** Description changed: [Impact] This is breaking Ceph cluster https service. # logs: 2019-04-02 16:40:14.846313 7ff8c1736000 0 starting handler: civetweb 2019-04-02 16:40:14.846397 7ff8c1736000 0 civetweb: 0x56114520d620: load_dll: libcrypto.so.1.1: cannot find CRYPTO_num_locks 2019-04-02 16:40:14.846424 7ff8c1736000 -1 ERROR: failed run [Test Case] 1) Generate a self-signed certificate or use whatever existing SSL certificate already in place. If one want to create a PEM file for civetweb, instructions can be found here : https://github.com/civetweb/civetweb/blob/master/docs/OpenSSL.md ** Note: "CivetWeb requires one certificate file in PEM format" ** 2) Enable logging and debugging in "/etc/ceph/ceph.conf" Example: ------ log to syslog = true err to syslog = true clog to syslog = true debug rgw = 10/5 debug civetweb = 1/10 ------ http://docs.ceph.com/docs/mimic/rados/troubleshooting/log-and-debug/ 3) From the radosgw node, modify "/etc/ceph/ceph.conf" as follow: rgw_frontends = civetweb port=443s ssl_certificate=/<path_to_PEM_FILE>/<PEM_FILE> 4) Restart the daemon: systemctl restart ceph-radosgw@rgw.`hostname -s` 5) Look logs: 2019-04-10 12:02:53.535133 7fcd20c4e000 0 civetweb: 0x562d710ed620: load_dll: libcrypto.so.1.1: cannot find CRYPTO_num_locks 6) Look radosgw which should FAILED to start. systemctl status ceph-radosgw@rgw.`hostname -s` What we are looking for here is radosgw to be 'Active' and to have a LISTEN port on 443 as follow : - $ netstat -anputa | grep LISTEN | grep 443 + $ netstat -anputa | grep LISTEN | grep 443 # or any port mentioned in the configuration above. tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 10153/radosgw [Potential Regression] * Same downgrade approach has been made for 'nodejs' via LP: #1798367 * Seems like civetweb is all that does SSL there, so it should be fine. * Nothing can be worst than current situation, considering that civetweb is non-functionnal when SSL is in used due to the incompatibility with 1.1 and make radosgw daemon to fail. * libssl1.0 and libssl1.1 are coinstallable ABIs so it shouldn't be a problem here. * See discussion IRC discussion on comment #11 [Other Information] * Adding the OpenSSL 1.1 support has been explored and revealed to be non-trivial : https://github.com/civetweb/civetweb/pull/384/commits https://github.com/civetweb/civetweb/commit/adac9c916fa892ec5edce7b565803f1e62d304a2 https://github.com/civetweb/civetweb/commit/5d83900fd29fb6fa1cd604676cb0562dc984dcc9 http://docs.ceph.com/docs/bobtail/radosgw/troubleshooting/ See discussion IRC discussion on comment #11 [Original Description] Bionic's radosgw package (Version 12.2.11-0ubuntu0.18.04.1 ) can't run on Bionic, because the version of civetweb in Luminous is incompatible with libssl1.1, but it's built against libssl1.1. This has been known about upstream for a while now, and as noted in the bug-tracker (https://tracker.ceph.com/issues/20696), it can be fixed by building Luminous in an environment that has only libssl1.0 available (or, in a more invasive manner, by incorporating a newer civetweb). A patch is in the tracker.ceph.com issue.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1822872 Title: Bionic: Luminous radosgw incompatible with libssl1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1822872/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
