Navigation
This version of the documentation is archived and no longer supported.

mongooplog

On this page

Deprecated since version 3.2.

Mac OSX Sierra and Go 1.6 Incompatibility

Users running on Mac OSX Sierra require the 3.2.10 or newer version of mongooplog.

Synopsis

mongooplog is a simple tool that polls operations from the replication oplog of a remote server, and applies them to the local server. This capability supports certain classes of real-time migrations that require that the source server remain online and in operation throughout the migration process.

Typically this command will take the following form:

mongooplog  --from mongodb0.example.net --host mongodb1.example.net

This command copies oplog entries from the mongod instance running on the host mongodb0.example.net and duplicates operations to the host mongodb1.example.net. If you do not need to keep the --from host running during the migration, consider using mongodump and mongorestore or another backup operation, which may be better suited to your operation.

Note

If the mongod instance specified by the --from argument is running with authentication, then mongooplog will not be able to copy oplog entries.

Options

Changed in version 3.0.0: mongooplog removed the --dbpath as well as related --directoryperdb and --journal options. To use mongooplog, you must run mongooplog against a running mongod or mongos instance as appropriate.

mongooplog
--help

Returns information on the options and use of mongooplog.

--verbose, -v

Increases the amount of internal reporting returned on standard output or in log files. Increase the verbosity with the -v form by including the option multiple times, (e.g. -vvvvv.)

--quiet

Runs the mongooplog in a quiet mode that attempts to limit the amount of output.

This option suppresses:

  • connection accepted events
  • connection closed events
--version

Returns the mongooplog release number.

--host <hostname><:port>, -h <hostname><:port>

Specifies a resolvable hostname for the mongod instance to which mongooplog will apply oplog operations retrieved from the server specified by the --from option.

By default mongooplog attempts to connect to a MongoDB instance running on the localhost on port number 27017.

To connect to a replica set, specify the replica set name and a seed list of set members. Use the following form:

<replSetName>/<hostname1><:port>,<hostname2><:port>,<...>

You can always connect directly to a single MongoDB instance by specifying the host and port number directly.

--port

Specifies the port number of the mongod instance where mongooplog will apply oplog entries. Specify this option only if the MongoDB instance to connect to is not running on the standard port of 27017. You may also specify a port number using the --host command.

--ipv6

Removed in version 3.0.

Enables IPv6 support and allows mongooplog to connect to the MongoDB instance using an IPv6 network. Prior to MongoDB 3.0, you had to specify --ipv6 to use IPv6. In MongoDB 3.0 and later, IPv6 is always enabled.

--ssl

New in version 2.6.

Enables connection to a mongod or mongos that has TLS/SSL support enabled.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslCAFile <filename>

New in version 2.6.

Specifies the .pem file that contains the root certificate chain from the Certificate Authority. Specify the file name of the .pem file using relative or absolute paths.

Warning

For TLS/SSL connections (--ssl) to mongod and mongos, if the mongooplog runs without the --sslCAFile, mongooplog will not attempt to validate the server certificates. This creates a vulnerability to expired mongod and mongos certificates as well as to foreign processes posing as valid mongod or mongos instances. Ensure that you always specify the CA file to validate the server certificates in cases where intrusion is a possibility.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslPEMKeyFile <filename>

New in version 2.6.

Specifies the .pem file that contains both the TLS/SSL certificate and key. Specify the file name of the .pem file using relative or absolute paths.

This option is required when using the --ssl option to connect to a mongod or mongos that has CAFile enabled without allowConnectionsWithoutCertificates.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslPEMKeyPassword <value>

New in version 2.6.

Specifies the password to de-crypt the certificate-key file (i.e. --sslPEMKeyFile). Use the --sslPEMKeyPassword option only if the certificate-key file is encrypted. In all cases, the mongooplog will redact the password from all logging and reporting output.

If the private key in the PEM file is encrypted and you do not specify the --sslPEMKeyPassword option, the mongooplog will prompt for a passphrase. See TLS/SSL Certificate Passphrase.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslCRLFile <filename>

New in version 2.6.

Specifies the .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslAllowInvalidCertificates

New in version 2.6.

Bypasses the validation checks for server certificates and allows the use of invalid certificates. When using the allowInvalidCertificates setting, MongoDB logs as a warning the use of the invalid certificate.

Starting in MongoDB 3.2.21, if you specify --sslAllowInvalidCertificates or ssl.allowInvalidCertificates: true when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS/SSL connection but is insufficient for authentication.

