Installing NGINX on CentOS 7

This is a quick note on how to install the latest NGINX server on my CentOS 7, using the packages provided by the NGINX team. I share this post as it may help any visitor.

The official info about the official NGINX packages is in NGINX’s site

As root you can add the repository file for mainline version:

cat << EOT > /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/\$basearch/
gpgcheck=0
enabled=1
EOT

If you want to use the stable version you’d execute:

cat << EOT > /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/\$basearch/
gpgcheck=0
enabled=1
EOT
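
Both repository files above set gpgcheck=0 and use an http:// baseurl, so yum installs the packages without verifying their signatures. The check below is an added example, not part of the original post: it flags those settings in a repo file and shows a hardened variant next to the mainline file. The audit_repo function and the sample file names are hypothetical; the gpgkey URL is the signing key published on nginx.org.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_repo FILE: print one finding per line for each [section] that skips
# signature checks or uses plain http; exit status 1 if anything was found.
audit_repo() {
    awk -F= '
        function report() {
            if (sec == "") return
            if (gpg != "1")     { print sec ": gpgcheck is not 1"; bad = 1 }
            if (url ~ /^http:/) { print sec ": baseurl uses plain http"; bad = 1 }
            if (key ~ /^http:/) { print sec ": gpgkey fetched over plain http"; bad = 1 }
        }
        /^\[.*\]$/ { report(); sec = substr($0, 2, length($0) - 2)
                     gpg = ""; url = ""; key = ""; next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == "gpgcheck" { gpg = v }
        k == "baseurl"  { url = v }
        k == "gpgkey"   { key = v }
        END { report(); exit bad }
    ' "$1"
}

# Constructed samples: the mainline repo file as written above, and a
# hardened variant using https and the signing key nginx.org publishes.
tmp=$(mktemp -d)
cat > "$tmp/weak.repo" <<'EOT'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1
EOT
cat > "$tmp/hardened.repo" <<'EOT'
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOT

audit_repo "$tmp/weak.repo" || true
audit_repo "$tmp/hardened.repo" && echo "hardened.repo: no findings"
```

Run it against /etc/yum.repos.d/*.repo to review every configured repository before installing from it.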

Then just use yum:

yum install -y nginx

And manage the service as usual (start the service, enable it at boot time and check the status):

systemctl start nginx

systemctl enable nginx

systemctl status nginx

If you want to check the version you’ve just installed (e.g. I’m using the latest mainline version as of July 2016):

# nginx -v
nginx version: nginx/1.11.2

And that’s all, just a note for my reference for the future, hope it helps you too 🙂

 

CentOS 7 – Installing NGINX + Phusion Passenger

Update: Please read the instructions provided by the Phusion Passenger developers for a detailed and updated how-to.

Today, I’m sharing with you how I’ve installed NGINX and Phusion Passenger in my CentOS 7 lab using the RPM packages kindly provided by Ulyaoth. Phusion Passenger offers an installer (passenger-install-nginx-module) that helps you install NGINX and Passenger easily in five minutes, but Ulyaoth’s sbagmeijer does impressive work packaging so many useful tools and servers, and it’s always a good idea to use RPMs.

We’ll start configuring the EPEL and Ulyaoth repositories:

cat <<EOT > /etc/yum.repos.d/uylaoth.repo
[ulyaoth]
name=Ulyaoth Repository
baseurl=https://repos.ulyaoth.net/CentOS/\$releasever/\$basearch/
enabled=1
gpgcheck=1
gpgkey=https://raw.githubusercontent.com/sbagmeijer/ulyaoth/master/Repository/ulyaoth/SOURCES/RPM-GPG-KEY-ulyaoth
EOT

yum install -y epel-release

Now we’ll install the nginx-passenger package from the Ulyaoth repository:

yum install -y ulyaoth-nginx-passenger5

We’ll set the server name in the /etc/nginx/conf.d/default.conf file:

server_name tornasol.artemit.local;

We’ll change the following line in the /etc/nginx/conf.d/passenger.conf file:

passenger_instance_registry_dir /var/run/passenger;

We’ll add the following line in the /root/.bash_profile file to add a new environment var needed by passenger-status (remember to open a new session to load the new var :-D):

echo 'export PASSENGER_INSTANCE_REGISTRY_DIR=/var/run/passenger' >> /root/.bash_profile

We’ll create the /var/run/passenger directory and set permissions and ownership:

mkdir /var/run/passenger
chmod -R 755 /var/run/passenger
chown -R nginx:nginx /var/run/passenger

We’ll add the following config file so /var/run/passenger temporary directory is created after a system restart:

cat <<EOT > /etc/tmpfiles.d/passenger.conf
d /var/run/passenger 0755 nginx nginx
EOT

We should add a rule to the firewall allowing http traffic:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="80" protocol="tcp" accept'

firewall-cmd --reload

We should enable the service to start at boot time:

systemctl enable nginx.service

Finally we’ll start the service and check that it’s running (we’ll see nginx and Passenger binaries):

systemctl start nginx.service
systemctl status nginx.service

[...]
nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled)
Active: active (running) since vie 2015-04-03 12:41:52 CEST; 8s ago
...
CGroup: /system.slice/nginx.service
├─20924 PassengerAgent watchdog
├─20927 PassengerAgent server
├─20932 PassengerAgent logger
├─20942 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
└─20944 nginx: worker process
[...]

And don’t forget to test your NGINX server, which listens on port 80 by default:

[Screenshot: NGINX running]

Of course if you’re using SELinux you may run the following commands.

yum install -y policycoreutils-python

We’ll change the context for the root html directory (we set read and write permissions; you can set read-only permissions using httpd_sys_content_t instead):

semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html(/.*)?"
restorecon -Rv /usr/share/nginx/html

We’ll change the context for the passenger log directory:

semanage fcontext -a -t httpd_log_t "/var/log/passenger(/.*)?"
restorecon -Rv /var/log/passenger

We’ll change the context for the PassengerAgent binary:

semanage fcontext -a -t httpd_exec_t "/etc/nginx/modules/passenger/buildout/support-binaries/PassengerAgent"
restorecon -v /etc/nginx/modules/passenger/buildout/support-binaries/PassengerAgent

We’ll change the context for Passenger’s native support:

semanage fcontext -a -t httpd_exec_t /etc/nginx/modules/passenger/buildout/ruby/ruby-2.0.0-x86_64-linux/passenger_native_support.so
restorecon -v /etc/nginx/modules/passenger/buildout/ruby/ruby-2.0.0-x86_64-linux/passenger_native_support.so

We’ll change the context for passenger-status and passenger-memory-stats:

semanage fcontext -a -t bin_t "/etc/nginx/modules/passenger/bin/passenger-memory-stats"
semanage fcontext -a -t bin_t "/etc/nginx/modules/passenger/bin/passenger-status"
restorecon -v /etc/nginx/modules/passenger/bin/passenger-memory-stats
restorecon -v /etc/nginx/modules/passenger/bin/passenger-status

We’ll set the following SELinux boolean variables:

setsebool -P httpd_run_stickshift 1
setsebool -P httpd_setrlimit 1
setsebool -P httpd_tmp_exec 1

We’ll add an SELinux policy so PassengerAgent runs fine:

yum install -y policycoreutils-devel

mkdir /root/policy
cd /root/policy

cat <<EOT > /root/policy/passengeragent.te
policy_module(passengeragent, 1.0)
gen_require(\`
type httpd_t;
type httpd_tmp_t;
type httpd_var_run_t;
type kernel_t;
class capability2 block_suspend;
class capability sys_ptrace;')

allow httpd_t self:capability2 block_suspend;
allow httpd_t self:capability sys_ptrace;
allow httpd_t httpd_tmp_t:file execute;
allow httpd_t httpd_var_run_t:file execute;
EOT

make -f /usr/share/selinux/devel/Makefile passengeragent.pp

semodule -i passengeragent.pp
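
The module above lets httpd_t execute files labelled httpd_tmp_t and httpd_var_run_t, types the web server can also write to, and grants it sys_ptrace, so it is worth reading the rules before running semodule -i. The following reviewer is an added example, not part of the original post: it lists the allow rules in a .te source that grant execute on files or a sensitive capability. The review_te function and the set of flagged permissions are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# review_te FILE: list allow rules in a .te source that grant execute on
# files or a sensitive capability (the flagged sets are an illustrative choice).
review_te() {
    awk '
        $1 == "allow" {
            rule = $0; sub(/;[ \t]*$/, "", rule)
            split($3, tc, ":")              # tc[1] = target type, tc[2] = class
            perms = rule
            sub(/^[^:]*:[^ \t]+[ \t]*/, "", perms)   # drop the part before the permissions
            gsub(/[{}]/, " ", perms)                 # unwrap a braced permission set
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++) {
                if (tc[2] == "file" && p[i] ~ /^(execute|execute_no_trans|execmod)$/)
                    print "EXEC " $2 " -> " tc[1] " (" p[i] ")"
                if (tc[2] ~ /^capability2?$/ && p[i] ~ /^(sys_ptrace|sys_admin|dac_override)$/)
                    print "CAP  " $2 " " p[i]
            }
        }
    ' "$1"
}

# Constructed sample: the allow rules from passengeragent.te above.
te=$(mktemp)
cat > "$te" <<'EOT'
allow httpd_t self:capability2 block_suspend;
allow httpd_t self:capability sys_ptrace;
allow httpd_t httpd_tmp_t:file execute;
allow httpd_t httpd_var_run_t:file execute;
EOT
review_te "$te"
```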

And that’s all, I hope this post helps you and I look forward to your feedback about errors and suggestions.

Thanks for reading!