
nginx-agent.service using deprecated options #1209

@UnwashedMeme

Bug Overview

When I install nginx-agent v3 on Ubuntu 24.04 I expect it to work smoothly. While it does work, it gives off a number of concerning errors.

Expected Behavior

I expect agent to run without filling my system journal with warnings.

Steps to Reproduce the Bug

  1. Install agent on Ubuntu 24.04.
  2. Run systemctl status nginx-agent

nbird@dpvm-tf2k:~$ journalctl -u nginx-agent.service | head
Aug 11 20:54:43 dpvm-tf2k systemd[1]: /etc/systemd/system/nginx-agent.service:23: PIDFile= references a path below legacy directory /var/run/, updating /var/run/nginx-agent/nginx-agent.pid → /run/nginx-agent/nginx-agent.pid; please update the unit file accordingly.
Aug 11 20:54:43 dpvm-tf2k systemd[1]: /etc/systemd/system/nginx-agent.service:26: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
Aug 11 20:54:43 dpvm-tf2k systemd[1]: /etc/systemd/system/nginx-agent.service:27: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.

Environment Details

nbird@dpvm-tf2k:~$ nginx-agent --version
nginx-agent version v3.1.0-2b6a9f2
nbird@dpvm-tf2k:~$ lsb_release  -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.3 LTS
Release:        24.04
Codename:       noble

Additional Context

A broader perspective is that I suspect the packaging template needs to be refreshed.

Looking at https://github.com/nginx/agent/blob/31f9ef0717a810253bdc61dd9acb6bc0cc43dd35/scripts/packages/nginx-agent.service there's some oddness in here:

  • Why does a Type=simple service have a pidfile directive at all?
  • StandardOutput/StandardError should probably be journal (or omitted to use system default, which is normally journal)
  • SyslogIdentifier is not necessary? This should be the default value already since the service is named nginx-agent
  • It would probably be better to omit ExecStop= and rely on KillMode=, KillSignal=, and TimeoutStopSec=
    • If all of these were removed it would get a SIGTERM and shut down fine.
  • Can we add any sandboxing directives to help give confidence nginx-agent isn't going to do more than it should to the system?
    • E.g. ProtectSystem=. Should nginx-agent ever be writing to /usr/? Writing to /etc/ probably makes sense (e.g. /etc/nginx)
    • Would a PrivateTmp= make sense? Where does agent write temporary files to during configuration; this could help ensure they get cleaned up so there aren't orphans being left behind.
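
An added illustration of the changes discussed in this issue, written as a constructed `[Service]` excerpt; it is not the project's unit file and not part of the original post. The "before" values are taken from the journal warnings quoted above, and the sandboxing values are assumptions that would need testing against how the agent actually writes files.

```ini
# Constructed [Service] excerpt for nginx-agent.service (example, not the packaged file).
[Service]
# As described in the issue.
Type=simple

# Before (journal warning for line 23):
#   PIDFile=/var/run/nginx-agent/nginx-agent.pid
# After: the path systemd rewrites it to. For Type=simple, systemd already
# tracks the main process, so dropping the directive is the other option.
PIDFile=/run/nginx-agent/nginx-agent.pid

# Before (journal warnings for lines 26 and 27):
#   StandardOutput=syslog
#   StandardError=syslog
# After: journal is what systemd substitutes anyway. Omitting both lines
# falls back to the system default, which is normally journal.
StandardOutput=journal
StandardError=journal

# Sandboxing raised in the issue. Assumed starting values, not project defaults.
# "true" mounts /usr and the boot loader directories read-only and leaves
# /etc writable, so configuration under /etc/nginx can still be written.
ProtectSystem=true
# Private /tmp and /var/tmp for the service, removed when it stops.
# Only suitable if the agent does not hand files to nginx through /tmp.
PrivateTmp=true
```

The parse warnings come from the unit file's own lines, so they are fixed there rather than in a drop-in. After editing, `systemctl daemon-reload` followed by `systemd-analyze verify nginx-agent.service` shows whether the warnings are gone, and `systemd-analyze security nginx-agent.service` reports how the sandboxing settings change the unit's exposure.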

Labels: bug (Something isn't working)