MongoDB & Backups Guide
Complete guide to the MongoDB database and backup system for UnderstandTech deployments.
Table of Contents
Architecture Overview
Connecting to MongoDB
Backup System
Restore Procedures
Maintenance Operations
Troubleshooting
1. Architecture Overview
Services
The MongoDB deployment uses a separation-of-concerns architecture built around two specialized containers working together. The first container runs MongoDB itself—the actual database engine that stores and serves your application data. The second container handles backup operations on a schedule, keeping your data safe without requiring manual intervention. By separating these responsibilities, we can restart or update the backup system without touching the database, and vice versa. This separation also means each container can be monitored, scaled, and configured independently.
┌─────────────────────────────────────────────────┐
│ │
│ ┌────────────┐ ┌──────────────────┐ │
│ │ MongoDB │◄────────│ MongoDB Backup │ │
│ │ :27017 │ │ (tiredofit) │ │
│ └─────┬──────┘ └──────────────────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌────────────┐ ┌──────────────────┐ │
│ │ mongodb- │ │ mongodb- │ │
│ │ data │ │ backups │ │
│ │ (volume) │ │ (volume) │ │
│ └────────────┘ └──────────────────┘ │
│ │
└─────────────────────────────────────────────────┘MongoDB Container (ut-mongodb)
This container runs the official MongoDB 8.2 server image, which represents the latest stable release with improvements in query performance, security, and operational features. The version choice matters because MongoDB makes backward-incompatible changes between major versions, so knowing which version you're running helps when consulting documentation or troubleshooting issues.
Image: mongo:8.2
Port: 127.0.0.1:27017 (localhost only, for security)
Storage: ut-mongodb-data volume → /data/db
Health Check: mongosh ping command every 30s
Resources: 4GB memory limit, 2 CPU cores
Backup Container (ut-mongodb-backup)
This container runs a specialized backup tool from tiredofit that handles the mechanical work of creating database backups on a schedule. The tool connects to the MongoDB container over the Docker network, exports the database contents using MongoDB's native mongodump utility, compresses the resulting backup file with gzip, and stores it in a separate volume.
The backup schedule defaults to running daily at 02:00 UTC (2 AM), which you can configure through environment variables.
Image: tiredofit/db-backup:latest
Backup Storage: ut-mongodb-backups volume → /backup
Schedule: Daily at 02:00 (configurable via BACKUP_BEGIN)
Retention: 30 days (configurable via CLEANUP_TIME)
Format: Gzipped MongoDB archives (.archive.gz)
Data Persistance
Two critical volumes store all persistent data for this deployment:
The ut-mongodb-data volume holds the live database files. This is where MongoDB stores your actual data: collections, documents, indexes, and all the metadata it needs to run. The volume lives at /var/lib/docker/volumes/ut-mongodb-data/_data/ on the host filesystem, though you rarely need to access it directly. MongoDB manages these files in a binary format optimized for performance, which is why you interact with the data through MongoDB's query language rather than by looking at the files themselves.
The ut-mongodb-backups volume stores the backup archives created by the backup container. Each backup is a complete snapshot of your database at a specific point in time, compressed into a single .archive.gz file. These backups live at /var/lib/docker/volumes/ut-mongodb-backups/_data/ and can be browsed directly from the host system. Unlike the live database volume, backup files are designed to be human-readable (when decompressed) and portable - you can copy them to other systems, archive them to cloud storage, or restore them to a completely different MongoDB installation.
ut-mongodb-data
/data/db
Live database files
Yes (automated)
ut-mongodb-backups
/backup
Backup archives
Optional (offsite copies)
Configuration
The MongoDB stack is configured entirely through environment variables stored in your .env file.
2. Connecting to MongoDB
MongoDB's network access is intentionally restricted for security. By default, the container only exposes port 27017 to the internal Docker network (ut-backend-network), making it accessible only to other containers in the stack. This isolation prevents unauthorized external access while allowing your application services to communicate with the database.
A. From the Host (DGX System)
By default, MongoDB is not accessible from the host system. The compose file uses expose: "27017" rather than ports, which means the port is only available within the Docker network.
