How to setup radosgw with https on pacific?

Hello everybody,

I'm quite new to ceph and I'm facing a myriad of issues trying to use it. So I've subscribed to this mailing list. Hopefully you guys can help me with some of those issues.

My current goal is to set up a local S3 storage -- i.e. a ceph "cluster" with radosgw. In my test environment this is the only purpose of ceph so I get along with a single ceph node.

I failed to set up ceph with cephadm (maybe I'll file an additional request for this) so I've installed proxmox, using its built-in ceph support. This works nicely.
As proxmox does not feature radosgw support I've followed this procedure to set it up: https://pve.proxmox.com/wiki/User:Grin/Ceph_Object_Gateway
Because I'm running a single node cluster I had to modify the crushmap: https://www.cnblogs.com/boshen-hzb/p/13305560.html

Now I have a running radosgw listening on port 7480. This is the actual starting point of this request.

The next step would be to set up https on the radosgw. I followed this procedure: https://greenstatic.dev/posts/2020/ssl-tls-rgw-ceph-config/
My current radosgw settings are:

[client.radosgw.pve]
        host = pve
        keyring = /var/lib/ceph/radosgw/ceph-pve/keyring
        log file = /var/log/ceph/client.radosgw.$host.log
        rgw_frontends = beast ssl_endpoint=0.0.0.0:7480 ssl_certificate=config://rgw/cert/terraform/default.crt ssl_private_key=config://rgw/cert/terraform/default.key

This is the result in the logs:

2021-11-04T18:05:35.668+0100 7fdf8d2ce6c0  0 framework: beast
2021-11-04T18:05:35.668+0100 7fdf8d2ce6c0  0 framework conf key: ssl_certificate, val: config://rgw/cert/$realm/$zone.crt
2021-11-04T18:05:35.668+0100 7fdf8d2ce6c0  0 framework conf key: ssl_private_key, val: config://rgw/cert/$realm/$zone.key
2021-11-04T18:05:35.668+0100 7fdf8d2ce6c0  0 starting handler: beast
2021-11-04T18:05:35.668+0100 7fdf8d2ce6c0 -1 ssl_private_key was not found: rgw/cert/terraform/default.key
2021-11-04T18:05:35.668+0100 7fdf8d2ce6c0 -1 ssl_private_key was not found: rgw/cert/terraform/default.crt
2021-11-04T18:05:35.668+0100 7fdf8d2ce6c0 -1 no ssl_certificate configured for ssl_endpoint
2021-11-04T18:05:35.668+0100 7fdf8d2ce6c0 -1 ERROR: failed initializing frontend

The referenced config keys do exist:

root@pve:~# ceph config-key get rgw/cert/terraform/default.crt
-----BEGIN CERTIFICATE-----
...

root@pve:~# ceph config-key get rgw/cert/terraform/default.key
-----BEGIN RSA PRIVATE KEY-----
...

Trying to use local files does not improve things:

2021-11-04T18:13:41.680+0100 7f05df2f46c0  0 framework: beast
2021-11-04T18:13:41.680+0100 7f05df2f46c0  0 framework conf key: ssl_certificate, val: config://rgw/cert/$realm/$zone.crt
2021-11-04T18:13:41.680+0100 7f05df2f46c0  0 framework conf key: ssl_private_key, val: config://rgw/cert/$realm/$zone.key
2021-11-04T18:13:41.680+0100 7f05df2f46c0  0 starting handler: beast
2021-11-04T18:13:41.680+0100 7f0575feb700  0 INFO: RGWReshardLock::lock found lock on reshard.0000000002 to be held by another RGW process; skipping for now
2021-11-04T18:13:41.680+0100 7f05df2f46c0 -1 failed to add ssl_private_key=/root/default.key: No such file or directory
2021-11-04T18:13:41.680+0100 7f05df2f46c0 -1 failed to use ssl_certificate=/root/default.crt as a private key: No such file or directory
2021-11-04T18:13:41.680+0100 7f05df2f46c0 -1 no ssl_certificate configured for ssl_endpoint
2021-11-04T18:13:41.680+0100 7f05df2f46c0 -1 ERROR: failed initializing frontend

With:

root@pve:~# cat /root/default.crt
-----BEGIN CERTIFICATE-----
...

root@pve:~# cat /root/default.key
-----BEGIN RSA PRIVATE KEY-----
...

For me this behavior looks like a bug, but please correct me if I'm wrong.
So how would I set up https for radosgw?



I've also tried to set up apache as TLS endpoint by following these instructions: https://docs.ceph.com/en/pacific/man/8/radosgw/
Communication is expected to take place via unix domain sockets. But... radosgw does not create the socket file, so it does not work either.
Of course the next attempt would be to skip unix domain sockets and listen on localhost instead...

BTW: I'm using this software setup:

  *   Proxmox 7.0-11, based on Debian 11.0 bullseye
  *   Ceph 16.2.6 pacific

I hope anybody can help me.
Regards,

Carsten
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
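
An added example, not part of the post above and not Ceph code: a preflight check over an rgw_frontends value like the one posted, reporting whether each ssl_certificate / ssl_private_key reference is a config:// key or a file, and whether a file can be read by the gateway's service account. The function names and the uid/gid passed in are assumptions; file access is judged from classic mode bits only.

```python
import os

PAGE_LINE = ("beast ssl_endpoint=0.0.0.0:7480 "
             "ssl_certificate=config://rgw/cert/terraform/default.crt "
             "ssl_private_key=config://rgw/cert/terraform/default.key")  # from the post

def parse_frontends(value):
    """Split an rgw_frontends value into (framework, {option: value})."""
    framework, *pairs = value.split()
    return framework, dict(p.partition("=")[::2] for p in pairs)

def _allowed(st, uid, gid, want):
    """Classic mode bits only: no ACLs, supplementary groups or sandboxing."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid == gid else 0
    return bool((st.st_mode >> shift) & want)

def readable_by(path, uid, gid):
    """Can uid/gid traverse every parent directory and read the file?"""
    if uid == 0:
        return True
    path = os.path.realpath(path)
    parents, cur = [], os.path.dirname(path)
    while cur not in parents:
        parents.append(cur)
        cur = os.path.dirname(cur)
    return (all(_allowed(os.stat(d), uid, gid, 1) for d in parents)
            and _allowed(os.stat(path), uid, gid, 4))

def check_frontends(value, uid, gid):
    """Return notes on the TLS options of a beast rgw_frontends value."""
    _, opts = parse_frontends(value)
    notes = []
    if {"ssl_endpoint", "ssl_port"} & opts.keys() and "ssl_certificate" not in opts:
        notes.append("ssl endpoint configured without ssl_certificate")
    for name in ("ssl_certificate", "ssl_private_key"):
        ref = opts.get(name)
        if ref is None:
            continue
        if ref.startswith("config://"):
            notes.append(f"{name}: check 'ceph config-key get {ref[9:]}'")
        elif not os.path.isfile(ref):
            notes.append(f"{name}: {ref} not found by this process")
        else:
            if not readable_by(ref, uid, gid):
                notes.append(f"{name}: {ref} not readable by uid {uid}")
            if name == "ssl_private_key" and os.stat(ref).st_mode & 0o077:
                notes.append(f"{name}: {ref} accessible to group/other")
    return notes

if __name__ == "__main__":
    print("\n".join(check_frontends(PAGE_LINE, 1000, 1000)))  # placeholder uid/gid
```

Run it as root with the uid and gid the radosgw process actually runs under. systemd sandboxing such as ProtectHome= can hide a directory from a service regardless of mode bits, which this check does not see.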


