2

I have installed MongoDB 4.0.4 from the official repo. I followed these instructions. My OS is CentOS 7 and SELinux is in enforcing mode. If I use a dbPath value which is a symlink to another directory, I get the following error in the log:

```
exception in initAndListen: Location28596: Unable to determine status of lock file in the data directory /var/lib/mongo_test: boost::filesystem::status: Permission denied: "/var/lib/mongo_test/mongod.lock", terminating
```

If I change the dbPath to any other directory which is not symlinked, it will work fine.

This is my current test setup and it will give an error:

```
# ln -s /var/lib/mongo /var/lib/mongo_test

# chcon -u system_u -t mongod_var_lib_t -h /var/lib/mongo_test

# cat /etc/mongod.conf | grep -v '^$\|^\s*\#'
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
storage:
  dbPath: /var/lib/mongo_test
  journal:
    enabled: true
processManagement:
  fork: true
  pidFilePath: /var/run/mongodb/mongod.pid
  timeZoneInfo: /usr/share/zoneinfo
net:
  port: 27017
  bindIp: 127.0.0.1

# ls -alZ /var/lib/ | grep mongo
drwxr-xr-x. mongod    mongod    system_u:object_r:mongod_var_lib_t:s0 mongo
lrwxrwxrwx. root      root      system_u:object_r:mongod_var_lib_t:s0 mongo_test -> /var/lib/mongo

# namei -l /var/lib/mongo_test/mongod.lock
f: /var/lib/mongo_test/mongod.lock
dr-xr-xr-x root   root   /
drwxr-xr-x root   root   var
drwxr-xr-x root   root   lib
lrwxrwxrwx root   root   mongo_test -> /var/lib/mongo
dr-xr-xr-x root   root     /
drwxr-xr-x root   root     var
drwxr-xr-x root   root     lib
drwxr-xr-x mongod mongod   mongo
-rw------- mongod mongod mongod.lock
```
Steve

2 Answers

3

You're almost certainly running into SELinux here. While it expects and permits access to the data directory /var/lib/mongo, or more specifically files and directories having the SELinux type mongod_var_lib_t, it knows nothing of your symbolic link, as it probably doesn't have this type.

If you change the SELinux type of the symlink, you may find that MongoDB is able to access the database again.

```
chcon -h -t mongod_var_lib_t /var/lib/mongo_test
```

Note that you probably aren't done at this point. If you're messing with symlinks like this, you probably intend to do something like putting all your data on some other disk. In that case, you also need to make the contexts persistent (see here).

Michael Hampton
  • I forgot to mention the exact command but I did run this: `chcon -u system_u -t mongod_var_lib_t -h /var/lib/mongo_test`. I had to add `-h` so that it would affect the symlink itself. You can see the result in the `ls -alZ` listing. It didn't help though and I still got the same error. – Steve Dec 08 '18 at 19:45
  • OK, then check the audit log. – Michael Hampton Dec 08 '18 at 20:00
  • Seems to be SELinux related indeed. `aureport -a` gives me `mongod system_u:system_r:mongod_t:s0 4 lnk_file read system_u:object_r:mongod_var_lib_t:s0 denied 8124754` every time I try to start MongoDB. I'm not sure how to fix this. – Steve Dec 08 '18 at 20:29
  • 1
    Aha. So SELinux is complaining precisely because it's a symlink and not a directory. Of course, as I said before, using a symlink is not the best way to go about it... – Michael Hampton Dec 08 '18 at 20:40
  • Alright. My original idea was to move the data directory to another disk and just symlink to it from the default path but since it won't work I'll just change the config file then. Thanks for your help. – Steve Dec 08 '18 at 21:29
  • 1
    Just mount the new disk at the existing path. You probably don't need symlinks or config file changes. – Michael Hampton Dec 09 '18 at 02:32
0

I found an issue using symlinks: the symlinks pointed to a different filesystem, and the mongodb (user) did not have permission to browse the folder that the symlink referred to.
So /var/log/mongodb was changed to a symlink following a standard install on Ubuntu.

For example:

```
$ ll /media/ziggy/
drwx------  5 ziggy ziggy  4096 Oct 28 21:49 XFS_DB/
```

But I had checked before:

```
$ ll /var/log/mongodb
lrwxrwxrwx 1 mongodb mongodb 38 Oct 28 21:58 /var/log/mongodb -> /media/ziggy/XFS_DB/mongodb/log/
```

So it seemed to make no sense. Of course user mongodb had rwx access to the folder and to the file mongodb.log, but it couldn't find it via the symlink because the base folder of the media couldn't be searched by mongodb.

Seems stupid in hindsight but no searches turned up anything useful.

As the owner (ziggy) I was able to start

```
mongod --config /etc/mongodb.conf
```

but it failed if I started the service:

```
sudo systemctl start mongod
```

It fails with a message: no permission to update mongodb.log.

Andrew Schulman
Asher