From: Karol Mroz <kmroz@suse.com>
To: ceph-devel@vger.kernel.org
Subject: rgw/civetweb privileged port bind
Date: Thu, 26 Nov 2015 11:25:48 -0800
Message-ID: <20151126192548.GA27729@oak.lan>

Hello,

As I understand it, with the release of infernalis, ceph
daemons are no longer being run as root. Thus, rgw/civetweb
is unable to bind to privileged ports:

http://tracker.ceph.com/issues/13600

We encountered this problem as well in our downstream (hammer
based) product, where we run rgw/civetweb as "wwwuser". To allow
privileged port binding, we used file caps (setcap from the spec file).

Going forward, however, we were thinking of taking one of two
approaches:

1. Start rgw/civetweb as root and utilize an existing civetweb
   config option (run_as_user) to drop permissions _after_
   the port bind and after certificate files have been read.

2. Utilize systemd socket activation, and allow systemd to bind
   to the necessary port. Once rgw/civetweb is started, civetweb
   can pull the listening socket from systemd.

Is this something you folks upstream have given some thought to?

--
Regards,
Karol
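
The receiving side of approach 2 in the message above, as an added example that is not part of the original message and is not civetweb or ceph code: an unprivileged daemon validates the sockets handed over through systemd's `LISTEN_PID` / `LISTEN_FDS` environment protocol (descriptors start at fd 3) instead of binding the privileged port itself. The function names are hypothetical and the 1024 descriptor ceiling is an assumption chosen for the sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

#define LISTEN_FDS_START 3 /* systemd hands over sockets starting at fd 3 */

/* Parse a non-negative decimal; -1 on anything malformed or above max. */
static long parse_num(const char *s, long max)
{
    char *end;
    long v = strtol(s, &end, 10);
    return (end == s || *end || v < 0 || v > max) ? -1 : v;
}

/* Number of sockets passed in: 0 if none for this process, -1 if malformed. */
int inherited_fd_count(void)
{
    const char *pid_s = getenv("LISTEN_PID"), *fds_s = getenv("LISTEN_FDS");
    if (!pid_s || !fds_s)
        return 0;
    long pid = parse_num(pid_s, 0x7fffffffL), n = parse_num(fds_s, 1024);
    if (pid < 0 || n < 0)
        return -1;
    return pid == (long)getpid() ? (int)n : 0; /* vars may be for a parent */
}

/* 1 only for a stream socket that is already in the listening state. */
int is_listening_stream_socket(int fd)
{
    int type = 0, on = 0;
    socklen_t len = sizeof(type);
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) < 0 || type != SOCK_STREAM)
        return 0;
    len = sizeof(on);
    return getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &on, &len) == 0 && on != 0;
}

/* Serve on the first valid inherited listener; otherwise fail closed. */
int main(void)
{
    int n = inherited_fd_count();
    for (int i = 0; i < n; i++)
        if (is_listening_stream_socket(LISTEN_FDS_START + i))
            return printf("serving on inherited fd %d\n", LISTEN_FDS_START + i) < 0;
    fputs("no usable inherited listener; not binding a port ourselves\n", stderr);
    return 1;
}
```

Checking `LISTEN_PID` against `getpid()` keeps the daemon from adopting descriptors that were meant for a different process, and the `SO_ACCEPTCONN` check rejects a descriptor that is not actually a listening socket.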