phusion / passenger_library

Phusion Passenger documentation
https://www.phusionpassenger.com/docs

Caught off guard by installation documentation (Ubuntu 18) #95

Open thbar opened 4 years ago

thbar commented 4 years ago

Gathering of information (the whole story)

I'm in the process of moving servers from Ubuntu 16 to Ubuntu 18.

On Ubuntu 16, Passenger was providing both nginx-extras and passenger together.

Readjusting for Ubuntu 18 (following the official guide for Ubuntu 18), I read:

At this point we assume that you already have Nginx installed from your system repository. If not, you should install Nginx with the following command: sudo apt-get install nginx

If we read the NGINX installation documentation for Ubuntu, we can read (emphasis mine):

The package can be installed from:

  • A default Ubuntu repository. This is the quickest way, but generally the provided package is outdated.
  • The official repo at nginx.org. You have to set up the apt-get repository the first time, but after that the provided package is always up to date.

NGINX is here explicitly recommending to use their official repo and not the default Ubuntu repository (the documentation for that can be found here).

If we use the official NGINX repository to install nginx, and then follow the Passenger guide, we get this error when installing libnginx-mod-http-passenger=1:6.0.4-1~bionic1:

    Reading package lists...
    Building dependency tree...
    Reading state information...
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:

    The following packages have unmet dependencies:
     nginx : Conflicts: nginx-common but 1.14.0-0ubuntu1.7 is to be installed
             Conflicts: nginx-common:i386

In the Passenger 6.0.3 release notes, it is written:

[Nginx] Bumps the preferred Nginx version to 1.17.3 (previously 1.15.8).

This point has been addressed a bit at https://github.com/phusion/passenger/issues/2122#issuecomment-452082803, and the answer at https://github.com/phusion/passenger/issues/2122#issuecomment-454477833 indicates:

if you're using a non system nginx, then you'll want to use these instructions to compile the passenger dynamic module against your nginx sources: https://www.phusionpassenger.com/library/install/nginx/install_as_nginx_module.html

My opinion

Note that I'm not requesting/being entitled to anything (I'm an OSS maintainer myself), merely documenting my surprise.

I've been using Passenger happily since 2008 (I gave a donation back then), but the upgrade from Ubuntu xenial to Ubuntu bionic is more work than my clients would have expected. We are considering migrating to Puma instead, which makes me a bit sad.

Again, not requesting anything - just documenting what I thought would be easier, in hope it will help others, and maybe improve the documentation on that part.

CamJN commented 4 years ago

It looks like you've correctly summed up the situation. I'm doing some work on the documentation now, so if folks have suggestions I'll take them into account.

So far the following changes have been made: https://github.com/phusion/passenger_library/commit/7dce91cfc05a27dbe004e7437cd1583405a2b837

thbar commented 4 years ago

@CamJN a question that has popped up while discussing this with a client is the following: how secure is the Ubuntu-provided nginx package, compared to the version provided by nginx themselves? Apart from the feature difference, are all the CVE patches applied, and is there also a lag in those patches between what nginx provides and what Ubuntu will ultimately bundle?

I think it could be useful to add a note on that, because people currently installing 1.14.0 by default on Ubuntu could wonder.

Thanks otherwise for your update, appreciated. I will provide more input if I have more later!

CamJN commented 4 years ago

Ubuntu back-ports security patches to their supported versions of packages. I don't have a good link to their policy to provide, unfortunately. But that's why there is a -#ubuntu style suffix on their packages.
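The two practical questions raised in this thread are "which of the two Passenger install paths applies to the nginx I actually have?" (the apt conflict above versus compiling the module against nginx.org sources) and "does the Ubuntu package really carry back-ported CVE fixes?" (the -#ubuntu suffix point). The script below is an added example, not code from the Passenger project or from either commenter. It answers both questions from strings you can obtain with `dpkg-query -W -f='${Version}' nginx` and `apt-get changelog nginx`, but it runs offline here on constructed input. The assumption that nginx.org builds carry a `-1~<codename>` Debian revision (for example `1.17.3-1~bionic`) while Ubuntu builds carry `-<n>ubuntu<m>` is mine; a version with no revision at all (a from-source build) is reported as unknown rather than guessed at.

```shell
#!/bin/sh
# Added example, not part of the Passenger documentation or this thread.
# Classifies an installed nginx by package version and lists the CVE ids
# an Ubuntu changelog says were back-ported. Offline: sample input is
# constructed below; the live commands are shown in comments.

# Strip the Debian revision to get the upstream nginx version,
# e.g. "1.14.0-0ubuntu1.7" -> "1.14.0".
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# Decide where a package came from by its Debian revision suffix.
# Assumption (mine): Ubuntu builds look like 1.14.0-0ubuntu1.7,
# nginx.org builds look like 1.17.3-1~bionic. Anything else -> unknown.
nginx_origin() {
    case "$1" in
        *-[0-9]*ubuntu*)   echo ubuntu ;;
        *-[0-9]*~[a-z]*)   echo nginx.org ;;
        *)                 echo unknown ;;
    esac
}

# Map the origin to the install path discussed in the thread:
# the Ubuntu nginx takes the apt module package; a non-system nginx
# needs the Passenger module compiled against its own sources.
passenger_install_path() {
    case "$(nginx_origin "$1")" in
        ubuntu)    echo "apt-get install libnginx-mod-http-passenger" ;;
        nginx.org) echo "compile passenger module against nginx sources (install_as_nginx_module)" ;;
        *)         echo "unknown origin: check 'nginx -V' before picking a path" ;;
    esac
}

# Extract the distinct CVE identifiers mentioned in a Debian changelog
# read from stdin. Live use: apt-get changelog nginx | cve_ids
cve_ids() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Count the distinct CVE ids in a changelog passed as a string.
count_cves() {
    printf '%s\n' "$1" | cve_ids | wc -l | tr -d ' '
}

# Constructed sample in Debian changelog format. The CVE ids are
# placeholders (CVE-0000-000x), not real advisories.
SAMPLE_CHANGELOG='nginx (1.14.0-0ubuntu1.7) bionic-security; urgency=medium

  * SECURITY UPDATE: constructed placeholder entry, not a real advisory
    - debian/patches/CVE-0000-0001.patch: placeholder
    - CVE-0000-0001
  * SECURITY UPDATE: second constructed placeholder entry
    - CVE-0000-0002

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2020 00:00:00 +0000
'

# Stand-alone demonstration on the constructed data.
for v in 1.14.0-0ubuntu1.7 1.17.3-1~bionic 1.17.3; do
    printf '%s -> upstream %s, origin %s: %s\n' \
        "$v" "$(upstream_version "$v")" "$(nginx_origin "$v")" \
        "$(passenger_install_path "$v")"
done
printf 'back-ported CVE ids in sample changelog: %s\n' "$(count_cves "$SAMPLE_CHANGELOG")"
```

The changelog grep answers "are patches applied" only to the extent the maintainer names the CVE in the changelog, which Ubuntu security uploads do; it says nothing about lag, which you measure by comparing `upstream_version` of the installed package against the version in nginx.org's own changelog.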