radosgw can't bind to reserved port (443)
Using ceph-radosgw from http://download.ceph.com/rpm-octopus/el8/x86_64/ceph-radosgw-15.1.1-0.el8.x86_64.rpm on CentOS 8.1
I have the following setup in /etc/ceph/ceph.conf for radosgw:
host = node1
rgw frontends = beast ssl_endpoint=0.0.0.0 ssl_certificate=/etc/ceph/cert.pem
The gateway does not start up. I have the following in the log (debug rgw = 20):
2020-03-17T14:10:11.249-0400 7f96f9c4e280 -1 failed to bind address 0.0.0.0:443: Permission denied
If I change to a port > 1024, such as:
rgw frontends = beast ssl_endpoint=0.0.0.0:7480 ssl_certificate=/etc/ceph/cert.pem
That works fine.
Same error if I use the local IP address in ssl_endpoint instead of 0.0.0.0. The same error occurs if I use civetweb instead.
This has worked fine on earlier releases with the exact same configuration file.
No, nothing else is running on 443 :-).
selinux is ceph-selinux-15.1.1-0.el8.x86_64 from the same repo if that matters
#2 Updated by Chris Durham about 1 year ago
It may be that you are doing setuid()/setgid() or seteuid()/setegid() before bind(), which would preclude you from binding to a port < 1024. Normally radosgw runs as ceph:ceph after starting up.
If I run it by hand (not systemctl) with ssl_endpoint=0.0.0.0 (so it uses 443 by default):
/usr/bin/radosgw -f --cluster ceph --name client.rgw.server-name --setuser root --setgroup root
It binds to port 443 and starts up, which leads me to think that the setuid() is in the wrong place.
#5 Updated by Chris Durham about 1 year ago
Thanks Casey, exactly my point.
When I run it from systemd, it cannot bind to 443 if I have ssl_endpoint set to use 443. If I run it by hand as I specified, it works fine. If I set ssl_endpoint to use 7480, that works too in systemd. Thus it appears you are doing bind() after setuid() or seteuid(), as systemd has it configured to run with --setuser ceph and --setgroup ceph.
#7 Updated by Chris Durham about 1 year ago
I've now verified this with 15.2.0 as well (currently available on download.ceph.com) on two separate CentOS 8.1 installations.
If I disable systemd and run it by hand as follows as root....
- /usr/bin/radosgw -f --cluster ceph --name client-rgw.servername --setuser ceph --setgroup ceph
It immediately comes back with:
-1 failed to bind address a.b.c.d:443 : Permission denied
-1 ERROR: failed initializing frontend
This is with ceph.conf having:
host = servername
rgw frontends = beast ssl_endpoint=a.b.c.d ssl_certificate=.....
If I add :7480 to the above line in ceph.conf, all is well.
I've gotten around this for now by adding a local port redirect from 443 to 7480.
I agree that I may have done something silly, but this doesn't make sense.
#9 Updated by James Page about 1 year ago
https://github.com/ceph/ceph/commit/e28718eaa18e49c770db45820b591088ea92846b moves the creation of the global ceph context to before the determination of the frontend for the rgw so the flag that defers the privileged drop in the context setup is not set at the right point in time:
so privs are dropped before the frontend has been determined and the appropriate defer flag set.
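Added illustration of the ordering problem described in this ticket; this is not code from Ceph or from any commenter. A privileged port must be bound while the process is still root, and only then should the --setuser/--setgroup style drop happen. The uid/gid 65534 in main is a placeholder for an unprivileged account.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a listening TCP socket on 0.0.0.0:port. Returns the fd, or -errno on failure. */
static int bind_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int err = errno; /* EACCES here is the "Permission denied" seen in the ticket */
        close(fd);
        return -err;
    }
    return fd;
}

/* Equivalent of "--setuser ceph --setgroup ceph": give up root. No-op if already that identity. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == uid && getegid() == gid) return 0;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -errno;
    return 0;
}

/* Correct order: bind the privileged port first, then drop. Returns the listening fd or -errno. */
static int start_frontend_correct(unsigned short port, uid_t uid, gid_t gid) {
    int fd = bind_listener(port);
    if (fd < 0) return fd;
    int rc = drop_privileges(uid, gid);
    if (rc < 0) { close(fd); return rc; }
    return fd;
}

/* Order reported in this ticket: privileges are gone before bind(), so port < 1024 gives EACCES. */
static int start_frontend_buggy(unsigned short port, uid_t uid, gid_t gid) {
    int rc = drop_privileges(uid, gid);
    if (rc < 0) return rc;
    return bind_listener(port);
}

int main(void) {
    int fd = start_frontend_buggy(443, 65534, 65534); /* run as root to reproduce the failure */
    printf("drop-then-bind 443: %s\n", fd >= 0 ? "ok" : strerror(-fd));
    return 0;
}
```

Swapping start_frontend_buggy for start_frontend_correct in main binds 443 successfully as root and then continues as uid 65534.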