To connect from the host, you need to temporarily modify the compose file:
Edit compose.yaml
Find the mongodb service and change:
To:
The 127.0.0.1: prefix binds the port only to localhost, preventing network-wide exposure.
Restart MongoDB
Connect from host
Revert when done (recommended for security)
Change the compose file back to expose: - "27017" and restart:
B. From a Remote Machine (MongoDB Compass)
Why MongoDB Compass?
MongoDB Compass is the official graphical user interface for MongoDB. It provides a visual way to explore your data, run queries, analyze performance, and manage your database without writing commands. This is especially useful when you need to:
Browse collections and documents visually
Debug data issues by inspecting actual database contents
Build and test queries with a visual query builder
Monitor database performance and index usage
Perform administrative tasks through a user-friendly interface
Since the DGX Spark runs ARM64 architecture and Compass doesn't have an ARM-native Linux build, you'll need to connect from a separate machine (like your Mac, Windows PC, or x86 Linux workstation).
Connection Requirements
Because MongoDB isn't exposed to the network by default, you have two options for remote access:
SSH tunnel (recommended - secure, no compose changes needed)
Temporary network exposure (testing only - requires compose file changes)
We'll cover SSH tunneling first since it's the most secure approach.
Prerequisites: SSH Access Setup
Before you can create an SSH tunnel, you need SSH access to the DGX system. If you haven't already set this up, follow these steps:
On your remote machine (Mac/Windows/Linux):
Generate an SSH key pair (skip if you already have one):
Press Enter to accept the default location (~/.ssh/id_ed25519), and optionally set a passphrase for added security.
Copy your public key to the DGX:
Test SSH connection:
You should be able to log in without being prompted for a password (unless you set a key passphrase). Type exit to close the session.
On Windows (if ssh-copy-id isn't available):
Windows 10/11 includes OpenSSH, but ssh-copy-id may not be available. Instead:
Troubleshooting SSH Access:
"Permission denied (publickey)": Your key isn't in the DGX's authorized_keys file. Repeat step 2 above.
"Host key verification failed": The DGX's SSH fingerprint changed (e.g., after OS reinstall). Run ssh-keygen -R understand.local and try again.
Connection timeout: Check network connectivity. Can you ping the DGX? ping understand.local
Once SSH access is working, you can proceed with the tunnel setup.
Option 1: SSH Tunnel (Recommended - Most Secure)
An SSH tunnel creates an encrypted connection between your local machine and the DGX, forwarding network traffic through this secure channel. This method is ideal because it keeps MongoDB unexposed and encrypts all traffic.
Step 1: Set up the SSH tunnel
On your remote machine (Mac, Windows, Linux), open a terminal and run:
Lags explained:
-L 27017:localhost:27017 - Forward local port 27017 to remote port 27017
-N - Don't open a shell, just keep the tunnel open
Keep this terminal window open while you're using Compass
Connect MongoDB Compass
With the tunnel running, configure Compass with these settings:
Connection String
mongodb://localhost:27017 (or :27018 if you changed the port)
Username
mongoadmin
Password
(your MONGODB_PASSWORD)
Authentication Database
admin
Authentication Method
Username/Password
Or use the full connection string:
Test the connection
Click "Connect" in Compass. You should see your databases:
admin - MongoDB system database
ut-db - Your application database
config, local - MongoDB internal databases
Option 2: Temporary Direct Access (Testing Only)
Only use this for temporary testing. It exposes MongoDB to your network.
This method requires modifying the compose file to expose MongoDB's port to the network. Use this only for quick testing when you can't set up an SSH tunnel.
Modify the compose file to expose MongoDB
Edit compose.yaml and find the mongodb service. Change the port configuration:
Understanding the port binding options:
expose: - "27017" - Only accessible within Docker network (default, most secure)
ports: - "127.0.0.1:27017:27017" - Accessible from DGX host only (requires SSH tunnel from remote)
ports: - "27017:27017" - Accessible from entire network (least secure, use with caution)
Restart MongoDB
Verify the port is now exposed:
Connect from Compass
If you used ports: - "27017:27017" (all interfaces), connect directly using the DGX's hostname
If you used ports: - "127.0.0.1:27017:27017" (localhost only), you still need an SSH tunnel as described in Option 1, but now the tunnel will work because MongoDB is listening on the host.
