FS#64683 - [php-fpm] doesn't start: failed to chown the socket /run/php-fpm/php-fpm.sock

Attached to Project: Arch Linux
Opened by Sebastiaan Lokhorst (lonaowna) - Friday, 29 November 2019, 19:06 GMT
Last edited by Doug Newgard (Scimmia) - Tuesday, 03 December 2019, 05:46 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 19
Private No

Details

php-fpm.service fails to start after upgrading to php 7.4.0. Using the default configuration files.

systemctl status php-fpm.service:

systemd[1]: Starting The PHP FastCGI Process Manager...
php-fpm[10704]: [ERROR] [pool www] failed to chown() the socket '/run/php-fpm/php-fpm.sock': Operation not permitted (1)
php-fpm[10704]: [ERROR] [pool www] failed to chown() the socket '/run/php-fpm/php-fpm.sock': Operation not permitted (1)
php-fpm[10704]: [ERROR] FPM initialization failed
php-fpm[10704]: [ERROR] FPM initialization failed
systemd[1]: php-fpm.service: Main process exited, code=exited, status=78/CONFIG
systemd[1]: php-fpm.service: Failed with result 'exit-code'.
systemd[1]: Failed to start The PHP FastCGI Process Manager.
This task depends upon

Closed by  Doug Newgard (Scimmia)
Tuesday, 03 December 2019, 05:46 GMT
Reason for closing:  Fixed
Comment by helle vaanzinn (glitsj16) - Friday, 29 November 2019, 21:01 GMT
Confirming this issue. Hardening in /usr/lib/systemd/system/php-fpm.service seems to be the culprit (specifically the CapabilityBoundingSet=CAP_SETGID CAP_SETUID). It lacks CAP_CHOWN. When adding that via an override conf the php-fpm service starts working again. Looks like an upstream bug.
Comment by Ivan Shapovalov (intelfx) - Friday, 29 November 2019, 21:09 GMT
> Packages: Testing

This bug has apparently just graduated to `extra`:

```
$ pacman -Si php-fpm | egrep 'Repository|Name|Version'
Repository : extra
Name : php-fpm
Version : 7.4.0-1

$ pacman -Qi php-fpm | egrep 'Name|Version'
Name : php-fpm
Version : 7.4.0-1

$ journalctl -e -u php-fpm -n8
Nov 30 00:06:53 stratofortress.nexus.i.intelfx.name systemd[1]: Starting php-fpm.service...
Nov 30 00:06:53 stratofortress.nexus.i.intelfx.name php-fpm[643236]: [ERROR] [pool www] failed to chown() the socket '/run/php-fpm/php-fpm.sock': Operation not permitted (1)
Nov 30 00:06:53 stratofortress.nexus.i.intelfx.name php-fpm[643236]: [ERROR] [pool www] failed to chown() the socket '/run/php-fpm/php-fpm.sock': Operation not permitted (1)
Nov 30 00:06:53 stratofortress.nexus.i.intelfx.name php-fpm[643236]: [ERROR] FPM initialization failed
Nov 30 00:06:53 stratofortress.nexus.i.intelfx.name php-fpm[643236]: [ERROR] FPM initialization failed
Nov 30 00:06:53 stratofortress.nexus.i.intelfx.name systemd[1]: php-fpm.service: Main process exited, code=exited, status=78/CONFIG
Nov 30 00:06:53 stratofortress.nexus.i.intelfx.name systemd[1]: php-fpm.service: Failed with result 'exit-code'.
Nov 30 00:06:53 stratofortress.nexus.i.intelfx.name systemd[1]: Failed to start php-fpm.service.
```
Comment by helle vaanzinn (glitsj16) - Friday, 29 November 2019, 21:32 GMT Comment by Olav Seyfarth (nursoda) - Friday, 29 November 2019, 21:49 GMT
Confirming the bug:
Nov 29 21:59:19 server php-fpm[1604]: [29-Nov-2019 21:59:19] NOTICE: PHP message: PHP Warning: PHP Startup: Unable to load dynamic library 'igbinary.so' (tried: /usr/lib/php/modules/igbinary.so (/usr/lib/php/modules/igbinary.so: undefined symbol: php_error_docref0), /usr/lib/php/modules/igbinary.so.so (/usr/lib/php/modules/igbinary.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Nov 29 21:59:19 server php-fpm[1604]: [29-Nov-2019 21:59:19] NOTICE: PHP message: PHP Warning: PHP Startup: Unable to load dynamic library 'imagick' (tried: /usr/lib/php/modules/imagick (/usr/lib/php/modules/imagick: cannot open shared object file: No such file or directory), /usr/lib/php/modules/imagick.so (/usr/lib/php/modules/imagick.so: undefined symbol: add_next_index_zval)) in Unknown on line 0
Nov 29 21:59:19 server php-fpm[1604]: [29-Nov-2019 21:59:19] NOTICE: PHP message: PHP Warning: PHP Startup: Unable to load dynamic library 'inotify.so' (tried: /usr/lib/php/modules/inotify.so (/usr/lib/php/modules/inotify.so: undefined symbol: add_next_index_zval), /usr/lib/php/modules/inotify.so.so (/usr/lib/php/modules/inotify.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Nov 29 21:59:19 server php-fpm[1604]: [29-Nov-2019 21:59:19] NOTICE: PHP message: PHP Warning: PHP Startup: Unable to load dynamic library 'redis' (tried: /usr/lib/php/modules/redis (/usr/lib/php/modules/redis: cannot open shared object file: No such file or directory), /usr/lib/php/modules/redis.so (/usr/lib/php/modules/redis.so: undefined symbol: add_next_index_zval)) in Unknown on line 0
Nov 29 21:59:19 server php-fpm[1604]: [ERROR] [pool www] failed to chown() the socket '/run/php-fpm/php-fpm.sock': Operation not permitted (1)
Nov 29 21:59:19 server php-fpm[1604]: [ERROR] [pool www] failed to chown() the socket '/run/php-fpm/php-fpm.sock': Operation not permitted (1)
Nov 29 21:59:19 server php-fpm[1604]: [ERROR] FPM initialization failed
Nov 29 21:59:19 server php-fpm[1604]: [ERROR] FPM initialization failed
Nov 29 21:59:19 server systemd[1]: php-fpm.service: Main process exited, code=exited, status=78/CONFIG
Nov 29 21:59:19 server systemd[1]: php-fpm.service: Failed with result 'exit-code'.
Nov 29 21:59:19 server systemd[1]: Failed to start The PHP FastCGI Process Manager.

