This repository has been archived by the owner on Aug 13, 2024. It is now read-only.

Syntax check fail if SELinux is Enforcing #24

Open
onemanstartup opened this issue Dec 28, 2014 · 21 comments

@onemanstartup

I have an error after that step when starting nginx; without this step nginx starts OK.

- name: Check nginx syntax of configuration files
  shell: nginx -t
  register: result
  changed_when: "result.rc != 0"
  always_run: yes
  when: nginx_installation_type in nginx_installation_types_using_service
  tags: [configuration,nginx]

With this I see:

msg: Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.

and when I check the failed status it is:

nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)

I don't know why this happens, but anyway, without this step a restart or reload would fail anyway, so why is this step needed?

@onemanstartup onemanstartup changed the title Centos 7 service start fail centos 7 service start fail Dec 28, 2014
@jdauphant
Owner

It's strange to have this error with this step:

-t Don't run, just test the configuration file. The
nginx checks configuration for correct syntax and
then tries to open files referred in configuration.

It looks like "nginx -t" launches a daemon on your system.
If you change "shell: nginx -t" to "command: nginx -t", do you have the same problem?
If yes, what's the result of "nginx -t" on your system?

@jdauphant
Owner

Hey @jrobeson, do you have this problem with CentOS 7?

@ghost

ghost commented Jan 4, 2015

Nope. But I only did a check to make sure it worked. I don't usually use CentOS; I definitely didn't have this problem in Fedora 19, which CentOS 7 is based on. I also didn't have SELinux enabled (as it defaults to off in DigitalOcean droplets).

I'd suggest that @onemanstartup tries to log in to the CentOS machine and execute it as normal without this role, to see if it can be replicated there.

@onemanstartup
Author

Sorry for the delay.
These are the errors when I run nginx -t without sudo. So I think systemctl starts with sudo but nginx -t without:

nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2015/01/04 22:34:31 [warn] 4519#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
2015/01/04 22:34:31 [emerg] 4519#0: open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed

@ghost

ghost commented Jan 4, 2015

Yes, you do need to start it with super-user privs. It's the same as with Fedora 19/20/21.

http://pkgs.fedoraproject.org/cgit/nginx.git/tree/nginx.service?h=epel7

@jdauphant
Owner

It's the same for Debian also:
https://travis-ci.org/jdauphant/ansible-role-nginx/builds/45886088#L797

@onemanstartup
Author

I am starting it with sudo; the problem is that nginx -t runs without sudo and fails.

@jdauphant
Owner

That's strange; if you run ansible-playbook with sudo activated it should work.
I suppose you have no error when running "nginx -t" manually with sudo?

@onemanstartup
Author

Yes, I'm talking exactly about this.
I have this in the playbook:

  user: root
  sudo: True

sudo nginx -t works fine.
nginx -t fails.
nginx starts when I run the playbook without checking the config.

@jdauphant
Owner

I am not sure that "user: root" exists or does what you think.
Also, have you tried to use ansible.cfg instead?

/home/user/playbook_dir/ansible.cfg or ~/.ansible.cfg:

[defaults]
sudo = yes
remote_user = onemanstartup # could be not necessary in your situation

@onemanstartup
Author

Damn. I don't know why. It's very strange that nginx starts without this task, but after I read this http://kb.sp.parallels.com/en/121838 and switched SELinux to permissive mode it works.

@jdauphant jdauphant changed the title centos 7 service start fail Syntax check fail if SELinux is Enforcing Jan 5, 2015
@jdauphant
Owner

I have changed the title to correspond to the error.

@ghost

ghost commented Jan 11, 2015

Had the same issue with CentOS 7:

  • nginx -t: logged in as a user I get a permission denied error; it worked fine via sudo.
  • Changed the syntax check from shell to command; it still failed, but with file not found.
  • Changed nginx -t to the full path and it worked fine: /usr/sbin/nginx -t
  • SELinux was disabled.

@ghost

ghost commented Jan 11, 2015

Logged in as a user? Which one?

@ghost

ghost commented Jan 13, 2015

The Fedora 21 DigitalOcean droplets have SELinux enabled by default. I can now replicate this behaviour.

EDIT: it says the syntax check passed, but the systemd journal says:

Jan 13 05:53:54 demo.ht.lazerbal.com nginx[2881]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 13 05:53:54 demo.ht.lazerbal.com nginx[2881]: nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
Jan 13 05:53:54 demo.ht.lazerbal.com nginx[2881]: nginx: configuration file /etc/nginx/nginx.conf test failed

@jdauphant
Owner

Thanks for the details, the role needs a fix.

Solution 1

Solution 2 (needs validation)

Solution for @beardyjay's problem

  • Changed nginx -t to the full path /usr/sbin/nginx -t
  • Need the right path for all supported systems.
  • We could investigate more to see the real source of the problem.

Don't hesitate to send a pull request to correct these problems (a separate one for each problem).
Thanks to @onemanstartup, @jrobeson and @beardyjay for your help finding and correcting problems.

@ghost

ghost commented Jan 13, 2015

Solution 2 sounds pretty good to me.

@ghost

ghost commented Jan 13, 2015

As far as the right path goes, couldn't we just default to calling: which nginx?

@jdauphant
Owner

We could also call "/usr/bin/env nginx -t" (have you tried that, @beardyjay?).
It looks like an environment problem, or maybe another security check (AppArmor?); we could have the same problem using env and which.
It would be interesting to have the exact output, to see if something differs from this issue.

@jdauphant jdauphant added the bug label Jan 19, 2016
@basnijholt

Also having this issue, I just disabled SELinux, but a better fix would be nice :)

@okuramasafumi
Contributor

I fixed this issue by adding become: true to the handler. The weird thing is that I've already added become: true when including this role. Does adding become: true (or become: root) to the handler have any bad side effect?
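The fixes discussed in this thread (run the check with privileges, call the binary by its full path, and never let a test step report a change) combined into one task. This is an added example, not the role's own code; `nginx_binary` is an assumed variable, and `check_mode: false` is the newer spelling of the `always_run: yes` used above.

```yaml
# Added example (not the role's own task): the syntax check from this issue,
# rewritten so that "nginx -t" runs with the privileges it actually needs.
# nginx -t opens the error log and /var/run/nginx.pid even in test mode, which
# is exactly what fails with "13: Permission denied" when it runs unprivileged.
- name: Check nginx syntax of configuration files
  # Full path avoids the "file not found" seen with the command module when
  # the remote user's PATH lacks /usr/sbin; nginx_binary is an assumed
  # variable a role could set per OS family.
  command: "{{ nginx_binary | default('/usr/sbin/nginx') }} -t"
  register: nginx_syntax
  # Privilege escalation on this task itself, as in the last comment above;
  # "become" on the role include does not always reach handlers.
  become: true
  # A test never changes the host, so do not report "changed" on failure.
  changed_when: false
  # A non-zero exit code is the only failure signal nginx -t gives.
  failed_when: nginx_syntax.rc != 0
  # Run even under --check, replacing the older "always_run: yes".
  check_mode: false
  when: nginx_installation_type in nginx_installation_types_using_service
  tags: [configuration, nginx]

# Optional: surface the exact nginx output when the check fails, since the
# "nginx: [emerg] open() ..." line is what distinguishes a permission problem
# from a real syntax error.
- name: Show nginx -t output on failure
  debug:
    var: nginx_syntax.stderr_lines
  when: nginx_syntax is failed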
