After upgrade from leap 15.3 to 15.4, nginx can't start

I upgraded leap153 to 154,now the nginx can’t start or restart, please help:

navid@dongip:~> sudo systemctl start nginx
× nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2022-07-12 04:47:50 +0430; 9h ago
Process: 30210 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
navid@dongip:~> sudo systemctl start nginx
[sudo] password for root:
Job for nginx.service failed because the control process exited with error code.
See “systemctl status nginx.service” and “journalctl -xeu nginx.service” for details.
navid@dongip:~> sudo journalctl -xeu nginx.service
░░ The process’ exit code is ‘exited’ and its exit status is 1.
Jul 12 04:47:50 dongip systemd[1]: nginx.service: Failed with result ‘exit-code’.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit nginx.service has entered the ‘failed’ state with result ‘exit-code’.
Jul 12 04:47:50 dongip systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
░░ Subject: A start job for unit nginx.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit nginx.service has finished with a failure.
░░
░░ The job identifier is 11230 and the job result is failed.
Jul 12 14:29:17 dongip systemd[1]: Starting The nginx HTTP and reverse proxy server…
░░ Subject: A start job for unit nginx.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit nginx.service has begun execution.
░░
░░ The job identifier is 14872.
Jul 12 14:29:17 dongip nginx[12547]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 12 14:29:17 dongip nginx[12547]: nginx: [emerg] open() “/usr//logger” failed (30: Read-only file system)
Jul 12 14:29:17 dongip nginx[12547]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul 12 14:29:17 dongip systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStartPre= process belonging to unit nginx.service has exited.
░░
░░ The process’ exit code is ‘exited’ and its exit status is 1.
Jul 12 14:29:17 dongip systemd[1]: nginx.service: Failed with result ‘exit-code’.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit nginx.service has entered the ‘failed’ state with result ‘exit-code’.
Jul 12 14:29:17 dongip systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
░░ Subject: A start job for unit nginx.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit nginx.service has finished with a failure.
░░
░░ The job identifier is 14872 and the job result is failed.
lines 1019-1066/1066 (END)

I do not see any problem with nginx in Leap 15.4 in the default configuration. But from the line


...
**Jul 12 14:29:17 dongip nginx[12547]: nginx: [emerg] open() "/usr//logger" failed (30: Read-only file system) 
**...

i would conclude that you have configured something that need read/write access in directory /usr/logger. In Leap 15.4 nginx.service has now set ProtectSystem=full. That means that /usr and /etc and who knows what else are mounted read-only for nginx. See man systemd.exec for details. And as you can see here there are a lot of new security settings in ngingx.service:


> sudo systemctl cat nginx.service  
**# /usr/lib/systemd/system/nginx.service**
[Unit] 
Description=The nginx HTTP and reverse proxy server 
After=network-online.target remote-fs.target nss-lookup.target 
Wants=network-online.target 

[Service] 
PIDFile=/run/nginx.pid 
ExecStartPre=/usr/sbin/nginx -t 
ExecStart=/usr/sbin/nginx -g "daemon off;" 
ExecReload=/bin/kill -s HUP $MAINPID 
KillSignal=SIGQUIT 
TimeoutStopSec=5 
KillMode=mixed 
PrivateTmp=true 
# added automatically, for details please see 
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort 
**ProtectSystem=full** 
ProtectHome=read-only 
PrivateDevices=true 
ProtectHostname=true 
ProtectClock=true 
ProtectKernelTunables=true 
ProtectKernelModules=true 
ProtectKernelLogs=true 
ProtectControlGroups=true 
RestrictRealtime=true 
# end of automatic additions  

[Install] 
WantedBy=multi-user.target



Yes Resolved

One of the config file need this permission.

Thank you,

Hi,

I have just updated 15.3 to 15,4 and I have the same/similar problem. I have read the content above, but I cannot understand what action I need to take.

Can anyone help?

Kind regards
Pedro

I stumbled on this old and already solved thread by incident.

When you want to draw attention to your problem, best is to start a new thread (those are the ones that people will look at!)with a good telling title and with the information that belongs to your problem on your system.