Nginx reload shell command not working with in lua script - nginx

I have a dockerised Nginx server created with openresty base image. When a particular endpoint is called it need to update nginx config dynamically. For the changes to reflect I am trying to reload the nginx soon after the changes in config.
with in the container i am able to reload nginx server using /usr/local/openresty/nginx/sbin/nginx -s reload
when i try to use the same with in lua as below ,It doesn't shoot any error but the config changes aren't getting reflected.
os.execute("/usr/local/openresty/nginx/sbin/nginx -s reload ")

You can skip calling nginx altogether and just send a HUP signal to the master process using LuaJITs FFI.
local process = require 'ngx.process'
local ffi = require 'ffi'
ffi.cdef 'int kill(int pid, int sig);'
ffi.C.kill(process.get_master_pid(), 1)
However, this doesn't fix the permissions problem.
One idea that could work is:
Set up a named pipe with mkfifo and make it so your nginx-user can write to it
Enable the Priviliged Agent worker process.
Set the privileged worker up to listen for input on the named pipe (for example using the ngx.pipe module to open cat and waiting for input) and send a HUP signal to the master process
Change your os.execute code to instead write some line of text into the named pipe to have the privileged agent reload the server.
EDIT: If you dislike the cat hack, you might want to have a look at https://github.com/slact/ngx_lua_ipc
It might be possible to use IPC to keep the whole thing self-contained within a single nginx server instance, without any file access.

This command would be run with nginx worker process privileges, and you need to be a root in order to execute this command. You can try to make a particular script for this (lets assume its name would be /usr/local/openresty/nginx/sbin/reload-nginx.sh:
#!/bin/sh
/usr/local/openresty/nginx/sbin/nginx -s reload
set the owner of this script no nginx process user (lets assume its name is nginx), and set the suid bit on this script
chown nginx /usr/local/openresty/nginx/sbin/reload-nginx.sh
chmod +x /usr/local/openresty/nginx/sbin/reload-nginx.sh
chmod u+s /usr/local/openresty/nginx/sbin/reload-nginx.sh
and try to execute this script from your lua code:
os.execute("/usr/local/openresty/nginx/sbin/nginx-reload.sh")

Related

Website available even with no NGINX processes running

I have pulled into my web server so it has the latest code from my repo, i try to restart nginx - this doesnt do anything.
So I try the command
sudo nginx -s stop, and get the response that its failed because there is no such file or directory "run/nginx.pid" failed.
Trying to run the command ps aux | grep nginx gives me the response: unsupported option (BSD syntax) -- it actually comes out as ps aux > grep nginx in the digital ocean console.
Basically it seems that even though there are apparently no nginx processes running (although the command to check isnt working) my website is still running and using the old code, is there a way for me to check more definitively on the running processes?
Thanks if you can help.
Try sudo netstat -plunt to check if there's any nginx process running. See if there's anything running on port 80 or 443 and then look at the corresponding program name. You might have another server running possibly apache since it ships by default with most distributions which may be why nginx failed to start.
Another reason why it won't start might be due to faulty config. Go to /etc/nginx/ and double check that it's correct. You can also run sudo nginx -t to ensure that the config syntax is correct.
Alternatively, just check your nginx access log to see if it's actually serving any requests. You can also check the error log to see why it might fail to start. These resides in /var/log/nginx by default or check your nginx.conf for any custom path to logs.

how do I restart nginx which is install by passenger

I installed nginx by passenger-install-nginx-module , and start nginx by /opt/nginx/sbin/nginx, but I don't know how to stop or restart nginx after I update my nginx conf.
I know I can use the way ps aux | grep and kill, it there a way like services restart nginx ?
nginx is build to reload configuration without the need for a restart. The common way to restart nginx is to first do
nginx -t
Which will analyse the configuration file and tell you if there are any problems (this is very convenient since syntax errors in the configuration file means downtime). And then
nginx -s reload
Will reload the configuration and restart nginx workers one by one with the new config. This simply finds the master nginx process and sends it the right signal (this is not much different from your ps axu | grep and kill, it just uses a different signal).
There are several other useful command line options for configuration and logging. Being aware of them lets you run nginx practically without any downtime.

