Z-Push 2.4.0 - nginx configuration file


  • Kopano

    Hi milauria,

    @milauria said in Z-Push 2.4.0 - nginx configuration file:

    I am interested in the nginx configuration that i am testing. I installed the nginx addition an wondering what does the installer do other than creating the conf file.

    Right now the installer only creates a config file. The adjustments, permissions and nginx reloading have to be done manually. We are working on updating the documentation on this.

    In my past experience i had to change ownership to a few directories that were owned by apache to nginx to make it work. Also the /var/log/z-push is owned by apache and i had to change to nginx or it gives error.

    I’m not sure if it’s the same in CentOS, but e.g. for debian the default nginx user is www-data, the same as apache. You could check /etc/nginx/nginx.conf and what is the value of user directive. Changing it to match apache’s user (which is apache if I remember correctly) should solve at least the ownership issues for you.

    As for the Z-Push nginx configuration file, I will investigate that, but it’ll might take some time as I’m not very familiar with RHEL based systems.

    Thanks for your feedback so far.

    Manfred



  • Hi, in my endeavour to move the z-push installation under nginx and Centos7, I had all working with the exception of the log file rotation

    The email error notification I get says:
    ​​​​​/etc/cron.daily/logrotate:
    error: stat of /var/log/z-push/autodiscover-error.log failed: Permission denied
    error: stat of /var/log/z-push/autodiscover.log failed: Permission denied
    error: stat of /var/log/z-push/z-push-error.log failed: Permission denied
    error: stat of /var/log/z-push/z-push.log failed: Permission denied

    I have the following permissions set:

    drwxr-x---. 2 nginx  nginx     102 Oct 31 04:56 z-push
    

    and

    -rw-r--r--. 1 nginx nginx       0 Oct 31 04:56 autodiscover-error.log
    -rw-r--r--. 1 nginx nginx   12224 Oct 31 04:56 autodiscover.log
    -rw-r--r--. 1 nginx nginx  157546 Nov  1 04:57 z-push-error.log
    -rw-r--r--. 1 nginx nginx 2770015 Nov  1 12:36 z-push.log
    

    I also modified the /etc/logrotate.d/z-push.lr to:

    /var/log/z-push/*.log {
            size 1k
            create nginx nginx
    	compress
            notifempty
            rotate 4
    }
    

    I have tried to tweak the permission to every possible value I could think of … but nothing

    Also I have tried to change the destination of the log file in the z-psuh config.php, but z-push stops working for some other problems and put it back to standard, I though it might be the php-fpm permissions but seems all set as user=nginx group=nginx.

    Just as a note the nginx user has been created by nginx installer as a standard user also for its main .conf and I didn’t want to touch it if not necessary.

    Thanks for any advise you might have to fix the log rotation … !



  • @milauria Hosting on Centos here too … Your permissions look ok although I would highly recommend running nginx sites/services under custom assigned/created usernames and groups - better security.

    The issue you are having is with the file /etc/logrotate.d/z-push.lr … you can delete that and replace it with /etc/logrotate.d/z-push with contents:

    /var/log/z-push/*.log {
    	daily
    	copytruncate
            missingok
            notifempty
            compress
            delaycompress
    	create nginx nginx
    	rotate 4
    }
    

    Cheers



  • Nada, not working …

    • I tried to put: ‘create nginx nginx’ (was create apache apache)
    • I tried also to put: ‘su nginx nginx

    … but I still get the above permission denied notification from ​​​​​/etc/cron.daily/logrotate

    I also tried to manually test logrotate from root and it rotates the logs correctly:

    logrotate -f  /etc/logrotate.conf
    

    So there might some some other permissions to fix externally to the script eg in the crontab execution ? I didn’t touch that from the yum install of z-push. All the other logrotation scripts work fine

    I will continue to dig into this problem, any other suggestions is mostly welcome !



  • @milauria said in Z-Push 2.4.0 - nginx configuration file:

    Nada, not working …

    Sounds like you have selinux enabled. If so, you will need to adjust selinux context for /etc/logrotate.d/z-push



  • You are right … to make sure that php-fpm can write its logs, I did:

    semanage fcontext -a -t httpd_sys_rw_content_t /var/log/z-push
    restorecon -v /var/log/z-push
    

    Then I am still checking if the logrotate needs the var_log_t context for the same directory to be able to read/write for file rotation … and i yes I need to find a way to make both php-fpm and logrotate work with selinux on the same directory … no idea how!



