Installing dynamic modules when Nginx itself is installed via yum/dnf (Linux)

Phoenix Kiula phoenix.kiula at gmail.com
Fri Jan 8 01:56:21 UTC 2021


Thank you. So I tried this. It's not as straightforward as it sounds.

Many issues with the ./configure step. If I include the "nginx -V" compile
options from my dnf repo install, it gives this stuff below, to which I add
the "--add-compat" with the modules to add (last four lines)--


./configure  --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx
--modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid
--lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx
--with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module
--with-http_realip_module --with-stream_ssl_preread_module
--with-http_addition_module --with-http_xslt_module=dynamic
--with-http_image_filter_module=dynamic --with-http_sub_module
--with-http_dav_module --with-http_flv_module --with-http_mp4_module
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_degradation_module --with-http_slice_module
--with-http_stub_status_module --with-http_perl_module=dynamic
--with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module
--with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module
--with-google_perftools_module --with-debug --with-cc-opt='-O2 -flto
-ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
--with-ld-opt='-Wl,-z,relro -Wl,--as-needed -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' \
    --with-compat \
        --add-dynamic-module=../ngx_brotli                      \
        --add-dynamic-module=../headers-more-nginx-module       \
        --add-dynamic-module=../ngx_security_headers



This gives the first error:

error: the invalid value in --with-ld-opt="-Wl,-z,relro -Wl,--as-needed
-Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E"

Not super informative. So I just remove this "--with-ld-opt" parameter.

Next error:

./configure: no supported file AIO was found

Currently file AIO is supported on FreeBSD 4.3+ and Linux 2.6.22+ only

So I try to do a "yum install libaio".

# yum install libaio

Last metadata expiration check: 0:00:22 ago on Thu 07 Jan 2021 08:44:10 PM
EST.

Package libaio-0.3.111-10.fc33.x86_64 is already installed.

Dependencies resolved.

Nothing to do.

Complete!


What do I need instead of this installed lib in the system? Anyway, I just
delete this option then. Try again the ./configure:

Next error:

./configure: error: can not detect int size

Googling for this suggests on stackoverflow that the "--with-cc-opt" is the
culprit. Not sure what precisely in this is the "int size" that it was
trying to detect. So I delete this whole parameter to try:

--with-cc-opt='-O2 -flto -ffat-lto-objects -fexceptions -g
-grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'


This entire thing is gone.

Trying again without this above param:


./configure: error: the HTTP image filter module requires the GD library.


Seriously, what amazing engineer has made this stuff? The GD library is
already installed on my system, but I check some variations:


# yum install libgd

Last metadata expiration check: 0:00:05 ago on Thu 07 Jan 2021 08:50:20 PM
EST.

No match for argument: *libgd*

Error: Unable to find a match: libgd



# yum install libgd-dev


Last metadata expiration check: 0:00:16 ago on Thu 07 Jan 2021 08:50:20 PM
EST.

No match for argument:
*libgd-dev*

Error: Unable to find a match: libgd-dev



# yum install gd

Last metadata expiration check: 0:00:51 ago on Thu 07 Jan 2021 08:50:20 PM
EST.

Package gd-2.3.0-3.fc33.x86_64 is already installed.

Dependencies resolved.

Nothing to do.

Complete!



At this point I basically give up? What the heck?

So I compiled the modules without all of these. Removed XSLT, removed image
filters, everything. The .so modules thus created of course don't do much.
When they're copied to the /etc/nginx/modules/ folder, and nginx reloaded,
they create an issue.


# systemctl status nginx.service


Jan 07 20:54:00 SERVER systemd[1]: Starting The nginx HTTP and reverse
proxy server...
Jan 07 20:54:00 SERVER nginx[39083]: nginx: [emerg] module
"/usr/share/nginx/modules/ngx_http_security_headers_module.so">
Jan 07 20:54:00 SERVER nginx[39083]: nginx: configuration file
/etc/nginx/nginx.conf test failed
Jan 07 20:54:00 SERVER systemd[1]: nginx.service: Control process exited,
code=exited, status=1/FAILURE
Jan 07 20:54:00 SERVER systemd[1]: nginx.service: Failed with result
'exit-code'.
Jan 07 20:54:00 SERVER systemd[1]: Failed to start The nginx HTTP and
reverse proxy server.



This doesn't give any meaningful error. Nor does "journalctl -xe".

Any suggestions to make this somewhat more sensible than this utterly
mediocre experience?

Thanks.