So, apart from the socket permission/ownership issue, there are also dependencies missing if one uses modules, like for nextcloud.
Comment by Bjoern Franke (bjo) - Saturday, 30 November 2019, 00:20 GMT
Thanks for your bugreport, I got the same issue and thought I configured something wrong.
Comment by loqs (loqs) - Saturday, 30 November 2019, 00:25 GMT
What if instead of adding CAP_CHOWN you enable ACL use so chown will not be called, does that need any additional capabilities?
In /etc/php/php-fpm.d/www.conf replace
;listen.acl_users =
;listen.acl_groups =
with
listen.acl_users = http
listen.acl_groups = http
Comment by helle vaanzinn (glitsj16) - Saturday, 30 November 2019, 00:59 GMT
@loqs Enabling ACL in /etc/php/php-fpm.d/www.conf as you suggested works for me. I also commented
;listen.owner = http
;listen.group = http
to avoid
[WARNING] [pool www] ACL set, listen.owner = 'http' is ignored
[WARNING] [pool www] ACL set, listen.group = 'http' is ignored
in systemctl status php-fpm.service

This is cleaner than adding CAP_CHOWN, but I can't confirm if this fixes the additional missing dependencies issue as reported by Olav above. Thanks for your suggestion.
Comment by Bjoern Franke (bjo) - Saturday, 30 November 2019, 01:01 GMT
@glitsj16 php-redis needs a rebuild, but PHP 7.4 in general breaks Nextcloud, throwing an error "This version of Nextcloud is only compatible with PHP <= 7.3".
Comment by helle vaanzinn (glitsj16) - Saturday, 30 November 2019, 01:14 GMT
@bjo Thanks for your reply. Perhaps that should be filed as a separate bug against php instead.
Updated the upstream bug report to account for @loqs suggestion.
Comment by Bjoern Franke (bjo) - Saturday, 30 November 2019, 01:17 GMT
@glitsj16: Yep. Filed the missing rebuild into #64688 and the breakage of nextcloud into #64689.