Warning

For TLS/SSL connections to mongod and mongos, avoid using --sslAllowInvalidCertificates if possible and only use --sslAllowInvalidCertificates on systems where intrusion is not possible.

If the mongo shell (and other MongoDB Tools) runs with the --sslAllowInvalidCertificates option, the mongo shell (and other MongoDB Tools) will not attempt to validate the server certificates. This creates a vulnerability to expired mongod and mongos certificates as well as to foreign processes posing as valid mongod or mongos instances.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslAllowInvalidHostnames

New in version 3.0.

Disables the validation of the hostnames in TLS/SSL certificates. Allows mongooplog to connect to MongoDB instances even if the hostname in their certificates do not match the specified hostname.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

--sslFIPSMode

New in version 2.6.

Directs the mongooplog to use the FIPS mode of the installed OpenSSL library. Your system must have a FIPS compliant OpenSSL library to use the --sslFIPSMode option.

Note

FIPS-compatible TLS/SSL is available only in MongoDB Enterprise. See Configure MongoDB for FIPS for more information.

--username <username>, -u <username>

Specifies a username with which to authenticate to a MongoDB database that uses authentication. Use in conjunction with the --password and --authenticationDatabase options.

--password <password>, -p <password>

Specifies a password with which to authenticate to a MongoDB database that uses authentication. Use in conjunction with the --username and --authenticationDatabase options.

Changed in version 3.0.0: If you do not specify an argument for --password, mongooplog returns an error.

Changed in version 3.0.2: If you wish mongooplog to prompt the user for the password, pass the --username option without --password or specify an empty string as the --password value, as in --password "" .

--authenticationDatabase <dbname>

Specifies the database in which the user is created. See Authentication Database.

--authenticationMechanism <name>

Default: SCRAM-SHA-1

Changed in version 2.6: Added support for the PLAIN and MONGODB-X509 authentication mechanisms.

Changed in version 3.0: Added support for the SCRAM-SHA-1 authentication mechanism. Changed default mechanism to SCRAM-SHA-1.

Specifies the authentication mechanism the mongooplog instance uses to authenticate to the mongod or mongos.

Value Description
SCRAM-SHA-1 RFC 5802 standard Salted Challenge Response Authentication Mechanism using the SHA1 hash function.
MONGODB-CR MongoDB challenge/response authentication.
MONGODB-X509 MongoDB TLS/SSL certificate authentication.
GSSAPI (Kerberos) External authentication using Kerberos. This mechanism is available only in MongoDB Enterprise.
PLAIN (LDAP SASL) External authentication using LDAP. You can also use PLAIN for authenticating in-database users. PLAIN transmits passwords in plain text. This mechanism is available only in MongoDB Enterprise.
--gssapiServiceName

New in version 2.6.

Specify the name of the service using GSSAPI/Kerberos. Only required if the service does not use the default name of mongodb.

This option is available only in MongoDB Enterprise.

--gssapiHostName

New in version 2.6.

Specify the hostname of a service using GSSAPI/Kerberos. Only required if the hostname of a machine does not match the hostname resolved by DNS.

This option is available only in MongoDB Enterprise.

--seconds <number>, -s <number>

Specify a number of seconds of operations for mongooplog to pull from the remote host. Unless specified the default value is 86400 seconds, or 24 hours.

--from <host[:port]>

Specify the host for mongooplog to retrieve oplog operations from. mongooplog requires this option.

Unless you specify the --host option, mongooplog will apply the operations collected with this option to the oplog of the mongod instance running on the localhost interface connected to port 27017.

--oplogns <namespace>

Specify a namespace in the --from host where the oplog resides. The default value is local.oplog.rs, which is the where replica set members store their operation log. However, if you’ve copied oplog entries into another database or collection or are pulling oplog entries from a master-slave deployment, use --oplogns to apply oplog entries stored in another location. Namespaces take the form of [database].[collection].

Use

Consider the following prototype mongooplog command:

mongooplog  --from mongodb0.example.net --host mongodb1.example.net

Here, entries from the oplog of the mongod running on port 27017. This only pull entries from the last 24 hours.

Use the --seconds argument to capture a greater or smaller amount of time. Consider the following example:

mongooplog  --from mongodb0.example.net --seconds 172800

In this operation, mongooplog captures 2 full days of operations. To migrate 12 hours of oplog entries, use the following form:

mongooplog  --from mongodb0.example.net --seconds 43200
←   bsondump mongoimport  →