远程管理openresty的reload
Posted Ceph对象存储方案
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了远程管理openresty的reload相关的知识,希望对你有一定的参考价值。
远程管理openresty的reload
背景介绍
默认情况下,nginx/openresty会启动一个root权限运行的master进程,之后再用指定的普通用户权限启动对应的worker,如果需要对整个openresty进行reload或者重启操作,则必须使用root权限才行,为了解决普通worker的提权问题,openresty提供了一个privileged agent的patch来对这些提权操作进行处理,本文就是利用privileged agent来实现对nginx进程状态的控制,最终来实现远程reload。
基本思路
在openresty的init_by_lua_block阶段启动privileged agent,之后再init_worker_by_lua_block阶段针对privileged agent设置其具体需要执行的reload操作,最终在content_by_lua_block中通过改变共享内存的dict字段的内容触发对应的reload操作。
操作流程
使用的openresty版本信息如下
[root@demo]# openresty -V
nginx version: openresty/1.13.6.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.1.0h 27 Mar 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.13 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.5 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-dtrace-probes --with-stream --with-stream_ssl_module --with-http_ssl_module
[root@demo]# cat /usr/local/openresty/nginx/conf/nginx.conf
...
user ceph; #普通用户启动worker
...
http {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
fastcgi_request_buffering off;
lua_shared_dict reload_status 1m; #共享内存dict
include /usr/local/openresty/nginx/conf/mime.types;
default_type application/octet-stream;
init_by_lua_block {
local process = require "ngx.process"
-- 启用特权代理privileged agent
local ok, err = process.enable_privileged_agent()
if not ok then
ngx.log(ngx.ERR, "enables privileged agent failed error:", err)
end
ngx.log(ngx.ERR, "1process type: ", process.type())
}
init_worker_by_lua_block {
local process = require "ngx.process"
if process.type() ~= "privileged agent" then
return
end
local function do_reload()
while true do
ngx.sleep(3) #每3秒检查一次
local reload_s = ngx.shared.reload_status
local value, flags = reload_s:get("reload")
if value == 1 then
ngx.log(ngx.ERR, "reloading ")
os.execute([[kill -HUP `ps -ef|grep "nginx: master process" |grep -v grep |awk '{print $2}'`]]) #严谨一点,最好在reload之前加上nginx配置的检查
local value, flags = reload_s:set("reload",0)
end
end
end
ngx.timer.at(0, do_reload)
}
server {
listen 80 default;
server_tokens off;
server_name demo;
location = /t {
#如果是生产环境,这里需要加上IP白名单和auth认证来提高安全性
content_by_lua_block {
local process = require "ngx.process"
ngx.say("process type: ", process.type())
ngx.say("master process pid: ", process.get_master_pid() or "-")
local reload_s = ngx.shared.reload_status
reload_s:set("reload", 1)
ngx.say("reload sucessful")
}
}
}
}
[root@demo]# ps axu|grep nginx #重启nginx/openresty后,检查进程状态
root 913116 0.0 0.0 37996 3324 ? Ss 09:42 0:00 nginx: master process /usr/local/openresty/bin/openresty
ceph 913360 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913361 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913362 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913363 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913364 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913365 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913366 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913367 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913368 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913369 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913370 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913371 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913372 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913373 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913374 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
ceph 913375 0.0 0.0 40528 3128 ? S 09:51 0:00 nginx: worker process
root 913376 0.0 0.0 38288 2644 ? S 09:51 0:00 nginx: privileged agent process #privileged agent启动成功,注意权限为root
[root@demo]# curl localhost/t #测试
process type: worker
master process pid: -
reload sucessful #reload成功
[root@demo]# tailf /var/log/nginx/error.log
2018/09/18 09:51:33 [error] 913255#913255: *58 [lua] init_worker_by_lua:12: reloading , context: ngx.timer #reload成功
总结
通过上面的操作可以很方便的给openresty植入后门,从而….
所以,熊孩子不要拿这个搞破坏,特此申明因此引发的所有违法犯罪行为本人概不负责!
以上是关于远程管理openresty的reload的主要内容,如果未能解决你的问题,请参考以下文章