Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

mandrei99
Post subject: PHP-FPM 5.6 from source \w Suhosin & xcache in Debian Linux | Posted: Wed Jan 14, 2015 8:44 am


PHP-FPM 5.6 from source \w Suhosin & xcache in Debian Linux

php-fpm is an alternative way of running PHP: as a FastCGI process manager instead of, let's say, an Apache module.

Visit http://php-fpm.org/ for more information on php-fpm.

Xcache is a very powerful opcode cache engine (alongside the built-in opcache, APC and others). It gives a significant boost to busy sites where many PHP scripts are executed: the engine compiles the scripts once and stores them in RAM instead of compiling them again for every visitor.

Suhosin is a 3rd-party patch for PHP that has been active ever since PHP 4, iirc. It provides many security enhancements that no PHP site should run without. More info on the Suhosin website: http://www.suhosin.org/stories/install.html.

Installing prerequisites to compile php-fpm, xcache and suhosin patch:
Code:
root@linux:/usr/src# apt-get install gcc
root@linux:/usr/src# apt-get install build-essential
root@linux:/usr/src# apt-get install autoconf

Fetching and installing php-fpm 5.6.4:
Code:
root@linux:/usr/src/# wget -O php-5.6.4.tar.gz http://au1.php.net/get/php-5.6.4.tar.gz/from/this/mirror
root@linux:/usr/src/# tar zxvf php-5.6.4.tar.gz
root@linux:/usr/src/# cd php-5.6.4
root@linux:/usr/src/php-5.6.4#

root@linux:/usr/src/php-5.6.4# ./configure --prefix=/opt/php-5.6.4 --enable-fpm
...
checking libxml2 install dir... no
checking for xml2-config path...
configure: error: xml2-config not found. Please check your libxml2 installation.
Oops! The libxml2 development package is missing. Install it and run configure again:
Code:
root@linux:/usr/src/php-5.6.4# apt-get install libxml2-dev
root@linux:/usr/src/php-5.6.4# ./configure --prefix=/opt/php-5.6.4 --enable-fpm
...
creating libtool
appending configuration tag "CXX" to libtool

Generating files
configure: creating ./config.status
creating main/internal_functions.c
creating main/internal_functions_cli.c
+--------------------------------------------------------------------+
| License:                                                           |
| This software is subject to the PHP License, available in this     |
| distribution in the file LICENSE.  By continuing this installation |
| process, you are bound by the terms of this license agreement.     |
| If you do not agree with the terms of this license, you must abort |
| the installation process at this point.                            |
+--------------------------------------------------------------------+

Thank you for using PHP.

config.status: creating php5.spec
config.status: creating main/build-defs.h
config.status: creating scripts/phpize
config.status: creating scripts/man1/phpize.1
config.status: creating scripts/php-config
config.status: creating scripts/man1/php-config.1
config.status: creating sapi/cli/php.1
config.status: creating sapi/fpm/php-fpm.conf
config.status: creating sapi/fpm/init.d.php-fpm
config.status: creating sapi/fpm/php-fpm.service
config.status: creating sapi/fpm/php-fpm.8
config.status: creating sapi/fpm/status.html
config.status: creating sapi/cgi/php-cgi.1
config.status: creating ext/phar/phar.1
config.status: creating ext/phar/phar.phar.1
config.status: creating main/php_config.h
config.status: executing default commands

root@linux:/usr/src/php-5.6.4# make
root@linux:/usr/src/php-5.6.4# make install
root@linux:/usr/src/php-5.6.4# cd ext

The configure switch "--enable-fpm" will enable fpm functionality.
Copying the configuration files php.ini and php-fpm.conf to correct destinations:
Code:
root@linux:~# find /usr/src/ | grep -E "php\.ini|php-fpm.conf"
/usr/src/php-5.6.4/php.ini-production
/usr/src/php-5.6.4/php.ini-development
/usr/src/php-5.6.4/sapi/fpm/php-fpm.conf
/usr/src/php-5.6.4/sapi/fpm/php-fpm.conf.in
root@linux:~# cp /usr/src/php-5.6.4/php.ini-production /opt/php-5.6.4/etc/php.ini
root@linux:~# cp /usr/src/php-5.6.4/sapi/fpm/php-fpm.conf /opt/php-5.6.4/etc/

Editing fpm configuration according to our needs. I will leave defaults:
Code:
root@linux:~# grep -v '^;' /opt/php-5.6.4/etc/php-fpm.conf | grep '[a-z]'
[global]
pid = run/php-fpm.pid
[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

Make sure you use a user and group that exist on the system. Some systems will have "nobody" and others might have "www-data".
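
A way to check those pool settings mechanically, as an added example rather than part of the original post: the script reads one pool from php-fpm.conf and flags a listener reachable beyond loopback (the FastCGI port has no authentication of its own) or a pool user that is missing or root. The helper names and the [api] pool in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of php-fpm.

# fpm_get FILE POOL KEY: print the value of KEY inside the [POOL] section.
fpm_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*(;|$)/ { next }                      # comments and blank lines
        /^[ \t]*\[/    { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# listen_is_local VALUE: succeed only for a unix socket or a loopback address.
# A bare port ("9000") makes php-fpm listen on all addresses, so it fails.
listen_is_local() {
    case "$1" in
        /*|127.*:*|\[::1\]:*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# account_is_safe USER: succeed if USER exists and is not uid 0.
account_is_safe() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

# audit_pool FILE POOL: print one line per finding; fail if any were found.
audit_pool() {
    bad=0
    listen=$(fpm_get "$1" "$2" listen)
    user=$(fpm_get "$1" "$2" user)
    listen_is_local "$listen" || { echo "[$2] listen=$listen is network-reachable"; bad=1; }
    account_is_safe "$user"   || { echo "[$2] user=$user is missing or root"; bad=1; }
    return "$bad"
}

# Constructed sample: the [www] pool from this page plus a risky [api] pool.
sample_conf() {
    printf '%s\n' '[global]' 'pid = run/php-fpm.pid' \
        '[www]' 'user = www-data' 'group = www-data' 'listen = 127.0.0.1:9000' \
        '; a comment line' '[api]' 'user = root' 'listen = 9000'
}

# Usage: sh audit.sh /opt/php/etc/php-fpm.conf www
if [ $# -eq 2 ]; then audit_pool "$1" "$2"; fi
```
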

Create the symlink /opt/php pointing to the versioned directory. This is for future upgrades of PHP: the init script points to /opt/php instead of /opt/php-version, so switching to an upgraded version only means repointing the symlink.
Code:
root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# ln -sf /opt/php-5.6.4 /opt/php

Since PHP uses the "lib/php.ini" config file by default, let's create a symlink there that points to /opt/php/etc/php.ini:
Code:
root@linux:~# ln -sf /opt/php-5.6.4/etc/php.ini /opt/php-5.6.4/lib/

Create the following php-fpm init script (taken from the repository and modified to match this custom PHP installation):
Code:
root@linux:~# cat /etc/init.d/php5-fpm
#!/bin/sh
### BEGIN INIT INFO
# Provides:          php-fpm php5.6-fpm
# Required-Start:    $remote_fs $network
# Required-Stop:     $remote_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts php5-fpm
# Description:       Starts PHP5 FastCGI Process Manager Daemon
### END INIT INFO

# Author: Ondrej Sury <ondrej@debian.org>

#PATH=/sbin:/usr/sbin:/bin:/usr/bin
PATH=/opt/php/sbin:/sbin:/usr/sbin:/bin:/usr/bin
DESC="PHP5 FastCGI Process Manager"
#NAME=php5-fpm
NAME=php-fpm
DAEMON=/opt/php/sbin/$NAME
#DAEMON_ARGS="--fpm-config /etc/php5/fpm/php-fpm.conf"
DAEMON_ARGS="--fpm-config /opt/php/etc/php-fpm.conf"
PIDFILE=/var/run/php5-fpm.pid
TIMEOUT=30
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function to check the correctness of the config file
#
do_check()
{
    [ "$1" != "no" ] && $DAEMON $DAEMON_ARGS -t 2>&1 | grep -v "\[ERROR\]"
    FPM_ERROR=$($DAEMON $DAEMON_ARGS -t 2>&1 | grep "\[ERROR\]")

    if [ -n "${FPM_ERROR}" ]; then
        echo "Please fix your configuration file..."
        $DAEMON $DAEMON_ARGS -t 2>&1 | grep "\[ERROR\]"
        return 1
    fi
    return 0
}

#
# Function that starts the daemon/service
#
do_start()
{
        # Return
        #   0 if daemon has been started
        #   1 if daemon was already running
        #   2 if daemon could not be started
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
                || return 1
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
                $DAEMON_ARGS 2>/dev/null \
                || return 2
        # Add code here, if necessary, that waits for the process to be ready
        # to handle requests from services started subsequently which depend
        # on this one.  As a last resort, sleep for some time.
}

#
# Function that stops the daemon/service
#
do_stop()
{
        # Return
        #   0 if daemon has been stopped
        #   1 if daemon was already stopped
        #   2 if daemon could not be stopped
        #   other if a failure occurred
        start-stop-daemon --stop --quiet --retry=QUIT/$TIMEOUT/TERM/5/KILL/5 --pidfile $PIDFILE --name $NAME
        RETVAL="$?"
        [ "$RETVAL" = 2 ] && return 2
        # Wait for children to finish too if this is a daemon that forks
        # and if the daemon is only ever run from this initscript.
        # If the above conditions are not satisfied then add some other code
        # that waits for the process to drop all resources that could be
        # needed by services started subsequently.  A last resort is to
        # sleep for some time.
        start-stop-daemon --stop --quiet --oknodo --retry=0/30/TERM/5/KILL/5 --exec $DAEMON
        [ "$?" = 2 ] && return 2
        # Many daemons don't delete their pidfiles when they exit.
        rm -f $PIDFILE
        return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
        #
        # If the daemon can reload its configuration without
        # restarting (for example, when it is sent a SIGHUP),
        # then implement that here.
        #
        start-stop-daemon --stop --signal USR2 --quiet --pidfile $PIDFILE --name $NAME
        return 0
}

case "$1" in
    start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_check $VERBOSE
        case "$?" in
            0)
                do_start
                case "$?" in
                    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
                esac
                ;;
            1) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    status)
        status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
        ;;
    check)
        do_check yes
        ;;
    reload|force-reload)
        log_daemon_msg "Reloading $DESC" "$NAME"
        do_reload
        log_end_msg $?
        ;;
    reopen-logs)
        log_daemon_msg "Reopening $DESC logs" $NAME
        if start-stop-daemon --stop --signal USR1 --oknodo --quiet \
            --pidfile $PIDFILE --exec $DAEMON
        then
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;
    restart)
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        case "$?" in
          0|1)
                do_start
                case "$?" in
                        0) log_end_msg 0 ;;
                        1) log_end_msg 1 ;; # Old process is still running
                        *) log_end_msg 1 ;; # Failed to start
                esac
                ;;
          *)
                # Failed to stop
                log_end_msg 1
                ;;
        esac
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
        exit 1
    ;;
esac

:

Now we create startup links for all runlevels and make the script executable:
Code:
root@linux:~# chmod 755 /etc/init.d/php5-fpm
root@linux:~# insserv php5-fpm

Let's start php-fpm:
Code:
root@linux:~# /etc/init.d/php5-fpm start                   
root@linux:~# ps alxw | grep php               
1     0 30013     1  20   0  15956  2116 -      Ss   ?          0:00 php-fpm: master process (/opt/php/etc/php-fpm.conf)         
5    33 30014 30013  20   0  15956  1676 -      S    ?          0:00 php-fpm: pool www                                           
5    33 30015 30013  20   0  15956  1676 -      S    ?          0:00 php-fpm: pool www                                           
0     0 30017  2651  20   0   3556   760 -      S+   pts/1      0:00 grep php

Downloading and installing xcache and suhosin php extensions:
Code:
root@linux:/usr/src# cd /usr/src/php-5.6.4/ext/
root@linux:/usr/src/php-5.6.4/ext# wget https://xcache.lighttpd.net/pub/Releases/3.2.0/xcache-3.2.0.tar.gz

root@linux:/usr/src/php-5.6.4/ext# tar zxvf xcache-3.2.0.tar.gz
root@linux:/usr/src/php-5.6.4/ext# cd xcache-3.2.0

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# /opt/php-5.6.4/bin/phpize
Configuring for:
PHP Api Version:         20131106
Zend Module Api No:      20131226
Zend Extension Api No:   220131226
Cannot find autoconf. Please check your autoconf installation and the
$PHP_AUTOCONF environment variable. Then, rerun this script.

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# apt-get install autoconf

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# /opt/php-5.6.4/bin/phpize
Configuring for:
PHP Api Version:         20131106
Zend Module Api No:      20131226
Zend Extension Api No:   220131226

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# ./configure --with-php-config=/opt/php-5.6.4/bin/php-config
root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# make && make install

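Installing suhosin 0.9.37 for php 5.6.4 (the suhosin-0.9.37.1.tar.gz tarball must already be in the ext directory):
Code:
root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# cd ..
root@linux:/usr/src/php-5.6.4/ext# tar zxvf suhosin-0.9.37.1.tar.gz
root@linux:/usr/src/php-5.6.4/ext# cd suhosin-0.9.37.1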
root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# /opt/php-5.6.4/bin/phpize                                                                 
Configuring for:
PHP Api Version:         20131106
Zend Module Api No:      20131226
Zend Extension Api No:   220131226
root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# ./configure --with-php-config=/opt/php-5.6.4/bin/php-config
root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# make && make install


Enable xcache in PHP: the xcache.so extension needs to be added to php.ini, and the xcache configuration appended at the end of php.ini.
Code:
root@linux:~# cat /usr/src/php-5.6.4/ext/xcache-3.2.0/xcache.ini >>/opt/php/etc/php.ini
root@linux:~# grep xcache.so /opt/php/etc/php.ini
extension = xcache.so
root@linux:~# /etc/init.d/php5-fpm restart


Testing xcache is loaded in php-fpm from cli (not via phpinfo()):
Code:
root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep xcache
xcache.coredump_directory => no value => no value
xcache.disable_on_crash => Off => Off
xcache.experimental => Off => Off
xcache.test => Off => Off
xcache.admin.enable_auth => On => On
xcache.allocator => bestfit => bestfit
xcache.cacher => On => On
xcache.count => 1 => 1
xcache.gc_interval => 0 => 0
xcache.mmap_path => /dev/zero => /dev/zero
xcache.readonly_protection => Off => Off
xcache.shm_scheme => mmap => mmap
xcache.size => 60M => 60M
xcache.slots => 8K => 8K
xcache.stat => On => On
xcache.ttl => 0 => 0
xcache.var_allocator => bestfit => bestfit
xcache.var_count => 1 => 1
xcache.var_gc_interval => 300 => 300
xcache.var_maxttl => 0 => 0
xcache.var_namespace => no value => no value
xcache.var_namespace_mode => 0 => 0
xcache.var_size => 4M => 4M
xcache.var_slots => 8K => 8K
xcache.var_ttl => 0 => 0


Enabling Suhosin patch in php-fpm 5.6
First we confirm suhosin is not enabled in PHP and then enable the suhosin.so extension in php.ini:
Code:
root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep suhosin
root@linux:~# vim /opt/php/etc/php.ini
...
extension=suhosin.so
...
root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep suhosin         
suhosin
suhosin.apc_bug_workaround => Off => Off
suhosin.cookie.checkraddr => 0 => 0
suhosin.cookie.cryptdocroot => On => On
suhosin.cookie.cryptkey => [ protected ] => [ protected ]
suhosin.cookie.cryptlist => no value => no value
suhosin.cookie.cryptraddr => 0 => 0
suhosin.cookie.cryptua => On => On
suhosin.cookie.disallow_nul => 1 => 1
suhosin.cookie.disallow_ws => 1 => 1
suhosin.cookie.encrypt => Off => Off
suhosin.cookie.max_array_depth => 50 => 50
suhosin.cookie.max_array_index_length => 64 => 64
suhosin.cookie.max_name_length => 64 => 64
suhosin.cookie.max_totalname_length => 256 => 256
suhosin.cookie.max_value_length => 10000 => 10000
suhosin.cookie.max_vars => 100 => 100
suhosin.cookie.plainlist => no value => no value
...


So far so good. Xcache and suhosin are enabled and php-fpm 5.6.4 is running. Next steps are to configure nginx to operate with php on the selected port (9000). Coming soon.




