BUG: NGINX doesn't start

Started by seed, March 27, 2023, 07:55:41 PM

Hello.

My Setup:

OPNsense 23.1.4_1-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

My setup is using some /32 IPv4s on my WAN and nginx is configured to bind to it.
After rebooting the OPNsense, nginx won't start.


Quote:
2023/03/27    19:50:00    error    40394#100667    invalid PID number "" in "/var/run/nginx.pid"
2023/03/27    19:50:00    notice    40394#100667    signal process started
2023/03/27    19:49:10    emerg    86356#100227    bind() to XXX.XX.XXX.XX:80 failed (49: Can't assign requested address)
2023/03/27    19:49:10    emerg    86281#100227    bind() to XXX.XX.XXX.XX:80 failed (49: Can't assign requested address)

I must remove the .sock by hand: "rm -f /var/run/nginx_status.sock" and click on start again.

This must be a bug
i want all services to run with wirespeed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use

Web GUI runs a redirect from port 80 by default. Not a bug and you can disable it. ;)


Cheers,
Franco

Quote: Disable web GUI redirect rule

is enabled and the web ui port is on 4444.

Hi
XXX.XX.XXX.XX is not there when nginx starts?
really need to bind to exact ip and not just "80"?

I must bind nginx on the specific IP. On one of the other IPs I'm running other services like haproxy.

So this is very likely a bug.

With the little information given and the error message it looks like a limitation of the system or configuration mistake, but not a bug.


Cheers,
Franco

OK, that's fair. What other information should I provide?


I hope this helps:
I have multiple /32 v4s and multiple /128 v6 configured on my wan interface.

One v4 and one v6 are meant to be dedicated to nginx as reverse proxy.
This normally runs fine. But after an OPNsense reboot nginx doesn't like to start.
When I check with netstat for running services on port 80 I don't see any service on port 80.

In the logfile I just see the error:   "bind() to XXX.XX.XXX.XX:80 failed (49: Can't assign requested address)" (redacted IP)

After removing the sock (/var/run/nginx_status.sock) and clicking on start service, nginx runs fine.

At the time of nginx start the IP address in question does not seem to be available on the interface if we want to rule out a conflict between services already binding on it. What WAN modes have you set for IPv4 and IPv6?


Cheers,
Franco

March 30, 2023, 10:17:55 AM #8 Last Edit: March 30, 2023, 10:20:54 AM by Fright
Since it's "Can't assign requested address" and not "48: Address already in use", I think it's not a bind conflict (as I said earlier). It's an address absence, I think. So maybe the interface address is not ready when nginx tries to start at boot. But you did not provide more info.
The /var/run/nginx_status.sock binding error is a consequence of the first error, because nginx leaves the sockets in this case.

@franco
How bad an idea is it to exit on _setup fail at
https://github.com/opnsense/src/blob/stable/23.1/libexec/rc/rc.subr#L1110
? (This should prevent start if the config is broken. Sounds logical?)

Bad, because a badly written script will wreck it. Remember that last command sets error condition on script exit. Besides, which command should actually fail in setup script?

_precmd is implemented to do config checks in rc.d files sometimes, but the result is the same: Service doesn't work and no step further.

If anything we are missing a restart to be back running, but the question still is why the virtual IP is not there (if it really isn't).

Quote: is why the virtual IP is not there
yep, this is the most interesting for now
Quote: _precmd is implemented to do config checks in rc.d files sometimes
yes. but in nginx case it may return 1 for "reload" if config broken. but not for "start"..
Quote: which command should actually fail in setup script?
https://github.com/opnsense/plugins/blob/c08a2ea1771b8243f8f28de27c3f2286b2beb4af/www/nginx/src/opnsense/scripts/nginx/setup.php#L339  ;)
Quote: because a badly written script will wreck it
hm. understood

/var/run/nginx_status.sock is not unlinked after an unsuccessful start attempt and it prevents next runs. Looks like it is fixed at
https://trac.nginx.org/nginx/changeset/7cbf6389194b9170514e514ca7ee495369c9c8ac/nginx but it doesn't seem to be backported

Ah, you are talking about your latest addition and not about the situation with the user. I saw it as a means to get startup errors to syslog, not to stop a well-defined startup sequence.

I'd extend setup.php to remove the socket(s) when the nginx pid is not there. That's why we have it. :)

Alternatively ask Jochen via FreeBSD ports to add this patch to the port.


Cheers,
Franco
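
One way to do the cleanup suggested above, as an added shell example that is not the plugin's setup.php and not code from this thread: remove leftover UNIX sockets only when the pidfile does not point at a live process. The function names `pid_alive` and `cleanup_stale_sockets` are hypothetical; the paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not OPNsense plugin code): clear leftover nginx UNIX sockets
# before a start attempt, but only when no nginx master process is alive.
# Function names are hypothetical; run as root, as rc scripts are.

# pid_alive PIDFILE: succeed only if PIDFILE holds the PID of a live process.
pid_alive() {
    pa_file=$1
    [ -s "$pa_file" ] || return 1          # missing or empty pidfile
    pa_pid=$(head -n 1 "$pa_file" | tr -d '[:space:]')
    case $pa_pid in
        ''|*[!0-9]*) return 1 ;;           # not a plain decimal PID
    esac
    kill -0 "$pa_pid" 2>/dev/null          # signal 0 = existence check only
}

# cleanup_stale_sockets PIDFILE SOCKET...: print how many sockets were removed.
cleanup_stale_sockets() {
    cs_pidfile=$1
    shift
    if pid_alive "$cs_pidfile"; then
        echo 0                             # nginx is running: sockets are in use
        return 0
    fi
    cs_removed=0
    for cs_sock in "$@"; do
        # Unlink only real socket nodes; never follow symlinks or touch files.
        if [ -S "$cs_sock" ] && [ ! -L "$cs_sock" ]; then
            rm -f -- "$cs_sock" && cs_removed=$((cs_removed + 1))
        fi
    done
    echo "$cs_removed"
}

# Usage with the paths from this thread:
#   sh cleanup.sh /var/run/nginx.pid /var/run/nginx_status.sock
if [ "$#" -gt 0 ]; then
    cleanup_stale_sockets "$@"
fi
```

If a stale pidfile happens to name a PID that has since been reused by another process, the check fails safe: nothing is removed and the socket has to be cleared by hand.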

QuoteI'd extend setup.php to
sounds like a plan. already running on test vm )
thanks

March 30, 2023, 07:28:29 PM #14 Last Edit: March 30, 2023, 07:30:25 PM by benyamin
I'm not running the plugin myself, but if it is using the rc.d system to start, does the REQUIRE: keyword include the NETWORKING option?

For comparison inetd has: # REQUIRE: DAEMON LOGIN FILESYSTEMS