`mongod`

Synopsis

mongod is the primary daemon process for the MongoDBsystem. It handles data requests, manages data access, and performsbackground management operations.

This document provides a complete overview of all command line optionsformongod. These command line options are primarily usefulfor testing: In common operation, use theconfiguration fileoptions to control the behavior ofyour database.

Tip

Self-Managed Configuration File Settings and Command-Line Options Mapping

Note

MongoDB disables support for TLS 1.0encryption on systems where TLS 1.1+ is available.

Compatibility

Deployments hosted in the following environments usemongod:

MongoDB Atlas: The fullymanaged service for MongoDB deployments in the cloud

Note

MongoDB Atlas manages themongod for all MongoDB Atlas deployments.

MongoDB Enterprise: Thesubscription-based, self-managed version of MongoDB
MongoDB Community: Thesource-available, free-to-use, and self-managed version of MongoDB

Considerations

mongod includes aFull Time Diagnostic Data Capture mechanism to assist MongoDB engineers with troubleshootingdeployments. If this thread fails, it terminates the originating process.To avoid the most common failures, confirm that the user running theprocess has permissions to create the FTDCdiagnostic.datadirectory. Formongod the directory is withinstorage.dbPath. Formongos it is parallel tosystemLog.path.

Options

Changed in version 6.1:

MongoDB always enables journaling. As a result, MongoDB removes thestorage.journal.enabled option and the corresponding--journal and--nojournal command-line options.

Changed in version 5.2:

MongoDB removes the--cpu command-line option.

Changed in version 5.0:

MongoDB removes the--serviceExecutor command-line option and thecorrespondingnet.serviceExecutor configuration option.

Core Options

--auth

Enables authorization to control user's access to database resourcesand operations. When authorization is enabled, MongoDB requires allclients to authenticate themselves first in order to determine theaccess for the client.

To configure users, use themongosh client. If no usersexist, the localhost interface has access to thedatabase until you create the first user.

SeeSecurity for more information.

--bind_ip <hostnames|ipaddresses|Unix domain socket paths>

Default: localhost

The hostnames and/or IP addresses and/or full Unix domain socketpaths on whichmongod should listen for client connections. Youmay attachmongod to any interface. To bind to multipleaddresses, enter a list of comma-separated values.

Example

localhost,/tmp/mongod.sock

You can specify both IPv4 and IPv6 addresses, or hostnames thatresolve to an IPv4 or IPv6 address.

Example

localhost, 2001:0DB8:e132:ba26:0d5c:2774:e7f9:d513

Note

If specifying an IPv6 addressor a hostname that resolves to anIPv6 address to--bind_ip, you must startmongod with--ipv6 to enable IPv6 support. Specifying an IPv6 addressto--bind_ip does not enable IPv6 support.

If specifying alink-local IPv6 address(fe80::/10), you must append thezone indexto that address (i.e.fe80::<address>%<adapter-name>).

Example

localhost,fe80::a00:27ff:fee0:1fcf%enp0s3

Important

To avoid configuration updates due to IP address changes, use DNShostnames instead of IP addresses. It is particularly important touse a DNS hostname instead of an IP address when configuring replicaset members or sharded cluster members.

Use hostnames instead of IP addresses to configure clusters across asplit network horizon. Starting in MongoDB 5.0, nodes that are onlyconfigured with an IP address fail startup validation and do not start.

Warning

Before you bind your instance to a publicly-accessible IP address,you must secure your cluster from unauthorized access. For a completelist of security recommendations, seeSecurity Checklist for Self-Managed Deployments. At minimum, considerenabling authentication andhardeningnetwork infrastructure.

For more information about IP Binding, refer to theIP Binding in Self-Managed Deployments documentation.

To bind to all IPv4 addresses, enter0.0.0.0.

To bind to all IPv4 and IPv6 addresses, enter::,0.0.0.0 oran asterisk"*" (enclose the asterisk in quotes to avoid filenamepattern expansion). Alternatively, use thenet.bindIpAll setting.

Note

--bind_ip and--bind_ip_all are mutually exclusive.Specifying both options causesmongod to throw an error andterminate.
The command-line option--bind overrides the configurationfile settingnet.bindIp.

--bind_ip_all

If specified, themongod instance binds to all IPv4addresses (i.e.0.0.0.0). Ifmongod starts with--ipv6,--bind_ip_all also binds to all IPv6 addresses(i.e.::).

mongod only supports IPv6 if started with--ipv6. Specifying--bind_ip_all alone does not enable IPv6 support.

Warning

For more information about IP Binding, refer to theIP Binding in Self-Managed Deployments documentation.

Alternatively, you can set the--bind_ip option to::,0.0.0.0or to an asterisk"*" (enclose the asterisk in quotes to avoid filenamepattern expansion).

Note

--bind_ip and--bind_ip_all are mutually exclusive. Thatis, you can specify one or the other, but not both.

--clusterIpSourceAllowlist <string>

New in version 5.0.

A list of IP addresses/CIDR (Classless Inter-Domain Routing) ranges against which themongod validates authentication requests from other members ofthe replica set and, if part of a sharded cluster, themongosinstances. Themongod verifies that the originating IP iseither explicitly in the list or belongs to a CIDR range in the list. If theIP address is not present, the server does not authenticate themongod ormongos.

--clusterIpSourceAllowlist has no effect on amongod started withoutauthentication.

--clusterIpSourceAllowlist accepts multiple comma-separated IPv4/6 addresses or ClasslessInter-Domain Routing (CIDR) ranges:

mongod --clusterIpSourceAllowlist 192.0.2.0/24,127.0.0.1,::1

Important

Ensure--clusterIpSourceAllowlist includes the IP addressor CIDR ranges that include theIP address of each replica set member ormongos in thedeployment to ensure healthy communication between cluster components.

--config <filename>, -f <filename>

Specifies a configuration file for runtime configuration options. Theconfiguration file is the preferred method for runtime configuration ofmongod. The options are equivalent to the command-lineconfiguration options. SeeSelf-Managed Configuration File Options formore information.

Ensure the configuration file uses ASCII encoding. Themongodinstance does not support configuration files with non-ASCII encoding,including UTF-8.

--configExpand <none|rest|exec>

Default: none

Enables usingExpansion Directivesin configuration files. Expansion directives allow you to setexternally sourced values for configuration file options.

--configExpand supports the following expansion directives:

Value	Description
`none`	Default.`mongod` does not expand expansion directives.`mongod` fails to start if any configuration file settingsuse expansion directives.
`rest`	`mongod` expands`__rest` expansion directives whenparsing the configuration file.
`exec`	`mongod` expands`__exec` expansion directives whenparsing the configuration file.

You can specify multiple expansion directives as a comma-separatedlist, for example:rest, exec. If the configuration file containsexpansion directives not specified to--configExpand, themongodreturns an error and terminates.

SeeExternally Sourced Configuration File Values for Self-Managed Deployments for configuration filesfor more information on expansion directives.

--filePermissions <path>

Default:0700

Sets the permission for the UNIX domain socket file.

--filePermissions applies only to Unix-based systems.

--fork

Enables adaemon mode that runs themongod process in thebackground. The--fork option is not supported on Windows.

By defaultmongod does not run as a daemon. You runmongod asa daemon by using either--fork or a controlling processthat handles daemonization, such asupstart orsystemd.

To use--fork, configure log output for themongod with one of the following:

--help, -h: Returns information on the options and use ofmongod.

--ipv6

Enables IPv6 support.mongod disables IPv6 support by default.

Setting--ipv6 doesnot direct themongod to listen on anylocal IPv6 addresses or interfaces. To configure themongod tolisten on an IPv6 interface, you must either:

Configure--bind_ip with one or more IPv6 addresses orhostnames that resolve to IPv6 addresses,or
Set--bind_ip_all totrue.

--keyFile <file>

Specifies the path to a key file that stores the shared secretthat MongoDB instances use to authenticate to each other in asharded cluster orreplica set.--keyFile implies--auth. SeeSelf-Managed Internal/Membership Authentication for moreinformation.

Keyfiles for internal membership authentication use YAML format to allow for multiple keys in akeyfile. The YAML format accepts either:

A single key string (same as in earlier versions)
A sequence of key strings

The YAML format is compatible with the existing single-keykeyfiles that use the text file format.

--listenBacklog <number>

Default: Target systemSOMAXCONN constant

The maximum number of connections that can exist in the listenqueue.

Warning

Consult your local system's documentation to understand thelimitations and configuration requirements before using thisparameter.

Important

To prevent undefined behavior, specify a value for thisparameter between1 and the local systemSOMAXCONNconstant.

The default value for thelistenBacklog parameter depends on thetarget system. On Linux, MongoDB uses/proc/sys/net/core/somaxconn.On all other target systems, MongoDB uses the compile time constantSOMAXCONN.

Some systems may interpretSOMAXCONN symbolically, and othersnumerically. The actuallisten backlog applied in practice maydiffer from any numeric interpretation of theSOMAXCONN constantor argument to--listenBacklog.

Passing a value for thelistenBacklog parameter that exceeds theSOMAXCONN constant for the local system is, by the letter of thestandards, undefined behavior. Higher values may be silently integertruncated, may be ignored, may cause unexpected resourceconsumption, or have other adverse consequences.

--logappend: Appends new entries to the end of the existing log file when themongodinstance restarts. Without this option,mongod backs up theexisting log and create a new file.

