[Bug 1822872] Re: Bionic: Luminous radosgw incompatible with libssl1.1
Eric Desrochers
eric.desrochers at canonical.com
Wed May 1 20:04:08 UTC 2019
[VERIFICATION BIONIC]
I have deployed a Ceph cluster using juju deploy and then have updated
the entire cluster[1] to the ceph packages found in bionic-proposed
(built against libssl1.0.0).
On the rgw node, I have set up an SSL certificate and instructed civetweb
in /etc/ceph/ceph.conf to use SSL[2].
radosgw is now running just fine[3][4] and civetweb LISTENs on port 443
as it should[5].
[1] Ceph cluster:
.......
Unit         Workload  Agent  Machine  Public address  Ports   Message
ceph-mon/0*  active    idle   0        10.5.0.4                Unit is ready and clustered
ceph-osd/0*  active    idle   1        10.5.0.5                Unit is ready (1 OSD)
ceph-osd/1   active    idle   2        10.5.0.27               Unit is ready (1 OSD)
ceph-osd/2   active    idle   3        10.5.0.6                Unit is ready (1 OSD)
ceph-rgw/0*  active    idle   4        10.5.0.18       80/tcp  Unit is ready
......
[2] /etc/ceph/ceph.conf
[client.rgw.<HOSTNAME>]
......
rgw_frontends = civetweb port=443s ssl_certificate=/etc/ssl/server.pem
.......
[3] sudo systemctl status ceph-radosgw@rgw.`hostname -s`
● ceph-radosgw@rgw.juju-521d82-default-4.service - Ceph rados gateway
Loaded: loaded (/lib/systemd/system/ceph-radosgw@.service; indirect; vendor preset: enabled)
Active: active (running) since Wed 2019-05-01 19:51:55 UTC; 10min ago
Main PID: 4225 (radosgw)
Tasks: 580
CGroup: /system.slice/system-ceph\x2dradosgw.slice/ceph-radosgw@rgw.juju-521d82-default-4.service
└─4225 /usr/bin/radosgw -f --cluster ceph --name client.rgw.juju-521d82-default-4 --setuser ceph --setgroup
May 01 19:59:59 juju-521d82-default-4 radosgw[4225]: 2019-05-01 19:59:59.208671 7f19095f0700 2 RGWDataChangesLog::Cha
May 01 20:00:21 juju-521d82-default-4 radosgw[4225]: 2019-05-01 20:00:21.208946 7f19095f0700 2 RGWDataChangesLog::Cha
May 01 20:00:43 juju-521d82-default-4 radosgw[4225]: 2019-05-01 20:00:43.209214 7f19095f0700 2 RGWDataChangesLog::Cha
May 01 20:01:05 juju-521d82-default-4 radosgw[4225]: 2019-05-01 20:01:05.209332 7f19095f0700 2 RGWDataChangesLog::Cha
May 01 20:01:27 juju-521d82-default-4 radosgw[4225]: 2019-05-01 20:01:27.209500 7f19095f0700 2 RGWDataChangesLog::Cha
May 01 20:01:49 juju-521d82-default-4 radosgw[4225]: 2019-05-01 20:01:49.209716 7f19095f0700 2 RGWDataChangesLog::Cha
May 01 20:01:56 juju-521d82-default-4 radosgw[4225]: 2019-05-01 20:01:56.129879 7f1907ded700 2 object expiration: sta
May 01 20:02:11 juju-521d82-default-4 radosgw[4225]: 2019-05-01 20:02:11.209902 7f19095f0700 2 RGWDataChangesLog::Cha
May 01 20:02:12 juju-521d82-default-4 radosgw[4225]: 2019-05-01 20:02:12.346598 7f1907ded700 2 object expiration: sto
May 01 20:02:33 juju-521d82-default-4 radosgw[4225]: 2019-05-01 20:02:33.210102 7f19095f0700 2 RGWDataChangesLog::Cha
[4] logs
May 1 19:51:56 juju-521d82-default-4 radosgw: 2019-05-01 19:51:56.115874 7f1924299000 0 starting handler: civetweb
May 1 19:51:56 juju-521d82-default-4 radosgw: 2019-05-01 19:51:56.186842 7f1924299000 1 mgrc service_daemon_register rgw.juju-521d82-default-4 metadata {arch=x86_64,ceph_version=ceph version 12.2.11 (26dc3775efc7bb286a1d6d66faee0ba30ea23eee) luminous (stable),cpu=Intel Xeon E312xx (Sandy Bridge, IBRS update),distro=ubuntu,distro_description=Ubuntu 18.04.2 LTS,distro_version=18.04,frontend_config#0=civetweb port=443s ssl_certificate=/etc/ssl/server.pem,frontend_type#0=civetweb,hostname=juju-521d82-default-4,kernel_description=#50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019,kernel_version=4.15.0-47-generic,mem_swap_kb=0,mem_total_kb=2041224,num_handles=1,os=Linux,pid=4225,zone_id=be9d4d4f-725f-490d-acf6-c0a713e03da4,zone_name=default,zonegroup_id=ab35965a-0856-4671-906a-fe7aedcb92ca,zonegroup_name=default}
[5] netstat -anputa | grep -i radosgw | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4225/radosgw
- Eric
** Description changed:
[Impact]
Since the introduction of OpenSSL 1.1.1 in 18.04 LTS:
https://launchpad.net/bugs/1797386
This is breaking Ceph cluster https service.
# logs:
2019-04-02 16:40:14.846313 7ff8c1736000 0 starting handler: civetweb
2019-04-02 16:40:14.846397 7ff8c1736000 0 civetweb: 0x56114520d620: load_dll: libcrypto.so.1.1: cannot find CRYPTO_num_locks
2019-04-02 16:40:14.846424 7ff8c1736000 -1 ERROR: failed run
[Test Case]
1) Generate a self-signed certificate or use whatever existing SSL
certificate already in place.
If one want to create a PEM file for civetweb, instructions can be found here :
https://github.com/civetweb/civetweb/blob/master/docs/OpenSSL.md
** Note: "CivetWeb requires one certificate file in PEM format" **
2) Enable logging and debugging in "/etc/ceph/ceph.conf"
Example:
------
log to syslog = true
err to syslog = true
clog to syslog = true
debug rgw = 10/5
debug civetweb = 1/10
------
http://docs.ceph.com/docs/mimic/rados/troubleshooting/log-and-debug/
3) From the radosgw node, modify "/etc/ceph/ceph.conf" as follow:
rgw_frontends = civetweb port=443s ssl_certificate=/<path_to_PEM_FILE>/<PEM_FILE>
4) Restart the daemon:
systemctl restart ceph-radosgw at rgw.`hostname -s`
5) Look logs:
2019-04-10 12:02:53.535133 7fcd20c4e000 0 civetweb: 0x562d710ed620: load_dll: libcrypto.so.1.1: cannot find CRYPTO_num_locks
6) Look radosgw which should FAILED to start.
systemctl status ceph-radosgw at rgw.`hostname -s`
What we are looking for here is radosgw to be 'Active' and to have a
LISTEN port on 443 as follow :
$ netstat -anputa | grep LISTEN | grep 443 # or any port mentioned in the configuration above.
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 10153/radosgw
[Potential Regression]
* Same downgrade approach has been made for 'nodejs' via LP: #1798367
+ * The proposed packages has been tested on at least 2 different Ceph
+ clusters impacted by the issue, and have been tested at various level
+ (no package update problem, radosgw is now working fine when civetweb is
+ configure over ssl, ...)
+
* Nothing can be worst than current situation, considering that civetweb
- is non-functionnal when SSL is in used due to the incompatibility with
+ is non-functional when SSL is in used due to the incompatibility with
1.1 and make radosgw daemon to fail.
* libssl1.0 and libssl1.1 are coinstallable ABIs so it shouldn't be a
problem here.
* See discussion IRC discussion (xnox/jamespage) on comment #11
* All autopkgtest 'passed'
http://autopkgtest.ubuntu.com/packages/ceph
[Other Information]
* Adding the OpenSSL 1.1 support has been explored and revealed to be non-trivial :
https://github.com/civetweb/civetweb/pull/384/commits
https://github.com/civetweb/civetweb/commit/adac9c916fa892ec5edce7b565803f1e62d304a2
https://github.com/civetweb/civetweb/commit/5d83900fd29fb6fa1cd604676cb0562dc984dcc9
http://docs.ceph.com/docs/bobtail/radosgw/troubleshooting/
See discussion IRC discussion on comment #11
[Original Description]
Bionic's radosgw package (Version 12.2.11-0ubuntu0.18.04.1 ) can't run
on Bionic, because the version of civetweb in Luminous is incompatible
with libssl1.1, but it's built against libssl1.1.
This has been known about upstream for a while now, and as noted in the
bug-tracker (https://tracker.ceph.com/issues/20696), it can be fixed by
building Luminous in an environment that has only libssl1.0 available
(or, in a more invasive manner, by incorporating a newer civetweb). A
patch is in the tracker.ceph.com issue.
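Review bot: the bullet added under [Potential Regression] (the "+ * The proposed packages has been tested on at least 2 different Ceph clusters" lines) names neither the package version nor the pocket that was tested, so the claim cannot be checked against what is eventually released; stating the exact version from bionic-proposed would fix that. The same edit corrects "non-functionnal" but leaves "in used" on the changed line and "worst" on the line above it.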
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ceph in Ubuntu.
https://bugs.launchpad.net/bugs/1822872
Title:
Bionic: Luminous radosgw incompatible with libssl1.1
Status in ceph package in Ubuntu:
Fix Released
Status in ceph source package in Bionic:
Fix Committed
Bug description:
[Impact]
Since the introduction of OpenSSL 1.1.1 in 18.04 LTS:
https://launchpad.net/bugs/1797386
This is breaking Ceph cluster https service.
# logs:
2019-04-02 16:40:14.846313 7ff8c1736000 0 starting handler: civetweb
2019-04-02 16:40:14.846397 7ff8c1736000 0 civetweb: 0x56114520d620: load_dll: libcrypto.so.1.1: cannot find CRYPTO_num_locks
2019-04-02 16:40:14.846424 7ff8c1736000 -1 ERROR: failed run
[Test Case]
1) Generate a self-signed certificate or use whatever existing SSL
certificate is already in place.
If one wants to create a PEM file for civetweb, instructions can be found here:
https://github.com/civetweb/civetweb/blob/master/docs/OpenSSL.md
** Note: "CivetWeb requires one certificate file in PEM format" **
2) Enable logging and debugging in "/etc/ceph/ceph.conf"
Example:
------
log to syslog = true
err to syslog = true
clog to syslog = true
debug rgw = 10/5
debug civetweb = 1/10
------
http://docs.ceph.com/docs/mimic/rados/troubleshooting/log-and-debug/
3) From the radosgw node, modify "/etc/ceph/ceph.conf" as follows:
rgw_frontends = civetweb port=443s ssl_certificate=/<path_to_PEM_FILE>/<PEM_FILE>
4) Restart the daemon:
systemctl restart ceph-radosgw@rgw.`hostname -s`
5) Look at the logs:
2019-04-10 12:02:53.535133 7fcd20c4e000 0 civetweb: 0x562d710ed620: load_dll: libcrypto.so.1.1: cannot find CRYPTO_num_locks
6) Look at radosgw, which should have FAILED to start.
systemctl status ceph-radosgw@rgw.`hostname -s`
What we are looking for here is radosgw to be 'Active' and to have a
LISTEN port on 443 as follows:
$ netstat -anputa | grep LISTEN | grep 443 # or any port mentioned in the configuration above.
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 10153/radosgw
[Potential Regression]
* The same downgrade approach has been made for 'nodejs' via LP: #1798367
* The proposed packages have been tested on at least 2 different Ceph
clusters impacted by the issue, and have been tested at various levels
(no package update problem, radosgw is now working fine when civetweb
is configured over ssl, ...)
* Nothing can be worse than the current situation, considering that
civetweb is non-functional when SSL is in use due to the
incompatibility with 1.1, which makes the radosgw daemon fail.
* libssl1.0 and libssl1.1 are coinstallable ABIs so it shouldn't be a
problem here.
* See IRC discussion (xnox/jamespage) on comment #11
* All autopkgtest 'passed'
http://autopkgtest.ubuntu.com/packages/ceph
[Other Information]
* Adding OpenSSL 1.1 support has been explored and proved to be non-trivial:
https://github.com/civetweb/civetweb/pull/384/commits
https://github.com/civetweb/civetweb/commit/adac9c916fa892ec5edce7b565803f1e62d304a2
https://github.com/civetweb/civetweb/commit/5d83900fd29fb6fa1cd604676cb0562dc984dcc9
http://docs.ceph.com/docs/bobtail/radosgw/troubleshooting/
See IRC discussion on comment #11
[Original Description]
Bionic's radosgw package (Version 12.2.11-0ubuntu0.18.04.1) can't run
on Bionic, because the version of civetweb in Luminous is incompatible
with libssl1.1, but it's built against libssl1.1.
This has been known about upstream for a while now, and as noted in
the bug-tracker (https://tracker.ceph.com/issues/20696), it can be
fixed by building Luminous in an environment that has only libssl1.0
available (or, in a more invasive manner, by incorporating a newer
civetweb). A patch is in the tracker.ceph.com issue.
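The checks in steps 5 and 6 of the test case can be scripted; the following is an added example, not part of the bug report or of the Ceph packaging. The function names and verdict strings are hypothetical, and the sample inputs are constructed from lines quoted in the report (on a real node, feed it the radosgw log and `netstat -anpt` output instead).

```shell
#!/bin/sh
# Added example: classify the test-case outcome from captured text.
# Sample inputs are constructed from lines quoted in the bug report.
BROKEN_LOG='2019-04-02 16:40:14.846313 7ff8c1736000 0 starting handler: civetweb
2019-04-02 16:40:14.846397 7ff8c1736000 0 civetweb: 0x56114520d620: load_dll: libcrypto.so.1.1: cannot find CRYPTO_num_locks
2019-04-02 16:40:14.846424 7ff8c1736000 -1 ERROR: failed run'
FIXED_LOG='2019-05-01 19:51:56.115874 7f1924299000 0 starting handler: civetweb'
NETSTAT_443='tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4225/radosgw'
# Constructed: daemon is up, but only on the plain-HTTP port.
NETSTAT_80='tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4225/radosgw'

# stdin: radosgw log text.
# Prints "<library>:<symbol>" for each civetweb load_dll failure.
civetweb_load_failures() {
    sed -n 's/.*civetweb: [^ ]*: load_dll: \([^ :]*\): cannot find \([A-Za-z0-9_]*\).*/\1:\2/p'
}

# stdin: netstat text. Succeeds only if radosgw LISTENs on port $1
# (the last ":"-separated field of the local address, so ":::443" works too).
radosgw_listening() {
    awk -v port="$1" '
        $6 == "LISTEN" && $7 ~ /\/radosgw$/ {
            n = split($4, a, ":")
            if (a[n] == port) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# verdict LOG_TEXT NETSTAT_TEXT PORT
# Prints BROKEN:<library>:<symbol>, NOT-LISTENING or OK.
verdict() {
    fail=$(printf '%s\n' "$1" | civetweb_load_failures | sort -u | head -n 1)
    if [ -n "$fail" ]; then
        echo "BROKEN:$fail"
    elif printf '%s\n' "$2" | radosgw_listening "$3"; then
        echo "OK"
    else
        echo "NOT-LISTENING"
    fi
}

verdict "$BROKEN_LOG" "" 443
verdict "$FIXED_LOG" "$NETSTAT_443" 443
verdict "$FIXED_LOG" "$NETSTAT_80" 443
```

The third case matters for verification: a daemon that is 'Active' but bound only to port 80 has not exercised the SSL code path at all.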