php-fpm: fix systemd

2848cc99a186 ("php-fpm: Add support for systemd") introduced a systemd service file, where ExecStart and ExecStop uses /etc/init.d/php-fpm, which does not exist if systemd is enabled. Consequently, the php-fpm service fails to start even though it is correctly installed. This is fixed by this commit in which the service file is identical to the one from the PHP source code except for the use of BitBake variables. Also, use ${systemd_system_unitdir} instead of ${systemd_unitdir}/system. Signed-off-by: Emil Kronborg <emil.kronborg@protonmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Emil Kronborg <emil.kronborg@protonmail.com> 2024-07-29 13:51:22 +0200
committer: Armin Kuster <akuster808@gmail.com> 2024-07-30 09:43:01 -0400
commit: 69d1121922be7550264fef545db1343b7ec08bf4 (patch)
tree: 7a274901ce4cd363de8fdd664ac3dd409fbb0c43 /meta-oe
parent: 0fdc4a63579c2ca67ef8438800e0596086a562dd (diff)
download: meta-openembedded-69d1121922be7550264fef545db1343b7ec08bf4.tar.gz
2 files changed, 62 insertions, 12 deletions
diff --git a/meta-oe/recipes-devtools/php/php/php-fpm.service b/meta-oe/recipes-devtools/php/php/php-fpm.service
index eec76fb563..918ffe6749 100644
--- a/meta-oe/recipes-devtools/php/php/php-fpm.service
+++ b/meta-oe/recipes-devtools/php/php/php-fpm.service
@@ -1,10 +1,57 @@
+# It's not recommended to modify this file in-place, because it
+# will be overwritten during upgrades.  If you want to customize,
+# the best way is to use the "systemctl edit" command.
 [Unit]
-Description=PHP-FPM
+Description=The PHP FastCGI Process Manager
 After=network.target
 [Service]
-Type=forking
+Type=simple
-PIDFile=/run/php-fpm.pid
+PIDFile=@LOCALSTATEDIR@/run/php-fpm.pid
-ExecStart=@SYSCONFDIR@/init.d/php-fpm start
+ExecStart=@SBINDIR@/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf
-ExecStop=@SYSCONFDIR@/init.d/php-fpm stop
+ExecReload=@BINDIR@/kill -USR2 $MAINPID
+# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
+# so this service cannot access the global directories and other processes cannot
+# access this service's directories.
+PrivateTmp=true
+# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
+ProtectSystem=full
+# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
+# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
+# but no physical devices such as /dev/sda.
+PrivateDevices=true
+# Explicit module loading will be denied. This allows to turn off module load and unload
+# operations on modular kernels. It is recommended to turn this on for most services that
+# do not need special file systems or extra kernel modules to work.
+ProtectKernelModules=true
+# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
+# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
+# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
+# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
+# recommended to turn this on for most services.
+ProtectKernelTunables=true
+# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
+# made read-only to all processes of the unit. Except for container managers no services should
+# require write access to the control groups hierarchies; it is hence recommended to turn this on
+# for most services
+ProtectControlGroups=true
+# Any attempts to enable realtime scheduling in a process of the unit are refused.
+RestrictRealtime=true
+# Restricts the set of socket address families accessible to the processes of this unit.
+# Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+# Takes away the ability to create or manage any kind of namespace
+RestrictNamespaces=true
 [Install]
 WantedBy=multi-user.target
diff --git a/meta-oe/recipes-devtools/php/php_8.1.29.bb b/meta-oe/recipes-devtools/php/php_8.1.29.bb
index 2b3cfd58c5..ec86ce0886 100644
--- a/meta-oe/recipes-devtools/php/php_8.1.29.bb
+++ b/meta-oe/recipes-devtools/php/php_8.1.29.bb
@@ -41,7 +41,7 @@ CVE_CHECK_IGNORE += "\
    CVE-2007-4596 \
 "
-inherit autotools pkgconfig python3native gettext multilib_header multilib_script
+inherit autotools pkgconfig python3native gettext multilib_header multilib_script systemd
