No security whatsoever #16

Open
niekoost opened this issue Oct 5, 2017 · 2 comments


niekoost commented Oct 5, 2017

I don't like that there is no mention of security for this repository. For testing purposes I had started an autopilotpattern/mongodb instance on Joyent Triton and after a couple of days, my database had disappeared ....

{ 
  "_id" : ObjectId("59d5347ed08e60d4ef9f62ec"), 
  "BitCoin" : "1Jqw2tHBkUAGY32YzettJiDAwe8A9mUzok", 
  "eMail" : "[email protected]", 
  "Exchange" : "https://localbitcoins.com", 
  "Solution" : "Your DataBase is downloaded and backed up on our secured servers. To recover your lost 
    data: Send 0.2 BTC to our BitCoin Address and Contact us by eMail with your MongoDB server IP 
    Address and a Proof of Payment. Any eMail without your MongoDB server IP Address and a Proof of 
    Payment together will be ignored. You are welcome!"
 }

I think that it would be wise to add some security information:

  • create container
  • go to the container: `docker exec -it mongodb_1 bash`
  • start mongo client: `mongo`
  • initiate the cluster: `rs.initiate()`
  • go to admin database: `use admin`
  • create admin user: `db.createUser({user: "USERNAME",pwd: "PASSWORD",roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})`
  • ... do some other security stuff that actually enforces using the user/pwd combination ...

Inspiration:

@yosifkit
Contributor

I believe this would be fixed by #11. In the interim, you could add a firewall to not expose the database to the public internet.

@RahulMR42

I had this earlier for a system fully open to the internet, and I tried with mongokey / with kvm; it worked well.
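
A configuration check for the gaps raised in this thread (access control not enforced, database reachable from the public internet, replica-set members without a key file), as an added example that is not part of the issue or of the autopilotpattern/mongodb project. It assumes a standard YAML `mongod.conf`; the function names and both sample configs are constructed for illustration.

```python
# Added example (not project code); both sample configs are constructed.

def flatten(conf_text):
    """Flatten mongod.conf's nested 'key: value' YAML into dotted keys."""
    flat, stack = {}, []              # stack: (indent, key) of open sections
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # leave finished sections
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            flat[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return flat

def audit(conf_text):
    """Return finding codes for a mongod.conf given as text."""
    c, findings = flatten(conf_text), []
    has_keyfile = "security.keyFile" in c
    # A keyFile also turns on user access control, so either setting counts.
    if c.get("security.authorization") != "enabled" and not has_keyfile:
        findings.append("AUTH_DISABLED")
    # Assumption: bindIp absent means the 3.6+ default of localhost only.
    binds = [b.strip() for b in c.get("net.bindIp", "").split(",")]
    if c.get("net.bindIpAll") == "true" or {"0.0.0.0", "::"} & set(binds):
        findings.append("LISTENS_ON_ALL_INTERFACES")
    # Replica-set members should authenticate each other (keyFile or x.509).
    x509 = c.get("security.clusterAuthMode") == "x509"
    if "replication.replSetName" in c and not (has_keyfile or x509):
        findings.append("REPLSET_WITHOUT_INTERNAL_AUTH")
    return findings

OPEN_CONF = "net:\n  bindIp: 0.0.0.0\nreplication:\n  replSetName: rs0\n"
HARDENED_CONF = """
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback and a private interface
security:
  authorization: enabled
  keyFile: /etc/mongodb/keyfile
replication:
  replSetName: rs0
"""
```

`audit(OPEN_CONF)` reports all three findings and `audit(HARDENED_CONF)` reports none; a clean result says nothing about network firewalling, which still has to be checked separately.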