Kill process using Symfony

I am trying to kill a process with pid 38456 using Symfony with this code:
$process1 = new Process('kill -9 38456');
$process1->run();
Pitifully this doesn't work. I think this is due to permissions (Symfony only can kill its own process) but I am not sure about it.
Try to understand which user runs your code:
$process = new Process('whoami');
$process->run();
echo $process->getOutput();
If you are apache or www-data then most probably you have very limited rights.
Your options:
run your script from CLI (command-line) as root. This is the way I recommend
run the process you want to kill from your process
run web-server (apache or php-fpm) as root - very insecure
strange way - web-server can kill process not directly but for example create some file with process id to kill. Also there will be CLI process running by rout that will read this file and kill that process.

How to reload a spawned script for nginx fast cgi

Below is by code for spawing a fcgi script for nginx.
spawn-fcgi -d /home/ubuntu/workspace -f /home/ubuntu/workspace/index.py -a 127.0.0.1 -p 9001
Now, lets I want to make changes to the index.py script and reload with out bring down the system. How do reload the spawned program so the next connections are using the updated program while the others finish? For now I am killing the spawned process and running command again. I am hoping for something more graceful.
I tried this by the way.
sudo kill -1 `sudo lsof -t -i:9001
I have recently made something similar for node.js.
The idea is to have index.py as a very simple bootstrap script (which doesn‘t actually change much over time). It should catch SIGHUP, and reload/reread the application files (which are expected to change frequently).

Restart nginx without sudo?

So I want to be able to cap:deploy without having to type any passwords. I have setup all private keys so I can get to the remote servers fine, and am now using svn over ssh, so no passwords there.
I have one last problem, I need to be able to restart nginx. Right now I have sudo /etc/init.d/nginx reload. That is a problem b/c it uses the capistrano password, the one I just removed b/c I am using keys. Any ideas on how to restart nginx w\out a password?
I just spent a good hour looking at sudoer wildcards and the like trying to solve this exact problem. In truth, all you really need is a root executable script that restarts nginx.
Add this to the /etc/sudoers file
username hostname ALL=NOPASSWD: /path/to/script
Write script as root
#! /bin/bash
/bin/kill -HUP `cat /var/run/nginx.pid`
Make the script executable
Test.
sudo /path/to/script
There is a better answer on Stack Overflow that does not involve writing a custom script:
The best practice is to use /etc/sudoers.d/myusername
The /etc/sudoers.d/ folder can contain multiple files that allow users
to call stuff using sudo without being root.
The file usually contains a user and a list of commands that the user
can run without having to specify a password.
Instructions:
In all commands, replace myusername with the name of your user that you want to use to restart nginx without sudo.
Open sudoers file for your user:
$ sudo visudo -f /etc/sudoers.d/myusername
Editor will open. There you paste the following line. This will allow that user to run nginx start, restart, and stop:
myusername ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart
Save by hitting ctrl+o. It will ask where you want to save, simply press enter to confirm the default. Then exit out of the editor with ctrl+x.
Now you can restart (and start and stop) nginx without password. Let's try it.
Open new session (otherwise, you might simply not be asked for your sudo password because it has not timed out):
$ ssh myusername#myserver
Stop nginx
$ sudo /usr/sbin/service nginx stop
Confirm that nginx has stopped by checking your website or running ps aux | grep nginx
Start nginx
$ sudo /usr/sbin/service nginx start
Confirm that nginx has started by checking your website or running ps aux | grep nginx
PS: Make sure to use sudo /usr/sbin/service nginx start|restart|stop, and not sudo service nginx start|restart|stop.
Run sudo visudo
Append with below lines (in this example you can add multiple scripts and services after comma)
# Run scripts without asking for pass
<your-user> ALL=(root) NOPASSWD: /opt/fixdns.sh,/usr/sbin/service nginx *,/usr/sbin/service docker *
Save and exit with :wq
Create a rake task in Rails_App/lib/capistrano/tasks/nginx.rake and paste below code.
namespace :nginx do
%w(start stop restart reload).each do |command|
desc "#{command.capitalize} Nginx"
task command do
on roles(:app) do
execute :sudo, "service nginx #{command}"
end
end
end
end
Then ssh to your remote server and open file
sudo vi /etc/sudoers
and the paste this line (after line %sudo ALL=(ALL:ALL) ALL)
deploy ALL=(ALL:ALL) NOPASSWD: /usr/sbin/service nginx *
Or, as in your case,
deploy ALL=(ALL:ALL) NOPASSWD: /etc/init.d/nginx *
Here I am assuming your deployment user is deploy.
You can add here other commands too for which you dont require to enter password. For example
deploy ALL=(ALL:ALL) NOPASSWD: /usr/sbin/service nginx *, /etc/init.d/mysqld, /etc/init.d/apache2

Resources