From patchwork Mon Jul 29 11:51:22 2024
X-Patchwork-Submitter: Csókás, Bence
X-Patchwork-Id: 46958
From: Csókás, Bence
CC: Emil Kronborg , Khem Raj
Subject: [meta-oe][kirkstone][PATCH 2/2] php-fpm: fix systemd
Date: Mon, 29 Jul 2024 13:51:22 +0200
Message-ID: <20240729115120.1375412-3-csokas.bence@prolan.hu>
In-Reply-To: <20240729115120.1375412-1-csokas.bence@prolan.hu>
References: <20240729115120.1375412-1-csokas.bence@prolan.hu>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/111455

From: Emil Kronborg

2848cc99a186 ("php-fpm: Add support for systemd") introduced a systemd service file, where ExecStart and ExecStop use /etc/init.d/php-fpm, which does not exist if systemd is enabled. Consequently, the php-fpm service fails to start even though it is correctly installed.

This is fixed by this commit in which the service file is identical to the one from the PHP source code except for the use of BitBake variables. Also, use ${systemd_system_unitdir} instead of ${systemd_unitdir}/system.

Signed-off-by: Emil Kronborg
Signed-off-by: Khem Raj
---
 .../recipes-devtools/php/php/php-fpm.service | 57 +++++++++++++++++--
 meta-oe/recipes-devtools/php/php_8.1.29.bb | 17 +++---
 2 files changed, 62 insertions(+), 12 deletions(-)

diff --git a/meta-oe/recipes-devtools/php/php/php-fpm.service b/meta-oe/recipes-devtools/php/php/php-fpm.service
index eec76fb56..918ffe674 100644
--- a/meta-oe/recipes-devtools/php/php/php-fpm.service
+++ b/meta-oe/recipes-devtools/php/php/php-fpm.service 
@@ -1,10 +1,57 @@ +# It's not recommended to modify this file in-place, because it +# will be overwritten during upgrades. If you want to customize, +# the best way is to use the "systemctl edit" command. + [Unit] -Description=PHP-FPM +Description=The PHP FastCGI Process Manager After=network.target + [Service] -Type=forking -PIDFile=/run/php-fpm.pid -ExecStart=@SYSCONFDIR@/init.d/php-fpm start -ExecStop=@SYSCONFDIR@/init.d/php-fpm stop +Type=simple +PIDFile=@LOCALSTATEDIR@/run/php-fpm.pid +ExecStart=@SBINDIR@/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf +ExecReload=@BINDIR@/kill -USR2 $MAINPID + +# Set up a new file system namespace and mounts private /tmp and /var/tmp directories +# so this service cannot access the global directories and other processes cannot +# access this service's directories. +PrivateTmp=true + +# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit. +ProtectSystem=full + +# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices +# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, +# but no physical devices such as /dev/sda. +PrivateDevices=true + +# Explicit module loading will be denied. This allows to turn off module load and unload +# operations on modular kernels. It is recommended to turn this on for most services that +# do not need special file systems or extra kernel modules to work. +ProtectKernelModules=true + +# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats, +# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes +# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the +# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence +# recommended to turn this on for most services. 
+ProtectKernelTunables=true + +# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be +# made read-only to all processes of the unit. Except for container managers no services should +# require write access to the control groups hierarchies; it is hence recommended to turn this on +# for most services +ProtectControlGroups=true + +# Any attempts to enable realtime scheduling in a process of the unit are refused. +RestrictRealtime=true + +# Restricts the set of socket address families accessible to the processes of this unit. +# Protects against vulnerabilities such as CVE-2016-8655 +RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX + +# Takes away the ability to create or manage any kind of namespace +RestrictNamespaces=true + [Install] WantedBy=multi-user.target diff --git a/meta-oe/recipes-devtools/php/php_8.1.29.bb b/meta-oe/recipes-devtools/php/php_8.1.29.bb index 2b3cfd58c..ec86ce088 100644 --- a/meta-oe/recipes-devtools/php/php_8.1.29.bb +++ b/meta-oe/recipes-devtools/php/php_8.1.29.bb @@ -41,7 +41,7 @@ CVE_CHECK_IGNORE += "\ CVE-2007-4596 \ " -inherit autotools pkgconfig python3native gettext multilib_header multilib_script +inherit autotools pkgconfig python3native gettext multilib_header multilib_script systemd # phpize is not scanned for absolute paths by default (but php-config is). # 
@@ -182,11 +182,11 @@ do_install:append:class-target() { install -m 0644 ${WORKDIR}/php-fpm-apache.conf ${D}/${sysconfdir}/apache2/conf.d/php-fpm.conf if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/php-fpm.service ${D}${systemd_unitdir}/system/ - sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' \ - -e 's,@LOCALSTATEDIR@,${localstatedir},g' \ - ${D}${systemd_unitdir}/system/php-fpm.service + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/php-fpm.service ${D}${systemd_system_unitdir}/php-fpm.service + sed -i -e 's,@LOCALSTATEDIR@,${localstatedir},g' ${D}${systemd_system_unitdir}/php-fpm.service + sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/php-fpm.service + sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_system_unitdir}/php-fpm.service fi if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then @@ -248,7 +248,7 @@ FILES:${PN}-cli = "${bindir}/php" FILES:${PN}-phpdbg = "${bindir}/phpdbg" FILES:${PN}-phar = "${bindir}/phar*" FILES:${PN}-cgi = "${bindir}/php-cgi" -FILES:${PN}-fpm = "${sbindir}/php-fpm ${sysconfdir}/php-fpm.conf ${datadir}/fpm ${sysconfdir}/init.d/php-fpm ${systemd_unitdir}/system/php-fpm.service ${sysconfdir}/php-fpm.d/www.conf.default" +FILES:${PN}-fpm = "${sbindir}/php-fpm ${sysconfdir}/php-fpm.conf ${datadir}/fpm ${sysconfdir}/init.d/php-fpm ${sysconfdir}/php-fpm.d/www.conf.default" FILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf" CONFFILES:${PN}-fpm = "${sysconfdir}/php-fpm.conf" CONFFILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf" 
@@ -279,6 +279,9 @@ RPROVIDES:${PN}-modphp = "${MODPHP_OLDPACKAGE}" RREPLACES:${PN}-modphp = "${MODPHP_OLDPACKAGE}" RCONFLICTS:${PN}-modphp = "${MODPHP_OLDPACKAGE}" +SYSTEMD_SERVICE:${PN}-fpm = "php-fpm.service" +SYSTEMD_PACKAGES += "${PN}-fpm" + do_install:append:class-native() { create_wrapper ${D}${bindir}/php \ PHP_PEAR_SYSCONF_DIR=${sysconfdir}/
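Review bot: in the php-fpm.service hunk (@@ -1,10 +1,57 @@), `ExecStart=@SBINDIR@/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf` hard-codes /etc while every other path in the unit is a placeholder that the recipe substitutes, and the commit message says the file differs from upstream only by BitBake variables; use `--fpm-config @SYSCONFDIR@/php-fpm.conf` and keep the `@SYSCONFDIR@` sed expression that the recipe hunk drops. Two smaller points in the same hunk: with `Type=simple` and `--nodaemonize` the main PID is the process systemd started, so `PIDFile=@LOCALSTATEDIR@/run/php-fpm.pid` is redundant (it is only needed for `Type=forking`), and `ExecReload=@BINDIR@/kill -USR2 $MAINPID` should be verified on a non-usrmerge image, where `kill` is commonly installed under ${base_bindir} rather than ${bindir}.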
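Review bot: in the do_install hunk (@@ -182,11 +182,11 @@), the three consecutive `sed -i` calls on the same file can be a single invocation with several `-e` expressions, as the removed lines already did; note also that dropping the `@LOCALSTATEDIR@`-style substitution for `@SYSCONFDIR@` only works because the unit now hard-codes `/etc/php-fpm.conf`, so keeping that expression costs nothing and lets the fpm-config path be a placeholder like the others.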
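Review bot: in the packaging hunk (@@ -279,6 +279,9 @@), `SYSTEMD_PACKAGES += "${PN}-fpm"` appends to the class default of `${PN}`, so systemd.bbclass will also process `${PN}`, which has no SYSTEMD_SERVICE; the usual form is `SYSTEMD_PACKAGES = "${PN}-fpm"`. Also, inheriting systemd with SYSTEMD_AUTO_ENABLE left at its default means php-fpm.service is now enabled at boot whenever the -fpm package is installed, whereas the previous recipe only installed the unit file and never enabled it; that behaviour change belongs in the commit message.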