Opened 3 weeks ago

Last modified 11 days ago

#2638 new defect

nginx fails to restart after upgrade or reinstall of nginx.org RPM package via dnf

Reported by: CEbhNwPM@…
Owned by:
Priority: minor
Milestone:
Component: documentation
Version: 1.24.x
Keywords: restart, dnf, rpm, postun, upgrade, reinstall, execve
Cc:
uname -a: Linux hostname 5.14.0-362.24.1.el9_3.0.1.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 4 00:00:00 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.26.0
built by gcc 11.3.1 20221121 (Red Hat 11.3.1-4) (GCC)
built with OpenSSL 3.0.7 1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Description

This was observed during the upgrade from 1.24 to 1.26 on Rocky Linux 9.3, using the nginx.org nginx-stable repo.

During dnf upgrade nginx or dnf reinstall nginx, the command /sbin/service nginx upgrade is run by the postuninstall RPM script. It fails, as can be seen by the output of "Binary upgrade failed, please check nginx's error.log" by dnf.

nginx's error.log contains this:

[alert] 10140#10140: execve() failed while executing new binary process "/usr/sbin/nginx" (13: Permission denied)

It seems to me that the %postun snippet in nginx.spec should use systemctl try-restart nginx instead?

Change History (2)

comment:1 by thresh, 2 weeks ago

Hi,

No, on %postun we explicitly want to upgrade the running nginx binary on the fly, without interruption, so a new one will be running. See https://nginx.org/en/docs/control.html#upgrade for the details. With systemctl try-restart nginx we will actually drop current connections and this is not something we would want.

I suggest looking at the system logs on why you're getting Permission Denied, and fixing that issue.

comment:2 by CEbhNwPM@…, 11 days ago

I see. Is it then a good idea to use /sbin/service nginx upgrade or scripts that do something similar as a graceful full restart in general?

It was a problem with systemd hardening: The problem goes away when ExecPaths contains the entire "/usr/sbin" (not just nginx executables). I tried some logging with auditd, but have not been able to find out which other binaries are needed by the execve() call.

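The on-the-fly binary upgrade that thresh's reply refers to, written out as an added example that is not part of this ticket and is not the nginx.org package's own %postun or service script: a POSIX sh script that follows the signal sequence documented at https://nginx.org/en/docs/control.html#upgrade (USR2 to start the new master, WINCH and then QUIT to retire the old one, HUP plus QUIT to roll back). The paths /usr/sbin/nginx and /var/run/nginx.pid are taken from the configure arguments above; the timeout value and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example: nginx on-the-fly binary upgrade per nginx.org/en/docs/control.html#upgrade.
# Not the nginx.org RPM's %postun/service script. Paths follow the configure arguments
# in this ticket; PID_FILE/NGINX_BIN/TIMEOUT are overridable so the helpers can be tested
# against constructed PID files without a running nginx.
set -u

NGINX_BIN="${NGINX_BIN:-/usr/sbin/nginx}"
PID_FILE="${PID_FILE:-/var/run/nginx.pid}"
TIMEOUT="${TIMEOUT:-10}"   # assumed: seconds to wait for the new master / old workers

# Print the PID stored in file $1; return 1 if the file is missing or not numeric.
read_pid() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Wait up to $2 seconds for file $1 to contain a PID.
wait_for_pid() {
    i=0
    while [ "$i" -lt "$2" ]; do
        read_pid "$1" >/dev/null && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Classify the state from the PID files, as a service script should before acting:
#   none      no master PID recorded
#   running   a single master
#   upgrading an old master (.oldbin) and a new master coexist
upgrade_state() {
    if read_pid "$1.oldbin" >/dev/null; then
        echo upgrading
    elif read_pid "$1" >/dev/null; then
        echo running
    else
        echo none
    fi
}

upgrade() {
    old_pid=$(read_pid "$PID_FILE") || { echo "no master PID in $PID_FILE" >&2; return 1; }
    kill -0 "$old_pid" 2>/dev/null || { echo "master $old_pid is not running" >&2; return 1; }
    [ "$(upgrade_state "$PID_FILE")" = running ] || { echo "an earlier upgrade is still in progress" >&2; return 1; }
    # The master execve()s the path it was started from (its argv[0]); NGINX_BIN is only
    # used here to test the on-disk configuration with the new binary before signalling.
    "$NGINX_BIN" -t -q || { echo "config test failed, not upgrading" >&2; return 1; }

    # USR2: the old master renames its PID file to .oldbin and execve()s the new binary.
    # This execve() runs inside the service's own sandbox, which is where the ticket's
    # "(13: Permission denied)" comes from. On failure the master logs the alert, moves
    # its PID file back and keeps serving, so the checks below catch it.
    kill -s USR2 "$old_pid"
    if ! wait_for_pid "$PID_FILE.oldbin" "$TIMEOUT" || ! wait_for_pid "$PID_FILE" "$TIMEOUT"; then
        echo "new master did not start; check error.log" >&2
        return 1
    fi
    new_pid=$(read_pid "$PID_FILE")
    if [ "$new_pid" = "$old_pid" ]; then
        echo "binary upgrade failed, old master $old_pid still owns $PID_FILE; check error.log" >&2
        return 1
    fi

    # WINCH: the old master shuts its workers down gracefully; the new workers take over.
    kill -s WINCH "$old_pid"
    sleep "$TIMEOUT"
    # QUIT: retire the old master. Up to this point `rollback` can still undo the upgrade.
    kill -s QUIT "$old_pid"
    echo "upgraded: old master $old_pid, new master $new_pid"
}

rollback() {
    old_pid=$(read_pid "$PID_FILE.oldbin") || { echo "no .oldbin PID file, nothing to roll back" >&2; return 1; }
    new_pid=$(read_pid "$PID_FILE") || { echo "no new master PID in $PID_FILE" >&2; return 1; }
    kill -s HUP "$old_pid"    # old master starts fresh workers from the old binary
    kill -s QUIT "$new_pid"   # new master and its workers shut down gracefully
    echo "rolled back to master $old_pid"
}

# With no argument the file only defines functions, so it can be sourced or tested.
case "${1:-}" in
    upgrade)  upgrade ;;
    rollback) rollback ;;
    state)    upgrade_state "$PID_FILE" ;;
    '')       ;;
    *)        echo "usage: $0 upgrade|rollback|state" >&2; exit 2 ;;
esac
```

The signals are sent from outside the unit (here, from an RPM scriptlet), but the execve() they trigger happens in the systemd-managed master, so it is subject to that unit's sandboxing; the reporter's finding that ExecPaths had to cover all of /usr/sbin rather than only the nginx executables applies to that step, and a failed upgrade shows up as the old master still owning the PID file rather than as a crash.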