mongod fails to read keyFile mounted via Docker volume with "InvalidPath: bad file"

[yudhees]

MongoDB Docker: keyFile bind-mounted as file fails with InvalidPath: bad file

Description

When using the official Docker image mongodb/mongodb-community-server, MongoDB fails to start if the security.keyFile is provided via a bind-mounted file, even though all documented requirements are satisfied.

MongoDB logs the following error during startup:

Read security file failed
InvalidPath: error opening file: /etc/mongo-keyfile: bad file

This happens despite the keyfile being:

• a regular file (not a directory)
• readable by the mongod process
• owned by the same UID/GID as mongod
• permission set to 400
• valid base64 content
• within the allowed size limit (≤ 1024 bytes)

---

Environment

• Operating System: Ubuntu (VPS)
• Docker: latest
• Docker Compose: v2
• MongoDB Image: mongodb/mongodb-community-server:latest
• MongoDB Version: latest (from image)

---

docker-compose.yml

services:
mongod:
image: mongodb/mongodb-community-server:latest
container_name: mongodb-server
command: >-
mongod
--config /etc/mongod.conf
--replSetMember=mongod.search-community:27017
ports:
- 27017:27017
extra_hosts:
- host.docker.internal:host-gateway
volumes:
- mongodb-data:/data/db
- /etc/mongodb/keyfile:/etc/mongo-keyfile:ro
- ./mongod.conf:/etc/mongod.conf:ro
networks:
- search-community

mongot:
image: mongodb/mongodb-community-search:latest
container_name: mongodb-search
volumes:
- mongot-data:/data/mongot
- ./mongot.conf:/mongot-community/config.default.yml
networks:
- search-community

volumes:
mongodb-data:
mongot-data:

networks:
search-community:

---

mongod.conf

storage:
dbPath: /data/db

net:
port: 27017
bindIp: 0.0.0.0

security:
authorization: enabled
keyFile: /etc/mongo-keyfile

setParameter:
searchIndexManagementHostAndPort: mongot.search-community:27028
mongotHost: mongot.search-community:27028
skipAuthenticationToSearchIndexManagementServer: false
useGrpcForSearch: true

replication:
replSetName: rs0

---

Keyfile generation

openssl rand -base64 756 > /etc/mongodb/keyfile
chmod 400 /etc/mongodb/keyfile
chown 999:999 /etc/mongodb/keyfile

---

Keyfile details (host)

-r-------- 1 999 systemd-journal 1024 Dec 16 03:33 keyfile

wc -l: 1
wc -c: 1024

---

Keyfile details (inside container)

-r-------- 1 999 999 1024 /etc/mongo-keyfile

The file is:

• a regular file (not a directory)
• not a symlink
• owned by the same UID/GID as the mongod process
• no group or world permissions

---

Error logs

Read security file failed
InvalidPath: error opening file: /etc/mongo-keyfile: bad file

---

Expected behavior

MongoDB should successfully read the keyFile and start with internal authentication enabled, as documented.

---

Actual behavior

MongoDB fails to start with InvalidPath: bad file when the keyFile is provided via a Docker bind mount.

---

Additional notes

• If the same keyfile is copied into the container filesystem using docker cp, MongoDB starts correctly.
• This suggests MongoDB may be rejecting certain bind-mounted files even when permissions and ownership are correct.

---

Question

Is MongoDB expected to support bind-mounted keyfiles inside Docker containers, or is copying the keyfile into the container the only supported approach?

[tianon]

When using the official Docker image mongodb/mongodb-community-server, ...

Unfortunately, https://hub.docker.com/r/mongodb/mongodb-community-server is not maintained in this repository (there are some potentially useful links in that image description).