Opened 21 months ago
Closed 20 months ago
#2466 closed defect (worksforme)
I can't start nginx when 'quic_bpf on' with systemd-service
Reported by: | love4taylor | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.23.x |
Keywords: | | Cc: | |
uname -a: | Linux au-tokyo-n1.love4taylor.com 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux | | |

nginx -V:

```
nginx version: nginx/1.23.4
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 3.0.7+quic 1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-stream_quic_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --add-module=../modules/ngx_brotli --add-module=../modules/ngx_http_substitutions_filter_module --add-module=../modules/nginx-dav-ext-module --add-module=../modules/ngx-fancyindex --add-module=../modules/headers-more-nginx-module --with-zlib=../zlib --with-openssl=../quictls --with-openssl-opt='zlib -march=native -ljemalloc -Wl,-flto' --with-cc-opt=-I../quictls/.openssl/include --with-ld-opt='-ljemalloc -L../quictls/.openssl/lib'
```
Description
Debian 11
systemd --version
systemd 247 (247.3-7+deb11u1) +PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified
nginx.conf
```
user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
quic_bpf on;

events {
    multi_accept on;
    worker_connections 65535;
}
```
default
```
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    listen 443 quic reuseport default_server;
    listen [::]:443 quic reuseport default_server;
```
nginx.service
```
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target
```
When I run nginx -t, it's ok:

```
love4taylor@au-tokyo-n1:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

But with systemctl start nginx, it fails:

```
Mar 09 11:36:40 au-tokyo-n1.love4taylor.com nginx[695439]: nginx: [alert] failed to create BPF map (1: Operation not permitted)
Mar 09 11:36:40 au-tokyo-n1.love4taylor.com nginx[695439]: nginx: [emerg] ngx_quic_bpf_module failed to initialize, check limits
```
As per 7df607cb2d11:
The error suggests the memlock limit is reached, so nginx is not able to create a BPF map. With systemd, adjusting LimitMEMLOCK= for the particular service is probably the way to go.
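
Added example, not part of the ticket or of the nginx project: a shell sketch of applying the LimitMEMLOCK= suggestion through a systemd drop-in and checking the limit a process actually received. The helper names, the drop-in file name `memlock.conf`, the value `8M` and the sample limits file are assumptions constructed for illustration; size the limit for your own deployment.

```shell
#!/bin/sh
# Added example (not from the ticket): check a process's memlock limit and
# generate a systemd drop-in that raises it for one service only.

# Print the soft "Max locked memory" value (bytes or "unlimited") from a
# file in /proc/<pid>/limits format, given as $1.
memlock_soft() {
    awk '/^Max locked memory/ { print $4 }' "$1"
}

# Succeed if the soft limit in file $1 is at least $2 bytes.
memlock_at_least() {
    cur=$(memlock_soft "$1")
    [ "$cur" = "unlimited" ] && return 0
    [ -n "$cur" ] && [ "$cur" -ge "$2" ]
}

# Write a drop-in that sets LimitMEMLOCK=$2 into directory $1.
# A drop-in leaves the packaged unit file untouched and scopes the
# raised limit to this service instead of the whole system.
write_dropin() {
    mkdir -p "$1" &&
    printf '[Service]\nLimitMEMLOCK=%s\n' "$2" > "$1/memlock.conf"
}

# Constructed sample in /proc/<pid>/limits format (not taken from the ticket).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max locked memory         65536                65536                bytes
Max open files            65535                65535                files
EOF

# On a real host, as root, the equivalent steps would be
# (8M is an assumed value, not one given in the ticket):
#   write_dropin /etc/systemd/system/nginx.service.d 8M
#   systemctl daemon-reload && systemctl restart nginx
#   systemctl show nginx -p LimitMEMLOCK
#   memlock_soft "/proc/$(cat /run/nginx.pid)/limits"
```

Checking `/proc/<pid>/limits` of the running master process confirms what systemd actually applied, which can differ from the limit of the interactive shell used for `nginx -t`.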