Bug 2372546

Summary: Use `systemctl kill` in logrotate postrotate script
Product: [Fedora] Fedora
Reporter: Marcos Mello <marcosfrm>
Component: nginx
Assignee: Felix Kaechele <felix>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 42
CC: felix, jorton, luhliari, mikel, pavel.lisy, wtogami
Hardware: Unspecified
OS: Linux
Fixed In Version: nginx-1.28.3-1.fc44
Last Closed: 2026-04-25 01:24:59 UTC

Description Marcos Mello 2025-06-12 19:34:34 UTC
`systemctl kill` leverages systemd's knowledge of the daemon's main PID, eliminating the need to rely on PID files or external tools like `killall` or `pkill`. This ensures precise signal sending to the intended process, reducing the risk of errors in process identification. Additionally, using `systemctl kill` logs the signal sending in the service's journal, providing a record of actions taken. Requires selinux-policy-41.43 or higher (see https://bugzilla.redhat.com/show_bug.cgi?id=2369644), available as an update for F41, F42, and Rawhide.

https://bodhi.fedoraproject.org/updates/FEDORA-2025-eb98eb9e24 (F41 -- will go to stable in a few days)
https://bodhi.fedoraproject.org/updates/FEDORA-2025-f9f097f491 (F42 -- stable)
https://bodhi.fedoraproject.org/updates/FEDORA-2025-3db4c0ec1c (Rawhide)

The logrotate configuration snippet:

# cat /etc/logrotate.d/nginx
/var/log/nginx/*.log {
    create 0640 nginx root
    daily
    rotate 10
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}

In the postrotate script, kill can be replaced by:

/usr/bin/systemctl kill --signal=USR1 --kill-whom=main nginx.service 2>/dev/null || true

Because:

# systemctl show -P MainPID nginx.service
1056
# cat /run/nginx.pid
1056

Curiosity: this modification was attempted 10 years ago and shortly afterward reverted because the SELinux policy did not allow it:

https://src.fedoraproject.org/rpms/nginx/c/149abb601c02f1e863cd8696478aa036d80113d1
https://src.fedoraproject.org/rpms/nginx/c/68a715e76dac5ee500b7b124afeb2a8c0c752314

This time, with the updated policy, it can be implemented.

Reproducible: Always

Additional Information:
nginx-1.26.3-1.fc42.x86_64
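
As an added example (not code from this report or from the nginx package), the shell function below audits logrotate snippets for the pattern the description replaces: script blocks that choose their signal target from a PID file or by process name rather than through `systemctl kill`. The sample configuration is constructed, and the `exampled` service and the verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the bug report or the nginx package.
# audit_postrotate FILE...: print FILE:LINE: VERDICT for each signalling command
# in a logrotate script block; return 1 if any picks its target by PID file or name.
audit_postrotate() {
    awk '
        /^[ \t]*(prerotate|postrotate|firstaction|lastaction|preremove)[ \t]*$/ { in_script = 1; next }
        /^[ \t]*endscript[ \t]*$/ { in_script = 0; next }
        !in_script || /^[ \t]*#/ { next }             # only uncommented script lines
        /systemctl[ \t]+kill/ {                       # systemd resolves the target
            printf "%s:%d: OK systemctl-kill\n", FILENAME, FNR; next
        }
        /(^|[^A-Za-z0-9_])(killall|pkill)([ \t]|$)/ { # target chosen by process name
            printf "%s:%d: FLAG name-match\n", FILENAME, FNR; flagged++; next
        }
        /kill[ \t].*(`|\$\()[ \t]*cat[ \t].*\.pid/ {  # target read from a PID file
            printf "%s:%d: FLAG pid-file\n", FILENAME, FNR; flagged++
        }
        END { exit (flagged > 0) }
    ' "$@"
}

# Constructed sample input; "exampled" is a hypothetical service.
sample_config() {
    cat <<'EOF'
/var/log/nginx/*.log {
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
/var/log/exampled/*.log {
    postrotate
        # old: killall -HUP exampled
        /usr/bin/pkill -HUP exampled || true
    endscript
}
/var/log/nginx-fixed/*.log {
    postrotate
        /usr/bin/systemctl kill --signal=USR1 --kill-whom=main nginx.service 2>/dev/null || true
    endscript
}
EOF
}

# Audit the files named on the command line, if any.
if [ "$#" -gt 0 ]; then audit_postrotate "$@"; fi
```

Run against `/etc/logrotate.d/*`, a non-zero exit status means at least one script block was flagged.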

Comment 1 Felix Kaechele 2025-06-14 14:53:55 UTC
Nice catch! Thanks for reporting!

I'll implement this in the next update.
Which I know I'm a bit behind on.
It requires porting the custom patch Red Hat put in for password prompting when using password protected keys, a feature which I personally never used.
I reached out to my co-maintainer at Red Hat but haven't heard back, unfortunately.

Comment 2 Fedora Update System 2026-03-25 19:14:44 UTC
FEDORA-2026-4de4d247a0 (nginx-1.28.3-1.fc44, nginx-mod-brotli-1.0.0~rc-7.fc44, and 5 more) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-4de4d247a0

Comment 3 Fedora Update System 2026-03-26 04:03:02 UTC
FEDORA-2026-4de4d247a0 has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-4de4d247a0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-4de4d247a0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2026-04-25 01:24:59 UTC
FEDORA-2026-4de4d247a0 (nginx-1.28.3-1.fc44, nginx-mod-brotli-1.0.0~rc-7.fc44, and 5 more) has been pushed to the Fedora 44 stable repository.
If the problem still persists, please make note of it in this bug report.