You need MongoDB and the default repos fall short
You just installed Fedora 40 and your application requires MongoDB. You run dnf install mongodb and get No match for argument: mongodb. You find a tutorial telling you to download a tarball from the MongoDB website and extract it to /opt. That approach breaks package management, bypasses SELinux policies, and leaves you with no automatic updates. You need a working database that integrates with dnf, respects Fedora's security model, and updates cleanly.
How the repository and service model work
Fedora's default repositories contain packages that align with the Fedora release cycle and licensing guidelines. MongoDB releases frequently and uses a license that requires a separate repository. The official MongoDB repository provides RPMs signed by MongoDB's GPG key. Adding this repository allows dnf to manage MongoDB alongside the rest of your system.
SELinux enforces mandatory access control on Fedora. If MongoDB tries to write to a directory with the wrong security context, the kernel blocks the operation. The default installation sets the correct context for /var/lib/mongodb. If you change the data directory or move files, you must restore the context or SELinux will deny access.
Firewalld blocks incoming connections by default. MongoDB listens on port 27017. You must open this port in the firewall configuration to allow clients to connect. The firewall distinguishes between runtime rules and persistent rules. Changes made with --permanent survive a reboot but do not apply until you reload the firewall.
Trust the GPG key. If the signature fails, the package is corrupted or tampered with.
Install the repository and packages
Here's how to add the official MongoDB repository so dnf can find the correct packages.
sudo tee /etc/yum.repos.d/mongodb-org-8.0.repo > /dev/null <<EOF
[mongodb-org-8.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/8.0/\$basearch/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-8.0.asc
EOF
The tee command writes the heredoc to the file as root without opening an editor. The $releasever variable expands automatically to your current Fedora version. The gpgcheck flag ensures dnf validates package signatures before installation. The gpgkey line points to the public key MongoDB uses to sign their RPMs. Repository files belong in /etc/yum.repos.d. This is the standard location for all third-party sources.
Here's how to install the meta-package and enable the service to start on boot.
sudo dnf install mongodb-org -y
sudo systemctl enable --now mongod
The mongodb-org package is a meta-package that pulls in the server, shell, and tools in one transaction. The enable --now flag starts the service immediately and registers it to start at boot. This is the standard pattern for enabling daemons on Fedora.
Run dnf upgrade --refresh weekly to keep the repository metadata current. The --refresh flag forces dnf to check for new package versions instead of using cached data.
Configure the firewall and SELinux
Here's how to open the default MongoDB port in firewalld so clients can connect.
sudo firewall-cmd --permanent --add-port=27017/tcp
sudo firewall-cmd --reload
The --permanent flag saves the rule to the persistent configuration file. The --reload command applies the permanent rules to the running firewall. Without the reload, the runtime configuration and persistent configuration diverge. Always reload after adding or removing rules.
Here's how to verify SELinux contexts on the data directory to prevent access denials.
ls -Z /var/lib/mongodb
sudo restorecon -Rv /var/lib/mongodb
The ls -Z command shows the SELinux security context attached to files. The restorecon command resets contexts to the defaults defined in the policy files. If you moved the data directory or copied files from another location, the context might be wrong. restorecon reads the policy database and fixes the labels automatically.
Read the denial in journalctl -t setroubleshoot before disabling SELinux. The context fix takes ten seconds. The security hole lasts forever.
Verify the installation
Here's how to confirm the daemon is running and the shell can query the database version.
systemctl status mongod
mongosh --eval "db.version()"
The status command shows the active state and recent log lines from the unit. The mongosh command connects to the local instance and runs the JavaScript expression. A successful connection returns the version string, such as 8.0.5.
Check systemctl status before restarting the service. The status output tells you if the service is already running or if it failed recently.
Here's how to check the journal for detailed logs if the service fails to start.
journalctl -xeu mongod
The -x flag adds explanatory text to error messages. The -e flag jumps to the end of the log. The -u flag filters for the mongod unit. This combination gives you the most relevant context for debugging service failures.
Run mongosh to confirm the connection. A running service is useless if the shell can't talk to it.
Common pitfalls and error messages
If you see Error: GPG check FAILED during installation, the repository key is missing or the package signature is invalid. Verify the gpgkey URL in the repo file matches the official MongoDB documentation. Do not disable GPG checking to bypass this error.
If mongod fails to start, check the journal for Permission denied errors. This usually indicates a SELinux context issue or incorrect file ownership. Run restorecon -Rv /var/lib/mongodb to fix the context. Check the ownership with ls -ld /var/lib/mongodb. The directory should be owned by mongod:mongod.
If your application cannot connect but mongosh works locally, the firewall is blocking the connection. Verify the port is open with firewall-cmd --list-ports. If the port is missing, add it and reload the firewall.
If you change the configuration file, the service does not pick up the changes until you restart. Edit /etc/mongod.conf to modify settings. Never edit files in /usr/lib/. Those files ship with the package and get overwritten on updates. Changes in /etc/ persist across upgrades.
Here's how to allow remote connections by modifying the bind address in the configuration file.
# /etc/mongod.conf
net:
bindIp: 0.0.0.0
The bindIp setting controls which network interfaces the daemon listens on. The default is 127.0.0.1, which restricts access to localhost only. Setting bindIp to 0.0.0.0 allows connections from any interface. This exposes the database to the network. Ensure authentication is enabled and the firewall restricts access to trusted hosts before making this change.
Check journalctl -xeu mongod. The error message tells you exactly what went wrong.
Choose your deployment method
Use the official MongoDB repository when you need the latest stable release and standard package management. Use a container runtime like Podman when you want isolation and easy rollback without touching host packages. Use the Fedora Copr repository when you need a specific version that the official repo hasn't packaged yet and you trust the maintainer. Stay on the default Fedora packages only if you can accept an older version that matches the Fedora release cycle.
Choose the tool that matches your deployment risk. Containers isolate. Packages integrate.