun 23, 2020" "4.4" "mongodb-manual"
.SH NAME
mongokerberos \- MongoDB Kerberos Validation Utility
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SS On this page
.INDENT 0.0
.IP \(bu 2
\fI\%Synopsis\fP
.IP \(bu 2
\fI\%Installation\fP
.IP \(bu 2
\fI\%Usage\fP
.IP \(bu 2
\fI\%Options\fP
.UNINDENT
.sp
New in version 4.4: MongoDB Enterprise
.SH SYNOPSIS
.sp
Starting in version 4.4, MongoDB Enterprise provides
\fI\%mongokerberos\fP for testing MongoDB\(aqs Kerberos and GSSAPI
configuration options against a
running Kerberos deployment. \fI\%mongokerberos\fP can be used
in one of two modes: \fIserver\fP and \fIclient\fP\&.
.TS
center;
|l|l|.
_
T{
Mode
T} T{
Description
T}
_
T{
Server
T} T{
In \fIserver mode\fP, \fI\%mongokerberos\fP analyzes
Kerberos\-related configurations on the server, and returns a
report which includes error messages for any configurations that
are problematic. For usage, see \fI\%Server Mode\fP
T}
_
T{
Client
T} T{
In \fIclient mode\fP, \fI\%mongokerberos\fP tests Kerberos
authentication for a provided username, and returns a report
which includes the success or failure of each step in the
Kerberos authentication procedure. For usage, see
\fI\%Client Mode\fP
T}
_
.TE
.sp
Error messages for both modes include information on specific errors
encountered and potential advice for resolving the error.
.sp
\fI\%mongokerberos\fP supports the following deployment types,
in both server and client modes:
.INDENT 0.0
.IP \(bu 2
Linux MongoDB clients authenticating to MIT Kerberos deployments on
supported Linux platforms\&.
.IP \(bu 2
Windows MongoDB clients authenticating to Windows Active Directory
deployments on
supported Windows platforms\&.
.IP \(bu 2
Linux MongoDB clients authenticating to Windows Active Directory
deployments.
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
MongoDB Enterprise and \fI\%mongokerberos\fP only support the
\fI\%MIT implementation\fP
of Kerberos.
.UNINDENT
.UNINDENT
.sp
Generally, when configuring options related to
Kerberos authentication, it is good practice
to verify your configuration with \fI\%mongokerberos\fP\&.
.sp
\fI\%mongokerberos\fP is a testing and verification tool; it does not
edit any files or configure any services. For configuring Kerberos on
your platform please consult the \fI\%MIT Kerberos documentation\fP, or your platform\(aqs
documentation. For configuring MongoDB to authenticate using Kerberos,
please reference the following tutorials:
.INDENT 0.0
.IP \(bu 2
/tutorial/control\-access\-to\-mongodb\-with\-kerberos\-authentication
.IP \(bu 2
/tutorial/control\-access\-to\-mongodb\-windows\-with\-kerberos\-authentication\&.
.UNINDENT
.sp
This document provides a complete overview of all command line options
for \fI\%mongokerberos\fP\&.
.SH INSTALLATION
.sp
The \fI\%mongokerberos\fP tool is part of the \fIMongoDB Database Tools Extra\fP
package, and can be \fI\%installed with the MongoDB Server\fP or as a
\fI\%standalone installation\fP\&.
.SS Install with Server
.sp
To install \fI\%mongokerberos\fP as part of a MongoDB Enterprise Server
installation:
.INDENT 0.0
.IP \(bu 2
Follow the instructions for your platform:
Install MongoDB Enterprise Server
.IP \(bu 2
After completing the installation, \fI\%mongokerberos\fP and the other
included tools are available in the same location as the Server.
.sp
\fBNOTE:\fP
.INDENT 2.0
.INDENT 3.5
For the Windows \fB\&.msi\fP installer wizard, the
Complete installation option includes \fI\%mongokerberos\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.SS Install as Standalone
.sp
To install \fI\%mongokerberos\fP as a standalone installation:
.INDENT 0.0
.IP \(bu 2
Follow the download link for MongoDB Enterprise Edition:
\fI\%MongoDB Enterprise Download Center\fP
.IP \(bu 2
Select your Platform (operating system) from the dropdown
menu, then select the appropriate Package for your
platform according to the following chart:
.TS
center;
|l|l|.
_
T{
OS
T} T{
Package
T}
_
T{
\fILinux\fP
T} T{
\fBtgz\fP package
T}
_
T{
\fIWindows\fP
T} T{
\fBzip\fP package
T}
_
T{
\fImacOS\fP
T} T{
\fBtgz\fP package
T}
_
.TE
.IP \(bu 2
Once downloaded, unpack the archive and copy \fI\%mongokerberos\fP to a
location on your hard drive.
.INDENT 2.0
.INDENT 3.5
.SS Tip
.sp
Linux and macOS users may wish to copy \fI\%mongokerberos\fP to a filesystem
location that is defined in the \fB$PATH\fP environment variable, such
as \fB/usr/bin\fP\&. Doing so allows referencing \fI\%mongokerberos\fP directly
on the command line by name, without needing to specify its full
path, or first navigating to its parent directory. See the
installation guide for your platform
for more information.
.UNINDENT
.UNINDENT
.UNINDENT
.SH USAGE
.sp
\fI\%mongokerberos\fP can be run in two modes: \fIserver\fP and
\fIclient\fP\&.
.sp
Run \fI\%mongokerberos\fP from the system command line, not the \fBmongo\fP shell.
.SS Server Mode
.sp
Running \fI\%mongokerberos\fP in server mode performs a series of
verification steps against your system\(aqs Kerberos configuration,
including checking for proper DNS resolution, validation of the Kerberos
system keytab file, and testing against the MongoDB service principal
for your \fBmongod\fP or \fBmongos\fP instance.
