View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001288||Rocky-Linux-9||nginx||public||2022-12-03 19:44||2022-12-09 17:43|
|Reporter||Stanis Trendelenburg||Assigned To|
|Summary||0001288: Nginx package installs a broken logrotate configuration|
|Description||When installing the nginx package via dnf, the default logrotate configuration that is installed alongside does not work, because the permissions on the log directory /var/log/nginx are too strict. This results in logs not being rotated properly: New logfiles are being created by logrotate, but nginx keeps writing to the old logfile(s).|
The directory /var/log/nginx is owned by user root, group root and has permissions "drwx------" (chmod 700). The main nginx process runs as root, but the worker processes run as the "nginx" user.
The way nginx rotates logfiles is described here: https://nginx.org/en/docs/control.html#logs
To rotate the logfiles, logrotate sends USR1 to the main process (this is correct). As described in the docs linked above, the main process then instructs the workers to reopen their log files, after making sure the logfiles belong to the nginx user. However, because of the restrictive permissions on the parent directory, the workers cannot open the files.
These lines appear in the main nginx error log (/var/log/nginx/error.log) after each log rotation:
2022/12/03 19:27:47 [emerg] 1110#1110: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2022/12/03 19:27:47 [emerg] 1110#1110: open() "/var/log/nginx/access.log" failed (13: Permission denied)
Suggestion: Change the permissions of the directory /var/log/nginx to this: user root, group nginx, chmod 710 (+x permission for group nginx). This is the minimal set of permissions required to make logrotate work.
|Steps To Reproduce||I've uploaded a script here to reproduce the issue on a minimal Rocky 9 installation: https://gist.github.com/trendels/b72b8ebd87fabaddd27fa6ad5b859541|
The script removes and re-installs nginx, sends an HTTP request to localhost, runs logrotate, and then sends another HTTP request. After this you can see that nginx keeps appending its logs to the same log file (the file created by logrotate stays at size 0).
|Tags||No tags attached.|
For comparison, I also tested with the nginx package from the nginx.org repo: https://nginx.org/en/linux_packages.html#RHEL
With this package log rotation works; the permissions of /var/log/nginx are set to root:root, chmod 755.
|This bug was fixed a while ago in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1966367|
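The permission argument in the report above, worked through as an added example (not part of the original issue or of the nginx or Rocky packaging): a shell check of whether a user has search permission on a directory, applied to the three owner/mode combinations mentioned on this page. The uid/gid 995 for the nginx user is a constructed stand-in, the function names are hypothetical, and POSIX ACLs and SELinux are not considered.

```shell
#!/bin/sh
# Added example: does a user have search (x) permission on a directory?
# Without it, open() on any file inside fails with EACCES (13), as in the
# error log lines quoted in the report. POSIX ACLs and SELinux are ignored.

# can_search MODE DIR_UID DIR_GID USER_UID "USER_GIDS"
# MODE is octal as printed by `stat -c %a` (e.g. 700). Returns 0 if allowed.
can_search() {
    local mode bit g
    mode=$((0$1))            # leading 0 makes the shell read MODE as octal
    bit=0001                 # default class: "other"
    if [ "$4" -eq 0 ]; then return 0; fi   # root bypasses the mode bits
    if [ "$4" -eq "$2" ]; then
        bit=0100             # owner class applies, and only that class
    else
        for g in $5; do
            if [ "$g" -eq "$3" ]; then bit=0010; break; fi
        done
    fi
    [ $(( $mode & $bit )) -ne 0 ]
}

# audit_dir DIR USER: run the same check against the live system
# (needs GNU stat). Returns 2 if DIR or USER cannot be looked up.
audit_dir() {
    local perms uid gids
    perms=$(stat -c '%a %u %g' "$1") || return 2
    uid=$(id -u "$2") || return 2
    gids=$(id -G "$2")
    can_search $perms "$uid" "$gids"   # $perms is split on purpose
}

# Constructed demo: uid/gid 995 stands in for the "nginx" user and group.
# Rows: packaged default, suggested fix, nginx.org package.
for cfg in "700 0 0" "710 0 995" "755 0 0"; do
    if can_search $cfg 995 "995"; then r=ok; else r=DENIED; fi
    echo "mode/owner/group $cfg -> worker (uid 995): $r"
done
```

On an affected host, `audit_dir /var/log/nginx nginx` returns non-zero until the directory grants the nginx user search permission.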