nginx生产环境平滑升级版本

背景

线上系统nginx版本为1.14.0版本，因等保扫描，该版本存在漏洞，故需要对其升级到1.17.3版本，升级需保障线上业务平稳运行，需升级需要平滑升级，不对线上服务造成影响，以下记录本次升级过程

步骤

1. 升级之前先获取老版本nginx的变异参数

# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --add-module=../fastdfs-nginx-module/src

2. 下载1.17.3版本的安装包到software目录

# cd /home/software
# wget http://nginx.org/download/nginx-1.17.3.tar.gz

3. 解压新版本到program目录

# cd /home/program
# tar -zxvf /home/software/nginx-1.17.3.tar.gz

4. 编译nginx，注意不执行‘make install’

# cd /home/program/nginx-1.17.3
# ./configure --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --add-module=../fastdfs-nginx-module/src
# make

5. 备份旧版本nginx执行程序

cp -rf /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx14.bak

6. 替换nginx执行程序为最新的

cp -rf objs/nginx /usr/local/nginx/sbin/

7. 发送USR2信号给旧版本主进程号,使nginx的旧版本停止接收请求，用nginx新版本接替，且老进程处理完所有请求，关闭所有连接后，停止，相关信号如下所示：
   

# cd /usr/local/nginx/logs/
[root@Gene-redis 2021-04-12 18:38:28 /usr/local/nginx/logs] 
# ls
access.log  error.log  nginx.pid
# kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`

此时查看nginx进程就会有两个nginx的主进程，此时老的还在运行之前待处理的请求，新的请求将由新的进程处理请求

# ps -ef|grep nginx
root     27154     1  0 Mar25 ?        00:00:00 nginx: master process ./nginx
nobody   27492 27154  0 Mar25 ?        00:04:42 nginx: worker process
root     28681 27154  0 17:20 ?        00:00:00 nginx: master process ./nginx
nobody   28682 28681  0 17:20 ?        00:00:00 nginx: worker process
root     28684 28533  0 17:20 pts/1    00:00:00 grep --color=auto nginx

并且logs目录下会生成nginx.pid.oldbin文件，里面存放了老版本的pid号

# ll
total 1417008
-rw-r--r--. 1 root root 1234085629 Apr 12 17:21 access.log
-rw-r--r--. 1 root root   82733488 Apr 12 17:21 error.log
-rw-r--r--  1 root root          6 Apr 12 17:20 nginx.pid
-rw-r--r--  1 root root          6 Mar 25 14:59 nginx.pid.oldbin

8. 再从容优雅观察旧的主进程，它会等请求处理完成再关闭

# kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`

此时可以看到主进程的状态改变了

# ps -ef|grep nginx
root     27154     1  0 Mar25 ?        00:00:00 nginx: master process ./nginx
nobody   27492 27154  0 Mar25 ?        00:04:42 nginx: worker process is shutting down
root     28681 27154  0 17:20 ?        00:00:00 nginx: master process ./nginx
nobody   28682 28681  0 17:20 ?        00:00:00 nginx: worker process
root     28720 28533  0 17:21 pts/1    00:00:00 grep --color=auto nginx

再过一会就只剩一个主进程提供服务了

# ps -ef|grep nginx
root     28681 27154  0 17:20 ?        00:00:00 nginx: master process ./nginx
nobody   28682 28681  0 17:20 ?        00:00:00 nginx: worker process
root     28720 28533  0 17:21 pts/1    00:00:00 grep --color=auto nginx

9. 再查看nginx版本信息，可以看到nginx已经完成了升级，并且线上服务正常运行

# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.17.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --add-module=../fastdfs-nginx-module/src