radosgw can't bind to reserved port (443)
Using ceph-radosgw from http://download.ceph.com/rpm-octopus/el8/x86_64/ceph-radosgw-15.1.1-0.el8.x86_64.rpm on CentOS 8.1.
I have the following setup in /etc/ceph/ceph.conf for radosgw:
host = node1
rgw frontends = beast ssl_endpoint=0.0.0.0 ssl_certificate=/etc/ceph/cert.pem
The gateway does not start up. I have, in the log (debug rgw = 20), the following:
2020-03-17T14:10:11.249-0400 7f96f9c4e280 -1 failed to bind address 0.0.0.0:443: Permission denied
If I change to a port > 1024, such as:
rgw frontends = beast ssl_endpoint=0.0.0.0:7480 ssl_certificate=/etc/ceph/cert.pem
That works fine.
Same error if I use the local IP address in ssl_endpoint instead of 0.0.0.0. The same error occurs if I use civetweb instead.
This has worked fine on earlier releases with the exact same configuration file.
No, nothing else is running on 443 :-).
selinux is ceph-selinux-15.1.1-0.el8.x86_64 from the same repo, if that matters.
#2 Updated by Chris Durham 6 days ago
It may be that you are doing setuid()/setgid() or seteuid()/setegid() before bind(), which would preclude you from binding to a port < 1024. Normally radosgw runs as ceph:ceph after starting up.
If I run it by hand (not systemctl) with ssl_endpoint=0.0.0.0 (so it uses 443 by default):
/usr/bin/radosgw -f --cluster ceph --name client.rgw.server-name --setuser root --setgroup root
It binds to port 443 and starts up, which leads me to think that the setuid() is in the wrong place.
#5 Updated by Chris Durham 6 days ago
Thanks Casey, exactly my point.
When I run it from systemd, it cannot bind to 443 if I have ssl_endpoint set to use 443. If I run it by hand as I specified, it works fine. If I set ssl_endpoint to use 7480, that works too in systemd. Thus it appears you are doing bind() after setuid() or seteuid(), as systemd has it configured to run with --setuser ceph and --setgroup ceph.
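
The three observations in this thread (443 fails as ceph, 7480 works as ceph, 443 works as root) follow from one Linux rule, shown here as an added diagnostic that is not part of the tracker discussion or of Ceph's code. It assumes Linux: bind() to a nonzero port below the net.ipv4.ip_unprivileged_port_start sysctl needs CAP_NET_BIND_SERVICE in the effective set, and the kernel clears that set when a process calls setuid() from root to a non-root user. The function names parse_cap_eff and bind_allowed are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_NET_BIND_SERVICE_BIT 10 /* CAP_NET_BIND_SERVICE in <linux/capability.h> */

/* Find the "CapEff:" line in /proc/<pid>/status text; 0 on success, -1 if absent. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    const char *p = status;
    while (p && *p) {
        unsigned long long v;
        if (strncmp(p, "CapEff:", 7) == 0 && sscanf(p + 7, "%llx", &v) == 1) {
            *mask = v;
            return 0;
        }
        p = strchr(p, '\n'); /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Returns 1 if the kernel would permit the bind, 0 if it would fail with
 * EACCES ("Permission denied"). Port 0 (ephemeral) is always permitted. */
int bind_allowed(unsigned port, unsigned unpriv_start, uint64_t cap_eff)
{
    if (port == 0 || port >= unpriv_start)
        return 1;
    return (int)((cap_eff >> CAP_NET_BIND_SERVICE_BIT) & 1);
}

/* Report what the calling process could bind right now. */
int main(void)
{
    char status[8192] = {0};
    uint64_t caps = 0;
    unsigned start = 1024; /* kernel default, used if the sysctl is unreadable */
    FILE *f = fopen("/proc/self/status", "r");
    if (!f || fread(status, 1, sizeof status - 1, f) == 0 || parse_cap_eff(status, &caps))
        return 2;
    fclose(f);
    if ((f = fopen("/proc/sys/net/ipv4/ip_unprivileged_port_start", "r"))) {
        if (fscanf(f, "%u", &start) != 1) start = 1024;
        fclose(f);
    }
    printf("CapEff=%016llx 443:%s 7480:%s\n", (unsigned long long)caps,
           bind_allowed(443, start, caps) ? "ok" : "EACCES",
           bind_allowed(7480, start, caps) ? "ok" : "EACCES");
    return 0;
}
```

Running the compiled program once as root and once as the service user shows the effective capability mask on each side of the privilege drop.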