Error reading file /etc/mongodb/keys/mongo-key: Permission denied

Ops and Admin
1

Hi
I’m trying to setup a replication between 2 mongodb servers, one of the steps is to generate and share keys between mongo servers.
I did below steps

mkdir -p /etc/mongodb/keyFiles/

openssl rand -base64 756 > /etc/mongodb/keyFiles/mongo-key

chmod 400 /etc/mongodb/keyFiles/mongo-key

chown -R mongodb:mongodb /etc/mongodb

then I add below lines in /etc/mongod.conf

On node 1 => mongoDb-01

network interfaces

net:
port: 27017
bindIp: 10.0.0.11
#security:
security:
authorization: enabled
keyFile: /etc/mongodb/keyFile/mongo-key
#replication:
replication:
replSetName: " replicaset01 "

When I try to start the mongodb server, I get below error
+++++++++++++++++++++++++++++++++++
{“t”:{"$date":“2022-06-28T13:41:59.650+04:00”},“s”:“I”, “c”:“CONTROL”, “id”:20698, “ctx”:"-",“msg”:"***** SERVER RESTARTED *****"}
{“t”:{"$date":“2022-06-28T13:41:59.651+04:00”},“s”:“I”, “c”:“NETWORK”, “id”:4915701, “ctx”:"-",“msg”:“Initialized wire specification”,“attr”:{“spec”:{“incomingExternalClient”:{“minWireVersion”:0,“maxWireVersion”:13},“incomingInternalClient”:{“minWireVersion”:0,“maxWireVersion”:13},“outgoing”:{“minWireVersion”:0,“maxWireVersion”:13},“isInternalClient”:true}}}
{“t”:{"$date":“2022-06-28T13:41:59.653+04:00”},“s”:“I”, “c”:“CONTROL”, “id”:23285, “ctx”:"-",“msg”:“Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols ‘none’”}
{“t”:{"$date":“2022-06-28T13:41:59.655+04:00”},“s”:“W”, “c”:“ASIO”, “id”:22601, “ctx”:“main”,“msg”:“No TransportLayer configured during NetworkInterface startup”}
{“t”:{"$date":“2022-06-28T13:41:59.655+04:00”},“s”:“I”, “c”:“NETWORK”, “id”:4648601, “ctx”:“main”,“msg”:“Implicit TCP FastOpen unavailable. If TCP FastOpen is required, set tcpFastOpenServer, tcpFastOpenClient, and tcpFastOpenQueueSize.”}
{“t”:{"$date":“2022-06-28T13:41:59.656+04:00”},“s”:“I”, “c”:“ACCESS”, “id”:20254, “ctx”:“main”,“msg”:“Read security file failed”,“attr”:{“error”:{“code”:30,“codeName”:“InvalidPath”,“errmsg”:“Error reading file /etc/mongodb/keys/mongo-key: Permission denied”}}}
{“t”:{"$date":“2022-06-28T13:41:59.656+04:00”},“s”:“I”, “c”:“ASIO”, “id”:22582, “ctx”:“main”,“msg”:“Killing all outstanding egress activity.”}
{“t”:{"$date":“2022-06-28T13:41:59.656+04:00”},“s”:“F”, “c”:“CONTROL”, “id”:20575, “ctx”:“main”,“msg”:“Error creating service context”,“attr”:{“error”:“Location5579201: Unable to acquire security key[s]”}}
+++++++++++++++++++++++++++++++++++

Any Ideas??