--logpath <path>

Sends all diagnostic logging information to a log file instead of tostandard output or to the host'ssyslog system. MongoDB createsthe log file at the path you specify.

By default, MongoDB moves any existing log file rather than overwritingit. To instead append to the log file, set the--logappend option.

--logRotate <string>

Default: rename

Determines the behavior for thelogRotate command whenrotating the server log and/or the audit log. Specify eitherrename orreopen:

rename renames the log file.
reopen closes and reopens the log file following the typicalLinux/Unix log rotate behavior. Usereopen when using theLinux/Unix logrotate utility to avoid log loss.
If you specifyreopen, you must also use--logappend.

--maxConns <number>

The maximum number of simultaneous connections thatmongodaccepts. This setting has no effect if it is higher than your operatingsystem's configured maximum connection tracking threshold.

Do not assign too low of a value to this option, or you willencounter errors during normal application operation.

--networkMessageCompressors <string>

Default: snappy,zstd,zlib

Specifies the default compressor(s) to use forcommunication between thismongod instance and:

other members of the deployment if the instance is part of a replica set or a sharded cluster
mongosh
drivers that support theOP_COMPRESSED message format.

MongoDB supports the following compressors:

Note

Bothmongod andmongos instances default tosnappy,zstd,zlib compressors, in that order.

To disable network compression, set the value todisabled.

Important

Messages are compressed when both parties enable networkcompression. Otherwise, messages between the parties areuncompressed.

If you specify multiple compressors, then the order in which you listthe compressors matter as well as the communication initiator. Forexample, ifmongosh specifies the following networkcompressorszlib,snappy and themongod specifiessnappy,zlib, messages betweenmongosh andmongod useszlib.

If the parties do not share at least one common compressor, messagesbetween the parties are uncompressed. For example, ifmongosh specifies the network compressorzlib andmongod specifiessnappy, messagesbetweenmongosh andmongod are notcompressed.

--noauth: Disables authentication. Currently the default. Exists for futurecompatibility and clarity.

--noscripting: Disables the scripting engine.

--notablescan: Forbids operations that require a collection scan. Seenotablescan for additional information.

--nounixsocket

Disables listening on the UNIX domain socket.--nounixsocket applies onlyto Unix-based systems.

Themongod processalways listens on the UNIX socket unless one of the following is true:

--nounixsocket is set
net.bindIp is not set
net.bindIp does not specifylocalhost or its associated IP address

mongod installed from officialInstall MongoDB Community Edition on DebianandInstall MongoDB Community Edition on Red Hat or CentOS packageshave thebind_ip configuration set to127.0.0.1 bydefault.

--outputConfig

Outputs themongod instance's configuration options, formattedin YAML, tostdout and exits themongod instance. Forconfiguration options that usesExternally Sourced Configuration File Values for Self-Managed Deployments,--outputConfig returns the resolved value for those options.

Warning

This may include any configured passwords or secrets previouslyobfuscated through the external source.

For usage examples, see:

--pidfilepath <path>: Specifies a file location to store the process ID (PID) of themongodprocess. The user running themongod ormongosprocess must be able to write to this path. If the--pidfilepath option is notspecified, the process does not create a PID file. This option is generallyonly useful in combination with the--fork option.
Note
Linux
On Linux, PID file management is generally the responsibility ofyour distro's init system: usually a service file in the/etc/init.ddirectory, or a systemd unit file registered withsystemctl. Onlyuse the--pidfilepath option if you are not using one of these initsystems. For more information, please see the respectiveInstallation Guide for your operating system.
Note
macOS
On macOS, PID file management is generally handled bybrew. Only usethe--pidfilepath option if you are not usingbrew on your macOS system.For more information, please see the respective InstallationGuide for your operating system.

--port <port>

Default:

27017 ifmongod is not a shard member or a config server member
27018 ifmongod is ashard member
27019 ifmongod is aconfig server member

The TCP port on which the MongoDB instance listens forclient connections.

The--port option accepts a range of values between0 and65535.Setting the port to0 configuresmongod to use an arbitrary portassigned by the operating system.

--quiet

Runsmongod in a quiet mode that attempts to limit the amountof output.

This option suppresses:

output fromdatabase commands
replication activity
connection accepted events
connection closed events
client metadata

--redactClientLogData

Available in MongoDB Enterprise only.

Amongod running with--redactClientLogData redacts any message accompanying a givenlog event before logging. This prevents themongod from writingpotentially sensitive data stored on the database to the diagnostic log.Metadata such as error or operation codes, line numbers, and source filenames are still visible in the logs.

Use--redactClientLogData in conjunction withEncryption at Rest andTLS/SSL (Transport Encryption) to assist compliance withregulatory requirements.

For example, a MongoDB deployment might store Personally IdentifiableInformation (PII) in one or more collections. Themongod logs eventssuch as those related to CRUD operations, sharding metadata, etc. It ispossible that themongod may expose PII as a part of these loggingoperations. Amongod running with--redactClientLogData removes any messageaccompanying these events before being output to the log, effectivelyremoving the PII.

Diagnostics on amongod running with--redactClientLogData may be more difficultdue to the lack of data related to a log event. See theprocess logging manual page for anexample of the effect of--redactClientLogData on log output.

On a runningmongod, usesetParameter with theredactClientLogData parameter to configure this setting.

--setParameter <options>: Specifies one of the MongoDB parameters described inMongoDB Server Parameters for a Self-Managed Deployment. You can specify multiplesetParameterfields.

--shutdown

The--shutdown option cleanly and safely terminates themongodprocess. When invokingmongod with this option you must set the--dbpath option either directly or by way of theconfiguration file and the--config option.

The--shutdown option is available only on Linux systems.

For additional ways to shut down, see alsoStopmongod Processes.

--sysinfo: Returns diagnostic system information and then exits. Theinformation provides the page size, the number of physical pages,and the number of available physical pages.

--syslog

Sends all logging output to the host'ssyslog system ratherthan to standard output or to a log file (--logpath).

The--syslog option is not supported on Windows.

Warning

Thesyslog daemon generates timestamps when it logs a message, notwhen MongoDB issues the message. This can lead to misleading timestampsfor log entries, especially when the system is under heavy load. Werecommend using the--logpath option for production systems toensure accurate timestamps.

MongoDB includes thecomponent in its logmessages tosyslog.

...  ACCESS   [repl writer worker 5] Unsupported modification to roles collection ...

--syslogFacility <string>

Default: user

Specifies the facility level used when logging messages to syslog.The value you specify must be supported by youroperating system's implementation of syslog. To use this option, youmust enable the--syslog option.

--timeStampFormat <string>

Default: iso8601-local

The time format for timestamps in log messages. Specify one of thefollowing values:

Value	Description
`iso8601-utc`	Displays timestamps in Coordinated Universal Time (UTC) in theISO-8601 format. For example, for New York at the start of theEpoch:`1970-01-01T00:00:00.000Z`
`iso8601-local`	Displays timestamps in local time in the ISO-8601format. For example, for New York at the start of the Epoch:`1969-12-31T19:00:00.000-05:00`

Note

--timeStampFormat no longer supportsctime. An example ofctimeformatted date is:Wed Dec 31 18:17:54.811.

--timeZoneInfo <path>

The full path from which to load the time zone database. If this optionis not provided, then MongoDB uses its built-in time zone database.

The configuration file included with Linux and macOS packages sets thetime zone database path to/usr/share/zoneinfo by default.

The built-in time zone database is a copy of theOlson/IANA time zonedatabase. It is updated along withMongoDB releases, but the time zone database release cyclediffers from the MongoDB release cycle. The most recent release ofthe time zone database is available on ourdownload site.

wget https://downloads.mongodb.org/olson_tz_db/timezonedb-latest.zip
unzip timezonedb-latest.zip
mongod --timeZoneInfo timezonedb-2017b/

Warning

MongoDB uses the third partytimelib library to provide accurateconversions between timezones. Due to a recent update,timelibcould create inaccurate time zone conversions in older versions ofMongoDB.

To explicitly link to the time zone database in versions of MongoDBprior to 5.0, download thetime zone database.and use thetimeZoneInfo parameter.

Tip

processManagement.timeZoneInfo.

--traceExceptions: For internal diagnostic use only.

--transitionToAuth

Allows themongod to accept and create authenticated andnon-authenticated connections to and from othermongodandmongos instances in the deployment. Used forperforming rolling transition of replica sets or sharded clustersfrom a no-auth configuration tointernal authentication. Requires specifying ainternalauthentication mechanism such as--keyFile.

For example, if usingkeyfiles forinternal authentication, themongod createsan authenticated connection with anymongod ormongosin the deployment using a matching keyfile. If the security mechanisms donot match, themongod utilizes a non-authenticated connection instead.

Amongod running with--transitionToAuth does not enforceuser accesscontrols. Users may connect to your deployment without anyaccess control checks and perform read, write, and administrative operations.

Note

Amongod running withinternal authentication andwithout--transitionToAuth requires clients to connectusinguser access controls. Update clients toconnect to themongod using the appropriateuserprior to restartingmongod without--transitionToAuth.

--unixSocketPrefix <path>

Default: /tmp

The path for the UNIX socket.--unixSocketPrefix applies onlyto Unix-based systems.

