Z-Push 2.4.0 - nginx configuration file
-
Hi milauria,
@milauria said in Z-Push 2.4.0 - nginx configuration file:
I am interested in the nginx configuration that i am testing. I installed the nginx addition an wondering what does the installer do other than creating the conf file.
Right now the installer only creates a config file. The adjustments, permissions and nginx reloading have to be done manually. We are working on updating the documentation on this.
In my past experience i had to change ownership to a few directories that were owned by apache to nginx to make it work. Also the /var/log/z-push is owned by apache and i had to change to nginx or it gives error.
I’m not sure if it’s the same in CentOS, but e.g. for debian the default nginx user is www-data, the same as apache. You could check /etc/nginx/nginx.conf and what is the value of user directive. Changing it to match apache’s user (which is apache if I remember correctly) should solve at least the ownership issues for you.
As for the Z-Push nginx configuration file, I will investigate that, but it’ll might take some time as I’m not very familiar with RHEL based systems.
Thanks for your feedback so far.
Manfred
-
Hi, in my endeavour to move the z-push installation under nginx and Centos7, I had all working with the exception of the log file rotation
The email error notification I get says:
/etc/cron.daily/logrotate:
error: stat of /var/log/z-push/autodiscover-error.log failed: Permission denied
error: stat of /var/log/z-push/autodiscover.log failed: Permission denied
error: stat of /var/log/z-push/z-push-error.log failed: Permission denied
error: stat of /var/log/z-push/z-push.log failed: Permission deniedI have the following permissions set:
drwxr-x---. 2 nginx nginx 102 Oct 31 04:56 z-pushand
-rw-r--r--. 1 nginx nginx 0 Oct 31 04:56 autodiscover-error.log -rw-r--r--. 1 nginx nginx 12224 Oct 31 04:56 autodiscover.log -rw-r--r--. 1 nginx nginx 157546 Nov 1 04:57 z-push-error.log -rw-r--r--. 1 nginx nginx 2770015 Nov 1 12:36 z-push.logI also modified the /etc/logrotate.d/z-push.lr to:
/var/log/z-push/*.log { size 1k create nginx nginx compress notifempty rotate 4 }I have tried to tweak the permission to every possible value I could think of … but nothing
Also I have tried to change the destination of the log file in the z-psuh config.php, but z-push stops working for some other problems and put it back to standard, I though it might be the php-fpm permissions but seems all set as user=nginx group=nginx.
Just as a note the nginx user has been created by nginx installer as a standard user also for its main .conf and I didn’t want to touch it if not necessary.
Thanks for any advise you might have to fix the log rotation … !
-
@milauria Hosting on Centos here too … Your permissions look ok although I would highly recommend running nginx sites/services under custom assigned/created usernames and groups - better security.
The issue you are having is with the file /etc/logrotate.d/z-push.lr … you can delete that and replace it with /etc/logrotate.d/z-push with contents:
/var/log/z-push/*.log { daily copytruncate missingok notifempty compress delaycompress create nginx nginx rotate 4 }Cheers
-
Nada, not working …
- I tried to put: ‘create nginx nginx’ (was create apache apache)
- I tried also to put: ‘su nginx nginx’
… but I still get the above permission denied notification from /etc/cron.daily/logrotate
I also tried to manually test logrotate from root and it rotates the logs correctly:
logrotate -f /etc/logrotate.confSo there might some some other permissions to fix externally to the script eg in the crontab execution ? I didn’t touch that from the yum install of z-push. All the other logrotation scripts work fine
I will continue to dig into this problem, any other suggestions is mostly welcome !
-
@milauria said in Z-Push 2.4.0 - nginx configuration file:
Nada, not working …
Sounds like you have selinux enabled. If so, you will need to adjust selinux context for /etc/logrotate.d/z-push
-
You are right … to make sure that php-fpm can write its logs, I did:
semanage fcontext -a -t httpd_sys_rw_content_t /var/log/z-push restorecon -v /var/log/z-pushThen I am still checking if the logrotate needs the var_log_t context for the same directory to be able to read/write for file rotation … and i yes I need to find a way to make both php-fpm and logrotate work with selinux on the same directory … no idea how!
