Two more slight modifications:

* Replace Restart=always with a more measured Restart=on-abort
* Removed SyslogLevelPrefix=off. I feared that a remotely supplied string could set the syslog level, but that's impossible because of the way ngx_log_error_core() structures the messages.

If PrivateDevices doesn't work, then it sounds like you've found a bug. However, it *will* need to be disabled if you want to log to syslog because nginx lacks direct journald support (so it needs /dev/log).

Hmm, PrivateDevices not working is probably due to my unofficial kernel. Adding it back into the .service would be good.

The free version of nginx does not seem to support syslog at all: http://nginx.org/en/docs/ngx_core_module.html says "Logging to syslog is available as part of our commercial subscription." But this does not a apply to error_log, which can log to file descriptor 2.

As to access_log (which cannot use an fd, go figure...), I hack it into journald using a second .service:

mkfifo /var/log/nginx/access.log
systemctl enable nginx-access
journalctl -f --unit nginx-access

(And while we're at it, my reasoning for removing the ExecStartPre config check is that it would only make sense as a hypothetical ExecRestartPre. As it stands right now, "systemctl restart nginx" checks the config *after* stopping nginx...)

Automatic restart of daemons is not a good default.
Using Type=daemon and PID file allow correct nginx startup detection, as nginx doesn't support Type=nofify or Type=dbus.

I'm mostly neutral to these changes. I don't think that logging to journald is a good idea, it will break at least two tools I'm aware of that can parse nginx logs. It will also unnecessarily change current behavior, forcing as to put a note at least in post_upgrade. It's something that we really should avoid.

PrivateDevices is indeed causing more trouble that I expected and I'm likely to revert it and set PrivateTmp instead. I plan to simplify ExecStartPre to something like /usr/sbin/nginx -t and ExecStart to /usr/sbin/nginx. We can handle ExecReload and ExecStop by sending HUP and QUIT signals respectively.

What trouble is PrivateDevices causing? The issue reporter just has a very broken kernel. If syslog support was going to be enabled, it would make sense to disable PrivateDevices - however, it doesn't seem that it's even available.

See the last comment on  FS#39873 .

@Bartłomiej:

Do these tools parse the *error*_log? Because that's what would be redirected into journald. (nginx-access.service wasn't really intended to be packaged, just for context.)

ExecStartPre AFAIK only makes sense to initialize something, or to run a configuration check that the daemon itself neglects to do. Neither applies to nginx. If systemd ever implements ExecRestartPre, that would be the right place for nginx -t.

@Daniel:
I'm not 100% sure if my kernel is to blame. It's actually the Arch Linux ARM linux-am33x-3.14.1-1 package, which of course is unsupported from the point of view of Arch Linux proper, but it has all the relevant CONFIG_*_NS=y options.

Ah, sorry then, I was talking only about access logs. Running nginx -t indeed makes little to no sense now. I'll push modified nginx.service to trunk today.

I have pushed nginx 1.6.0-2 to [testing]. The only thing I didn't include is Restart=on-abort. If a service fails, I really want it to stay down.

Hello,
one suggestion wasn't applied:
Type=simple
with 'daemon off'

nginx-1.6.0-3 dont' start properly if
Type=forking
is used with 'daemon off' in nginx.service, it simply fails without any valuable information ('systemctl status nginx' or 'journalctl -xn' don't give any hint). I changed nginx.service as it was suggested:

Type=simple
with 'daemon off'
and nginx starts fine.

I removed daemon off in -4. It's better to use Type=daemon than Type=simple. See https://wiki.archlinux.org/index.php/systemd#Type.