Mods to make php-fpm work on PHP 5.2.x

[dayo]

***EDITED 16/10/2010***
For Nginx users interested in running php directly instead of proxying to apache, the version of PHP 5.2.14 on the atomic repo while including components aiming to introduce PHP-FPM, does not actually have a functioning PHP-FPM component and there is no intention to change this for various reasons.

Manually fixing this involves the following actions:

• Download the ART PHP 5.2.14 SRPM package
• Download the PHP 5.2.14 PHP-FPM patch file from the php-fpm website
• Fix the PHP 5.2.14 PHP-FPM patch file to make it install into /usr/bin instead of /usr/sbin
• Patch the ART spec file so that it uses your new fpm patch file instead current one in the package
• Build the RPMs and install
• Configure PHP-FPM and start the service
• Configure Nginx to run php fastcgi
• Restart Nginx

Note that you only need this if you want Nginx to run php directly. The common configuration of proxying php to Apache does not require this.

01. Create a holding folder and install/update required utilities

Code: Select all

$ mkdir /usr/local/sbin/php-5.2.14-da
$ yum --exclude=subversion --exclude=cvs groupinstall 'Development Tools'
$ yum install autoconf patch curl-devel gmp-devel pam-devel openssl-devel sqlite-devel zlib-devel pcre-devel readline-devel krb5-devel libc-client-devel mysql-devel postgresql-devel unixODBC-devel libxml2-devel net-snmp-devel lm_sensors-devel libxslt-devel ncurses-devel libpng-devel freetype-devel t1lib-devel libXaw-devel libmcrypt-devel mhash-devel libtidy-devel freetds-devel aspell-devel recode-devel

02. Download the Atomic PHP 5.2.14 SRPM package into your sources folder and unpack it.
You will get warnings about mock if you have not set up mockbuild (See http://fedoraproject.org/wiki/Projects/Mock). I ignored these and pressed on.

Code: Select all

$ cd /usr/local/sbin/php-5.2.14-da
$ wget http://www4.atomicorp.com/channels/source/php/php-5.2.14-2.art.src.rpm
$ rpm -ivv php-5.2.14-2.art.src.rpm

03. Patch the Atomic spec file

• Go to the specs folder

  Code: Select all

  $ cd /usr/src/redhat/SPECS

• Edit "php-art.spec"

  Code: Select all

  $ nano php-art.spec

• Find...

  Code: Select all

  Patch1003: php-fpm-0.6~5.2.patch

  ... (around Line 50) and edit it to read...

  Code: Select all

  #Patch1003: php-fpm-0.6~5.2.patch

• Add a new line below this with...

  Code: Select all

  Patch1003: php-5.2.14-fpm-0.5.14.patch

• Find...

  Code: Select all

  --enable-fpm \

  ... (around Line 604) and add four new lines below this with...

  Code: Select all

  --with-fpm-conf=/etc/php-fpm.conf \
  --with-fpm-init=/etc/init.d/php-fpm \
  --with-fpm-log=/var/log/php-fpm.log \
  --with-fpm-pid=/var/run/php-fpm.pid \
  

• Find...

  Code: Select all

  #%{_bindir}/php-fpm

  ... (around Line 795) and edit it to read...

  Code: Select all

  %{_bindir}/php-fpm

• Find...

  Code: Select all

  #%config(noreplace) %{_sysconfdir}/php-fpm.conf

  ... (around Line 805) and edit it to read...

  Code: Select all

  %config(noreplace) %{_sysconfdir}/php-fpm.conf

04. Download, unpack the PHP 5.2.14 patch from the php.fpm website and copy it to your sources folder
(Note the change of extention from ".diff" to ".patch" when copying)

Code: Select all

$ cd /usr/local/sbin/php-5.2.14-da
$ wget http://php-fpm.org/downloads/php-5.2.14-fpm-0.5.14.diff.gz
$ gunzip php-5.2.14-fpm-0.5.14.diff.gz
$ cp php-5.2.14-fpm-0.5.14.diff /usr/src/redhat/SOURCES/php-5.2.14-fpm-0.5.14.patch

05. Patch the PHP 5.2.14 diff file
Find every instance of...

Code: Select all

$(INSTALL_ROOT)$(prefix)/sbin

... and edit to read...

