How to ask 'nginx -t' to remove pid file it created?
Aleksandr Vinokurov
aleksandr.vin at gmail.com
Fri Jan 22 12:51:05 UTC 2016
Hi all,
I've met with a rather unpleasant behaviour of the nginx validation process (the one triggered by the '-t' command line option): it creates a pid file at the path from the configuration it validates, and leaves this file alone.
It sounds rather inoffensive until you step into RHEL7 with SELinux and want to use an Ansible role for installing nginx there.
If you call 'nginx -t -c /etc/nginx/nginx.conf', then it creates a pid file with the wrong SELinux context, and the presence of this pid file breaks the next call to 'systemctl start nginx', which, while failing to start the nginx service, removes the pid file. So the next calls to 'systemctl start nginx' will succeed.
Here is the proof log:
[root at SRV2-ELOG-VM58 ~]# ls -Z /run/nginx.pid
ls: cannot access /run/nginx.pid: No such file or directory
[root at SRV2-ELOG-VM58 ~]# systemctl start nginx
[root at SRV2-ELOG-VM58 ~]# ls -Z /run/nginx.pid
-rw-r--r--. root root system_u:object_r:httpd_var_run_t:s0 /run/nginx.pid
[root at SRV2-ELOG-VM58 ~]# systemctl stop nginx
[root at SRV2-ELOG-VM58 ~]# ls -Z /run/nginx.pid
ls: cannot access /run/nginx.pid: No such file or directory
[root at SRV2-ELOG-VM58 ~]# /usr/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root at SRV2-ELOG-VM58 ~]# ls -Z /run/nginx.pid
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 /run/nginx.pid
[root at SRV2-ELOG-VM58 ~]# systemctl start nginx
Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
[root at SRV2-ELOG-VM58 ~]# ls -Z /run/nginx.pid
ls: cannot access /run/nginx.pid: No such file or directory
[root at SRV2-ELOG-VM58 ~]# systemctl start nginx
[root at SRV2-ELOG-VM58 ~]# ls -Z /run/nginx.pid
-rw-r--r--. root root system_u:object_r:httpd_var_run_t:s0 /run/nginx.pid
[root at SRV2-ELOG-VM58 ~]#
Is there a way to ask nginx to remove the pid file it created during the validation process or not to create it at all?
Some additional info is here: https://github.com/geerlingguy/ansible-role-nginx/issues/41
With all the best,
Alex Vinokurov
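
A wrapper for the situation reported above, as an added example that is not part of the original post or of nginx: it runs the config test, removes the pid file only when the test run itself created it, and reads the SELinux type from an `ls -Z` line like those in the log. The function names are hypothetical; `httpd_var_run_t` as the expected type is taken from the log above.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the post or nginx.

# Run a config test and delete the pid file only if the test created it.
# Usage: nginx_test_clean PIDFILE COMMAND [ARGS...]
#   e.g. nginx_test_clean /run/nginx.pid /usr/sbin/nginx -t -c /etc/nginx/nginx.conf
nginx_test_clean() {
    pidfile=$1
    shift
    existed=0
    # A pid file present before the test belongs to a running nginx: keep it.
    if [ -e "$pidfile" ]; then existed=1; fi
    rc=0
    "$@" || rc=$?              # preserve the exit status of the config test
    if [ "$existed" -eq 0 ] && [ -e "$pidfile" ]; then
        rm -f -- "$pidfile"    # left behind (mislabelled) by the test run
    fi
    return "$rc"
}

# Print the SELinux type from one line of `ls -Z` output.
# Works for both the RHEL7 layout (mode, owner, group, context, path)
# and the shorter "context path" layout: it looks for user:role:type:level.
selinux_type() {
    for field in $1; do
        case $field in
            *:*:*:*)
                printf '%s\n' "$field" | cut -d: -f3
                return 0
                ;;
        esac
    done
    return 1                   # no SELinux context found on the line
}

# Succeed when the line carries the expected type (default from the log above).
pidfile_label_ok() {
    [ "$(selinux_type "$1")" = "${2:-httpd_var_run_t}" ]
}
```

In a provisioning task, call `nginx_test_clean` in place of the bare `nginx -t`; `pidfile_label_ok "$(ls -Z /run/nginx.pid)"` can then serve as a post-start check.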