.sp
Before you can use \fI\%mongokerberos\fP in server mode, you must:
.INDENT 0.0
.IP 1. 3
Configure Kerberos on your platform according to your platform\(aqs
documentation.
.IP 2. 3
Create the MongoDB service principal for use with your
\fBmongod\fP or \fBmongos\fP instance, as described
in the following steps:
.INDENT 3.0
.IP \(bu 2
Configure Service Principal on Linux
.IP \(bu 2
Configure Service Principal on Windows
.UNINDENT
.UNINDENT
.sp
Once you have completed these steps, you can run
\fI\%mongokerberos\fP in server mode using the
\fB\-\-server\fP flag as follows:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mongokerberos \-\-server
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
If Kerberos has been configured properly on the server, and the service
principal created successfully, the output might resemble the following:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
Resolving kerberos environment...
[OK] Kerberos environment resolved without errors.
Verifying DNS resolution works with Kerberos service at <hostname>...
[OK] DNS test successful.
Getting MIT Kerberos KRB5 environment variables...
* KRB5CCNAME: not set.
* KRB5_CLIENT_KTNAME: not set.
* KRB5_CONFIG: not set.
* KRB5_KTNAME: not set.
* KRB5_TRACE: not set.
[OK]
Verifying existence of KRB5 keytab FILE:/etc/krb5.keytab...
[OK] KRB5 keytab exists and is populated.
Checking principal(s) in KRB5 keytab...
Found the following principals for MongoDB service mongodb:
* mongodb/server.example.com@SERVER.EXAMPLE.COM
Found the following kvnos in keytab entries for service mongodb:
* 3
[OK] KRB5 keytab is valid.
Fetching KRB5 Config...
KRB5 config profile resolved as:
<Your Kerberos profile file will be output here>
[OK] KRB5 config profile resolved without errors.
Attempting to initiate security context with service credentials...
[OK] Security context initiated successfully.
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The final message indicates that the system\(aqs Kerberos configuration is
ready to be used with MongoDB. If any errors are encountered with
the configuration, they will be presented as part of the above output.
.SS Client Mode
.sp
Running \fI\%mongokerberos\fP in client mode tests authentication
against your system\(aqs Kerberos environment, performing each step in the
Kerberos authentication process, including checking for proper DNS
resolution, verification of the Kerberos client keytab file, and testing
whether a ticket can be successfully granted. Running
\fI\%mongokerberos\fP in client mode simulates the client
authentication procedure of the \fBmongo\fP shell.
.sp
Before you can use \fI\%mongokerberos\fP in client mode, you must
first have configured Kerberos on your platform according to your
platform\(aqs documentation. Optionally, you may also choose to run
\fI\%mongokerberos\fP in
\fI\%server mode\fP first to verify that your
platform\(aqs Kerberos configuration is valid before using client mode.
.sp
Once you have completed these steps, you can run
\fI\%mongokerberos\fP in client mode to test user authentication,
using the \fB\-\-client\fP flag as follows:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mongokerberos \-\-client \-\-username <username>
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
You must provide a valid username, which is used to request a Kerberos
ticket as part of the authentication procedure. Your platform\(aqs
Kerberos infrastructure must be aware of this user.
.sp
If the provided credentials are valid, and the Kerberos options in the
configuration files are valid, the output might resemble the following:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
Resolving kerberos environment...
[OK] Kerberos environment resolved without errors.
Verifying DNS resolution works with Kerberos service at <hostname>...
[OK] DNS test successful.
Getting MIT Kerberos KRB5 environment variables...
* KRB5CCNAME: not set.
* KRB5_CLIENT_KTNAME: not set.
* KRB5_CONFIG: not set.
* KRB5_KTNAME: not set.
* KRB5_TRACE: not set.
[OK]
Verifying existence of KRB5 client keytab FILE:/path/to/client.keytab...
[OK] KRB5 client keytab exists and is populated.
Checking principal(s) in KRB5 keytab...
[OK] KRB5 keytab is valid.
Fetching KRB5 Config...
KRB5 config profile resolved as:
<Your Kerberos profile file will be output here>
[OK] KRB5 config profile resolved without errors.
Attempting client half of GSSAPI conversation...
[OK] Client half of GSSAPI conversation completed successfully.
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The final message indicates that client authentication completed
successfully for the user provided. If any errors are encountered
during the authentication steps, they will be presented as part of the
above output.
.SH OPTIONS
.INDENT 0.0
.TP
.B \-\-server
Runs \fI\%mongokerberos\fP in server mode to test that your
platform\(aqs Kerberos configuration is valid for use with MongoDB.
.sp
See \fI\%Server Mode\fP for example usage and expected
output.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-client
Runs \fI\%mongokerberos\fP in client mode to test client
authentication against your system\(aqs Kerberos environment. Requires
specifying a valid username with \fI\%\-\-username\fP when running in
client mode. \fI\%mongokerberos\fP will request a Kerberos ticket
for this username as part of the validation procedure. Running
\fI\%mongokerberos\fP in client mode simulates the client
authentication procedure of the \fBmongo\fP shell.
.sp
See \fI\%Client Mode\fP for example usage and expected
output.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-config <filename>, \-f <filename>
Specifies a configuration file for runtime configuration options.
The options are equivalent to the command\-line
configuration options. See /reference/configuration\-options for
more information.
.sp
\fI\%mongokerberos\fP will read the values for
\fBsaslHostName\fP and \fBsaslServiceName\fP from this
file if present. These values can alteratively be specified with the
\fI\%\-\-setParameter\fP option instead.
.sp
Ensure the configuration file uses ASCII encoding. The
\fI\%mongokerberos\fP instance does not support configuration
files with non\-ASCII encoding, including UTF\-8.
.sp
Only valid in \fI\%server mode\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-setParameter <options>
Sets a configurable parameter. You can specify multiple
\fBsetParameter\fP fields.