If this option has no value, themongod process creates a socket with/tmp as a prefix. MongoDBcreates and listens on a UNIX socket unless one of the following is true:

net.unixDomainSocket.enabled isfalse
--nounixsocket is set
net.bindIp is not set
net.bindIp does not specifylocalhost or its associated IP address

--verbose, -v: Increases the amount of internal reporting returned on standard outputor in log files. Increase the verbosity with the-v form byincluding the option multiple times, for example:-vvvvv.
Note
Starting in version 4.2, MongoDB includes the Debug verbosity level(1-5) in thelog messages. For example,if the verbosity level is 2, MongoDB logsD2. In previousversions, MongoDB log messages only specifiedD for Debug level.

--version: Returns themongod release number.

LDAP Authentication or Authorization Options

Note

Starting in MongoDB 8.0, LDAP authentication and authorization isdeprecated. LDAP is available and will continue to operate withoutchanges throughout the lifetime of MongoDB 8. LDAP will be removed in afuture major release.

For details, seeLDAP Deprecation.

--ldapServers <host1>:<port>,<host2>:<port>,...,<hostN>:<port>

Available in MongoDB Enterprise only.

The LDAP server against which themongod authenticates users ordetermines what actions a user is authorized to perform on a givendatabase. If the LDAP server specified has any replicated instances,you may specify the host and port of each replicated server in acomma-delimited list.

If your LDAP infrastructure partitions the LDAP directory over multiple LDAPservers, specifyone LDAP server or any of its replicated instances to--ldapServers. MongoDB supports following LDAP referrals as defined inRFC 45114.1.10. Do not use--ldapServersfor listing every LDAP server in your infrastructure.

This setting can be configured on a runningmongod usingsetParameter.

If unset,mongod cannot useLDAP authentication or authorization.

--ldapValidateLDAPServerConfig <boolean>

Available in MongoDB Enterprise

A flag that determines if themongod instance checksthe availability of theLDAP server(s) as part of its startup:

Iftrue, themongod instance performs theavailability check and only continues to start up if the LDAPserver is available.
Iffalse, themongod instance skips theavailability check; i.e. the instance starts up even if the LDAPserver is unavailable.

--ldapQueryUser <string>

Available in MongoDB Enterprise only.

The identity with whichmongod binds as, when connecting to orperforming queries on an LDAP server.

Only required if any of the following are true:

UsingLDAP authorization.
Using an LDAP query forusername transformation.
The LDAP server disallows anonymous binds

You must use--ldapQueryUser with--ldapQueryPassword.

If unset,mongod doesn't attempt to bind to the LDAP server.

This setting can be configured on a runningmongod usingsetParameter.

Note

Windows MongoDB deployments can use--ldapBindWithOSDefaultsinstead of--ldapQueryUser and--ldapQueryPassword. You cannot specifyboth--ldapQueryUser and--ldapBindWithOSDefaults at the same time.

--ldapQueryPassword <string | array>

Available in MongoDB Enterprise only.

The password used to bind to an LDAP server when using--ldapQueryUser. You must use--ldapQueryPassword with--ldapQueryUser.

If not set,mongod does not attempt to bind to the LDAP server.

You can configure this setting on a runningmongod usingsetParameter.

TheldapQueryPasswordsetParameter command accepts either astring or an array of strings. IfldapQueryPassword is set to an array,MongoDB tries each password in order until one succeeds. Use a password arrayto roll over the LDAP account password without downtime.

Note

Windows MongoDB deployments can use--ldapBindWithOSDefaultsinstead of--ldapQueryUser and--ldapQueryPassword.You cannot specify both--ldapQueryPassword and--ldapBindWithOSDefaults at the same time.

--ldapBindWithOSDefaults <bool>

Default: false

Available in MongoDB Enterprise for the Windows platform only.

Allowsmongod to authenticate, or bind, using your Windows logincredentials when connecting to the LDAP server.

Only required if:

UsingLDAP authorization.
Using an LDAP query forusername transformation.
The LDAP server disallows anonymous binds

Use--ldapBindWithOSDefaults to replace--ldapQueryUser and--ldapQueryPassword.

--ldapBindMethod <string>

Default: simple

Available in MongoDB Enterprise only.

The methodmongod uses to authenticate to an LDAP server.Use with--ldapQueryUser and--ldapQueryPassword toconnect to the LDAP server.

--ldapBindMethod supports the following values:

simple -mongod uses simple authentication.
sasl -mongod uses SASL protocol for authentication

If you specifysasl, you can configure the available SASL mechanismsusing--ldapBindSaslMechanisms.mongod defaults tousingDIGEST-MD5 mechanism.

--ldapBindSaslMechanisms <string>

Default: DIGEST-MD5

Available in MongoDB Enterprise only.

A comma-separated list of SASL mechanismsmongod canuse when authenticating to the LDAP server. Themongod and theLDAP server must agree on at least one mechanism. Themongoddynamically loads any SASL mechanism libraries installed on the hostmachine at runtime.

Install and configure the appropriate libraries for the selectedSASL mechanism(s) on both themongod host and the remoteLDAP server host. Your operating system may include certain SASLlibraries by default. Defer to the documentation associated with eachSASL mechanism for guidance on installation and configuration.

If using theGSSAPI SASL mechanism for use withKerberos Authentication on Self-Managed Deployments, verify the following for themongod host machine:

Linux

TheKRB5_CLIENT_KTNAME environmentvariable resolves to the name of the clientLinux Keytab Filesfor the host machine. For more on Kerberos environmentvariables, please defer to theKerberos documentation.
The client keytab includes aUser Principal for themongod to use whenconnecting to the LDAP server and execute LDAP queries.

Windows

If connecting to an Active Directory server, the WindowsKerberos configuration automatically generates aTicket-Granting-Ticketwhen the user logs onto the system. Set--ldapBindWithOSDefaults totrue to allowmongod to use the generated credentials whenconnecting to the Active Directory server and execute queries.

Set--ldapBindMethod tosasl to use this option.

Note

For a complete list of SASL mechanisms see theIANA listing.Defer to the documentation for your LDAP or Active Directoryservice for identifying the SASL mechanisms compatible with theservice.

MongoDB is not a source of SASL mechanism libraries, noris the MongoDB documentation a definitive source forinstalling or configuring any given SASL mechanism. Fordocumentation and support, defer to the SASL mechanismlibrary vendor or owner.

For more information on SASL, defer to the following resources:

For Linux, please see theCyrus SASL documentation.
For Windows, please see theWindows SASL documentation.

--ldapTransportSecurity <string>

Default: tls

Available in MongoDB Enterprise only.

By default,mongod creates a TLS/SSL secured connection to the LDAPserver.

For Linux deployments, you must configure the appropriate TLS Options in/etc/openldap/ldap.conf file. Your operating system's package managercreates this file as part of the MongoDB Enterprise installation, via thelibldap dependency. See the documentation forTLS Options in theldap.conf OpenLDAP documentationfor more complete instructions.

For Windows deployment, you must add the LDAP server CA certificates to theWindows certificate management tool. The exact name and functionality of thetool may vary depending on operating system version. Please see thedocumentation for your version of Windows for more information oncertificate management.

Set--ldapTransportSecurity tonone to disable TLS/SSL betweenmongod and the LDAPserver.

Warning

Setting--ldapTransportSecurity tonone transmits plaintext information and possiblycredentials betweenmongod and the LDAP server.

--ldapTimeoutMS <int>

Default: 10000

Available in MongoDB Enterprise only.

The amount of time in millisecondsmongod should wait for an LDAP serverto respond to a request.

Increasing the value of--ldapTimeoutMS may prevent connection failure between theMongoDB server and the LDAP server, if the source of the failure is aconnection timeout. Decreasing the value of--ldapTimeoutMS reduces the timeMongoDB waits for a response from the LDAP server.

This setting can be configured on a runningmongod usingsetParameter.

--ldapRetryCount <int>

New in version 6.1.

Default: 0

Available in MongoDB Enterprise only.

Number of operation retries by the server LDAP manager after anetwork error.

--ldapUserToDNMapping <string>

Available in MongoDB Enterprise only.

Maps the username provided tomongod for authentication to a LDAPDistinguished Name (DN). You may need to use--ldapUserToDNMapping to transform ausername into an LDAP DN in the following scenarios:

Performing LDAP authentication with simple LDAP binding, where usersauthenticate to MongoDB with usernames that are not full LDAP DNs.
Using anLDAP authorization query template that requires a DN.
Transforming the usernames of clients authenticating to Mongo DBusing different authentication mechanisms, such as x.509 orkerberos, to a full LDAP DN for authorization.

--ldapUserToDNMapping expects a quote-enclosed JSON-string representing an ordered arrayof documents. Each document contains a regular expressionmatch andeither asubstitution orldapQuery template used for transforming theincoming username.

