
Production-Ready MongoDB 7.0: Single-Node, Replica Set, and Security Hardening Guide

This step‑by‑step guide shows how to install MongoDB 7.0 on Linux, configure a production‑grade replica set, enable keyfile‑based internal authentication, create RBAC users, restrict network access, set system limits, schedule backups, and apply performance‑tuning and monitoring practices to keep the database secure and reliable.

AI Agent Super App

Single‑Node Installation

MongoDB 7.0 can be installed on RHEL/CentOS/AlmaLinux 9, 8, 7 or Ubuntu/Debian via the official repository. Create /etc/yum.repos.d/mongodb-org-7.0.repo with the appropriate baseurl for the OS version, then run:

# Install MongoDB 7.0 (mongod, mongosh, mongodump)
yum install -y mongodb-org
# Start and enable the service
systemctl start mongod
systemctl enable mongod
systemctl status mongod

After installation the default data directory is /var/lib/mongo, logs are written to /var/log/mongodb/mongod.log, and the service runs as the mongod user.

Core Configuration for Production

Edit /etc/mongod.conf to adjust storage, network, logging, and resource limits.

Storage: enable journaling, use the WiredTiger engine, and set cacheSizeGB. The default is 50 % of (RAM − 1 GB), so about 7.5 GB on a 16 GB server; the minimum is 256 MB. Lower it if other services share the host's memory.

Network: bind only to internal IPs, e.g. 127.0.0.1,192.168.1.100, instead of 0.0.0.0, to avoid exposing port 27017.

Logging: write logs to a file, and enable logAppend and logRotate: reopen.

ulimit: set nofile and nproc to 64000 for the mongod user (see /etc/security/limits.d/99-mongodb.conf).

A complete production mongod.conf example combines the above sections and adds processManagement.timeZoneInfo and maxIncomingConnections: 65536.

Replica Set Deployment (High Availability)

Use three nodes (odd number) with DNS hostnames. On each node add to /etc/mongod.conf:

replication:
  replSetName: "rs0"
net:
  bindIp: 127.0.0.1,mongo1.example.net   # this node's own hostname
  port: 27017

Start MongoDB on all nodes, then on one node run:

mongosh --host mongo1.example.net
rs.initiate({
  _id: "rs0",
  members: [
    { _id: 0, host: "mongo1.example.net:27017" },
    { _id: 1, host: "mongo2.example.net:27017" },
    { _id: 2, host: "mongo3.example.net:27017" }
  ]
})

After initiation rs.status() shows one PRIMARY and two SECONDARY members. Applications connect using a replica‑set connection string that lists all members; the driver automatically discovers the primary.

Security Hardening

Keyfile (internal authentication): generate with openssl rand -base64 756 > /etc/mongodb-keyfile, set permissions to 400, copy the identical file to every node, and reference it in security.keyFile.

RBAC users: create the first admin user via the localhost exception, then create a cluster admin and an application user with appropriate roles.

# Connect to primary before auth
mongosh --host mongo1.example.net
use admin
db.createUser({
  user: "dba_admin",
  pwd: passwordPrompt(),
  roles: [{ role: "userAdminAnyDatabase", db: "admin" }]
})
db.createUser({
  user: "cluster_admin",
  pwd: passwordPrompt(),
  roles: [{ role: "clusterAdmin", db: "admin" }]
})
db.createUser({
  user: "app_user",
  pwd: passwordPrompt(),
  roles: [{ role: "readWrite", db: "myapp_db" }]
})

Enable authorization: add security.authorization: enabled (implicit when keyFile is set) to /etc/mongod.conf on each node and restart nodes in order (secondaries first, then primary) to avoid service interruption.

Firewall: restrict port 27017 to the internal subnet using firewall-cmd rich rules, e.g.

firewall-cmd --permanent --add-rich-rule='
 rule family="ipv4"
 source address="192.168.1.0/24"
 port protocol="tcp" port="27017" accept'
firewall-cmd --reload
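
The bindIp, keyFile and authorization settings above can be checked mechanically on each node before a restart. The following shell script is an added example, not part of the original article or of MongoDB's tooling; conf_value and audit_mongod_conf are hypothetical helper names, and the config and keyfile written to a temporary directory are constructed sample input.

```shell
#!/bin/sh
# Added example; conf_value and audit_mongod_conf are hypothetical helper names.

# Print the value of the first "key: value" line, without comment or quotes.
conf_value() {  # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/"//g' -e 's/[[:space:]]*$//' | head -n 1
}

# Print one line per finding; return 0 if the file passes, 1 otherwise.
audit_mongod_conf() {  # $1 = path to mongod.conf
    conf=$1; rc=0
    bind=$(conf_value "$conf" bindIp | tr -d ' ')
    case ",$bind," in
        *,0.0.0.0,*|*,::,*) echo "FAIL bindIp listens on all interfaces: $bind"; rc=1 ;;
    esac
    if [ "$(conf_value "$conf" bindIpAll)" = "true" ]; then
        echo "FAIL bindIpAll is true"; rc=1
    fi
    key=$(conf_value "$conf" keyFile)
    if [ -z "$key" ] && [ "$(conf_value "$conf" authorization)" != "enabled" ]; then
        echo "FAIL neither keyFile nor authorization: enabled is set"; rc=1
    elif [ -n "$key" ] && [ ! -f "$key" ]; then
        echo "FAIL keyFile $key does not exist"; rc=1
    elif [ -n "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL keyFile $key is accessible to group or others"; rc=1
    fi
    return $rc
}

# Constructed demo: a config shaped like this guide's, with a placeholder keyfile.
demo_audit() {
    demo=$(mktemp -d)
    printf 'constructed-placeholder-not-a-real-key\n' > "$demo/keyfile"
    chmod 400 "$demo/keyfile"
    cat > "$demo/mongod.conf" <<EOF
net:
  port: 27017
  bindIp: 127.0.0.1,192.168.1.100
replication:
  replSetName: "rs0"
security:
  keyFile: $demo/keyfile
  authorization: enabled
EOF
    audit_mongod_conf "$demo/mongod.conf" && echo "PASS $demo/mongod.conf"
    status=$?; rm -rf "$demo"; return $status
}
demo_audit
```

On a real node, call audit_mongod_conf /etc/mongod.conf; a non-zero exit status means at least one FAIL line was printed.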

Backup, Monitoring, and Performance Tuning

Indexing: create single‑field and compound indexes for high‑frequency queries and verify with explain("executionStats").

// Example indexes (run in mongosh)
use myapp_db
db.users.createIndex({ email: 1 }, { unique: true })
db.orders.createIndex({ user_id: 1, created_at: -1 })
// Verify usage
db.users.find({ email: "user@example.com" }).explain("executionStats")

Backup: use mongodump with authentication; schedule daily backups via a cron script that retains the last 7 days.

# Full instance backup
mongodump --uri="mongodb://dba_admin:***@localhost:27017/" \
  --authenticationDatabase=admin \
  --out=/backup/mongodb/$(date +%Y%m%d)
# Restore example
mongorestore --uri="mongodb://dba_admin:***@localhost:27017/" \
  --authenticationDatabase=admin \
  /backup/mongodb/myapp_20250101/myapp_db
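
One way to write the daily cron script described above, as an added example rather than the article's own script. It keeps the 7 newest dated dump directories and assumes a hypothetical /etc/mongodb-backup.yaml read through mongodump's --config option, so the password stays out of the process list; the account in that file needs a role that can read the data, such as the built-in backup role.

```shell
#!/bin/sh
# Added example of the daily backup job; paths and function names are assumptions.
BACKUP_ROOT=${BACKUP_ROOT:-/backup/mongodb}
# Hypothetical YAML file read by mongodump --config, mode 600, holding e.g.
#   uri: mongodb://<backup-user>:<password>@localhost:27017/?authSource=admin
DUMP_CONFIG=${DUMP_CONFIG:-/etc/mongodb-backup.yaml}
KEEP=7

# Delete all but the newest $2 dump directories named YYYYMMDD under $1.
# Anything whose name is not eight digits is left untouched.
prune_backups() {
    ls -1 "$1" | grep -E '^[0-9]{8}$' | sort -r | tail -n +"$(($2 + 1))" |
        while read -r day; do rm -rf -- "${1:?}/$day"; done
}

# Dump into a dated directory; prune only after a successful dump.
run_backup() {
    umask 077    # dump files readable by the backup account only
    if [ "$(ls -l "$DUMP_CONFIG" | cut -c5-10)" != "------" ]; then
        echo "refusing to run: $DUMP_CONFIG is readable by group or others" >&2
        return 1
    fi
    target="$BACKUP_ROOT/$(date +%Y%m%d)"
    mongodump --config="$DUMP_CONFIG" --out="$target" || {
        echo "mongodump failed, keeping existing dumps" >&2; return 1; }
    prune_backups "$BACKUP_ROOT" "$KEEP"
}

# cron entry (assumed install path): 30 2 * * * /usr/local/bin/mongo-backup.sh run
if [ "${1:-}" = "run" ]; then run_backup; fi
```

Because pruning counts dump directories rather than calendar days, a night with a failed dump does not shrink the set of restorable backups.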

Monitoring: run real‑time tools and enable slow‑query profiling.

# Shell: real-time stats
mongostat 5
mongotop 10
# Shell: check logs for errors
tail -100 /var/log/mongodb/mongod.log | grep -i "error\|warning"

// mongosh: oplog size and time window (rs.printSecondaryReplicationInfo() reports per-secondary lag)
rs.printReplicationInfo()
// mongosh: slow query logging (>100 ms)
db.setProfilingLevel(1, { slowms: 100 })
// mongosh: server uptime in seconds
db.serverStatus().uptime
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
