Z-Push 2.4.0 - nginx configuration file

milauria

You are right … to make sure that php-fpm can write its logs, I did:

semanage fcontext -a -t httpd_sys_rw_content_t /var/log/z-push
restorecon -v /var/log/z-push

Then I am still checking if the logrotate needs the var_log_t context for the same directory to be able to read/write for file rotation … and i yes I need to find a way to make both php-fpm and logrotate work with selinux on the same directory … no idea how!

milauria

Hi to all – to make z-push work with nginx and Centos 7, after each time I update or install z-push (yum install z-push-common z-push-ipc-sharedmemory) I always run a small script to make permissions suitable for nginx:

chown root:nginx /etc/z-push/* 
chown -R nginx:nginx /var/lib/z-push 
chown -R nginx:nginx /var/log/z-push

To make it work with nginx … I also edited the /etc/logrotate.d/z-push.lr to remove the line

create apache apache

Otherwise z-push creates log files owned by apache:apache that cannot be written by nginx and this permission mismatch blocks the syncing

This is just FYI in case other users are having troubles under nginx … cheers

fbartels

Hi @milauria ,

which version of z-push are you running? Z-Push 2.4 introduces a nginx config package which should make those steps obsolete https://jira.z-hub.io/browse/ZP-1162

milauria

Hi for the moment I am sticking with production version 2.3.9. I did not try the 2.4 beta yet … I was waiting to see the final release of 2.4 making sure it works with the backend I need (Zimbra)

It would be useful to know what the installation exactly does other than creating the .conf described here [https://forum.kopano.io/topic/133/nginx-configuration-file/4](link url).

My concern is to make sure that all the permissions are set properly (/etc/z-push … /var/lib/z-push … /logrotate.d/z-push.lr … etc)

Thanks

fbartels

@milauria there are quite some pull requests attached to the ticket I’ve linked you. if you login at jira.z-hub.io then you can see all the changes that have been done.

milauria

Now that Z-push 2.4 has been released as official … I may suggest that when installing the z-push-config-nginx module the following permissions are also set during installation:

/var/lib/z-push/* must be owned by nginx : z-push (not apache:z-push)
/etc/logrotate.d/z-push.lr should remove “create apache apache”

I am running on Centos 7 with Nginx
thanks

Sebastian

Hi, thanks for the report. I’ve created an issue for it https://jira.z-hub.io/browse/ZP-1375
I am not sure why we didn’t see this/create the ticket before, but we will fix asap.

Cheers, Sebastian

Sebastian

@milauria we have fixed ZP-1375 and it’s released in Z-Push 2.4.1 beta1.
Could you try to install/update to this version and report back? Thank you!

milauria

With the Z-Push 2.4.1 beta1 installed I see that now the logrotate contains “create root z-push” which also does not work for me.

I need to be “create nginx z-push” to make let z-push write its log file … or just delete the “create” statement so that it inherits the permission from its folder

Basically to make it work I need both /var/log/z-push and /var/lib/z-push to be owned by the “nginx” user

Manfred

Hi milauria,

are there any errors? z-push group does have the right permissions for both folders, doesn’t it?

Manfred

milauria

Hi manfred,
seems to be the file owner the problem, not the file group

The /var/lib/z-push owner needs to be “nginx”. The z-push install I think defaults the owner as “root” and in that case I get the below fatal error. After I did the “chown nginx” the error went away.

[FATAL] Exception: (FatalMisconfigurationException) - Not possible to write to the configured state directory.
[FATAL] FatalMisconfigurationException: Not possible to write to the configured state directory. - code: 0 - file: /usr/share/z-push/lib/default/filestatemachine.php:63

Similarly /var/log/z-push needs to owned by nginx AND needs to be writable only by the user.
The error I get: “parent directory has insecure permissions (It’s world writable or writable by group which is not “root”)”
I also removed altogether the “create” statement in the z-push.lr so that every new log is created with the same folder permission

Cheers

Manfred

Hi milauria,

could you post the output of

groups nginx

?

With the current spec file configuration it’s not so trivial to change the ownership to user nginx. That’s why we introduced the z-push group which has the right permissions.

Manfred

milauria

groups nginx
nginx : nginx z-push

thanks for looking into this

milauria

Just to report that I have installed 2.4.1 final and all works fine with the only modification needed for the /var/log that I had to change as follow:

drwxr-x—. 2 nginx z-push 4096 Apr 11 19:21 z-push