Bug 2372546 - Use `systemctl kill` in logrotate postrotate script
Summary: Use `systemctl kill` in logrotate postrotate script
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: nginx
Version: 42
Hardware: Unspecified
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Felix Kaechele
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-06-12 19:34 UTC by Marcos Mello
Modified: 2025-06-14 14:53 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Marcos Mello 2025-06-12 19:34:34 UTC
`systemctl kill` leverages systemd's knowledge of the daemon's main PID, eliminating the need to rely on PID files or external tools like `killall` or `pkill`. This ensures precise signal sending to the intended process, reducing the risk of errors in process identification. Additionally, using `systemctl kill` logs the signal sending in the service's journal, providing a record of actions taken. Requires selinux-policy-41.43 or higher (see https://bugzilla.redhat.com/show_bug.cgi?id=2369644), available as an update for F41, F42, and Rawhide.

https://bodhi.fedoraproject.org/updates/FEDORA-2025-eb98eb9e24 (F41 -- will go to stable in a few days)
https://bodhi.fedoraproject.org/updates/FEDORA-2025-f9f097f491 (F42 -- stable)
https://bodhi.fedoraproject.org/updates/FEDORA-2025-3db4c0ec1c (Rawhide)

The logrotate configuration snippet:

# cat /etc/logrotate.d/nginx
/var/log/nginx/*.log {
    create 0640 nginx root
    daily
    rotate 10
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}

In the postrotate script, kill can be replaced by:

/usr/bin/systemctl kill --signal=USR1 --kill-whom=main nginx.service 2>/dev/null || true

Because:

# systemctl show -P MainPID nginx.service
1056
# cat /run/nginx.pid
1056

Curiosity: this modification was attempted 10 years ago and shortly afterward reverted because the SELinux policy did not allow it:

https://src.fedoraproject.org/rpms/nginx/c/149abb601c02f1e863cd8696478aa036d80113d1
https://src.fedoraproject.org/rpms/nginx/c/68a715e76dac5ee500b7b124afeb2a8c0c752314

This time, with the updated policy, it can be implemented.

Reproducible: Always




Additional Information:
nginx-1.26.3-1.fc42.x86_64

Comment 1 Felix Kaechele 2025-06-14 14:53:55 UTC
Nice catch! Thanks for reporting!

I'll implement this in the next update.
Which I know I'm a bit behind on.
It requires porting the custom patch Red Hat put in for password prompting when using password protected keys, a feature which I personally never used.
I reached out to my co-maintainer at Red Hat but haven't heard back, unfortunately.


Note You need to log in before you can comment on or make changes to this bug.