.sp
While you can use any supported parameters with \fBsetParameter\fP,
\fI\%mongokerberos\fP only checks for the value of the following:
.INDENT 7.0
.IP \(bu 2
\fBsaslHostName\fP
.IP \(bu 2
\fBsaslServiceName\fP
.UNINDENT
.sp
If using the \fI\%\-\-config\fP option with a configuration file that
also contains these values, the \fBsetParameter\fP values will
override the values from the configuration file.
.sp
Valid in both \fI\%server mode\fP
and \fI\%client mode\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-host <hostname>
Specify the hostname of the MongoDB server to connect to when testing
authentication.
.sp
If \fI\%\-\-host\fP is not specified, \fI\%mongokerberos\fP does
not perform any DNS validation of the hostname (i.e. PTR record
verification)
.sp
Only valid in \fI\%client mode\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-username <username>, \-u <username>
Username for \fI\%mongokerberos\fP to use when attempting Kerberos
authentication. This value is required when running in
\fI\%client mode\fP\&.
.sp
Only valid in \fI\%client mode\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-gssapiServiceName <servicename>
\fIdefault: \(aqmongodb\(aq\fP
.sp
Service principal name to use when authenticating using
GSSAPI/Kerberos.
.sp
Only valid in \fI\%client mode\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-gssapiHostName <hostname>
Remote hostname to use for purpose of GSSAPI/Kerberos authentication.
.sp
Only valid in \fI\%client mode\fP\&.
.UNINDENT
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
2008-2020
.\" Generated by docutils manpage writer.
.

191
debian/mongoldap.1 vendored
View File

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "MONGOLDAP" "1" "Aug 16, 2019" "4.2" "mongodb-manual"
.TH "MONGOLDAP" "1" "Jun 23, 2020" "4.4" "mongodb-manual"
.SH NAME
mongoldap \- MongoDB LDAP Configuration Testing Utility
.
@ -35,6 +35,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.IP \(bu 2
\fI\%Synopsis\fP
.IP \(bu 2
\fI\%Installation\fP
.IP \(bu 2
\fI\%Usage\fP
.IP \(bu 2
\fI\%Options\fP
@ -80,6 +82,88 @@ Run \fI\%mongoldap\fP from the system command line, not the \fBmongo\fP shell.
.sp
This document provides a complete overview of all command line options for
\fI\%mongoldap\fP\&.
.SH INSTALLATION
.sp
The \fI\%mongoldap\fP tool is part of the \fIMongoDB Database Tools Extra\fP
package, and can be \fI\%installed with the MongoDB Server\fP or as a
\fI\%standalone installation\fP\&.
.SS Install with Server
.sp
To install \fI\%mongoldap\fP as part of a MongoDB Enterprise Server
installation:
.INDENT 0.0
.IP \(bu 2
Follow the instructions for your platform:
Install MongoDB Enterprise Server
.IP \(bu 2
After completing the installation, \fI\%mongoldap\fP and the other
included tools are available in the same location as the Server.
.sp
\fBNOTE:\fP
.INDENT 2.0
.INDENT 3.5
For the Windows \fB\&.msi\fP installer wizard, the
Complete installation option includes \fI\%mongoldap\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.SS Install as Standalone
.sp
To install \fI\%mongoldap\fP as a standalone installation:
.INDENT 0.0
.IP \(bu 2
Follow the download link for MongoDB Enterprise Edition:
\fI\%MongoDB Enterprise Download Center\fP
.IP \(bu 2
Select your Platform (operating system) from the dropdown
menu, then select the appropriate Package for your
platform according to the following chart:
.TS
center;
|l|l|.
_
T{
OS
T} T{
Package
T}
_
T{
\fILinux\fP
T} T{
\fBtgz\fP package
T}
_
T{
\fIWindows\fP
T} T{
\fBzip\fP package
T}
_
T{
\fImacOS\fP
T} T{
\fBtgz\fP package
T}
_
.TE
.IP \(bu 2
Once downloaded, unpack the archive and copy \fI\%mongoldap\fP to a
location on your hard drive.
.INDENT 2.0
.INDENT 3.5
.SS Tip
.sp
Linux and macOS users may wish to copy \fI\%mongoldap\fP to a filesystem
location that is defined in the \fB$PATH\fP environment variable, such
as \fB/usr/bin\fP\&. Doing so allows referencing \fI\%mongoldap\fP directly
on the command line by name, without needing to specify its full
path, or first navigating to its parent directory. See the
installation guide for your platform
for more information.
.UNINDENT
.UNINDENT
.UNINDENT
.SH USAGE
.sp
\fBNOTE:\fP
@ -128,7 +212,7 @@ for \fI\%mongoldap\fP\&.
.sp
.nf
.ft C
mongoldap \-\-config <path\-to\-config> \-\-user "bob@dba.example.com" \-\-password "secret123"
mongoldap \-\-config=<path\-to\-config> \-\-user="bob@dba.example.com" \-\-password="secret123"
.ft P
.fi
.UNINDENT
@ -169,7 +253,7 @@ Executing query against LDAP server...
.SH OPTIONS
.INDENT 0.0
.TP
.B \-\-config <filename>, \-f <filename>
.B \-\-config=<filename>, \-f=<filename>
Specifies a configuration file for runtime configuration options.
The options are equivalent to the command\-line
configuration options. See /reference/configuration\-options for
@ -188,30 +272,31 @@ including UTF\-8.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-user <string>
.B \-\-user=<string>
Username for \fBmongoldap\fP to use when attempting LDAP authentication or
authorization.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-password <string>
Password of the \fB\-\-user\fP for \fBmongoldap\fP to use when attempting LDAP
authentication. Not required for LDAP authorization.
.B \-\-password=<string>
Password of the \fI\%\-\-user\fP for
\fBmongoldap\fP to use when attempting LDAP authentication. Not
required for LDAP authorization.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapServers <host1>:<port>,<host2>:<port>,...,<hostN>:<port>
.B \-\-ldapServers=<host1>:<port>,<host2>:<port>,...,<hostN>:<port>
New in version 3.4: Available in MongoDB Enterprise only.
