mongod fails to read keyFile mounted via Docker volume with "InvalidPath: bad file" #739

@yudhees

MongoDB Docker: keyFile bind-mounted as file fails with InvalidPath: bad file

Description

When using the official Docker image mongodb/mongodb-community-server, MongoDB fails to start if the security.keyFile is provided via a bind-mounted file, even though all documented requirements are satisfied.

MongoDB logs the following error during startup:

Read security file failed
InvalidPath: error opening file: /etc/mongo-keyfile: bad file

This happens despite the keyfile being:

  • a regular file (not a directory)
  • readable by the mongod process
  • owned by the same UID/GID as mongod
  • permission set to 400
  • valid base64 content
  • within the allowed size limit (≤ 1024 bytes)

Environment

  • Operating System: Ubuntu (VPS)
  • Docker: latest
  • Docker Compose: v2
  • MongoDB Image: mongodb/mongodb-community-server:latest
  • MongoDB Version: latest (from image)

docker-compose.yml

services:
  mongod:
    image: mongodb/mongodb-community-server:latest
    container_name: mongodb-server
    command: >-
      mongod
      --config /etc/mongod.conf
      --replSetMember=mongod.search-community:27017
    ports:
      - 27017:27017
    extra_hosts:
      - host.docker.internal:host-gateway
    volumes:
      - mongodb-data:/data/db
      - /etc/mongodb/keyfile:/etc/mongo-keyfile:ro
      - ./mongod.conf:/etc/mongod.conf:ro
    networks:
      - search-community

  mongot:
    image: mongodb/mongodb-community-search:latest
    container_name: mongodb-search
    volumes:
      - mongot-data:/data/mongot
      - ./mongot.conf:/mongot-community/config.default.yml
    networks:
      - search-community

volumes:
  mongodb-data:
  mongot-data:

networks:
  search-community:


mongod.conf

storage:
  dbPath: /data/db

net:
  port: 27017
  bindIp: 0.0.0.0

security:
  authorization: enabled
  keyFile: /etc/mongo-keyfile

setParameter:
  searchIndexManagementHostAndPort: mongot.search-community:27028
  mongotHost: mongot.search-community:27028
  skipAuthenticationToSearchIndexManagementServer: false
  useGrpcForSearch: true

replication:
  replSetName: rs0


Keyfile generation

openssl rand -base64 756 > /etc/mongodb/keyfile
chmod 400 /etc/mongodb/keyfile
chown 999:999 /etc/mongodb/keyfile


Keyfile details (host)

-r-------- 1 999 systemd-journal 1024 Dec 16 03:33 keyfile

wc -l: 1
wc -c: 1024


Keyfile details (inside container)

-r-------- 1 999 999 1024 /etc/mongo-keyfile

The file is:

  • a regular file (not a directory)
  • not a symlink
  • owned by the same UID/GID as the mongod process
  • no group or world permissions

Error logs

Read security file failed
InvalidPath: error opening file: /etc/mongo-keyfile: bad file


Expected behavior

MongoDB should successfully read the keyFile and start with internal authentication enabled, as documented.


Actual behavior

MongoDB fails to start with InvalidPath: bad file when the keyFile is provided via a Docker bind mount.


Additional notes

  • If the same keyfile is copied into the container filesystem using docker cp, MongoDB starts correctly.
  • This suggests MongoDB may be rejecting certain bind-mounted files even when permissions and ownership are correct.

Question

Is MongoDB expected to support bind-mounted keyfiles inside Docker containers, or is copying the keyfile into the container the only supported approach?
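An added example, not part of the issue above or of the MongoDB project: a POSIX shell pre-flight that applies the documented keyFile rules the report lists (regular file, not a symlink, no group/other permission bits, readable by the calling user, and 6 to 1024 base64 characters after whitespace is stripped) to a candidate file, so the manual checks in the report can be re-run mechanically from inside the container as the same UID mongod runs under. The fixture contents, the temporary directory and the UID 999 used in the usage comment are constructed assumptions, not values taken from the MongoDB image.

```shell
#!/bin/sh
# Added example, not from the issue or from MongoDB. Checks one file against
# the documented keyFile requirements and reports the first failure.
# Run it as the UID that mongod will use, e.g. (UID 999 is an assumption
# taken from the chown in the report):
#   docker exec -u 999 mongodb-server sh -c "$(cat keyfile-check.sh); check_keyfile /etc/mongo-keyfile"

check_keyfile() {
    f="$1"
    if [ -L "$f" ]; then echo "FAIL $f: is a symlink"; return 1; fi
    if [ ! -f "$f" ]; then echo "FAIL $f: not a regular file"; return 1; fi
    # Columns 5-10 of 'ls -l' are the group and other permission bits;
    # mongod refuses a keyfile with any of them set (mode must be 400 or 600).
    grpoth=$(ls -ld "$f" | cut -c5-10)
    if [ "$grpoth" != "------" ]; then
        echo "FAIL $f: group/other permission bits set ($(ls -ld "$f" | cut -c1-10))"
        return 1
    fi
    # The open() that mongod does happens as its own UID, so run this check
    # as that UID; as root, -r is always true and proves nothing.
    if [ ! -r "$f" ]; then echo "FAIL $f: not readable by uid $(id -u)"; return 1; fi
    # Whitespace is stripped before the key is validated; what remains must be
    # base64 characters only, between 6 and 1024 of them.
    key=$(tr -d ' \t\r\n' < "$f")
    case "$key" in
        *[!A-Za-z0-9+/=]*) echo "FAIL $f: non-base64 characters"; return 1 ;;
    esac
    n=${#key}
    if [ "$n" -lt 6 ] || [ "$n" -gt 1024 ]; then
        echo "FAIL $f: key is $n characters, must be 6..1024"; return 1
    fi
    echo "OK   $f: $n base64 characters, $(ls -ld "$f" | cut -c1-10)"
    return 0
}

# Constructed fixtures in a temp directory: a compliant key (mode 400), the
# same key with a group-readable mode, and a key that exceeds 1024 characters.
# Prints the directory so callers can point check_keyfile at the files.
make_fixtures() {
    dir=$(mktemp -d)
    printf 'r8Z0mX4Pq2vN7bLcT9yHdA5sWkFj3eGuQ1oVxBnMiC6tY+/lEaIpRhUzOfJgKwSD\n' > "$dir/good"
    chmod 400 "$dir/good"
    cp "$dir/good" "$dir/open"
    chmod 640 "$dir/open"
    # 1025 'A' characters: one over the documented maximum.
    printf '%1025d' 0 | tr ' 0' 'AA' > "$dir/toolong"
    chmod 400 "$dir/toolong"
    echo "$dir"
}
```

Note that a bind mount that passes every check here but still fails inside the container points at something outside the file's own metadata (for example the mount itself, or a mandatory access control label on the host path), which is exactly the distinction the docker cp observation in the report makes.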
