Bug 1258961

Summary: [RFE] Enable SSL support in RHCS RadosGW
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Vimal Kumar <vikumar>
Component: RGWAssignee: Marcus Watts <mwatts>
Status: CLOSED ERRATA QA Contact: shilpa <smanjara>
Severity: medium Docs Contact: Bara Ancincova <bancinco>
Priority: high    
Version: 1.3.0CC: ahoness, bancinco, cbodley, ceph-eng-bugs, ealcaniz, hnallurv, jowilkin, jwilkins, kbader, kdreyer, mbenjamin, mwatts, nlevine, owasserm, smanjara, sweil, tserlin, uboppana, vikumar, vumrao, yehuda, yweinste
Target Milestone: rcKeywords: FutureFeature, Triaged
Target Release: 2.2   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHEL: ceph-10.2.5-11.el7cp Ubuntu: ceph_10.2.5-5redhat1xenial Doc Type: Enhancement
Doc Text:
.Support for the SSL protocol has been added The Ceph Object Gateway now supports the SSL protocol. Previously, a reverse proxy server with SSL had to be set up to dispatch HTTPS requests. For details, see the https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/2/html-single/object_gateway_guide_for_red_hat_enterprise_linux/#using_ssl_with_civetweb[Using SSL with Civetweb] chapter in the Ceph Object Gateway Guide.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-14 15:43:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1258382, 1327100, 1412948    

Description Vimal Kumar 2015-09-01 15:30:32 UTC 
1) Description of problem:

The RadosGW implementation in RHCS1.3 doesn't support SSL as of now. The suggested method in the RadosGW documentation is to use a reverse proxy.

From the RHCS1.3 documentation of RadosGW:

~~~
In version 1.3, the Ceph Object Gateway does not support SSL. You may setup a reverse proxy server with SSL to dispatch HTTPS requests as HTTP requests to CivetWeb. 
~~~

This is a feature request to enable SSL support in RadosGW.

2) Version-Release number of selected component (if applicable):

RHCS1.3
ceph-0.94

3) Actual results:

RadosGW in RHCS1.3 doesn't support SSL. 

4) Expected results:

RadosGW should support SSL due to the importance of data encryption needed in enterprise environments. This should be available without the need of setting up a proxy server.
Comment 9 Marcus Watts 2016-03-14 21:57:14 UTC 
This change is in master, and it's also in v10.0.4.

I don't yet have any documentation on it, I'll try to get to that RSN.

Matt has a tweak to this to actually check if "openssl-devel" is installed - one of us will make sure that gets pushed out.
Comment 21 shilpa 2016-08-12 11:13:21 UTC 
Hi Bara,

I see Civetweb with SSL section in the doc https://access.qa.redhat.com/documentation/en/red-hat-ceph-storage/2/single/object-gateway-guide-for-red-hat-enterprise-linux#using_ssl_with_civetweb

Since it is not supported in 2.0, I think we need to remove this reference.
Comment 23 Edu Alcaniz 2016-09-16 06:46:04 UTC 
Hi, could you update the status of the BZ please
Comment 24 Matt Benjamin (redhat) 2016-09-20 17:43:30 UTC 
(In reply to Edu Alcaniz from comment #23)
> Hi, could you update the status of the BZ please

Status unchange, looking for -needinfo from John.
Comment 25 John Wilkins 2016-09-23 16:02:42 UTC 
Topics were removed, but Pantheon is not behaving. See https://gitlab.cee.redhat.com/red-hat-ceph-storage-documentation/doc-Red_Hat_Ceph_Storage_2-Object_Gateway/commit/e6052472480d0084b95a3ffce6bd20d25fca2c8d
Comment 26 Edu Alcaniz 2016-09-27 15:28:41 UTC 
hi, any luck in QA to move forward? Thanks very much.
Comment 27 shilpa 2016-10-18 09:36:00 UTC 
Followed the doc available offline:

https://gitlab.cee.redhat.com/red-hat-ceph-storage-documentation/doc-Red_Hat_Ceph_Storage_2-Object_Gateway/commit/48a9d7b66406123519d2175951dfeb30c9bb9553

After generating the self-signed cert and adding to ceph.conf, rgw crashes.