 # phpize is not scanned for absolute paths by default (but php-config is).
 #
@@ -182,11 +182,11 @@ do_install:append:class-target() {
    install -m 0644 ${WORKDIR}/php-fpm-apache.conf ${D}/${sysconfdir}/apache2/conf.d/php-fpm.conf
    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
-        install -d ${D}${systemd_unitdir}/system
+        install -d ${D}${systemd_system_unitdir}
-        install -m 0644 ${WORKDIR}/php-fpm.service ${D}${systemd_unitdir}/system/
+        install -m 0644 ${WORKDIR}/php-fpm.service ${D}${systemd_system_unitdir}/php-fpm.service
-        sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' \
+        sed -i -e 's,@LOCALSTATEDIR@,${localstatedir},g' ${D}${systemd_system_unitdir}/php-fpm.service
-            -e 's,@LOCALSTATEDIR@,${localstatedir},g' \
+        sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/php-fpm.service
-            ${D}${systemd_unitdir}/system/php-fpm.service
+        sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_system_unitdir}/php-fpm.service
    fi
    if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then
@@ -248,7 +248,7 @@ FILES:${PN}-cli = "${bindir}/php"
 FILES:${PN}-phpdbg = "${bindir}/phpdbg"
 FILES:${PN}-phar = "${bindir}/phar*"
 FILES:${PN}-cgi = "${bindir}/php-cgi"
-FILES:${PN}-fpm = "${sbindir}/php-fpm ${sysconfdir}/php-fpm.conf ${datadir}/fpm ${sysconfdir}/init.d/php-fpm ${systemd_unitdir}/system/php-fpm.service ${sysconfdir}/php-fpm.d/www.conf.default"
+FILES:${PN}-fpm = "${sbindir}/php-fpm ${sysconfdir}/php-fpm.conf ${datadir}/fpm ${sysconfdir}/init.d/php-fpm ${sysconfdir}/php-fpm.d/www.conf.default"
 FILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf"
 CONFFILES:${PN}-fpm = "${sysconfdir}/php-fpm.conf"
 CONFFILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf"
@@ -279,6 +279,9 @@ RPROVIDES:${PN}-modphp = "${MODPHP_OLDPACKAGE}"
 RREPLACES:${PN}-modphp = "${MODPHP_OLDPACKAGE}"
 RCONFLICTS:${PN}-modphp = "${MODPHP_OLDPACKAGE}"
+SYSTEMD_SERVICE:${PN}-fpm = "php-fpm.service"
+SYSTEMD_PACKAGES += "${PN}-fpm"
 do_install:append:class-native() {
    create_wrapper ${D}${bindir}/php \
        PHP_PEAR_SYSCONF_DIR=${sysconfdir}/
author	Emil Kronborg <emil.kronborg@protonmail.com>	2024-07-29 13:51:22 +0200
committer	Armin Kuster <akuster808@gmail.com>	2024-07-30 09:43:01 -0400
commit	69d1121922be7550264fef545db1343b7ec08bf4 (patch)
tree	7a274901ce4cd363de8fdd664ac3dd409fbb0c43 /meta-oe
parent	0fdc4a63579c2ca67ef8438800e0596086a562dd (diff)
download	meta-openembedded-69d1121922be7550264fef545db1343b7ec08bf4.tar.gz

diff --git a/meta-oe/recipes-devtools/php/php/php-fpm.service b/meta-oe/recipes-devtools/php/php/php-fpm.service index eec76fb563..918ffe6749 100644 --- a/meta-oe/recipes-devtools/php/php/php-fpm.service +++ b/meta-oe/recipes-devtools/php/php/php-fpm.service
@@ -1,10 +1,57 @@
		1	# It's not recommended to modify this file in-place, because it
		2	# will be overwritten during upgrades. If you want to customize,
		3	# the best way is to use the "systemctl edit" command.
		4
1	[Unit]	5	[Unit]
2	Description=PHP-FPM	6	Description=The PHP FastCGI Process Manager
3	After=network.target	7	After=network.target
		8
4	[Service]	9	[Service]
5	Type=forking	10	Type=simple
6	PIDFile=/run/php-fpm.pid	11	PIDFile=@LOCALSTATEDIR@/run/php-fpm.pid
7	ExecStart=@SYSCONFDIR@/init.d/php-fpm start	12	ExecStart=@SBINDIR@/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf
8	ExecStop=@SYSCONFDIR@/init.d/php-fpm stop	13	ExecReload=@BINDIR@/kill -USR2 $MAINPID
		14
		15	# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
		16	# so this service cannot access the global directories and other processes cannot
		17	# access this service's directories.
		18	PrivateTmp=true
		19
		20	# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
		21	ProtectSystem=full
		22
		23	# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
		24	# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
		25	# but no physical devices such as /dev/sda.
		26	PrivateDevices=true
		27
		28	# Explicit module loading will be denied. This allows to turn off module load and unload
		29	# operations on modular kernels. It is recommended to turn this on for most services that
		30	# do not need special file systems or extra kernel modules to work.
		31	ProtectKernelModules=true
		32
		33	# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
		34	# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
		35	# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
		36	# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
		37	# recommended to turn this on for most services.
		38	ProtectKernelTunables=true
		39
		40	# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
		41	# made read-only to all processes of the unit. Except for container managers no services should
		42	# require write access to the control groups hierarchies; it is hence recommended to turn this on
		43	# for most services
		44	ProtectControlGroups=true
		45
		46	# Any attempts to enable realtime scheduling in a process of the unit are refused.
		47	RestrictRealtime=true
		48
		49	# Restricts the set of socket address families accessible to the processes of this unit.
