Bug #11453

run RGW as root

Added by Ken Dreyer over 3 years ago. Updated 7 months ago.

Status: Rejected
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 04/22/2015
Due date:
% Done: 0%
Source: other
Tags:
Backport: firefly,hammer
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

There are rumors on the ceph-users mailing list that the ceph-radosgw service fails to start if the httpd package is not installed. This is because the init.d file attempts to start the RGW process with the "apache" UID. If a user is running civetweb, there is no reason for the httpd package to be present on the system.

We should switch the init script to use "root" as is done on Debian/Ubuntu.

Version-Release number of selected component: ceph-0.94.1

See http://lists.ceph.com/pipermail/ceph-users-ceph.com/2015-April/000257.html

Associated revisions

Revision 47339c5a (diff)
Added by Ken Dreyer over 3 years ago

init-radosgw: run RGW as root

The ceph-radosgw service fails to start if the httpd package is not
installed. This is because the init.d file attempts to start the RGW
process with the "apache" UID. If a user is running civetweb, there is
no reason for the httpd or apache2 package to be present on the system.

Switch the init scripts to use "root" as is done on Ubuntu.

http://tracker.ceph.com/issues/11453 Refs: #11453

Reported-by: Vickey Singh <>
Signed-off-by: Ken Dreyer <>

Revision f30fa4a3 (diff)
Added by Ken Dreyer over 3 years ago

init-radosgw: run RGW as root

The ceph-radosgw service fails to start if the httpd package is not
installed. This is because the init.d file attempts to start the RGW
process with the "apache" UID. If a user is running civetweb, there is
no reason for the httpd or apache2 package to be present on the system.

Switch the init scripts to use "root" as is done on Ubuntu.

http://tracker.ceph.com/issues/11453 Refs: #11453

Reported-by: Vickey Singh <>
Signed-off-by: Ken Dreyer <>
(cherry picked from commit 47339c5ac352d305e68a58f3d744c3ce0fd3a2ac)

Revision a71f3091 (diff)
Added by Ken Dreyer over 3 years ago

init-radosgw: run RGW as root

The ceph-radosgw service fails to start if the httpd package is not
installed. This is because the init.d file attempts to start the RGW
process with the "apache" UID. If a user is running civetweb, there is
no reason for the httpd or apache2 package to be present on the system.

Switch the init scripts to use "root" as is done on Ubuntu.

http://tracker.ceph.com/issues/11453 Refs: #11453

Reported-by: Vickey Singh <>
Signed-off-by: Ken Dreyer <>
(cherry picked from commit 47339c5ac352d305e68a58f3d744c3ce0fd3a2ac)

History

#1 Updated by Ken Dreyer over 3 years ago

  • Status changed from New to In Progress
  • Assignee set to Ken Dreyer
  • Backport set to firefly,hammer

#2 Updated by Ken Dreyer over 3 years ago

  • Status changed from In Progress to Need Review

#4 Updated by Loic Dachary over 3 years ago

  • Status changed from Need Review to Pending Backport

#6 Updated by Guilhem Lettron over 3 years ago

Sorry but running RGW as root isn't a good option.
We have many problems with Chef Cookbook about radosgw user consistency between packages/distributions.

What I suggest is to run rgw with its own user/group. It adds flexibility and security that people want (apache user can be added in "rgw" group).

I can add work for debian* packaging but it can break some behavior, for example we have to use a specific directory for logs.
Here is an example of work we have to do in Chef Cookbook that I want to remove and push in packages: https://github.com/ceph/ceph-cookbook/commit/0845115b52d355e4c81eca149c81afafabdfb698

I'm available to discuss more about it, but it's a real and important question to answer (and using root is a quick and dirty solution).

#7 Updated by Ken Dreyer over 3 years ago

  • Regression set to No

Hi Guilhem,

You're right that running as root is not a good solution.

With the transition to civetweb, there is no longer a reason for the Apache package (httpd RPM, or apache2 DEB) to be present on the system, so the Apache UID ("apache" on RPM, "www-data" on Debian) is probably not going to be available going forward.

We really want to get away from running daemons as root in Ceph overall. There is a work-in-progress branch in GitHub called "wip-user" here: https://github.com/ceph/ceph/tree/wip-user . At the moment we are working with the distros to get static UIDs allocated for Ceph (eg. Fedora is here, https://fedorahosted.org/fpc/ticket/524, and there's an equivalent post to the SUSE and Debian lists archived somewhere). My plan is that we'll run all the Ceph daemons under this UID.

You're right that those items you linked in Chef really ought to be done in the packaging itself. My hope is that we can fix those things when wip-user gets closer to merging into the master branch.

#8 Updated by Ken Dreyer over 3 years ago

For reference, the issue that tracks running RGW (and the other daemons) as the new "ceph" unprivileged UID is #9133

#9 Updated by Loic Dachary over 3 years ago

  • Status changed from Pending Backport to Resolved

#10 Updated by Nathan Cutler over 3 years ago

commit:a71f309 init-radosgw: run RGW as root (in firefly), commit:f30fa4a init-radosgw: run RGW as root (in hammer)

#11 Updated by Tim Serong over 3 years ago

If RGW runs as the "ceph" user, then that process could theoretically read/write raw data on the OSDs if it were possible to exploit somehow. Mightn't it be safer to leave it running as the 'www' user, but have that user created automatically when RGW is installed, if it doesn't already exist?
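The following is an added example, not Ceph's init-radosgw script and not code proposed by anyone on this ticket. It shows the check the description (start-up fails because the "apache" UID is absent), Guilhem's dedicated-user proposal in #6 and Tim's suggestion in #11 all point at: resolve the run-as account from a preference list at start time, create a locked system account if none of the candidates exists, and never fall back to root silently. The candidate order (ceph, www-data, apache), the radosgw command-line flags and the use of getent(1), useradd(8) and runuser(1) are assumptions for illustration only.

```sh
#!/bin/sh
# Added example (not Ceph's init-radosgw): pick the UID an init script
# drops to instead of hard-coding "apache" or "root".
# Assumed tools: getent(1), useradd(8), runuser(1). Candidate account
# names and radosgw flags are illustrative, not Ceph's real defaults.

# Return 0 if the named account exists in the passwd database.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print the first candidate account that exists, in preference order.
# "root" is skipped on purpose: it is never a silent fallback here.
resolve_rgw_user() {
    for candidate in "$@"; do
        if [ "$candidate" = root ]; then
            continue
        fi
        if user_exists "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Create a shell-less, home-less system account for the daemon if it is
# missing (Tim's "create it automatically on install" idea). Needs root;
# fails with a clear message instead of a cryptic "user not found" later.
ensure_rgw_user() {
    name=$1
    if user_exists "$name"; then
        printf '%s\n' "$name"
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "ensure_rgw_user: not root, cannot create '$name'" >&2
        return 1
    fi
    useradd --system --no-create-home --shell /sbin/nologin "$name" || return 1
    printf '%s\n' "$name"
}

# Build (but do not execute) the start command so the chosen UID is visible
# and testable. runuser is one way to drop privileges from an init script.
rgw_start_cmd() {
    run_as=$1
    shift
    printf 'runuser -u %s -- /usr/bin/radosgw %s\n' "$run_as" "$*"
}

# Demo: prefer a dedicated "ceph" account, then the web-server accounts.
# Aborting here is the desired failure mode; the ticket's symptom is the
# daemon failing later because the hard-coded UID does not exist.
main() {
    run_as=$(resolve_rgw_user ceph www-data apache) || {
        echo "no unprivileged account found; create one, e.g. useradd --system ceph" >&2
        return 1
    }
    rgw_start_cmd "$run_as" -n client.radosgw.gateway
}

# Run the demo when executed; a failure only prints the message above.
main || :
```

Under the assumptions above, the script prints a runuser line for the first existing candidate, and on a host with none of them it exits with a message naming the missing account rather than starting as root; the only way to run as root is to pass it explicitly to rgw_start_cmd, which makes that choice visible in the script rather than implicit in a missing package.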

#12 Updated by Nathan Cutler over 3 years ago

  • Status changed from Resolved to Feedback

#13 Updated by Nathan Cutler over 3 years ago

Adding to what Tim said, changing this to root in firefly might cause trouble in firefly-based production installations that are already committed to apache.

#14 Updated by Ken Dreyer over 3 years ago

What sort of problems do you picture occurring when switching from an unprivileged www UID to root in firefly?

#15 Updated by Sage Weil 7 months ago

  • Status changed from Feedback to Rejected