I am trying to add security to /etc/mongod.conf. After I added keyFile to the config, systemctl can't start mongod anymore and it generates a permission denied error in the log. However, it works at the command line under the root user:
mongod --keyFile /usr/share/mongodb/certs/authkeyfile.pem --dbpath /var/lib/mongo
Here are some details:
- Server: self-hosted on Rocky Linux release 8.6 (Green Obsidian)
- mongod --version
db version v5.0.9
Build Info: {
    "version": "5.0.9",
    "gitVersion": "6f7dae919422dcd7f4892c10ff20cdc721ad00e6",
    "openSSLVersion": "OpenSSL 1.1.1k FIPS 25 Mar 2021",
    "modules": [],
    "allocator": "tcmalloc",
    "environment": {
        "distmod": "rhel80",
        "distarch": "x86_64",
        "target_arch": "x86_64"
    }
}
- /etc/mongod.conf
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true
processManagement:
  fork: true
  pidFilePath: /var/run/mongodb/mongod.pid
  timeZoneInfo: /usr/share/zoneinfo
net:
  port: 27017
  bindIp: localhost,127.0.0.1
  # net.bindIpAll setting.
  bindIpAll: true
security:
  authorization: enabled
  keyFile: /usr/share/mongodb/certs/authkeyfile.pem
replication:
  replSetName: "rs0"
- Run systemctl start mongod; the error shown by tail -f /var/log/mongodb/mongod.log:
{"t":{"$date":"2022-10-17T09:24:22.878+01:00"},"s":"I", "c":"ACCESS", "id":20254, "ctx":"main","msg":"Read security file failed","attr":{"error":{"code":30,"codeName":"InvalidPath","errmsg":"Error reading file /usr/share/mongodb/certs/authkeyfile.pem: Permission denied"}}}
- Keyfile permissions:
ls -lahZ /usr/share/mongodb/certs/authkeyfile.pem
-r--------. 1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 1.0K Oct 15 20:35 /usr/share/mongodb/certs/authkeyfile.pem
- It works fine when I run the following command under root:
mongod --keyFile /usr/share/mongodb/certs/authkeyfile.pem --dbpath /var/lib/mongo
My question is why it can't start under systemctl, since all keyfile permissions are in place.
Thanks
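A file that root can open but the service account cannot usually fails on a parent directory's traverse bit or on the file's own mode, because root bypasses DAC and the mongod user does not. The added diagnostic below (not from the original post) simulates that check for a given user over every path component of the key file and prints the SELinux label when enforcing; it assumes GNU coreutils (stat -c, id -Gn) and takes the user and path as arguments.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Walks from / down to the key
# file and checks, for a given service user, the traverse (x) bit on every
# directory and the read (r) bit on the file, the way the kernel's DAC check
# does for a non-root process. Root skips these checks, which is why a manual
# run as root can succeed while the systemd unit (running as mongod) fails.
# Assumes GNU coreutils: stat -c and id -Gn. Paths with spaces are not handled.

# perm_ok PATH USER BIT  (BIT is r or x): exit 0 if USER has that bit on PATH
perm_ok() {
    path=$1; user=$2; want=$3
    set -- $(stat -c '%A %U %G' "$path" 2>/dev/null)  # e.g. "-r-------- mongod mongod"
    sym=$1; owner=$2; group=$3
    [ -n "$sym" ] || return 1                          # path missing: treat as denied
    if [ "$user" = "$owner" ]; then
        off=0                                          # owner triplet
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        off=3                                          # group triplet
    else
        off=6                                          # other triplet
    fi
    case $want in r) idx=$((2 + off)) ;; x) idx=$((4 + off)) ;; *) return 1 ;; esac
    c=$(printf '%s' "$sym" | cut -c "$idx")
    case $c in r|x|s|t) return 0 ;; *) return 1 ;; esac   # lower-case s/t imply x
}

# keyfile_access_report USER FILE: print each denied component; return 1 if any
keyfile_access_report() {
    user=$1; file=$2; rc=0; parents=""
    dir=$(dirname "$file")
    while [ "$dir" != "/" ] && [ -n "$dir" ] && [ "$dir" != "." ]; do
        parents="$dir $parents"; dir=$(dirname "$dir")
    done
    for d in / $parents; do
        perm_ok "$d" "$user" x || { echo "DENY traverse: $user on $d"; rc=1; }
    done
    perm_ok "$file" "$user" r || { echo "DENY read: $user on $file"; rc=1; }
    # On SELinux hosts (Rocky Linux) DAC can pass and the label still deny;
    # print the label so it can be compared with what the mongod policy allows.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        echo "SELinux enforcing, label: $(ls -Z "$file" 2>/dev/null)"
    fi
    return $rc
}

# Usage for the case in the post (constructed call; adjust user and path as needed):
# keyfile_access_report mongod /usr/share/mongodb/certs/authkeyfile.pem
```

Every "DENY traverse" line names a directory whose mode blocks the service user even though the file itself is mode 400 and owned by it.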