Bug 1966367

Summary: nginx doesn't reopen the log file
Product: [Fedora] Fedora
Reporter: Alex <redhat>
Component: nginx
Assignee: Felix Kaechele <felix>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 33
CC: felix, jeremy, jkaluza, jorton, luhliari, ollie.yeoh, pavel.lisy, peter.borsa, wtogami
Hardware: x86_64   
OS: Linux   
Fixed In Version: nginx-1.20.1-2.fc34 nginx-1.20.1-2.fc33 nginx-1.20.1-2.el7
Last Closed: 2021-06-11 01:12:23 UTC
Type: Bug

Description Alex 2021-06-01 00:31:38 UTC
Description of problem:

nginx 1.20 and 1.20.1 can't reopen the log file, for example during log rotation.
nginx doesn't react to "kill -USR1..." or "nginx -s reopen" like it did in previous versions.

Version-Release number of selected component (if applicable):

Fedora 33,34
nginx 1.20 and 1.20.1

nginx-mimetypes-2.1.49-2.fc33.noarch
nginx-filesystem-1.20.1-1.fc33.noarch
nginx-1.20.1-1.fc33.x86_64
nginx-mod-stream-1.20.1-1.fc33.x86_64



How reproducible:

Rename log and send USR1 or reopen


Steps to Reproduce:

# ps aux| grep nginx

root      161544  0.0  0.0  75444  1540 ?        Ss   03:15   0:00 nginx: master process /usr/sbin/nginx
nginx     161545  0.0  0.0  75696  4808 ?        S    03:15   0:00 nginx: worker process

# lsof -p 161545| grep access.log
nginx   161545 nginx    5w      REG              253,0        0 1966873 /var/log/nginx/access.log

# mv /var/log/nginx/access.log /var/log/nginx/access.log.1
# lsof -p 161545| grep access.log
nginx   161545 nginx    5w      REG              253,0        0 1966873 /var/log/nginx/access.log.1

# kill -USR1 `cat /run/nginx.pid`
# nginx -s reopen
# lsof -p 161545| grep access.log
nginx   161545 nginx    5w      REG              253,0        0 1966873 /var/log/nginx/access.log.1

and after gzip or rm
nginx   161545 nginx    5w      REG              253,0     1016 1966873 /var/log/nginx/access.log.1 (deleted)

Expected results:

Reopen /var/log/nginx/access.log

Additional info:

For master process

lsof -p 161544| grep access.log

nginx   161544 root    8w   REG              253,0        0 1966356 /var/log/nginx/access.log

Comment 1 Felix Kaechele 2021-06-01 17:44:20 UTC
Hi there. Thanks for taking the time to file this detailed report.
I assume it relates to the changes to the log file permissions in the recent update.

I have built a test version in my staging COPR: https://copr.fedorainfracloud.org/coprs/heffer/nginx-el7-staging/
Can you enable that repo, update the package and try again?

Essentially what this does is set /var/log/nginx to root:root ownership with a mode of 711 and brings back logrotate to create new log files as nginx:root in mode 640.
We do this to prevent the web user from creating files in that directory (CVE-2016-1247).

Upon install your /var/log/nginx directory should automatically be set to the new permissions, but your log files may only change permissions after either running
rpm --setperms nginx
or by rotating logs forcefully
logrotate -f /etc/logrotate.d/nginx -v

My own local testing shows that the nginx worker processes are then able to open the logfiles again.

Thanks again for your effort reporting and testing this!
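
Added example, not part of Felix's comment or the Fedora package: a small audit that compares a log directory with the layout comment 1 describes (directory root:root mode 711, log files nginx:root mode 640). The worker account name `nginx`, the `*.log` file pattern and the function names are assumptions; `stat -c` is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example, not from the bug report. Specs below are the values stated
# in comment 1; WORKER (the worker account name) is an assumption.
WORKER=${WORKER:-nginx}
DIR_SPEC=${DIR_SPEC:-root:root:711}       # the log directory itself
FILE_SPEC=${FILE_SPEC:-$WORKER:root:640}  # files created by logrotate

# classify KIND OWNER GROUP MODE: print a verdict; return 0 only on a match.
classify() {
    case $1 in
        dir)
            [ "$2:$3:$4" = "$DIR_SPEC" ] && { echo ok; return 0; }
            # A worker-owned directory lets the web user create files in
            # it, which is what comment 1 wants to prevent.
            [ "$2" = "$WORKER" ] && { echo dir-owned-by-worker; return 1; }
            echo dir-mismatch; return 1 ;;
        file)
            [ "$2:$3:$4" = "$FILE_SPEC" ] && { echo ok; return 0; }
            # Under mode 640 only the owner may write, so a worker that is
            # not the owner cannot open the file for writing on reopen.
            [ "$2" != "$WORKER" ] && { echo file-not-owned-by-worker; return 1; }
            echo file-mismatch; return 1 ;;
    esac
    echo unknown-kind; return 2
}

# audit DIR: classify DIR and every *.log inside it (GNU stat syntax).
audit() {
    rc=0
    set -- "$1" "$1"/*.log
    for p in "$@"; do
        [ -e "$p" ] || continue
        kind=file
        if [ -d "$p" ]; then kind=dir; fi
        # Unquoted on purpose: stat prints "owner group mode" as 3 words.
        verdict=$(classify "$kind" $(stat -c '%U %G %a' "$p")) || rc=1
        printf '%s\t%s\n' "$p" "$verdict"
    done
    return "$rc"
}

# Run as root so the 711 directory can be listed: sh audit.sh /var/log/nginx
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

A non-zero exit status from `audit` means at least one path deviates from the expected layout; the per-path verdict says which kind of deviation it is.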

Comment 2 Alex 2021-06-01 19:16:25 UTC
Hi

I installed a package from your repo, and the permissions for /var/log/nginx changed.
And now it works again.


Thanks!

Comment 3 Fedora Update System 2021-06-02 00:26:39 UTC
FEDORA-2021-b37cffac0d has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-b37cffac0d

Comment 4 Fedora Update System 2021-06-02 00:26:40 UTC
FEDORA-EPEL-2021-8c50b78c57 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-8c50b78c57

Comment 5 Fedora Update System 2021-06-03 01:11:10 UTC
FEDORA-EPEL-2021-8c50b78c57 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-8c50b78c57

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-06-03 01:30:08 UTC
FEDORA-2021-b37cffac0d has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b37cffac0d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-b37cffac0d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-06-03 19:03:52 UTC
FEDORA-2021-393d698493 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-393d698493`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-393d698493

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-06-11 01:12:23 UTC
FEDORA-2021-393d698493 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2021-06-11 01:18:56 UTC
FEDORA-2021-b37cffac0d has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2021-06-18 00:31:33 UTC
FEDORA-EPEL-2021-8c50b78c57 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.