2

Check the path of your keyfile in config file
Typo keyfile vs keyfiles

3

no typo. this is what I have in my mongod.conf file

#security:
security:
  authorization: enabled
  keyFile:  /etc/mongodb/keys/mongo-key
4

It says invalid path
Please your keyfile dirpath and what you mentioned in your config file should match

5

I fix the path in config file, no invalid path now. but I still have Permission denied issue

{"t":{"$date":"2022-06-28T14:38:05.459+04:00"},"s":"I",  "c":"CONTROL",  "id":20698,   "ctx":"-","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2022-06-28T14:38:05.460+04:00"},"s":"I",  "c":"CONTROL",  "id":23285,   "ctx":"-","msg":"Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'"}
{"t":{"$date":"2022-06-28T14:38:05.460+04:00"},"s":"I",  "c":"NETWORK",  "id":4915701, "ctx":"-","msg":"Initialized wire specification","attr":{"spec":{"incomingExternalClient":{"minWireVersion":0,"maxWireVersion":13},"incomingInternalClient":{"minWireVersion":0,"maxWireVersion":13},"outgoing":{"minWireVersion":0,"maxWireVersion":13},"isInternalClient":true}}}
{"t":{"$date":"2022-06-28T14:38:05.464+04:00"},"s":"W",  "c":"ASIO",     "id":22601,   "ctx":"main","msg":"No TransportLayer configured during NetworkInterface startup"}
{"t":{"$date":"2022-06-28T14:38:05.464+04:00"},"s":"I",  "c":"NETWORK",  "id":4648601, "ctx":"main","msg":"Implicit TCP FastOpen unavailable. If TCP FastOpen is required, set tcpFastOpenServer, tcpFastOpenClient, and tcpFastOpenQueueSize."}
{"t":{"$date":"2022-06-28T14:38:05.474+04:00"},"s":"I",  "c":"ACCESS",   "id":20254,   "ctx":"main","msg":"Read security file failed","attr":{"error":{"code":30,"codeName":"InvalidPath","errmsg":"Error reading file /etc/mongodb/keyFiles/mongo-key: Permission denied"}}}
{"t":{"$date":"2022-06-28T14:38:05.475+04:00"},"s":"I",  "c":"ASIO",     "id":22582,   "ctx":"main","msg":"Killing all outstanding egress activity."}
{"t":{"$date":"2022-06-28T14:38:05.475+04:00"},"s":"F",  "c":"CONTROL",  "id":20575,   "ctx":"main","msg":"Error creating service context","attr":{"error":"Location5579201: Unable to acquire security key[s]"}}
{"t":{"$date":"2022-06-28T14:38:31.980+04:00"},"s":"I",  "c":"-",        "id":4939300, "ctx":"monitoring-keys-for-HMAC","msg":"Failed to refresh key cache","attr":{"error":"NotYetInitialized: Cannot use non-local read concern until replica set is finished initializing.","nextWakeupMillis":5
6

Why would it say invalid path if your keyfile exists in that path
Did you do ls -lrt keyfile with full path?
As per your post above keyfile is at /etc/mongodb/keys but the directory you created is
/etc/mongodb/keyFiles
Please check again

7

I fixed the path issue

[root@alt06ymr ~]# ls -ltr /etc/mongodb/keyFiles/mongo-key
-rw-r–r-- 1 mongodb mongodb 1024 Jun 28 12:02 /etc/mongodb/keyFiles/mongo-key
[root@alt06ymr ~]#

[root@alt06ymr ~]# cat /etc/mongod.conf

#security:
security:
authorization: enabled
keyFile: /etc/mongodb/keyFiles/mongo-key

8

How are you starting mongod?

9

Maybe you can try changing permissions to fit mongodb needs, but by the looks it should be fine. And yeah, please state how are you starting mongod

Maybe you can try running it manually using " mongod --keyFile "

10

This is the way I’m starting my mongo service
systemctl start mongod.service

11

Could you please give me the full command to start the service using mongod --KeyFile? I’m little bit new here
Thx

12

I have posted a tutorial from Official Mongodb Docs in my previous reply, you can try following those 9 steps (if you are not bound by live server) - recreating your keyfile and then starting mongod manually using your config file and your keyFile:

mongod --keyFile <path-to-keyfile> --replSet <replicaSetName> --bind_ip localhost,<hostname(s)|ip address(es)>

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the
--bind_ip

Follow the steps 1. - 7.

