Installing dynamic modules when Nginx itself is installed via yum/dnf (Linux)
Phoenix Kiula
phoenix.kiula at gmail.com
Fri Jan 8 03:38:50 UTC 2021
Just to add to this, despite having compiled it inside a freshly downloaded
folder of nginx 1.18.0, somehow it seems the modules were compiled with
1.16.1? How does this happen?
# nginx -t
nginx: [emerg] module
"/usr/share/nginx/modules/ngx_http_security_headers_module.so" version
1016001 instead of 1018000 in /etc/nginx/nginx.conf:16
nginx: configuration file /etc/nginx/nginx.conf test failed
On Thu, Jan 7, 2021 at 8:56 PM Phoenix Kiula <phoenix.kiula at gmail.com>
wrote:
> Thank you. So I tried this. It's not as straightforward as it sounds.
>
> Many issues with the ./configure step. If I include the "nginx -V" compile
> options from my dnf repo install, it gives this stuff below, to which I add
> the "--add-compat" with the modules to add (last four lines)--
>
>
> ./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx
> --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf
> --error-log-path=/var/log/nginx/error.log
> --http-log-path=/var/log/nginx/access.log
> --http-client-body-temp-path=/var/lib/nginx/tmp/client_body
> --http-proxy-temp-path=/var/lib/nginx/tmp/proxy
> --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi
> --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi
> --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid
> --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx
> --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module
> --with-http_realip_module --with-stream_ssl_preread_module
> --with-http_addition_module --with-http_xslt_module=dynamic
> --with-http_image_filter_module=dynamic --with-http_sub_module
> --with-http_dav_module --with-http_flv_module --with-http_mp4_module
> --with-http_gunzip_module --with-http_gzip_static_module
> --with-http_random_index_module --with-http_secure_link_module
> --with-http_degradation_module --with-http_slice_module
> --with-http_stub_status_module --with-http_perl_module=dynamic
> --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module
> --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module
> --with-google_perftools_module --with-debug --with-cc-opt='-O2 -flto
> -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
> --with-ld-opt='-Wl,-z,relro -Wl,--as-needed -Wl,-z,now
> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' \
> --with-compat \
> --add-dynamic-module=../ngx_brotli \
> --add-dynamic-module=../headers-more-nginx-module \
> --add-dynamic-module=../ngx_security_headers
>
>
>
> This gives the first error:
>
> error: the invalid value in --with-ld-opt="-Wl,-z,relro -Wl,--as-needed
> -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E"
>
> Not super informative. So I just remove this "--with-ld-opt" parameter.
>
> Next error:
>
> ./configure: no supported file AIO was found
>
> Currently file AIO is supported on FreeBSD 4.3+ and Linux 2.6.22+ only
>
> So I try to do a "yum install libaio".
>
> # yum install libaio
>
> Last metadata expiration check: 0:00:22 ago on Thu 07 Jan 2021 08:44:10 PM
> EST.
>
> Package libaio-0.3.111-10.fc33.x86_64 is already installed.
>
> Dependencies resolved.
>
> Nothing to do.
>
> Complete!
>
>
> What do I need instead of this installed lib in the system? Anyway, I just
> delete this option then. Try again the ./configure:
>
> Next error:
>
> ./configure: error: can not detect int size
>
> Googling for this suggests on stackoverflow that the "--with-cc-opt" is
> the culprit. Not sure what precisely in this is the "int size" that it was
> trying to detect. So I delete this whole parameter to try:
>
> --with-cc-opt='-O2 -flto -ffat-lto-objects -fexceptions -g
> -grecord-gcc-switches -pipe -Wall -Werror=format-security
> -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
>
>
> This entire thing is gone.
>
> Trying again without this above param:
>
>
> ./configure: error: the HTTP image filter module requires the GD library.
>
>
> Seriously, what amazing engineer has made this stuff? The GD library is
> already installed on my system, but I check some variations:
>
>
> # yum install libgd
>
> Last metadata expiration check: 0:00:05 ago on Thu 07 Jan 2021 08:50:20 PM
> EST.
>
> No match for argument: *libgd*
>
> Error: Unable to find a match: libgd
>
>
>
> # yum install libgd-dev
>
>
> Last metadata expiration check: 0:00:16 ago on Thu 07 Jan 2021 08:50:20 PM
> EST.
>
> No match for argument:
> *libgd-dev*
>
> Error: Unable to find a match: libgd-dev
>
>
>
> # yum install gd
>
> Last metadata expiration check: 0:00:51 ago on Thu 07 Jan 2021 08:50:20 PM
> EST.
>
> Package gd-2.3.0-3.fc33.x86_64 is already installed.
>
> Dependencies resolved.
>
> Nothing to do.
>
> Complete!
>
>
>
> At this point I basically give up? What the heck?
>
> So I compiled the modules without all of these. Removed XSLT, removed
> image filters, everything. The .so modules thus created of course don't do
> much. When they're copied to the /etc/nginx/modules/ folder, and nginx
> reloaded, they create an issue.
>
>
> # systemctl status nginx.service
>
>
> Jan 07 20:54:00 SERVER systemd[1]: Starting The nginx HTTP and reverse
> proxy server...
> Jan 07 20:54:00 SERVER nginx[39083]: nginx: [emerg] module
> "/usr/share/nginx/modules/ngx_http_security_headers_module.so">
> Jan 07 20:54:00 SERVER nginx[39083]: nginx: configuration file
> /etc/nginx/nginx.conf test failed
> Jan 07 20:54:00 SERVER systemd[1]: nginx.service: Control process exited,
> code=exited, status=1/FAILURE
> Jan 07 20:54:00 SERVER systemd[1]: nginx.service: Failed with result
> 'exit-code'.
> Jan 07 20:54:00 SERVER systemd[1]: Failed to start The nginx HTTP and
> reverse proxy server.
>
>
>
> This doesn't give any meaningful error. Nor does "journalctl -xe".
>
> Any suggestions to make this somewhat more sensible than this utterly
> mediocre experience?
>
> Thanks.
>
>
>
>
>
>
>
> On Thu, Jan 7, 2021 at 1:35 AM Thomas Ward <teward at thomas-ward.net> wrote:
>
>> You should, yes, to make sure your build as closely mirrors what is in
>> the Fedora repos.
>>
>>
>> Thomas
>>
>>
>> On 1/6/21 11:19 PM, Phoenix Kiula wrote:
>>
>> Perfect. This is clear Thomas. Much appreciated...between Miguel's
>> original pointer and this clarity from you I think it solves what I'm
>> looking for. One last question: the `nginx -T` options...I'll add those to
>> the ./configure command, yes?
>>
>>
>>
>> On Wed, Jan 6, 2021 at 10:55 PM Thomas Ward <teward at thomas-ward.net>
>> wrote:
>>
>>> This is where **manually compiling by hand** is the problem. You would
>>> do the compilation in a separate directory **NOT** inside the space of the
>>> system's control - usually I spawn new `/tmp` directories or destructible
>>> directories in my home space.
>>>
>>> I'm not familiar with Fedora and the `dnf` command - but `dnf install`
>>> installs the repositories-available-version of NGINX for Fedora's repos.
>>>
>>> The next steps you would take by hand are:
>>>
>>> (1) Install **all build dependencies and runtime dependencies** for
>>> NGINX and the modules you're compiling dynamically.
>>>
>>> (2) Download the tarball to temporary space.
>>>
>>> (3) At the *very* least (though I suggest you go digging in the source
>>> of Fedora's repos to get their build options, you can find them with `nginx
>>> -T` output though) you need to do this:
>>>
>>> ./configure \
>>>     --add-dynamic-module=/path/to/third/party/module/source/directory
>>> make
>>>
>>> **This does not install nginx, this is the compiling of the binaries.**
>>>
>>> (4) Dig in the completed compile and find your .so file and put it in
>>> /etc/nginx/modules (I believe that's where it is on your system, but I
>>> can't validate that - again I'm not a Fedora user so I can't verify that's
>>> exactly where you drop the module files themselves).
>>>
>>>
>>> These're the *basic* steps - but again this will **not** install your
>>> manually compiled nginx to overwrite what `dnf` installs - this simply
>>> compiles everything and it's up to you to go digging to get the components
>>> you need and put them where you need them to be for your system to
>>> recognize them.
>>>
>>>
>>> Thomas
>>> On 1/6/21 10:47 PM, Phoenix Kiula wrote:
>>>
>>> Thank you Thomas. Much appreciate this, it sounds promising. Appreciate
>>> your clarity.
>>>
>>> So if I:
>>>
>>> 1. Compile nginx via `dnf install nginx` and that becomes my system's
>>> Nginx, installed usually in `/etc/nginx`
>>>
>>> 2. In a totally separate folder, say, `/usr/src`, I then download a
>>> tarball of Nginx and compile it along with the dynamic modules -- which
>>> will produce the .so files for said modules
>>>
>>> 3. Copy over the modules into the usual `/etc/nginx/modules` folder from
>>> Step 1
>>>
>>>
>>> ....in this sequence of steps, how do I make sure that:
>>>
>>>
>>> A. The compilation in Step 2 does not become my "system's nginx" (so
>>> when I do an `nginx -v` at the command prompt it should refer to the
>>> nginx installed in Step 1 above, and *not* the one compiled via Step 2)
>>>
>>> B. The compile in Step 2 will use the "same libraries" that DNF used? In
>>> the DNF version of life I didn't pick any libraries manually...DNF found
>>> what was on my system. Will the manual compile not do the same?
>>>
>>> Many thanks!
>>>
>>>
>>>
>>>
>>> On Wed, Jan 6, 2021 at 10:19 PM Thomas Ward <teward at thomas-ward.net>
>>> wrote:
>>>
>>>> I'm fairly familiar with the 'compiling process' for dynamic modules -
>>>> the process is the same for NGINX Open Source as well as NGINX Plus.
>>>>
>>>> You would need to compile the modules alongside NGINX and then harvest
>>>> the compiled .so files and put them into corresponding locations on the
>>>> system you want to load the dynamic modules. In Ubuntu, we do this (or at
>>>> least, I do) by using the same OS and libraries as installed on the target
>>>> system (as well as the same NGINX version).
>>>>
>>>> This being said, **compiling** NGINX is different than **installing**
>>>> NGINX - you can *compile* the nginx version 1.18.0 with the dynamic modules
>>>> and the same configuration as the Fedora version, and then **take the
>>>> compiled module** and load it up in your installed nginx instance.
>>>> Compiling NGINX to make the dynamic module does NOT require you to then
>>>> install that NGINX version, provided that you match the `make` steps and
>>>> installed/available libraries to those used in the original nginx compile
>>>> done in Fedora.
>>>>
>>>>
>>>> Thomas
>>>>
>>>>
>>>> On 1/6/21 5:30 PM, Phoenix Kiula wrote:
>>>>
>>>> Thank you Miguel. But you misunderstood the question. This suggestion...
>>>>
>>>>
>>>>
>>>>> nginx blog has a great guide on it though
>>>>> https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/
>>>>>
>>>>>
>>>>
>>>>
>>>> ...misses the very first question in this thread: we cannot compile
>>>> nginx from source on our server. At least not in a way that that compiled
>>>> version would become the nginx installed in our *system*. We need to
>>>> install nginx via the default Fedora dnf package manager, which at this
>>>> time installs 1.18.0.
>>>>
>>>> Now, what I don't mind doing is to compile nginx in some self-contained
>>>> folder somewhere, then use that compilation to create the .so or whatever
>>>> the module file for that version is....if all of this module compiling does
>>>> *not* affect the system-installed dnf version of nginx. Is this possible?
>>>>
>>>> If so, the instructions do not help with this. The first step in that
>>>> official tutorial is to compile nginx and that compiled nginx then becomes
>>>> the system's main nginx. It replaces whatever was installed via "dnf
>>>> install nginx". Yes?
>>>>
>>>> Hope this makes sense. Have I correctly understood how nginx
>>>> compilation works? Appreciate any pointers.
>>>>
>>>> Thank you.
>>>>
>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>>>
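
Added example, not part of the thread: the numbers in the `nginx -t` error at the top of this message are nginx's packed `nginx_version` (major*1000000 + minor*1000 + patch), so 1016001 is 1.16.1 and 1018000 is 1.18.0. The sketch below decodes that error and checks a source tree's `src/core/nginx.h` against `nginx -v` output before building; the function names are hypothetical and the sample error text is copied from the message above.

```shell
#!/bin/sh
# Added example: diagnose an nginx dynamic-module version mismatch.
# Function names are hypothetical; module paths containing spaces are not handled.

# nginx_version packs major*1000000 + minor*1000 + patch (1018000 -> 1.18.0).
decode_ngx_version() {
    echo "$(( $1 / 1000000 )).$(( $1 / 1000 % 1000 )).$(( $1 % 1000 ))"
}

# Version a source tree stamps into every module built from it.
tree_version() (
    n=$(awk '$1 == "#define" && $2 == "nginx_version" { print $3 }' \
        "$1/src/core/nginx.h" 2>/dev/null)
    [ -n "$n" ] || exit 1
    decode_ngx_version "$n"
)

# Parse the (possibly line-wrapped) "[emerg] module ... version X instead of Y"
# text from `nginx -t`. Prints: <module path> built-for=<ver> running=<ver>
explain_mismatch() (
    set -- $(printf '%s' "$1" | tr '\n' ' ' | sed -n \
      's/.*module "\([^"]*\)" version \([0-9][0-9]*\) instead of \([0-9][0-9]*\).*/\1 \2 \3/p')
    [ $# -eq 3 ] || exit 1
    echo "$1 built-for=$(decode_ngx_version "$2") running=$(decode_ngx_version "$3")"
)

# Succeeds only if the source tree matches the text printed by `nginx -v`.
# Exit status 2 means the tree has no readable src/core/nginx.h.
tree_matches_installed() (
    want=$(printf '%s\n' "$2" | sed -n 's|.*nginx/\([0-9.]*\).*|\1|p')
    have=$(tree_version "$1") || exit 2
    [ "$want" = "$have" ]
)

# Sample input: the error text from the message above.
SAMPLE_ERR='nginx: [emerg] module
"/usr/share/nginx/modules/ngx_http_security_headers_module.so" version
1016001 instead of 1018000 in /etc/nginx/nginx.conf:16'

explain_mismatch "$SAMPLE_ERR"
```

On a real host the pre-build check would be `tree_matches_installed ./nginx-1.18.0 "$(nginx -v 2>&1)"`, since `nginx -v` writes to stderr. The "built-for" version names the source tree that produced the `.so` at the reported path, which is the file to trace back when the two versions differ.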