Commit 8adf8a32 authored by mh's avatar mh

make fpm work with systemd and everything

parent 01469404
# an abstracted way of setting the same options for all
define php::apc::settings(){
require ::php::apc::base
augeas{"apc_settings_${name}":
file_line{
"comment file apc file mask - ${name}":
line => ';apc.mmap_file_mask=',
match => '.*apc\.mmap_file_mask',
path => $name,
require => File[$php::apc::base::dir],
} -> augeas{"apc_settings_${name}":
context => "/files${name}/.anon",
changes => [
# http://chrisgilligan.com/wordpress/how-to-configure-apc-cache-on-virtual-servers-with-php-running-under-fcgid/
'set apc.shm_size 64M',
'set apc.ttl 0',
"set apc.mmap_file_mask ${php::apc::base::dir}/apc.XXXXXX",
# partially because of http://lists.horde.org/archives/horde/Week-of-Mon-20140414/051263.html
'set apc.enable_cli 1',
],
require => File[$php::apc::base::dir],
}
}
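Review bot: The `file_line` placed in front of the augeas resource has no comment saying why the existing `apc.mmap_file_mask` line has to be turned into `;apc.mmap_file_mask=` before augeas sets the value. Its `match => '.*apc\.mmap_file_mask'` is unanchored, so it also matches the active line that the chained augeas `set apc.mmap_file_mask …` writes. It is worth confirming on a second agent run that the two resources do not undo each other. A short comment above the `file_line` stating the reason, plus a pattern anchored to the line form it is meant to catch, would make the intent checkable.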
# fcgid on centos
class php::mod_fcgid::centos {
# make sure we disable mod_php
class php::disable_mod_php {
# overwrite standard file for mod_php
# which is obsolete here, but we want
# to keep the file so an update of the
......
......@@ -9,20 +9,23 @@ define php::fpm(
Hash $php_settings = {},
String $run_user = "${name}_run",
String $run_group = $name,
String $scl_prefix = '',
Array[Stdlib::Compat::Absolute_Path]
$writable_dirs = [],
){
include ::systemd::systemctl::daemon_reload
include ::php::disable_mod_php
if $php_inst_class {
require "::php::scl::${php_inst_class}"
$etcdir = getvar("php::scl::${php_inst_class}::etcdir")
$basedir = getvar("php::scl::${php_inst_class}::basedir")
$scl_name = "${scl_prefix}${php_inst_class}"
$scl_name = getvar("php::scl::${php_inst_class}::scl_name")
$php_name = $php_inst_class
$binary = "${basedir}/root/usr/sbin/php-fpm"
} else {
$etcdir = '/etc'
$basedir = '/'
$scl_name = false
$php_name = 'php'
$binary = "/usr/sbin/php-fpm"
}
......@@ -34,31 +37,34 @@ define php::fpm(
[ "${etcdir}/php-fpm.d/${name}.conf",
"/etc/systemd/system/fpm-${name}.socket",
"/etc/systemd/system/fpm-${name}.service",
]:;
]:
owner => root,
mode => '0640',
} ~> Exec['systemctl-daemon-reload']
if $ensure == 'present' {
File[ "${etcdir}/php-fpm.d/${name}.conf",
"/etc/systemd/system/fpm-${name}.socket",
"/etc/systemd/system/fpm-${name}.service"] {
owner => root,
File[ "${etcdir}/php-fpm.d/${name}.conf"]{
group => $run_group,
}
File["/etc/systemd/system/fpm-${name}.socket",
"/etc/systemd/system/fpm-${name}.service"]{
group => 0,
mode => '0640',
}
File[ "${etcdir}/php-fpm.d/${name}.conf"]{
content => template('php/fpm/conf.erb'),
}
File["/etc/systemd/system/fpm-${name}.socket"]{
content => template('php/fpm/systemd-socket.erb'),
notify => Service["fpm-${name}.socket"],
}
File["/etc/systemd/system/fpm-${name}.service"] {
content => template('php/fpm/systemd-service.erb'),
notify => Service["fpm-${name}"],
}
Exec['systemctl-daemon-reload'] -> Service["fpm-${name}.socket"]{
enable => false
} -> Service["fpm-${name}"]{
ensure => 'running',
enable => true,
} ~> Service["fpm-${name}"]{
tag => "systemd-${php_name}-fpm"
} -> Service<| title == 'apache' |>
} else {
......@@ -66,6 +72,7 @@ define php::fpm(
ensure => stopped,
enable => false,
} -> Service["fpm-${name}.socket"]{
ensure => stopped,
enable => false
} -> File[ "${etcdir}/php-fpm.d/${name}.conf",
"/etc/systemd/system/fpm-${name}.socket",
......@@ -73,5 +80,4 @@ define php::fpm(
ensure => absent,
}
}
}
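Review bot: The new `writable_dirs` parameter is typed `Array[Stdlib::Compat::Absolute_Path]`, which as far as I know only checks that each entry begins like an absolute path, while the service template on this page writes every entry verbatim into a `ReadWriteDirectories=` line. systemd reads that directive as a whitespace-separated list, so an entry containing whitespace would become several paths and widen the writable set beyond what the caller wrote. A stricter element type such as `Array[Pattern[/\A\/\S*\z/]]` keeps one entry to one path. The define's header and the code that sets `$workdir` and `$logdir` are outside the visible hunks, so the same check may be worth applying to those values.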
# things we need for mod_fcgid & php
class php::mod_fcgid inherits php {
require ::php::cli
case $facts['os']['family'] {
'RedHat': { include ::php::mod_fcgid::centos }
}
include ::php::disable_mod_php
}
......@@ -23,6 +23,9 @@ class php::params(
'mail function' => {
'mail.add_x_header' => 'Off',
},
'Session' => {
'session.use_strict_mode' => 'On',
},
},
$suhosin_settings = {},
$suhosin_default_settings = {
......@@ -32,7 +35,6 @@ class php::params(
'suhosin.disable.display_errors' => 'On',
'suhosin.executor.include.max_traversal' => '5',
'suhosin.executor.disable_emodifier' => 'On',
'session.use_strict_mode' => 'On',
},
$suhosin_cryptkey = undef,
) {
......
......@@ -7,11 +7,13 @@ class php::scl::php54(
) inherits php::scl::params {
$basedir = '/opt/rh/php54'
$etcdir = "${basedir}/root/etc"
$scl_name = 'php54'
php::scl::phpx{'54':
etcdir => $etcdir,
timezone => $timezone,
settings => $settings,
suhosin_cryptkey => $suhosin_cryptkey,
suhosin_settings => $suhosin_settings,
etcdir => $etcdir,
timezone => $timezone,
settings => $settings,
suhosin_cryptkey => $suhosin_cryptkey,
suhosin_settings => $suhosin_settings,
apc_config_preifx => '',
}
}
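Review bot: The new parameter is spelled `apc_config_preifx` here, in the php55 section, and in the `php::scl::phpx` signature and its `php::apc::settings` title. Because this commit introduces the name, renaming it to `apc_config_prefix` now keeps the typo out of the define's public interface. A one-line comment on the parameter would also help, saying that `'40-'` is the default file-name prefix for `apcu.ini` and that `''` selects the unprefixed file.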
......@@ -7,11 +7,13 @@ class php::scl::php55(
) inherits php::scl::params {
$basedir = '/opt/rh/php55'
$etcdir = "${basedir}/root/etc"
$scl_name = 'php55'
php::scl::phpx{'55':
etcdir => $etcdir,
timezone => $timezone,
settings => $settings,
suhosin_cryptkey => $suhosin_cryptkey,
suhosin_settings => $suhosin_settings,
etcdir => $etcdir,
timezone => $timezone,
settings => $settings,
suhosin_cryptkey => $suhosin_cryptkey,
suhosin_settings => $suhosin_settings,
apc_config_preifx => '',
}
}
......@@ -7,6 +7,7 @@ class php::scl::php56(
) inherits php::scl::params {
$basedir = '/opt/rh/rh-php56'
$etcdir = '/etc/opt/rh/rh-php56'
$scl_name = 'rh-php56'
php::scl::phpx{'56':
etcdir => $etcdir,
timezone => $timezone,
......
......@@ -3,16 +3,15 @@ class php::scl::php72(
$timezone = $php::scl::params::timezone,
$settings = $php::scl::params::settings,
) inherits php::scl::params {
$basedir = '/opt/remi/php72'
$etcdir = '/etc/opt/remi/php72'
$basedir = '/opt/remi/php72'
$etcdir = '/etc/opt/remi/php72'
$scl_name = 'php72'
php::scl::phpx{'72':
etcdir => $etcdir,
timezone => $timezone,
settings => $settings,
suhosin_settings => false, # gone with >= php7
}
php::snuffleupagus::base{
} -> php::snuffleupagus::base{
'72':
etcdir => $etcdir,
}
......
......@@ -2,11 +2,12 @@
# this should do everything you need
# for an scl installation
define php::scl::phpx(
$etcdir = "/opt/rh/php${name}/root/etc",
$timezone = 'Europe/Berlin',
$settings = {},
$suhosin_cryptkey = undef,
$suhosin_settings = {}
$etcdir = "/opt/rh/php${name}/root/etc",
$timezone = 'Europe/Berlin',
$settings = {},
$suhosin_cryptkey = undef,
$suhosin_settings = {},
$apc_config_preifx = '40-',
) {
require "::scl::php${name}"
file{
......@@ -48,7 +49,7 @@ define php::scl::phpx(
}
create_ini_settings({'' => $php_suhosin_settings},$suhosin_defaults)
}
php::apc::settings{"${etcdir}/php.d/apcu.ini": }
php::apc::settings{"${etcdir}/php.d/${apc_config_preifx}apcu.ini": }
file{
"${etcdir}/php-fpm.d":
ensure => directory,
......
......@@ -11,7 +11,7 @@ define php::snuffleupagus::base(
owner => root,
group => 0,
mode => '0644';
"${etcdir}/snuffleupagus.d/snuffleupagus-base.rules":
"${etcdir}/snuffleupagus.d/base.rules":
source => 'puppet:///modules/php/snuffleupagus/base.rules',
ensure => directory,
owner => root,
......
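Review bot: The resource whose title changes to `${etcdir}/snuffleupagus.d/base.rules` shows `source => 'puppet:///modules/php/snuffleupagus/base.rules'` directly followed by `ensure => directory`. If both attributes belong to that resource, the rules path is managed as a directory, and the rule set may never be deployed as a file, leaving the hardening silently inactive. If that is not intended, `ensure => file,` looks like what was meant. The resource continues past the end of the hunk, so attributes not visible here (recursion, for example) could change this reading.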
......@@ -4,7 +4,7 @@ error_log = <%= @logdir %>/fpm-error.log
daemonize = no
[<%= @name %>-0]
listen = /run/fpm-<%= @name %>/0.socket
listen = /run/fpm-<%= @name %>-socket/0.socket
pm = ondemand
pm.max_children = 10
slowlog = <%= @logdir %>/fpm-slow-0.log
......
......@@ -3,12 +3,39 @@ Description=<%= @name %>'s FastCGI Process Manager
After=syslog.target network.target
[Service]
<% if @scl_name -%>
ExecStart=/usr/bin/scl enable <%= @scl_name %> -- <%= @binary %> --fpm-config=<%= @etcdir %>/php-fpm.d/<%= @name %>.conf
<% else -%>
ExecStart=<%= @binary %> --fpm-config=<%= @etcdir %>/php-fpm.d/<%= @name %>.conf
<% end -%>
WorkingDirectory=<%= @workdir %>
User=<%= @run_user %>
Group=<%= @run_group %>
Environment="FPM_SOCKETS=/run/fpm-<%= @name %>/0.socket=3"
Environment="FPM_SOCKETS=/run/fpm-<%= @name %>-socket/0.socket=3"
RuntimeDirectory=fpm-<%= @name %>
PrivateTmp=true
SyslogIdentifier=fpm-<%= @name %>
# security settings
PrivateTmp=true
NoNewPrivileges=true
ProtectSystem=full
# to be migrated once in EL7
# ProtectSystem=strict
ReadOnlyDirectories=/
InaccessibleDirectories=/home
ReadWriteDirectories=<%= @workdir %>
ReadWriteDirectories=/run/fpm-<%= @name %>-socket
ReadWriteDirectories=/run/fpm-<%= @name %>
<% (@writable_dirs - [@workdir, @logdir, "/run/fpm-#{@name}-socket", "/run/fpm-#{@name}" ]).each do |d| -%>
ReadWriteDirectories=<%= d %>
<% end
unless @logdir.start_with?("#{@workdir}/") -%>
ReadWriteDirectories=<%= @logdir %>
<% end -%>
ProtectHome=true
PrivateDevices=true
# not yet available
# to be migrated once in EL7
#PrivateUsers=true
#ProtectKernelTunables=true
#ProtectKernelModules=true
#ProtectControlGroups=yes
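Review bot: Each `ReadWriteDirectories=` line in the added sandboxing block names a path that has to exist when the service starts; as far as I know systemd aborts the start at the namespace step when one is missing. That matters for the `writable_dirs` loop, whose entries are caller supplied, and for `/run/fpm-<%= @name %>-socket`, which presumably exists only once the socket unit has been started. Either have the define require those directories before the service, or, where the installed systemd accepts the prefix, write `ReadWriteDirectories=-<%= d %>` so a missing optional path is skipped instead of failing the unit. Separately, `InaccessibleDirectories=/home` and `ProtectHome=true` overlap, so a comment naming the authoritative one would help when `ProtectSystem=strict` is adopted.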
[Socket]
ListenStream=/run/fpm-<%= @name %>/0.socket
ListenStream=/run/fpm-<%= @name %>-socket/0.socket
SocketUser=<%= @run_user %>
SocketGroup=<%= @run_group %>
SocketMode=0660
......