Unable to start daemon from a non-root user over a privileged port

Rajesh M

Jan 24, 2017, 2:35:18 AM
to Repo and Gerrit Discussion
Hi,

I am trying to start the Gerrit application as a non-root user. I need to use port 443 for HTTPS, but that port number is a privileged one and the daemon is failing to start.
I have overcome this by adding the JAVA application in CAP Read... "setcap cap_net_bind_service=+epi /opt/jdk1.8.0_121/bin/java"

Now I am not getting permission denied errors for HTTP socket creation, but the daemon is still failing with the error below. /proc has 700 permissions with only "root" as owner.
So, please suggest how to fix this error.

[2017-01-24 07:21:44,799] [main] ERROR com.google.gerrit.pgm.Daemon : Unable to start daemon
java.lang.InternalError: errno: 13 error: Unable to open directory /proc/self/fd

        at sun.management.OperatingSystemImpl.getOpenFileDescriptorCount(Native Method)
        at com.google.gerrit.metrics.proc.ProcMetricModule.procCpuUsage(ProcMetricModule.java:98)
        at com.google.gerrit.metrics.proc.ProcMetricModule.configure(ProcMetricModule.java:45)
        at com.google.gerrit.metrics.proc.MetricModule$1.start(MetricModule.java:35)
        at com.google.gerrit.lifecycle.LifecycleManager.start(LifecycleManager.java:89)
        at com.google.gerrit.pgm.Daemon.start(Daemon.java:311)
        at com.google.gerrit.pgm.Daemon.run(Daemon.java:212)
        at com.google.gerrit.pgm.util.AbstractProgram.main(AbstractProgram.java:64)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.google.gerrit.launcher.GerritLauncher.invokeProgram(GerritLauncher.java:161)
        at com.google.gerrit.launcher.GerritLauncher.mainImpl(GerritLauncher.java:102)
        at com.google.gerrit.launcher.GerritLauncher.main(GerritLauncher.java:59)
        at Main.main(Main.java:25)

Thanks,
Rajesh M

Remy Bohmer

Jan 24, 2017, 4:05:40 PM
to Rajesh M, Repo and Gerrit Discussion
Hi,

As an alternative solution, you can also configure port forwarding in iptables from this privileged port to an unprivileged one, and then bind Gerrit to that port.

Or run a regular web server like Apache and connect Gerrit through a reverse proxy configuration.

Kind regards,

Remy




Rajesh M

Jan 28, 2017, 11:37:16 AM
to Repo and Gerrit Discussion, rajesh....@gmail.com, li...@bohmer.net
Hi Remy,

I have tried the Apache reverse proxy already, but it didn't help.
Below are my Gerrit and Apache confs.

gerrit.config
[gerrit]
        basePath = /opt/gerrit/git
        canonicalWebUrl = https://<hostname>/

[httpd]
        listenUrl = proxy-https://127.0.0.1:8080/

http.conf

NameVirtualHost *:443

<VirtualHost *:443>
   ServerName <hostname>

   SSLEngine on
   SSLCertificateFile    /opt/server_keys/server.crt
   SSLCertificateKeyFile /opt/server_keys/server.key

   ProxyRequests Off
   ProxyVia Off
   ProxyPreserveHost On

   <Proxy *>
     Order deny,allow
     Allow from all
   </Proxy>

   AllowEncodedSlashes On
   ProxyPass / http://127.0.0.1:8080/ nocanon

</VirtualHost>

With these configs, I am getting the error below. There is no iptables/ip6tables service running on the server and FW ports are opened already.
When configuring Gerrit without the reverse proxy, everything is fine.

This site can’t be reached
<hostname> refused to connect.

Please correct me if the config is wrong.

Thanks,
Rajesh M
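
Added example, not part of the thread and not Gerrit or Apache code: a static cross-check of a Gerrit `listenUrl` against an Apache reverse-proxy fragment like the two posted above. The function names, finding texts and the hostname `gerrit.example.test` are assumptions made for the illustration. The `Listen` check looks only at the text it is given, so a directive living in another included file will be reported as absent.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input modelled on the fragments above; helper names are illustrative.
GERRIT_CONFIG = """
[gerrit]
        canonicalWebUrl = https://gerrit.example.test/
[httpd]
        listenUrl = proxy-https://127.0.0.1:8080/
"""
APACHE_CONFIG = """
<VirtualHost *:443>
   ProxyPass / http://127.0.0.1:8080/ nocanon
</VirtualHost>
"""

def git_config_value(text, section, key):
    """Return the value of key inside [section] of a git-style config, or None."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1).lower()
        elif current == section.lower() and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k.lower() == key.lower():
                return v
    return None

def check_proxy_pair(gerrit_cfg, apache_cfg):
    """Cross-check Gerrit's listener against the Apache front end; return findings."""
    findings = []
    listen = urlsplit(git_config_value(gerrit_cfg, "httpd", "listenUrl") or "")
    canonical = urlsplit(git_config_value(gerrit_cfg, "gerrit", "canonicalWebUrl") or "")
    if not listen.scheme.startswith("proxy-"):
        findings.append("listenUrl is not a proxy-http/proxy-https URL")
    elif listen.scheme != "proxy-" + canonical.scheme:
        findings.append("listenUrl scheme does not match canonicalWebUrl scheme")
    if listen.hostname not in ("127.0.0.1", "localhost", "::1"):
        findings.append("backend is not bound to loopback; clients can bypass the TLS proxy")
    backends = re.findall(r"(?im)^\s*ProxyPass\s+\S+\s+https?://([^/\s]+)", apache_cfg)
    if listen.netloc not in backends:
        findings.append("no ProxyPass targets %s" % listen.netloc)
    listening = set(re.findall(r"(?im)^\s*Listen\s+(?:\S+:)?(\d+)", apache_cfg))
    for port in re.findall(r"(?i)<VirtualHost\s+[^>]*?:(\d+)", apache_cfg):
        if port not in listening:
            findings.append("no Listen directive for port %s in the supplied Apache text" % port)
    return findings
```

A browser's "refused to connect" means nothing accepted the TCP connection on the front-end port, so the `Listen` finding is the one to follow up first; an unreachable Gerrit backend would instead surface as an HTTP error returned by Apache.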