.sp
The LDAP server against which the \fBmongoldap\fP executes LDAP operations
against to authenticate users or determine what actions a user is authorized
to perform on a given database. If the LDAP server specified has any
replicated instances, you may specify the host and port of each replicated
server in a comma\-delimited list.
The LDAP server against which the \fBmongoldap\fP authenticates users or
determines what actions a user is authorized to perform on a given
database. If the LDAP server specified has any replicated instances,
you may specify the host and port of each replicated server in a
comma\-delimited list.
.sp
If your LDAP infrastrucure partitions the LDAP directory over multiple LDAP
servers, specify \fIone\fP LDAP server any of its replicated instances to
If your LDAP infrastructure partitions the LDAP directory over multiple LDAP
servers, specify \fIone\fP LDAP server or any of its replicated instances to
\fI\%\-\-ldapServers\fP\&. MongoDB supports following LDAP referrals as defined in \fI\%RFC 4511
4.1.10\fP\&. Do not use \fI\%\-\-ldapServers\fP
for listing every LDAP server in your infrastructure.
@ -223,7 +308,7 @@ If unset, \fBmongoldap\fP cannot use LDAP authentication or authorization\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapQueryUser <string>
.B \-\-ldapQueryUser=<string>
New in version 3.4: Available in MongoDB Enterprise only.
.sp
@ -258,7 +343,7 @@ both \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the sam
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapQueryPassword <string>
.B \-\-ldapQueryPassword=<string>
New in version 3.4: Available in MongoDB Enterprise only.
.sp
The password used to bind to an LDAP server when using
@ -282,8 +367,8 @@ both \fI\%\-\-ldapQueryPassword\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapBindWithOSDefaults <bool>
\fIDefault\fP: False
.B \-\-ldapBindWithOSDefaults=<bool>
\fIDefault\fP: false
.sp
New in version 3.4: Available in MongoDB Enterprise for the Windows platform only.
@ -306,31 +391,48 @@ Use \fI\%\-\-ldapBindWithOSDefaults\fP to replace \fI\%\-\-ldapQueryUser\fP and
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapBindMethod <string>
.B \-\-ldapBindMethod=<string>
\fIDefault\fP: simple
.sp
New in version 3.4: Available in MongoDB Enterprise only.
.sp
The method \fBmongoldap\fP uses to authenticate to an LDAP server.
Use with \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapQueryPassword\fP to
connect to the LDAP server.
The method \fBmongoldap\fP uses to authenticate to an LDAP
server. Use with \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapQueryPassword\fP to connect to the LDAP server.
.sp
\fI\%\-\-ldapBindMethod\fP supports the following values:
.INDENT 7.0
.IP \(bu 2
\fBsimple\fP \- \fBmongoldap\fP uses simple authentication.
.IP \(bu 2
\fBsasl\fP \- \fBmongoldap\fP uses SASL protocol for authentication
.UNINDENT
\fI\%\-\-ldapBindMethod\fP supports
the following values:
.TS
center;
|l|l|.
_
T{
Value
T} T{
Description
T}
_
T{
\fBsimple\fP
T} T{
\fBmongoldap\fP uses simple authentication.
T}
_
T{
\fBsasl\fP
T} T{
\fBmongoldap\fP uses SASL protocol for authentication.
T}
_
.TE
.sp
If you specify \fBsasl\fP, you can configure the available SASL mechanisms
using \fI\%\-\-ldapBindSASLMechanisms\fP\&. \fBmongoldap\fP defaults to
using \fI\%\-\-ldapBindSaslMechanisms\fP\&. \fBmongoldap\fP defaults to
using \fBDIGEST\-MD5\fP mechanism.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapBindSASLMechanisms <string>
.B \-\-ldapBindSaslMechanisms=<string>
\fIDefault\fP: DIGEST\-MD5
.sp
New in version 3.4: Available in MongoDB Enterprise only.
@ -405,7 +507,7 @@ For Windows, please see the \fI\%Windows SASL documentation\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapTransportSecurity <string>
.B \-\-ldapTransportSecurity=<string>
\fIDefault\fP: tls
.sp
New in version 3.4: Available in MongoDB Enterprise only.
@ -440,7 +542,7 @@ credentials between \fBmongoldap\fP and the LDAP server.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapTimeoutMS <long>
.B \-\-ldapTimeoutMS=<long>
\fIDefault\fP: 10000
.sp
New in version 3.4: Available in MongoDB Enterprise only.
@ -459,7 +561,7 @@ This setting can be configured on a running \fBmongoldap\fP using
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapUserToDNMapping <string>
.B \-\-ldapUserToDNMapping=<string>
New in version 3.4: Available in MongoDB Enterprise only.
.sp
@ -575,10 +677,17 @@ username against the \fBmatch\fP filter. If a match is found,
authenticating the user. \fBmongoldap\fP does not check the remaining documents
in the array.
.sp
If the given document does not match the provided authentication name, or
the transformation described by the document fails, \fBmongoldap\fP continues
through the list of documents to find additional matches. If no matches are
found in any document, \fBmongoldap\fP returns an error.
If the given document does not match the provided authentication
name, \fBmongoldap\fP continues through the list of documents
to find additional matches. If no matches are found in any document,
or the transformation the document describes fails,
\fBmongoldap\fP returns an error.
.sp
Starting in MongoDB 4.4, \fBmongoldap\fP also returns an error
if one of the transformations cannot be evaluated due to networking
or authentication failures to the LDAP server. \fBmongoldap\fP
rejects the connection request and does not check the remaining
documents in the array.
.INDENT 7.0
.INDENT 3.5
.SH EXAMPLE
@ -639,7 +748,7 @@ This setting can be configured on a running \fBmongoldap\fP using the
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapAuthzQueryTemplate <string>
.B \-\-ldapAuthzQueryTemplate=<string>
New in version 3.4: Available in MongoDB Enterprise only.