13

I used this command
[root@alt06ymr ~]# mongod --keyFile /etc/mongodb/keyFiles/mongo-key --replSet replicaset01 --bind_ip 0.0.0.0

No I’m getting this

{“t”:{"$date":“2022-06-28T16:16:11.450+04:00”},“s”:“I”, “c”:"-", “id”:4939300, “ctx”:“monitoring-keys-for-HMAC”,“msg”:“Failed to refresh key cache”,“attr”:{“error”:“NotYetInitialized: Cannot use non-local read concern until replica set is finished initializing.”,“nextWakeupMillis”:4000}}

14

Hello @Ahmed_Hosni , are you planning on establishing a replica set as it is, or you are running a singleton mongodb ? In case you are using only one instance of mongodb you should not be running a mongod using “–replSet” command line argument. Instead just try running with

mongod --keyFile <path-to-keyfile>

Also, in your /etc/mongod.conf file you should check spacing, as mongod.conf file uses YAML file format and you should have properly written your configuration, again please refer to the Official Docs i have linked above.

15

Hi @Tin_Cvitkovic

I plan to use 1 primary server + 1 replica server
I did not do anything on primary server yet to not disturb the business, but I have to do the same configuration in primary server as well.
So, you tell me I can ignore starting up mongodb service using systemctl and use mongod command?

16

Yes you can! You can just enable the mongod service to be enabled at all times, and starting mongod through command line is sufficent. You should only enable the mongod.service itself:

sudo systemctl enable mongod.service

In that case, if you ask me, I would test the singleton’s auth first and make sure it’s working properly before bringing down the primary for re-config. I will be available for you, have you managed to run mongod with authentication enabled ?

17

Could you advice how to do that?
I have the server ready now and this is my mongod.conf

[root@alt06ymr ~]# cat /etc/mongod.conf

mongod.conf

for documentation of all options, see:

http://docs.mongodb.org/manual/reference/configuration-options/

where to write logging data.

systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log

Where and how to store data.

storage:
dbPath: /var/lib/mongo
journal:
enabled: true

engine:

wiredTiger:

how the process runs

processManagement:
fork: true # fork and run in background
pidFilePath: /var/run/mongodb/mongod.pid # location of pidfile
timeZoneInfo: /usr/share/zoneinfo

network interfaces

net:
port: 27017
bindIp: 0.0.0.0 # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.

#security:
security:
authorization: enabled
keyFile: /etc/mongodb/keyFiles/mongo-key

#operationProfiling:

#replication:
replication:
replSetName: “replicaset01”

#sharding:

Enterprise-Only Options

#auditLog:

#snmp:
[root@alt06ymr ~]#

18

I believe your mongod service should already be enabled , you can check it using:

sudo systemctl status mongod.service
19

[root@alt06ymr ~]# sudo systemctl status mongod.service
● mongod.service - MongoDB Database Server
Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2022-06-28 15:48:08 +04; 1h 25min ago
Docs: https://docs.mongodb.org/manual

Jun 28 15:48:08 alt06ymr systemd[1]: Starting MongoDB Database Server…
Jun 28 15:48:08 alt06ymr mongod[1214]: about to fork child process, waiting until server is ready for connections.
Jun 28 15:48:08 alt06ymr mongod[1331]: forked process: 1331
Jun 28 15:48:08 alt06ymr mongod[1214]: ERROR: child process failed, exited with 1
Jun 28 15:48:08 alt06ymr mongod[1214]: To see additional information in this output, start without the “–fork” option.
Jun 28 15:48:08 alt06ymr systemd[1]: mongod.service: Control process exited, code=exited status=1
Jun 28 15:48:08 alt06ymr systemd[1]: mongod.service: Failed with result ‘exit-code’.
Jun 28 15:48:08 alt06ymr systemd[1]: Failed to start MongoDB Database Server.
[root@alt06ymr ~]#

20

Now you can try running this on your command line.