nginx fails after downgrade from 2.7 to 2.6 #3564
Comments
The underlying problem seems to be that the /etc/ssl/certs/nginx directory is only installed when the 2.6 image is installed from scratch (not from code update). Two approaches to fix the problem are:
This would seem to be related to our use of @joseph-reynolds were you able to recreate this behavior on your own downgrade, or could there be hidden state here? Another approach would be to factory-reset and/or
I re-created this issue by installing an image based on the OpenBMC 2.7 development branch, then used code update to downgrade to the older release (exactly similar to the scenario above). I tested the workaround "creating the directory after the downgrade" and it worked. I don't fully understand everything that's going on.
The direction I am getting is to fix this in the 2.7 release. That is, have the 2.7 firmware create the /etc/ssl/certs/nginx directory (which is needed in case the system is downgraded to 2.6). I think the right way to do that is a new service, something like "nginx-prep-downgrade" which will create the directory. In this way, the service can be cleanly deleted when it is no longer needed, for example, when a downgrade directly to 2.6 is not supported. I believe the right place to do this is in https://github.com/openbmc/meta-ibm - meta-ibm/meta-ibm/recipes-httpd/nginx/nginx-prep-downgrade.bb
Nginx on OpenBMC has a number of issues that matter to openbmc.
1. It increases the binary size. This is an issue given that OpenBMC targets a relatively minimal flash footprint.
2. It increases the runtime overhead. Running nginx as a reverse proxy to the application servers causes a runtime overhead, and context switch for every single page load, as well as an extra socket.
3. nginx doesn't implement any kind of authentication, so auth needs to be implemented in every application server. This removes a lot of the advantages of the reverse proxy, and duplicates a lot of code amongst multiple application servers.
4. A number of nginx parameters run from the nginx config file. Some of these parameters (like cipher suite support) are desired to be changed at runtime, rather than fixed at compile time.
Related to commit here to move system to bmcweb: https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/12933/
Change-Id: I988fce8dae565808bd0eeacd8b7a71f3cc06d98f
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
(cherry picked from commit 699e296)
It seems the nginx directory is marked as opaque for some reason and only the upper dir of the overlay is shown. If the overlay is mounted read-only, the nginx dir shows up:
It'd be interesting to check if non-witherspoon systems using the overlay from the initramfs have the same issue or not.
Pushed a mitigation for this: https://gerrit.openbmc-project.xyz/c/openbmc/meta-ibm/+/23203
@joseph-reynolds That commit got abandoned. Leave this issue open in case someone else hits and we can close after some time has passed? Close now?
This issue has been automatically marked as stale because no activity has occurred in the last 6 months. It will be closed if no activity occurs in the next 30 days. If this issue should not be closed please add a comment. Thank you for your understanding and contributions.
This issue has been closed because no activity has occurred in the last 7 months. Please reopen if this issue should not have been closed. Thank you for your contributions.
The nginx service fails to start on 2.6 and earlier systems in the following scenario:
Note that OpenBMC 2.6 and earlier used the nginx web server; OpenBMC 2.7 is the first release that used the BMCWeb web server.
The nginx service attempts to create certificates in the /etc/ssl/certs/nginx directory, but only /etc/ssl/certs exists, so the service fails, and the web server is not available.
The workaround and recovery is to ssh to the BMC, create the directory (for example, via mkdir -p /etc/ssl/certs/nginx), and start nginx (systemctl start nginx). This only needs to be performed once at the time of downgrade, and it can be performed either before or after the downgrade.
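Added example, not part of the original issue and not OpenBMC code: a shell function that a one-shot service such as the "nginx-prep-downgrade" idea discussed in the comments, or an operator applying the workaround by hand, could use to create the directory idempotently and refuse a symlink or stray file at that path. The function name, the optional root-prefix argument, the return codes and the 0755 mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the OpenBMC tree).
# Creates <root>/etc/ssl/certs/nginx if it is missing.
# $1 is an optional root prefix so the function can be tried on a
# scratch tree; leave it empty on a real BMC.
# Returns: 0 directory present, 1 mkdir failed,
#          2 parent directory missing, 3 unsafe object at target path.
ensure_nginx_cert_dir() {
    root="${1:-}"
    parent="$root/etc/ssl/certs"
    target="$parent/nginx"

    # The issue states /etc/ssl/certs exists after the downgrade.
    # If it does not, something else is wrong; do not paper over it.
    if [ ! -d "$parent" ]; then
        echo "parent directory missing: $parent" >&2
        return 2
    fi

    # Certificates are written here, so never accept a symlink that
    # would redirect them elsewhere, nor a regular file.
    if [ -L "$target" ]; then
        echo "refusing symlink at $target" >&2
        return 3
    fi
    if [ -e "$target" ] && [ ! -d "$target" ]; then
        echo "non-directory object at $target" >&2
        return 3
    fi

    # Already there: nothing to do, safe to run on every boot.
    if [ -d "$target" ]; then
        return 0
    fi

    # Mode 0755 is an assumption; -m sets it regardless of umask.
    mkdir -m 0755 "$target" || return 1
    return 0
}

# Manual recovery on the BMC, using the commands from the issue text:
#   ensure_nginx_cert_dir && systemctl start nginx
```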