php-fpm: socket activation, instance units, journal, default params

43477406 · Lars Beckers · 25280a51 · 43477406 · 43477406 · 43477406
Commit 43477406 authored Aug 1, 2019 by Lars Beckers
--- a/php-fpm/defaults/main.yml
+++ b/php-fpm/defaults/main.yml
 ---
-# file: php-fpm/defaults/mail.yml

 fpm_pools: []
+
+fpm_default_params:
+  intl.default_locale: en_US
+  date.timezone: "Europe/Berlin"
+fpm_default_flags:
+  session.cookie_secure: true
+  session.cookie_httponly: true
--- a/php-fpm/handlers/main.yml
+++ b/php-fpm/handlers/main.yml
 ---
-# file: php-fpm/handlers/main.yml

 - name: restart php-fpm
-  service: name="php{{php_version}}-fpm.service" state=restarted
+  systemd:
+    name: "php-fpm@{{ item.name }}"
+    state: restarted
+  with_items: "{{ fpm_pools|default([]) }}"
+
+- name: reload systemd service files
+  systemd:
+    daemon_reload: true
--- a/php-fpm/tasks/main.yml
+++ b/php-fpm/tasks/main.yml
 ---
-# file: php-fpm/tasks/main.yml

 - include_vars: "{{ debian_version }}.yml"

@@ -40,3 +39,48 @@
  tags:
    - php-fpm
    - webservices
+
+- name: ensure systemd can start php instances
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/systemd/system/{{ item }}"
+    owner: root
+    group: root
+    mode: '0644'
+  with_items:
+    - php-fpm@.socket
+    - php-fpm@.service
+  notify:
+    - reload systemd service files
+    - restart php-fpm
+  tags:
+    - php-fpm
+    - webservices
+
+- name: get remote active php pools
+  shell: "systemctl list-units --state=loaded | grep uwsgi@ | sed -E 's/.*uwsgi@(.*)\.service.*/\1/'"
+  changed_when: false
+  register: running_pools
+  tags:
+    - php-fpm
+    - webservices
+
+- name: deactivate inactive pools via systemd
+  systemd:
+    name: "php-fpm@{{ item }}"
+    enabled: false
+    state: stopped
+  with_items: "{{ running_pools.stdout_lines|difference(fpm_pools|map(attribute=name))|list }}"
+  tags:
+    - php-fpm
+    - webservices
+
+- name: ensure active pools are enabled in systemd
+  systemd:
+    name: "php-fpm@{{ item.name }}"
+    enabled: true
+    state: started
+  with_items: "{{ fpm_pools|default([]) }}"
+  tags:
+    - php-fpm
+    - webservices
--- a/php-fpm/templates/php-fpm.conf.j2
+++ b/php-fpm/templates/php-fpm.conf.j2
@@ -21,7 +21,8 @@ pid = /run/php/php{{ php_version }}-fpm.pid
 ; into a local file.
 ; Note: the default prefix is /var
 ; Default Value: log/php-fpm.log
-error_log = /var/log/php{{ php_version }}-fpm.log
+;error_log = /var/log/php{{ php_version }}-fpm.log
+error_log = syslog

 ; syslog_facility is used to specify what type of program is logging the
 ; message. This lets syslogd specify that messages from different facilities
@@ -96,7 +97,7 @@ error_log = /var/log/php{{ php_version }}-fpm.log

 ; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
 ; Default Value: yes
-;daemonize = yes
+daemonize = no

 ; Set open file descriptor rlimit for the master process.
 ; Default Value: system defined value
@@ -140,4 +141,6 @@ error_log = /var/log/php{{ php_version }}-fpm.log
 ; Relative path can also be used. They will be prefixed by:
 ;  - the global prefix if it's been set (-p argument)
 ;  - /usr otherwise
-include=/etc/php/7.3/fpm/pool.d/*.conf
+
+; We do it the other way round.
+;include=/etc/php/{{ php_version }}/fpm/pool.d/*.conf
--- a/php-fpm/templates/php-fpm@.service.j2
+++ b/php-fpm/templates/php-fpm@.service.j2
+[Unit]
+Description=PHP-FPM service for %i
+After=syslog.target network.target
+After=mysqld.service postfix.service
+Requires=php-fpm@.socket
+
+[Service]
+Type=notify
+
+PrivateTmp=true
+NoNewPrivileges=true
+;PrivateNetwork=true
+PrivateDevices=true
+
+ProtectHome=true
+ProtectSystem=full
+InaccessiblePaths=-/var/lib/mysql
+
+MemoryAccounting=yes
+CPUAccounting=yes
+IOAccounting=yes
+
+User=%i
+Group=%i
+Environment="FPM_SOCKETS=/run/php/%i-fpm.sock=3"
+ExecStart=/usr/bin/php-fpm --nodaemonize --fpm-config /etc/php/{{ php_version }}/fpm/pool.d/%i.conf
+ExecReload=/bin/kill -USR2 $MAINPID
+
+[Install]
+WantedBy=multi-user.target
--- a/php-fpm/templates/php-fpm@.socket.j2
+++ b/php-fpm/templates/php-fpm@.socket.j2
+[Unit]
+Description=PHP-FPM socket for %i
+
+[Socket]
+ListenStream=/run/php/%i-fpm.sock
+SocketMode=0660
+SocketUser=%i
+SocketGroup=www-data
+
+[Install] 
+WantedBy=sockets.target
--- a/php-fpm/templates/pool.conf.j2
+++ b/php-fpm/templates/pool.conf.j2
+include=/etc/php/{{ php_version }}/fpm/php-fpm.conf
+
 {% if item is not defined %}
-{% set item = {"name": fpm_pool, "user": fpm_user, "group": fpm_group, "socket_user": fpm_socket_user, "socket_group": fpm_socket_group, "params": fpm_params|default({})} %}
+{% set item = {"name": fpm_pool, "params": fpm_params|default({})} %}
 {% endif %}
 [{{item.name}}]
-user = {{item.user}}
-group = {{item.group}}
+user = {{item.name}}
+group = {{item.name}}

 listen = /run/php/{{item.name}}-fpm.sock

-listen.owner = {{item.socket_user}}
-listen.group = {{item.socket_group}}
+listen.owner = {{item.name}}
+listen.group = www-data

 pm = {{ item.pm|default('ondemand') }}
 {% if item.pm|default('ondemand') == 'static' %}
@@ -25,14 +27,10 @@ pm.process_idle_timeout = {{ item.pm_process_idle_timeout|default(15) }}s
 {% endif %}
 pm.max_requests = {{ item.pm_max_requests|default(500) }}

-{% if item.params is defined and item.params %}
-{% for key, value in item.params.items() %}
+{% for key, value in fpm_default_params|combine(item.params|default({})).items() %}
 php_admin_value[{{key}}] = {{value}}
 {% endfor %}
-{% endif %}

-{% if item.flags is defined and item.flags %}
-{% for key, value in item.flags.items() %}
+{% for key, value in fpm_default_flags|combine(item.flags|default({})).items() %}
 php_admin_flag[{{key}}] = {{'on' if value else 'off'}}
 {% endfor %}
-{% endif %}