
Bug #44661

radosgw can't bind to reserved port (443)

Added by Chris Durham 15 days ago. Updated 6 days ago.

Status: Triaged
Priority: Normal
Assignee: -
Target version:
% Done: 0%
Source: Community (user)
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

Using ceph-radosgw from http://download.ceph.com/rpm-octopus/el8/x86_64/ceph-radosgw-15.1.1-0.el8.x86_64.rpm on CentOS 8.1

I have the following setup in /etc/ceph/ceph.conf for radosgw:

[client.rgw.node1]
host = node1
rgw frontends = beast ssl_endpoint=0.0.0.0 ssl_certificate=/etc/ceph/cert.pem

The gateway does not start up. I have, in the log (debug rgw = 20), the following:

2020-03-17T14:10:11.249-0400 7f96f9c4e280 -1 failed to bind address 0.0.0.0:443: Permission denied

If I change to a port > 1024, such as:

rgw frontends = beast ssl_endpoint=0.0.0.0:7480 ssl_certificate=/etc/ceph/cert.pem

That works fine.

Same error if I use the local IP address in ssl_endpoint instead of 0.0.0.0. The same error occurs if I use civetweb instead.

This has worked fine on earlier releases with the exact same configuration file.

No, nothing else is running on 443 :-).

selinux is ceph-selinux-15.1.1-0.el8.x86_64 from the same repo if that matters

History

#1 Updated by Chris Durham 15 days ago

Same error if I explicitly set port 443, i.e. ssl_endpoint = 0.0.0.0:443 or the local IP:443.

#2 Updated by Chris Durham 6 days ago

It may be that you are doing setuid()/setgid() or seteuid()/setegid() before bind(), which would preclude you from binding to a port < 1024. Normally radosgw runs as ceph:ceph after starting up.

If I run it by hand (not systemctl) with ssl_endpoint=0.0.0.0 (so it uses 443 by default):

/usr/bin/radosgw -f --cluster ceph --name client.rgw.server-name --setuser root --setgroup root

It binds to port 443 and starts up, which leads me to think that the setuid() is in the wrong place.

#3 Updated by Casey Bodley 6 days ago

radosgw is expected to /start/ as a privileged user to bind these ports, and then setuid to a non-privileged user. For example, systemd will run it as root and setuid to 'ceph'. We bind ports before the setuid to make this work.
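The ordering Casey describes (bind while still privileged, then drop to an unprivileged user) is the general pattern for any daemon that listens below port 1024, and the reporter's symptom is exactly what the reversed order produces. The following is an added illustration written for this page, not radosgw's own code: it binds every endpoint first, then does setgid/setuid, and it reports the bind failure in the same form as the log line in the description. The user and group names "ceph"/"ceph", the endpoint list, and the helper names are assumptions for the example. The privileged-port threshold is read from the Linux sysctl net.ipv4.ip_unprivileged_port_start, which defaults to 1024; this matters because a non-root radosgw would also succeed on 443 on a host where that sysctl has been lowered, which can mask the ordering bug.

```python
import errno
import grp
import os
import pwd
import socket
import sys

# Linux default: ports below this need root or CAP_NET_BIND_SERVICE.
DEFAULT_UNPRIVILEGED_PORT_START = 1024


def unprivileged_port_start():
    """First port a non-root process may bind; honours the Linux sysctl
    net.ipv4.ip_unprivileged_port_start, falling back to 1024 elsewhere."""
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return DEFAULT_UNPRIVILEGED_PORT_START


def is_privileged_port(port, threshold=DEFAULT_UNPRIVILEGED_PORT_START):
    """Pure check used for the diagnostic message (threshold injectable for tests)."""
    return port < threshold


def bind_endpoints(endpoints):
    """Bind and listen on every (host, port) pair. Must run BEFORE privileges are
    dropped; EACCES here is turned into the same message radosgw logs."""
    socks = []
    try:
        for host, port in endpoints:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            try:
                s.bind((host, port))
            except PermissionError as exc:  # errno EACCES
                s.close()
                hint = ""
                if is_privileged_port(port, unprivileged_port_start()):
                    hint = (f" (euid={os.geteuid()}, ports below "
                            f"{unprivileged_port_start()} need root or CAP_NET_BIND_SERVICE)")
                raise PermissionError(
                    errno.EACCES,
                    f"failed to bind address {host}:{port}: Permission denied{hint}") from exc
            s.listen(128)
            socks.append(s)
        return socks
    except Exception:
        for s in socks:
            s.close()
        raise


def drop_privileges(user, group):
    """Drop from root to user:group. setgid must precede setuid: once the uid is
    unprivileged, changing the gid is no longer permitted."""
    if os.geteuid() != 0:
        return  # already unprivileged; nothing to drop
    gid = grp.getgrnam(group).gr_gid
    uid = pwd.getpwnam(user).pw_uid
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)


def start_listener(endpoints, user="ceph", group="ceph"):
    """Correct order: bind as root, then become user:group (what systemd's
    --setuser/--setgroup handling is expected to do)."""
    socks = bind_endpoints(endpoints)
    drop_privileges(user, group)
    return socks


def start_listener_wrong_order(endpoints, user="ceph", group="ceph"):
    """The failure mode from the report: privileges are dropped first, so any
    endpoint below the privileged threshold fails with EACCES."""
    drop_privileges(user, group)
    return bind_endpoints(endpoints)


if __name__ == "__main__":
    # Example: `sudo python3 bind_then_drop.py 443` binds 443 as root, then
    # continues as ceph:ceph. Run unprivileged, it fails with the same message
    # as the bug report.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 443
    for s in start_listener([("0.0.0.0", port)]):
        print("listening on", s.getsockname(), "as uid", os.getuid())
        s.close()
```

An operator can confirm which case they are in without reading code: if the daemon's effective uid at bind time is non-zero and the port is below the threshold (`sysctl net.ipv4.ip_unprivileged_port_start`), bind() returns EACCES regardless of what the process later setuid()s to. Granting CAP_NET_BIND_SERVICE to the service (for example via AmbientCapabilities in the unit) would also make the bind succeed, but that hides the ordering problem rather than fixing it.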

#4 Updated by Casey Bodley 6 days ago

  • Status changed from New to Triaged

#5 Updated by Chris Durham 6 days ago

Thanks Casey, exactly my point.

When I run it from systemd, it cannot bind to 443 if I have ssl_endpoint set to use 443. If I run it by hand as I specified, it works fine. If I set ssl_endpoint to use 7480, that works too in systemd. Thus it appears you are doing bind() after setuid() or seteuid(), as systemd has it configured to run with --setuser ceph and --setgroup ceph.
