Feature #9133
closed
create ceph user/group; run daemons as ceph (non-root)
0%
Description
This will involve lots of updates to packaging.
Updated by Sébastien Han over 9 years ago
Indeed a lot of packaging updates and probably many difficulties to properly upgrade daemons :/
Anyone working on that yet?
Updated by Danny Al-Gaaf about 9 years ago
@Sebastien: I plan to work on this issue (if nobody is currently working on this one) since it's related to my blueprint: https://wiki.ceph.com/Planning/Blueprints/Hammer/Ceph_Security_hardening
Updated by Vasu Kulkarni about 9 years ago
We should also change the references in the documentation that tell users to create a "ceph" user using ceph-deploy:
http://ceph.com/docs/master/rados/deployment/preflight-checklist/#create-a-user
Updated by Ken Dreyer about 9 years ago
- Status changed from New to In Progress
The wip-user branch in GitHub has the work done so far. See also https://github.com/ceph/ceph/pull/4456
Updated by Ken Dreyer almost 9 years ago
Fedora BZ for uid/gid numbers: https://bugzilla.redhat.com/1220846
Updated by Vladislav Odintsov about 8 years ago
@Sébastien, @Danny, what do you think about the radosgw daemon? It still runs as root.
I've got my own draft for switching to non-root user for RGW:
https://github.com/odivlad/ceph/commit/1914e5f5bd20b6d6bb2da1260e3bd77d419784e9
I think RGW should use its own user, for instance radosgw, because the ceph user has raw access to the filesystem and RGW doesn't need it.
I suggest:
1. On package installation: check if the radosgw user exists and create it in the ceph group if it is absent.
2. On package removal: try to remove the radosgw user.
3. Change DEFAULT_USER in the RGW initscript to radosgw.
What do you think about it? Should I change something and open a pull request, or has somebody already done this better and I just haven't found it?
Also, these scripts should be added to the deb post and pre scripts, but that was not a goal for me.
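The three steps proposed in the comment above, sketched as maintainer-script helpers. This is an added example, not code from the linked commit or from Ceph's packaging; the home directory, login shell, function names and the plain `DEFAULT_USER=...` line format are assumptions.

```shell
#!/bin/sh
# Added example, not Ceph packaging code. Account name, group, home directory,
# login shell and all function names are assumptions of this sketch.
RGW_USER=radosgw
CEPH_GROUP=ceph
RGW_HOME=/var/lib/ceph/radosgw

# Execute a command, or only print it when DRY_RUN=1 (unprivileged review).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# True if KEY ($2) exists in the passwd/group database DB ($1).
lookup() { getent "$1" "$2" >/dev/null 2>&1; }

# Step 1, install: create the account only when absent, so upgrades are no-ops.
rgw_postinst() {
    if ! lookup group "$CEPH_GROUP"; then
        echo "group $CEPH_GROUP missing, refusing to create $RGW_USER" >&2
        return 1
    fi
    lookup passwd "$RGW_USER" && return 0
    # System account, no login shell, no home created: it only runs the daemon.
    run useradd --system --gid "$CEPH_GROUP" --no-create-home \
        --home-dir "$RGW_HOME" --shell /sbin/nologin "$RGW_USER"
}

# Step 2, removal: best effort; never delete an account that still owns
# running processes, and never fail the package removal over it.
rgw_postrm() {
    lookup passwd "$RGW_USER" || return 0
    if pgrep -u "$RGW_USER" >/dev/null 2>&1; then
        echo "$RGW_USER still has running processes, keeping account" >&2
        return 0
    fi
    run userdel "$RGW_USER" || echo "could not remove $RGW_USER" >&2
}

# Step 3, check: print the DEFAULT_USER an init script would use; non-zero
# status if it is unset or root. Assumes a plain DEFAULT_USER=... line.
rgw_initscript_user() {
    user=$(sed -n "s/^DEFAULT_USER=[\"']*\([^\"' ]*\).*/\1/p" "$1" | head -n 1)
    echo "${user:-unset}"
    [ -n "$user" ] && [ "$user" != root ]
}

# Debian-style maintainer-script arguments; no argument means do nothing.
case "${1:-}" in
    configure)    rgw_postinst ;;
    remove|purge) rgw_postrm ;;
esac
```

Running it with `DRY_RUN=1` prints the `useradd`/`userdel` commands instead of executing them, which allows the logic to be reviewed without root.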
Updated by Sage Weil about 6 years ago
- Status changed from In Progress to Rejected