This role allows you to configure php-fpm pools for both PHP 5.6 and 7.0 on the same system.
This role has been tested with PHP installed either from dotdeb on Debian or from Ondřej Surý's PPA on Ubuntu. Other setups may work as well.
- `php_fpm_pools`: The list of pools for php-fpm. Each pool is a hash with a `name` entry (used for the filename), a `home` entry, and an optional `version` entry. All the other entries in the hash are pool directives (see http://php.net/manual/en/install.fpm.configuration.php).
  - `version`: the PHP version this pool should use.
    - Default: `php_fpm_default_version`
  - `php_admin_value[opcache.file_cache]`: Set the path to the opcache dir for this pool.
    - Example: `/var/www/site1/.opcache`. This folder should not be accessible to the public!
- `php_fpm_pool_defaults`: A list of default directives used for all php-fpm pools.
- `php_fpm_ini`: Customization for php-fpm's php.ini as a list of options. Each option is a hash using the following structure:
  - `option`: The name of the option
  - `value`: The value of the option
  - `section`: INI section name
  - `versions`: Optional list of versions to apply the ini option on. By default, the option is applied to all PHP versions in `php_fpm_installed_versions`.
    - Example: `['7.0']`
  - `state`: `present` or `absent`
    - Default: `present`
- `php_fpm_default_version`: The default PHP version for pools.
  - Default: `'5.6'`
- `php_fpm_installed_versions`: A list of installed PHP versions which is used to set php.ini values in all installed versions.
  - Default: `['5.6', '7.0']`
An example of how to use this role, with variables passed in as parameters:

```yaml
- hosts: servers
  roles:
    - role: Yannik.php-fpm
      php_fpm_ini:
        - option: "date.timezone"
          section: "PHP"
          value: "Europe/Berlin"
        - option: "opcache.validate_permission"
          section: "PHP"
          value: "1"
      php_fpm_pools:
        - name: website
          user: website
          group: website
          listen: 127.0.0.1:9105
        - name: website2
          user: website2
          group: website2
          php_admin_value[opcache.file_cache]: /var/www/website3/.opcache
          version: "7.0"
```
Check your running php-fpm pools using `ps -eH x|grep php`.
With the default Ubuntu/Debian php-fpm packages, there is one php-fpm master process for each PHP version. The opcache and apc are held by the master process. Because of this, all sites for a certain PHP version share the same opcache/apc, and the opcache has to have a size big enough for all the sites. This also has major security implications:
- https://web.archive.org/web/20150905223439/https://ikanobori.jp/php55-opcache-shared-hosting.html
- https://bugs.php.net/bug.php?id=69090
- https://weizenspr.eu/2014/php-fpm-chroot-zend-opcache-problem/
I tested this and it is still possible with PHP 7.0! (Tried without chroot but instead just included /var/www/site1/secure.php from /var/www/site2/ while only site1 had read permissions. Was able to extract variables from /var/www/site1/secure.php this way.)
Running a separate master process for each site would be a good solution (normally, all pools share all the opcache memory, which is another problem):
- https://ma.ttias.be/a-better-way-to-run-php-fpm/
- https://regilero.github.io/drupal/english/2013/05/16/Warning_chrooted_php_fpm_and_apc/
This is quite cumbersome to do though.
What many shared hosting providers do is disable the opcache on PHP 5.6 and only offer it on PHP >= 7.0, which has `opcache.file_cache_only`, and use that. This way the opcache is file-based and created with the pool user as owner.
In December 2017, a separate security fix was issued for PHP 5.6 and newer: with `opcache.validate_permission` enabled, this issue is fixed. However, this is not a default!
The opcache must be enabled in the php.ini of the master process; it is not possible to selectively enable it per pool. It is however possible (and advised) to disable the opcache using `php_admin_value[opcache.enable] = 0` for all pools which are not specially configured to use the opcache with either `opcache.file_cache_only` or `opcache.validate_permission`. This role does this by default.
Additionally, you should disable `opcache_get_status` (exposes file names of other users) and `opcache_reset` (resets the cache), using either `disable_functions` or `opcache.restrict_api` (see http://massivescale.blogspot.de/2013/06/zend-opcode-cacher-in-php-55-security.html). `opcache.restrict_api` is therefore used by default.
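As an added example (not part of this role), a small audit script that applies the checks above to php-fpm pool files: it flags pools that still share the master opcache without `opcache.validate_permission`, a `file_cache_only` pool that has no `opcache.file_cache` path, and pools where `opcache_get_status`/`opcache_reset` are neither limited by `opcache.restrict_api` nor listed in `disable_functions`. The pool and php.ini texts are constructed samples.

```python
import re

DIRECTIVE = re.compile(r"^\s*([^\s=;#]+)\s*=\s*(.*?)\s*$")
TRUE = {"1", "on", "true", "yes"}  # PHP ini boolean spellings

def parse_ini(text):
    """Map 'key = value' lines to a dict; [sections] and ; comments are skipped."""
    pairs = (DIRECTIVE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip('"') for m in pairs if m}

def audit_pool(pool_text, master_ini_text):
    """Return findings for one pool file, given the text of the master php.ini."""
    master, pool = parse_ini(master_ini_text), parse_ini(pool_text)
    name = re.search(r"^\[(.+)\]", pool_text, re.M).group(1)

    def setting(key, default=""):
        # php_admin_value wins over php_value, which wins over the master php.ini
        for k in (f"php_admin_value[{key}]", f"php_value[{key}]"):
            if k in pool:
                return pool[k]
        return master.get(key, default)

    findings = []
    # A pool can only switch the opcache off; it is on unless master or pool disable it.
    master_on = master.get("opcache.enable", "1").lower() in TRUE
    if master_on and setting("opcache.enable", "1").lower() in TRUE:
        if setting("opcache.file_cache_only").lower() in TRUE:
            if not setting("opcache.file_cache"):
                findings.append(f"{name}: file_cache_only set but no opcache.file_cache path")
        elif setting("opcache.validate_permission").lower() not in TRUE:
            findings.append(f"{name}: shares the master opcache without opcache.validate_permission")
    if not setting("opcache.restrict_api"):
        disabled = {f.strip() for f in setting("disable_functions").split(",")}
        if not {"opcache_get_status", "opcache_reset"} <= disabled:
            findings.append(f"{name}: opcache_get_status/opcache_reset reachable from PHP code")
    return findings

# Constructed sample inputs (not taken from a real host).
MASTER_INI = "[opcache]\nopcache.enable=1\n"
DISABLED_POOL = ("[website]\nuser = website\nphp_admin_value[opcache.enable] = 0\n"
                 "php_admin_value[opcache.restrict_api] = /var/www/website/\n")
FILECACHE_POOL = ("[website2]\nuser = website2\nphp_admin_value[opcache.file_cache_only] = 1\n"
                  "php_admin_value[opcache.file_cache] = /var/www/website2/.opcache\n"
                  "php_admin_value[opcache.restrict_api] = /var/www/website2/\n")
SHARED_POOL = "[website3]\nuser = website3\n"

if __name__ == "__main__":
    for p in (DISABLED_POOL, FILECACHE_POOL, SHARED_POOL):
        print(audit_pool(p, MASTER_INI) or "ok")
```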
GPLv2
Yannik Sembritzki