feat: start mgo with arg to use CA cert #21563
Code looks good, though I can't replicate the PR steps because when I attempt to bootstrap I get:
```
root@juju-92f03c-0:~# systemctl status snap.juju-db.*
● snap.juju-db.logrotate.timer - Timer logrotate for snap application juju-db.logrotate
     Loaded: loaded (/etc/systemd/system/snap.juju-db.logrotate.timer; disabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2026-01-12 09:17:41 UTC; 3min 58s ago
    Trigger: Tue 2026-01-13 00:00:00 UTC; 14h left
   Triggers: ● snap.juju-db.logrotate.service

Jan 12 09:17:41 juju-92f03c-0 systemd[1]: Started Timer logrotate for snap application juju-db.logrotate.

● snap.juju-db.daemon.service - Service for snap application juju-db.daemon
     Loaded: loaded (/etc/systemd/system/snap.juju-db.daemon.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/snap.juju-db.daemon.service.d
             └─overrides.conf
     Active: failed (Result: exit-code) since Mon 2026-01-12 09:17:43 UTC; 3min 56s ago
    Process: 5060 ExecStart=/usr/bin/snap run juju-db.daemon (code=exited, status=14)
   Main PID: 5060 (code=exited, status=14)
        CPU: 175ms

Jan 12 09:17:43 juju-92f03c-0 systemd[1]: snap.juju-db.daemon.service: Scheduled restart job, restart counter is at 4.
Jan 12 09:17:43 juju-92f03c-0 systemd[1]: Stopped Service for snap application juju-db.daemon.
Jan 12 09:17:43 juju-92f03c-0 systemd[1]: snap.juju-db.daemon.service: Start request repeated too quickly.
Jan 12 09:17:43 juju-92f03c-0 systemd[1]: snap.juju-db.daemon.service: Failed with result 'exit-code'.
Jan 12 09:17:43 juju-92f03c-0 systemd[1]: Failed to start Service for snap application juju-db.daemon.
```
Here is the output from the bootstrap:
```
Installing Juju machine agent
2026-01-12 09:17:35 INFO juju.cmd supercommand.go:56 running jujud [2.9.54.1 2882471b366bfaabdd1f26fb04c5f2ecf7b58321 gc go1.25.5]
2026-01-12 09:17:35 INFO juju.agent identity.go:22 writing system identity file
2026-01-12 09:17:35 ERROR juju.mongo mongo.go:654 could not set the value of "/sys/kernel/mm/transparent_hugepage/defrag" to "never" because of: open /sys/kernel/mm/transparent_hugepage/defrag: permission denied
2026-01-12 09:17:35 ERROR juju.mongo mongo.go:654 could not set the value of "/proc/sys/net/core/netdev_max_backlog" to "1000" because of: "/proc/sys/net/core/netdev_max_backlog" does not exist, will not set "1000"
2026-01-12 09:17:35 ERROR juju.mongo mongo.go:654 could not set the value of "/sys/kernel/mm/transparent_hugepage/enabled" to "never" because of: open /sys/kernel/mm/transparent_hugepage/enabled: permission denied
2026-01-12 09:17:35 WARNING juju.mongo mongo.go:484 overwriting args.dataDir (set to /var/lib/juju) to /var/snap/juju-db/common
2026-01-12 09:17:35 INFO juju.mongo mongo.go:489 Ensuring mongo server is running; data directory /var/snap/juju-db/common; port 37017
2026-01-12 09:17:35 WARNING juju.mongo service.go:338 configuring mongod with --noauth flag enabled
2026-01-12 09:17:35 INFO juju.packaging manager.go:103 installing "juju-db" via "snap"
2026-01-12 09:17:35 INFO juju.packaging.manager run.go:88 Running: snap install --channel 4.4/candidate juju-db
2026-01-12 09:22:47 INFO juju.worker.peergrouper initiate.go:68 finished InitiateMongoServer
ERROR failed to start mongo: cannot initiate replica set: cannot dial mongo to initiate replicaset: no reachable servers
ERROR failed to bootstrap model: subprocess encountered error code 1
```
I just tested again with no issue.
Mongo 4.4.30 requires client connections be properly authenticated. The mongo service needs to be started with a CA cert to use and client connections need to be configured with certificates.
/build
@SimonRichardson Please take another look, you and @hpidcock are reviewing this.
SimonRichardson
left a comment
QA for bootstrap correctly works now. So something had changed between when I originally tested it and now.
Small efficiency fixes also.
manadart
left a comment
Looks like we're safe with this, at least as far as 2.9 upgrades go.
We should check 3.6 carefully when it merges forward.
/merge
#21675 Merge 2.9

Brings in several dependabot updates, plus:

- #21644 [from wallyworld/fix-ociimage-pagination](facb908)
- #21563 [from wallyworld/add-mongo-4.4.30-support](fd845a0)

Drops 2.9 only fixes:

- #21570 [from wallyworld/fix-noble-support](f4c0be5)
- #21494 [from wallyworld/fix-charmci-tests](589b0ac)

We also use podman to build and push test images for the k8s upgrade smoke test. We need to be able to force these images to use the docker v2 format. Sadly juju can't handle the oci format and that's what we now get using docker cli. This PR adds support for the oci format so we're ok moving forward. We also drop the use of skopeo to push the test images since podman does the job.

Most conflicts due to dropped commits.

```
# Conflicts:
# .github/workflows/update-brew-formulae.yml
# .github/workflows/upgrade.yml
# CONTRIBUTING.md
# agent/agent_test.go
# agent/agentbootstrap/bootstrap_test.go
# apiserver/facades/client/application/application.go
# apiserver/facades/client/client/client.go
# apiserver/facades/client/client/client_test.go
# apiserver/facades/client/modelupgrader/findtools.go
# apiserver/facades/client/modelupgrader/upgrader_test.go
# cloudconfig/podcfg/image.go
# cloudconfig/podcfg/podcfg_test.go
# cmd/containeragent/initialize/package_test.go
# cmd/juju/application/deploy_test.go
# cmd/juju/application/deployer/bundlehandler.go
# cmd/juju/application/deployer/charm.go
# cmd/juju/application/deployer/charm_test.go
# cmd/juju/application/deployer/deployer.go
# cmd/juju/application/deployer/deployer_test.go
# cmd/juju/application/unexpose_test.go
# cmd/juju/commands/bootstrap.go
# cmd/juju/commands/bootstrap_test.go
# cmd/juju/machine/upgrademachine.go
# cmd/jujud/agent/bootstrap_test.go
# cmd/jujud/agent/machine.go
# controller/config.go
# core/arch/arches.go
# core/series/supportedseries.go
# core/series/supportedseries_test.go
# docker/registry/internal/acr_test.go
# docker/registry/internal/base_client.go
# docker/registry/internal/base_manifests_test.go
# docker/registry/internal/ecr_test.go
# docker/registry/mocks/registry_mock.go
# go.mod
# go.sum
# internal/provider/kubernetes/bootstrap.go
# internal/provider/kubernetes/bootstrap_test.go
# mongo/mongo.go
# mongo/mongodfinder_test.go
# mongo/service.go
# mongo/service_test.go
# service/snap/snap_test.go
# snap/local/wrappers/fetch-oci
# state/backups/restore.go
# state/backups/restore_test.go
# upgrades/upgradevalidation/upgrade_test.go
```
Mongo 4.4.30 requires client connections be properly authenticated.
Some enablement work is needed to make juju compatible with this mongo release.
The mongo service needs to be started with a CA cert to use and client connections need to be configured with certificates.
We'll use the controller's CA cert when starting mongo.
For client connections, issue a new certificate off the CA cert. The client cert is valid for 15 minutes. Once the connection is created, it stays open. If a new connection is needed and the cert has expired, a new one is generated.
Also update the mongo args to use the new "tls" terminology, but only where the mongo version is 4.4. Juju 2.8 uses an older deb mongo version and early 2.9 uses 4.0 and the newer "tls" args were introduced in mongodb 4.1. So we need to stick with the old "ssl" args for those mongo versions.
For pre-merge tests, the seed-repository target needed to optionally push the old juju-db 4.4 image so the older juju could bootstrap.
Drive by: remove obsolete client pre-merge tests.
QA steps

- You can exec into the controller and `snap info juju-db` shows `4.4.30` is installed.
- Check upgrades from a juju version using mongodb 4.4.24. The juju-db snap config in `/var/snap/juju-db/common/juju-db.config` gets regenerated with the new auth related config which is compatible with mongodb 4.4.24.
- On k8s
- On older mongo
  - Get a juju 2.8 cli client
Links
Jira card: JUJU-9072
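The client-certificate scheme the description lays out (a client cert issued off the controller CA, valid for 15 minutes, reused by an open connection, re-issued only when a new connection finds it expired) as an added, stand-alone example. This is not code from this PR or from juju: the CA is a constructed in-memory fixture standing in for the controller CA, and `NewTestCA`, `IssueClientCert`, `NewClientCertSource` and `VerifyAgainstCA` are hypothetical names. The clock is injected so expiry can be driven without waiting.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a constructed in-memory stand-in for the controller CA cert and key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// sign generates a fresh key pair for tmpl and has signer certify it; a nil signer means self-signed.
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTestCA builds a self-signed CA valid for a day from now: a fixture, not how a juju controller CA is made.
func NewTestCA(now time.Time) (*CA, error) {
	cert, key, err := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example controller CA"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueClientCert signs a client-auth leaf off the CA that is valid for ttl from now.
func (ca *CA) IssueClientCert(cn string, now time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	return sign(&x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Minute), // small clock-skew allowance
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.Cert, ca.Key)
}

// NewClientCertSource returns what a connection opener calls: the cached cert while it is still
// valid, a newly issued one once it has expired. Open connections keep the cert they started with.
func NewClientCertSource(ca *CA, cn string, now func() time.Time) func() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	var cert *x509.Certificate
	var key *ecdsa.PrivateKey
	return func() (*x509.Certificate, *ecdsa.PrivateKey, error) {
		if t := now(); cert == nil || !t.Before(cert.NotAfter) {
			c, k, err := ca.IssueClientCert(cn, t, 15*time.Minute) // lifetime given in the PR description
			if err != nil {
				return nil, nil, err
			}
			cert, key = c, k
		}
		return cert, key, nil
	}
}

// VerifyAgainstCA is the check mongod makes with the CA it was started with: chain to that CA, valid at time at.
func VerifyAgainstCA(ca *CA, cert *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, err := NewTestCA(time.Now())
	if err != nil {
		panic(err)
	}
	cert, _, err := NewClientCertSource(ca, "juju-mongo-client", time.Now)()
	if err != nil {
		panic(err)
	}
	fmt.Printf("client cert serial %x expires %s, verifies: %v\n", cert.SerialNumber, cert.NotAfter.UTC().Format(time.RFC3339), VerifyAgainstCA(ca, cert, time.Now()) == nil)
}
```

The source deliberately checks expiry only when a new connection is opened, which is the behaviour the description gives; a source shared by a connection pool would additionally need a mutex around the cached cert, omitted here for brevity. The mongod side (the `tls` versus `ssl` option names chosen by mongo version) is not modelled.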