Update: Please read the instructions provided by the Phusion Passenger developers for a detailed and updated how-to.
Today, I’m sharing with you how I’ve installed NGINX and Phusion Passenger in my CentOS 7 lab using the RPM packages kindly provided by Ulyaoth. Phusion Passenger offers an installer (passenger-install-nginx-module) that helps you install NGINX and Passenger easily and in five minutes, but Ulyaoth’s sbagmeijer does impressive work packaging so many useful tools and servers, and it’s always a good idea to use RPMs.
We’ll start by configuring the EPEL and Ulyaoth repositories:
cat <<EOT > /etc/yum.repos.d/uylaoth.repo
[ulyaoth]
name=Ulyaoth Repository
baseurl=https://repos.ulyaoth.net/CentOS/\$releasever/\$basearch/
enabled=1
gpgcheck=1
gpgkey=https://raw.githubusercontent.com/sbagmeijer/ulyaoth/master/Repository/ulyaoth/SOURCES/RPM-GPG-KEY-ulyaoth
EOT
yum install -y epel-release
Now we’ll install the nginx-passenger package from the Ulyaoth repository:
yum install -y ulyaoth-nginx-passenger5
We’ll set the server name in the /etc/nginx/conf.d/default.conf file:
server_name tornasol.artemit.local;
We’ll change the following line in the /etc/nginx/conf.d/passenger.conf file:
passenger_instance_registry_dir /var/run/passenger;
We’ll add the following line in the /root/.bash_profile file to add a new environment var needed by passenger-status (remember to open a new session to load the new var :-D):
echo 'export PASSENGER_INSTANCE_REGISTRY_DIR=/var/run/passenger' >> /root/.bash_profile
We’ll create the /var/run/passenger directory and set permissions and ownership:
mkdir /var/run/passenger
chmod -R 755 /var/run/passenger
chown -R nginx:nginx /var/run/passenger
We’ll add the following config file so the /var/run/passenger temporary directory is created after a system restart:
cat <<EOT > /etc/tmpfiles.d/passenger.conf
d /var/run/passenger 0755 nginx nginx
EOT
We should add a rule to the firewall allowing http traffic:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="80" protocol="tcp" accept'
firewall-cmd --reload
We should enable the service to start at boot time:
systemctl enable nginx.service
Finally we’ll start the service and check that it’s running (we’ll see nginx and Passenger binaries):
systemctl start nginx.service
systemctl status nginx.service
[...]
nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled)
   Active: active (running) since vie 2015-04-03 12:41:52 CEST; 8s ago
...
   CGroup: /system.slice/nginx.service
           ├─20924 PassengerAgent watchdog
           ├─20927 PassengerAgent server
           ├─20932 PassengerAgent logger
           ├─20942 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           └─20944 nginx: worker process
[...]
And don’t forget to test your NGINX server, which listens on port 80 by default:
Of course if you’re using SELinux you may run the following commands.
yum install -y policycoreutils-python
We’ll change the context for the root html directory (we set read and write permissions; you can set read-only permissions using httpd_sys_content_t instead):
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html(/.*)?"
restorecon -Rv /usr/share/nginx/html
We’ll change the context for the passenger log directory:
semanage fcontext -a -t httpd_log_t "/var/log/passenger(/.*)?"
restorecon -Rv /var/log/passenger
We’ll change the context for the PassengerAgent binary:
semanage fcontext -a -t httpd_exec_t "/etc/nginx/modules/passenger/buildout/support-binaries/PassengerAgent"
restorecon -v /etc/nginx/modules/passenger/buildout/support-binaries/PassengerAgent
We’ll change the context for Passenger’s native support:
semanage fcontext -a -t httpd_exec_t /etc/nginx/modules/passenger/buildout/ruby/ruby-2.0.0-x86_64-linux/passenger_native_support.so
restorecon -v /etc/nginx/modules/passenger/buildout/ruby/ruby-2.0.0-x86_64-linux/passenger_native_support.so
We’ll change the context for passenger-status and passenger-memory-stats:
semanage fcontext -a -t bin_t "/etc/nginx/modules/passenger/bin/passenger-memory-stats"
semanage fcontext -a -t bin_t "/etc/nginx/modules/passenger/bin/passenger-status"
restorecon -v /etc/nginx/modules/passenger/bin/passenger-memory-stats
restorecon -v /etc/nginx/modules/passenger/bin/passenger-status
We’ll set the following SELinux boolean variables:
setsebool -P httpd_run_stickshift 1
setsebool -P httpd_setrlimit 1
setsebool -P httpd_tmp_exec 1
We’ll add an SELinux policy so PassengerAgent runs fine:
yum install -y policycoreutils-devel
mkdir /root/policy
cd /root/policy
cat <<EOT > /root/policy/passengeragent.te
policy_module(passengeragent, 1.0)

gen_require(\`
    type httpd_t;
    type httpd_tmp_t;
    type httpd_var_run_t;
    type kernel_t;
    class capability2 block_suspend;
    class capability sys_ptrace;
')

allow httpd_t self:capability2 block_suspend;
allow httpd_t self:capability sys_ptrace;
allow httpd_t httpd_tmp_t:file execute;
allow httpd_t httpd_var_run_t:file execute;
EOT
make -f /usr/share/selinux/devel/Makefile passengeragent.pp
semodule -i passengeragent.pp
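Before compiling and loading a hand-written module like this one, it helps to list which of its allow rules widen what httpd_t may do. The following is an added example, not part of the original post: a shell/awk review that flags capability grants and execute permission on types whose names suggest the domain also writes to them. The names sample_te and review_te, the capability watch list and the type-name suffixes are choices made for this example.

```shell
#!/bin/sh
# Added example: review the allow rules of a .te file before "make" and "semodule -i".

# Constructed sample: the allow rules of the passengeragent.te shown on this page.
sample_te() {
cat <<'EOF'
policy_module(passengeragent, 1.0)
allow httpd_t self:capability2 block_suspend;
allow httpd_t self:capability sys_ptrace;
allow httpd_t httpd_tmp_t:file execute;
allow httpd_t httpd_var_run_t:file execute;
EOF
}

# review_te: read a .te file on stdin and print one line per granted permission,
# prefixed with "REVIEW" when the grant deserves a second look, "ok" otherwise.
# Only single-line allow rules are handled. The watch lists are assumptions of
# this example, not an official classification.
review_te() {
  awk '
    $1 != "allow" { next }
    {
      gsub(/[{};]/, " ")          # drop braces and the trailing semicolon
      split($3, tc, ":")          # third field is target:class
      target = tc[1]; cls = tc[2]
      for (i = 4; i <= NF; i++) {
        perm = $i; why = ""
        if (cls ~ /^capability2?$/ &&
            perm ~ /^(sys_ptrace|sys_admin|sys_module|dac_override)$/)
          why = "broad capability"
        else if (perm ~ /^(execute|execute_no_trans|execmod)$/ &&
                 target ~ /(_tmp_t|_var_run_t|_rw_content_t)$/)
          why = "execute on a type the domain usually writes"
        printf "%s %s %s:%s %s%s\n", (why != "" ? "REVIEW" : "ok"),
               $2, target, cls, perm, (why != "" ? " (" why ")" : "")
      }
    }'
}

# On the real system: review_te < /root/policy/passengeragent.te
sample_te | review_te
```

Each REVIEW line is a prompt to confirm that Passenger really needs that permission on your system, not a verdict that the rule is wrong.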
And that’s all. I hope this post helps you, and I look forward to your feedback about errors and suggestions.
Thanks for reading!
Change:
cat <<EOT > /root/policy/passengeragent.tepolicy_module(passengeragent, 1.0)
to
cat <<EOT > /root/policy/passengeragent.te
policy_module(passengeragent, 1.0)
Thanks, I’ll solve the typo right away