Code: Select all

$(INSTALL_ROOT)$(prefix)/bin

06. Build the RPMs
This takes a while so go get a cup of tea.
You might want to delay leaving for the first three minutes as this is when it is most likely to fall over due to missing requirements

Code: Select all

$ rpmbuild -ba /usr/src/redhat/SPECS/php-art.spec

07. Install the RPMs
Change the path depending on whether you use 64 or 32 bits systems.

Code: Select all

$ rpm -Uvh /usr/src/redhat/RPMS/x86_64/php*5.2.14*.rpm

OR

$ rpm -Uvh /usr/src/redhat/RPMS/i386/php*5.2.14*.rpm

08. Open /etc/php-fpm.conf and at a minimum, change "Unix user of processes" and "Unix group of processes" to your php username and group. Remember to remove the "<!--" and "-->" tags around each. You might also want to tweak some of the params such as startservers etc.

09. Prep and start up PHP-FPM

• Create a symlink to the init script: "$ ln -s /usr/bin/php-fpm /etc/rc.d/init.d/php-fpm"
• To start up at boot, add "service php-fpm start" to your "/etc/rc.d/rc.local" file
• Fire it up: "$ service php-fpm start"

10. Configure Nginx to run Fastcgi
Note that that Nginx is just a webserver and thus, serves whatever it is asked to serve without trying to second guess anything and the common php fastcgi configuration for Nginx found on the web does this exactly. However since many applications have sloppy security, it is best to put a safety net in by excluding some common means of delivering php payloads (the common online config does not do this). See http://forum.nginx.org/read.php?2,88845,88996 for more information.

11. Restart Nginx

Code: Select all

$ service nginx restart

Notes:

• If there is ever a new PHP 5.2.x package from ART, check to make sure that PHP-FPM is working first (not likely) before updating. Otherwise, rebuild and patch accordingly.
• Consider upgrading to PHP 5.3.3+ which includes native PHP-FPM

[dayo]

It seems Scott has not been able to do a Release 3 of PHP 5.2.13 with php-fpm as set out above. Anyway, here is my follow up.

The previous post I made here gives a basic simple implementation. It proxies all requests to Apache running on Port 8080.

Benchmarking using AB with this setting does not give a major advantage to Nginx against my optimised Apache and actually oft times, Apache comes out tops.

After running fixing the ART PHP 5.2.13-2 to actually work with php-fpm as above and getting Nginx to run php directly, all I can say is wow!

Here is a comparison of the commands, "ab -n 1000 -c 50 http://MySite.com:8080/path/to/gallery2/file.php" and "ab -n 1000 -c 50 http://MySite.com/path/to/gallery2/file.php" (1000 requests for the php file from 50 concurrent connections to a small 448 mb VPS).

Code: Select all

Server Software:        nginx/0.7.65......................................................Server Software:        Apache
Server Hostname:        MySite.com........................................................Server Hostname:        MySite.com
Server Port:            80................................................................Server Port:            8080

Document Path:          /path/to/gallery2/file.php........................................Document Path:          /path/to/gallery2/file.php
Document Length:        22619 bytes.......................................................Document Length:        22619 bytes

Concurrency Level:      50................................................................50
Time taken for tests:   22.146852 seconds.................................................92.60094 seconds
Complete requests:      1000..............................................................1000
Failed requests:        0.................................................................0
Write errors:           0.................................................................0
Total transferred:      22855848 bytes....................................................22776207 bytes
HTML transferred:       22692196 bytes....................................................22619000 bytes
Requests per second:    45.15 [#/sec] (mean)..............................................10.86 [#/sec] (mean)
Time per request:       1107.343 [ms] (mean)..............................................4603.005 [ms] (mean)
Time per request:       22.147 [ms] (mean, across all concurrent requests)................92.060 [ms] (mean, across all concurrent requests)
Transfer rate:          1007.82 [Kbytes/sec] received.....................................241.60 [Kbytes/sec] received

Connection Times (ms).....................................................................Connection Times (ms)
              min  mean[+/-sd] median   max...............................................              min  mean[+/-sd] median   max
Connect:       16  143 365.9     97    3111...............................................Connect:       15   16   2.5     17      69
Processing:   115  936 511.3    776    4153...............................................Processing:   393 4492 688.7   4433    8264
Waiting:       39  148 114.0    109     821...............................................Waiting:      341 4423 680.3   4361    7702
Total:        133 1080 628.5    885    6538...............................................Total:        409 4508 688.6   4452    8282

