feat(roles/php): allow for PHP-FPM pools to be configured individually. #248
Open
ebuerki-lf wants to merge 85 commits into
Conversation
…ially finished) to allow for multiple PHP-FPM pools to be configured individually
…dance with example role, ensure session.save_path is now set correctly
…s (not complete), update template for RedHat-based systems.
Deploy /etc/icingaweb2/modules/pdfexport/config.ini so the module talks to the chrome-headless service over the Chrome DevTools Protocol by default (host/port), with an optional fall-back to a local Chrome binary. Move the platform-variables import into an always-tagged block so the new icingaweb2_module_pdfexport:configure tag can be run on its own. Wire the repo_epel, repo_google_chrome and google_chrome roles into both the standalone playbook and setup_icinga2_master.yml, with *__skip_* opt-outs tracking the existing pdfexport skip flag.
…d in front of Chrome
…lean Without bind_any the chrome-headless-proxy.socket cannot bind the listen port on hosts where the port carries an unexpected SELinux port type (on Rocky/RHEL 9 the default 9222 is registered as hplip_port_t).
Remove the comments and the chrome-headless-before-socket ordering that only existed to handle the cut-over from a pre-existing, non-socket-activated chrome service. With no such legacy unit in the wild, the regular notify chain (daemon-reload, restart socket, restart chrome on template change) is sufficient.
Declare the two user-facing variables (basic_auth_login as 'raw', mirror_url as 'str'), matching the pattern repo_remi established. Also sort entries in roles/google_chrome/{meta/argument_specs.yml, defaults/main.yml} alphabetically per CONTRIBUTING.md.
- Split SELinux booleans into their own block, scoped to `google_chrome` only, so `google_chrome:configure` is limited to unit-file deployment as documented in the README.
- Move daemon-reload from a handler into a regular task, gated by `is changed` on the three deploy tasks. The state block now runs with the freshly reloaded unit definitions without needing an intermediate `flush_handlers`, and the restart-socket handler can rely on `__google_chrome__service_state_result is not changed` (with an `is not defined` fallback for tag-restricted runs) to skip the redundant restart right after a fresh service start.
- Drop the `restart chrome-headless` handler. Changes to the proxy or Chrome service unit only need a daemon-reload now; they take effect on the next socket-activation cycle. Only socket-template changes still trigger an immediate restart, because that unit holds the externally-visible listen port.
- Fix descriptions for `google_chrome__service_enabled` and `google_chrome__service_state` in `meta/argument_specs.yml`: both manage the `chrome-headless-proxy.socket` unit, not `chrome-headless.service`.
- Drop `mesa-libOSMesa-devel` from the runtime package list; the runtime library `mesa-libOSMesa` stays.
…251) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.19.1 to 2.19.3.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@a5ad31d...ab7a940)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ocalhost Chromium's --remote-debugging-address now always binds 127.0.0.1 instead of chromium_headless__listen_address. Only the proxy socket is meant to be the public endpoint; binding the backend to a routable listen_address exposed Chromium's unauthenticated CDP port off-host and let clients bypass the idle-managed proxy. The proxy and the ExecStartPost health check connect to 127.0.0.1 accordingly. Also documents why MemoryDenyWriteExecute must stay false (V8 JIT) and bumps the two unit-template timestamps.
…ons on temp-file tasks
and some other minor improvements
) main() ignored the success flag returned by select(), so a failed query exited with changed=false and the error message smuggled into query_result - reporting success for a broken query. Check the flag and call fail_json with the error instead. Add a reusable Ansible module test harness (tests/ansible_harness.py: set_module_args + exit_json/fail_json patching, profile-aware so it works on ansible-core 2.15 through 2.21) and main()-level tests covering both the success and the failure path.
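The failure mode described in that commit, a module exiting successfully with the error text stashed in `query_result`, is easy to reproduce in miniature. The following is an added example, not the collection's module or its `tests/ansible_harness.py`: the `select()` query runner, the `FakeModule` stand-in for `AnsibleModule` (exit_json/fail_json replaced by exceptions, which is the same patching idea the harness uses) and the two `main()` variants are all constructed here.

```python
class ModuleExit(Exception):
    """Raised by FakeModule.exit_json so main() stops where AnsibleModule would."""


class ModuleFail(Exception):
    """Raised by FakeModule.fail_json so main() stops where AnsibleModule would."""


class FakeModule:
    """Minimal stand-in for AnsibleModule (constructed for this example):
    records the result dict and raises instead of calling sys.exit()."""

    def __init__(self, params):
        self.params = params
        self.result = None

    def exit_json(self, **kwargs):
        self.result = kwargs
        raise ModuleExit()

    def fail_json(self, **kwargs):
        self.result = kwargs
        raise ModuleFail()


def select(query, rows):
    """Toy query runner standing in for the real database call. Returns
    (success, result): the rows of the table on success, or (False, error
    message) when the table does not exist. `rows` is a dict of table name
    to list of row dicts, constructed by the caller."""
    if "FROM" not in query:
        return False, "malformed query: no FROM clause"
    table = query.split("FROM", 1)[1].strip()
    if table not in rows:
        return False, "table %r does not exist" % table
    return True, rows[table]


def main_buggy(module, rows):
    """Before the fix: the success flag is dropped, so an error message is
    reported as the query result with changed=false."""
    _ok, result = select(module.params["query"], rows)
    module.exit_json(changed=False, query_result=result)


def main_fixed(module, rows):
    """After the fix: a failed query ends in fail_json with the error as msg."""
    ok, result = select(module.params["query"], rows)
    if not ok:
        module.fail_json(msg=result, query=module.params["query"])
    module.exit_json(changed=False, query_result=result)


def run(main, query, rows):
    """Harness-style driver: run main() against a FakeModule and report
    which path it took as ('exit' | 'fail', result_dict)."""
    module = FakeModule({"query": query})
    try:
        main(module, rows)
    except ModuleExit:
        return "exit", module.result
    except ModuleFail:
        return "fail", module.result
    return "none", module.result


if __name__ == "__main__":
    sample_rows = {"users": [{"id": 1, "name": "alice"}]}  # constructed sample data
    print(run(main_buggy, "SELECT * FROM nope", sample_rows))
    print(run(main_fixed, "SELECT * FROM nope", sample_rows))
    print(run(main_fixed, "SELECT * FROM users", sample_rows))
```

The driver is the shape a main()-level test takes: one assertion per path (success exits with rows, failure fails with `msg`), which is exactly what the buggy variant cannot satisfy.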
…ssword on None (#271) Two behavior fixes:
- check_mode: the module declared supports_check_mode but wrote to the vault regardless (edit/create/add_attachment). Guard every write behind 'not module.check_mode' and return the predicted item in check mode.
- None password: diff_and_update saw target password None vs an existing real password as a change and overwrote it with null. A None password now preserves the existing item's password, matching the documented behavior ('overwritten by every non-None value').
Clarify the DOCUMENTATION accordingly and add main()-level tests (fake Bitwarden client + the ansible module harness) for both paths. The get_item_by_id returns-or-raises contract is left for a separate PR.
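Both fixes in that commit come down to two small contracts: a None field means "keep what is stored", and check mode predicts the write without performing it. The block below is an added example, not the collection's Bitwarden module: `diff_and_update`, `FakeVault` and `ensure_item` are constructed here to show the before/after behaviour on a stored password.

```python
import copy


def diff_and_update(existing, target):
    """Merge `target` into a copy of `existing`. Returns (changed, merged).
    A None value in target means 'not specified' and keeps the existing
    value, so target password None never nulls a stored secret. Every
    non-None value overwrites, matching 'overwritten by every non-None value'."""
    merged = copy.deepcopy(existing)
    changed = False
    for key, value in target.items():
        if value is None:
            continue
        if merged.get(key) != value:
            merged[key] = value
            changed = True
    return changed, merged


def buggy_diff_and_update(existing, target):
    """Pre-fix behaviour for comparison: None is treated like any other
    value, so a real stored password versus None counts as a change."""
    merged = copy.deepcopy(existing)
    changed = False
    for key, value in target.items():
        if merged.get(key) != value:
            merged[key] = value
            changed = True
    return changed, merged


class FakeVault:
    """Constructed stand-in for the Bitwarden client: counts writes so a
    test can prove check mode performed none."""

    def __init__(self, items):
        self.items = {item["id"]: copy.deepcopy(item) for item in items}
        self.writes = 0

    def edit(self, item):
        self.writes += 1
        self.items[item["id"]] = copy.deepcopy(item)


def ensure_item(vault, target, check_mode):
    """Module-style state handler: compute the predicted item, write it only
    when something changed and we are not in check mode, and always report
    the predicted item so check-mode output matches a real run."""
    existing = vault.items[target["id"]]
    changed, predicted = diff_and_update(existing, target)
    if changed and not check_mode:
        vault.edit(predicted)
    return {"changed": changed, "item": predicted}


if __name__ == "__main__":
    stored = {"id": "item-1", "name": "db", "password": "s3cret"}  # constructed sample
    print(diff_and_update(stored, {"id": "item-1", "name": "db", "password": None}))
    print(buggy_diff_and_update(stored, {"id": "item-1", "name": "db", "password": None}))
```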
…s JSON (#272) Nextcloud stores an array config value and returns it as a parsed JSON array (verified against Nextcloud 33: config:list yields ["alpha", "beta"]). The module stringified that list with str() (Python repr, single quotes) and compared it against the user's array literal, which never matched - so the module reported a change and re-ran config:app:set on every run. Compare array values as parsed JSON instead (values_match()), and store the cached current value as canonical JSON. Add unit tests for the helper and for the cached (installed_config_json) idempotency path. The occ output formats were verified empirically in a Nextcloud podman container.
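The idempotency bug in that commit is a representation mismatch: Python's `str()` of a list is a repr with single quotes, which can never equal the JSON literal the user wrote. The following is an added example, not the collection's Nextcloud module; `parse_occ_value`, `canonical_json` and `values_match` are written here to show the comparison done on parsed JSON, alongside the pre-fix string comparison for contrast. The `occ` output is a constructed sample in the shape the commit describes.

```python
import json


def parse_occ_value(raw):
    """Parse a value as occ prints it. Array values arrive as a JSON array
    text; anything that is not valid JSON (a plain string setting) is kept
    as-is. Non-string inputs (already-parsed values) pass through."""
    if not isinstance(raw, str):
        return raw
    try:
        return json.loads(raw)
    except ValueError:
        return raw


def canonical_json(value):
    """Stable JSON form used for the cached current value: sorted keys and
    no incidental whitespace, so equal structures always serialise alike."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def values_match(current_raw, desired):
    """True when the value occ reports equals the user's desired value.
    Both sides are normalised to parsed JSON and then to canonical text,
    so '["alpha", "beta"]' from occ matches the literal ["alpha","beta"]
    whether the user passed it as a string or as a YAML list."""
    return canonical_json(parse_occ_value(current_raw)) == canonical_json(
        parse_occ_value(desired)
    )


def buggy_values_match(current_raw, desired):
    """Pre-fix comparison: str() of the parsed list (Python repr) against the
    user's literal. Fails for every array value, so the module re-ran
    config:app:set on each run."""
    return str(parse_occ_value(current_raw)) == desired


if __name__ == "__main__":
    OCC_OUTPUT = '["alpha", "beta"]'  # constructed, shaped like config:list output
    print(values_match(OCC_OUTPUT, '["alpha", "beta"]'))       # True
    print(buggy_values_match(OCC_OUTPUT, '["alpha", "beta"]'))  # False
```

Storing `canonical_json(parse_occ_value(...))` as the cached current value means the later cached-path comparison is a plain string equality on the same canonical form, which is what keeps the second run at changed=false.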
…ct docs
- Sync plugins/module_utils/gnupg.py with upstream python-gnupg 0.5.6 (byte-identical), keeping the module working on current Python and GnuPG.
- gnupghome is now type=path (expands ~, resolves relative paths).
- Drop the misleading "python-gnupg required on the controller" requirement; the library ships with the collection. Document the returned field as uids.
- Document the vendored module_util in CONTRIBUTING and exclude it from bandit, consistent with the vendored ipa*.py modules.
…ially finished) to allow for multiple PHP-FPM pools to be configured individually
…mong php-fpm instances, use one pool.conf template for both RedHat and Debian os families, update docs.
Contributor
Author
The systemd service on Debian (PHP 8.4, Sury repo) contains:

Debian:

```ini
[Unit]
Description=The PHP 8.4 FastCGI Process Manager
Documentation=man:php-fpm8.4(8)
After=network.target

[Service]
Type=notify
ExecStart=/usr/sbin/php-fpm8.4 --nodaemonize --fpm-config /etc/php/8.4/fpm/php-fpm.conf
ExecStartPost=-/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock /etc/php/8.4/fpm/pool.d/www.conf 84
ExecStopPost=-/usr/lib/php/php-fpm-socket-helper remove /run/php/php-fpm.sock /etc/php/8.4/fpm/pool.d/www.conf 84
ExecReload=/bin/kill -USR2 $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Rocky:

```ini
# It's not recommended to modify this file in-place, because it
# will be overwritten during upgrades. If you want to customize,
# the best way is to use the "systemctl edit" command.
[Unit]
Description=The PHP FastCGI Process Manager
After=network.target

[Service]
Type=notify
ExecStart=/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true
RuntimeDirectory=php-fpm
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
```
…efaults Create a per-pool session.save_path directory (owned by the pool user/group, mode 0700) and a shared opcache directory; run restorecon on RedHat so the httpd_var_run_t / httpd_var_lib_t SELinux labels apply. Default the pool process-manager and timeout subkeys to the php__fpm_pool_conf_* combined vars in the unified pool.conf.j2. Rename role-internal variables to the __php__ prefix (__php__conf_dest, __php__fpm_opcache_path, __php__fpm_pools_path, __php__fpm_runtime_path, __php__fpm_service_name, __php__fpm_session_path, __php__installed_version); they live in vars/ and were never inventory-overridable. Fix README defaults to match the code, document repo_sury as the Debian counterpart to repo_remi, and document the breaking changes (per-pool session path, php_admin_value enforcement, pm.max_requests=500, status path, soap.wsdl_cache_dir).
…g template
Switch pool.conf.j2 from the custom [% %] block delimiters back to the default {% %} to match roles/example. The custom delimiters were only needed because the access.format comments contain literal %{%Y...%z}t strftime examples; those two lines are now wrapped in {% raw -%} ... {% endraw %} instead. Rendered output is byte-identical.
…lates The php__ini_*__combined_var values always resolve via vars/<version>.yml (loaded with include_vars before the template runs), so the | default(...) / | d(...) fallbacks in the .ini templates never fired. Several of them also contradicted the version defaults, which was misleading. Remove all 251 dead fallbacks; rendered output is unchanged.
…n Debian php-fpm writes each pool's error_log and slowlog into a per-service log directory but does not create it itself. On RedHat the package ships /var/log/php-fpm; on Debian the package only ships a single global log file, so the role now creates the directory for parity. Debian's packaged logrotate config only covers that single global file, not the per-pool logs, so ship /etc/logrotate.d/linuxfabrik-php-fpm on Debian. On RedHat the package's logrotate already rotates /var/log/php-fpm/*log.
Converges the php playbook with a default www pool and a second app1 pool (static pm, 256M), then asks each running pool over its FastCGI socket whether it enforces its own config: the live pm mode, and a probe proving php_admin_value[memory_limit] cannot be raised via ini_set() and that the session path is per-pool. The remove sub-scenario flips app1 to absent and checks php-fpm survives with the www socket intact.
…gs URL for the module tarball