Each document in the array has the following form:

{
match:"<regex>"
substitution:"<LDAP DN>" |ldapQuery:"<LDAP Query>"
}

Field	Description	Example
`match`	An ECMAScript-formatted regular expression (regex) to match against aprovided username. Each parenthesis-enclosed section represents aregex capture group used by`substitution` or`ldapQuery`.	`"(.+)ENGINEERING""(.+)DBA"`
`substitution`	An LDAP distinguished name (DN) formatting template that converts theauthentication name matched by the`match` regex into a LDAP DN.Each curly bracket-enclosed numeric value is replaced by thecorrespondingregex capture group extractedfrom the authentication username via the`match` regex. The result of the substitution must be anRFC4514 escaped string.	`"cn={0},ou=engineering,dc=example,dc=com"`
`ldapQuery`	A LDAP query formatting template that inserts the authenticationname matched by the`match` regex into an LDAP query URI encodedrespecting RFC4515 and RFC4516. Each curly bracket-enclosed numericvalue is replaced by the correspondingregex capture group extractedfrom the authentication username via the`match` expression.`mongod` executes the query against the LDAP server to retrievethe LDAP DN for the authenticated user.`mongod` requiresexactly one returned result for the transformation to besuccessful, or`mongod` skips this transformation.	`"ou=engineering,dc=example,dc=com??one?(user={0})"`

Note

An explanation ofRFC4514,RFC4515,RFC4516, or LDAP queries is outof scope for the MongoDB Documentation. Please review the RFC directly oruse your preferred LDAP resource.

For each document in the array, you must use eithersubstitution orldapQuery. Youcannot specify both in the same document.

When performing authentication or authorization,mongod steps througheach document in the array in the given order, checking the authenticationusername against thematch filter. If a match is found,mongod applies the transformation and uses the output forauthenticating the user.mongod does not check the remaining documentsin the array.

If the given document does not match the provided authenticationname,mongod continues through the list of documentsto find additional matches. If no matches are found in any document,or the transformation the document describes fails,mongod returns an error.

mongod also returns an error if one of the transformations cannot beevaluated due to networking or authentication failures to the LDAP server.mongod rejects the connection request and does not check the remainingdocuments in the array.

Starting in MongoDB 5.0,--ldapUserToDNMappingaccepts an empty string"" or empty array[ ] in place of amapping documnent. If providing an empty string or empty array to--ldapUserToDNMapping, MongoDB maps theauthenticated username as the LDAP DN. In earlier versions, providingan empty mapping document causes mapping to fail.

Example

The following shows two transformation documents. The firstdocument matches against any string ending in@ENGINEERING, placinganything preceeding the suffix into a regex capture group. Thesecond document matches against any string ending in@DBA, placinganything preceeding the suffix into a regex capture group.

Important

You must pass the array to --ldapUserToDNMapping as a string.

"[
   {
      match: "(.+)@ENGINEERING.EXAMPLE.COM",
      substitution: "cn={0},ou=engineering,dc=example,dc=com"
   },
   {
      match: "(.+)@DBA.EXAMPLE.COM",
      ldapQuery: "ou=dba,dc=example,dc=com??one?(user={0})"
   }
]"

A user with usernamealice@ENGINEERING.EXAMPLE.COM matches the firstdocument. The regex capture group{0} corresponds to the stringalice. The resulting output is the DN"cn=alice,ou=engineering,dc=example,dc=com".

A user with usernamebob@DBA.EXAMPLE.COM matches the second document.The regex capture group{0} corresponds to the stringbob. Theresulting output is the LDAP query"ou=dba,dc=example,dc=com??one?(user=bob)".mongod executes thisquery against the LDAP server, returning the result"cn=bob,ou=dba,dc=example,dc=com".

If--ldapUserToDNMapping is unset,mongod applies no transformations to the usernamewhen attempting to authenticate or authorize a user against the LDAP server.

This setting can be configured on a runningmongod using thesetParameter database command.

--ldapAuthzQueryTemplate <string>

Available in MongoDB Enterprise only.

A relative LDAP query URL formatted conforming toRFC4515 andRFC4516 thatmongod executes to obtainthe LDAP groups to which the authenticated user belongs to. The query isrelative to the host or hosts specified in--ldapServers.

In the URL, you can use the following substituion tokens:

Substitution Token	Description
`{USER}`	Substitutes the authenticated username, or the`transformed`username if a`username mapping` is specified.
`{PROVIDED_USER}`	Substitutes the supplied username, i.e. before eitherauthentication or`LDAP transformation`.

When constructing the query URL, ensure that the order of LDAP parametersrespects RFC4516:

[ dn  [ ? [attributes] [ ? [scope] [ ? [filter] [ ? [Extensions] ] ] ] ] ]

If your query includes an attribute,mongod assumes that the queryretrieves a the DNs which this entity is member of.

If your query does not include an attribute,mongod assumesthe query retrieves all entities which the user is member of.

For each LDAP DN returned by the query,mongod assigns the authorizeduser a corresponding role on theadmin database. If a role on the on theadmin database exactly matches the DN,mongod grants the user theroles and privileges assigned to that role. See thedb.createRole() method for more information on creating roles.

Example

This LDAP query returns any groups listed in the LDAP user object'smemberOf attribute.

"{USER}?memberOf?base"

Your LDAP configuration may not include thememberOf attribute as partof the user schema, may possess a different attribute for reporting groupmembership, or may not track group membership through attributes.Configure your query with respect to your own unique LDAP configuration.

If unset,mongod cannot authorize users using LDAP.

This setting can be configured on a runningmongod using thesetParameter database command.

Note

An explanation ofRFC4515,RFC4516 or LDAP queries is outof scope for the MongoDB Documentation. Please review the RFC directly oruse your preferred LDAP resource.

Storage Options

--storageEngine string

Default:wiredTiger

Specifies the storage engine for themongod database. Availablevalues include:

Value	Description
`wiredTiger`	To specify theWiredTiger Storage Engine.
`inMemory`	To specify theIn-Memory Storage Engine for Self-Managed Deployments. Available in MongoDB Enterprise only.

If you attempt to start amongod with a--dbpath that contains data files produced by astorage engine other than the one specified by--storageEngine,mongod doesn't start.

--dbpath <path>

Default:/data/db on Linux and macOS,\data\db on Windows

The directory where themongod instance stores its data.

If using the defaultConfiguration Fileincluded with a package manager installation of MongoDB, thecorrespondingstorage.dbPath setting uses a differentdefault.

The files in--dbpath must correspond to the storage enginespecified in--storageEngine. If the data files do notcorrespond to--storageEngine,mongod doesn't start.

--directoryperdb

Uses a separate directory to store data for each database. Thedirectories are under the--dbpath directory, and each subdirectoryname corresponds to the database name.

Not available formongod instances that use thein-memory storage engine.

Starting in MongoDB 5.0, dropping the final collection in a database(or dropping the database itself) when--directoryperdb isenabled deletes the newly empty subdirectory for that database.

To change the--directoryperdb option for existingdeployments:

For standalone instances:
1. Usemongodump on the existingmongod instance to generate a backup.
2. Stop themongod instance.
3. Add the--directoryperdb valueandconfigure a new data directory
4. Restart themongod instance.
5. Usemongorestore to populate the new datadirectory.
For replica sets:
1. Stop a secondary member.
2. Add the--directoryperdb valueandconfigure a new data directory to that secondary member.
3. Restart that secondary.
4. Useinitial sync to populatethe new data directory.
5. Update remaining secondaries in the same fashion.
6. Step down the primary, and update the stepped-down member in thesame fashion.

--syncdelay <value>

Default: 60

Controls how much time can pass before MongoDB flushes data to the datafiles.

Do not set this value onproduction systems. In almost every situation, you should use thedefault setting.

Themongod process writes data very quickly to the journal andlazily to the data files.--syncdelay has no effect onjournaling, but if--syncdelay is set to0 the journal eventually consumes all available disk space.

Not available formongod instances that use thein-memory storage engine.

To providedurable data,WiredTigerusescheckpoints. For moredetails, seeJournaling and the WiredTiger Storage Engine.

--upgrade

Upgrades the on-disk data format of the files specified by the--dbpath to the latest version, if needed.

This option only affects the operation of themongod if the datafiles are in an old format.

In most cases you should not set this value, so you can exercise themost control over your upgrade process. See the MongoDB release notesfor more information about the upgrade process.

--repair

Runs a repair routine on all databases for amongodinstance.

Starting in MongoDB 5.0:

The repair operation validates the collections to find anyinconsistencies and fixes them if possible, which avoidsrebuilding the indexes.
If a collection's data file is salvaged or if the collection hasinconsistencies that the validate step is unable to fix, then allindexes are rebuilt.

Tip

If you are running withjournaling enabled, there isalmost never any need to run repair since the server can use thejournal files to restore the data files to a clean state automatically.However, you may need to run repair in cases where you need to recoverfrom a disk-level data corruption.

Warning

Only usemongod --repair if you have no other options.The operation removes and does not save any corrupt data duringthe repair process.
Avoid running--repair againsta replica set member:
- To repair areplica set member, if you have an intactcopy of your data available (e.g. a recent backup or an intactmember of thereplica set), restore from that intactcopy instead. To learn more, seeResync a Member of a Self-Managed Replica Set.
- If you choose to runmongod --repair against areplica set member and the operation modifies the data or themetadata, you must still perform a full resync in order for themember to rejoin the replica set.
Before using--repair, make a backupcopy of thedbpath directory.
If repair fails to complete for any reason, you must restart theinstance using the--repair option.

--journalCommitInterval <value>

Default: 100

The maximum amount of time in milliseconds thatthemongod process allows betweenjournal operations. Values can range from 1 to 500 milliseconds. Lowervalues increase the durability of the journal, at the expense of diskperformance.

