Bug 2372546 - Use `systemctl kill` in logrotate postrotate script
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: nginx
Version: 42
Hardware: Unspecified
OS: Linux
unspecified
low
Assignee: Felix Kaechele
QA Contact: Fedora Extras Quality Assurance
Reported: 2025-06-12 19:34 UTC by Marcos Mello
Modified: 2026-04-25 01:24 UTC (History)

Fixed In Version: nginx-1.28.3-1.fc44
Last Closed: 2026-04-25 01:24:59 UTC

Description Marcos Mello 2025-06-12 19:34:34 UTC
`systemctl kill` leverages systemd's knowledge of the daemon's main PID, eliminating the need to rely on PID files or external tools like `killall` or `pkill`. This ensures precise signal sending to the intended process, reducing the risk of errors in process identification. Additionally, using `systemctl kill` logs the signal sending in the service's journal, providing a record of actions taken. Requires selinux-policy-41.43 or higher (see https://bugzilla.redhat.com/show_bug.cgi?id=2369644), available as an update for F41, F42, and Rawhide.

https://bodhi.fedoraproject.org/updates/FEDORA-2025-eb98eb9e24 (F41 -- will go to stable in a few days)
https://bodhi.fedoraproject.org/updates/FEDORA-2025-f9f097f491 (F42 -- stable)
https://bodhi.fedoraproject.org/updates/FEDORA-2025-3db4c0ec1c (Rawhide)

The logrotate configuration snippet:

# cat /etc/logrotate.d/nginx
/var/log/nginx/*.log {
    create 0640 nginx root
    daily
    rotate 10
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}

In the postrotate script, kill can be replaced by:

/usr/bin/systemctl kill --signal=USR1 --kill-whom=main nginx.service 2>/dev/null || true

Because:

# systemctl show -P MainPID nginx.service
1056
# cat /run/nginx.pid
1056

Curiosity: this modification was attempted 10 years ago and shortly afterward reverted because the SELinux policy did not allow it:

https://src.fedoraproject.org/rpms/nginx/c/149abb601c02f1e863cd8696478aa036d80113d1
https://src.fedoraproject.org/rpms/nginx/c/68a715e76dac5ee500b7b124afeb2a8c0c752314

This time, with the updated policy, it can be implemented.

Reproducible: Always




Additional Information:
nginx-1.26.3-1.fc42.x86_64
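
Added example (not part of the original report or of the nginx package): a shell check that flags logrotate script sections which signal a daemon through a PID file or by process name (`killall`, `pkill`), the pattern this report replaces with `systemctl kill`. The function names and the `byname` sample are hypothetical, and all sample input is constructed.

```shell
# audit_logrotate FILE...: print "file:line: reason: command" for each
# script line that signals by PID file or by process name.
audit_logrotate() {
    awk '
        function report(why) {
            sub(/^[ \t]+/, "")
            printf "%s:%d: %s: %s\n", FILENAME, FNR, why, $0
        }
        # Every logrotate script section is closed by "endscript".
        /^[ \t]*(prerotate|postrotate|firstaction|lastaction|preremove)[ \t]*$/ { in_script = 1; next }
        /^[ \t]*endscript[ \t]*$/ { in_script = 0; next }
        !in_script || /^[ \t]*#/ { next }
        { padded = " " $0 }   # leading space lets one regex cover start of line
        # killall/pkill select by name: every matching process is signalled.
        padded ~ /[^A-Za-z0-9_-](killall|pkill)[ \t]/ { report("name-match"); next }
        # kill fed from a *.pid file trusts whatever PID that file contains.
        padded ~ /[^A-Za-z0-9_-]kill[ \t]/ && /\.pid/ { report("pid-file") }
    ' "$@"
}

# Constructed samples: the snippet quoted in the report, the replacement it
# proposes, and a hypothetical killall variant.
write_samples() {
    dir=$1
    cat > "$dir/before" <<'EOF'
/var/log/nginx/*.log {
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
EOF
    cat > "$dir/after" <<'EOF'
/var/log/nginx/*.log {
    postrotate
        /usr/bin/systemctl kill --signal=USR1 --kill-whom=main nginx.service 2>/dev/null || true
    endscript
}
EOF
    cat > "$dir/byname" <<'EOF'
/var/log/example/*.log {
    postrotate
        killall -HUP exampled
    endscript
}
EOF
}

# Demo run over the constructed samples; only "before" and "byname" are flagged.
tmp=$(mktemp -d) && write_samples "$tmp" && audit_logrotate "$tmp"/* ; rm -rf "$tmp"
```

On a real host the function can be pointed at `/etc/logrotate.conf` and `/etc/logrotate.d/*`; the matching is line-based, so a PID read into a variable on one line and used on another is not detected.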

Comment 1 Felix Kaechele 2025-06-14 14:53:55 UTC
Nice catch! Thanks for reporting!

I'll implement this in the next update.
Which I know I'm a bit behind on.
It requires porting the custom patch Red Hat put in for password prompting when using password-protected keys, a feature which I personally never used.
I reached out to my co-maintainer at Red Hat but haven't heard back, unfortunately.

Comment 2 Fedora Update System 2026-03-25 19:14:44 UTC
FEDORA-2026-4de4d247a0 (nginx-1.28.3-1.fc44, nginx-mod-brotli-1.0.0~rc-7.fc44, and 5 more) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-4de4d247a0

Comment 3 Fedora Update System 2026-03-26 04:03:02 UTC
FEDORA-2026-4de4d247a0 has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-4de4d247a0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-4de4d247a0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2026-04-25 01:24:59 UTC
FEDORA-2026-4de4d247a0 (nginx-1.28.3-1.fc44, nginx-mod-brotli-1.0.0~rc-7.fc44, and 5 more) has been pushed to the Fedora 44 stable repository.
If the problem still persists, please make note of it in this bug report.

