Ceph » rgw

same error if I explicitly set port 443, i.e ssl_endpoint = 0.0.0.0:443 or the localIP:443

It may be that you are doing setuid()/setgid() or seteuid()/setegid() before bind(), which would preclude you from binding to a port < 1024. Normally radosgw runs s ceph:ceph after starting up.

If I run it by hand (not systemctl) with ssl_endpoint=0.0.0.0 (so it uses 443 by default):

/usr/bin/radosgw -f --cluster ceph --name client.rgw.server-name --setuser root --setgroup root

It binds to port 443 and starts up, which leads me to think that the setuid() is in the wrong place.

radosgw is expected to /start/ as a privileged user to bind these ports, and then setuid to a non-privileged user. for example, systemd will run it as root and setuid to 'ceph'. we bind ports before the setuid to make this work

Thanks Casey, exactly my point.

When I run it from systemd, it cannot bind to 443 if I have ssl_endpoint set to use 443. If I run it by hand as I specified, it works fine. If I set ssl_endpoint to use 7480, that works too in systemd. Thus it appears you are doing bind() after setuid() or seteuid(), as systemd has it configured to run with --setuser ceph and --setgroup ceph

Not sure what broke there. Radosgw hasn't changed any of this setuid code in either beast or civetweb. We have test coverage that runs radosgw as root with '--setuid ceph --setgid ceph', and it succeeds in binding ports 80 and 443.

I've now verified this with 15.2.0 as well, (currently available on download.ceph.com, on two separate centos8.1 installations

If I disable systemd and run it by hand as follows as root....

1. /usr/bin/radosgw -f --cluster ceph --name client-rgw.servername --setuser ceph --setgroup ceph

It immediately comes back with:

-1 failed to bind address a.b.c.d:443 : Permission denied
-1 ERROR: failed initializing frontend

This is with ceph.conf having:

[client.rgw,servername]
host = servername
rgw frontends = beast ssl_endpoint=a.b.c.d ssl_certificate=.....

If I add :7480 to the above line in ceph,conf, all is well

I've gotten around this for now by adding a local port redirect from 443 to 7480

I agree that I may have done something silly, but this doesn't make sense

I see this change in Ceph RadosGW behavior on Ubuntu too, bug reference: https://bugs.launchpad.net/ceph/+bug/1869324

https://github.com/ceph/ceph/commit/e28718eaa18e49c770db45820b591088ea92846b moves the creation of the global ceph context to before the determination of the frontend for the rgw so the flag that defers the privileged drop in the context setup is not set at the right point in time:

https://github.com/ceph/ceph/blob/master/src/rgw/rgw_main.cc#L234

so privs are dropped before the frontend has been determined and the appropriate defer flag set.