On WiredTiger, the default journal commit interval is 100milliseconds. A write that includes or impliesj:true causes an immediate sync of the journal. For detailsand additional conditions that affect the frequency of the sync, seeJournaling Process.

Not available formongod instances that use thein-memory storage engine.

WiredTiger Options

--wiredTigerCacheSizeGB <float>

Defines the maximum size of the internal cache that WiredTigeruses for all data. The memory consumed by an index build (seemaxIndexBuildMemoryUsageMegabytes) is separate from theWiredTiger cache memory.

Avoid increasing the WiredTiger internal cache size above itsdefault value. If your use case requires to do so, you can use--wiredTigerCacheSizePct to specify a percentage of up to 80% of availablememory. Values can range from0.25 GB to10000 GB.

The default WiredTiger internal cache size is the larger of either:

50% of (RAM - 1 GB), or
256 MB.

For example, on a system with a total of 4GB of RAM theWiredTiger cache uses 1.5GB of RAM (0.5 * (4 GB - 1 GB) =1.5 GB). Conversely, on a system with a total of 1.25 GB ofRAM WiredTiger allocates 256 MB to the WiredTiger cachebecause that is more than half of the total RAM minus onegigabyte (0.5 * (1.25 GB - 1 GB) = 128 MB < 256 MB).

Note

In some instances, such as when running in a container, the databasecan have memory constraints that are lower than the total systemmemory. In such instances, this memory limit, rather than the totalsystem memory, is used as the maximum RAM available.

To see the memory limit, seehostInfo.system.memLimitMB.

With WiredTiger, MongoDB utilizes both the WiredTiger internal cacheand the filesystem cache.

With the filesystem cache, MongoDB automatically uses all free memorythat is not used by the WiredTiger cache or by other processes.

Note

The--wiredTigerCacheSizeGB limits the size of the WiredTiger internalcache. The operating system uses the available free memoryfor filesystem cache, which allows the compressed MongoDB datafiles to stay in memory. In addition, the operating systemuses any free RAM to buffer file system blocks and file systemcache.

To accommodate the additional consumers of RAM, you may have todecrease WiredTiger internal cache size.

The default WiredTiger internal cache size value assumes that there is asinglemongod instance per machine. If a single machinecontains multiple MongoDB instances, decrease the setting to accommodatethe othermongod instances.

If you runmongod in a container (for example,lxc,cgroups, Docker, etc.) that doesnot have access to all of theRAM available in a system, you must set--wiredTigerCacheSizeGB to a valueless than the amount of RAM available in the container. The exactamount depends on the other processes running in the container. SeememLimitMB.

You can only provide one of either--wiredTigerCacheSizeGB or--wiredTigerCacheSizePct.

--wiredTigerCacheSizePct <float>

Defines the maximum amount of memory to allocate for cache as apercentage of physical RAM. The memory that an index build consumes (seemaxIndexBuildMemoryUsageMegabytes) is separate from theWiredTiger cache memory.

You can specify a percentage of up to 80% of available memory.Values range from0.25 GB to10000 GB.

The default WiredTiger internal cache size is the larger of either:

50% of (RAM - 1 GB), or
256 MB.

Note

To see the memory limit, seehostInfo.system.memLimitMB.

With WiredTiger, MongoDB utilizes both the WiredTiger internal cacheand the filesystem cache.

With the filesystem cache, MongoDB automatically uses all free memorythat is not used by the WiredTiger cache or by other processes.

Note

The--wiredTigerCacheSizePct limits the size of the WiredTiger internalcache. The operating system uses the available free memoryfor filesystem cache, which allows the compressed MongoDB datafiles to stay in memory. In addition, the operating systemuses any free RAM to buffer file system blocks and file systemcache.

To accommodate the additional consumers of RAM, you may have todecrease WiredTiger internal cache size.

If you runmongod in a container (for example,lxc,cgroups, Docker, etc.) that doesnot have access to all of theRAM available in a system, you must set--wiredTigerCacheSizePct to a valueless than the amount of RAM available in the container. The exactamount depends on the other processes running in the container. SeememLimitMB.

You can only provide one of either--wiredTigerCacheSizePct or--wiredTigerCacheSizeGB.

--wiredTigerJournalCompressor <compressor>

Default: snappy

Specifies the type of compression to use to compress WiredTigerjournal data.

Available compressors are:

--wiredTigerDirectoryForIndexes

When you startmongod with--wiredTigerDirectoryForIndexes,mongod stores indexes and collections in separatesubdirectories under the data (i.e.--dbpath) directory.Specifically,mongod stores the indexes in a subdirectory namedindex and the collection data in a subdirectory namedcollection.

By using a symbolic link, you can specify a different location forthe indexes. Specifically, whenmongod instance isnotrunning, move theindex subdirectory to the destination andcreate a symbolic link namedindex under the data directory tothe new destination.

--wiredTigerCollectionBlockCompressor <compressor>

Default: snappy

Specifies the default compression for collection data. You canoverride this on a per-collection basis when creating collections.

Available compressors are:

--wiredTigerCollectionBlockCompressor affects all collections created. If you changethe value of--wiredTigerCollectionBlockCompressor on an existing MongoDB deployment, all newcollections use the specified compressor. Existing collectionscontinue to use the compressor specified when they werecreated, or the default compressor at that time.

--wiredTigerIndexPrefixCompression <boolean>

Default: true

Enables or disablesprefix compression for index data.

Specifytrue for--wiredTigerIndexPrefixCompression to enableprefix compression forindex data, orfalse to disable prefix compression for index data.

The--wiredTigerIndexPrefixCompression setting affects all indexes created. If you changethe value of--wiredTigerIndexPrefixCompression on an existing MongoDB deployment, all newindexes use prefix compression. Existing indexesare not affected.

Replication Options

--replSet <setname>

Configures replication. Specify a replica set name as an argument tothis set. All hosts in the replica set must have the same set name.

If your application connects to more than one replica set, each set musthave a distinct name. Some drivers group replica set connections byreplica set name.

--oplogSize <value>

The maximum size in megabytes for theoplog. TheoplogSize setting configures the uncompressed size of theoplog, not the size on disk.

Note

The oplog can grow past its configured sizelimit to avoid deleting themajority commit point.

By default, themongod process creates anoplog based onthe maximum amount of space available. For 64-bit systems, the oplogis typically 5% of available disk space.

Once themongod has created the oplog for the first time,changing the--oplogSize option doesn't affect the size ofthe oplog. To change the minimum oplog retention period afterstarting themongod, usereplSetResizeOplog.replSetResizeOplogenables you to resize the oplog dynamically without restarting themongod process. To persist the changes made usingreplSetResizeOplog through a restart, update the valueof--oplogSize.

SeeOplog Size for more information.

--oplogMinRetentionHours <value>

Specifies the minimum number of hours to preserve an oplog entry,where the decimal values represent the fractions of an hour. Forexample, a value of1.5 represents one hour and thirtyminutes.

The value must be greater than or equal to0. A value of0indicates that themongod should truncate the oplogstarting with the oldest entries to maintain the configuredmaximum oplog size.

Defaults to0.

Amongod started with--oplogMinRetentionHoursonly removes an oplog entryif:

The oplog has reached the maximum configured oplog sizeand
The oplog entry is older than the configured number of hours basedon the host system clock.

Themongod has the following behavior when configuredwith a minimum oplog retention period:

The oplog can grow without constraint so as to retain oplog entriesfor the configured number of hours. This may result in reduction orexhaustion of system disk space due to a combination of high writevolume and large retention period.
If the oplog grows beyond its maximum size, themongod may continue to hold that disk space even ifthe oplog returns to its maximum sizeor is configured for asmaller maximum size. SeeReducing Oplog Size Does Not Immediately Return Disk Space.
Themongod compares the system wall clock to anoplog entries creation wall clock time when enforcing oplog entryretention. Clock drift between cluster components may result inunexpected oplog retention behavior. SeeClock Synchronization for more information onclock synchronization across cluster members.

To change the minimum oplog retention period after starting themongod, usereplSetResizeOplog.replSetResizeOplog enables you to resize the oplogdynamically without restarting themongod process. Topersist the changes made usingreplSetResizeOplogthrough a restart, update the value of--oplogMinRetentionHours.

--enableMajorityReadConcern

Default: true

Configures support for"majority" read concern.

Starting in MongoDB 5.0,--enableMajorityReadConcern cannot be changedand is always set totrue. In earlier versions of MongoDB,--enableMajorityReadConcern was configurable.

Warning

If you are using a three-member primary-secondary-arbiter (PSA)architecture, consider the following:

The write concern"majority" can causeperformance issues if a secondary is unavailable or lagging. Foradvice on how to mitigate these issues, seeMitigate Performance Issues with a Self-Managed PSA Replica Set.
If you are using a global default"majority"and the write concern is less than the size of the majority,your queries may return stale (not fully replicated) data.

Sharded Cluster Options

--configsvr

Required if starting a config server.

Declares that thismongod instance serves as theconfigserver of a sharded cluster. Whenrunning with this option, clients (i.e. other cluster components)cannot write data to any database other thanconfigandadmin. The default port for amongod with this option is27019 and the default--dbpath directory is/data/configdb, unless specified.

Important

When starting a MongoDB server with--configsvr, you must alsospecify a--replSet.

The use of the deprecated mirroredmongod instances asconfig servers (SCCC) is no longer supported.

The replica set config servers (CSRS) must run theWiredTiger storage engine.