		50	# Protects against vulnerabilities such as CVE-2016-8655
		51	RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
		52
		53	# Takes away the ability to create or manage any kind of namespace
		54	RestrictNamespaces=true
		55
9	[Install]	56	[Install]
10	WantedBy=multi-user.target	57	WantedBy=multi-user.target


diff --git a/meta-oe/recipes-devtools/php/php_8.1.29.bb b/meta-oe/recipes-devtools/php/php_8.1.29.bb index 2b3cfd58c5..ec86ce0886 100644 --- a/meta-oe/recipes-devtools/php/php_8.1.29.bb +++ b/meta-oe/recipes-devtools/php/php_8.1.29.bb
@@ -41,7 +41,7 @@ CVE_CHECK_IGNORE += "\
41	CVE-2007-4596 \	41	CVE-2007-4596 \
42	"	42	"
43		43
44	inherit autotools pkgconfig python3native gettext multilib_header multilib_script	44	inherit autotools pkgconfig python3native gettext multilib_header multilib_script systemd
45		45
46	# phpize is not scanned for absolute paths by default (but php-config is).	46	# phpize is not scanned for absolute paths by default (but php-config is).
47	#	47	#
@@ -182,11 +182,11 @@ do_install:append:class-target() {
182	install -m 0644 ${WORKDIR}/php-fpm-apache.conf ${D}/${sysconfdir}/apache2/conf.d/php-fpm.conf	182	install -m 0644 ${WORKDIR}/php-fpm-apache.conf ${D}/${sysconfdir}/apache2/conf.d/php-fpm.conf
183		183
184	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then	184	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
185	install -d ${D}${systemd_unitdir}/system	185	install -d ${D}${systemd_system_unitdir}
186	install -m 0644 ${WORKDIR}/php-fpm.service ${D}${systemd_unitdir}/system/	186	install -m 0644 ${WORKDIR}/php-fpm.service ${D}${systemd_system_unitdir}/php-fpm.service
187	sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' \	187	sed -i -e 's,@LOCALSTATEDIR@,${localstatedir},g' ${D}${systemd_system_unitdir}/php-fpm.service
188	-e 's,@LOCALSTATEDIR@,${localstatedir},g' \	188	sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/php-fpm.service
189	${D}${systemd_unitdir}/system/php-fpm.service	189	sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_system_unitdir}/php-fpm.service
190	fi	190	fi
191		191
192	if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then	192	if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then
@@ -248,7 +248,7 @@ FILES:${PN}-cli = "${bindir}/php"
248	FILES:${PN}-phpdbg = "${bindir}/phpdbg"	248	FILES:${PN}-phpdbg = "${bindir}/phpdbg"
249	FILES:${PN}-phar = "${bindir}/phar*"	249	FILES:${PN}-phar = "${bindir}/phar*"
250	FILES:${PN}-cgi = "${bindir}/php-cgi"	250	FILES:${PN}-cgi = "${bindir}/php-cgi"
251	FILES:${PN}-fpm = "${sbindir}/php-fpm ${sysconfdir}/php-fpm.conf ${datadir}/fpm ${sysconfdir}/init.d/php-fpm ${systemd_unitdir}/system/php-fpm.service ${sysconfdir}/php-fpm.d/www.conf.default"	251	FILES:${PN}-fpm = "${sbindir}/php-fpm ${sysconfdir}/php-fpm.conf ${datadir}/fpm ${sysconfdir}/init.d/php-fpm ${sysconfdir}/php-fpm.d/www.conf.default"
252	FILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf"	252	FILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf"
253	CONFFILES:${PN}-fpm = "${sysconfdir}/php-fpm.conf"	253	CONFFILES:${PN}-fpm = "${sysconfdir}/php-fpm.conf"
254	CONFFILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf"	254	CONFFILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf"
@@ -279,6 +279,9 @@ RPROVIDES:${PN}-modphp = "${MODPHP_OLDPACKAGE}"
279	RREPLACES:${PN}-modphp = "${MODPHP_OLDPACKAGE}"	279	RREPLACES:${PN}-modphp = "${MODPHP_OLDPACKAGE}"
280	RCONFLICTS:${PN}-modphp = "${MODPHP_OLDPACKAGE}"	280	RCONFLICTS:${PN}-modphp = "${MODPHP_OLDPACKAGE}"
281		281
		282	SYSTEMD_SERVICE:${PN}-fpm = "php-fpm.service"
		283	SYSTEMD_PACKAGES += "${PN}-fpm"
		284
282	do_install:append:class-native() {	285	do_install:append:class-native() {
283	create_wrapper ${D}${bindir}/php \	286	create_wrapper ${D}${bindir}/php \
284	PHP_PEAR_SYSCONF_DIR=${sysconfdir}/	287	PHP_PEAR_SYSCONF_DIR=${sysconfdir}/