Hide Forgot
Description of problem: nginx 1.20 and 1.20.1 can't reopen log file. For example during logrotation. nginx doesn't react like in previous versions to "kill -USR1..." or "nginx -s reopen". Version-Release number of selected component (if applicable): Fedora 33,34 nginx 1.20 and 1.20.1 nginx-mimetypes-2.1.49-2.fc33.noarch nginx-filesystem-1.20.1-1.fc33.noarch nginx-1.20.1-1.fc33.x86_64 nginx-mod-stream-1.20.1-1.fc33.x86_64 How reproducible: Rename log and send USR1 or reopen Steps to Reproduce: # ps aux| grep nginx root 161544 0.0 0.0 75444 1540 ? Ss 03:15 0:00 nginx: master process /usr/sbin/nginx nginx 161545 0.0 0.0 75696 4808 ? S 03:15 0:00 nginx: worker process # lsof -p 161545| grep access.log nginx 161545 nginx 5w REG 253,0 0 1966873 /var/log/nginx/access.log # mv /var/log/nginx/access.log /var/log/nginx/access.log.1 # lsof -p 161545| grep access.log nginx 161545 nginx 5w REG 253,0 0 1966873 /var/log/nginx/access.log.1 # kill -USR1 `cat /run/nginx.pid` # nginx -s reopen # lsof -p 161545| grep access.log nginx 161545 nginx 5w REG 253,0 0 1966873 /var/log/nginx/access.log.1 and after gzip or rm nginx 161545 nginx 5w REG 253,0 1016 1966873 /var/log/nginx/access.log.1 (deleted) Expected results: Reopen /var/log/nginx/access.log Additional info: For master process lsof -p 161544| grep access.log nginx 161544 root 8w REG 253,0 0 1966356 /var/log/nginx/access.log
Hi there. Thanks for taking the time to file this detailed report. I assume it relates to the changes to the log file permissions in the recent update. I have built a test version in my staging COPR: https://copr.fedorainfracloud.org/coprs/heffer/nginx-el7-staging/ Can you enable that repo, update the package and try again? Essentially what this does is set /var/log/nginx to root:root ownership with a mode of 711 and brings back logrotate to create new log files as nginx:root in mode 640. We do this to prevent the web user from creating files in that directory (CVE-2016-1247). Upon install your /var/log/nginx directory should be automatically be set to the new permissions but your log files may only change permissions after either running rpm --setperms nginx or by rotating logs forcefully logrotate -f /etc/logrotate.d/nginx -v My own local testing shows that the nginx worker processes are then able to open the logfiles again. Thanks again for your effort reporting and testing this!
Hi I installed a package from your repo, permissions for /var/log/nginx changed. And now works again. Thanks!
FEDORA-2021-b37cffac0d has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-b37cffac0d
FEDORA-EPEL-2021-8c50b78c57 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-8c50b78c57
FEDORA-EPEL-2021-8c50b78c57 has been pushed to the Fedora EPEL 7 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-8c50b78c57 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-b37cffac0d has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b37cffac0d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-b37cffac0d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-393d698493 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-393d698493` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-393d698493 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-393d698493 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-b37cffac0d has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2021-8c50b78c57 has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.