On Thu, Jan 7, 2021 at 1:35 AM Thomas Ward <teward at thomas-ward.net> wrote:

> You should, yes, to make sure your build as closely mirrors what is in the
> Fedora repos.
>
>
> Thomas
>
>
> On 1/6/21 11:19 PM, Phoenix Kiula wrote:
>
> Perfect. This is clear Thomas. Much appreciated...between Miguel's
> original pointer and this clarity from you I think it solves what I'm
> looking for. One last question: the `nginx -T` options...I'll add those to
> the ./configure command, yes?
>
>
>
> On Wed, Jan 6, 2021 at 10:55 PM Thomas Ward <teward at thomas-ward.net>
> wrote:
>
>> This is where **manually compiling by hand** is the problem.  You would
>> do the compilation in a separate directory **NOT** inside the space of the
>> system's control - usually I spawn new `/tmp` directories or destructable
>> directories in my home space.
>>
>> I'm not familiar with Fedora and the `dnf` command - but `dnf install`
>> installs the repositories-available-version of NGINX for Fedora's repos.
>>
>> The next steps you would take by hand are:
>>
>> (1) Install **all build dependencies and runtime dependencies** for NGINX
>> and the modules you're compiling dynamically.
>>
>> (2) Download the tarball to temporary space.
>>
>> (3) At the *very* least (though I suggest you go digging in the source of
>> Fedora's repos to get their build options, you can find them with `nginx
>> -T` output though) you need to do this:
>>
>> ./configure
>> --add-dynamic-module=/path/to/third/party/module/source/directory
>> make
>>
>> **This does not install nginx, this is the compiling of the binaries.**
>>
>> (4) Dig in the completed compile and find your .so file and put it in
>> /etc/nginx/modules (I believe that's where it is on your system, but I
>> can't validate that - again I'm not a Fedora user so I can't verify that's
>> exactly where you drop the module files themselves.
>>
>>
>> These're the *basic* steps - but again this will **not** install your
>> manually compiled nginx to overwrite what `dnf` installs - this simply
>> compiles everything and it's up to you to go digging to get the components
>> you need and put them where you need them to be for your system to
>> recognize them.
>>
>>
>> Thomas
>> On 1/6/21 10:47 PM, Phoenix Kiula wrote:
>>
>> Thank you Thomas. Much appreciate this, it sounds promising. Appreciate
>> your clarity.
>>
>> So if I:
>>
>> 1. Compile nginx via `dnf install nginx` and that becomes my system's
>> Nginx, installed usually in `/etc/nginx`
>>
>> 2. In a totally separate folder, say, `/usr/src`, I then download a
>> tarball of Nginx and compile it along with the dynamic modules -- which
>> will produce the .so files for said modules
>>
>> 3. Copy over the modules into the usual `/etc/nginx/modules` folder from
>> Step 1
>>
>>
>> ....in this sequence of steps, how do I make sure that:
>>
>>
>> A. The compilation in Step 2 does not become my "system's nginx" (so when
>> I do an `nginx -v` at the command prompt it should be refer to the nginx
>> installed in Step 1 above, and *not* the one compiled via Step 2)
>>
>> B. The compile in Step 2 will use the "same libraries" that DNF used? In
>> the DNF version of life I didn't pick any libraries manually...DNF found
>> what was on my system. Will the manual compile not do the same?
>>
>> Many thanks!
>>
>>
>>
>>
>> On Wed, Jan 6, 2021 at 10:19 PM Thomas Ward <teward at thomas-ward.net>
>> wrote:
>>
>>> I'm fairly familiar with the 'compiling process' for dynamic modules -
>>> the process is the same for NGINX Open Source as wel as NGINX Plus.
>>>
>>> You would need to compile the modules alongside NGINX and then harvest
>>> the compiled .so files and put them into corresponding locations on the
>>> system you want to load the dynamic modules.  In Ubuntu, we do this (or at
>>> least, I do) by using the same OS and libraries as installed on the target
>>> system (as well as the same NGINX version).
>>>
>>> This being said, **compiling** NGINX is different than **installing**
>>> NGINX - you can *compile* the nginx version 1.18.0 with the dynamic modules
>>> and the same configuration as the Fedora version, and then **take the
>>> compiled module** and load it up in your installed nginx instance.
>>> Compiling NGINX to make the dynamic module does NOT require you to then
>>> install that NGINX version, provided that you match the `make` steps and
>>> installed/available libraries to those used in the original nginx compile
>>> done in Fedora.
>>>
>>>
>>> Thomas
>>>
>>>
>>> On 1/6/21 5:30 PM, Phoenix Kiula wrote:
>>>
>>> Thank you Miguel. But you misunderstood the question. This suggestion...
>>>
>>>
>>>
>>>> nginx blog as a great guide on it though
>>>> https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/
>>>>
>>>>
>>>
>>>
>>> ...misses the very first question in this thread: we cannot compile
>>> nginx from source on our server. At least not in a way that that compiled
>>> version would become the nginx installed in our *system*. We need to
>>> install nginx via the default Fedora dnf package manager, which at this
>>> time installs 1.18.0.
>>>
>>> Now, what I don't mind doing is to compile nginx in some self-contained
>>> folder somewhere, then use that compilation to create the .so or whatever
>>> the module file for that version is....if all of this module compiling does
>>> *not* affect the system-installed dnf version of nginx. Is this possible?
>>>
>>> If so, the instructions do not help with this. The first step in that
>>> official tutorial is to compile nginx and that compiled nginx then becomes
>>> the system's main nginx. It replaces whatever was installed via "dnf
>>> install nginx". Yes?
>>>
>>> Hope this makes sense. Have I correctly understood how nginx compilation
>>> works? Appreciate any pointers.
>>>
>>> Thank you.
>>>
>>>
>>> _______________________________________________
>>> nginx mailing listnginx at nginx.orghttp://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20210107/af14a792/attachment-0001.htm>


More information about the nginx mailing list