When setting up Nginx on Ubuntu through Puppet, you may encounter permission errors related to log files. Specifically, you might see messages indicating that Nginx cannot access the error and access log files due to permission issues. Here’s how to resolve these errors by configuring the appropriate permissions in your Puppet manifest.

Understanding the Errors

The typical errors you might see include:

[alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
[warn] 1898#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
[emerg] 1898#0: open() "/var/log/nginx/access.log" failed (13: Permission denied)

These messages indicate that the Nginx process does not have the necessary permissions to write to the log files located in /var/log/nginx/. To avoid manually changing permissions with chown or chmod each time you deploy a new server, you can automate this process using Puppet.

Puppet Manifest Configuration

To ensure that Nginx has the correct permissions for its log directory, you can add the following configuration to your Puppet manifest:

file { '/var/log/nginx':
    ensure => directory,
    mode    => '0755',
    owner   => 'www-data',
    group   => 'www-data',
    recurse => true,
}

Best Practices for Log Permissions

When configuring permissions, it is generally advisable to set the owner of the log directory to www-data, which is the default user under which Nginx runs. The permissions 0755 allow the owner to read, write, and execute, while others can only read and execute. This setup ensures that Nginx can write logs while maintaining a level of security.

Verifying the Configuration

After applying the Puppet manifest, you can verify that Nginx is running correctly and has access to the log files by checking the process list:

ps aux | grep [n]ginx

You should see the Nginx master process running as root and worker processes as www-data. If the permission issues persist, double-check your Puppet configuration and ensure that the Nginx service has been restarted after making changes.

By following these steps, you can effectively manage Nginx log permissions using Puppet, streamlining your server setup process and avoiding repetitive manual adjustments.