Systemctl start mongod keyFile Permission denied

I am trying to add security in /etc/mongod.conf. After I added keyFile in the conf, systemctl can’t start mongod anymore and generates a permission denied error in the log. However, it works at the command line under the root user:

mongod --keyFile /usr/share/mongodb/certs/authkeyfile.pem --dbpath /var/lib/mongo

Here are some details,

  1. Server: self-hosted on Rocky Linux release 8.6 (Green Obsidian)
  2. mongod --version
db version v5.0.9
Build Info: {
    "version": "5.0.9",
    "gitVersion": "6f7dae919422dcd7f4892c10ff20cdc721ad00e6",
    "openSSLVersion": "OpenSSL 1.1.1k  FIPS 25 Mar 2021",
    "modules": [],
    "allocator": "tcmalloc",
    "environment": {
        "distmod": "rhel80",
        "distarch": "x86_64",
        "target_arch": "x86_64"
    }
}
  3. /etc/mongod.conf
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true

processManagement:
  fork: true
  pidFilePath: /var/run/mongodb/mongod.pid
  timeZoneInfo: /usr/share/zoneinfo

net:
  port: 27017
  bindIp: localhost,127.0.0.1
  net.bindIpAll setting.
  bindIpAll: true

security:
  authorization: enabled
  keyFile: /usr/share/mongodb/certs/authkeyfile.pem

replication:
   replSetName: "rs0"
  4. Run systemctl start mongod; the error from tail -f /var/log/mongodb/mongod.log:
{"t":{"$date":"2022-10-17T09:24:22.878+01:00"},"s":"I",  "c":"ACCESS",   "id":20254,   "ctx":"main","msg":"Read security file failed","attr":{"error":{"code":30,"codeName":"InvalidPath","errmsg":"Error reading file /usr/share/mongodb/certs/authkeyfile.pem: Permission denied"}}}
  5. Keyfile permissions
ls -lahZ /usr/share/mongodb/certs/authkeyfile.pem
-r--------. 1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 1.0K Oct 15 20:35 /usr/share/mongodb/certs/authkeyfile.pem
  6. It works fine when I run the following command under root:
mongod --keyFile /usr/share/mongodb/certs/authkeyfile.pem --dbpath /var/lib/mongo

My question is why systemctl can’t work, since all keyfile permissions are in place.

Thanks

Please share the log file.

The extract you supplied is an informational message (marked as "s":"I") and probably not the reason why it does fail with systemctl.

Since it works starting as root, I suspect that you might have other files/directories that are now owned by root and cannot be modified/deleted by mongod user.

Share the output of

ls -al /var/lib/mongo/
ls -al /var/run/mongodb/
ls -al /tmp/mongodb-*
ps -aef | grep [m]ongo
ss -tlnp

How do you terminate mongod that was started as root?

I suspect that the following might cause some error

The line net.bindIpAll setting. seems out of place.

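As an added example (not code from either post), a shell preflight that covers the checks discussed in this thread: the key file's owner and mode from the question, the ownership of the dbPath and pid directories that the reply asks about, and the search (x) bit on every parent directory of the key file, which the ls -l output above does not show and which root bypasses. The key path, the mongod user and the test data are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: preflight checks for a mongod keyFile before
# `systemctl start mongod`. Assumes Linux `stat -c`; paths and the user are assumptions.
# can_traverse DIR USER: does USER have the search (x) bit on DIR? Owner, group, others.
can_traverse() {
  local dir="$1" user="$2" mode uid g
  uid=$(id -u "$user" 2>/dev/null) || return 1
  [ "$uid" -eq 0 ] && return 0
  mode=$(( $(stat -c '%a' "$dir") % 1000 ))   # keep the rwx digits only
  [ "$(stat -c '%u' "$dir")" = "$uid" ] && { [ $(( mode / 100 & 1 )) -eq 1 ]; return $?; }
  for g in $(id -G "$user"); do
    [ "$g" = "$(stat -c '%g' "$dir")" ] && { [ $(( mode / 10 % 10 & 1 )) -eq 1 ]; return $?; }
  done
  [ $(( mode & 1 )) -eq 1 ]
}

# check_keyfile KEY USER: owner, owner-only mode, and traversable parent dirs.
# Prints one FAIL line per finding; returns 0 only if everything passes.
check_keyfile() {
  local key="$1" user="${2:-mongod}" rc=0 mode uid dir
  [ -f "$key" ] || { echo "FAIL: $key does not exist"; return 1; }
  uid=$(id -u "$user" 2>/dev/null) || { echo "FAIL: no such user $user"; return 1; }
  [ "$(stat -c '%u' "$key")" = "$uid" ] ||
    { echo "FAIL: $key owned by $(stat -c '%U' "$key"), expected $user"; rc=1; }
  mode=$(( $(stat -c '%a' "$key") % 1000 ))
  # mongod rejects a key file with any group/other bits and needs owner read.
  if [ $(( mode % 100 )) -ne 0 ] || [ $(( mode / 100 & 4 )) -eq 0 ]; then
    echo "FAIL: $key mode $mode, expected 400 or 600"; rc=1
  fi
  # A parent without the x bit for USER gives "Permission denied" even when the
  # file itself is correct; root bypasses this, which is why a manual run works.
  dir=$(dirname "$key")
  while [ "$dir" != "/" ]; do
    can_traverse "$dir" "$user" || { echo "FAIL: $user cannot traverse $dir"; rc=1; }
    dir=$(dirname "$dir")
  done
  return $rc
}

# check_owned_by DIR USER: lists entries under DIR not owned by USER (root-owned
# leftovers from a manual `mongod` run are the usual culprits); returns 1 if any.
check_owned_by() {
  local dir="$1" user="$2" bad
  [ -d "$dir" ] || return 0
  bad=$(find "$dir" ! -user "$user" 2>/dev/null) || { echo "FAIL: cannot check $dir"; return 1; }
  [ -z "$bad" ] || { printf 'FAIL: not owned by %s:\n%s\n' "$user" "$bad"; return 1; }
}
# On the server from the post, as root:
#   check_keyfile /usr/share/mongodb/certs/authkeyfile.pem mongod
#   for d in /var/lib/mongo /var/run/mongodb; do check_owned_by "$d" mongod; done
```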

Thanks for replying Steeve. The net.bindIpAll setting is OK; I actually missed a comment line when I copied and pasted here.

I still don’t know where the problem is, and I ended up reinstalling the Rocky Linux system and doing the same configuration again, and it works fine now.
