Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/nginx: run config test as nginx user #95249

Closed
wants to merge 1 commit into from
Closed

nixos/nginx: run config test as nginx user #95249

wants to merge 1 commit into from

Conversation

Mic92
Copy link
Member

@Mic92 Mic92 commented Aug 12, 2020
edited

Otherwise this changes ownership of /var/cache/nginx/ to nobody
which makes the normal execution fail.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@Mic92
nixos/nginx: run config test as nginx user
87b7527 
Otherwise this changes ownership of /var/cache/nginx/ to nobody
which makes the normal execution fail.
This was referenced Aug 12, 2020
Closed
Merged
@flokli
Copy link
Contributor

flokli commented Aug 12, 2020

Can we move the check command into an additional ExecReload line of the main unit (which should already run as the right user)?

@Izorkin
Copy link
Contributor

Izorkin commented Aug 12, 2020

This option works for me.

@Mic92
Copy link
Member Author

Mic92 commented Aug 12, 2020

Can we move the check command into an additional ExecReload line of the main unit (which should already run as the right user)?

No because than I cannot add it nginx to the keys group and still have the needed privileges. This solution is simpler.

@flokli
Copy link
Contributor

flokli commented Aug 12, 2020

No because than I cannot add it nginx to the keys group and still have the needed privileges. This solution is simpler.

I don't understand. The configuration check would need to run with the same permissions, groups etc. as the main unit, so having reload logic inside the main unit should be exactly what we need, shouldn't it?

@Mic92
Copy link
Member Author

Mic92 commented Aug 12, 2020

No because than I cannot add it nginx to the keys group and still have the needed privileges. This solution is simpler.

I don't understand. The configuration check would need to run with the same permissions, groups etc. as the main unit, so having reload logic inside the main unit should be exactly what we need, shouldn't it?

There is already nginx -t in the main unit. However the purpose of having it in here is to have better error messages when the reload failed.

@flokli
Copy link
Contributor

flokli commented Aug 12, 2020

No because than I cannot add it nginx to the keys group and still have the needed privileges. This solution is simpler.

I don't understand. The configuration check would need to run with the same permissions, groups etc. as the main unit, so having reload logic inside the main unit should be exactly what we need, shouldn't it?

There is already nginx -t in the main unit. However the purpose of having it in here is to have better error messages when the reload failed.

Not for the reload command, only the start command. I'd assume if we add it to the reload commands, we'd get the same (better) error messages.

@Mic92
Copy link
Member Author

Mic92 commented Aug 12, 2020
edited

No because than I cannot add it nginx to the keys group and still have the needed privileges. This solution is simpler.

I don't understand. The configuration check would need to run with the same permissions, groups etc. as the main unit, so having reload logic inside the main unit should be exactly what we need, shouldn't it?

There is already nginx -t in the main unit. However the purpose of having it in here is to have better error messages when the reload failed.

Not for the reload command, only the start command. I'd assume if we add it to the reload commands, we'd get the same (better) error messages.

I don't think the error is shown because the nginx.service is not reloaded from the activation script point of view.

@flokli
Copy link
Contributor

flokli commented Aug 12, 2020

I did the following patch:

From f694fc3d1003d1343dcb32e10dcb9e7a3eddf700 Mon Sep 17 00:00:00 2001
From: Florian Klink <flokli@flokli.de>
Date: Wed, 12 Aug 2020 15:37:20 +0200
Subject: [PATCH] nixos/nginx: move configuration testing script into reload
 command

We want to check the configuration also when running
`systemctl reload nginx`, not only when restarting the dummy
`nginx-config-reload` unit (which is mostly a workaround for missing
features in our activation script anyways).
---
 nixos/modules/services/web-servers/nginx/default.nix | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 6e0d60a110d..461888c4cc4 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -704,7 +704,10 @@ in
       '';
       serviceConfig = {
         ExecStart = execCommand;
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        ExecReload = [
+          "${execCommand} -t"
+          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
+        ];
         Restart = "always";
         RestartSec = "10s";
         StartLimitInterval = "1min";
@@ -761,8 +764,7 @@ in
       serviceConfig.TimeoutSec = 60;
       script = ''
         if /run/current-system/systemd/bin/systemctl -q is-active nginx.service ; then
-          ${execCommand} -g "user ${cfg.user} ${cfg.group};" -t && \
-            /run/current-system/systemd/bin/systemctl reload nginx.service
+          /run/current-system/systemd/bin/systemctl reload nginx.service
         fi
       '';
       serviceConfig.RemainAfterExit = true;
-- 
2.28.0

And re-ran the nginx VM test, which also tries to switch to a configuration with a broken nginx config. The failing ExecReload command propagates to the systemctl reload, which propagates to the nginx-config-reload unit, which I think would be preferrable.

@Mic92
Copy link
Member Author

Mic92 commented Aug 12, 2020

Feel to make a PR.

@Mic92 Mic92 closed this Aug 12, 2020
@Mic92 Mic92 deleted the nginx-config-reload branch August 12, 2020 16:04
@flokli flokli mentioned this pull request Aug 12, 2020
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Mic92 @flokli @Izorkin