mongo 5.0.8 crash - Unable to acquire security key[s] #536

@linydquantil

Hi:
I deploy a mongo rs on Kubernetes. When the mongo image is 4.4.14, it works well, but when the image is 5.0.8, it crashes.
This is the YAML file:

     containers:
        - name: mongo
          image: "mongo:5.0.8"   # 4.4.14 or 5.0.8
          imagePullPolicy: IfNotPresent
          args:
            - "--replSet"
            - "rs0"
            - "--bind_ip"
            - "0.0.0.0"
            - "--wiredTigerCacheSizeGB"
            - "0.5"
            - "--clusterAuthMode"
            - "keyFile"
            - "--keyFile"
            - "/secret/keyfile"
            - "--setParameter"
            - "authenticationMechanisms=SCRAM-SHA-1"
            - "--logpath=/data/db/mongodb.log"
            - "--tlsMode=requireTLS"
            - "--tlsCertificateKeyFile=/data/ssl/server.pem"
            - "--tlsCAFile=/data/ssl/ca.pem"
            - "--tlsClusterFile=/data/ssl/server.pem"
          env:
          - name: MONGO_INITDB_ROOT_USERNAME
            valueFrom:
              secretKeyRef:
                name: mongo-secrets
                key: username
          - name: MONGO_INITDB_ROOT_PASSWORD
            valueFrom:
              secretKeyRef:
                name: mongo-secrets
                key: password

The crash mongod.log is:

about to fork child process, waiting until server is ready for connections.
forked process: 28

{"t":{"$date":"2022-05-18T08:47:06.231+00:00"},"s":"I",  "c":"CONTROL",  "id":20698,   "ctx":"-","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2022-05-18T08:47:06.233+00:00"},"s":"I",  "c":"CONTROL",  "id":23285,   "ctx":"-","msg":"Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'"}
{"t":{"$date":"2022-05-18T08:47:06.241+00:00"},"s":"I",  "c":"NETWORK",  "id":4913010, "ctx":"-","msg":"Certificate information","attr":{"subject":"CN=localhost,emailAddress=xxx.com,OU=xxx,O=xxxx.COM,L=xxx,ST=xxx,C=xx","issuer":"CN=localhost,OU=xxx,O=xxx.COM,C=xx","thumbprint":"xxx","notValidBefore":{"$date":"2022-05-17T06:29:01.000Z"},"notValidAfter":{"$date":"2032-05-14T06:29:01.000Z"},"keyFile":"/data/ssl/server.pem","type":"Server"}}
{"t":{"$date":"2022-05-18T08:47:06.241+00:00"},"s":"I",  "c":"NETWORK",  "id":4913011, "ctx":"-","msg":"Certificate information","attr":{"subject":"CN=localhost,emailAddress=xxx.com,OU=xxx,O=xxxx.COM,L=xxx,ST=xxx,C=xx","issuer":"CN=localhost,OU=xxx,O=xxx.COM,C=xx","thumbprint":"xxxxx","notValidBefore":{"$date":"2022-05-17T06:29:01.000Z"},"notValidAfter":{"$date":"2032-05-14T06:29:01.000Z"},"keyFile":"/data/ssl/server.pem","type":"Cluster"}}
{"t":{"$date":"2022-05-18T08:47:06.241+00:00"},"s":"I",  "c":"NETWORK",  "id":4915701, "ctx":"-","msg":"Initialized wire specification","attr":{"spec":{"incomingExternalClient":{"minWireVersion":0,"maxWireVersion":13},"incomingInternalClient":{"minWireVersion":0,"maxWireVersion":13},"outgoing":{"minWireVersion":0,"maxWireVersion":13},"isInternalClient":true}}}
{"t":{"$date":"2022-05-18T08:47:06.243+00:00"},"s":"W",  "c":"ASIO",     "id":22601,   "ctx":"main","msg":"No TransportLayer configured during NetworkInterface startup"}
{"t":{"$date":"2022-05-18T08:47:06.243+00:00"},"s":"I",  "c":"NETWORK",  "id":4648601, "ctx":"main","msg":"Implicit TCP FastOpen unavailable. If TCP FastOpen is required, set tcpFastOpenServer, tcpFastOpenClient, and tcpFastOpenQueueSize."}
{"t":{"$date":"2022-05-18T08:47:06.244+00:00"},"s":"I",  "c":"ACCESS",   "id":20254,   "ctx":"main","msg":"Read security file failed","attr":{"error":{"code":30,"codeName":"InvalidPath","errmsg":"Error reading file : No such file or directory"}}}
{"t":{"$date":"2022-05-18T08:47:06.245+00:00"},"s":"I",  "c":"ASIO",     "id":22582,   "ctx":"main","msg":"Killing all outstanding egress activity."}
{"t":{"$date":"2022-05-18T08:47:06.245+00:00"},"s":"F",  "c":"CONTROL",  "id":20575,   "ctx":"main","msg":"Error creating service context","attr":{"error":"Location5579201: Unable to acquire security key[s]"}}
ERROR: child process failed, exited with 1
To see additional information in this output, start without the "--fork" option.

And the file permissions (keyfile/tls) are:

[image: file permissions of the keyfile and tls files]

On the other hand, when I replace args with command in the YAML file, mongo 5.0.8 works well. The YAML file looks like this:

     containers:
        - name: mongo
          image: "mongo:5.0.8"
          imagePullPolicy: IfNotPresent
          command:
            - "numactl"
            - "--interleave=all"
            - "mongod"
            - "--replSet"
            - "rs0"
            - "--bind_ip"
            - "0.0.0.0"
            - "--wiredTigerCacheSizeGB"
            - "0.5"
            - "--auth"
            - "--clusterAuthMode"
            - "keyFile"
            - "--keyFile"
            - "/secret/keyfile"
            - "--setParameter"
            - "authenticationMechanisms=SCRAM-SHA-1"
            - "--logpath=/data/db/mongodb.log"
            - "--tlsMode=requireTLS"
            - "--tlsCertificateKeyFile=/data/ssl/server.pem"
            - "--tlsCAFile=/data/ssl/ca.pem"
            - "--tlsClusterFile=/data/ssl/server.pem"

Maybe I am missing something here, so how do I solve it?
Thanks
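
Added example, not part of the original issue or the image's own tooling: a small Python triage helper for the structured mongod log quoted above. It finds the fatal (`"s":"F"`) entry and pairs it with the nearest earlier entry that carries an error object, which in this log is the keyfile read failure recorded at severity `"I"`. The function names and the abridged sample are constructed for illustration.

```python
import json

# Constructed sample: three entries copied from the mongod.log quoted in the
# issue, plus the plain-text lines the forked launcher prints around them.
SAMPLE_LOG = r'''about to fork child process, waiting until server is ready for connections.
{"t":{"$date":"2022-05-18T08:47:06.243+00:00"},"s":"W",  "c":"ASIO",     "id":22601,   "ctx":"main","msg":"No TransportLayer configured during NetworkInterface startup"}
{"t":{"$date":"2022-05-18T08:47:06.244+00:00"},"s":"I",  "c":"ACCESS",   "id":20254,   "ctx":"main","msg":"Read security file failed","attr":{"error":{"code":30,"codeName":"InvalidPath","errmsg":"Error reading file : No such file or directory"}}}
{"t":{"$date":"2022-05-18T08:47:06.245+00:00"},"s":"F",  "c":"CONTROL",  "id":20575,   "ctx":"main","msg":"Error creating service context","attr":{"error":"Location5579201: Unable to acquire security key[s]"}}
ERROR: child process failed, exited with 1
'''

def parse_entries(text):
    """Yield JSON log entries, skipping plain-text launcher output."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved line

def explain_fatal(text):
    """Return (fatal_entry, cause_entry) for the first fatal line.

    The cause is the nearest preceding entry whose attr.error is an object
    (code/codeName/errmsg); severity is ignored because the keyfile read
    failure in the log above is recorded at "I", not "E".
    """
    seen = []
    for entry in parse_entries(text):
        if entry.get("s") == "F":
            cause = next(
                (e for e in reversed(seen)
                 if isinstance(e.get("attr", {}).get("error"), dict)),
                None)
            return entry, cause
        seen.append(entry)
    return None, None

def summarize(text):
    fatal, cause = explain_fatal(text)
    if fatal is None:
        return "no fatal entry"
    out = f'fatal id={fatal["id"]}: {fatal.get("attr", {}).get("error", fatal.get("msg"))}'
    if cause:
        err = cause["attr"]["error"]
        out += f' <- id={cause["id"]} {cause["c"]}: {cause["msg"]} [{err.get("codeName")}: {err.get("errmsg")}]'
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```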

Labels: question (Usability question, not directly related to an error with the image)