Opened 2 weeks ago
Last modified 8 days ago
#2638 new defect
nginx fails to restart after upgrade or reinstall of nginx.org RPM package via dnf
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | documentation | Version: | 1.24.x |
| Keywords: | restart, dnf, rpm, postun, upgrade, reinstall, execve | Cc: | |
| uname -a: | Linux hostname 5.14.0-362.24.1.el9_3.0.1.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 4 00:00:00 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.26.0
built by gcc 11.3.1 20221121 (Red Hat 11.3.1-4) (GCC) built with OpenSSL 3.0.7 1 Nov 2022 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' |
||
Description
This was observed during the upgrade from 1.24 to 1.26 on Rocky Linux 9.3, using the nginx.org nginx-stable repo.
During dnf upgrade nginx or dnf reinstall nginx, the command /sbin/service nginx upgrade is ran by the postuninstall RPM script. It fails, as can be seen by the output of "Binary upgrade failed, please check nginx's error.log" by dnf.
nginx's error.log contains this:
[alert] 10140#10140: execve() failed while executing new binary process "/usr/sbin/nginx" (13: Permission denied)
It seems to me that the %postun snippet in nginx.spec should use systemctl try-restart nginx instead?
Change History (2)
comment:1 by , 11 days ago
comment:2 by , 8 days ago
I see. Is it then a good idea to use /sbin/service nginx upgrade or scripts that do something similar as a graceful full restart in general?
It was a problem with systemd hardening: The problem goes away when ExecPaths contains the entire "/usr/sbin" (not just nginx executables). I tried some logging with auditd, but have not been able to find out which other binaries are needed by the execve() call.
Hi,
No, on %postun we explicitely want to upgrade the running nginx binary on the fly, without interruption, so a new one will be running. See https://nginx.org/en/docs/control.html#upgrade for the details. With
systemctl try-restart nginxwe will actually drop current connections and this is not something we would want.I suggest looking at the system logs on why you're getting Permission Denied, and fixing that issue.