Feature #9133

create ceph user/group; run daemons as ceph (non-root)

Added by Sage Weil about 8 years ago. Updated over 4 years ago.

Status: Rejected
Priority: High
Assignee:
Category: -
Target version:
% Done: 0%
Source: Development
Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

This will involve lots of updates to packaging.

History

#1 Updated by Sébastien Han about 8 years ago

Indeed a lot of packaging updates and probably many difficulties to properly upgrade daemons :/

Anyone working on that yet?

#2 Updated by Sage Weil almost 8 years ago

  • Priority changed from Normal to High

#3 Updated by Danny Al-Gaaf over 7 years ago

@Sebastien: I plan to work on this issue (if nobody is currently working on this one) since it's related to my blueprint: https://wiki.ceph.com/Planning/Blueprints/Hammer/Ceph_Security_hardening

#4 Updated by Danny Al-Gaaf over 7 years ago

  • Assignee set to Danny Al-Gaaf

#5 Updated by Vasu Kulkarni over 7 years ago

We should also change the references in the documentation that tell users to create a "ceph" user using ceph-deploy:
http://ceph.com/docs/master/rados/deployment/preflight-checklist/#create-a-user

#6 Updated by Ken Dreyer over 7 years ago

  • Status changed from New to In Progress

The wip-user branch in GitHub has the work done so far. See also https://github.com/ceph/ceph/pull/4456

#7 Updated by Sage Weil over 7 years ago

  • Target version set to v9.0.2

#8 Updated by Ken Dreyer over 7 years ago

Fedora BZ for uid/gid numbers: https://bugzilla.redhat.com/1220846

#9 Updated by Vladislav Odintsov over 6 years ago

@Sébastien, @Danny, what do you think about the radosgw daemon? It still runs as root.
I've got my own draft for switching to non-root user for RGW:
https://github.com/odivlad/ceph/commit/1914e5f5bd20b6d6bb2da1260e3bd77d419784e9

I think RGW should use its own user, for instance radosgw, because the ceph user has raw access to the filesystem and RGW doesn't need it.

I suggest:
1. On package installation: check if radosgw user exists and create it in ceph group in case of absence.
2. On package removal: try to remove radosgw user.
3. Change DEFAULT_USER in RGW initscript to radosgw

What do you think about it? Should I change something and open a pull request, or has somebody already done this better and I just haven't found it?
Also, these scripts should be added to the deb post and pre scripts, but that was not a goal for me.
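
The three steps proposed in comment #9, sketched as idempotent scriptlet functions. This is an added example, not part of the thread and not Ceph's packaging code: `DRY_RUN`, `run` and the `rgw_*` function names are hypothetical, and the uid 0 check is an added safeguard.

```shell
#!/bin/sh
# Added example, not Ceph packaging code. radosgw/ceph come from the comment
# above; DRY_RUN, run() and the rgw_* function names are hypothetical.
RGW_USER="${RGW_USER:-radosgw}"
RGW_GROUP="${RGW_GROUP:-ceph}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands instead of running them

user_exists()  { id -u "$1" >/dev/null 2>&1; }
group_exists() { grep -q "^$1:" /etc/group 2>/dev/null; }
run()          { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Added safeguard: never adopt or delete an account that maps to uid 0.
is_uid0() { [ "$(id -u "$1" 2>/dev/null)" = 0 ]; }

# Step 1, package installation: create the user in the ceph group if absent.
rgw_postinst() {
    if user_exists "$RGW_USER"; then
        if is_uid0 "$RGW_USER"; then
            echo "refusing: $RGW_USER has uid 0" >&2
            return 1
        fi
        return 0               # already present, nothing to do
    fi
    group_exists "$RGW_GROUP" || run groupadd -r "$RGW_GROUP" || return 1
    # System account, no home directory, no login shell.
    run useradd -r -M -g "$RGW_GROUP" -s /sbin/nologin "$RGW_USER"
}

# Step 2, package removal: try to remove the user, tolerate its absence.
rgw_postrm() {
    user_exists "$RGW_USER" || return 0
    is_uid0 "$RGW_USER" && return 1
    run userdel "$RGW_USER"
}

# Step 3 lives in the RGW initscript: DEFAULT_USER=radosgw

case "${1:-}" in
    install) rgw_postinst ;;
    remove)  rgw_postrm ;;
esac
```

With `DRY_RUN=1` (the default here) the functions only print the commands they would run; a real scriptlet would set `DRY_RUN=0`.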

#10 Updated by Sage Weil over 4 years ago

  • Status changed from In Progress to Rejected
