I have the following line (plus context) in my nginx.conf:

http {
    proxy_cache_path cache/  keys_zone=auth_cache:10m;
    ...

Since nginx.conf is in /etc/nginx, cache/ corresponds to /etc/nginx/cache.

drwxr-xr-x. 5 root root 205 Jun 18 16:25 /etc/nginx

(I have also tried this with the absolute path /apps/nginx/cache/

drwx------. 2 nginx nginx 6 Jun 18 14:42 /apps/nginx

)

In either case, when I try to

$ sudo systemctl start nginx

it fails. journalctl -u nginx tells me the following:

... nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
... nginx: [emerg] mkdir() "/etc/nginx/cache" failed (13: Permission denied)
... nginx: configuration file /etc/nginx/nginx.conf test failed

(In the alternate scenario, it does say "/apps/nginx/cache" instead.)

I then tried to

$ sudo systemctl start nginx-debug

and this starts without any issues, error or warning logs. It creates the cache/ directory wherever specified in nginx.conf, and when I stop it and start the nginx service, this also starts normally.

I need to understand what causes this, so I can write my automation and configuration management to work out of the box. My two hypotheses are:

  1. It's a SELinux issue, and service/binary nginx-debug has different tags/restrictions to nginx.
  2. The pre-flight check when starting nginx tries to create the directory as a different, unprivileged user, but nginx-debug skips these checks and thus creates the directory as root or nginx.

Any idea how to efficiently get to the bottom of this? Thanks!

1 Answer

Not sure if this is an SELinux issue. The best way to check is to disable SELinux and run your stuff.

sudo setenforce 0   # switch to permissive mode; run "sudo setenforce 1" to re-enforce

If it's an SELinux issue, then you can try setting a context for the cache folder.

sudo semanage fcontext -a -t httpd_cache_t "/etc/nginx/cache(/.*)?"
sudo restorecon -Rv /etc/nginx/

Verify the folder label.

sudo ls -lZ /etc/nginx/
SarkarG
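The SELinux hypothesis can also be tested without leaving enforcing mode, by reading the AVC denial records logged when mkdir() is refused. The script below is an added example, not part of the question or the answer: it summarises audit records for one command name. The function names and sample records are constructed, and the sample assumes nginx runs as httpd_t and /etc/nginx is labelled httpd_config_t.

```shell
#!/usr/bin/env bash
# Added example: summarise SELinux AVC denials for one command name.
# On a live host, feed it real records instead of the sample, e.g.:
#   sudo ausearch -m AVC -ts recent --raw | avc_denials nginx

# Constructed sample records in audit.log format (not taken from the page).
SAMPLE_AUDIT='type=AVC msg=audit(1718720701.101:412): avc:  denied  { write } for  pid=2211 comm="nginx" name="nginx" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1718720733.007:419): avc:  denied  { read } for  pid=2302 comm="sshd" name="motd" dev="dm-0" ino=99 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718724101.550:502): avc:  denied  { create } for  pid=2950 comm="nginx" name="cache" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1'

# avc_denials COMM: read audit records on stdin, print one line per denial
# as "source_type -> target_type class=... perms=... name=... permissive=...".
avc_denials() {
  awk -v want="$1" '
    function field(key,   i, kv) {        # value of key=... in this record
      for (i = 1; i <= NF; i++) {
        if (index($i, key "=") == 1) {
          kv = substr($i, length(key) + 2)
          gsub(/"/, "", kv)
          return kv
        }
      }
      return "-"
    }
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }  # user:role:type:level
    /type=AVC/ && /denied/ {
      if (field("comm") != want) next
      perms = $0                          # keep only the text between { and }
      sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      printf "%s -> %s class=%s perms=%s name=%s permissive=%s\n",
             setype(field("scontext")), setype(field("tcontext")),
             field("tclass"), perms, field("name"), field("permissive")
    }'
}

# cache_mkdir_denied COMM: exit 0 if httpd_t was refused a directory
# write/add_name/create, which is how a blocked cache mkdir() shows up.
cache_mkdir_denied() {
  avc_denials "$1" |
    grep -Eq '^httpd_t -> [^ ]+ class=dir perms=([a-z_]+ )*(write|add_name|create) '
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_denials nginx
```

A record with permissive=1 was logged but not blocked, which is what appears after `setenforce 0`; the target type in the summary is the label the `semanage fcontext` rule above would replace for the cache directory.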