Question about rotating log files with USR1 signal
Maxim Dounin
mdounin at mdounin.ru
Tue Jul 19 03:16:16 UTC 2022
Hello!
On Mon, Jul 18, 2022 at 01:37:47PM -0300, Fabiano Furtado Pessoa Coelho wrote:
> As described in the official documentation
> http://nginx.org/en/docs/control.html#logs "The master process will
> then re-open all currently open log files and assign them an
> unprivileged user under which the worker processes are running, as an
> owner.", the owner of the log file changes after the USR1 signal is
> sent to NGINX master process.
>
> Why does this behavior happen? Is there a way to keep the original
> root owner of the log file?

Log files owned by root generally cannot be opened by worker
processes for writing. To make sure worker processes can reopen
the log files, master process chowns them and ensures appropriate
permissions for the owner.

Unless you are willing to run nginx worker processes under root
(which is unwise), there is no way to preserve root as the
owner of log files during fast log rotation.

If for some reason you must keep root as the owner of log files,
using reconfiguration instead of log rotation might work.
Obviously enough, this isn't a good solution either.

A better solution for reopening log files would be to implement
file descriptor passing on systems which support it, see
https://trac.nginx.org/nginx/ticket/376. So far attempts to
implement this did not result in reasonably reliable code.

> The "systemctl reload nginx" is capable of creating a new log file
> with the original root owner, but I think this isn't a clever
> solution.
More importantly, this won't work. By pre-creating log files you
can fine-control permissions on the files, but during log rotation
nginx will change the owner anyway.
--
Maxim Dounin
http://mdounin.ru/
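
On POSIX systems, the file descriptor passing mentioned in the message is done with SCM_RIGHTS ancillary data on a Unix-domain socket: the process that may open the file sends the open descriptor, so the file's owner and mode never change. The sketch below is an added illustration, not part of the original message and not nginx code; `send_fd`, `recv_fd`, `demo_reopen` and the temporary path are names assumed for the example, and one process plays both roles over a socketpair.

```c
#include <string.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Control-message buffer sized and aligned for exactly one descriptor. */
union fd_ctl { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Privileged side: send an already-open descriptor. Returns 0 or -1. */
int send_fd(int sock, int fd) {
    char byte = 'F';                       /* at least one data byte must travel */
    struct iovec iov = { &byte, 1 };
    union fd_ctl ctl;
    memset(&ctl, 0, sizeof ctl);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Unprivileged side: receive the descriptor. Returns the new fd or -1. */
int recv_fd(int sock) {
    char byte;
    struct iovec iov = { &byte, 1 };
    union fd_ctl ctl;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;  /* reject anything else */
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Returns the log size after the receiver's write, or -1 on any failure. */
long demo_reopen(void) {
    char path[] = "/tmp/fdpass-XXXXXX";    /* constructed temporary log file */
    int sp[2], logfd = mkstemp(path);      /* created with mode 0600 */
    struct stat st;
    if (logfd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) return -1;
    int got = send_fd(sp[0], logfd) == 0 ? recv_fd(sp[1]) : -1;
    int ok = got >= 0 && write(got, "GET / 200\n", 10) == 10 && fstat(logfd, &st) == 0;
    unlink(path); close(got); close(logfd); close(sp[0]); close(sp[1]);
    return ok && (st.st_mode & 0777) == 0600 ? (long)st.st_size : -1;
}
```

The receiver writes through a descriptor it never opened itself, and the file keeps mode 0600 and its original owner throughout.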