Systemctl start mongod keyFile Permission denied

Ops and Admin
1

I am trying to add security in /etc/mongo.conf. After I added keyFile in con, systemctl can’t start mongod anymore and generate permission denied error in the log. However, it works at commend line under root user

mongod --keyFile /usr/share/mongodb/certs/authkeyfile.pem --dbpath /var/lib/mongo

Here are some details,

  1. Server: self-hosted on Rocky Linux release 8.6 (Green Obsidian)
  2. mongod --version
db version v5.0.9
Build Info: {
    "version": "5.0.9",
    "gitVersion": "6f7dae919422dcd7f4892c10ff20cdc721ad00e6",
    "openSSLVersion": "OpenSSL 1.1.1k  FIPS 25 Mar 2021",
    "modules": [],
    "allocator": "tcmalloc",
    "environment": {
        "distmod": "rhel80",
        "distarch": "x86_64",
        "target_arch": "x86_64"
    }
}
  1. /etc/mongod.conf
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true

processManagement:
  fork: true  
  pidFilePath: /var/run/mongodb/mongod.pid 
  timeZoneInfo: /usr/share/zoneinfo

net:
  port: 27017
  bindIp: localhost,127.0.0.1  
  net.bindIpAll setting.
  bindIpAll: true

security:
  authorization: enabled
  keyFile: /usr/share/mongodb/certs/authkeyfile.pem

replication:
   replSetName: "rs0"
  1. run systemctl start mongod, error tail -f /var/log/mongodb/mongod.log
{"t":{"$date":"2022-10-17T09:24:22.878+01:00"},"s":"I",  "c":"ACCESS",   "id":20254,   "ctx":"main","msg":"Read security file failed","attr":{"error":{"code":30,"codeName":"InvalidPath","errmsg":"Error reading file /usr/share/mongodb/certs/authkeyfile.pem: Permission denied"}}}
  1. keyfile permission
ls -lahZ /usr/share/mongodb/certs/authkeyfile.pem
-r--------. 1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 1.0K Oct 15 20:35 /usr/share/mongodb/certs/authkeyfile.pem
  1. It works fine when I run following commend under root
mongod --keyFile /usr/share/mongodb/certs/authkeyfile.pem --dbpath /var/lib/mongo

My question is why systemctl can’t work, since all keyfile permissions are in place.

Thanks

2

Please share the log file.

The extract you supplied is an informational message (marked as “s”:“I”) and probably not the reason why it does fail with systemctl.

Since it works starting as root, I suspect that you might have other files/directories that are now owned by root and cannot be modified/deleted by mongod user.

Share the output of

ls -al /var/lib/mongo/
ls -al /var/run/mongodb/
ls -al /tmp/mongodb-*
ps -aef | grep [m]ongo
ss -tlnp

How do you terminate mongod that was started as root?

I suspect that the following might cause some error

The line net.bindIfAll setting. seems out of place.

1 Like
3

Thanks for replying Steeve, the net.BindIPAll settings is ok, I actually missed a comment line when I copy and paste here.

I still don’t know where the problem is, and I end up with re-install the rocky linux system and did the same configuration again, and it works fine now.

1 Like