.sp
@ -743,6 +852,6 @@ use your preferred LDAP resource.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
2008-2019
2008-2020
.\" Generated by docutils manpage writer.
.

309
debian/mongos.1 vendored
View File

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "MONGOS" "1" "Aug 16, 2019" "4.2" "mongodb-manual"
.TH "MONGOS" "1" "Jun 23, 2020" "4.4" "mongodb-manual"
.SH NAME
mongos \- MongoDB Sharded Cluster Query Router
.
@ -52,6 +52,10 @@ any other MongoDB instance.
.IP \(bu 2
Never change the name of the \fI\%mongos\fP binary.
.IP \(bu 2
Starting in version 4.4, \fI\%mongos\fP
can support hedged reads to minimize
latencies.
.IP \(bu 2
Starting in version 4.0, MongoDB disables support for TLS 1.0
encryption on systems where TLS 1.1+ is available. For
more details, see 4.0\-disable\-tls\&.
@ -366,15 +370,16 @@ maximum size of the connection pool.
This setting prevents the \fI\%mongos\fP from causing connection spikes on
the individual shards\&. Spikes like these may disrupt the
operation and memory allocation of the sharded cluster\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-logpath <path>
Sends all diagnostic logging information to a log file instead of to
standard output or to the host\(aqs syslog system. MongoDB creates
the log file at the path you specify.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
Changed in version 2.6: MongoDB removed the upward limit on the \fBmaxIncomingConnections\fP
setting.
.UNINDENT
.UNINDENT
By default, MongoDB will move any existing log file rather than overwrite
it. To instead append to the log file, set the \fI\%\-\-logappend\fP option.
.UNINDENT
.INDENT 0.0
.TP
@ -419,16 +424,6 @@ must enable the \fI\%\-\-syslog\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-logpath <path>
Sends all diagnostic logging information to a log file instead of to
standard output or to the host\(aqs syslog system. MongoDB creates
the log file at the path you specify.
.sp
By default, MongoDB will move any existing log file rather than overwrite
it. To instead append to the log file, set the \fI\%\-\-logappend\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-logappend
Appends new entries to the end of the existing log file when the \fBmongos\fP
instance restarts. Without this option, \fBmongod\fP will back up the
@ -436,6 +431,24 @@ existing log and create a new file.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-logRotate <string>
\fIDefault\fP: rename
.sp
Determines the behavior for the \fBlogRotate\fP command.
Specify either \fBrename\fP or \fBreopen\fP:
.INDENT 7.0
.IP \(bu 2
\fBrename\fP renames the log file.
.IP \(bu 2
\fBreopen\fP closes and reopens the log file following the typical
Linux/Unix log rotate behavior. Use \fBreopen\fP when using the
Linux/Unix logrotate utility to avoid log loss.
.sp
If you specify \fBreopen\fP, you must also use \fI\%\-\-logappend\fP\&.
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-redactClientLogData
New in version 3.4: Available in MongoDB Enterprise only.
@ -464,20 +477,8 @@ due to the lack of data related to a log event. See the
process logging manual page for an
example of the effect of \fI\%\-\-redactClientLogData\fP on log output.
.sp
You can enable or disable log redaction on a running \fBmongos\fP
using the \fBsetParameter\fP database command.
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
db.adminCommand(
{ setParameter: 1, redactClientLogData : true | false }
)
.ft P
.fi
.UNINDENT
.UNINDENT
On a running \fBmongos\fP, use \fBsetParameter\fP with the
\fBredactClientLogData\fP parameter to configure this setting.
.UNINDENT
.INDENT 0.0
.TP
@ -497,13 +498,6 @@ Description
T}
_
T{
\fBctime\fP
T} T{
Displays timestamps as \fBWed Dec 31
18:17:54.811\fP\&.
T}
_
T{
\fBiso8601\-utc\fP
T} T{
Displays timestamps in Coordinated Universal Time (UTC) in the
@ -516,19 +510,50 @@ T{
T} T{
Displays timestamps in local time in the ISO\-8601
format. For example, for New York at the start of the Epoch:
\fB1969\-12\-31T19:00:00.000\-0500\fP
\fB1969\-12\-31T19:00:00.000\-05:00\fP
T}
_
.TE
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
Starting in MongoDB 4.4, \fI\%\-\-timeStampFormat\fP no longer supports \fBctime\fP\&.
An example of \fBctime\fP formatted date is: \fBWed Dec 31
18:17:54.811\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-pidfilepath <path>
Specifies a file location to hold the process ID of the \fBmongos\fP
process where \fBmongos\fP will write its PID. This is useful for
tracking the \fBmongos\fP process in combination with
the \fI\%\-\-fork\fP option. Without a specified \fI\%\-\-pidfilepath\fP option, the
process creates no PID file.
Specifies a file location to store the process ID (PID) of the \fBmongos\fP
process. The user running the \fBmongod\fP or \fBmongos\fP
process must be able to write to this path. If the \fI\%\-\-pidfilepath\fP option is not
specified, the process does not create a PID file. This option is generally
only useful in combination with the \fI\%\-\-fork\fP option.
.INDENT 7.0
.INDENT 3.5
.IP "Linux"
.sp
On Linux, PID file management is generally the responsibility of
your distro\(aqs init system: usually a service file in the \fB/etc/init.d\fP
directory, or a systemd unit file registered with \fBsystemctl\fP\&. Only
use the \fI\%\-\-pidfilepath\fP option if you are not using one of these init
systems. For more information, please see the respective
Installation Guide for your operating system.
.UNINDENT
.UNINDENT
.INDENT 7.0
.INDENT 3.5
.IP "macOS"
.sp
On macOS, PID file management is generally handled by \fBbrew\fP\&. Only use
the \fI\%\-\-pidfilepath\fP option if you are not using \fBbrew\fP on your macOS system.
