SOLVED: zmproxyctl failed, initial nginx process is owned by root

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Post Reply
tsimmons
Posts: 4
Joined: Wed May 11, 2016 4:09 pm

SOLVED: zmproxyctl failed, initial nginx process is owned by root

Post by tsimmons »

Running Zimbra 8.8.15_P22 on fully patched Ubuntu 18.04.5 LTS; lately I cannot reliably stop (and hence either restart) the proxy using:

Code: Select all

sudo su - zimbra
zmproxyctl stop
Stopping proxy...failed.
If you check the running nginx processes, you see that the initial nginx process is owned by root:

Code: Select all

ps aux | grep nginx
root     22633  0.0  0.0  47272  1792 ?        Ss   10:16   0:00 nginx: master process /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf
zimbra   22635  0.0  0.0  56268 12092 ?        S    10:16   0:00 nginx: worker process
zimbra   22636  0.0  0.0  56048 11896 ?        S    10:16   0:00 nginx: worker process
zimbra   22637  0.0  0.0  55820  8508 ?        S    10:16   0:00 nginx: worker process
zimbra   22638  0.0  0.0  56384 12808 ?        S    10:16   0:00 nginx: worker process
I see on line 119 of /opt/zimbra/bin/zmproxyctl in the stop routine, it will first will test if it can send a signal to the nginx process. This is failing when run as the zimbra user because, I assume, the process is owned by root:

Code: Select all

sudo su - zimbra
kill -0 22633
-su: kill: (22633) - Operation not permitted
Hence the reason it bails out with the "failed" warning and never tries to stop the process.

I have killed nginx AS root (using sudo) and then as the zimbra user started the proxy with

Code: Select all

sudo su - zimbra
zmproxyctl start
Starting proxy...nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /opt/zimbra/conf/nginx/includes/nginx.conf.mail.imaps.default:13
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /opt/zimbra/conf/nginx/includes/nginx.conf.mail.pop3s.default:13
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default:40
done.
Which seems to work but again the initial nginx process is owned by root, because on line 92 of /opt/zimbra/bin/zmproxyctl it is started by zimbra using the "sudo" keyword, which is permitted without a password by /etc/sudoers.d/02_zimbra-proxy ...

My question is: What is the correct way to repair this? I am using LetsEncrypt scripts that need to restart the proxy automatically and this is now failing most of the time.
Last edited by tsimmons on Mon Jun 28, 2021 4:18 pm, edited 1 time in total.
tsimmons
Posts: 4
Joined: Wed May 11, 2016 4:09 pm

Re: zmproxyctl failed, initial nginx process is owned by root

Post by tsimmons »

In case someone else runs into this, the fix is to modify /opt/zimbra/bin/zmproxyctl to match https://github.com/Zimbra/zm-core-utils ... zmproxyctl (as of the time of this post) which means the old method of the for loop/testing if a kill can be sent is replaced with using the nginx -s parameter to send a signal to nginx.

So, the first part of the stop routine goes from this:

Code: Select all

 stop)
    checkrunning
    echo -n "Stopping ${servicename}..."
    if [ $running = 0 ]; then
      echo "${servicename} is not running."
      exit 0
    else
      for ((i = 0; i < 30; i++)); do
        kill -0 $pid 2> /dev/null
        if [ $? != 0 ]; then
          break
        fi
        kill -TERM $pid
        sleep 1
      done
    fi
To this

Code: Select all

stop)
    checkrunning
    echo -n "Stopping ${servicename}..."
    if [ $running = 0 ]; then
      echo "${servicename} is not running."
      exit 0
    else
      sudo /opt/zimbra/common/sbin/nginx -c ${configfile} -s stop
      sleep 1
    fi
In addition, the reload process is changed from using

Code: Select all

kill -HUP $pid
to simply

Code: Select all

/sudo /opt/zimbra/common/sbin/nginx -c ${configfile} -s reload
Post Reply