Question

How to fix permission error for /tmp/mongodb-27107.sock for Docker container running in AWS

Posted November 3, 2020
Tags: MongoDB, CentOS, Docker

I am starting up MongoDB in a docker container running in an AWS EC2 instance. By company policy, the instance cannot connect to the internet, so I have created a custom Amazon Machine Image that has docker and two images of mongo (3.4 and latest as of the second-to-last week of October 2020). Docker seems to be installed and working fine when I bring up a new EC2 instance, but whenever I run
docker run -d -p 27017:27017 -v bigid-mongo-data:/data/db --name bigid-mongo mongo:3.4
I get the following line in the log

2020-11-02T16:14:55.138+0000 E NETWORK [initandlisten] listen(): bind() failed Permission denied for socket: /tmp/mongodb-27017.sock
2020-11-02T16:14:55.138+0000 E NETWORK [initandlisten] Failed to set up sockets during startup.
2020-11-02T16:14:55.138+0000 E STORAGE [initandlisten] Failed to set up listener: InternalError: Failed to set up sockets

which is followed by exit code 48.
Similarly, when I run
docker run -d -p 27017:27017 -v bigid-mongo-data:/data/db --name bigid-mongo mongo
to use the latest image, I see

{"t":{"$date":"2020-11-02T16:43:19.058+00:00"},"s":"E", "c":"STORAGE", "id":20568, "ctx":"initandlisten","msg":"Error setting up listener","attr":{"error":{"code":9001,"codeName":"SocketException","errmsg":"Permission denied"}}}

instead.
Docker works when I use the hello-world image that I pulled and I have already tried changing the permissions of /tmp using
chmod 1777 /tmp
so I am not sure what further steps to take to resolve this issue.

2 answers

Hi there @mrmardis93,

I could suggest changing the owner of the socket to the MongoDB user:

  • sudo chown mongodb:mongodb /tmp/mongodb-27017.sock

Let me know how it goes!
Regards,
Bobby

  • Thank you, Bobby!

    However, I can’t believe that I forgot to include that there is no mongodb-27017.sock in /tmp. It was not created with either image.

    Also, mongodb was not among my users when I ran
    cat /etc/passwd
    which I feel is related.

    Best,
    Mr. M

    • Hi there @mrmardis93,

      The error that you are seeing is referring to the /tmp folder inside the Mongo Container rather than the /tmp folder on your server.

      Have you checked if the /tmp folder inside the container has the correct permissions?

      You can do that with the following command:

      docker exec your_container_id ls -ld /tmp
      

      If this is not the case, you need to change the permissions of that folder inside the container directly or build an updated image with the correct permissions.

      Let me know how it goes!
      Regards,
      Bobby

      • Hello again, @bobbyiliev,

        Is there another way to check the permissions? My container is not up long enough to run the command that you provided.

        Also, sorry, I’m pretty new, how would I change the permissions of the image?

        Thank you very much for your help,
        Mr. M

        • Hi there @mrmardis93,

          After looking closer into the error that you’ve shared, the problem might be that there is already a Mongo service listening on that port so that could be the reason why the container is not starting.

          You can check if this is the case with the following command:

          • netstat -plant | grep "27017"

          Basically, you can only have 1 service listening on the same port on your host. If this is the case and if you need a second Mongo container, you would need to change the -p parameter so that you bind the port on your host to a different one.

          Let me know how it goes!
          Regards,
          Bobby

          • Hello @bobbyiliev,

            That command returned nothing, so there is nothing listening on that port, correct?

            My manager had looked into this with me last week and we could not find anything else on the same port like the exit code of 48 seemed to imply.

            This is also a fresh instance running user data and I do not believe that anything else is specified to run on port 27107 until the container is started.

            I wonder if I could start the Mongo container in the Custom AMI creation instead when ingress traffic is allowed? I plan to give that a try and report back on its success.

            (Edit: Never mind, the volume that Mongo uses isn’t attached until runtime as part of the user data.)

            Thanks,
            Mr. M

          • Hi there @mrmardis93,

            This is quite interesting, I tested the same command on a fresh new Ubuntu Droplet and it works well.

            It could be something on the host that is blocking the port binding like SELinux for example.

            I could suggest checking your system logs to see if you could get some more information on what could be wrong.

            Let me know how it goes.
            Regards,
            Bobby

(Starting a new chain because I cannot reply to the old one.)

Thank you for the help, @bobbyiliev!

I am still unsure about what is causing the problem, but I am going to create a new Custom AMI. An instance using a previous AMI worked one time and then had the same error, so I hope that another new AMI can fix this.

I will report back here if it is successful or ask a new question if I encounter a different problem.

Best,
Mr. M
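
A triage sketch for the checks discussed in the thread, as an added example that is not part of any post above: it reads which endpoint the failing bind() names, reads the mode of /tmp from the image without starting mongod (so it works when the container exits too quickly for docker exec), and looks at SELinux on the host. The function names are hypothetical, and it assumes the image ships coreutils `stat` and that the host has `getenforce` and `ausearch` installed.

```shell
#!/bin/sh
# Added triage helper, not from the thread. Function names are hypothetical.

# Classify a mongod 3.4-style listener error: errno text and the endpoint named.
classify_bind_error() (
  line=$1
  kind=other
  case $line in
    *"Permission denied"*)      kind=permission-denied ;;
    *"Address already in use"*) kind=address-in-use ;;
  esac
  target=${line##*for socket: }
  if [ "$target" = "$line" ]; then target=unknown; fi
  # A leading slash means a Unix domain socket path, not a TCP host:port.
  case $target in /*) target="unix:$target" ;; esac
  printf '%s %s\n' "$kind" "$target"
)

# Succeed if an octal mode (as printed by `stat -c %a`) gives "other" users
# write and search permission, which a non-root process needs to create a
# socket file in the directory. Returns 2 if the input is not an octal mode.
tmp_mode_ok() {
  case $1 in ''|*[!0-7]*) return 2 ;; esac
  case $1 in *[37]) return 0 ;; *) return 1 ;; esac
}

# Read /tmp's mode from the image by overriding the entrypoint, so mongod
# never starts and the container cannot exit before the check runs.
image_tmp_mode() {
  docker run --rm --entrypoint stat "$1" -c '%a' /tmp
}

# Log line quoted in the question.
SAMPLE='2020-11-02T16:14:55.138+0000 E NETWORK [initandlisten] listen(): bind() failed Permission denied for socket: /tmp/mongodb-27017.sock'
classify_bind_error "$SAMPLE"

# Docker and SELinux tooling are only touched when an image name is given,
# e.g.: sh triage.sh mongo:3.4
if [ $# -ge 1 ]; then
  mode=$(image_tmp_mode "$1") || exit 1
  if tmp_mode_ok "$mode"; then echo "/tmp in $1 is $mode: writable by non-root"
  else echo "/tmp in $1 is $mode: NOT writable by non-root"; fi
  # Host side: SELinux mode and recent AVC denials (ausearch needs root).
  if command -v getenforce >/dev/null; then getenforce; fi
  if command -v ausearch >/dev/null; then ausearch -m avc -ts recent; fi
fi
```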