The--configsvr option creates a localoplog.

Do not use the--configsvr option with--shardsvr. Configservers cannot be a shard server.

Do not use the--configsvr with theskipShardingConfigurationChecks parameter. That is, ifyou are temporarily starting themongod as astandalone for maintenance operations, include the parameterskipShardingConfigurationChecks and exclude--configsvr.Once maintenance has completed, remove theskipShardingConfigurationChecks parameter and restartwith--configsvr.

--shardsvr

Required if starting a shard server.

Configures thismongod instance as a shard in asharded cluster. The default port for these instances is27018.

Important

When starting a MongoDB server with--shardsvr, you must alsospecify a--replSet.

Do not use the--shardsvr with theskipShardingConfigurationChecks parameter. That is, ifyou are temporarily starting themongod as astandalone for maintenance operations, include the parameterskipShardingConfigurationChecks and exclude--shardsvr.Once maintenance has completed, remove theskipShardingConfigurationChecks parameter and restartwith--shardsvr.

TLS Options

Tip

See:

Configuremongod andmongos for TLS/SSL on Self-Managed Deployments for fulldocumentation of MongoDB's support.

--tlsMode <mode>

Enables TLS used for all network connections. Theargument to the--tlsMode option can be one of the following:

Value	Description
`disabled`	The server does not use TLS.
`allowTLS`	Connections between servers do not use TLS. For incomingconnections, the server accepts both TLS and non-TLS.
`preferTLS`	Connections between servers use TLS. For incomingconnections, the server accepts both TLS and non-TLS.
`requireTLS`	The server uses and accepts only TLS encrypted connections.

If--tlsCAFile ortls.CAFile is notspecified and you are not using X.509 authentication, you must set thetlsUseSystemCA parameter totrue. This makes MongoDB usethe system-wide CA certificate store when connecting to a TLS-enabled server.

If using X.509 authentication,--tlsCAFile ortls.CAFilemust be specified unless using--tlsCertificateSelector.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

--tlsCertificateKeyFile <filename>

Specifies the.pem file that contains both the TLS certificate andkey.

On macOS or Windows, you can use the--tlsCertificateSelector option to specify acertificate from the operating system's secure certificate storeinstead of a PEM key file.--tlsCertificateKeyFile and--tlsCertificateSelector options are mutually exclusive.You can only specify one.

On Linux/BSD, you must specify--tlsCertificateKeyFilewhen TLS/SSL is enabled.
On Windows or macOS, you must specify either--tlsCertificateKeyFile or--tlsCertificateSelector when TLS/SSL is enabled.
Important
For Windowsonly, MongoDB does not supportencrypted PEM files. Themongod fails to start ifit encounters an encrypted PEM file. To securely store andaccess a certificate for use with TLS on Windows,use--tlsCertificateSelector.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

--tlsCertificateKeyFilePassword <value>

Specifies the password to decrypt the certificate-key file (i.e.--tlsCertificateKeyFile). Use the--tlsCertificateKeyFilePassword option only if thecertificate-key file is encrypted. In all cases, themongod redacts the password from all logging andreporting output.

On Linux/BSD, if the private key in the PEM file is encrypted andyou do not specify the--tlsCertificateKeyFilePassword option, MongoDB prompts for apassphrase. SeeTLS/SSL Certificate Passphrase.
On macOS, if the private key in the PEM file isencrypted, you must explicitly specify the--tlsCertificateKeyFilePassword option. Alternatively,you can use a certificate from the secure system store (see--tlsCertificateSelector) instead of a PEM file or use anunencrypted PEM file.
On Windows, MongoDB does not support encrypted certificates.Themongod fails if it encounters an encryptedPEM file. Use--tlsCertificateSelector instead.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

--clusterAuthMode <option>

Default: keyFile

The authentication mode used for cluster authentication. If you useinternal X.509 authentication,specify so here. This option can have one of the following values:

Value	Description
`keyFile`	Use a keyfile for authentication.Accept only keyfiles.
`sendKeyFile`	For rolling upgrade purposes. Send a keyfile forauthentication but can accept both keyfiles and X.509certificates.
`sendX509`	For rolling upgrade purposes. Send the X.509 certificate forauthentication but can accept both keyfiles and X.509certificates.
`x509`	Recommended. Send the X.509 certificate for authentication andaccept only X.509 certificates.

If using X.509 authentication,--tlsCAFile ortls.CAFilemust be specified unless using--tlsCertificateSelector.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

--tlsClusterFile <filename>

Specifies the.pem file that contains the X.509certificate-key file formembership authentication for the cluster or replica set.

On macOS or Windows, you can use the--tlsClusterCertificateSelector option to specify acertificate from the operating system's secure certificate storeinstead of a PEM key file.--tlsClusterFile and--tlsClusterCertificateSelector options are mutuallyexclusive. You can only specify one.

If--tlsClusterFile does not specify the.pem file forinternal cluster authentication or the alternative--tlsClusterCertificateSelector, the cluster uses the.pem file specified in the--tlsCertificateKeyFileoption or the certificate returned by the--tlsCertificateSelector.

If using X.509 authentication,--tlsCAFile ortls.CAFilemust be specified unless using--tlsCertificateSelector.

mongod /mongos logs a warning onconnection if the presented X.509 certificate expires within30days of themongod/mongos host system time.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

Important

For Windowsonly, MongoDB does not supportencrypted PEM files. Themongod fails to start ifit encounters an encrypted PEM file. To securely store andaccess a certificate for use with membership authentication onWindows, use--tlsClusterCertificateSelector.

--tlsCertificateSelector <parameter>=<value>

Note

Available on Windows and macOS as an alternative to--tlsCertificateKeyFile.

Specifies a certificate property in order to select a matchingcertificate from the operating system's certificate store to use forTLS.

The--tlsCertificateKeyFile and--tlsCertificateSelector options are mutually exclusive.You can only specify one.

--tlsCertificateSelector accepts an argument of the format<property>=<value> where the property can be one of thefollowing:

Property	Value type	Description
`subject`	ASCII string	Subject name or common name on certificate
`thumbprint`	hex string	A sequence of bytes, expressed as hexadecimal, used toidentify a public key by its SHA-1 digest. The`thumbprint` is sometimes referred to as a`fingerprint`.

When using the system SSL certificate store, OCSP (OnlineCertificate Status Protocol) is used to validate the revocationstatus of certificates.

Themongod searches the operating system's securecertificate store for the CA certificates required to validate thefull certificate chain of the specified TLS certificate.Specifically, the secure certificate store must contain the root CAand any intermediate CA certificates required to build the fullcertificate chain to the TLS certificate. Donot use--tlsCAFile or--tlsClusterCAFile to specify theroot and intermediate CA certificate

For example, if the TLS/SSL certificate was signed with a single rootCA certificate, the secure certificate store must contain that rootCA certificate. If the TLS/SSL certificate was signed with anintermediate CA certificate, the secure certificate store mustcontain the intermedia CA certificateand the root CA certificate.

Note

You cannot use therotateCertificates command or thedb.rotateCertificates() shell method when usingnet.tls.certificateSelector or--tlsCertificateSelectorset tothumbprint

--tlsClusterCertificateSelector <parameter>=<value>

Note

Available on Windows and macOS as an alternative to--tlsClusterFile.

Specifies a certificate property in order to select a matchingcertificate from the operating system's certificate storeforinternal X.509 membership authentication.

--tlsClusterFile and--tlsClusterCertificateSelector options are mutuallyexclusive. You can only specify one.

--tlsClusterCertificateSelector accepts an argument of theformat<property>=<value> where the property can be one of thefollowing:

Property	Value type	Description
`subject`	ASCII string	Subject name or common name on certificate
`thumbprint`	hex string	A sequence of bytes, expressed as hexadecimal, used toidentify a public key by its SHA-1 digest. The`thumbprint` is sometimes referred to as a`fingerprint`.

Themongod searches the operating system's securecertificate store for the CA certificates required to validate thefull certificate chain of the specified cluster certificate.Specifically, the secure certificate store must contain the root CAand any intermediate CA certificates required to build the fullcertificate chain to the cluster certificate. Donot use--tlsCAFile or--tlsClusterCAFile to specify theroot and intermediate CA certificate.

For example, if the cluster certificate was signed with a single rootCA certificate, the secure certificate store must contain that rootCA certificate. If the cluster certificate was signed with anintermediate CA certificate, the secure certificate store mustcontain the intermedia CA certificateand the root CA certificate.

mongod /mongos logs a warning onconnection if the presented X.509 certificate expires within30days of themongod/mongos host system time.

--tlsClusterPassword <value>

Specifies the password to decrypt the X.509 certificate-key filespecified with--tlsClusterFile. Use the--tlsClusterPassword option only if the certificate-keyfile is encrypted. In all cases, themongod redactsthe password from all logging and reporting output.

On Linux/BSD, if the private key in the X.509 file is encrypted andyou do not specify the--tlsClusterPassword option,MongoDB prompts for a passphrase. SeeTLS/SSL Certificate Passphrase.
On macOS, if the private key in the X.509 file isencrypted, you must explicitly specify the--tlsClusterPassword option. Alternatively, you caneither use a certificate from the secure system store (see--tlsClusterCertificateSelector) instead of a cluster PEMfile or use an unencrypted PEM file.
On Windows, MongoDB does not support encrypted certificates.Themongod fails if it encounters an encryptedPEM file. Use--tlsClusterCertificateSelector instead.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

--tlsCAFile <filename>

Specifies the.pem file that contains the root certificatechain from the Certificate Authority. Specify the file name of the.pem file using relative or absolute paths.

