All the previous blogs in this Chef cookbook series have been leading up to using zNcrypt to encrypt big data. In this blog we will see how, with Chef, we can easily install MongoDB and use zNcrypt to encrypt and protect the MongoDB data files.
The mongodb recipe is divided into 4 basic steps:
- Set up the mongodb deb/rpm repositories from 10gen
- Assemble the list of mongodb-10gen packages
- Install the mongo packages
- Set up zNcrypt with mongodb using the ezncrypt and ezncrypt-access-control commands
In the first section of the recipe we use the apt cookbook to set up the 10gen apt repository for mongodb. Note that the repository signing key is fetched over plain HTTP here, so the signature only protects the package downloads that follow, not the initial key fetch itself.
# use the apt cookbook
include_recipe "apt::default"
# Add the 10gen repo (Ubuntu/Debian)
apt_repository "10gen" do
  uri "http://downloads-distro.mongodb.org/repo/ubuntu-upstart"
  distribution "dist"
  components ["10gen"]
  key "http://docs.mongodb.org/10gen-gpg-key.asc"
  action :add
end
In the second section we call apt::default to update apt and set up the list of packages to be installed.
include_recipe "apt::default"
# list of packages to install (used by the loop below)
mongo_packages = %w{mongodb-10gen}
Then, to install the package(s), we simply iterate over the list of packages and call the install action.
# loop to install packages
mongo_packages.each do |mongo_pack|
  package mongo_pack do
    action :install
  end
end
With mongodb now installed, the last step is to encrypt the mongodb data files, which by default are in /var/lib/mongodb, and to set up the zNcrypt ACL. As you can see below we re-use the data bag (created in the prior blog) to retrieve the passphrase, which is required to make any ACL updates and is passed to the ezncrypt-access-control command.
# Mongo is installed, we proceed to set up the encryption
# the paths here are hardcoded, if they do not match yours edit here
acl_rule1 = "/usr/bin/mongod"
acl_rule2 = "/bin/mkdir"
data_dir = "/var/lib/mongodb"   # default MongoDB data directory
service_name = "mongodb"        # init service name of the 10gen package (assumed, adjust if yours differs)
# before anything we stop mongodb, then create the ACLs
passphrase = data_bag_item('license_pool', 'license1')['passphrase']
passphrase2 = data_bag_item('license_pool', 'license1')['passphrase2']
script "create ACL" do
  interpreter "bash"
  user "root"
  cwd "/tmp"
  code <<-EOH
    service #{service_name} stop
    ezncrypt-service start
    ezncrypt-access-control -a "ALLOW @mongodb #{acl_rule1}" -p "#{passphrase}" -s "#{passphrase2}"
    ezncrypt-access-control -a "ALLOW @mongodb #{acl_rule2}" -p "#{passphrase}" -s "#{passphrase2}"
    ezncrypt -e @mongodb #{data_dir}
  EOH
end
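As an added example (not part of the original post or the zNcrypt cookbook), the plain Ruby helper below renders the same bash script body that the "create ACL" resource hands to bash, but shell-escapes every interpolated value with Shellwords and refuses to continue when a data bag lookup returned nothing, so a passphrase containing spaces or quotes cannot corrupt the command line and a missing passphrase fails the run instead of silently passing an empty -p argument. The method name build_encrypt_script and its keyword arguments are hypothetical; the ezncrypt command lines follow the recipe above.

```ruby
require 'shellwords'

# Added example, not the cookbook's code. Renders the bash script body used by the
# "create ACL" resource with every interpolated value shell-escaped and validated.
# The keyword arguments mirror the recipe variables; the names themselves are hypothetical.
def build_encrypt_script(service_name:, category:, data_dir:, acl_rules:, passphrase:, passphrase2:)
  # a nil value means the data bag lookup failed; never emit an empty -p/-s argument
  [passphrase, passphrase2].each do |pw|
    raise ArgumentError, 'passphrase missing from data bag' if pw.nil? || pw.empty?
  end
  # zNcrypt ACL rules and the encrypted directory must be absolute paths
  ([data_dir] + acl_rules).each do |path|
    raise ArgumentError, "not an absolute path: #{path}" unless path.start_with?('/')
  end
  cat  = "@#{category}"
  auth = "-p #{Shellwords.escape(passphrase)} -s #{Shellwords.escape(passphrase2)}"
  lines = ["service #{Shellwords.escape(service_name)} stop", 'ezncrypt-service start']
  acl_rules.each do |rule|
    # one ALLOW rule per binary, as the recipe does for mongod and mkdir
    lines << "ezncrypt-access-control -a #{Shellwords.escape("ALLOW #{cat} #{rule}")} #{auth}"
  end
  lines << "ezncrypt -e #{cat} #{Shellwords.escape(data_dir)}"
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample values standing in for the data bag items
  puts build_encrypt_script(service_name: 'mongodb', category: 'mongodb',
                            data_dir: '/var/lib/mongodb',
                            acl_rules: ['/usr/bin/mongod', '/bin/mkdir'],
                            passphrase: 'demo pass', passphrase2: 'demo salt')
end
```

In the recipe, the returned string is what you would pass to the script resource's code attribute instead of the raw heredoc.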
Using Chef and the zNcrypt cookbook, most of the configuration work needed to install MongoDB with transparent data encryption is done for you. To run this recipe on your chef-client, just download the zNcrypt cookbook and add the zncrypt::default and zncrypt::mongodb recipes to the run list of your chef-client.