-
Hi to all – to make z-push work with nginx and Centos 7, after each time I update or install z-push (yum install z-push-common z-push-ipc-sharedmemory) I always run a small script to make permissions suitable for nginx:
chown root:nginx /etc/z-push/* chown -R nginx:nginx /var/lib/z-push chown -R nginx:nginx /var/log/z-pushTo make it work with nginx … I also edited the /etc/logrotate.d/z-push.lr to remove the line
create apache apacheOtherwise z-push creates log files owned by apache:apache that cannot be written by nginx and this permission mismatch blocks the syncing
This is just FYI in case other users are having troubles under nginx … cheers
-
Hi @milauria ,
which version of z-push are you running? Z-Push 2.4 introduces a nginx config package which should make those steps obsolete https://jira.z-hub.io/browse/ZP-1162
-
Hi for the moment I am sticking with production version 2.3.9. I did not try the 2.4 beta yet … I was waiting to see the final release of 2.4 making sure it works with the backend I need (Zimbra)
It would be useful to know what the installation exactly does other than creating the .conf described here [https://forum.kopano.io/topic/133/nginx-configuration-file/4](link url).
My concern is to make sure that all the permissions are set properly (/etc/z-push … /var/lib/z-push … /logrotate.d/z-push.lr … etc)
Thanks
-
@milauria there are quite some pull requests attached to the ticket I’ve linked you. if you login at jira.z-hub.io then you can see all the changes that have been done.
-
Now that Z-push 2.4 has been released as official … I may suggest that when installing the z-push-config-nginx module the following permissions are also set during installation:
/var/lib/z-push/* must be owned by nginx : z-push (not apache:z-push)
/etc/logrotate.d/z-push.lr should remove “create apache apache”I am running on Centos 7 with Nginx
thanks -
Hi, thanks for the report. I’ve created an issue for it https://jira.z-hub.io/browse/ZP-1375
I am not sure why we didn’t see this/create the ticket before, but we will fix asap.Cheers, Sebastian
-
@milauria we have fixed ZP-1375 and it’s released in Z-Push 2.4.1 beta1.
Could you try to install/update to this version and report back? Thank you! -
With the Z-Push 2.4.1 beta1 installed I see that now the logrotate contains “create root z-push” which also does not work for me.
I need to be “create nginx z-push” to make let z-push write its log file … or just delete the “create” statement so that it inherits the permission from its folder
Basically to make it work I need both /var/log/z-push and /var/lib/z-push to be owned by the “nginx” user
-
Hi milauria,
are there any errors? z-push group does have the right permissions for both folders, doesn’t it?
Manfred
-
Hi manfred,
seems to be the file owner the problem, not the file groupThe /var/lib/z-push owner needs to be “nginx”. The z-push install I think defaults the owner as “root” and in that case I get the below fatal error. After I did the “chown nginx” the error went away.
[FATAL] Exception: (FatalMisconfigurationException) - Not possible to write to the configured state directory.
[FATAL] FatalMisconfigurationException: Not possible to write to the configured state directory. - code: 0 - file: /usr/share/z-push/lib/default/filestatemachine.php:63Similarly /var/log/z-push needs to owned by nginx AND needs to be writable only by the user.
The error I get: “parent directory has insecure permissions (It’s world writable or writable by group which is not “root”)”
I also removed altogether the “create” statement in the z-push.lr so that every new log is created with the same folder permissionCheers
-
Hi milauria,
could you post the output of
groups nginx?
With the current spec file configuration it’s not so trivial to change the ownership to user nginx. That’s why we introduced the z-push group which has the right permissions.
Manfred
-
groups nginx
nginx : nginx z-pushthanks for looking into this
-
Just to report that I have installed 2.4.1 final and all works fine with the only modification needed for the /var/log that I had to change as follow:
drwxr-x—. 2 nginx z-push 4096 Apr 11 19:21 z-push
