FS#64781 - [php-fpm] Please add CapabilityBoundingSet=CAP_KILL

Attached to Project: Arch Linux
Opened by xyz (sjon) - Monday, 09 December 2019, 12:39 GMT
Last edited by Pierre Schmitz (Pierre) - Wednesday, 18 December 2019, 14:08 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

without CAP_KILL `systemctl reload php-fpm` fails because the fpm master is not allowed to kill it's children (since they run as http, not root)
if this reload is triggered by logrotate (which sends USR2 to fpm) the consequences are more severe - all children will effectively hang, while not being able to serve requests
This task depends upon

Closed by  Pierre Schmitz (Pierre)
Wednesday, 18 December 2019, 14:08 GMT
Reason for closing:  Fixed
Comment by nl6720 (nl6720) - Monday, 09 December 2019, 12:56 GMT
Wouldn't it be simpler to just add "+" to ExecReload?

ExecReload=+/bin/kill -USR2 $MAINPID

Edit: Ignore me. fpm itself probably does the killing.
Comment by loqs (loqs) - Monday, 09 December 2019, 20:32 GMT
As the service file that comes from upstream breaks with systemctl reload have you reported the issue upstream?
Comment by Pierre Schmitz (Pierre) - Tuesday, 10 December 2019, 18:33 GMT
This will be fixed in PHP 7.4.1. "fixed" as in the restrictions were removed as they were causing all kinds of problems: https://github.com/php/php-src/commit/67cd4271e922ee3082b416a7563598274d13a1e5#diff-c0605c0e7e1db864472acf66a9812d33

Loading...