View Issue Details

ID: 0001288
Project: Rocky-Linux-9
Category: nginx
View Status: public
Last Update: 2022-12-09 17:43
Reporter: Stanis Trendelenburg
Assigned To:
Status: new
Resolution: open
Summary: 0001288: Nginx package installs a broken logrotate configuration
Description:
When installing the nginx package via dnf, the default logrotate configuration that is installed alongside does not work, because the permissions on the log directory /var/log/nginx are too strict. This results in logs not being rotated properly: New logfiles are being created by logrotate, but nginx keeps writing to the old logfile(s).

The directory /var/log/nginx is owned by user root, group root and has permissions "drwx------" (chmod 700). The main nginx process runs as root, but the worker processes run as the "nginx" user.

The way nginx rotates logfiles is described here:

To rotate the logfiles, logrotate sends USR1 to the main process (this is correct). As described in the docs linked above, the main process then instructs the workers to reopen their log files, after making sure the logfiles belong to the nginx user. However, because of the restrictive permissions on the parent directory, the workers cannot open the files.

These lines appear in the main nginx error log (/var/log/nginx/error.log) after each log rotation:

2022/12/03 19:27:47 [emerg] 1110#1110: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2022/12/03 19:27:47 [emerg] 1110#1110: open() "/var/log/nginx/access.log" failed (13: Permission denied)

Suggestion: Change the permissions of the directory /var/log/nginx to this: user root, group nginx, chmod 710 (+x permission for group nginx). This is the minimal set of permissions required to make logrotate work.

Steps To Reproduce:
I've uploaded a script here to reproduce the issue on a minimal Rocky 9 installation:

The script removes and re-installs nginx, sends an HTTP request to localhost, runs logrotate, and then sends another HTTP request. After this you can see that nginx keeps appending its logs to the same log file (the file created by logrotate stays at size 0).

Tags: No tags attached.


Stanis Trendelenburg

2022-12-03 20:05

reporter   ~0001585

For comparison, I also tested with the nginx package from the repo:

With this package log rotation works, the permissions of /var/log/nginx are set to root:root, chmod 755.
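
The three /var/log/nginx layouts mentioned in this issue (700 root:root, the suggested 710 root:nginx, and 755 root:root), evaluated with the POSIX directory search check. This is an added example, not part of the report or of any package; the function names `can_traverse`, `audit_dir` and `report` are hypothetical, and the worker is assumed to run as user "nginx" with "nginx" as its only group.

```shell
#!/bin/sh
# Added example, not from the issue. Models the POSIX search (x) check on a
# directory; ACLs and SELinux are not modelled.

# can_traverse MODE OWNER GROUP USER "USER_GROUPS" -> exit 0 if USER may
# enter the directory. Exactly one class applies (owner, else group, else
# other); a denied owner or group does not fall through to "other".
can_traverse() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    [ "$user" = root ] && return 0       # root bypasses directory search checks
    while [ "${#mode}" -lt 3 ]; do mode=0$mode; done    # "0"  -> "000"
    while [ "${#mode}" -gt 3 ]; do mode=${mode#?}; done # 2750 -> 750
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    if [ "$user" = "$owner" ]; then
        bits=$u
    else
        bits=$o
        for ug in $user_groups; do
            if [ "$ug" = "$group" ]; then bits=$g; break; fi
        done
    fi
    [ $((bits & 1)) -eq 1 ]
}

# audit_dir DIR USER: same check against a real directory (GNU stat, id).
audit_dir() {
    info=$(stat -c '%a %U %G' "$1") || return 2
    set -- $info "$2" "$(id -Gn "$2")"
    can_traverse "$@"
}

# The three layouts named in this issue, evaluated for a worker running as
# user "nginx" whose only group is assumed to be "nginx".
report() {
    for layout in "700 root root" "710 root nginx" "755 root root"; do
        set -- $layout
        if can_traverse "$1" "$2" "$3" nginx "nginx"; then
            result="workers can reopen their logs"
        else
            result="worker open() fails: 13 Permission denied"
        fi
        printf '%s %s:%s -> %s\n' "$1" "$2" "$3" "$result"
    done
}

report
```

On a live host, `audit_dir /var/log/nginx nginx` applies the same check to the installed directory.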
Stanis Trendelenburg

2022-12-09 17:43

reporter   ~0001684

This bug was fixed a while ago in Fedora:

Issue History

Date Modified Username Field Change
2022-12-03 19:44 Stanis Trendelenburg New Issue
2022-12-03 20:05 Stanis Trendelenburg Note Added: 0001585
2022-12-09 17:43 Stanis Trendelenburg Note Added: 0001684