Comment by QIAN CHEN (elgs) - Saturday, 30 November 2019, 10:20 GMT
I have the same problem. My website is completely not working now. I wonder if I can downgrade to a previous working version. Thanks.

@loqs's way works for me. Thanks.
Comment by Pierre Schmitz (Pierre) - Saturday, 30 November 2019, 10:46 GMT
Thanks for digging into this. For now I'll configure ACL usage for our package by default.
Comment by Serge S (serge479) - Sunday, 01 December 2019, 05:11 GMT
  • Field changed: Percent Complete (100% → 0%)
this upgrade breaks nginx

2019/12/01 02:22:46 [error] 323#323: *11 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream
Comment by Pierre Schmitz (Pierre) - Sunday, 01 December 2019, 09:31 GMT
Could you elaborate how nginx is broken and how this can be reproduced? Also have a look into your fpm logs. You might run into permission issues due to the new restrictions configured in the upstream php-fpm.service.
Comment by Serge S (serge479) - Sunday, 01 December 2019, 10:32 GMT
http://cms.local/pma/

worked and no errors



http://cms.local/

2019/12/01 13:22:05 [error] 1665#1665: *21 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 127.0.0.1, server: cms.local, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-fpm.sock:", host: "cms.local"

# ls -l /run/php-fpm/php-fpm.sock
srw-rw----+ 1 root root 0 Dec 1 13:04 /run/php-fpm/php-fpm.sock

# getfacl /run/php-fpm/php-fpm.sock
getfacl: Removing leading '/' from absolute path names
# file: run/php-fpm/php-fpm.sock
# owner: root
# group: root
user::rw-
user:http:rw-
group::rw-
group:http:rw-
mask::rw-
other::---



/etc/nginx/nginx.conf

server {
listen 80 http2;
server_name cms.local;
root /home/www/cms.local/htdocs;
error_log /home/www/cms.local/error.log warn;
access_log /home/www/cms.local/access.log;
expires 365d;
gzip on;
gzip_types text/plain text/css application/json application/javascript;

location / {
index index.html /.cms/index.php;
default_type text/html;
try_files $uri $uri/ /.cms/index.php?$query_string;
}

location ~ \.php$ {
expires off;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_buffering off;
fastcgi_request_buffering off;
fastcgi_index index.php;
include fastcgi.conf;
}

location ~ /\. {
deny all;
}

location /favicon.ico {
return 204;
access_log off;
log_not_found off;
}

location /pma/ {
alias /usr/share/webapps/phpMyAdmin/;
index index.php;
client_max_body_size 200m;
location ~ /pma/(.+\.php) {
root /usr/share/webapps/phpMyAdmin;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/webapps/phpMyAdmin/$1;
}
}
}
   root.png (93.5 KiB)
   pma.png (156.7 KiB)
Comment by Serge S (serge479) - Sunday, 01 December 2019, 10:41 GMT
/etc/php/php-fpm.conf:
error_log = log/php-fpm.log

# tail -f /var/log/php-fpm.log
[01-Dec-2019 13:38:32] NOTICE: fpm is running, pid 1933
[01-Dec-2019 13:38:32] NOTICE: ready to handle connections
[01-Dec-2019 13:38:32] NOTICE: systemd monitor interval set to 10000ms

... no errors
Comment by Pierre Schmitz (Pierre) - Sunday, 01 December 2019, 10:43 GMT
The new service file has set ProtectHome which prevents access to /home. Either disable this feature or move your document root.
Comment by Francois (francoism90) - Sunday, 01 December 2019, 11:23 GMT
@ Pierre Schmitz (Pierre)

Thanks! I was wondering why my sites stopped working. :/
They are indeed listed in the /home/.. directory.
Comment by Serge S (serge479) - Sunday, 01 December 2019, 11:44 GMT
now it work. thanks!
Comment by Ouack Ouack (B3l3tte) - Tuesday, 03 December 2019, 05:45 GMT
  • Field changed: Percent Complete (100% → 0%)
The PostfixAdmin PHP-FPM pool configuration from https://wiki.archlinux.org/index.php/PostfixAdmin#php-fpm is broken by this update. Following settings in /etc/php/php-fpm.d/postfixadmin.conf aren't sufficient to solve the bug :
;listen.owner = http
;listen.group = http
listen.acl_users = http
listen.acl_groups = http

See bug https://bugs.archlinux.org/task/64717

Loading...