AWS Thinkbox Discussion Forums

Mongodump syntax help

Hello, recently installed Deadline 10.1.9.2 on an OSX server. It is working great. Was preparing to make a database backup but am having trouble connecting to mongoDB via mongodump or even mongo shell.

I used defaults for the installer, but used port 27192 and enabled SSL / TLS with client certificate.

Following this blogpost: https://www.awsthinkbox.com/blog/deadline-database-backup-strategy

This syntax failed with the error “no reachable servers”:
./mongodump -d DATABASE_NAME -o PATH_TO_BACKUP_FOLDER /
./mongodump -d deadline10db -o ~/backupfolder

I’m new to MongoDB but figured it was due to SSL being enabled so I tried this:
./mongodump --host 127.0.0.1:27192 --db deadline10db --ssl --sslCAFile /Applications/Thinkbox/DeadlineDatabase10/certs/ca.crt --sslPEMKeyFile /Applications/Thinkbox/DeadlineDatabase10/certs/hostname.local.pem --sslAllowInvalidHostnames --out ~/mongodump

This failed as well.

What’s the proper syntax for doing a mongodump on a deadline server with ssl / tsl enabled?

Thanks!

The sample syntax I refer to for OSX is below:

/Applications/DeadlineDatabase10/mongo/application/bin/mongodump /host:[hostname] /port:27100 /db:deadline10db /ssl /sslPEMKeyFile:"/Applications/DeadlineDatabase10/certs/mongo_client.pem" /sslCAFile:"/Applications/DeadlineDatabase10/certs/ca.crt" /authenticationDatabase:"$external" /authenticationMechanism:"MONGODB-X509" /username:"OU=Deadline10Client,O=Deadline10Installer,CN=Deadline10Client"

Looking at differences, my version passes the port as its own flag, and uses the hostname instead of the loopback address. It also includes the username credentials.

Try using that syntax sample and let us know!

Thanks for the reply! With your exact syntax get a “positional arguments not allowed”. I think the syntax there is not valid. I modified it to work here:

./mongodump --host *hostname --port 27192 --db deadline10db --ssl --sslPEMKeyFile "/Applications/Thinkbox/DeadlineDatabase10/certs/mongo_client.pem" --sslCAFile /Applications/Thinkbox/DeadlineDatabase10/certs/ca.crt --authenticationDatabase "$external" --authenticationMechanism "MONGODB-X509" --username "OU=Deadline10Client,O=Deadline10Installer,CN=Deadline10Client]"

where hostname is the correct hostname, that resolves properly.

I can now reference this and use it to connect via mongoshell which is a start!

…but when run with mongodump I get this error:

Failed: can't create session: error configuring the connector: PKCS#8 encrypted private keys are not supported

Just wanted to say. I did a clean install on a separate OSX machine (both machines are at Catalina 10.15.6) as a test and received the same error… so I think that rules out any kind of configuration error.

Failed: can't create session: error configuring the connector: PKCS#8 encrypted private keys are not supported

Please let me know what information I can provide to help us move forward. Thanks!

I want to assume that’s something between Catalina and Mongodb. Is this other DB also installed by our Repository installer? If so we’ve clearly got to try duplicating this on our end.

Thanks for the reply.

Here’s more info to help reproduce:
Both installs are on freshly reformatted machines using Deadline 10.1.9.2
MongoDB is installed using Deadline Installer. SSL / TSL is enabled, certificates are generated using Deadline installer, and we elected to have password set.

To me it seems to be something about the version of MongoDB installed by Deadline not accepting the format of the certs, but I’m unsure. It’s weird because I am able to connect via mongo shell.

Hello, just following up. Have you been able to recreate?

Still looking for correct syntax for backing up our MongoDB Database when set up using Deadline installer.

I’ve done additional research:
I believe this may be an issue with the version of mongoDB Deadline requires (3.6.16) not supporting password protected pem certs. I found references to this error on GitHub saying it was fixed in mongoDB 4.0.1 and later…

https://jira.mongodb.org/browse/SERVER-35541

Is there a reason for the restriction of mongodb versions?

Hello!

I haven’t re-created that, though the Jira issue you linked looks like our smoking gun.

There shouldn’t be an issue with you installing and running 4.0 but we haven’t tested it. Let us know if you do!

I’d expect a pretty immediate failure if Deadline can’t use 4.0.

Installer fails immediately unfortunately… so still at a loss on how to solve this.

How did you try to install? By giving the installer the 4.0 files or by connecting to a 4.0 database?

Could you share the installer log from that failure? It should be in /tmp with a name starting with bitrock_installer. There will be one from each install attempt.

In case it’s helpful, our steps for manual database install are here, in case that’s not the option you tried.

Do you have any additional install instructions for manually setting up a database so it will still work with TLS / SSL? I can’t seem to get it to work.
I see that Deadline installer tries to authenticate and fails from these errors:

An error occurred while configuring the database:

Could not connect to any of the specified Mongo DB servers defined in the "Hostname" parameter of the "settings/connection.ini" file in the root of the Repository.

The following errors were encountered:

* 10.23.160.37: Unable to authenticate username 'OU=Deadline10Client,O=Deadline10Installer,CN=Deadline10Client' using protocol 'MONGODB-X509'.
* computer.local: Unable to authenticate username 'OU=Deadline10Client,O=Deadline10Installer,CN=Deadline10Client' using protocol 'MONGODB-X509'.

Do I need to add a x.509 user using OU setting that installer is looking for to a mongoDB database I create named deadline10db?

To keep it simple and ensure that SSL certs are in proper format for Deadline installer I saved certs generated from installer on a previous install attempt and point installer to that, I’m also using a config.conf generated by installer.

I also tried pointing Deadline Installer to a database with authentication disabled, still using those certs in hopes that it would auto configure what was needed.

Any additional install tips would be greatly appreciated.

Really just not sure what configuration I need to do to a new mongoDB installation to fulfill whatever the Deadline Installer is looking for.

Could you share the config.conf file you’re using? Assuming Deadline is able to get to the SSL cert that should be working.

I can’t think of a better place to look for help with SSL than the MongoDB docs. They’ll be more complete than ours if the link I shared isn’t cutting it.

It might be simpler install the MongoDB without TLS and configure it afterwords with those steps.

I’m interested in these errors here, since I get the exact same thing when trying to do an automated install and generate my own certificates.

this repo can reproduce the error here exactly:
git clone --branch v0.0.3 https://github.com/firehawkvfx/packer-firehawk-amis.git

This script does a full install for an ubuntu 18 ec2 instance, and generates certs after the install. it fails if I should try to reboot and manually run deadlinercs in the same way you describe.

packer-firehawk-amis/modules/firehawk-ami/scripts/deadlinedb_install_post_gen_certs.sh

This script has no problem, but it uses the installer to generate the certs (but I want to avoid doing it this way):

packer-firehawk-amis/modules/firehawk-ami/scripts/deadlinedb_install_with_certs.sh

I wanted to produce both to hopefully provide a useful diff so that Thinkbox might identify what is wrong.

Privacy | Site terms | Cookie preferences