rgw/civetweb privileged port bind

Hello,

As I understand it, with the release of infernalis, ceph
daemons are no longer being run as root. Thus, rgw/civetweb
is unable to bind to privileged ports:

http://tracker.ceph.com/issues/13600

We encountered this problem as well in our downstream (hammer-based)
product, where we run rgw/civetweb as "wwwuser". To allow
privileged port binding, we used file caps (setcap from the spec file).
Going forward, however, we were thinking of taking one of two
approaches:

1. Start rgw/civetweb as root and utilize an existing civetweb
config option (run_as_user) to drop permissions _after_
the port bind and after certificate files have been read.

2. Utilize systemd socket activation, and allow systemd to bind
to the necessary port. Once rgw/civetweb is started, civetweb
can pull the listening socket from systemd.

Is this something you folks upstream have given some thought to?

-- 
Regards,
Karol
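
The receiving side of approach 2, as an added example that is not part of the original message and is not civetweb or Ceph code: an unprivileged daemon checks that systemd really handed it a listening socket before using it. It assumes the systemd socket-activation convention (LISTEN_PID and LISTEN_FDS environment variables, inherited descriptors starting at fd 3); the function names are hypothetical.

```c
/* Added example (hypothetical names): validate a socket inherited via
 * systemd socket activation, without linking libsystemd. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

#define LISTEN_FDS_START 3 /* first inherited fd in the systemd convention */

/* Sockets passed to this process: 0 if none, -1 if variables are malformed. */
int activation_fd_count(void)
{
    const char *pid_s = getenv("LISTEN_PID");
    const char *fds_s = getenv("LISTEN_FDS");
    char *end;
    long pid, n;

    if (!pid_s || !fds_s)
        return 0;
    pid = strtol(pid_s, &end, 10);
    if (end == pid_s || *end)
        return -1;
    if (pid != (long)getpid()) /* stale variables meant for another process */
        return 0;
    n = strtol(fds_s, &end, 10);
    if (end == fds_s || *end || n < 0 || n > 1024)
        return -1;
    return (int)n;
}

/* 1 if fd is a stream socket already in the listening state, else 0. */
int is_listening_stream_socket(int fd)
{
    int type = 0, accepting = 0;
    socklen_t len = sizeof(type);

    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) < 0 || type != SOCK_STREAM)
        return 0;
    len = sizeof(accepting);
    if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &len) < 0)
        return 0;
    return accepting != 0;
}

int main(void)
{
    int ok = activation_fd_count() >= 1 && is_listening_stream_socket(LISTEN_FDS_START);
    /* An unprivileged server would now accept() on LISTEN_FDS_START. */
    puts(ok ? "inherited listening socket on fd 3" : "no usable socket from systemd");
    return ok ? 0 : 1;
}
```

With this handoff the daemon never holds root or CAP_NET_BIND_SERVICE itself; only systemd binds the privileged port.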