For more information, please see the respective
Installation Guide for your operating system.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@ -560,6 +585,19 @@ keyfiles that use the text file format.
Specifies one of the MongoDB parameters described in
/reference/parameters\&. You can specify multiple \fBsetParameter\fP
fields.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-noscripting
Disables the scripting engine. When disabled, you cannot use
operations that perform server\-side execution of JavaScript code,
such as the \fB$where\fP query operator, \fBmapReduce\fP
command, \fB$accumulator\fP, and \fB$function\fP\&.
.sp
If you do not use these operations, disable server\-side scripting.
.sp
New in version 4.4.
.UNINDENT
.INDENT 0.0
.TP
@ -578,10 +616,9 @@ always listens on the UNIX socket unless one of the following is true:
\fBnet.bindIp\fP does not specify \fBlocalhost\fP or its associated IP address
.UNINDENT
.sp
New in version 2.6: \fBmongos\fP installed from official \&.deb and \&.rpm packages
\fBmongos\fP installed from official \&.deb and \&.rpm packages
have the \fBbind_ip\fP configuration set to \fB127.0.0.1\fP by
default.
.UNINDENT
.INDENT 0.0
.TP
@ -622,6 +659,8 @@ background. By default \fBmongos\fP does not run as a daemon:
typically you will run \fBmongos\fP as a daemon, either by using
\fI\%\-\-fork\fP or by using a controlling process that handles the
daemonization process (e.g. as with \fBupstart\fP and \fBsystemd\fP).
.sp
The \fI\%\-\-fork\fP option is not supported on Windows.
.UNINDENT
.INDENT 0.0
.TP
@ -718,6 +757,47 @@ between \fBmongo\fP shell and \fBmongod\fP are not compressed.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-serviceExecutor <string>
\fIDefault\fP: synchronous
.sp
New in version 3.6.
.sp
Determines the threading and execution model \fBmongos\fP uses to
execute client requests. The \fB\-\-serviceExecutor\fP option accepts one
of the following values:
.TS
center;
|l|l|.
_
T{
Value
T} T{
Description
T}
_
T{
\fBsynchronous\fP
T} T{
The \fBmongos\fP uses synchronous networking and manages its
networking thread pool on a per connection basis. Previous
versions of MongoDB managed threads in this way.
T}
_
T{
\fBadaptive\fP
T} T{
The \fBmongos\fP uses the new experimental asynchronous
networking mode with an adaptive thread pool which manages
threads on a per request basis. This mode should have more
consistent performance and use less resources when there are
more inactive connections than database requests.
T}
_
.TE
.UNINDENT
.INDENT 0.0
.TP
.B \-\-timeZoneInfo <path>
The full path from which to load the time zone database. If this option
is not provided, then MongoDB will use its built\-in time zone database.
@ -968,9 +1048,6 @@ For more information about TLS and MongoDB, see
.TP
.B \-\-clusterAuthMode <option>
\fIDefault\fP: keyFile
.sp
New in version 2.6.
.sp
The authentication mode used for cluster authentication. If you use
internal x.509 authentication,
@ -1056,6 +1133,13 @@ the certificate returned by the \fI\%\-\-tlsCertificateSelector\fP\&.
.sp
If using x.509 authentication, \fB\-\-tlsCAFile\fP or \fBtls.CAFile\fP
must be specified unless using \fB\-\-tlsCertificateSelector\fP\&.
.sp
Changed in version 4.4: \fBmongod\fP / \fI\%mongos\fP logs a warning on
connection if the presented x.509 certificate expires within \fB30\fP
days of the \fBmongod/mongos\fP host system time. See
4.4\-rel\-notes\-certificate\-expiration\-warning for more
information.
.sp
For more information about TLS and MongoDB, see
/tutorial/configure\-ssl and
@ -1239,21 +1323,43 @@ The \fBthumbprint\fP is sometimes referred to as a
T}
_
.TE
.sp
Changed in version 4.4: \fBmongod\fP / \fI\%mongos\fP logs a warning on
connection if the presented x.509 certificate expires within \fB30\fP
days of the \fBmongod/mongos\fP host system time. See
4.4\-rel\-notes\-certificate\-expiration\-warning for more
information.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tlsCRLFile <filename>
New in version 4.2.
New in version 4.2: For MongoDB 4.0 and earlier, see \fI\%\-\-sslCRLFile\fP\&.
.sp
Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
List. Specify the file name of the \fB\&.pem\fP file using relative or
absolute paths.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
Starting in MongoDB 4.0, you cannot specify \fI\%\-\-tlsCRLFile\fP on macOS. Use \fI\%\-\-tlsCertificateSelector\fP instead.
.INDENT 0.0
.IP \(bu 2
Starting in MongoDB 4.0, you cannot specify a CRL file on
macOS. Instead, you can use the system SSL certificate store,
which uses OCSP (Online Certificate Status Protocol) to
validate the revocation status of certificates. See
\fI\%\-\-sslCertificateSelector\fP in MongoDB 4.0 and
\fI\%\-\-tlsCertificateSelector\fP in MongoDB 4.2+ to use the
system SSL certificate store.
.IP \(bu 2
Starting in version 4.4, to check for certificate revocation,
MongoDB \fBenables\fP the use of OCSP
(Online Certificate Status Protocol) by default as an
alternative to specifying a CRL file or using the system SSL
certificate store.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
@ -1427,9 +1533,6 @@ For more information about TLS/SSL and MongoDB, see
.B \-\-sslMode <mode>
Deprecated since version 4.2: Use \fI\%\-\-tlsMode\fP instead.
.sp
New in version 2.6.
.sp
Enables TLS/SSL or mixed TLS/SSL used for all network connections. The
argument to the \fI\%\-\-sslMode\fP option can be one of the following:
@ -1585,9 +1688,6 @@ For more information about TLS/SSL and MongoDB, see
.B \-\-sslClusterPassword <value>
Deprecated since version 4.2: Use \fI\%\-\-tlsClusterPassword\fP instead.
