Bug 1966367 - nginx doesn't reopen the log file
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nginx
Version: 33
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Felix Kaechele
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-06-01 00:31 UTC by Alex
Modified: 2021-06-18 00:31 UTC (History)

Fixed In Version: nginx-1.20.1-2.fc34 nginx-1.20.1-2.fc33 nginx-1.20.1-2.el7
Last Closed: 2021-06-11 01:12:23 UTC
Type: Bug

Description Alex 2021-06-01 00:31:38 UTC
Description of problem:

nginx 1.20 and 1.20.1 can't reopen the log file, for example during log rotation.
nginx doesn't react to "kill -USR1..." or "nginx -s reopen" like in previous versions.

Version-Release number of selected component (if applicable):

Fedora 33,34
nginx 1.20 and 1.20.1

nginx-mimetypes-2.1.49-2.fc33.noarch
nginx-filesystem-1.20.1-1.fc33.noarch
nginx-1.20.1-1.fc33.x86_64
nginx-mod-stream-1.20.1-1.fc33.x86_64



How reproducible:

Rename log and send USR1 or reopen


Steps to Reproduce:

# ps aux| grep nginx

root      161544  0.0  0.0  75444  1540 ?        Ss   03:15   0:00 nginx: master process /usr/sbin/nginx
nginx     161545  0.0  0.0  75696  4808 ?        S    03:15   0:00 nginx: worker process

# lsof -p 161545| grep access.log
nginx   161545 nginx    5w      REG              253,0        0 1966873 /var/log/nginx/access.log

# mv /var/log/nginx/access.log /var/log/nginx/access.log.1
# lsof -p 161545| grep access.log
nginx   161545 nginx    5w      REG              253,0        0 1966873 /var/log/nginx/access.log.1

# kill -USR1 `cat /run/nginx.pid`
# nginx -s reopen
# lsof -p 161545| grep access.log
nginx   161545 nginx    5w      REG              253,0        0 1966873 /var/log/nginx/access.log.1

and after gzip or rm
nginx   161545 nginx    5w      REG              253,0     1016 1966873 /var/log/nginx/access.log.1 (deleted)

Expected results:

Reopen /var/log/nginx/access.log

Additional info:

For master process

lsof -p 161544| grep access.log

nginx   161544 root    8w   REG              253,0        0 1966356 /var/log/nginx/access.log
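
Added example (not part of the original report): a shell function that automates the lsof comparison above by reading /proc/<pid>/fd on Linux and flagging log descriptors that still point at a renamed or deleted file. The function name and the assumption that live log names end in .log are illustrative.

```shell
#!/bin/sh
# Added example: flag log descriptors that survived a rotation.
# Linux only (reads /proc/<pid>/fd); run as root to inspect other users' processes.

# stale_log_fds PID LOGDIR   (hypothetical helper name)
# Prints "fd<TAB>status<TAB>target" for every descriptor opened under LOGDIR.
#   ok       target still ends in .log (assumed naming of the live log)
#   rotated  file was renamed but the process keeps writing to it
#   deleted  file was unlinked; its blocks stay allocated until the fd closes
# Returns 1 if any descriptor is rotated or deleted, 0 otherwise.
stale_log_fds() (
    pid=$1
    logdir=${2%/}
    rc=0
    for fd in /proc/"$pid"/fd/*; do
        # Unreadable or vanished descriptors are skipped, not treated as errors.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            "$logdir"/*" (deleted)") status=deleted; rc=1 ;;
            "$logdir"/*.log)         status=ok ;;
            "$logdir"/*)             status=rotated; rc=1 ;;
            *) continue ;;
        esac
        printf '%s\t%s\t%s\n' "${fd##*/}" "$status" "$target"
    done
    exit "$rc"
)

# When run directly: ./script.sh <pid> [logdir]
if [ $# -ge 1 ]; then
    stale_log_fds "$1" "${2:-/var/log/nginx}"
fi
```

Run against each worker PID after a rotation; any rotated or deleted line means the reopen signal did not take effect for that worker.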

Comment 1 Felix Kaechele 2021-06-01 17:44:20 UTC
Hi there. Thanks for taking the time to file this detailed report.
I assume it relates to the changes to the log file permissions in the recent update.

I have built a test version in my staging COPR: https://copr.fedorainfracloud.org/coprs/heffer/nginx-el7-staging/
Can you enable that repo, update the package and try again?

Essentially what this does is set /var/log/nginx to root:root ownership with a mode of 711 and bring back logrotate to create new log files as nginx:root in mode 640.
We do this to prevent the web user from creating files in that directory (CVE-2016-1247).

Upon install, your /var/log/nginx directory should automatically be set to the new permissions, but your log files may only change permissions after either running
rpm --setperms nginx
or by rotating logs forcefully
logrotate -f /etc/logrotate.d/nginx -v

My own local testing shows that the nginx worker processes are then able to open the logfiles again.

Thanks again for your effort reporting and testing this!
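
Added example (not Fedora's packaging code): a shell check for the ownership scheme described in this comment, directory root:root with mode 711 and live logs nginx:root with mode 640, so a host that has drifted from it is caught before the next rotation. The function name is hypothetical, GNU stat is assumed, and only files ending in .log are treated as live logs.

```shell
#!/bin/sh
# Added example: audit a log directory against the scheme from the comment above.
# Requires GNU stat (coreutils), as shipped on Fedora and EPEL.

# audit_logdir DIR [DIR_OWNER] [FILE_OWNER]   (hypothetical helper name)
# Defaults mirror the comment: directory root:root 711, logs nginx:root 640.
# Prints one line per deviation. Returns 0 when clean, 1 on deviations,
# 2 if DIR cannot be examined.
audit_logdir() (
    dir=${1%/}
    dir_owner=${2:-root:root}
    file_owner=${3:-nginx:root}
    rc=0

    # The directory must not be writable by the web user, so ownership and
    # mode are compared as one string: "owner:group mode".
    got=$(stat -c '%U:%G %a' "$dir") || exit 2
    if [ "$got" != "$dir_owner 711" ]; then
        echo "DIR  $dir: $got (want $dir_owner 711)"
        rc=1
    fi

    # Live logs only; rotated files keep whatever mode they had.
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        got=$(stat -c '%U:%G %a' "$f")
        if [ "$got" != "$file_owner 640" ]; then
            echo "FILE $f: $got (want $file_owner 640)"
            rc=1
        fi
    done
    exit "$rc"
)

# When run directly: ./script.sh <dir> [dir_owner] [file_owner]
if [ $# -ge 1 ]; then
    audit_logdir "$@"
fi
```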

Comment 2 Alex 2021-06-01 19:16:25 UTC
Hi

I installed a package from your repo, and the permissions for /var/log/nginx changed.
And now it works again.


Thanks!

Comment 3 Fedora Update System 2021-06-02 00:26:39 UTC
FEDORA-2021-b37cffac0d has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-b37cffac0d

Comment 4 Fedora Update System 2021-06-02 00:26:40 UTC
FEDORA-EPEL-2021-8c50b78c57 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-8c50b78c57

Comment 5 Fedora Update System 2021-06-03 01:11:10 UTC
FEDORA-EPEL-2021-8c50b78c57 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-8c50b78c57

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-06-03 01:30:08 UTC
FEDORA-2021-b37cffac0d has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b37cffac0d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-b37cffac0d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-06-03 19:03:52 UTC
FEDORA-2021-393d698493 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-393d698493`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-393d698493

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-06-11 01:12:23 UTC
FEDORA-2021-393d698493 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2021-06-11 01:18:56 UTC
FEDORA-2021-b37cffac0d has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2021-06-18 00:31:33 UTC
FEDORA-EPEL-2021-8c50b78c57 has been pushed to the Fedora EPEL 7 stable repository.
If the problem still persists, please make note of it in this bug report.

