We are hiring - Come work with us at Phusion to help create awesome server tools to power the modern web. Learn more.

Passenger 5.1: a new milestone in robustness, security and efficiency

It’s been a little over a year-and-a-half since we released the first version of Passenger 5, the application server for Ruby, Python, Node.js and Meteor. It brought a large amount of major improvements.

Since then we have introduced many more major improvements. To celebrate this fact, we bumped the minor version number and are happy to announce version 5.1.1! It is the culmination of all the work that has gone into Passenger, with bugfixes, many big and small improvements, and is fully compatible with the 5.0.x line (no breaking changes).

The same period has also seen the growth of the Passenger team, as well as a significant expansion of the Passenger documentation with the introduction of the Passenger Library.

Looking back at improvements since 5.0

In this blog post we’re looking back at the improvements we’ve introduced in Passenger since 5.0.1. The regular description of changes since 5.0.30 can be found at the end, and includes two notable security fixes.

In an upcoming blog post we will look to the future and describe some of the exciting ideas we have in store for this year, so stay tuned!

A plethora of improvements

There are too many improvements to Passenger since version 5.0 to go into them all in-depth, so we've gathered and categorized them by how they help you to manage and run your application harder, better, faster, stronger.

Minimizing and preventing down time

Passenger has a lot of features for minimizing and preventing downtime in apps, such as rolling restarts and deployment error resistance.

After 5.0.1 we’ve further improved the robustness in challenging situations like running out of memory or crashing application code. Rolling restarts were changed to maintain an even more resource-friendly load profile.

Improvements after 5.0.1
Protection from response body processing crashes
Prevent the connection from stalling if the Ruby handler crashes while processing a Rack response body.
Resource friendly rolling restart (Enterprise)
Passenger Enterprise avoids system overload from processes that use a lot of resources during shutdown by waiting for total process exit before rolling restarting the next process.
Robust log file reopening
Passenger processes now avoid failure to open the log file by re-inheriting from the Watchdog when passenger-config reopen-logs is called.
Robustness when out-of-memory
Improved out-of-memory detection in various subroutines.
Clock time-stepping robustness
Improved Passenger Core robustness against significant system wallclock changes while Passenger is running, by switching to a monotonic clock.

Secure defaults and defense in depth

Passenger does the heavy lifting to provide a secure platform from which you can serve your app with confidence.

In this category one of the most notable improvements after 5.0.1 is the new Passenger security update check. This (optional) feature allows users to be notified in case there are any important Passenger-related security updates so that they can take timely action to keep their systems secure.

Security is high on our priority list and we constantly watch for potential vulnerabilities. For example, when Rails 5 was released, we did a number of tests that revealed a DoS vulnerability. Although Passenger’s design already protects users from this type of issue, we are happy the issue has been fixed in Rails.

Improvements after 5.0.1
Passenger security update check
Daily Passenger security update check to log a warning if there is a newer Passenger version with important security fixes.
Administrative tools can be used without sudo
Admin commands like passenger-status, passenger-config restart-app can be run without sudo, and operate only on apps that are owned by admin command user.
Secure HTTP header support (Node.js)
Our new “Secure HTTP headers” mechanism allows Passenger to send per-request information to the application that cannot be spoofed by the client. Supported in all modes.
CloudLinux LVE and CageFS integration
Users of Passenger + CloudLinux LVE and CageFS benefit from extra security checks and a new control option (PassengerLveMinUid). Contributor: Oleksiy Shchukin, CloudLinux Inc.
Secure error pages
  • New secure defaults for friendly error pages: off unless the environment is development.
  • When friendly error pages are set to off, Passenger never displays any backtraces.
Especially for the Nginx integration mode
Latest stable Nginx
Passenger packages include the latest Nginx stable version, so that you benefit from all the awesome improvements in Nginx as well. Currently this is Nginx 1.10.2 (versus 1.6.0 at the time of Passenger 5.0.1).

Faster & more efficient resource use

Passenger’s design and relentless optimization enables developers and administrators to get the most performance out of their hardware.

With a couple of new options, Passenger helps high-performance servers and applications shine even when under extremely demanding loads. Conditions on a single server such as hundreds of workers, 100K+ RPM with traffic bursts can be handled flawlessly. Another interesting option is that Node.js applications can now be autoscaled; similar to what was already possible for Ruby apps.

Improvements after 5.0.1
Massive concurrency
Three new options to help configure extremely high concurrency: socket_backlog, core_file_descriptor_ulimit and app_file_descriptor_ulimit.
Modernized performance & scaling defaults
  • Speed up disk buffering and request handling with larger mbuf block size (512 to 4096).
  • Handle higher concurrency by default with larger socket backlog size (1024 to 2048).
Fast fail (Node.js, Meteor)
Passenger now signals Node.js and Meteor apps when the client has disconnected during a request so they can stop spending resources on the response.
Dynamic process scaling (Node.js, Meteor)
Node.js and Meteor apps can now benefit from dynamic process scaling with the new force_max_concurrent_requests_per_process option.

