@wenjian I also use the Percona image and am facing an issue when mounting a secret from outside into the Docker container. I believe MongoDB runs as the mongodb user and the encryption key file I created belongs to a different user. How did it work for you?
I am having a similar issue: trying to use Docker Compose with Percona and Vault and running into all sorts of permission issues no matter what I do. Is there any good guide out there?
Can you share any more details so we can help you troubleshoot? What errors do you see?
Okay, so I have been bouncing back and forth between multiple attempts, and each one leads to a different kind of error. Essentially what I'm trying to do is just set up a simple Percona Docker container that works with Vault, but that path is not detailed in the documentation and I had to closely follow this blog, so here is what I did:
docker-compose.yml:

```yaml
services:
  mongodb:
    image: percona/percona-server-mongodb:8.0
    restart: unless-stopped
    user: root # Run the container as the root user
    command: >
      /bin/sh -c "
      echo 'Creating Vault token file...' &&
      echo 'MY_TOKEN_VALUE' > /etc/mongodb-token &&
      chown mongod:mongod /etc/mongodb-token &&
      chmod 400 /etc/mongodb-token &&
      ls -l /etc/mongodb-token &&
      echo 'Token file created. Starting MongoDB...' &&
      exec /entrypoint.sh mongod --config /etc/mongod.conf
      "
    # Note: with chmod 400 only the file's owner can read the token, so the
    # chown target must be the user the entrypoint ultimately starts mongod as
    # (verify with `ps -o user,args` inside the running container).
    environment:
      MONGO_INITDB_ROOT_USERNAME: DBUSERNAME
      MONGO_INITDB_ROOT_PASSWORD: DBPASSWORD
      MONGO_INITDB_DATABASE: DBDATABASE
    volumes:
      - mongodb_appdata:/data/db
      - ./mongodb-config/mongod.conf:/etc/mongod.conf:ro
    healthcheck:
      test: echo 'db.runCommand("ping").ok' | mongosh localhost:27017/test --quiet
      interval: 10s
      timeout: 10s
      retries: 5
      start_period: 40s
    ports:
      - "27017:27017"
    networks:
      - ***_network
  # More services here
```
mongod.conf:

```yaml
# mongod.conf
# Network interfaces
net:
  port: 27017
  bindIpAll: true
# Security settings for encryption
security:
  enableEncryption: true
  vault:
    serverName: vault.***.com
    port: 8200
    tokenFile: /etc/mongodb-token
    secret: mongodb-keys/etc/mydatabase
    # Talks plain HTTP to Vault (token sent unencrypted); testing only
    disableTLSForTesting: true
```
And here is the output:
PS C:\Users\MSI\workstation-noblemind\***> docker compose up -d mongodb --build && docker logs -f ***-mongodb-1
[+] Running 3/3
✔ Network ***_network Created 0.0s
✔ Volume "***_mongodb_appdata" Created 0.0s
✔ Container ***-mongodb-1 Started 0.4s
+ '[' '!' -z '' ']'
+ '[' '!' -z '' ']'
+ '[' '!' -z https://check.percona.com/v1/telemetry/GenericReport ']'
+ CALL_HOME_OPTIONAL_PARAMS+=' -u https://check.percona.com/v1/telemetry/GenericReport'
+ '[' '!' -z '' ']'
+ CALL_HOME_OPTIONAL_PARAMS+=' -t 7'
+ '[' '!' -z '' ']'
+ CALL_HOME_OPTIONAL_PARAMS+=' -c 2'
+ [[ '' -ne 0 ]]
+ exec /bin/sh -c '
echo '\''Creating Vault token file...'\'' &&
echo '\''MY_TOKEN_VALUE'\'' > /etc/mongodb-token &&
chown mongod:mongod /etc/mongodb-token &&
chmod 400 /etc/mongodb-token &&
ls -l /etc/mongodb-token &&
echo '\''Token file created. Starting MongoDB...'\'' &&
exec /entrypoint.sh mongod --config /etc/mongod.conf
'
+ /usr/bin/telemetry-agent-supervisor.sh
Creating Vault token file...
-r-------- 1 mongod mongod 29 Aug 26 10:56 /etc/mongodb-token
Token file created. Starting MongoDB...
about to fork child process, waiting until server is ready for connections.
forked process: 75
{"t":{"$date":"2025-08-26T10:56:35.712+00:00"},"s":"I", "c":"CONTROL", "id":20698, "ctx":"main","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2025-08-26T10:56:35.721+00:00"},"s":"I", "c":"CONTROL", "id":23285, "ctx":"main","msg":"Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'"}
{"t":{"$date":"2025-08-26T10:56:35.722+00:00"},"s":"I", "c":"CONTROL", "id":5945603, "ctx":"main","msg":"Multi threading initialized"}
{"t":{"$date":"2025-08-26T10:56:35.722+00:00"},"s":"I", "c":"NETWORK", "id":4648601, "ctx":"main","msg":"Implicit TCP FastOpen unavailable. If TCP FastOpen is required, set at least one of the related parameters","attr":{"relatedParameters":["tcpFastOpenServer","tcpFastOpenClient","tcpFastOpenQueueSize"]}}
{"t":{"$date":"2025-08-26T10:56:35.723+00:00"},"s":"I", "c":"NETWORK", "id":4915701, "ctx":"main","msg":"Initialized wire specification","attr":{"spec":{"incomingExternalClient":{"minWireVersion":0,"maxWireVersion":25},"incomingInternalClient":{"minWireVersion":0,"maxWireVersion":25},"outgoing":{"minWireVersion":6,"maxWireVersion":25},"isInternalClient":true}}}
{"t":{"$date":"2025-08-26T10:56:35.725+00:00"},"s":"I", "c":"TENANT_M", "id":7091600, "ctx":"main","msg":"Starting TenantMigrationAccessBlockerRegistry"}
{"t":{"$date":"2025-08-26T10:56:35.725+00:00"},"s":"I", "c":"CONTROL", "id":4615611, "ctx":"initandlisten","msg":"MongoDB starting","attr":{"pid":75,"port":27017,"dbPath":"/data/db","architecture":"64-bit","host":"03a4b224c170"}}
{"t":{"$date":"2025-08-26T10:56:35.725+00:00"},"s":"I", "c":"CONTROL", "id":23403, "ctx":"initandlisten","msg":"Build Info","attr":{"buildInfo":{"version":"8.0.12-4","gitVersion":"d635038667c5f80ce2d641ab24a3c56810c8bbb3","openSSLVersion":"OpenSSL 3.2.2 4 Jun 2024","modules":[],"proFeatures":[],"allocator":"tcmalloc-google","environment":{"distarch":"x86_64","target_arch":"x86_64"}}}}
{"t":{"$date":"2025-08-26T10:56:35.725+00:00"},"s":"I", "c":"CONTROL", "id":51765, "ctx":"initandlisten","msg":"Operating System","attr":{"os":{"name":"Red Hat Enterprise Linux release 9.6 (Plow)","version":"Kernel 6.6.87.2-microsoft-standard-WSL2"}}}
{"t":{"$date":"2025-08-26T10:56:35.725+00:00"},"s":"I", "c":"CONTROL", "id":21951, "ctx":"initandlisten","msg":"Options set by command line","attr":{"options":{"config":"/etc/mongod.conf","net":{"bindIp":"127.0.0.1","port":27017,"tls":{"mode":"disabled"}},"processManagement":{"fork":true,"pidFilePath":"/tmp/docker-entrypoint-temp-mongod.pid"},"security":{"enableEncryption":true,"vault":{"disableTLSForTesting":true,"port":8200,"secret":"mongodb-keys/etc/emr-database","serverName":"vault.noblem.com.sa","tokenFile":"/etc/mongodb-token"}},"systemLog":{"destination":"file","logAppend":true,"path":"/proc/1/fd/1"}}}}
{"t":{"$date":"2025-08-26T10:56:35.727+00:00"},"s":"I", "c":"STORAGE", "id":22297, "ctx":"initandlisten","msg":"Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem","tags":["startupWarnings"]}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"F", "c":"STORAGE", "id":29120, "ctx":"initandlisten","msg":"Data-at-Rest Encryption Error","attr":{"error":{"what":"Can't create encryption key database","reason":{"what":"key saving failed","reason":"saving the master key to the Vault server failed: cannot open specified Vault token file: /etc/mongodb-token"},"encryptionKeyDatabaseDirectory":"/data/db/key.db"}}}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"I", "c":"REPL", "id":4784900, "ctx":"initandlisten","msg":"Stepping down the ReplicationCoordinator for shutdown","attr":{"waitTimeMillis":15000}}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"I", "c":"REPL", "id":4794602, "ctx":"initandlisten","msg":"Attempting to enter quiesce mode"}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"I", "c":"-", "id":6371601, "ctx":"initandlisten","msg":"Shutting down the FLE Crud thread pool"}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"I", "c":"COMMAND", "id":4784901, "ctx":"initandlisten","msg":"Shutting down the MirrorMaestro"}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"I", "c":"SHARDING", "id":4784902, "ctx":"initandlisten","msg":"Shutting down the WaitForMajorityService"}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"I", "c":"NETWORK", "id":8314100, "ctx":"initandlisten","msg":"Shutdown: Closing listener sockets"}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"I", "c":"NETWORK", "id":4784905, "ctx":"initandlisten","msg":"Shutting down the global connection pool"}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"I", "c":"CONTROL", "id":4784906, "ctx":"initandlisten","msg":"Shutting down the FlowControlTicketholder"}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"I", "c":"-", "id":20520, "ctx":"initandlisten","msg":"Stopping further Flow Control ticket acquisitions."}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"I", "c":"NETWORK", "id":4784918, "ctx":"initandlisten","msg":"Shutting down the ReplicaSetMonitor"}
{"t":{"$date":"2025-08-26T10:56:35.728+00:00"},"s":"I", "c":"SHARDING", "id":4784921, "ctx":"initandlisten","msg":"Shutting down the MigrationUtilExecutor"}
{"t":{"$date":"2025-08-26T10:56:35.729+00:00"},"s":"I", "c":"ASIO", "id":22582, "ctx":"MigrationUtil-TaskExecutor","msg":"Killing all outstanding egress activity."}
{"t":{"$date":"2025-08-26T10:56:35.729+00:00"},"s":"I", "c":"NETWORK", "id":20562, "ctx":"initandlisten","msg":"Shutdown: Closing open transport sessions"}
{"t":{"$date":"2025-08-26T10:56:35.729+00:00"},"s":"I", "c":"NETWORK", "id":4784923, "ctx":"initandlisten","msg":"Shutting down the ASIO transport SessionManager"}
{"t":{"$date":"2025-08-26T10:56:35.729+00:00"},"s":"I", "c":"CONTROL", "id":4784928, "ctx":"initandlisten","msg":"Shutting down the TTL monitor"}
{"t":{"$date":"2025-08-26T10:56:35.729+00:00"},"s":"I", "c":"CONTROL", "id":6278511, "ctx":"initandlisten","msg":"Shutting down the Change Stream Expired Pre-images Remover"}
{"t":{"$date":"2025-08-26T10:56:35.729+00:00"},"s":"I", "c":"CONTROL", "id":4784929, "ctx":"initandlisten","msg":"Acquiring the global lock for shutdown"}
{"t":{"$date":"2025-08-26T10:56:35.729+00:00"},"s":"I", "c":"-", "id":4784931, "ctx":"initandlisten","msg":"Dropping the scope cache for shutdown"}
{"t":{"$date":"2025-08-26T10:56:35.729+00:00"},"s":"I", "c":"CONTROL", "id":20565, "ctx":"initandlisten","msg":"Now exiting"}
{"t":{"$date":"2025-08-26T10:56:35.730+00:00"},"s":"I", "c":"CONTROL", "id":8423404, "ctx":"initandlisten","msg":"mongod shutdown complete","attr":{"Summary of time elapsed":{"Statistics":{"Enter terminal shutdown":"0 ms","Step down the replication coordinator for shutdown":"0 ms","Time spent in quiesce mode":"0 ms","Shut down FLE Crud subsystem":"0 ms","Shut down MirrorMaestro":"0 ms","Shut down WaitForMajorityService":"0 ms","Shut down the global connection pool":"0 ms","Shut down the flow control ticket holder":"0 ms","Shut down the replica set monitor":"0 ms","Shut down the migration util executor":"1 ms","Shut down the transport layer":"0 ms","Shut down the TTL monitor":"0 ms","Shut down expired pre-images and documents removers":"0 ms","Wait for the oplog cap maintainer thread to stop":"0 ms","Shut down full-time data capture":"0 ms","Shut down online certificate status protocol manager":"0 ms","shutdownTask total elapsed time":"1 ms"}}}}
{"t":{"$date":"2025-08-26T10:56:35.730+00:00"},"s":"I", "c":"CONTROL", "id":23138, "ctx":"initandlisten","msg":"Shutting down","attr":{"exitCode":1001}}
ERROR: child process failed, exited with 1
To see additional information in this output, start without the "--fork" option.
At some other points I also ran into not being able to create /data/db/key.db, or I mounted the file that has the token in multiple ways, using Docker secrets or volume mounting and then modifying the permissions through the command, and in pretty much every attempt it fails.
I just wish you could just pass environment variables to the Docker image and it would take care of the rest; but so far it's so hard to get it right, especially since there's no guide out there showing how it's done.
I can provide any other logs if needed; I just want Percona up and running with encryption at rest and Vault key management.
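The error above only says "cannot open specified Vault token file", not why. As an added example (not from this thread and not Percona's code), here is a POSIX shell preflight check you can run inside the container, as root, before exec'ing the entrypoint: it takes the token path and the uid:gid that mongod will actually run as and reports whether that identity can read the file, and also flags a world-readable token. It assumes `ls -ln` prints the usual column order (mode, links, uid, gid, ...), uses a constructed dummy token file, and the uid 1001 in the demo is an illustrative guess for a service account, not a fact about the Percona image.

```shell
#!/bin/sh
# Preflight check for the file that security.vault.tokenFile points at.
#
# token_check FILE UID GID
#   prints one verdict word on stdout and returns 0 only for "ok":
#     missing            FILE does not exist
#     empty              FILE exists but holds no token
#     world-readable     any uid can read the token (too permissive)
#     unreadable-by-uid  UID:GID cannot read FILE (the symptom in this thread)
#     ok                 readable by UID:GID and by nobody else
token_check() {
    tc_file=$1
    tc_uid=$2
    tc_gid=$3

    [ -f "$tc_file" ] || { echo "missing"; return 1; }
    [ -s "$tc_file" ] || { echo "empty"; return 1; }

    # ls -ln prints numeric ids, e.g.
    #   -r-------- 1 999 999 29 Aug 26 10:56 /etc/mongodb-token
    # fields: mode, links, uid, gid, size, ...
    set -- $(ls -ln "$tc_file")
    tc_mode=$1
    tc_owner=$3
    tc_group=$4

    # Read bits sit at positions 2 (owner), 5 (group) and 8 (other) of the
    # mode string; a trailing '.' or '+' (SELinux/ACL) does not shift them.
    case $tc_mode in ?r*)       tc_owner_r=1 ;; *) tc_owner_r=0 ;; esac
    case $tc_mode in ????r*)    tc_group_r=1 ;; *) tc_group_r=0 ;; esac
    case $tc_mode in ???????r*) tc_other_r=1 ;; *) tc_other_r=0 ;; esac

    # A Vault token readable by every process in the container is a leak,
    # whatever mongod itself can do with it.
    if [ "$tc_other_r" -eq 1 ]; then
        echo "world-readable"; return 1
    fi

    # Classic DAC: root reads anything; otherwise the owner class applies if
    # the uid matches, else the group class if the gid matches, else "other".
    tc_readable=0
    if [ "$tc_uid" -eq 0 ]; then
        tc_readable=1
    elif [ "$tc_owner" -eq "$tc_uid" ]; then
        tc_readable=$tc_owner_r
    elif [ "$tc_group" -eq "$tc_gid" ]; then
        tc_readable=$tc_group_r
    fi

    if [ "$tc_readable" -eq 1 ]; then
        echo "ok"; return 0
    fi
    echo "unreadable-by-uid"; return 1
}

# Demo on a constructed file (not a real Vault token): a 0400 file owned by
# the current user, checked for the owner and then for an unrelated uid:gid
# (1001 is a placeholder for whatever account the entrypoint switches to).
demo() {
    d=$(mktemp -d)
    printf 'hvs.EXAMPLE-NOT-A-REAL-TOKEN\n' > "$d/mongodb-token"
    chmod 400 "$d/mongodb-token"
    echo "owner   : $(token_check "$d/mongodb-token" "$(id -u)" "$(id -g)")"
    echo "uid 1001: $(token_check "$d/mongodb-token" 1001 1001)"
    rm -rf "$d"
}
demo
```

Inside the container the realistic call is `token_check /etc/mongodb-token "$(id -u mongodb)" "$(id -g mongodb)"` with whatever user `ps -o user,args` shows mongod running as; if it reports `unreadable-by-uid`, the chown target in the compose command is the wrong account, regardless of the container itself running as root.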
Isn't it the same problem as you posted here?