Important

When starting amongod instance withTLS/SSL enabled, you mustspecify a value for the--tlsCAFile flag, thenet.tls.CAFile configuration option, or thetlsUseSystemCAparameter.

--tlsCAFile,tls.CAFile, andtlsUseSystemCA are all mutuallyexclusive.

Windows/macOS Only: If using--tlsCertificateSelector and/or--tlsClusterCertificateSelector, donot use--tlsCAFile to specify the root and intermediate CAcertificates. Store all CA certificates required to validate thefull trust chain of the--tlsCertificateSelector and/or--tlsClusterCertificateSelector certificates in thesecure certificate store.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

--tlsClusterCAFile <filename>

Specifies the.pem file that contains the root certificatechain from the Certificate Authority used to validate the certificatepresented by a client establishing a connection. Specify the filename of the.pem file using relative or absolute paths.--tlsClusterCAFile requires that--tlsCAFile is set.

If--tlsClusterCAFile does not specify the.pemfile for validating the certificate from a client establishing aconnection, the cluster uses the.pem file specified in the--tlsCAFile option.

--tlsClusterCAFile lets you use separate CertificateAuthorities to verify the client to server and server to clientportions of the TLS handshake.

Windows/macOS Only: If using--tlsCertificateSelector and/or--tlsClusterCertificateSelector, donot use--tlsClusterCAFile to specify the root andintermediate CA certificates. Store all CA certificates required tovalidate the full trust chain of the--tlsCertificateSelector and/or--tlsClusterCertificateSelector certificates in thesecure certificate store.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

--tlsCRLFile <filename>

Specifies the.pem file that contains the Certificate RevocationList. Specify the file name of the.pem file using relative orabsolute paths.

Note

You cannot specify a CRL file onmacOS. Instead, you can use the system SSL certificate store,which uses OCSP (Online Certificate Status Protocol) tovalidate the revocation status of certificates. See--tlsCertificateSelector to use thesystem SSL certificate store.
To check for certificate revocation,MongoDBenables the use of OCSP(Online Certificate Status Protocol) by default as analternative to specifying a CRL file or using the system SSLcertificate store.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

--tlsAllowInvalidCertificates

Bypasses the validation checks for TLS certificates on otherservers in the cluster and allows the use of invalid certificates toconnect.

Note

If you specify--tlsAllowInvalidCertificates ortls.allowInvalidCertificates:true when using X.509 authentication, an invalid certificate isonly sufficient to establish a TLS connection but isinsufficient for authentication.

When usingthe--tlsAllowInvalidCertificates setting, MongoDBlogs a warning regarding the use of the invalid certificate.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

--tlsAllowInvalidHostnames

Disables the validation of the hostnames in TLS certificates,when connecting to other members of the replica set or sharded clusterfor inter-process authentication. This allowsmongod to connectto other members if the hostnames in their certificates do not matchtheir configured hostname.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

--tlsAllowConnectionsWithoutCertificates

By default, the server bypasses client certificate validation unlessthe server is configured to use a CA file. If a CA file is provided, thefollowing rules apply:

For clients that don't provide certificates,mongod ormongos encrypts the TLS/SSL connection, assuming theconnection is successfully made.
For clients that present a certificate,mongod performscertificate validation using the root certificate chain specified by--tlsCAFile and reject clients with invalidcertificates.

Use the--tlsAllowConnectionsWithoutCertificates option if you havea mixed deployment that includes clients that do not or cannot presentcertificates to themongod.

For more information about TLS and MongoDB, seeConfiguremongod andmongos for TLS/SSL on Self-Managed Deployments andTLS/SSL Configuration for Clients .

--tlsDisabledProtocols <protocol(s)>

Prevents a MongoDB server running with TLS from acceptingincoming connections that use a specific protocol or protocols. Tospecify multiple protocols, use a comma separated list of protocols.

--tlsDisabledProtocols recognizes the following protocols:TLS1_0,TLS1_1,TLS1_2, andTLS1_3.

On macOS, you cannot disableTLS1_1 and leave bothTLS1_0 andTLS1_2 enabled. You must disable at least one of the othertwo, for example,TLS1_0,TLS1_1.
To list multiple protocols, specify as a comma separated list ofprotocols. For exampleTLS1_0,TLS1_1.
Specifying an unrecognized protocol prevents the server fromstarting.
The specified disabled protocols overrides any default disabledprotocols.

MongoDB disables the use of TLS 1.0 if TLS1.1+ is available on the system. To enable the disabled TLS 1.0,specifynone to--tlsDisabledProtocols.

Members of replica sets and sharded clusters must speak at least oneprotocol in common.

Tip

Disallow Protocols

--tlsFIPSMode: Directs themongod to use the FIPS mode of the TLSlibrary. Your system must have a FIPScompliant library to use the--tlsFIPSMode option.
Note
FIPS-compatible TLS/SSL isavailable only inMongoDB Enterprise. SeeConfigure MongoDB for FIPS for more information.

Profiler Options

--profile <level>

Default: 0

Configures thedatabase profiler level.The following profiler levels are available:

0

The profiler is off and does not collect any data.This is the default profiler level.

1

The profiler collects data for operations that exceed theslowms threshold or match a specifiedfilter.

When a filter is set:

Theslowms andsampleRate options are not used forprofiling.
The profiler only captures operations that match thefilter.

2

The profiler collects data for all operations.

Warning

Profiling can degrade performance and expose unencrypted query data in thesystem log. Carefully consider any performance and security implicationsbefore configuring and enabling the profiler on a production deployment.

SeeProfiler Overhead for more information onpotential performance degradation.

--slowms <integer>

Default: 100

The slow operation time threshold, in milliseconds. Operations that runfor longer than this threshold are consideredslow.

Slow operations are logged based onworkingMillis, which is theamount of time that MongoDB spends working on that operation. This meansthat factors such as waiting for locks and flow control do not affectwhether an operation exceeds the slow operation threshold.

WhenlogLevel is set to0, MongoDB recordsslowoperations to the diagnostic log at a rate determined byslowOpSampleRate.

At higherlogLevel settings, all operations appear inthe diagnostic log regardless of their latency with the followingexception: the logging of slow oplog entry messages by thesecondaries. The secondaries log only the slow oplogentries; increasing thelogLevel does not log alloplog entries.

Formongod instances,--slowms affects the diagnostic logand, if enabled, the profiler.

Tip

Database Profiler

--slowOpSampleRate <double>

Default: 1.0

The fraction ofslow operations that should be profiled or logged.--slowOpSampleRate accepts values between 0 and 1, inclusive.

--slowOpSampleRate does not affect the slow oplog entry loggingby the secondary members of a replica set. Secondarymembers log all oplog entries that take longer than the slowoperation threshold regardless of the--slowOpSampleRate.

Formongod instances,--slowOpSampleRate affects thediagnostic log and, if enabled, the profiler.

Audit Options

--auditCompressionMode

New in version 5.3.

Specifies the compression mode foraudit log encryption. You must also enable audit logencryption using either--auditEncryptionKeyUID or--auditLocalKeyFile.

--auditCompressionMode can be set to one of these values:

Value	Description
`zstd`	Use thezstd algorithm to compress the audit log.
`none`(default)	Do not compress the audit log.

Note

Available only inMongoDB Enterprise.MongoDB Enterprise and Atlas have different configurationrequirements.

--auditDestination

Enablesauditing and specifies wheremongod sends all audit events.

--auditDestination can have one of the following values:

Value	Description
`syslog`	Output the audit events to syslog in JSON format. Not available onWindows. Audit messages have a syslog severity level of`info`and a facility level of`user`. The syslog message limit can result in the truncation ofaudit messages. The auditing system neither detects thetruncation nor errors upon its occurrence.
`console`	Output the audit events to`stdout` in JSON format.
`file`	Output the audit events to the file specified in`--auditPath` in the format specified in`--auditFormat`.

Note

Available only inMongoDB EnterpriseandMongoDB Atlas.

--auditEncryptionKeyUID

New in version 6.0.

Specifies the unique identifier of the Key ManagementInteroperability Protocol (KMIP) key foraudit log encryption.

You cannot use--auditEncryptionKeyUID and--auditLocalKeyFile together.

Note

Available only inMongoDB Enterprise.MongoDB Enterprise and Atlas have different configurationrequirements.

--auditFormat

Specifies the format of the output file forauditing if--auditDestination isfile. The--auditFormat option can have one of the following values:

Value	Description
`JSON`	Output the audit events in JSON format to the file specifiedin`--auditPath`.
`BSON`	Output the audit events in BSON binary format to the filespecified in`--auditPath`.

Printing audit events to a file in JSON format degrades serverperformance more than printing to a file in BSON format.

Note

Available only inMongoDB EnterpriseandMongoDB Atlas.

--auditLocalKeyFile

New in version 5.3.

Specifies the path and file name for a local audit key file foraudit log encryption.

Note

Only use--auditLocalKeyFile for testing because the key isnot secured. To secure the key, use--auditEncryptionKeyUID and an external KeyManagement Interoperability Protocol (KMIP) server.

