Skip to content

Instantly share code, notes, and snippets.

@ytingyeu

ytingyeu/1-mongo-docker-tls-snyology.md

Last active January 27, 2025 03:28
Show Gist options
  • Save ytingyeu/975497841614658984f9a7d555304f20 to your computer and use it in GitHub Desktop.
Save ytingyeu/975497841614658984f9a7d555304f20 to your computer and use it in GitHub Desktop.
Download ZIP
Run MongoDB with TLS in Docker on Synology NAS
Raw
1-mongo-docker-tls-snyology.md

Summary

A note to run MongoDB with TLS in Docker on Synology NAS.

Pre-setup

Ignore any step if you have already done.

Install Docker via DSM Packages

Do I need to explain?

Allow SSH connection

  1. Go to Synology DSM > Control Panel > Terminal & SNMP > Terminal
  2. Check Enable SSH service and modify port if desired.

Create Let's Encrypt certificate

  1. Go to Synology DSM > Control Panel > Certificate
  2. Click Add > Select Add a new certificate
  3. Select Get a certificate from Let's Encrypt
  4. Enter required information
  5. Click Apply

Important directories

  • /volume1/docker/<container_name>: the real path of a container. The name of volume1 might have a different postfix number if you have multiple NAS volumes. You need to find it out by yourself.
  • /usr/syno/etc/certificate/_archive: where Synology stores certificates.
Raw
2-bundle-certificates.md

Bundle certificate files

Find your certificate pem files

  1. SSH to your NAS with an admin account.
  2. Navigate to /usr/syno/etc/certificate/_archive
  3. Use cat DEFAULT and cat INFO to find out which folder include the certificate you are going to use. In my case, the sub-folder name is RyVRRS.

Create shell script to bundle pem files

  1. Go to your MongoDB container folder, /volume1/docker/mongo for example. If not exists yet, make one.
  2. Create folder ssl and data inside mongo.
  3. Create a file bundle-mongo-pem.sh in mongo.
  4. Add following shell script into bundle-mongo-pem.sh and modify path as per your system.
#!/bin/bash

# path to certificate files
KEY="/usr/syno/etc/certificate/_archive/RyVRRS/privkey.pem"
CERT="/usr/syno/etc/certificate/_archive/RyVRRS/fullchain.pem"

# bundle pem files
cat $KEY $CERT > /volume1/docker/mongo/ssl/mongo.pem

# setup access permission
sudo chmod 600 /volume1/docker/mongo/ssl/mongo.pem

# change the owner
# I'm not sure if the username of docker are the same for every machine.
# Check the owner of folder `docker`, mine is `999`.
sudo chown 999 /volume1/docker/mongo/ssl/mongo.pem
  1. Make shell executable chmod +x bundle-mongo-pem.sh
  2. Execute shell ./bundle-mongo-pem.sh

This should create a bundled pem file in /volume1/docker/mongo/ssl.

Once the certificates get auto-renewed by Synology, you have to execute bundle-mongo-pem.sh again and restart mongo. For sure you can implement some automation process, or modify volumes and command in docker-compose.yaml to the original certificate folder to avoid manual renew.

Raw
3-docker-compose.md

Create MongoDB container

Docker compose

  1. Inside /volume1/docker/mongo, create a file docker-compose.yaml, copy&paste following content, and modify as per your environment.
version: '3'

services:
    mongo:
        # https://hub.docker.com/_/mongo/tags
        image: mongo:<desired_tag>
        
        container_name: <container_name>
        
        # pick your desired restart policy
        # https://docs.docker.com/config/containers/start-containers-automatically/
        restart: always
        
        environment:
            MONGO_INITDB_ROOT_USERNAME: "admin"
            MONGO_INITDB_ROOT_PASSWORD: "my-strong-password"
 
        ports:
            # 27017 is the default port that MongoDB uses
            - "<public_port>:27017"

        volumes:
            - /volume1/docker/<container_name>/data:/data/db
            - /volume1/docker/<container_name>/ssl:/data/ssl
            
        command:         
            [
                "--tlsMode", "requireTLS", 
                "--tlsDisabledProtocols", "TLS1_0,TLS1_1",
                "--tlsCertificateKeyFile", "/data/ssl/mongo.pem",
                "--tlsAllowConnectionsWithoutCertificates",
            ]
  1. Execute docker-compose up -d to create the container and that's it.

The connection URI should be

mongodb://<username>:<password>@<server-domain-name>:<public_port>/<database-name>?tls=true

Things you want to notice

  • volumes binding

Split each value by the colon, the left part is the absolute path on NAS system, the right part is what MongoDB sees inside container.

volumes:
    - /volume1/docker/<container_name>/data:/data/db
    - /volume1/docker/<container_name>/ssl:/data/ssl
  • command parameters

The path of key should be what MongoDB sees inside container, not the real absolute path on NAS system.

command:
  [
    "--tlsCertificateKeyFile", "/data/ssl/mongo.pem",
  ]

As mentioned before, you probably could modify these two sections to point to where Synology stores cert pem to avoid manual renew. Check official doc for more details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment