Documentation #37958
open
Risk: imperceptible permissions & owner change of '/var/run/ceph' results in rgw (with fastcgi frontend) 503 (service unavailable)
Description
Ceph uses systemd to install the directory '/var/run/ceph'; the conf file is '/usr/lib/tmpfiles.d/ceph-common.conf', and the rule is:
d /run/ceph 0777 ceph ceph -
As the doc 'http://docs.ceph.com/docs/kraken/radosgw/config-fcgi/' says:
ADJUST SOCKET DIRECTORY PERMISSIONS
On some distros, the radosgw daemon runs as the unprivileged apache UID, and this UID must have write access to the location where it will write its socket file.
To grant permissions to the default socket location, execute the following on the gateway host:
sudo chown apache:apache /var/run/ceph
In systemd's post-install scripts, there is this command:
systemd-tmpfiles --create >/dev/null 2>&1 || :
After updating the systemd rpm, this command will execute, resulting in the directory (/var/run/ceph)'s owner and group being changed to ceph and its permissions being changed to 0770. apache will then have no permission to access the sock file, and the result is a 503 (service unavailable).
Updated by mingshuai wang about 5 years ago
Sorry, the content of the file '/usr/lib/tmpfiles.d/ceph-common.conf' is 'd /run/ceph 0770 ceph ceph -', not 'd /run/ceph 0777 ceph ceph -'.
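
Added example (not part of the original report, and not Ceph or systemd code): a pre-flight check that compares the tmpfiles.d rule for a directory with the directory's current mode and ownership, so that a manual chown which the next `systemd-tmpfiles --create` would reset is noticed beforehand. The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from Ceph or systemd.
# Limitation: rules that use '-' (defaults) for mode/user/group are not handled.

# rule_for PATH FILE: print "mode user group" from the first 'd'/'D' line
# for PATH in one tmpfiles.d file, e.g. "d /run/ceph 0770 ceph ceph -".
rule_for() {
    awk -v p="$1" '($1 == "d" || $1 == "D") && $2 == p && !seen {
        print $3, $4, $5; seen = 1 }' "$2"
}

# Strip leading zeros so the rule's "0770" compares equal to stat's "770".
norm_mode() { printf '%s\n' "$1" | sed 's/^0*//'; }

# compare_rule "RULE mode user group" "ACTUAL mode user group"
# Returns 0 when they agree, 1 (with a message) when they differ.
compare_rule() {
    set -- $1 $2    # split both triples into $1..$6
    want=$(norm_mode "$1"); have=$(norm_mode "$4")
    if [ "$want" = "$have" ] && [ "$2" = "$5" ] && [ "$3" = "$6" ]; then
        return 0
    fi
    echo "DRIFT: rule sets $1 $2:$3, directory is $4 $5:$6;" \
         "the next 'systemd-tmpfiles --create' will reset it"
    return 1
}

# check_dir FILE PATH: compare the rule with the live directory.
# PATH must be spelled as in the rule (/run/ceph, not /var/run/ceph).
check_dir() {
    rule=$(rule_for "$2" "$1")
    [ -n "$rule" ] || { echo "no d/D rule for $2 in $1"; return 2; }
    actual=$(stat -c '%a %U %G' "$2") || return 2   # GNU stat assumed
    compare_rule "$rule" "$actual"
}

# Usage: sh check.sh /usr/lib/tmpfiles.d/ceph-common.conf /run/ceph
if [ "$#" -eq 2 ]; then
    check_dir "$1" "$2"
fi
```

Run after any manual ownership change on the gateway host; a DRIFT line means the change lives only on disk and not in the tmpfiles.d rule.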