ISSUE SUMMARY
MongoDB checks the readahead settings on startup from the /sys/dev/block directory. If the permissions to these files are restricted so that MongoDB cannot open them, it terminates with an exception.
USER IMPACT
Some systems with heightened security settings (for example hardened Gentoo with grSecurity extension) restrict access to the required file by default.
SOLUTION
The solution is to ignore any error due to restricted file permissions and skip the readahead check in such a case.
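One way to write a readahead check that tolerates restricted sysfs permissions, as an added example (not MongoDB's actual fix): it uses POSIX open() and errno instead of boost::filesystem, and the names ReadaheadCheck, classifyOpenError and readReadaheadKb are hypothetical. Treating EPERM like EACCES, and never aborting startup on any outcome, are assumptions of this example.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <unistd.h>

enum class ReadaheadCheck { Ok, Skipped, Failed };

// Map an open()/read() errno to an outcome. A permission error means the
// kernel is hiding sysfs from this user, so the check is skipped.
ReadaheadCheck classifyOpenError(int err) {
    switch (err) {
        case EACCES:
        case EPERM:
            return ReadaheadCheck::Skipped;
        default:
            return ReadaheadCheck::Failed;
    }
}

// Read a read_ahead_kb-style file. Never throws; kb is written only on Ok.
ReadaheadCheck readReadaheadKb(const std::string& path, long& kb) {
    int fd = ::open(path.c_str(), O_RDONLY);
    if (fd < 0) return classifyOpenError(errno);
    char buf[32] = {0};
    ssize_t n = ::read(fd, buf, sizeof(buf) - 1);
    int readErr = errno;  // save before close() can overwrite it
    ::close(fd);
    if (n < 0) return classifyOpenError(readErr);
    char* end = nullptr;
    errno = 0;
    long v = std::strtol(buf, &end, 10);
    if (end == buf || errno == ERANGE || v < 0) return ReadaheadCheck::Failed;
    kb = v;
    return ReadaheadCheck::Ok;
}

int main() {
    // Path copied from the log on this page; major:minor differs per system.
    long kb = 0;
    switch (readReadaheadKb("/sys/dev/block/253:1/queue/read_ahead_kb", kb)) {
        case ReadaheadCheck::Ok:      std::printf("readahead: %ld KB\n", kb); break;
        case ReadaheadCheck::Skipped: std::printf("readahead check skipped\n"); break;
        case ReadaheadCheck::Failed:  std::printf("readahead check failed\n"); break;
    }
    return 0;  // assumption: the check is advisory, so startup always continues
}
```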
WORKAROUNDS
Ensure that the user running the mongod process has read access to the files under /sys/dev/block.
AFFECTED VERSIONS
All release versions from 2.4.0 to 2.4.9 are affected.
PATCHES
The fix is included in the 2.4.10 production release and the 2.5.3 development version, which will evolve into the 2.6.0 production release.
Original Description
MongoDB tries to check whether the file '/sys/dev/block/x:x/queue/read_ahead_kb' exists on startup.
When the MongoDB user does not have permission to access a parent directory, it throws an exception and stops the server:
[initandlisten] exception in initAndListen std::exception: boost::filesystem::status: Permission denied: "/sys/dev/block/253:1/queue/read_ahead_kb", terminating
Code:
https://github.com/mongodb/mongo/blob/master/src/mongo/db/db.cpp#L538
GRSEC sysfs restrict results:
bdd ~ # ls -al /sys/
total 4
dr-xr-xr-x 11 root root 0 Mar 27 20:39 .
drwxr-xr-x 21 root root 4096 Nov 16 00:02 ..
drwx------ 2 root root 0 Apr 4 19:34 block
drwx------ 19 root root 0 Apr 4 19:34 bus
drwx------ 59 root root 0 Apr 4 19:22 class
drwx------ 4 root root 0 Apr 4 19:20 dev
drwxr-xr-x 10 root root 0 Mar 31 09:12 devices
drwx------ 4 root root 0 Apr 4 19:34 firmware
drwxr-xr-x 5 root root 0 Mar 27 20:39 fs
drwx------ 8 root root 0 Mar 27 20:39 kernel
drwx------ 144 root root 0 Apr 4 19:34 module
MongoDB log file:
Thu Apr 4 22:09:42.701 [initandlisten] MongoDB starting : pid=19263 port=27017 dbpath=/var/lib/mongodb 64-bit host=bdd
Thu Apr 4 22:09:42.701 [initandlisten] db version v2.4.1
Thu Apr 4 22:09:42.701 [initandlisten] git version: nogitversion
Thu Apr 4 22:09:42.701 [initandlisten] build info: Linux bdd 3.7.5-hardened-r1-xxxx-grs-ipv6-64 #1 SMP Sun Mar 10 16:55:21 CET 2013 x86_64 BOOST_LIB_VERSION=1_52
Thu Apr 4 22:09:42.701 [initandlisten] allocator: tcmalloc
Thu Apr 4 22:09:42.701 [initandlisten] options:
Thu Apr 4 22:09:42.701 [initandlisten] exception in initAndListen std::exception: boost::filesystem::status: Permission denied: "/sys/dev/block/253:1/queue/read_ahead_kb", terminating
Thu Apr 4 22:09:42.701 dbexit:
Thu Apr 4 22:09:42.701 [initandlisten] shutdown: going to close listening sockets...
Thu Apr 4 22:09:42.701 [initandlisten] shutdown: going to flush diaglog...
Thu Apr 4 22:09:42.701 [initandlisten] shutdown: going to close sockets...
Thu Apr 4 22:09:42.701 [initandlisten] shutdown: waiting for fs preallocator...
Thu Apr 4 22:09:42.701 [initandlisten] shutdown: lock for final commit...
Thu Apr 4 22:09:42.701 [initandlisten] shutdown: final commit...
Thu Apr 4 22:09:42.701 [initandlisten] shutdown: closing all files...
Thu Apr 4 22:09:42.701 [initandlisten] closeAllFiles() finished
Thu Apr 4 22:09:42.701 dbexit: really exiting now
Kernel configuration:
Symbol: GRKERNSEC_SYSFS_RESTRICT [=y]
Type : boolean
Prompt: Sysfs/debugfs restriction
Defined at grsecurity/Kconfig:354
Depends on: GRKERNSEC [=y] && SYSFS [=y]
Location:
-> Security options
-> Grsecurity
-> Grsecurity (GRKERNSEC [=y])
-> Customize Configuration
-> Filesystem Protections