Revert the change when done
IMPORTANT: Change the compose file back to the original configuration:
mongodb:
expose:
- "27017"
Then restart MongoDB:
Verify the port is no longer exposed:
Troubleshooting SSH Tunnel Connections
"Address already in use" error
Port 27017 is already in use on your local machine (probably local MongoDB). Use a different port:
Then connect Compass to localhost:27018.
"Connection refused" error
Verify MongoDB is running on the DGX:
Verify it's listening on localhost:
Verify the port mapping
3. Backup System
The backup system uses the tiredofit/db-backup container, which provides automated MongoDB backups with built-in scheduling, compression, and retention management.
Backup Schedule
Backups run automatically based on your configuration:
Backup timing:
First backup runs at BACKUP_BEGIN time
Subsequent backups run every BACKUP_INTERVAL minutes
Old backups are automatically deleted after CLEANUP_TIME
Backup Storage
Backups are stored in the ut-mongodb-backups Docker volume:
Backup filename format:
Manual Backup Operations
Backup Configuration
To modify backup behavior, edit the compose.yaml file under the mongodb-backup service:
After changes, restart the backup container:
Backup Best Practices
Monitor backup logs:
Copy backups offsite regularly:
Set up a cron job to copy backups to NAS/cloud storage
Keep at least 3 backup copies in different locations (3-2-1 rule)
Test restores periodically
Verify you can actually restore from backups
Test at least monthly, or before major changes
Check disk space:
Document your backup schedule:
Record the backup time in your runbook
Note the retention period
Document where offsite copies are stored
4. Restore Procedures
There are two methods to restore MongoDB backups: interactive CLI (easier for beginners) and manual commands (more control for advanced users).
Prerequisites for Any Restore
MongoDB must be running and healthy:
Identify the backup to restore:
Stop application services (prevents data inconsistency):
Method 1: Interactive Restore (Recommended for Most Users)
The backup container includes an interactive restore wizard that guides you through the process.
Start the interactive restore
Select backup file
Type the number of the backup you want to restore.
Select database type
Press Enter to accept the default (F - parsed from filename).
Select hostname
Press Enter to accept the default (E - environment variable).
Select database name
Press Enter to accept the default (F).
Select database user
Type e and press Enter.
Select database password
Press Enter to accept the default (E).
Select database port
Press Enter to accept the default (E).
Confirm drop existing data
Type y for a clean restore (recommended - replaces all data)
Type n to merge with existing data (may cause conflicts)
Verify restore completion
Look for the final line showing successful document count and zero failures.
Restart application services
Method 2: Manual Restore (Advanced Users)
Use direct mongorestore commands for more control over the restore process.
Standard Restore (Drop and Replace)
Flags explained:
--host mongodb - Connect to MongoDB container
--port 27017 - MongoDB port
-u mongoadmin / -p <password> - Authentication credentials
--authenticationDatabase admin - Auth against admin database
--archive=<file> - Backup file to restore
--gzip - Decompress gzipped backup
--drop - Drop existing collections before restoring (clean restore)
Selective Restore (Specific Database)
The --nsInclude="ut-db.*" flag restores only the ut-db database, ignoring others in the backup.
Selective Restore (Specific Collection)
Restores only the users collection from the ut-db database.
Merge Restore (Without Drop)
Removes the --drop flag to merge backup data with existing data. Warning: This can cause conflicts if documents with the same _id exist.
Dry Run (Test Without Restoring)
Tests the restore process without actually modifying data. Use this to verify the backup is valid.
Disaster Recovery: Full System Restore
If you need to restore from scratch after a complete failure:
Stop all services
Remove old MongoDB data (if corrupted)
Start only MongoDB (it will initialize empty)
Wait for MongoDB to be healthy
Start backup container
Restore using either method above
Interactive:
Or manual:
Start remaining services
Verify application functionality
5. Maintenance Operations
Viewing Database Statistics
Monitoring Database Size
Compacting Database (Reclaim Space)
After deleting large amounts of data:
Replace collection_name with the actual collection name.