.sp
New in version 2.6.
.sp
Specifies the password to de\-crypt the x.509 certificate\-key file
specified with \fB\-\-sslClusterFile\fP\&. Use the \fI\%\-\-sslClusterPassword\fP option only
@ -1774,14 +1874,29 @@ _
Deprecated since version 4.2: Use \fI\%\-\-tlsCRLFile\fP instead.
.sp
Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
List. Specify the file name of the \fB\&.pem\fP file using relative or
absolute paths.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
Starting in MongoDB 4.0, you cannot specify \fI\%\-\-sslCRLFile\fP on macOS. Use \fI\%\-\-sslCertificateSelector\fP instead.
.INDENT 0.0
.IP \(bu 2
Starting in MongoDB 4.0, you cannot specify a CRL file on
macOS. Instead, you can use the system SSL certificate store,
which uses OCSP (Online Certificate Status Protocol) to
validate the revocation status of certificates. See
\fI\%\-\-sslCertificateSelector\fP in MongoDB 4.0 and
\fI\%\-\-tlsCertificateSelector\fP in MongoDB 4.2+ to use the
system SSL certificate store.
.IP \(bu 2
Starting in version 4.4, to check for certificate revocation,
MongoDB \fBenables\fP the use of OCSP
(Online Certificate Status Protocol) by default as an
alternative to specifying a CRL file or using the system SSL
certificate store.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
@ -1846,9 +1961,6 @@ For more information about TLS/SSL and MongoDB, see
.B \-\-sslAllowInvalidHostnames
Deprecated since version 4.2: Use \fI\%\-\-tlsAllowInvalidHostnames\fP instead.
.sp
New in version 3.0.
.sp
Disables the validation of the hostnames in TLS/SSL certificates,
when connecting to other members of the replica set or sharded cluster
@ -1865,9 +1977,6 @@ For more information about TLS/SSL and MongoDB, see
.B \-\-sslDisabledProtocols <protocol(s)>
Deprecated since version 4.2: Use \fI\%\-\-tlsDisabledProtocols\fP instead.
.sp
New in version 3.0.7.
.sp
Prevents a MongoDB server running with TLS/SSL from accepting
incoming connections that use a specific protocol or protocols. To
@ -1981,9 +2090,6 @@ and \fI\%MongoDB Atlas\fP\&.
.INDENT 0.0
.TP
.B \-\-auditFormat
New in version 2.6.
.sp
Specifies the format of the output file for auditing if \fI\%\-\-auditDestination\fP is \fBfile\fP\&. The
\fI\%\-\-auditFormat\fP option can have one of the following values:
.TS
@ -2026,9 +2132,6 @@ and \fI\%MongoDB Atlas\fP\&.
.INDENT 0.0
.TP
.B \-\-auditPath
New in version 2.6.
.sp
Specifies the output file for auditing if
\fI\%\-\-auditDestination\fP has value of \fBfile\fP\&. The \fI\%\-\-auditPath\fP
option can take either a full path name or a relative path name.
@ -2044,9 +2147,6 @@ and \fI\%MongoDB Atlas\fP\&.
.INDENT 0.0
.TP
.B \-\-auditFilter
New in version 2.6.
.sp
Specifies the filter to limit the types of operations the audit system records. The option takes a string representation
of a query document of the form:
.INDENT 7.0
@ -2126,14 +2226,14 @@ New in version 4.0.
New in version 3.4: Available in MongoDB Enterprise only.
.sp
The LDAP server against which the \fBmongos\fP executes LDAP operations
against to authenticate users or determine what actions a user is authorized
to perform on a given database. If the LDAP server specified has any
replicated instances, you may specify the host and port of each replicated
server in a comma\-delimited list.
The LDAP server against which the \fBmongos\fP authenticates users or
determines what actions a user is authorized to perform on a given
database. If the LDAP server specified has any replicated instances,
you may specify the host and port of each replicated server in a
comma\-delimited list.
.sp
If your LDAP infrastrucure partitions the LDAP directory over multiple LDAP
servers, specify \fIone\fP LDAP server any of its replicated instances to
If your LDAP infrastructure partitions the LDAP directory over multiple LDAP
servers, specify \fIone\fP LDAP server or any of its replicated instances to
\fI\%\-\-ldapServers\fP\&. MongoDB supports following LDAP referrals as defined in \fI\%RFC 4511
4.1.10\fP\&. Do not use \fI\%\-\-ldapServers\fP
for listing every LDAP server in your infrastructure.
@ -2145,6 +2245,24 @@ If unset, \fBmongos\fP cannot use LDAP authentication or authorization\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapValidateLDAPServerConfig <boolean>
\fIAvailable in MongoDB Enterprise\fP
.sp
A flag that determines if the \fI\%mongos\fP instance checks
the availability of the \fI\%LDAP server(s)\fP as part of its startup:
.INDENT 7.0
.IP \(bu 2
If \fBtrue\fP, the \fI\%mongos\fP instance performs the
availability check and only continues to start up if the LDAP
server is available.
.IP \(bu 2
If \fBfalse\fP, the \fI\%mongos\fP instance skips the
availability check; i.e. the instance starts up even if the LDAP
server is unavailable.
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapQueryUser <string>
New in version 3.4: Available in MongoDB Enterprise only.
@ -2205,7 +2323,7 @@ both \fI\%\-\-ldapQueryPassword\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the
.INDENT 0.0
.TP
.B \-\-ldapBindWithOSDefaults <bool>
\fIDefault\fP: False
\fIDefault\fP: false
.sp
New in version 3.4: Available in MongoDB Enterprise for the Windows platform only.
@ -2247,12 +2365,12 @@ connect to the LDAP server.