Improve development efficiency

Passenger gives developers and administrators super powers so that they can do their jobs more efficiently.

We’ve added a ton of improvements in this category, such as new options and tools for diagnostics, validation and troubleshooting of configurations, applications and connections (e.g. Websockets). Configuration ease and flexibility, as well as maintenance-friendliness have been improved in various ways, like the possibility to configure Passenger Standalone through environment variables or via a refactored configuration template. This makes Passenger integrate better than ever with Heroku, Docker and 12-factor principles.

There are also special improvements like support for the Nginx dynamic module system, installation validation for Passenger + Apache and Docker-friendly logging for Passenger Standalone.

The list below shows the first few items, but you can expand it with the link below that to see all of the improvements.

Improvements after 5.0.1
Analyzing stuck applications or websockets
passenger-status --show=server now reports last_data_send_time and last_data_receive_time which can be used to troubleshoot long-running requests (for example, to see if a websocket heartbeat is stuck).
Diagnostics for stuck processes (Enterprise)
The max_request_time_reached hook allows you to run diagnostics on a process that that took too long to respond to a request.
Thread ID in logging (Enterprise)
When running a Rails app in multithreaded mode, Rails logs are automatically tagged with the current thread number to distinguish logs generated by different threads.
Rails server integration
Passenger can now be started with rails server just like other Rails servers.
Minimum Kernel requirement lifted
RPM packages no longer require kernel 2.6.39 on RHEL 6 / CentOS 6, and are compatible with the latest SELinux changes.
Application restarting convenience & Capistrano
passenger-config restart-app received several improvements:
  • parameter . can be used to restart the app in the current working directory.
  • (Capistrano) new option --ignore-passenger-not-running that allows the command to exit without signaling an error if Passenger is not yet running, or none of the running apps belong to the invoking user.
  • interactive menu allowing you to select the app to restart.

Staying ahead of the curve

Passenger embraces modern technologies and multiple platforms to prevent lock-in and to stay ahead of the curve.

As technology moves forward through time, Passenger keeps up. For example, you can use our Passenger APT/RPM packages for the latest couple of versions of Debian, Ubuntu, Red Hat Enterprise Linux and CentOS; which includes the recently released Ubuntu 16.10 and RHEL 7.3. Passenger also supports the newly released JRuby 9.0.0.0 as well as Rails 5 + Action Cable, and a number of smaller improvements like support for IPv6 across all the different integration modes.

Improvements after 5.0.1
Packages for Debian, Ubuntu, CentOS, Red Hat Enterprise Linux
  • Debian 8 "Jessie"
  • Ubuntu 15.04 "Vivid Vervet", Ubuntu 16.04 “Xenial Xerus”, Ubuntu 16.10 “Yakkety Yak”
  • CentOS 6, 7
  • RHEL 6, 7
RHEL 7.3 / SELinux compatibility
The RPM package builder was updated to support (breaking) SELinux changes in RHEL 7.3.
Passing settings to non-bundled Meteor apps
Meteor’s new way of specifying settings for (non-bundled) apps is now supported.
Support SHA256 digests for the Rails asset pipeline
This means that software like the new Sprockets 3.x works seamlessly.
Platform build support
  • OS X 10.11 "El Capitan", macOS 10.12 "Sierra"
  • Debian GNU/kFreeBSD (contributor: stevenc99)
  • IBM power 8 (libev config.sub and config.guess updated)
Support added for JRuby 9.0.0.0
Node.js graceful shutdown
Passenger now calls process.emit('message', 'shutdown') before it shuts down an application process, allowing some compatibility with the Cluster module API.

Changes from 5.0.30 to 5.1.1

For your convenience we've listed the improvements and bugfixes specifically since version 5.0.30 below. This includes two notable vulnerabilities that were addressed in 5.1.0. Version 5.1.0 and 5.1.1 were released in short succession due to a fix for Rails 5.0.1 Action Cable, so we’re covering them both in one blogpost.

CVE-2016-1247

On the 25th of October, an issue with the default permissions in the upstream Nginx APT package was made public. It allows local users with access to the web server user account to gain root privileges via a symlink attack on the error log. The fix has been applied to the Phusion Nginx APT-package.

Predictable tmp File Path Vulnerability

On the 1st of November, Jeremy Evans reported a file overwrite vulnerability caused by a predictable temporary file being written by passenger-install-nginx-module. With access to the system, a user could plant a symlink in /tmp that resulted in a chosen-file overwrite attempt whenever passenger-install-nginx-module was run, using the access rights of the executing user, potentially even with chosen content. Files written to the tmp directory now have randomized path components to fix this vulnerability.

Update: this vulnerability was assigned CVE-2016-10345.