  • Hi to all – to make z-push work with nginx and Centos 7, after each time I update or install z-push (yum install z-push-common z-push-ipc-sharedmemory) I always run a small script to make permissions suitable for nginx:

    chown root:nginx /etc/z-push/* 
    chown -R nginx:nginx /var/lib/z-push 
    chown -R nginx:nginx /var/log/z-push
    

    To make it work with nginx … I also edited the /etc/logrotate.d/z-push.lr to remove the line

    create apache apache
    

    Otherwise z-push creates log files owned by apache:apache that cannot be written by nginx and this permission mismatch blocks the syncing

    This is just FYI in case other users are having troubles under nginx … cheers


  • Kopano

    Hi @milauria ,

    which version of z-push are you running? Z-Push 2.4 introduces a nginx config package which should make those steps obsolete https://jira.z-hub.io/browse/ZP-1162



  • Hi for the moment I am sticking with production version 2.3.9. I did not try the 2.4 beta yet … I was waiting to see the final release of 2.4 making sure it works with the backend I need (Zimbra)

    It would be useful to know what the installation exactly does other than creating the .conf described here [https://forum.kopano.io/topic/133/nginx-configuration-file/4](link url).

    My concern is to make sure that all the permissions are set properly (/etc/z-push … /var/lib/z-push … /logrotate.d/z-push.lr … etc)

    Thanks


  • Kopano

    @milauria there are quite some pull requests attached to the ticket I’ve linked you. if you login at jira.z-hub.io then you can see all the changes that have been done.



  • Now that Z-push 2.4 has been released as official … I may suggest that when installing the z-push-config-nginx module the following permissions are also set during installation:

    /var/lib/z-push/* must be owned by nginx : z-push (not apache:z-push)
    /etc/logrotate.d/z-push.lr should remove “create apache apache”

    I am running on Centos 7 with Nginx
    thanks


  • Kopano

    Hi, thanks for the report. I’ve created an issue for it https://jira.z-hub.io/browse/ZP-1375
    I am not sure why we didn’t see this/create the ticket before, but we will fix asap.

    Cheers, Sebastian


  • Kopano

    @milauria we have fixed ZP-1375 and it’s released in Z-Push 2.4.1 beta1.
    Could you try to install/update to this version and report back? Thank you!



  • With the Z-Push 2.4.1 beta1 installed I see that now the logrotate contains “create root z-push” which also does not work for me.

    I need to be “create nginx z-push” to make let z-push write its log file … or just delete the “create” statement so that it inherits the permission from its folder

    Basically to make it work I need both /var/log/z-push and /var/lib/z-push to be owned by the “nginx” user


  • Kopano

    Hi milauria,

    are there any errors? z-push group does have the right permissions for both folders, doesn’t it?

    Manfred



  • Hi manfred,
    seems to be the file owner the problem, not the file group

    The /var/lib/z-push owner needs to be “nginx”. The z-push install I think defaults the owner as “root” and in that case I get the below fatal error. After I did the “chown nginx” the error went away.

    [FATAL] Exception: (FatalMisconfigurationException) - Not possible to write to the configured state directory.
    [FATAL] FatalMisconfigurationException: Not possible to write to the configured state directory. - code: 0 - file: /usr/share/z-push/lib/default/filestatemachine.php:63

    Similarly /var/log/z-push needs to owned by nginx AND needs to be writable only by the user.
    The error I get: “parent directory has insecure permissions (It’s world writable or writable by group which is not “root”)”
    I also removed altogether the “create” statement in the z-push.lr so that every new log is created with the same folder permission

    Cheers


  • Kopano

    Hi milauria,

    could you post the output of

    groups nginx
    

    ?

    With the current spec file configuration it’s not so trivial to change the ownership to user nginx. That’s why we introduced the z-push group which has the right permissions.

    Manfred



  • groups nginx
    nginx : nginx z-push

    thanks for looking into this



  • Just to report that I have installed 2.4.1 final and all works fine with the only modification needed for the /var/log that I had to change as follow:

    drwxr-x—. 2 nginx z-push 4096 Apr 11 19:21 z-push