Request #81704 opcache.restrict_api not working with PHP-FPM
Submitted: 2021-12-22 09:01 UTC Modified: 2021-12-22 21:58 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mr-manuel at outlook dot it Assigned: bukka (profile)
Status: Assigned Package: opcache
PHP Version: Irrelevant OS: Debian 11
Private report: No CVE-ID: None
 [2021-12-22 09:01 UTC] mr-manuel at outlook dot it
Description:
------------
# actual behaviour
OPcache shows all cached files from all PHP-FPM pools using the same PHP version. In addition it shows a negative used_memory value, since it counts somehow all pools and not only the pool in which the script is executed.

# expected behaviour
OPcache in PHP-FPM should show only the scripts cached within the same pool.

# steps to reproduce
Use Apache with mpm_event module and PHP-FPM installation. Create per domain a separate PHP-FPM pool and execute the pools with different users.

Relevant pool settings:
# /etc/php/7.4/fpm/pool.d/domain-1.conf
php_admin_flag[opcache.enable] = 1
php_admin_value[opcache.memory_consumption] = 128
php_admin_value[opcache.interned_strings_buffer] = 8
php_admin_value[opcache.max_accelerated_files] = 16229
php_admin_flag[opcache.validate_timestamps] = 1
php_admin_flag[opcache.save_comments] = 1
php_admin_value[opcache.revalidate_freq] = 1
php_admin_flag[opcache.fast_shutdown] = 1
php_admin_value[opcache.restrict_api] = "/var/www/html/domain-1.com"
... rest is default

The settings for all domains are the same, except the domain path and config file name.

Execute the test script below on every pool/domain and check the scripts. You should see all scripts from all pools which are cached from the same PHP-FPM version.

Apache: 2.4.51
PHP versions used: 7.4.26, 8.0.13, 8.1.0

Test script:
---------------
https://github.com/rlerdorf/opcache-status/blob/master/opcache.php

Expected result:
----------------
OPcache in PHP-FPM should show only the scripts cached within the same pool.

Actual result:
--------------
OPcache in PHP-FPM shows all scripts that are cached within the same PHP-FPM version.
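
Added example (not part of the original report and not code from the linked opcache-status script): a small PHP check that lists OPcache entries outside a pool's own document root, which is the cross-pool visibility the report describes. The domain-2.com paths, the function name foreignCachedScripts and the sample array are constructed for illustration; the array follows the shape returned by opcache_get_status(true).

```php
<?php
declare(strict_types=1);

/**
 * Return cached script paths that lie outside $poolRoot.
 * $status has the shape returned by opcache_get_status(true).
 */
function foreignCachedScripts(array $status, string $poolRoot): array
{
    // Compare against "root/" so that a sibling such as "root.bak" does not match.
    $root = rtrim($poolRoot, '/') . '/';
    $foreign = [];
    foreach ($status['scripts'] ?? [] as $key => $entry) {
        $path = (is_array($entry) && isset($entry['full_path']))
            ? (string) $entry['full_path']
            : (string) $key;
        if (strncmp($path, $root, strlen($root)) !== 0) {
            $foreign[] = $path;
        }
    }
    sort($foreign);
    return $foreign;
}

// Constructed sample data (assumption): one script from this pool, two from elsewhere.
$sample = ['scripts' => [
    '/var/www/html/domain-1.com/index.php'
        => ['full_path' => '/var/www/html/domain-1.com/index.php'],
    '/var/www/html/domain-2.com/config.php'
        => ['full_path' => '/var/www/html/domain-2.com/config.php'],
    '/var/www/html/domain-1.com.bak/old.php'
        => ['full_path' => '/var/www/html/domain-1.com.bak/old.php'],
]];

// Pool root taken from the opcache.restrict_api value in the report.
$poolRoot = '/var/www/html/domain-1.com';

// Under FPM, read the live cache; on the CLI (or if the call is refused) use the sample.
$live = (PHP_SAPI !== 'cli' && function_exists('opcache_get_status'))
    ? @opcache_get_status(true)
    : false;
$status = is_array($live) ? $live : $sample;

$foreign = foreignCachedScripts($status, $poolRoot);
printf("%d cached script(s) outside %s\n", count($foreign), $poolRoot);
foreach ($foreign as $path) {
    echo "  ", $path, "\n";
}
```

With the sample data this reports the domain-2.com and domain-1.com.bak entries; a non-zero count on a live pool means the pool shares its OPcache shared memory segment with other pools.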

 [2021-12-22 13:46 UTC] cmb@php.net
-Assigned To: +Assigned To: bukka
 [2021-12-22 13:46 UTC] cmb@php.net
Looks like there is only one OPcache SHM for all FPM pools.

Jakub, could you please have a look at this?
 [2021-12-22 20:44 UTC] bukka@php.net
This is a known issue and it's the current design of FPM, where MINIT is done on the master level and the shared memory is allocated just once. I think the best solution for that would be introducing a process manager that would control pool processes and do MINIT, but that's quite a lot of work so it will take some time.

In any case this is not a security issue because pools are not considered a security mechanism (read: they don't provide full separation). It is certainly not anything that we can change in a bug fixing release as it will require significant refactoring. This is a feature request though.
 [2021-12-22 21:58 UTC] cmb@php.net
-Type: Security +Type: Feature/Change Request
 [2021-12-22 21:58 UTC] cmb@php.net
Thanks for the clarification!  I added that info to the PHP
manual[1].

[1] <https://github.com/php/doc-en/commit/88333c7e4faf04190cf783247b470c7ea8b54196>
 [2023-08-23 11:15 UTC] truongthaietc50 at gmail dot com
The opcache.restrict_api directive in PHP's OPCache extension is designed to limit the exposure of OPCache management functions to specific scripts, enhancing security. However, as of my last update in September 2021, there were instances where this directive might not function as expected when used with PHP-FPM (FastCGI Process Manager). 

In some setups, especially with multiple PHP-FPM pools or versions, the restriction might not take effect due to how PHP-FPM processes are managed and how OPCache contexts are shared. If you're encountering issues with opcache.restrict_api and PHP-FPM, consider updating PHP to the latest version, checking for any reported bugs or patches, and reviewing the PHP-FPM and OPCache configuration interactions.
 
Last updated: Sat Mar 02 20:01:29 2024 UTC