Percentage of the requests served within a certain time (ms)..............................Percentage of the requests served within a certain time (ms)				
  50%    885..............................................................................  50%   4452
  66%   1120..............................................................................  66%   4715
  75%   1301..............................................................................  75%   4892
  80%   1443..............................................................................  80%   4997
  90%   1831..............................................................................  90%   5306
  95%   2166..............................................................................  95%   5524
  98%   3029..............................................................................  98%   5823
  99%   3723..............................................................................  99%   6130
 100%   6538 (longest request)............................................................ 100%   8282 (longest request)

Max Load Average:	0.42..................................................................Max Load Average:	7.91

Says it all. Now have to fine tune the nginx fastcgi settings to squeeze even more out it.

[faris]

Wow. Thanks for all the details. At some point I will get to grips with this and have a go on a test machine. Looks like fun

[scott]

Epic negative here with nginx, it does not support mod_security.

[dayo]

I am sure this can be changed if you apply your talented mind to it

Anyway, this should not stop a fpm fix to Release 2 since that is what that was supposed to address but doesn't work.

With the fpm fix, people running Apache would run it as usual even if they use fastcgi as they would not be forced to run php-fpm and can use mod_sec etc.

It would make life easy for those of us that want to use Nginx and keep us in line with future ART releases of php and as you know, we love ART.

Please do the release ... you can even use my srpm as a jump off point.

Thanks

[mikeshinn]

Keep in mind that if you are running PHP out of nginx you have no protection against web attacks. As Scott said, there is no WAF plugin for nginx, so you are wide open. We do not recommend you do this.

[dayo]

Keep in mind that if you are running PHP out of nginx you have no protection against web attacks. As Scott said, there is no WAF plugin for nginx, so you are wide open. We do not recommend you do this.

Thanks Mike. I fully understand what is involved. Likewise, I understand that security is a matter of layers of which mod_sec and your excellent rules make up one layer.

Letting Nginx run my PHP is no different to how I run it with Apache on my VPS except that it is faster and uses a fraction of the resources even though I subscribe to ASL as it uses up too much resources for the VPS to handle.

I had a choice between a rock solidly secure (save for not having the kernel) but unusable deployment or shedding one layer of security which I had shed long before I started looking into Nginx. BTW, I ran ASL on a proper server but I no longer run a server.

Anyway, all I am asking is that the php-fpm fix applied to PHP 5.2.13-2 which doesn't work be fixed and released as 5.13-3.

This will not affect those running Apache in any way whatsoever (the php-cgi binary would run as usual if called by Apache or if they prefer, the standard php binary would be called) and would allow those of us that want to go a different way to do so by invoking fpm knowing that when PHP 5.2.14-1 is released, we would not have to go through the whole rebuild business again.

I see no conflict here. Give us the choice of staying in step with your excellent stuff even if we want to do a few things differently.

Thanks again

[scott]

The focus is really on 5.3 now, when there is time away from ASL.

[dayo]

Fair enough and even better as PHP 5.3 is even more php-fpm friendly although the expected inclusion into the core has apparently been moved back to 5.4.

Notice there have no Yum Announcements lately although I saw a PHP 5.3.x version in the sources channel (noticed the spec file didn't show fpm though ). Not sure how to get hold of it though ... or is it ASL only for now?

[scott]

No its just not done yet, there are a lot of changes with it over 5.2

[dayo]

OK cool. Keep up the good work.

PS. Seems there is still a very, very faint hope php-fpm could still appear in PHP 5.3.3 core (adding it doesn't break or change anything) and the FPM SAPI is now already an official php distribution.

Go with the flow

[dayo]

Now officially added to the 5.3 branch ... will appear in 5.3.3. Hooray!

Shame I am still on 5.2.13 lol.

[dayo]

PHP 5.3.3 released with native fpm.

Looking forward to the ART Release

PHP 5.2.14 also released ... will need patching to use fpm.

[barabashko]

dayo results is realy awesome ! there no solution as mod_security in nginx? googled only this https://calomel.org/nginx.html and they say "rules"

Now i have Apache 2 + Nginx 0.7.65 as proxy + php 5.2.14 from atomic

Apache2 gets

child pid 4411 exit signal Segmentation fault (11)