|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #81704 opcache.restrict_api not working with PHP-FPM
Submitted: 2021-12-22 09:01 UTC Modified: 2021-12-22 21:58 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: mr-manuel at outlook dot it Assigned: bukka (profile)
Status: Assigned Package: opcache
PHP Version: Irrelevant OS: Debian 11
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2021-12-22 09:01 UTC] mr-manuel at outlook dot it
# actual behaviour
OPcache shows all cached files from all PHP-FPM pools using the same PHP version. In addition it shows a negative used_memory value, since it counts somehow all pools and not only the pool in which the script is executed.

# expected behaviour
OPcache in PHP-FPM should show only the scripts cached within the same pool.

# stept to reproduce
Use Apache with mpm_event module and PHP-FPM installation. Create per domain a separate PHP-FPM pool and execute the pools with different users.

Relevant pool settings:
# /etc/php/7.4/fpm/pool.d/domain-1.conf
php_admin_flag[opcache.enable] = 1
php_admin_value[opcache.memory_consumption] = 128
php_admin_value[opcache.interned_strings_buffer] = 8
php_admin_value[opcache.max_accelerated_files] = 16229
php_admin_flag[opcache.validate_timestamps] = 1
php_admin_flag[opcache.save_comments] = 1
php_admin_value[opcache.revalidate_freq] = 1
php_admin_flag[opcache.fast_shutdown] = 1
php_admin_value[opcache.restrict_api] = "/var/www/html/"
... rest is default

The settings for all domains are the same, except the domain path and config file name.

Execute the test script below on every pool/domain and check the scripts. You should see all scripts from all pools which are cached from the same PHP-FPM version.

Apache: 2.4.51
PHP versions used: 7.4.26, 8.0.13, 8.1.0

Test script:

Expected result:
OPcache in PHP-FPM should show only the scripts cached within the same pool.

Actual result:
OPcache in PHP-FPM shows all scripts that are cached within the same PHP-FPM version.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-12-22 13:46 UTC]
-Assigned To: +Assigned To: bukka
 [2021-12-22 13:46 UTC]
Looks like there is only one OPcache SHM for all FPM pools.

Jakub, could you please have a look at this?
 [2021-12-22 20:44 UTC]
This is known issue and it's a current design of FPM where MINIT is done on master level and the shared memory is allocated just once. I think the best solution for that would be introducing a process manager that would control pool process and do MINIT but that's quite a lot of work so it will take some time.

In any case this is not a security issue because pools are not considered as a security mechanism (read they don't provide full separtion). It is certainly not anything that we can change in the bug fixing release as it will require significant refactoring. This is a feature request though.
 [2021-12-22 21:58 UTC]
-Type: Security +Type: Feature/Change Request
 [2021-12-22 21:58 UTC]
Thanks for the clarification!  I added that info to the PHP

[1] <>
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed May 18 13:05:45 2022 UTC