PHP :: Request #81704 :: opcache.restrict_api not working with PHP-FPM

opcache.restrict_api not working with PHP-FPM

Submitted:

2021-12-22 09:01 UTC

Modified:

2021-12-22 21:58 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	1 of 2 (50.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

mr-manuel at outlook dot it

Assigned:

bukka (profile)

Status:

Assigned

Package:

opcache

PHP Version:

Irrelevant

OS:

Debian 11

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	mr-manuel at outlook dot it
New email:
PHP Version:		OS:

New/Additional Comment:

[2021-12-22 09:01 UTC] mr-manuel at outlook dot it

Description:
------------
# actual behaviour
OPcache shows all cached files from all PHP-FPM pools using the same PHP version. In addition it shows a negative used_memory value, since it counts somehow all pools and not only the pool in which the script is executed.

# expected behaviour
OPcache in PHP-FPM should show only the scripts cached within the same pool.

# stept to reproduce
Use Apache with mpm_event module and PHP-FPM installation. Create per domain a separate PHP-FPM pool and execute the pools with different users.

Relevant pool settings:
# /etc/php/7.4/fpm/pool.d/domain-1.conf
php_admin_flag[opcache.enable] = 1
php_admin_value[opcache.memory_consumption] = 128
php_admin_value[opcache.interned_strings_buffer] = 8
php_admin_value[opcache.max_accelerated_files] = 16229
php_admin_flag[opcache.validate_timestamps] = 1
php_admin_flag[opcache.save_comments] = 1
php_admin_value[opcache.revalidate_freq] = 1
php_admin_flag[opcache.fast_shutdown] = 1
php_admin_value[opcache.restrict_api] = "/var/www/html/domain-1.com"
... rest is default

The settings for all domains are the same, except the domain path and config file name.

Execute the test script below on every pool/domain and check the scripts. You should see all scripts from all pools which are cached from the same PHP-FPM version.

Apache: 2.4.51
PHP versions used: 7.4.26, 8.0.13, 8.1.0

Test script:
---------------
https://github.com/rlerdorf/opcache-status/blob/master/opcache.php

Expected result:
----------------
OPcache in PHP-FPM should show only the scripts cached within the same pool.

Actual result:
--------------
OPcache in PHP-FPM shows all scripts that are cached within the same PHP-FPM version.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-12-22 13:46 UTC] cmb@php.net

-Assigned To: +Assigned To: bukka

[2021-12-22 13:46 UTC] cmb@php.net

Looks like there is only one OPcache SHM for all FPM pools.

Jakub, could you please have a look at this?

[2021-12-22 20:44 UTC] bukka@php.net

This is known issue and it's a current design of FPM where MINIT is done on master level and the shared memory is allocated just once. I think the best solution for that would be introducing a process manager that would control pool process and do MINIT but that's quite a lot of work so it will take some time.

In any case this is not a security issue because pools are not considered as a security mechanism (read they don't provide full separtion). It is certainly not anything that we can change in the bug fixing release as it will require significant refactoring. This is a feature request though.

[2021-12-22 21:58 UTC] cmb@php.net

-Type: Security +Type: Feature/Change Request

[2021-12-22 21:58 UTC] cmb@php.net

Thanks for the clarification!  I added that info to the PHP
manual[1].

[1] <https://github.com/php/doc-en/commit/88333c7e4faf04190cf783247b470c7ea8b54196>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Mar 21 23:01:28 2025 UTC