Changing MongoDB Password
Step 1: Update password in MongoDB
Step 2: Update .env file
Step 3: Restart services that use MongoDB
Exporting Specific Data
For ad-hoc exports or data migration:
6. Troubleshooting
Common Issues and Solutions
MongoDB Container Won't Start
Symptom: Container exits immediately or repeatedly restarts
Diagnosis:
Common causes:
Incorrect credentials in environment variables:
Check MONGODB_USERNAME and MONGODB_PASSWORD in .env
Ensure no special characters cause shell parsing issues
Corrupted data volume:
Insufficient resources:
Check available memory: free -h
Check disk space: df -h
Reduce MongoDB memory limits in compose.yaml if needed
Health Check Failing
Symptom: Container shows "unhealthy" status
Diagnosis:
Common causes:
MongoDB still starting up:
First startup takes 30-60 seconds
Check logs: docker logs ut-mongodb
Wait for "Waiting for connections" message
Authentication issues:
Backup Container Errors
Symptom: Backups not appearing or restore failing
Diagnosis:
Common causes:
Connection to MongoDB failed:
Verify MongoDB is healthy: docker compose ps mongodb
Check network: docker network inspect ut-backend-network
Test connection:
Incorrect environment variables:
Disk space full:
Restore Fails with Authentication Error
Symptom: Authentication failed during restore
Causes and solutions:
Wrong credentials:
Verify credentials in .env file
Test connection manually:
Backup container can't reach MongoDB:
Check both containers are on the same network:
Use manual restore as workaround:
Connection Timeout from Application
Symptom: API or workers can't connect to MongoDB
Diagnosis:
Solutions:
Verify connection string format:
Check network connectivity:
Restart dependent services:
SSH Tunnel Connection Problems
See the Troubleshooting SSH Tunnel Connections section under "Connecting to MongoDB."
Getting Help
If you encounter issues not covered here:
Check container logs:
Check system resources:
Verify network connectivity:
Review backup container documentation:
Contact your system administrator with:
Error messages from logs
Steps you've already tried
Output from diagnostic commands above
Quick Reference
Common Commands
Important Files and Directories
Compose file
compose.yaml
Service definitions
Environment
.env
Credentials and config
MongoDB data
/var/lib/docker/volumes/ut-mongodb-data/_data/
Live database
Backup archives
/var/lib/docker/volumes/ut-mongodb-backups/_data/
Backup files
Container logs
View with docker logs <container>
Troubleshooting
Default Settings
MongoDB Version
8.2
See compose.yaml
Backup Time
15:20 (3:20 PM)
BACKUP_BEGIN=1520
Backup Frequency
Daily
BACKUP_INTERVAL=1440
Backup Retention
30 days
CLEANUP_TIME=43200
Compression
Gzip (level 6)
GZ format
Port
127.0.0.1:27017
Localhost only
Auth Database
admin
Required for auth
Security Best Practices
Strong passwords:
Use at least 16 characters with mixed case, numbers, and symbols
Change default password immediately after deployment
Store credentials securely (password manager, secrets vault)
Network isolation:
Keep MongoDB on localhost-only binding (127.0.0.1:27017)
Use SSH tunnels for remote access, not direct port exposure
Internal Docker networks provide isolation between services
Backup security:
Store backup archives in encrypted storage for offsite copies
Restrict access to backup volume/directory
Test restore procedures regularly to ensure backups work
Access control:
Use separate MongoDB users for different services (not just mongoadmin)
Grant minimum required privileges per user
Rotate credentials periodically (e.g., every 90 days)
Monitoring:
Review MongoDB logs regularly for unusual activity
Set up alerts for failed authentication attempts
Monitor disk usage to prevent backup volume from filling
Updates:
Keep MongoDB container image updated for security patches
Review backup container updates from tiredofit repository
Test updates in non-production environment first
Additional Resources
MongoDB Official Documentation: https://www.mongodb.com/docs/manual/
MongoDB Backup Guide: https://www.mongodb.com/docs/manual/core/backups/
tiredofit/docker-db-backup: https://github.com/tiredofit/docker-db-backup
MongoDB Compass Download: https://www.mongodb.com/products/compass
UnderstandTech Main README: See README.md in repository root
Last updated