Other bugfixes

Passenger 5.1.0
Fixes a file overwrite vulnerability caused by a predictable temporary file being written by passenger-install-nginx-module. Thanks to Jeremy Evans for reporting this.
Fixes permissions issue on Linux when setting OOM score after lowering privileges. Closes GH-1858.
Fixes unaligned memory access in base64 decoder on platforms that have strict aliasing requirements (non x86/x86_64). Closes GH-1646.
passenger-install-apache-module now suggests the correct apache package on Ubuntu Xenial. Closes GH-1884.
Fixes compilation on Linux when a non-glibc C library is in use. Closes GH-1870.
Fixes an issue where passenger-config couldn't restart an app if the TMPDIR variable was set to /tmp
Especially for the Nginx mode
Updates to APT package builder (Debian & Ubuntu) with fix for www-data to root privilege escalation via log file handling (CVE-2016-1247/USN-3114-1).
Updates to RPM package builder (CentOS & RHEL) with fix for 1.10.x system nginx package overriding the nginx from the Passenger repo. Closes GH-1895.
Especially for the Apache mode
Fixes PassengerShowVersionInHeader option. Thanks to Sebastian Welther for contributing this.
Especially for the Standalone mode
The TempDirToucher will now spend most of its time with reduced privileges, except when it's actively touching files. This allows it to be killed when Passenger is quit in most circumstances. Closes GH-1678.
Fixes starting Passenger as a non-extant user. Closes GH-1849.
Passenger 5.1.1
The precompiled version of the PassengerAgent binary (used for e.g. gem installs) now configures (statically linked) libcurl with system keystore, so that the new security update check can successfully validate certs.
Fixes some false positives (logging) from the new Node and Meteor cluster warning system. Logging is less repetitive and has extra debug info. Closes GH-1905.
Updates the upload-progress module in the Nginx Debian package. The module version that we linked against in 5.1.0 was 0.9.2, but due to a bug in that version the module didn't work.
Especially for Passenger Enterprise
Add missing flying-passenger integration mode to security update check.
Especially for the Apache mode
Introduces a small delay to prevent running the Security Update Checker twice at startup.

Improvements

Passenger 5.1.0
Introduces daily Passenger security update check to warn (error log) if there are newer Passenger versions with important security fixes (describing what was discovered, what is affected, which version has the fix).
Passenger now reports when you try to use Node.js or Meteor clustering, and tries to continue with just a nonfunctional shim in place, so that if your code uses the clustering APIs your app may still work.
Improved look of the error pages for failing to spawn an application (development & production mode), and Error ID is now also shown in production mode.
Ubuntu 16.10 (Yakkety) support.
passenger-install-nginx-module and the standalone compiler now add the http v2, realip and addition module flags for Nginx (just like the APT/RPM/autobuilder already had). Closes GH-1788.
RPM package builder now compatible with (breaking) SELinux change in RHEL 7.3.
RPM packages no longer require kernel 2.6.39 on RHEL 6 / CentOS 6, and are compatible with SELinux changes.
Updates libev config.sub and config.guess to support newer platforms such as the IBM power 8.
Upgrades union_station_hooks_core to version 2.1.2.
Especially for Passenger Enterprise
When running a Rails app in multithreaded mode, Passenger Enterprise automatically tags Rails logs with the current thread number. This makes it possible to distinguish logs generated by different threads.
Especially for the Nginx mode
The preferred Nginx version is now 1.10.2 (previously 1.10.1).
Especially for the Standalone mode
Allows raw json envvars in Passengerfile.json. Closes GH-1837.
Enable ipv6 support by default in builtin nginx. Closes GH-1873.
Make the max_requests option available on the command line as well.
Passenger 5.1.1
The security update check now reports whether libcurl + SSL backend are statically linked to Passenger, in which case the check also needs to warn about relevant OpenSSL vulnerabilities in the linked library.
Increases the allowed line lengths emitted by apps at startup.
Adds support for the unary 'not' operator in the Union Station filter language.
Fixes support for Rails 5.0.1 Action Cable. Specifically, we now support the options argument in the write_nonblock method in hijacked Rack IO sockets.

Installing 5.1.1

Please see the installation guide.

Upgrading to 5.1.1

We strongly advise staying up to date with the latest version.

macOS
macOS
Debian
Debian
Ubuntu
Ubuntu
Heroku
Heroku
Red Hat
Red Hat
CentOS
CentOS
Ruby gem
Ruby gem
Tarball
Tarball
Ruby gem
Docker

Upgrade notes

  • If you are upgrading from version 4, please see the Passenger 5 upgrade notes for potential caveats.

  • If you are getting a download error during a gem install, ensure you have a version of gem >= 2.2.0 (2013), for instance by running gem install rubygems-update; update_rubygems.

  • If you are using Capistrano and capistrano-passenger, please ensure that capistrano-passenger is upgraded to 0.2.0 or newer to avoid "NoMethodError: undefined method `[]' for nil:NilClass".

Final

Passenger's core is open source. Please fork or watch us on Github. :)

Passenger logo

Passenger ensures that your Ruby, Python, Node.js and Meteor apps, microservices, and APIs are served with outstanding reliability, performance and control. For additional features and premium support, check out the enterprise edition.

comments powered by Disqus