You cannot use--auditLocalKeyFile and--auditEncryptionKeyUID together.

Note

Available only inMongoDB Enterprise.MongoDB Enterprise and Atlas have different configurationrequirements.

--auditPath: Specifies the output file for auditing if--auditDestination has value offile. The--auditPath option can take either a full path name or arelative path name.
Note
Available only inMongoDB EnterpriseandMongoDB Atlas.

--auditFilter

Specifies the filter to limit thetypes of operations theaudit system records. The option takes a string representationof a query document of the form:

{ <field1>: <expression1>, ... }

The<field> can beany field in the audit message, including fields returned in theparam document. The<expression> is aquery condition expression.

To specify an audit filter, enclose the filter document in singlequotes to pass the document as a string.

To specify the audit filter in aconfiguration file, you must use the YAML formatof the configuration file.

Note

Available only inMongoDB EnterpriseandMongoDB Atlas.

--auditSchema

Default:mongo

New in version 8.0.

Specifies the format used for audit logs. You can specify one of thefollowing values for--auditSchema:

Value	Description
`mongo`	Logs are written in a format designed by MongoDB. For example log messages, seemongo Schema Audit Messages.
`OCSF`	Logs are written inOCSF format. This option provides logs in a standardizedformat compatible with log processors. For example log messages, seeOCSF Schema Audit Messages.

inMemory Options

--inMemorySizeGB <float>

Default: 50% of physical RAM minus 1 GB.

Maximum amount of memory to allocate for thein-memory storageengine data, including indexes, the oplog (if themongod is part of a replica set), shardedcluster metadata, etc.

Values can range from 256MB to 10TB and can be a float.

By default, the in-memory storage engine uses 50% of physical RAM minus1 GB.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

Encryption Key Management Options

--enableEncryption

Default: false

Enables encryption for the WiredTiger storage engine. This optionmust be enabled in order to pass in encryption keys andconfigurations.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

--encryptionCipherMode <string>

Default: AES256-CBC

The cipher mode to use for encryption at rest:

Mode	Description
`AES256-CBC`	256-bit Advanced Encryption Standard in Cipher Block Chaining Mode
`AES256-GCM`	256-bit Advanced Encryption Standard in Galois/Counter Mode Available only on Linux. MongoDB Enterprise on Windows no longer supports`AES256-GCM` as ablock cipher for encryption at rest. This usage is only supported on Linux.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

--encryptionKeyFile <string>

The path to the local keyfile when managing keys via processotherthan KMIP. Only set when managing keys via process other than KMIP.If data is already encrypted using KMIP, MongoDB throws an error.

The keyfile can contain only a single key. The key is either a 16 or32 character string.

Requires--enableEncryption.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

--kmipKeyIdentifier <string>

Unique KMIP identifier for an existing key within the KMIP server.Include to use the key associated with the identifier as the systemkey. You can only use the setting the first time you enableencryption for themongod instance. Requires--enableEncryption.

If unspecified, MongoDB requests that the KMIP server create anew key to utilize as the system key.

If the KMIP server cannot locate a key with the specified identifieror the data is already encrypted with a key, MongoDB throws anerror

Note

Enterprise Feature

Available in MongoDB Enterprise only.

--kmipRotateMasterKey <boolean>

Default: false

If true, rotate the master key and re-encrypt the internalkeystore.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

Tip

KMIP Master Key Rotation

--kmipServerName <string>

Hostname or IP address of the KMIP server to connect to. Requires--enableEncryption.

You can specify multiple KMIP servers as a comma-separated list, for example:server1.example.com,server2.example.com. On startup, themongod attempts to establish a connection to eachserver in the order listed, and selects the first server towhich it can successfully establish a connection. KMIP serverselection occurs only at startup.

When connecting to a KMIP server, themongodverifies that the specified--kmipServerName matches theSubject Alternative NameSAN (or, ifSAN is not present, theCommon NameCN) in the certificate presented by the KMIP server.IfSAN is present,mongod does not match againsttheCN. If the hostname does not match theSAN (orCN),themongod fails to connect.

Starting in MongoDB 4.2, when performing comparison of SAN, MongoDBsupports comparison of DNS names or IP addresses. In previous versions,MongoDB only supports comparisons of DNS names.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

--kmipPort <number>

Default: 5696

Port number to use to communicate with the KMIP server.Requires--kmipServerName. Requires--enableEncryption.

If specifying multiple KMIP servers with--kmipServerName,themongod uses the port specified with--kmipPort for all provided KMIP servers.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

--kmipConnectRetries <number>

Default: 0

How many times to retry the initial connection to the KMIP server.Use together with--kmipConnectTimeoutMS tocontrol how long themongod waits for a responsebetween each retry.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

--kmipConnectTimeoutMS <number>

Default: 5000

Timeout in milliseconds to wait for a response from the KMIP server.If the--kmipConnectRetries setting is specified,themongod waits for the specified interval between retries.

Value must be1000 or greater.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

--kmipClientCertificateSelector <string>

New in version 5.0: Available on Windows and macOS as an alternative to--kmipClientCertificateFile.

--kmipClientCertificateFile and--kmipClientCertificateSelector options are mutually exclusive. You can onlyspecify one.

Specifies a certificate property in order to select a matchingcertificate from the operating system's certificate store toauthenticate MongoDB to the KMIP server.

--kmipClientCertificateSelector accepts an argument of the format<property>=<value>where the property can be one of the following:

Property	Value type	Description
`subject`	ASCII string	Subject name or common name on certificate
`thumbprint`	hex string	A sequence of bytes, expressed as hexadecimal, used toidentify a public key by its SHA-1 digest. The`thumbprint` is sometimes referred to as a`fingerprint`.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

--kmipClientCertificateFile <string>

Path to the.pem file used to authenticate MongoDB to the KMIPserver. The specified.pem file must contain both the TLS/SSLcertificate and key.

To use this option, you must also specify the--kmipServerName option.

Important

Enabling encryption using a KMIP server on Windows fails when using--kmipClientCertificateFile and the KMIP server enforces TLS 1.2.

To enable encryption at rest with KMIP on Windows, you must:

Import the client certificate into the Windows Certificate Store.
Use the--kmipClientCertificateSelector option.

Note

On macOS or Windows, you can use a certificatefrom the operating system's secure store instead of a PEM keyfile. See--kmipClientCertificateSelector.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

--kmipClientCertificatePassword <string>: The password to decrypt the Private Key of the Client Certificate thatconnects to the KMIP server. This option authenticatesMongoDB to the KMIP server and requires that you provide a--kmipClientCertificateFile.
Note
Enterprise Feature
Available in MongoDB Enterprise only.

--kmipServerCAFile <string>: Path to CA File. Used for validating secure client connection toKMIP server.
Note
On macOS or Windows, you can use a certificatefrom the operating system's secure store instead of a PEM keyfile. See--kmipClientCertificateSelector. When using the securestore, you do not need to, but can, also specify the--kmipServerCAFile.

--kmipActivateKeys <boolean>

Default: true

New in version 5.3.

Activates all newly created KMIP keys upon creation and then periodicallychecks those keys are in an active state.

When--kmipActivateKeys istrue and you have existing keys on aKMIP server, the key must be activated first or themongodnode fails to start.

If the key being used by the mongod transitions into a non-active state,themongod node shuts down unlesskmipActivateKeys isfalse. To ensure you have an active key, rotate the KMIP master key byusing--kmipRotateMasterKey.

--kmipKeyStatePollingSeconds <integer>

Default: 900 seconds

New in version 5.3.

Frequency in seconds at whichmongod polls the KMIP server foractive keys.

To disable disable polling, set the value to-1.

--kmipUseLegacyProtocol <boolean>

Default: false

New in version 7.0: (and 6.0.6)

Whentrue,mongod uses KMIP protocol version 1.0 or 1.1 insteadof the default version. The default KMIP protocol is version 1.2.

To useaudit log encryptionwith KMIP version 1.0 or 1.1, you must specifyauditEncryptKeyWithKMIPGet at startup.

--eseDatabaseKeyRollover

Roll over theencrypted storage engine database keys configured withAES256-GCM cipher.

Whenmongod instance is started with this option, theinstance rotates the keys and exits.

Note

Enterprise Feature

Available in MongoDB Enterprise only.

Back

MongoDB Package Components

mongos

Movatterモバイル変換

mongod

Synopsis

Tip

Note

Compatibility

Note

Considerations

Options

Core Options

Example

localhost,/tmp/mongod.sock

Example

localhost, 2001:0DB8:e132:ba26:0d5c:2774:e7f9:d513

Note

Example

localhost,fe80::a00:27ff:fee0:1fcf%enp0s3

Important

Warning

Note

Warning

Note

Important

Warning

Important

Note

Important

Warning

Note

Linux

Note

macOS

Warning

Note

Warning

Tip

Note

Note

LDAP Authentication or Authorization Options

Note

Note

Note

Note

Warning

Note

Example

Important

You must pass the array to --ldapUserToDNMapping as a string.

Example

Note

Storage Options

Tip

Warning

WiredTiger Options

Note

Note

Note

Note

Replication Options

Note

Warning

Sharded Cluster Options

Important

Important

TLS Options

Tip

See:

Important

Important

Note

Note

Note

Important

Note

Note

Tip

Note

Profiler Options

Warning

Tip

`mongod`