Problem Description:
On a freshly installed CentOS 7, install MongoDB 3.4, mount a large data disk, and edit /etc/mongod.conf so that the log and data directories sit on the new data disk, then adjust the file access permissions. mongod.conf after the change:
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /data/mongodb/log/mongod.log
# Where and how to store data.
storage:
  dbPath: /data/mongodb/data
.....
File permissions:
# ls -alh
drwxr-xr-x. 5 mongod mongod 4.0K Nov 1 14:53 mongodb
# cd mongodb
# ls -alh
drwxr-xr-x. 3 mongod mongod 4.0K Nov 9 19:08 data
drwxr-xr-x. 2 mongod mongod 4.0K Nov 9 19:06 log
drwxr-xr-x. 2 mongod mongod 4.0K Nov 1 14:54 run
After running systemctl start mongod, check the status: the service has not started. /var/log/messages contains the following errors:
Nov 9 06:06:44 [localhost] setroubleshoot: failed to retrieve rpm info for /data/mongodb/run/mongod.pid
Nov 9 06:06:44 [localhost] setroubleshoot: SELinux is preventing /usr/bin/mongod from write access on the file /data/mongodb/run/mongod.pid. For complete SELinux messages run: sealert -l f7148e11-b126-401e-ba9f-a9a87c1e54ae
Nov 9 06:06:44 [localhost] python: SELinux is preventing /usr/bin/mongod from write access on the file /data/mongodb/run/mongod.pid.#012#012***** Plugin restorecon (94.8 confidence) suggests ************************#012#012If you want to fix the label.#012/data/mongodb/run/mongod.pid default label should be default_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /data/mongodb/run/mongod.pid#012#012***** Plugin catchall_labels (5.21 confidence) suggests *******************#012#012If you want to allow mongod to have write access on the mongod.pid file#012Then you need to change the label on /data/mongodb/run/mongod.pid#012Do#012# semanage fcontext -a -t FILE_TYPE '/data/mongodb/run/mongod.pid'#012where FILE_TYPE is one of the following: afs_cache_t, initrc_tmp_t, mongod_log_t, mongod_tmp_t, mongod_td_t, mongod_var_run_t, puppet_tmp_t, user_cron_spool_t.#012Then execute:#012restorecon -v '/data/mongodb/run/mongod.pid'#012#012#012***** Plugin catchall (1.44 confidence) suggests **************************#012#012If you believe that mongod should be allowed write access on the mongod.pid file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'mongod' --raw | audit2allow -M my-mongod#012# semodule -i my-mongod.pp#012
The messages show that SELinux is blocking the access.
Resolution process:
The entries in /var/log/messages are hard to read, but they contain a hint:
For complete SELinux messages run: sealert -l e73ba9e8-f74d-4835-9b53-85667546b28c
Run the suggested command:
# sealert -l e73ba9e8-f74d-4835-9b53-85667546b28c
SELinux is preventing /usr/bin/mongod from write access on the directory /data/mongodb/log.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow mongod to have write access on the log directory
Then the labels in /data/mongodb/log must be changed
Do
# semanage fcontext -a -t FILE_TYPE '/data/mongodb/log'
Where FILE_TYPE is one of: mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, tmp_t, var_lib_t, var_log_t, var_run_t.
Then execute:
restorecon -v '/data/mongodb/log'
***** Plugin catchall (17.1 confidence) suggests **************************
...
The output above already contains the solution:
# semanage fcontext -a -t mongod_log_t '/data/mongodb/log'
# restorecon -v '/data/mongodb/log'
restorecon reset /data/mongodb/log context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:mongod_log_t:s0
After these commands are executed, the access problem for the /data/mongodb/log directory is resolved.
The /data/mongodb/data and /data/mongodb/run directories are fixed in the same way.
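The same fix applied to all three directories, as an added example that is not part of the original post. It assumes the /data/mongodb layout shown above and picks mongod_var_lib_t for data and mongod_var_run_t for run from the FILE_TYPE list in the sealert output; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: label all three MongoDB directories and verify the result.
# Assumed layout: /data/mongodb/{log,data,run}. The type chosen for each
# directory is an assumption based on the FILE_TYPE list printed by sealert.
BASE=${BASE:-/data/mongodb}

# directory -> SELinux type
label_map() {
  printf '%s\n' 'log mongod_log_t' 'data mongod_var_lib_t' 'run mongod_var_run_t'
}

# Print the commands without running them. The "(/.*)?" suffix makes the rule
# cover files below the directory, so a later relabel keeps them correct.
plan_labels() {
  while read -r dir type; do
    printf "semanage fcontext -a -t %s '%s/%s(/.*)?'\n" "$type" "$BASE" "$dir"
    printf "restorecon -Rv '%s/%s'\n" "$BASE" "$dir"
  done <<EOF
$(label_map)
EOF
}

# True if the type field of a context (user:role:type:level) equals $2.
context_has_type() {
  [ "$(printf '%s' "$1" | cut -d: -f3)" = "$2" ]
}

# Run the commands as root, then confirm each directory carries the expected type.
apply_labels() {
  while read -r dir type; do
    semanage fcontext -a -t "$type" "$BASE/$dir(/.*)?" || return 1
    restorecon -Rv "$BASE/$dir" || return 1
    context_has_type "$(stat -c %C "$BASE/$dir")" "$type" || {
      echo "unexpected label on $BASE/$dir" >&2; return 1; }
  done <<EOF
$(label_map)
EOF
}

# Dry run by default; set APPLY=1 to change labels.
if [ "${APPLY:-0}" = 1 ]; then apply_labels; else plan_labels; fi
```

Run it once without APPLY to review the commands, then with APPLY=1 as root before starting mongod.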
Start mongod and the problem is solved.
Nov 9 06:08:51 [localhost] systemd: Starting High-performance, schema-free document-oriented database ...
Nov 9 06:08:51 [localhost] systemd: Started High-performance, schema-free document-oriented database.
Nov 9 06:08:51 [localhost] mongod: about to fork child process, waiting until server is ready for connections.
Nov 9 06:08:51 [localhost] mongod: forked process: 18218
Nov 9 06:08:51 [localhost] mongod: child process started successfully, parent exiting
P.S. Besides the fix above, there is a blunter approach: turning SELinux off altogether. This is not recommended.
# setenforce 0
# getenforce
Permissive
The commands above turn it off only temporarily. To turn it off permanently, edit the /etc/selinux/config file and change SELINUX=enforcing to SELINUX=disabled; the change only takes effect after a reboot.
CentOS7 SELinux issues preventing MongoDB from starting