
Carbonio 23.5.0 update from 23.3.0 on RHEL8/Oracle 8

Jim Dunphy
(@jdunphy)

Update was fairly straightforward with one oddity with respect to nginx where this was found. I was updating 23.3.0 on Oracle 8 to 23.5.0.

# su - zextras

% zmproxyctl restart
Stopping proxy...nginx: [alert] kill(2232379, 15) failed (1: Operation not permitted)
failed.
Starting proxy...proxy is already running.

Investigation found that this was the stop for zmproxyctl meaning it was running as the zextras user:

/opt/zextras/common/sbin/nginx -c /opt/zextras/conf/nginx.conf -s stop

Don't know what the idea is here but I don't see anything suid and nginx is running as root and zextras doesn't have permission to send that signal with the above -s stop. I added sudo and updated /etc/sudoers.d/carbonio so zmproxyctl would work as expected again. Given this used to work on the last update I did which was 23.3.0, I am guessing there is something that was expected on my end during the update.

% zmcontrol -v
Carbonio Release 23.5.0

% zmcontrol status
Host mail.example.com
amavis Running
antispam Running
antivirus Running
directory-server Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
service-discover Running
stats Running
config service Running

Jim


   
(@stefanodavid)
 

@jdunphy

To be honest, I have no idea why nginx is running as root user, but this should not happen, AFAIK... I will pass this information to our developers, to see if it is a known problem (but I don't think it's the case) or if they can shed some light.

 


   
Jim Dunphy
(@jdunphy)

@stefanodavid My guess is historic because to bind to any port below 1024, one needed to be root. The workers are running as zextras but the main process is still root on my install. A recent change and what was done for ldap for instance in carbonio is to use extended file system capabilities to get around this historic problem. Perhaps the upgrade process that I did was missing this option or I missed something in the update instructions if that was the direction they went. I didn't look very hard TBH.  For instance, this may resolve the issue of needing to be root if it was the bind issue:

% setcap cap_net_bind_service=+ep /opt/zextras/common/sbin/nginx

Jim


   
(@stefanodavid)
 

@jdunphy thanks, appreciate the additional information. What I can say is that I tried the upgrade procedure myself but I did not see any (disruptive?) changes like this. I will add this to my checklist after the next upgrade. If I happen to discover some more, I'll be happy to share my findings.

Cheers,

Stefano


   
Jim Dunphy
(@jdunphy)

@stefanodavid Now that I know that was not normal, I looked for root cause and sure enough they are using extended attributes for nginx now...

relay4:common/sbin:42> getcap nginx
nginx cap_net_bind_service=ep

I think what happened is the upgrade which does run as root does not stop an already running nginx which was still running as root from carbonio 23.3.0. After the dnf update, I did this:

# su - zextras

% zmcontrol restart

That would fail on the zmproxyctl stop because it could not stop nginx with the new code in place that stops nginx as the zextras user. The solution is to either reboot after the update or issue that nginx stop as root one last time. I removed my changes, sent the stop as root. After that, everything works as expected and nginx master isn't running as root here anymore.

Thanks for letting me know.

Jim


   
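Added example, not part of the original posts and not Carbonio's own tooling: a shell check for the state diagnosed in this thread, where the nginx binary already carries cap_net_bind_service but a root-owned master from before the update is still running. The function names and verdict words are hypothetical and the sample ps lines are constructed; the binary path, user names and getcap output are the ones shown in the thread.

```shell
#!/bin/sh
# Added example (not Carbonio code). Function names and verdict words are hypothetical.
NGINX_BIN=/opt/zextras/common/sbin/nginx   # path as shown in the thread

# Constructed sample: a root-owned master left over from before the update.
SAMPLE_PS='root     nginx: master process /opt/zextras/common/sbin/nginx -c /opt/zextras/conf/nginx.conf
zextras  nginx: worker process'
SAMPLE_CAP='nginx cap_net_bind_service=ep'

# stdin: `ps -eo user=,args=` text; stdout: distinct owners of nginx master processes.
master_owners() {
    awk '$2 == "nginx:" && $3 == "master" { print $1 }' | sort -u
}

# stdin: getcap output; succeeds if cap_net_bind_service is in the effective set
# (accepts "nginx cap_net_bind_service=ep" and the older "= cap_net_bind_service+ep").
has_bind_cap() {
    grep -Eq 'cap_net_bind_service[^ ]*[=+]e'
}

# diagnose PS_TEXT GETCAP_TEXT: prints one verdict word.
diagnose() {
    owners=$(printf '%s\n' "$1" | master_owners)
    if [ -z "$owners" ]; then echo not-running; return 0; fi
    if printf '%s\n' "$2" | has_bind_cap; then cap=yes; else cap=no; fi
    if printf '%s\n' "$owners" | grep -qx root; then
        # Root master + capability on the binary: the pre-update master is still
        # running, so an unprivileged "nginx -s stop" gets EPERM, as in the thread.
        if [ "$cap" = yes ]; then echo stale-root-master; else echo root-master-no-cap; fi
    else
        if [ "$cap" = yes ]; then echo ok; else echo unprivileged-no-cap; fi
    fi
}

if [ "${1:-}" = "--live" ]; then
    diagnose "$(ps -eo user=,args=)" "$(getcap "$NGINX_BIN" 2>/dev/null)"
else
    diagnose "$SAMPLE_PS" "$SAMPLE_CAP"    # prints: stale-root-master
fi
```

Run with `--live` on the proxy host after the dnf update; a `stale-root-master` verdict corresponds to the case above that was resolved by stopping nginx as root once or rebooting.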