.UNINDENT
.sp
If you specify \fBsasl\fP, you can configure the available SASL mechanisms
using \fI\%\-\-ldapBindSASLMechanisms\fP\&. \fBmongos\fP defaults to
using \fI\%\-\-ldapBindSaslMechanisms\fP\&. \fBmongos\fP defaults to
using \fBDIGEST\-MD5\fP mechanism.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ldapBindSASLMechanisms <string>
.B \-\-ldapBindSaslMechanisms <string>
\fIDefault\fP: DIGEST\-MD5
.sp
New in version 3.4: Available in MongoDB Enterprise only.
@ -2497,10 +2615,17 @@ username against the \fBmatch\fP filter. If a match is found,
authenticating the user. \fBmongos\fP does not check the remaining documents
in the array.
.sp
If the given document does not match the provided authentication name, or
the transformation described by the document fails, \fBmongos\fP continues
through the list of documents to find additional matches. If no matches are
found in any document, \fBmongos\fP returns an error.
If the given document does not match the provided authentication
name, \fI\%mongos\fP continues through the list of documents
to find additional matches. If no matches are found in any document,
or the transformation the document describes fails,
\fI\%mongos\fP returns an error.
.sp
Starting in MongoDB 4.4, \fI\%mongos\fP also returns an error
if one of the transformations cannot be evaluated due to networking
or authentication failures to the LDAP server. \fI\%mongos\fP
rejects the connection request and does not check the remaining
documents in the array.
.INDENT 7.0
.INDENT 3.5
.SS Example
@ -2579,6 +2704,6 @@ Set \fI\%\-\-bind_ip_all\fP to \fBtrue\fP\&.
.SH AUTHOR
MongoDB Documentation Project
.SH COPYRIGHT
2008-2019
2008-2020
.\" Generated by docutils manpage writer.
.

3
rpm/mongodb-enterprise-init.spec
View File

@ -224,7 +224,7 @@ This package provides the MongoDB static library and header files needed to deve
mkdir -p $RPM_BUILD_ROOT/usr
cp -rv bin $RPM_BUILD_ROOT/usr
mkdir -p $RPM_BUILD_ROOT/usr/share/man/man1
cp debian/mongo{,d,s,ldap}.1 $RPM_BUILD_ROOT/usr/share/man/man1/
cp debian/mongo{,d,s,ldap,kerberos}.1 $RPM_BUILD_ROOT/usr/share/man/man1/
mkdir -p $RPM_BUILD_ROOT/etc/init.d
cp -v rpm/init.d-mongod $RPM_BUILD_ROOT/etc/init.d/mongod
chmod a+x $RPM_BUILD_ROOT/etc/init.d/mongod
@ -312,6 +312,7 @@ fi
%{_bindir}/mongokerberos
%{_mandir}/man1/mongoldap.1*
%{_mandir}/man1/mongokerberos.1*
%files cryptd
%defattr(-,root,root,-)

3
rpm/mongodb-enterprise-unstable-init.spec
View File

@ -213,7 +213,7 @@ This package provides the MongoDB static library and header files needed to deve
mkdir -p $RPM_BUILD_ROOT/usr
cp -rv bin $RPM_BUILD_ROOT/usr
mkdir -p $RPM_BUILD_ROOT/usr/share/man/man1
cp debian/mongo{,d,s,ldap}.1 $RPM_BUILD_ROOT/usr/share/man/man1/
cp debian/mongo{,d,s,ldap,kerberos}.1 $RPM_BUILD_ROOT/usr/share/man/man1/
mkdir -p $RPM_BUILD_ROOT/etc/init.d
cp -v rpm/init.d-mongod $RPM_BUILD_ROOT/etc/init.d/mongod
chmod a+x $RPM_BUILD_ROOT/etc/init.d/mongod
@ -301,6 +301,7 @@ fi
%{_bindir}/mongokerberos
%{_mandir}/man1/mongoldap.1*
%{_mandir}/man1/mongokerberos.1*
%files cryptd
%defattr(-,root,root,-)

3
rpm/mongodb-enterprise-unstable.spec
View File

@ -216,7 +216,7 @@ This package provides the MongoDB static library and header files needed to deve
mkdir -p $RPM_BUILD_ROOT/usr
cp -rv bin $RPM_BUILD_ROOT/usr
mkdir -p $RPM_BUILD_ROOT/usr/share/man/man1
cp debian/mongo{,d,s,ldap}.1 $RPM_BUILD_ROOT/usr/share/man/man1/
cp debian/mongo{,d,s,ldap,kerberos}.1 $RPM_BUILD_ROOT/usr/share/man/man1/
mkdir -p $RPM_BUILD_ROOT/etc
cp -v rpm/mongod.conf $RPM_BUILD_ROOT/etc/mongod.conf
mkdir -p $RPM_BUILD_ROOT/lib/systemd/system
@ -305,6 +305,7 @@ fi
%{_bindir}/mongokerberos
%{_mandir}/man1/mongoldap.1*
%{_mandir}/man1/mongokerberos.1*
%files cryptd
%defattr(-,root,root,-)

3
rpm/mongodb-enterprise.spec
View File

@ -226,7 +226,7 @@ This package provides the MongoDB static library and header files needed to deve
mkdir -p $RPM_BUILD_ROOT/usr
cp -rv bin $RPM_BUILD_ROOT/usr
mkdir -p $RPM_BUILD_ROOT/usr/share/man/man1
cp debian/mongo{,d,s,ldap}.1 $RPM_BUILD_ROOT/usr/share/man/man1/
cp debian/mongo{,d,s,ldap,kerberos}.1 $RPM_BUILD_ROOT/usr/share/man/man1/
mkdir -p $RPM_BUILD_ROOT/etc
cp -v rpm/mongod.conf $RPM_BUILD_ROOT/etc/mongod.conf
mkdir -p $RPM_BUILD_ROOT/lib/systemd/system
@ -314,6 +314,7 @@ fi
%{_bindir}/mongokerberos
%{_mandir}/man1/mongoldap.1*
%{_mandir}/man1/mongokerberos.1*
%files cryptd
%defattr(-,root,root,-)