This page provides a comprehensive, real-world MongoDB configuration baseline for current Debian and RHEL releases, covering both standalone and replica set deployments.
/etc/mongod.conf
~/.mongodb/mongod.conf
--config option when starting MongoDB
# mongod.conf
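# Reference mongod.conf. Nesting is restored here: every option must sit under
# its parent section, or mongod sees unknown top-level keys.

# Storage Configuration
storage:
  dbPath: /var/lib/mongo
  journal:
    # NOTE(review): storage.journal.enabled was removed in MongoDB 6.1, where
    # journaling is always on; delete this key on 6.1+ if mongod rejects it.
    enabled: true
  # Engine-specific options
  wiredTiger:
    engineConfig:
      # Adjust based on available RAM (default: 50% of (RAM - 1 GB), at least 256 MB)
      cacheSizeGB: 1
      journalCompressor: snappy
    collectionConfig:
      blockCompressor: snappy  # Options: snappy, zlib, zstd
    indexConfig:
      prefixCompression: true

# System Logging
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
  # reopen expects an external rotator (e.g. logrotate) to move the file and
  # requires logAppend: true.
  logRotate: reopen  # Options: reopen, rename
  verbosity: 0  # 0=normal, 1=verbose, 2+=very verbose
  quiet: false
  traceAllExceptions: false

# Network Configuration
net:
  port: 27017
  bindIp: 127.0.0.1  # Restrict to localhost for security
  # bindIp: 127.0.0.1,10.0.0.10  # Add specific IPs as needed
  maxIncomingConnections: 65536
  wireObjectCheck: true
  ipv6: false  # Enable only if IPv6 is required

# Process Management
processManagement:
  fork: true  # Run as a daemon (false for Docker)
  pidFilePath: /var/run/mongodb/mongod.pid
  timeZoneInfo: /usr/share/zoneinfo

# Security Configuration
security:
  # Enable authorization
  authorization: enabled
  # Enable/disable security features
  clusterAuthMode: keyFile  # Options: keyFile, sendKeyFile, sendX509, x509
  # Key file for internal authentication (for replica sets/sharding).
  # Required here: replication.replSetName is set below and authorization is
  # enabled, so members need a shared key file (or x.509) to authenticate to
  # each other. The file must be readable by the mongod service account only.
  # keyFile: /path/to/keyfile
  # Encryption at rest
  # NOTE(review): enableEncryption, encryptionKeyFile and redactClientLogData
  # are MongoDB Enterprise options - confirm they exist in your build.
  # enableEncryption: true
  # encryptionKeyFile: /path/to/encryption/key
  # redactClientLogData: false

# Operation Profiling
operationProfiling:
  mode: slowOp  # Options: off, slowOp, all
  slowOpThresholdMs: 100  # Log operations slower than this threshold
  # rateLimit is a Percona Server for MongoDB option (profile 1 in N
  # operations), not an upstream mongod setting; upstream's sampling control
  # is slowOpSampleRate. Left commented so an upstream mongod does not reject
  # the file as containing an unrecognized option.
  # rateLimit: 100

# Replica Set Configuration
replication:
  replSetName: rs0  # Name of the replica set
  oplogSizeMB: 1024  # Size of the oplog in MB (for 3.6+)

# Sharding Configuration (if using sharding)
# sharding:
#   clusterRole: shardsvr  # For shard servers
#   # clusterRole: configsvr  # For config servers

# Set Parameter Configuration
setParameter:
  # Disable localhost exception after initial setup.
  # Apply false only once the first admin user exists: with authorization
  # enabled and no users, the localhost exception is the only way to create one.
  enableLocalhostAuthBypass: false
  # Additional parameters
  # connPoolMaxShardedConnsPerHost: 200
  # connPoolMaxConnsPerHost: 100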
# Standalone instance: loopback plus one private address, access control on.
storage:
  dbPath: /var/lib/mongo
  journal:
    # NOTE(review): storage.journal.enabled was removed in MongoDB 6.1, where
    # journaling is always on; delete this key on 6.1+ if mongod rejects it.
    enabled: true
  wiredTiger:
    engineConfig:
      cacheSizeGB: 4  # Adjust based on your RAM
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
  logRotate: reopen
net:
  port: 27017
  # The second address puts the listener on the private network. No TLS is
  # configured in this file, so traffic on that interface is unencrypted;
  # restrict port 27017 to the application hosts at the firewall.
  bindIp: 127.0.0.1,10.0.10.10  # Add your private IP
  maxIncomingConnections: 65536
processManagement:
  fork: true
  pidFilePath: /var/run/mongodb/mongod.pid
  timeZoneInfo: /usr/share/zoneinfo
security:
  # Clients must authenticate and are limited to their assigned roles.
  authorization: enabled
operationProfiling:
  mode: slowOp
  slowOpThresholdMs: 100
setParameter:
  # Closes the localhost exception. Apply only after the first admin user
  # exists; otherwise there is no account that can create one.
  enableLocalhostAuthBypass: false
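# Replica set member with access control enabled.
storage:
  dbPath: /var/lib/mongo
  journal:
    # NOTE(review): storage.journal.enabled was removed in MongoDB 6.1, where
    # journaling is always on; delete this key on 6.1+ if mongod rejects it.
    enabled: true
  wiredTiger:
    engineConfig:
      cacheSizeGB: 8
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
  # Replica set members must reach each other, but that needs only the
  # address the other members connect to, not every interface. 0.0.0.0 also
  # exposes the listener on any public or management interface the host has.
  # Replace 10.0.10.10 (sample value) with this node's private address.
  bindIp: 127.0.0.1,10.0.10.10
  maxIncomingConnections: 65536
processManagement:
  fork: true
  pidFilePath: /var/run/mongodb/mongod.pid
  timeZoneInfo: /usr/share/zoneinfo
security:
  authorization: enabled
  # With authorization enabled, replica set members must authenticate to each
  # other; without a key file (or x.509) mongod does not start in replica set
  # mode. Use the same key on every member, readable only by the mongod
  # service account. The path below is a placeholder.
  keyFile: /path/to/keyfile
replication:
  replSetName: rs0
  oplogSizeMB: 2048  # Larger oplog for busy systems
operationProfiling:
  mode: slowOp
  slowOpThresholdMs: 100
setParameter:
  # Closes the localhost exception. Apply only after the first admin user
  # exists; otherwise there is no account that can create one.
  enableLocalhostAuthBypass: false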
- dbPath: Data location; place on reliable persistent storage with adequate space
- journal.enabled: true: Required for durability and crash recovery
- cacheSizeGB: WiredTiger cache size (default: 50% of RAM minus 1GB)
- bindIp: Restrict listener to specific interfaces (never use 0.0.0.0 in production)
- maxIncomingConnections: Limit concurrent connections to prevent resource exhaustion
- authorization: enabled: Enforces authenticated access and role checks
- enableLocalhostAuthBypass: false: Prevents unauthorized access even from localhost after initial setup
- replSetName: Enables replica set mode (recommended even for single nodes)
- oplogSizeMB: Size of the operation log for replication

After enabling security, create an admin user:
// Creates the "admin" account in the admin database (mongosh session).
// The four roles together give one account user management, read/write and
// database administration on every database, plus cluster administration.
// Consider keeping userAdminAnyDatabase on a dedicated account and granting
// the data and cluster roles to separate operational users.
use admin
db.createUser({
  user: "admin",
  pwd: passwordPrompt(), // Prompts for password securely, keeping it out of shell history
  roles: [
    { role: "userAdminAnyDatabase", db: "admin" },
    { role: "readWriteAnyDatabase", db: "admin" },
    { role: "dbAdminAnyDatabase", db: "admin" },
    { role: "clusterAdmin", db: "admin" }
  ]
})
Create users with minimal required privileges:
// Creates the application account, scoped to application_db only.
use application_db
db.createUser({
  user: "app_user",
  pwd: passwordPrompt(), // interactive prompt; the password is never typed into the command
  roles: [
    { role: "readWrite", db: "application_db" },
    // dbAdmin adds administrative operations on this database beyond reading
    // and writing data; drop it if the application only reads and writes documents.
    { role: "dbAdmin", db: "application_db" }
  ]
})
# WiredTiger cache sizing.
storage:
  wiredTiger:
    engineConfig:
      cacheSizeGB: 8  # Adjust to ~50% of available RAM for dedicated MongoDB server
# Journal tuning.
storage:
  journal:
    # NOTE(review): storage.journal.enabled was removed in MongoDB 6.1, where
    # journaling is always on; delete this key on 6.1+ if mongod rejects it.
    enabled: true
    # Commit interval in milliseconds (default: 100ms, range: 1-500)
    # commitIntervalMs: 100
# Connection pool limits, set as server parameters.
setParameter:
  connPoolMaxShardedConnsPerHost: 200
  connPoolMaxConnsPerHost: 100
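# TLS for client and intra-cluster connections.
# The net.ssl.* options have been deprecated since MongoDB 4.2; the net.tls.*
# keys below are their direct replacements.
net:
  tls:
    mode: requireTLS
    # server.pem holds the private key: keep it readable by the mongod service
    # account only.
    certificateKeyFile: /etc/ssl/mongodb/server.pem
    # "password" is a placeholder. The passphrase is stored in cleartext here,
    # so keep this file readable only by root and the mongod service account,
    # and out of version control.
    certificateKeyFilePassword: password
    CAFile: /etc/ssl/mongodb/ca.pem
    clusterFile: /etc/ssl/mongodb/server.pem
    clusterPassword: password  # placeholder, same handling as above
    # false: every client must present a certificate that validates against CAFile.
    allowConnectionsWithoutCertificates: false
    # Keep both false; enabling either disables peer certificate validation.
    allowInvalidCertificates: false
    allowInvalidHostnames: false
    FIPSMode: false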
# Audit trail limited to user-management and authentication events.
# NOTE(review): auditLog is not part of MongoDB Community Edition (Enterprise
# feature; Percona Server for MongoDB also implements it) - confirm your build.
auditLog:
  destination: file
  format: JSON
  # Keep this file writable by the mongod service account only, and forward it
  # off-host so the record cannot be altered from the database server.
  path: /var/log/mongodb/auditLog.json
  # Only the four listed action types are recorded.
  # NOTE(review): authCheck entries cover failed authorization checks unless
  # the auditAuthorizationSuccess parameter is enabled - confirm for your version.
  filter: '{ atype: { $in: [ "createUser", "dropUser", "authCheck", "authenticate" ] } }'
# Check configuration syntax
# NOTE(review): confirm that the installed mongod accepts --configtest
# (see `mongod --help`); an unrecognised option fails this step regardless of
# what the configuration file contains.
mongod --config /etc/mongod.conf --configtest
# Restart service
sudo systemctl restart mongod
# Check status
sudo systemctl status mongod
# Check active configuration
# NOTE(review): with authorization enabled this admin command presumably needs
# an authenticated session (same -u/-p/--authenticationDatabase options as the
# last command) - confirm.
mongosh --eval "db.adminCommand({ getCmdLineOpts: 1 })"
# Test connectivity
mongosh --eval "db.adminCommand({ ping: 1 })"
# Check authentication (after enabling)
# -p without a value makes mongosh prompt, so the password stays out of shell
# history and the process list.
mongosh -u admin -p --authenticationDatabase admin --eval "db.runCommand({ connectionStatus: 1 })"
If using replica sets:
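# Initialize replica set (run once after first startup)
# This is a shell command, so the comment marker is '#': a line starting with
# '//' would be executed by the shell.
# _id must match replication.replSetName in mongod.conf.
# 'localhost:27017' only suits a single-node set; other members cannot reach
# this node under that name, so use a resolvable hostname for multi-node sets.
# With authorization enabled, add -u/-p/--authenticationDatabase unless the
# localhost exception is still active.
mongosh --eval "
rs.initiate({
  _id: 'rs0',
  members: [
    { _id: 0, host: 'localhost:27017' }
  ]
})"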
Create a script to validate your MongoDB configuration:
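#!/bin/bash
# validate-mongodb-config.sh
# Runs three checks in order and exits 1 at the first failure:
#   1. mongod accepts /etc/mongod.conf
#   2. the mongod systemd unit is active
#   3. the server answers a ping over the default connection

echo "Validating MongoDB configuration..."

# Check if config file is syntactically correct
# NOTE(review): confirm that the installed mongod accepts --configtest
# (see `mongod --help`); an unrecognised option fails this check regardless of
# what the configuration file contains.
if mongod --config /etc/mongod.conf --configtest; then
    echo "✓ Configuration syntax is valid"
else
    echo "✗ Configuration syntax error"
    exit 1
fi

# Check if MongoDB service is running
if sudo systemctl is-active --quiet mongod; then
    echo "✓ MongoDB service is running"
else
    echo "✗ MongoDB service is not running"
    exit 1
fi

# Test basic connectivity
# mongosh prints results as { ok: 1 }, not the legacy shell's "ok" : 1, so
# matching on the old text never succeeds. Print only the ok field and
# compare it exactly.
if mongosh --quiet --eval "db.adminCommand({ ping: 1 }).ok" | grep -qx '1'; then
    echo "✓ MongoDB connectivity OK"
else
    echo "✗ MongoDB connectivity failed"
    exit 1
fi

echo "All configuration checks passed!"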
Permission Denied: Ensure MongoDB user owns the data directory
# Give the MongoDB service account ownership of the data and log directories.
# NOTE(review): mongod:mongod and /var/lib/mongo match the RHEL-family
# packages; Debian/Ubuntu packages use mongodb:mongodb and /var/lib/mongodb.
# Confirm the account and the paths in mongod.conf before changing ownership.
sudo chown -R mongod:mongod /var/lib/mongo
sudo chown -R mongod:mongod /var/log/mongodb
Port Already in Use: Check for conflicting services
# List listening TCP sockets with numeric addresses and the owning PID/program
# (-p needs root), filtered to port 27017. The address column also shows which
# interface the listener is actually bound to.
sudo netstat -tlnp | grep :27017
Insufficient Memory: Adjust WiredTiger cache size in configuration
Authentication Failures: Verify user creation and role assignments