Comments (11)
Reading some more configs, it might be worth trying to set worker_shutdown_timeout; it seems to give the workers a hard deadline before they are killed. It will cause some minor hiccups for the connected clients, but if they handle reconnects properly it should not be an issue.
from docker-nginx-certbot.
Nginx has one "main" process, and then one worker per CPU (if set to automatic).
This is how it looks on my 8 core machine:
ps fax | grep nginx
1 pts/0 Ss+ 0:00 /bin/bash /scripts/start_nginx_certbot.sh
38 pts/0 S+ 0:00 nginx: master process nginx -g daemon off;
411 pts/0 S+ 0:00 \_ nginx: worker process
412 pts/0 S+ 0:00 \_ nginx: worker process
413 pts/0 S+ 0:00 \_ nginx: worker process
414 pts/0 S+ 0:00 \_ nginx: worker process
415 pts/0 S+ 0:00 \_ nginx: worker process
417 pts/0 S+ 0:00 \_ nginx: worker process
418 pts/0 S+ 0:00 \_ nginx: worker process
419 pts/0 S+ 0:00 \_ nginx: worker process
39 pts/0 S+ 0:00 /bin/bash /scripts/start_nginx_certbot.sh
After a reload Nginx starts new worker processes with the new configuration settings, but lets the old processes shut down in a controlled fashion. This means that if there are clients that hold a TCP connection open, the old worker will remain active until all of its connections are terminated: https://www.ruby-forum.com/t/memory-usage-doubles-on-reload/239590/2
How often do you reload, and what type of clients connect to you?
Because it seems weird if they hold a connection open for the 8-day reload cycle that is the default.
Ah yes, that would explain the behavior to me. We are controlling a huge number of sensors that maintain a persistent connection (WebSocket) to our service (through NGINX). These connections remain open as long as the VM is available (until restart/crash or whatever).
What do you think, would it make sense in this case to increase the renewal interval? Or do you see some other solution?
Or would it be possible to force the termination of the "old" process?
Depends on what you value here.
Let's Encrypt certificates are valid for 90 days, so you could probably set it to 85 days or so, but read this first.
However, this still has the issue that your clients will continue to hold that connection open, so if they do not restart/reconnect during another 80 days you will run into the same issue again.
I don't find any information on how to "forcefully" reload Nginx, so the next best thing would perhaps be to restart the container, which terminates everything and starts up again with new certificates. This means that you will have some downtime (seconds) but if your clients can handle that, then it would work.
You could probably write some logic of your own that tries to kill long-lived processes, but I believe that is outside the scope of the scripts I provide.
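The reload behaviour discussed above (old workers keep draining until their last client goes away), the worker_shutdown_timeout suggestion, and the "kill long-lived processes" idea from the last reply, illustrated with an added shell example. This is not code from docker-nginx-certbot; it is an editor's example. worker_shutdown_timeout is a main-context directive (for example `worker_shutdown_timeout 30s;` next to worker_processes), and once it is set nginx itself closes the remaining connections of a draining worker at the deadline. The script below is the check you would run to confirm that no old worker outlives that deadline, and, as a fallback when the directive is not set, the forced-termination logic the maintainer mentions. It assumes procps `ps -o pid=,etimes=,args= -C nginx` output (`pid`, seconds since the process started, command line); nginx titles a draining worker "nginx: worker process is shutting down", and the new workers are forked at reload time, so the age of the youngest active worker is used as the time since the reload. The timeout value of 30 s, the function names and the sample ps lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of docker-nginx-certbot: find nginx workers that are still
# draining after a reload and have outlived the configured worker_shutdown_timeout.
#
# Expected input, one process per line: "<pid> <elapsed-seconds> <args...>", e.g. from
#   ps -o pid=,etimes=,args= -C nginx        (procps; assumed to be installed)

# Seconds matching the worker_shutdown_timeout set in nginx.conf (assumed value).
SHUTDOWN_TIMEOUT=30

# Read ps lines on stdin, print "<pid> <seconds-overdue>" for each draining worker
# that has been draining longer than the timeout. Time since the reload is estimated
# as the age of the youngest active worker (they are forked when nginx reloads).
overdue_workers() {
    awk -v timeout="$1" '
        BEGIN { deadline = timeout + 0 }
        /nginx: worker process is shutting down/ { old[$1] = 1; next }
        /nginx: worker process/ {
            age = $2 + 0
            if (!seen || age < youngest) { youngest = age; seen = 1 }
        }
        END {
            if (!seen) exit 0                  # no fresh workers: no reload in progress
            for (pid in old)
                if (youngest > deadline) print pid, youngest - deadline
        }' | sort -n
}

# Forced termination fallback. SIGTERM makes an nginx worker do a fast shutdown, so the
# clients it still holds are dropped and must reconnect. DRY_RUN=1 (the default) only
# prints what would be done; run with DRY_RUN=0 to actually send the signal.
kill_overdue() {
    ps -o pid=,etimes=,args= -C nginx | overdue_workers "$SHUTDOWN_TIMEOUT" |
    while read -r pid overdue; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would send SIGTERM to worker $pid (overdue by ${overdue}s)"
        else
            kill -TERM "$pid"
        fi
    done
}

# Constructed sample ps output: one master, one old worker still draining since
# before the reload, and two new workers forked 45 seconds ago at the reload.
SAMPLE='   38    3600 nginx: master process nginx -g daemon off;
  411    3600 nginx: worker process is shutting down
  520      45 nginx: worker process
  521      45 nginx: worker process'

# Run the check against the sample with the given timeout (defaults to SHUTDOWN_TIMEOUT).
demo() {
    printf '%s\n' "$SAMPLE" | overdue_workers "${1:-$SHUTDOWN_TIMEOUT}"
}

demo "$SHUTDOWN_TIMEOUT"    # with the sample: worker 411 is 15 s past the 30 s deadline
```

Against the sample, `demo 30` reports `411 15`, and `demo 60` reports nothing because the reload happened only 45 seconds ago. In a container you would run `overdue_workers` against live `ps` output from cron or a sidecar; with worker_shutdown_timeout configured the list should always be empty, which is exactly the property worth alerting on.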
Makes total sense to me, thanks a lot for your help Jonas! Btw, I really appreciate your work! Thanks a lot and have a good day.
Thanks again, I will definitely give that setting a try. And if not working, I will ensure to restart the container once per month.
Just for information, I tested worker_shutdown_timeout and it works perfectly. The devices are disconnected as desired and the memory 'leak' is gone. Everything is fine, thanks a lot for your help!
Glad to hear that!