[client.rgw.magna047]
rgw_frontends = civetweb port=443s ssl_certificate=/root/selfcert.pem


2016-10-18 09:30:14.109302 7efdcf2889c0  0 ceph version 10.2.3-7.el7cp (f69f9569b426f45d948df4be635aa92f4d656654), process radosgw, pid 8145
2016-10-18 09:30:14.185347 7efd4ffff700  0 RGWGC::process() failed to acquire lock on gc.4
2016-10-18 09:30:14.185884 7efd4ffff700  0 RGWGC::process() failed to acquire lock on gc.5
2016-10-18 09:30:14.186366 7efd4ffff700  0 RGWGC::process() failed to acquire lock on gc.6
2016-10-18 09:30:14.187322 7efdcf2889c0  0 starting handler: civetweb
2016-10-18 09:30:14.187432 7efdcf2889c0  0 civetweb: 0x7efdcf4e2dc0: load_dll: cannot load libssl.so
2016-10-18 09:30:14.187475 7efdcf2889c0  0 civetweb: 0x7efdcf4e2dc0: load_dll: cannot load libcrypto.so
2016-10-18 09:30:14.187485 7efdcf2889c0 -1 ERROR: failed run
2016-10-18 09:30:14.189308 7efd4f7fe700 -1 *** Caught signal (Aborted) **
 in thread 7efd4f7fe700 thread_name:rgw_obj_expirer

 ceph version 10.2.3-7.el7cp (f69f9569b426f45d948df4be635aa92f4d656654)
 1: (()+0x56f89a) [0x7efdc59a189a]
 2: (()+0xf370) [0x7efdc4db1370]
 3: (gsignal()+0x37) [0x7efdc42f41d7]
 4: (abort()+0x148) [0x7efdc42f58c8]
 5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7efdc48f6ab5]
 6: (()+0x5ea26) [0x7efdc48f4a26]
 7: (()+0x5ea53) [0x7efdc48f4a53]
 8: (()+0x5ec73) [0x7efdc48f4c73]
 9: (operator new(unsigned long)+0x7d) [0x7efdc48f520d]
 10: (std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char> const&)+0x59) [0x7efdc4953ce9]
 11: (std::string::_Rep::_M_clone(std::allocator<char> const&, unsigned long)+0x1b) [0x7efdc49548fb]
 12: (std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::string const&)+0x5c) [0x7efdc4954fcc]
 13: (RGWObjectExpirer::process_single_shard(std::string const&, utime_t const&, utime_t const&)+0x133) [0x7efdc57d9943]
 14: (RGWObjectExpirer::inspect_all_shards(utime_t const&, utime_t const&)+0xb2) [0x7efdc57d9fb2]
 15: (RGWObjectExpirer::OEWorker::entry()+0x7f) [0x7efdc57da25f]
 16: (()+0x7dc5) [0x7efdc4da9dc5]
 17: (clone()+0x6d) [0x7efdc43b673d]


-- Unit ceph-radosgw.service has begun starting up.
Oct 18 09:30:56 magna047 radosgw[8575]: error parsing int: 443s: The option value '443s' seems to be invalid
Oct 18 09:30:56 magna047 radosgw[8575]: 2016-10-18 09:30:56.185159 7fad36c479c0 -1 ERROR: failed run
Oct 18 09:30:56 magna047 radosgw[8575]: terminate called after throwing an instance of 'std::bad_alloc'
Oct 18 09:30:56 magna047 radosgw[8575]: what():  std::bad_alloc
Oct 18 09:30:56 magna047 radosgw[8575]: *** Caught signal (Aborted) **
Oct 18 09:30:56 magna047 radosgw[8575]: in thread 7facc74fb700 thread_name:rgw_obj_expirer
Comment 29 Ken Dreyer (Red Hat) 2016-10-20 17:05:38 UTC 
This is going to need more work upstream (and more Teuthology tests) before we can safely support it for RHCS 2 users.
Comment 42 shilpa 2017-03-03 09:08:34 UTC 
Verified
Comment 45 errata-xmlrpc 2017-03-14 15:43:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0514.html
Comment 46 Red Hat Bugzilla 2023-09-14 03:04:38 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days