The latest articles on DEV Community by Seangles (@seangles). https://dev.to/seangles https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3780601%2F937fcf38-9492-4e4e-94dc-eea6900e645e.jpg https://dev.to/seangles en Seangles Mon, 16 Mar 2026 21:58:58 +0000 https://dev.to/seangles/the-30-second-death-a-memoir-3gc https://dev.to/seangles/the-30-second-death-a-memoir-3gc <blockquote> <p>A true story about a database that died on a schedule, a developer who tried everything, and a CPU security feature nobody told anyone about.</p> </blockquote> <p>My database kept dying. Every. Thirty. Seconds.</p> <p>Not crashing with an error. Not leaving a note. Just... gone. Exit code 139. No explanation. No apology.</p> <p>I checked the logs. MongoDB had started successfully. Recovered from the previous unclean shutdown. Accepted connections. Everything looked fine.</p> <p>Then it died.</p> <h2> Act I: Blame the Obvious Thing </h2> <p><strong>Me:</strong> Why is the DB crashing?</p> <p><strong>MongoDB:</strong> <em>dies</em></p> <p><strong>Me:</strong> Okay, unclean shutdown, probably just needs to recover—</p> <p><strong>MongoDB:</strong> <em>recovers successfully, then dies again</em></p> <p>I did what any reasonable engineer does. I blamed the obvious thing.</p> <p>"It's <code>mongo:latest</code>," I said confidently. "Never trust <code>latest</code>." I pinned the version. <code>mongo:8.0.14-noble</code>. Stable. Specific. Professional.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">mongo:8.0.14-noble</span> </code></pre> </div> <p><strong>MongoDB:</strong> <em>dies at exactly 30 seconds</em></p> <h2> Act II: Disable Everything </h2> <p>Fine. The diagnostics collector — FTDC. It reads <code>/proc</code> files in the background. Kernel 6.19 is brand new. Maybe something changed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">command</span><span class="pi">:</span> <span class="s">mongod --setParameter diagnosticDataCollectionEnabled=false</span> </code></pre> </div> <p><strong>MongoDB:</strong> <em>dies at exactly 30 seconds</em></p> <p>Seccomp, then. Docker's syscall filter. A classic gotcha. I ran the container with <code>--security-opt seccomp=unconfined</code>, essentially handing it a skeleton key to the entire kernel.</p> <p><strong>MongoDB:</strong> <em>dies at exactly 30 seconds</em></p> <p>The audacity.</p> <h2> Act III: The Nuclear Option </h2> <p>At this point I had one move left: <code>mongo:7</code>. Downgrade. Accept defeat. Move on with my life.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">mongo:7</span> </code></pre> </div> <p><strong>MongoDB 7:</strong> <em>reads the data files MongoDB 8 wrote</em></p> <p><strong>MongoDB 7:</strong> these are not my files</p> <p><strong>MongoDB 7:</strong> <em>exits with code 62</em></p> <p>Two databases. Zero working. Outstanding.</p> <h2> Act IV: The Internet Knows </h2> <p>I went searching. I found <a href="https://github.com/Sky1-Linux/linux-sky1/issues/15" rel="noopener noreferrer">a GitHub issue</a> titled:</p> <blockquote> <p><em>"[arm64] MongoDB 8.x crashes ~30s after startup on 6.19.0-sky1-latest.r5"</em></p> </blockquote> <p>ARM64. I am on x86_64. I kept reading anyway.</p> <p>Then, buried in <a href="https://www.findbugzero.com/operational-defect-database/vendors/mongodb/defects/3392546" rel="noopener noreferrer">a bug report</a>, the answer:</p> <blockquote> <p><em>"SIGSEGV exactly 30s after start on AMD Zen 5 due to hardware Shadow Stacks (user_shstk) clashing with coroutines."</em></p> </blockquote> <h2> The Actual Explanation (I Promise It Makes Sense) </h2> <p>Let me walk you through what actually happened here, because I need you to appreciate the full chain of events.</p> <p><strong>Intel</strong> invented a security feature called <strong>Control-flow Enforcement Technology (CET)</strong>. The idea: add a second, hardware-enforced call stack that runs in parallel with the normal one. Every time a function returns, the CPU checks that the return address matches what the shadow stack recorded. Exploits that hijack return addresses — like ROP chains — get caught at the hardware level before they can do anything. It's genuinely clever engineering.</p> <p><strong>AMD</strong> implemented it too, under the name <strong>Shadow Stacks</strong>.</p> <p><strong>Linux kernel 6.19</strong> decided to <strong>enable it by default</strong> for user processes.</p> <p>Now. <strong>MongoDB 8.0</strong> uses coroutines. Coroutines do context switching by manually swapping stack pointers — they save the current stack state and jump to a different one. This is a completely normal thing coroutines do.</p> <p>The shadow stack looked at this manual stack swap and said:</p> <blockquote> <p><em>"That return address does not match what I recorded. This is a security violation."</em></p> </blockquote> <p>Then it fired a <code>SIGSEGV</code>. Signal 11. Exit code 139.</p> <p>After exactly 30 seconds — the interval at which MongoDB's coroutine scheduler runs a particular background task.</p> <p>Every time. Like clockwork.</p> <h2> The Fix </h2> <p>One line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">environment</span><span class="pi">:</span> <span class="na">GLIBC_TUNABLES</span><span class="pi">:</span> <span class="s">glibc.cpu.hwcaps=-SHSTK</span> </code></pre> </div> <p>This tells glibc to disable Shadow Stacks for the process before it starts. MongoDB's coroutines do their stack swaps unmolested. The database lives.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Status: running, ExitCode: 0, Restarts: 0 </code></pre> </div> <h2> Post-Mortem </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th></th> </tr> </thead> <tbody> <tr> <td><strong>Time spent</strong></td> <td>too long</td> </tr> <tr> <td><strong>Lines of code changed</strong></td> <td>1</td> </tr> <tr> <td><strong>Red herrings investigated</strong></td> <td> <code>mongo:latest</code> tag, FTDC, Docker seccomp, data file incompatibility</td> </tr> <tr> <td><strong>Actual cause</strong></td> <td>AMD Zen 5 + Linux 6.19 + CET Shadow Stacks + MongoDB coroutines</td> </tr> <tr> <td><strong>What I should have searched first</strong></td> <td>literally anything other than what I searched</td> </tr> </tbody> </table></div> <h2> Takeaway </h2> <p>If you're running <strong>MongoDB 8.0</strong> in Docker on a <strong>Linux 6.19+ kernel</strong> with a <strong>newer AMD CPU</strong> and your container dies silently every ~30 seconds with exit code 139 — this is your fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">environment</span><span class="pi">:</span> <span class="na">GLIBC_TUNABLES</span><span class="pi">:</span> <span class="s">glibc.cpu.hwcaps=-SHSTK</span> </code></pre> </div> <p>You're welcome. I suffered so you don't have to.</p> <p><em>Dedicated to everyone who has ever watched a container die on a 30-second interval and felt their personality change. Yes the article is written with the help of an LLM. I spent too much time on this already, it's genuinely one of the weirdest issues of the month that I faced :p</em></p> mongodb linux devops database