Documentation #37958

open

Risk: imperceptible permissions & owner change of '/var/run/ceph' results in rgw (with fastcgi frontend) 503 (service unavailable)

Added by mingshuai wang about 5 years ago. Updated about 5 years ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
% Done: 0%

Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

Ceph uses systemd to create the directory '/var/run/ceph'. The conf file is '/usr/lib/tmpfiles.d/ceph-common.conf', and the rule is:

d /run/ceph 0777 ceph ceph -

As the doc 'http://docs.ceph.com/docs/kraken/radosgw/config-fcgi/' says:

ADJUST SOCKET DIRECTORY PERMISSIONS
On some distros, the radosgw daemon runs as the unprivileged apache UID, and this UID must have write access to the location where it will write its socket file.
To grant permissions to the default socket location, execute the following on the gateway host:
sudo chown apache:apache /var/run/ceph

In systemd's post-install scripts, there is a command:

systemd-tmpfiles --create >/dev/null 2>&1 || :

After updating the systemd rpm, this command executes, which results in the owner and group of the directory (/var/run/ceph) being changed to ceph and the permissions being changed to 0770. Apache then has no permission to access the sock file, and we get 503 (service unavailable).

Actions #1

Updated by mingshuai wang about 5 years ago

Sorry, the content of file '/usr/lib/tmpfiles.d/ceph-common.conf' is 'd /run/ceph 0770 ceph ceph -', not 'd /run/ceph 0777 ceph ceph -'.

Actions #2

Updated by Greg Farnum about 5 years ago

  • Project changed from Ceph to rgw
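
An added example, not part of the original report or of Ceph: a small pre-upgrade check that reads the tmpfiles.d `d` rule quoted in the report and tells whether a given service account would still have write access to the socket directory once `systemd-tmpfiles --create` re-applies it. The function names and the sample file are constructed for illustration; it assumes a plain octal mode field and does not consider root or ACLs.

```shell
#!/bin/sh
# Added example (hypothetical helper names): predict the effect of a
# tmpfiles.d 'd' rule on a service account's write access.

# Print "mode user group" of the d/D rule for path $1 in tmpfiles.d file $2.
tmpfiles_rule() {
    awk -v p="$1" '($1 == "d" || $1 == "D") && $2 == p { print $3, $4, $5; exit }' "$2"
}

# Return 0 if user $1 is a member of group $2 (unknown users have no groups).
in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Return 0 if user $1 may write to a directory with mode $2, owner $3, group $4.
# Follows the usual order: owner bits, else group bits, else other bits.
can_write() {
    if [ "$1" = "$3" ]; then bit=0200
    elif in_group "$1" "$4"; then bit=0020
    else bit=0002
    fi
    [ $(( 0$2 & $bit )) -ne 0 ]
}

# Audit conf file $1 for directory $2 and service user $3.
audit_socket_dir() {
    rule=$(tmpfiles_rule "$2" "$1")
    [ -n "$rule" ] || { echo "no d rule for $2 in $1"; return 2; }
    mode=${rule%% *}; rest=${rule#* }; owner=${rest%% *}; group=${rest#* }
    if can_write "$3" "$mode" "$owner" "$group"; then
        echo "OK: $3 keeps write access to $2 ($mode $owner:$group)"
    else
        echo "RISK: $3 loses write access to $2 when systemd-tmpfiles --create applies $mode $owner:$group"
        return 1
    fi
}

# Constructed sample: the corrected rule from comment #1 of the report.
conf=$(mktemp)
printf '%s\n' '# constructed sample' 'd /run/ceph 0770 ceph ceph -' > "$conf"
audit_socket_dir "$conf" /run/ceph apache || :
audit_socket_dir "$conf" /run/ceph ceph || :
rm -f "$conf"
```

On a real gateway host the first argument would be '/usr/lib/tmpfiles.d/ceph-common.conf', the file named in the report.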