#2466 closed defect (worksforme)

I can't start nginx when 'quic_bpf on' with systemd-service

Reported by: love4taylor Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.23.x
Keywords: Cc:
uname -a: Linux au-tokyo-n1.love4taylor.com 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.23.4
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 3.0.7+quic 1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-stream_quic_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --add-module=../modules/ngx_brotli --add-module=../modules/ngx_http_substitutions_filter_module --add-module=../modules/nginx-dav-ext-module --add-module=../modules/ngx-fancyindex --add-module=../modules/headers-more-nginx-module --with-zlib=../zlib --with-openssl=../quictls --with-openssl-opt='zlib -march=native -ljemalloc -Wl,-flto' --with-cc-opt=-I../quictls/.openssl/include --with-ld-opt='-ljemalloc -L../quictls/.openssl/lib'

Description

Debian 11

systemd --version

systemd 247 (247.3-7+deb11u1)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

nginx.conf

user                 www-data;
pid                  /run/nginx.pid;
worker_processes     auto;
worker_rlimit_nofile 65535;
quic_bpf             on;

events {
    multi_accept       on;
    worker_connections 65535;
}

default

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    listen 443 quic reuseport default_server;
    listen [::]:443 quic reuseport default_server;

nginx.service

[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target

When I run nginx -t, it's OK

love4taylor@au-tokyo-n1:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

but systemctl start nginx fails

Mar 09 11:36:40 au-tokyo-n1.love4taylor.com nginx[695439]: nginx: [alert] failed to create BPF map (1: Operation not permitted)
Mar 09 11:36:40 au-tokyo-n1.love4taylor.com nginx[695439]: nginx: [emerg] ngx_quic_bpf_module failed to initialize, check limits

Change History (2)

comment:1 by Maxim Dounin, 12 months ago

As per 7df607cb2d11:

BPF objects are locked in RAM and are subject to RLIMIT_MEMLOCK.
The "ulimit -l" command may be used to setup proper limits, if maps
cannot be created with EPERM or updated with ETOOLONG.

The error suggests the memlock limit is reached, so nginx is not able to create a BPF map. With systemd, adjusting LimitMEMLOCK= for the particular service is probably the way to go.
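One way to apply the LimitMEMLOCK= advice above and confirm it took effect, as an added example that is not part of the ticket or of nginx itself. It assumes the unit is named nginx.service and the PID file is /run/nginx.pid (both as in the reporter's unit); the 64M bound is a value chosen here for illustration, the ticket names none. A bounded value is used rather than infinity so the service cannot pin arbitrary RAM, and the check reads the master's own /proc/<pid>/limits, because the interactive shell's ulimit -l says nothing about what systemd hands the service. The /proc limits text in SAMPLE_LIMITS is constructed for the self-check, not captured from the reporter's host. Note that this RLIMIT_MEMLOCK accounting applies to the 5.10 kernel in the report; from Linux 5.11 onward BPF memory is charged to the memory cgroup instead, so the same EPERM would not come from this limit there.

```shell
#!/bin/sh
# Added example (not from the ticket or nginx): raise RLIMIT_MEMLOCK for the
# nginx service via a systemd drop-in and verify it on the running master.
# Assumptions: unit name nginx.service, PID file /run/nginx.pid, and a
# hypothetical 64M bound (the ticket does not prescribe a value).

DROPIN_DIR=/etc/systemd/system/nginx.service.d
DROPIN_FILE=$DROPIN_DIR/10-memlock.conf
MEMLOCK_WANT=64M                       # value written into LimitMEMLOCK=
MEMLOCK_WANT_BYTES=$((64 * 1024 * 1024))  # same value, for the /proc check

# Text of the drop-in: a bounded limit, not "infinity", so a misbehaving
# worker cannot lock unlimited memory.
dropin_text() {
    printf '[Service]\nLimitMEMLOCK=%s\n' "$1"
}

# Parse the soft "Max locked memory" limit from /proc/<pid>/limits-format
# text on stdin. Columns are: Max locked memory <soft> <hard> bytes, so the
# soft limit is field 4. Prints bytes or the word "unlimited".
memlock_soft_limit() {
    awk '/^Max locked memory/ { print $4 }'
}

# Succeed when soft limit $1 (bytes or "unlimited") is at least $2 bytes.
memlock_ok() {
    [ -n "$1" ] || return 1
    [ "$1" = unlimited ] && return 0
    [ "$1" -ge "$2" ]
}

# Constructed sample in /proc/<pid>/limits format showing a 64 KiB soft
# limit, i.e. far below what a BPF map needs. Not from the reporter's host.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max locked memory         65536                65536                bytes'

# Write the drop-in, restart the unit and check the limit the master got.
apply() {
    mkdir -p "$DROPIN_DIR"
    dropin_text "$MEMLOCK_WANT" > "$DROPIN_FILE"
    systemctl daemon-reload
    systemctl restart nginx.service
    limit=$(memlock_soft_limit < /proc/"$(cat /run/nginx.pid)"/limits)
    if memlock_ok "$limit" "$MEMLOCK_WANT_BYTES"; then
        echo "nginx master RLIMIT_MEMLOCK soft limit: $limit (ok)"
    else
        echo "nginx master RLIMIT_MEMLOCK soft limit: $limit (too low)" >&2
        return 1
    fi
}

# Only touch the system when explicitly asked: "sh memlock.sh apply" as root.
if [ "${1:-}" = apply ]; then
    apply
fi
```

Run as root with the argument apply; without it the script only defines the functions, so the parsing and comparison can be exercised against SAMPLE_LIMITS first. If the check still reports too low after a restart, look for a LimitMEMLOCK= in the main unit or another drop-in overriding this one (systemctl cat nginx.service shows the merged result).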

comment:2 by Maxim Dounin, 11 months ago

Resolution: worksforme
Status: new → closed

Feedback timeout.
