diff --git a/cfe_internal/enterprise/mission_portal.cf b/cfe_internal/enterprise/mission_portal.cf
index fe69ef62f7..af93a93b54 100644
--- a/cfe_internal/enterprise/mission_portal.cf
+++ b/cfe_internal/enterprise/mission_portal.cf
@@ -1,9 +1,58 @@ bundle agent cfe_internal_enterprise_mission_portal { meta: - "description" string => "Manage mission portal configuration"; +classes: + "mission_portal_http2_enabled" + expression => and( + fileexists("$(sys.workdir)/httpd/php/sbin/php-fpm"), + fileexists("$(sys.workdir)/httpd/modules/mod_http2.so") + ), + scope => "namespace", # so it is visible in datastate() used in httpd.conf template rendering in bundle cfe_internal_enterprise_mission_portal_apache + comment => "If php-fpm and mod_http2.so are present then http2 is enabled + and we use this class in httpd.conf to configure accordingly."; + vars: + policy_server.enterprise_edition.mission_portal_http2_enabled:: + "php_fpm_pid_file" string => "$(sys.workdir)/httpd/php-fpm.pid"; + + # Note that the fpm settings below should be synchronized between here and buildscripts/deps-packaging/php/php-fpm.conf + "php_fpm_www_pool_max_children" string => ifelse( + isvariable("default:def.php_fpm_www_pool_max_children"), + "$(default:def.php_fpm_www_pool_max_children)", + "50"); + "php_fpm_www_pool_start_servers" string => ifelse( + isvariable("default:def.php_fpm_www_pool_start_servers"), + "$(default:def.php_fpm_www_pool_start_servers)", + "40"); + "php_fpm_www_pool_min_spare_servers" string => ifelse( + isvariable("default:def.php_fpm_www_pool_min_spare_servers"), + "$(default:def.php_fpm_www_pool_min_spare_servers)", + "35"); + "php_fpm_www_pool_max_spare_servers" string => ifelse( + isvariable("default:def.php_fpm_www_pool_max_spare_servers"), + "$(default:def.php_fpm_www_pool_max_spare_servers)", + "45"); + "php_fpm_state" data => mergedata( + '{"vars": { "sys": { "workdir": "${default:sys.workdir}" } } }', + '{ + "max_children":"${php_fpm_www_pool_max_children}", + "start_servers":"${php_fpm_www_pool_start_servers}", + "min_spare_servers":"${php_fpm_www_pool_min_spare_servers}", + "max_spare_servers":"${php_fpm_www_pool_max_spare_servers}" + }'); + + reports: + DEBUG:: + "Using variable 
default:def.php_fpm_www_pool_max_children: ${default:def.php_fpm_www_pool_max_children} instead of built-in default" + if => isvariable("default:def.php_fpm_www_pool_max_children"); + "Using variable default:def.php_fpm_www_pool_start_servers: ${default:def.php_fpm_www_pool_start_servers} instead of built-in default" + if => isvariable("default:def.php_fpm_www_pool_start_servers"); + "Using variable default:def.php_fpm_www_pool_min_spare_servers: ${default:def.php_fpm_www_pool_min_spare_servers} instead of built-in default" + if => isvariable("default:def.php_fpm_www_pool_min_spare_servers"); + "Using variable default:def.php_fpm_www_pool_max_spare_servers: ${default:def.php_fpm_www_pool_max_spare_servers} instead of built-in default" + if => isvariable("default:def.php_fpm_www_pool_max_spare_servers"); + methods: policy_server:: @@ -15,7 +64,23 @@ bundle agent cfe_internal_enterprise_mission_portal handle => "cfe_internal_management_web_server", comment => "Manage Apache Web server (on/off)"; + policy_server.mission_portal_http2_enabled:: + "PHP FastCGI process manager" + usebundle => service_config( + "cf-php-fpm", + "$(this.promise_dirname)/templates/php-fpm.conf.mustache", + "$(sys.workdir)/httpd/php/etc/php-fpm.conf", + "$(sys.workdir)/httpd/php/sbin/php-fpm -t --fpm-config ", + @(php_fpm_state), + "$(php_fpm_pid_file)" + ); + + services: + policy_server.mission_portal_http2_enabled:: + "cf-php-fpm" + service_policy => "start"; } + bundle agent apachectl_patched_for_upgrade # @brief Ensure that apacehctl is patched so that it is able to re-start services # diff --git a/cfe_internal/enterprise/templates/httpd.conf.mustache b/cfe_internal/enterprise/templates/httpd.conf.mustache index 83d9de5594..0953959adf 100644 --- a/cfe_internal/enterprise/templates/httpd.conf.mustache +++ b/cfe_internal/enterprise/templates/httpd.conf.mustache 
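Review bot: The new vars (`php_fpm_pid_file`, `php_fpm_state` and the four pool sizes) are guarded by `policy_server.enterprise_edition.mission_portal_http2_enabled::`, while the `methods:` and `services:` promises added in the second hunk of this file use `policy_server.mission_portal_http2_enabled::` without `enterprise_edition`. Unless `enterprise_edition` is always set wherever `mission_portal_http2_enabled` can be, `service_config` is called with `@(php_fpm_state)` and `$(php_fpm_pid_file)` unresolved; using the same context expression in all three places, e.g. `policy_server.enterprise_edition.mission_portal_http2_enabled::` for the methods and services too, removes that gap. The pool-size values are taken from `default:def.*` as-is and land in php-fpm.conf unchecked, which is acceptable only because `service_config` runs `php-fpm -t` on the rendered file before installing it; a one-line comment next to the `ifelse` block saying that validation happens downstream would keep the next reader from adding (or relying on) checks here.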
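Review bot: The validation command `"$(sys.workdir)/httpd/php/sbin/php-fpm -t --fpm-config "` ends in a trailing space because `service_config` appends the staged config path to it and runs the result through a shell, a contract that is invisible at this call site. A comment on the argument such as `# service_config appends the staged config path and runs this via the shell` would stop the trailing space from being "cleaned up" later. The `services:` promise starts `cf-php-fpm` under the same guard regardless of whether `service_config` just restarted it; that is harmless, but a comment stating the intent (keep it running when no config change happened) would make the overlap deliberate.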
@@ -110,7 +110,12 @@ DocumentRoot "{{{vars.cfe_internal_hub_vars.public_docroot}}}" ErrorLog "logs/error_log" +{{#data:cfengine_enterprise_mission_portal_debug_php_fpm}} +LogLevel warn rewrite:trace6 proxy:debug proxy_fcgi:debug dir:debug +{{/data:cfengine_enterprise_mission_portal_debug_php_fpm}} +{{^data:cfengine_enterprise_mission_portal_debug_php_fpm}} LogLevel warn +{{/data:cfengine_enterprise_mission_portal_debug_php_fpm}} LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined @@ -244,10 +249,26 @@ LogLevel warn +{{#classes.mission_portal_http2_enabled}} +# Use mod_http2 +LoadModule http2_module modules/mod_http2.so +# Prefer http2 protocol +Protocols h2 h2c http/1.1 + +# Setup php to be handled by php-fpm. Required for use of mod_http2 due to threading issues in php. +LoadModule proxy_module modules/mod_proxy.so +LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so +# Need to pass auth headers to fpm +SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 + +SetHandler "proxy:fcgi://127.0.0.1:9000" + +{{/classes.mission_portal_http2_enabled}} +{{^classes.mission_portal_http2_enabled}} LoadModule php{{{vars.cfe_internal_hub_vars.php_version}}}_module modules/libphp{{{vars.cfe_internal_hub_vars.php_version}}}.so AddHandler php{{{vars.cfe_internal_hub_vars.php_version}}}-script .php AddType application/x-httpd-php-source php{{{vars.cfe_internal_hub_vars.php_version}}} - +{{/classes.mission_portal_http2_enabled}} diff --git a/cfe_internal/enterprise/templates/php-fpm.conf.mustache b/cfe_internal/enterprise/templates/php-fpm.conf.mustache new file mode 100644 index 0000000000..3a1ba166b4 --- /dev/null +++ b/cfe_internal/enterprise/templates/php-fpm.conf.mustache 
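Review bot: `SetHandler "proxy:fcgi://127.0.0.1:9000"` appears at top level in this hunk, whereas the configuration it replaces (`AddHandler php…-script .php`) applied only to `.php` files; unless the context lines not visible here wrap it in a `<FilesMatch>` block, every request under the DocumentRoot, static assets included, is proxied to php-fpm and only php-fpm's `security.limit_extensions` stands between a non-PHP path and execution. Wrapping it as `<FilesMatch "\.php$">` / `SetHandler "proxy:fcgi://127.0.0.1:9000"` / `</FilesMatch>` restores the previous scope. `Protocols h2 h2c http/1.1` also advertises cleartext h2c; if the listener is TLS-only that is inert, but a comment saying which it is would save the question. The enclosing section of this hunk starts outside the visible lines.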
@@ -0,0 +1,634 @@ +;;;;;;;;;;;;;;;;;;;;; +; FPM Configuration ; +;;;;;;;;;;;;;;;;;;;;; + +; All relative paths in this configuration file are relative to PHP's install +; prefix (/var/cfengine/httpd/php). This prefix can be dynamically changed by using the +; '-p' argument from the command line. + +;;;;;;;;;;;;;;;;;; +; Global Options ; +;;;;;;;;;;;;;;;;;; + +[global] +; Pid file +; Note: the default prefix is /var/cfengine/httpd/php/var +; Default Value: none +;pid = run/php-fpm.pid +pid = {{{vars.sys.workdir}}}/httpd/php-fpm.pid + +; Error log file +; If it's set to "syslog", log is sent to syslogd instead of being written +; into a local file. +; Note: the default prefix is /var/cfengine/httpd/php/var +; Default Value: log/php-fpm.log +;error_log = log/php-fpm.log +error_log = syslog + +; syslog_facility is used to specify what type of program is logging the +; message. This lets syslogd specify that messages from different facilities +; will be handled differently. +; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON) +; Default Value: daemon +;syslog.facility = daemon + +; syslog_ident is prepended to every message. If you have multiple FPM +; instances running on the same server, you can change the default value +; which must suit common needs. +; Default Value: php-fpm +;syslog.ident = php-fpm + +; Log level +; Possible Values: alert, error, warning, notice, debug +; Default Value: notice +;log_level = notice +{{#data:cfengine_enterprise_mission_portal_debug_php_fpm}} +log_level = debug +{{/data:cfengine_enterprise_mission_portal_debug_php_fpm}} + +; Log limit on number of characters in the single line (log entry). If the +; line is over the limit, it is wrapped on multiple lines. The limit is for +; all logged characters including message prefix and suffix if present. However +; the new line character does not count into it as it is present only when +; logging to a file descriptor. 
It means the new line character is not present +; when logging to syslog. +; Default Value: 1024 +;log_limit = 4096 + +; Log buffering specifies if the log line is buffered which means that the +; line is written in a single write operation. If the value is false, then the +; data is written directly into the file descriptor. It is an experimental +; option that can potentially improve logging performance and memory usage +; for some heavy logging scenarios. This option is ignored if logging to syslog +; as it has to be always buffered. +; Default value: yes +;log_buffering = no + +; If this number of child processes exit with SIGSEGV or SIGBUS within the time +; interval set by emergency_restart_interval then FPM will restart. A value +; of '0' means 'Off'. +; Default Value: 0 +;emergency_restart_threshold = 0 + +; Interval of time used by emergency_restart_interval to determine when +; a graceful restart will be initiated. This can be useful to work around +; accidental corruptions in an accelerator's shared memory. +; Available Units: s(econds), m(inutes), h(ours), or d(ays) +; Default Unit: seconds +; Default Value: 0 +;emergency_restart_interval = 0 + +; Time limit for child processes to wait for a reaction on signals from master. +; Available units: s(econds), m(inutes), h(ours), or d(ays) +; Default Unit: seconds +; Default Value: 0 +;process_control_timeout = 0 + +; The maximum number of processes FPM will fork. This has been designed to control +; the global number of processes when using dynamic PM within a lot of pools. +; Use it with caution. 
+; Note: A value of 0 indicates no limit +; Default Value: 0 +; process.max = 128 + +; Specify the nice(2) priority to apply to the master process (only if set) +; The value can vary from -19 (highest priority) to 20 (lowest priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool process will inherit the master process priority +; unless specified otherwise +; Default Value: no set +; process.priority = -19 + +; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging. +; Default Value: yes +;daemonize = yes + +; Set open file descriptor rlimit for the master process. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit for the master process. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Specify the event mechanism FPM will use. The following is available: +; - select (any POSIX os) +; - poll (any POSIX os) +; - epoll (linux >= 2.5.44) +; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0) +; - /dev/poll (Solaris >= 7) +; - port (Solaris >= 10) +; Default Value: not set (auto detection) +;events.mechanism = epoll + +; When FPM is built with systemd integration, specify the interval, +; in seconds, between health report notification to systemd. +; Set to 0 to disable. +; Available Units: s(econds), m(inutes), h(ours) +; Default Unit: seconds +; Default value: 10 +;systemd_interval = 10 + +;;;;;;;;;;;;;;;;;;;; +; Pool Definitions ; +;;;;;;;;;;;;;;;;;;;; + +; Multiple pools of child processes may be started with different listening +; ports and different management options. The name of the pool will be +; used in logs and stats. There is no limitation on the number of pools which +; FPM can handle. Your system will tell you anyway :) + +; Start a new pool named 'www'. 
+; the variable $pool can be used in any directive and will be replaced by the +; pool name ('www' here) +[www] + +; Per pool prefix +; It only applies on the following directives: +; - 'access.log' +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /var/cfengine/httpd/php) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of the child processes. This can be used only if the master +; process running user is root. It is set after the child process is created. +; The user and group can be specified either by their name or by their numeric +; IDs. +; Note: If the user is root, the executable needs to be started with +; --allow-to-run-as-root option to work. +; Default Values: The user is set to master process running user by default. +; If the group is not set, the user's group is used. +user = cfapache +group = cfapache + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = 127.0.0.1:9000 + +; Set listen(2) backlog. +; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD) +;listen.backlog = 511 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. The owner +; and group can be specified either by name or by their numeric IDs. 
+; Default Values: Owner is set to the master process running user. If the group +; is not set, the owner's group is used. Mode is set to 0660. +;listen.owner = nobody +;listen.group = nobody +;listen.mode = 0660 + +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. +; When set, listen.owner and listen.group are ignored +;listen.acl_users = +;listen.acl_groups = + +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +;listen.allowed_clients = 127.0.0.1 + +; Set the associated the route table (FIB). FreeBSD only +; Default Value: -1 +;listen.setfib = 1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or +; PROC_TRACE_CTL procctl for FreeBSD) even if the process user +; or group is different than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. 
With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; pm.max_spawn_rate - the maximum number of rate to spawn child +; processes at once. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = {{{max_children}}} + +; The number of child processes created on startup. 
+; Note: Used only when pm is set to 'dynamic' +; Default Value: (min_spare_servers + max_spare_servers) / 2 +pm.start_servers = {{{start_servers}}} + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = {{{min_spare_servers}}} + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = {{{max_spare_servers}}} + +; The number of rate to spawn child processes at once. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +; Default Value: 32 +;pm.max_spawn_rate = 32 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. 
It shows the following information: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. 
+; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. 
+; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: /var/cfengine/httpd/php/share/php/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The address on which to accept FastCGI status request. This creates a new +; invisible pool that can handle requests independently. This is useful +; if the main pool is busy with long running requests because it is still possible +; to get the status before finishing the long running requests. +; +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Default Value: value of the listen option +;pm.status_listen = 127.0.0.1:9001 + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). 
The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log +{{#data:cfengine_enterprise_mission_portal_debug_php_fpm}} +access.log = {{{vars.sys.workdir}}}/httpd/logs/www-pool.access.log +{{/data:cfengine_enterprise_mission_portal_debug_php_fpm}} + +; The access log format. +; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{milliseconds}d +; - %{milli}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some examples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: output header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' 
character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsulated in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsulated in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%" + +; A list of request_uri values which should be filtered from the access log. +; +; As a security precuation, this setting will be ignored if: +; - the request method is not GET or HEAD; or +; - there is a request body; or +; - there are query parameters; or +; - the response code is outwith the successful range of 200 to 299 +; +; Note: The paths are matched against the output of the access.format tag "%r". +; On common configurations, this may look more like SCRIPT_NAME than the +; expected pre-rewrite URI. +; +; Default Value: not set +;access.suppress_path[] = /ping +;access.suppress_path[] = /health_check.php + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = log/$pool.log.slow + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; Depth of slow log stack trace. 
+; Default Value: 20 +;request_slowlog_trace_depth = 20 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; The timeout set by 'request_terminate_timeout' ini option is not engaged after +; application calls 'fastcgi_finish_request' or when application has finished and +; shutdown functions are being called (registered via register_shutdown_function). +; This option will enable timeout limit to be applied unconditionally +; even in such cases. +; Default Value: no +;request_terminate_timeout_track_finished = no + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. 
+; Note: on highloaded environment, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Decorate worker output with prefix and suffix containing information about +; the child that writes to the log and if stdout or stderr is used as well as +; log level and time. This options is used only if catch_workers_output is yes. +; Settings to "no" will output data as written to the stdout or stderr. +; Default value: yes +;decorate_workers_output = no + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; execute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. 
+; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or /var/cfengine/httpd/php) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +;php_admin_value[error_log] = /var/log/fpm-php.www.log +;php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 32M diff --git a/cfe_internal/update/update_processes.cf b/cfe_internal/update/update_processes.cf index 85d21f79ce..61490029ed 100644 --- a/cfe_internal/update/update_processes.cf +++ b/cfe_internal/update/update_processes.cf @@ -98,6 +98,7 @@ bundle agent cfe_internal_update_processes # definitions for each component. "agent[cf_postgres]" string => "cf-postgres"; + "agent[cf_php_fpm]" string => "cf-php-fpm"; "agent[cf_apache]" string => "cf-apache"; any:: diff --git a/lib/service_config.cf b/lib/service_config.cf new file mode 100644 index 0000000000..0ee9b5c4bf --- /dev/null +++ b/lib/service_config.cf 
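Review bot: The pool listens on `listen = 127.0.0.1:9000` with `listen.allowed_clients` left at its default (any), so any local process on the hub can submit FastCGI requests to the pool, not only the `cfapache` web server, and `listen.allowed_clients` filters by IP so it would not change that. Since Apache (`SetHandler "proxy:fcgi://127.0.0.1:9000"` in httpd.conf.mustache) runs on the same host, a unix socket restricted to the web-server user is the tighter choice: e.g. `listen = {{{vars.sys.workdir}}}/httpd/php-fpm.sock` with `listen.owner = cfapache`, `listen.group = cfapache`, `listen.mode = 0660`, and the Apache side pointing at `proxy:unix:<socket path>|fcgi://localhost`. If the TCP port is kept, a comment stating that the loopback bind is the access control, and that `security.limit_extensions` (left at its `.php` default) is the only check on what the pool will execute, makes the trade-off explicit. The rendered `pm.max_children` / `pm.start_servers` / `pm.min_spare_servers` / `pm.max_spare_servers` values come from `default:def.*` unvalidated; the `php-fpm -t` run in `service_config` is what catches a non-numeric or inconsistent set, and that dependency deserves a comment at the top of this template.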
@@ -0,0 +1,72 @@
+# - service_started_file - a file which should have the timestamp of when the service was last started, typically a pid file or maybe /proc/ directory.
+# todo, maybe chmod, user, group for config_final_path
+bundle agent service_config(
+ service_name,
+ config_template_path,
+ config_final_path,
+ validate_config_command,
+ template_data,
+ service_started_file
+)
+{
+ vars:
+
+ "staged_config" string => "$(config_final_path).staged";
+
+
+ methods:
+
+ "staged config rendered" usebundle => file_make_mustache($(staged_config), $(config_template_path), @(template_data));
+ "final config and restart" usebundle => validate_config_and_restart_service($(staged_config), $(validate_config_command), $(config_final_path), $(service_name), $(service_started_file));
+
+
+ reports:
+
+ DEBUG::
+ "template_data is ${with}" with => storejson(template_data);
+}
+
+bundle agent validate_config_and_restart_service(
+ staged_config,
+ validate_config_command,
+ config_final_path,
+ service_name,
+ service_started_file)
+{
+ vars:
+ "validation_output" string => "$(staged_config)-validation.log";
+
+ classes:
+
+ "config_validated" expression => returnszero("$(validate_config_command) $(staged_config) >$(validation_output) 2>&1", "useshell");
+ "config_final_exists" expression => fileexists("$(config_final_path)");
+ "config_newer_than_started_file" expression => isnewerthan("$(config_final_path)", "$(service_started_file)"),
+ if => "$(service_name)_config_ok";
+
+
+ files:
+
+ "$(config_final_path)"
+ copy_from => local_dcp($(staged_config)),
+ if => "config_validated",
+ classes => scoped_classes_generic("bundle", "$(service_name)_config");
+
+
+ services:
+
+ "$(service_name)"
+ service_policy => "restart",
+ if => and("config_validated", or(not("config_final_exists"), "config_newer_than_started_file"));
+
+
+ reports:
+
+ DEBUG::
+ "service_started_file is $(service_started_file)";
+ "$(staged_config) validates" if => "config_validated";
+
"$(config_final_path) exists" if => "config_final_exists"; + "$(config_final_path) is newer than service started file $(service_started_file)" if => "config_newer_than_started_file"; + + !config_validated:: + "validation output ${with}" with => readfile("${validation_output}"); +} diff --git a/lib/stdlib.cf b/lib/stdlib.cf index 017a5eebfa..dace8a57ad 100644 --- a/lib/stdlib.cf +++ b/lib/stdlib.cf @@ -39,6 +39,7 @@ bundle common stdlib_common "input[files]" string => "$(this.promise_dirname)/files.cf"; "input[edit_xml]" string => "$(this.promise_dirname)/edit_xml.cf"; "input[services]" string => "$(this.promise_dirname)/services.cf"; + "input[service_config]" string => "$(this.promise_dirname)/service_config.cf"; "input[processes]" string => "$(this.promise_dirname)/processes.cf"; "input[storage]" string => "$(this.promise_dirname)/storage.cf"; "input[databases]" string => "$(this.promise_dirname)/databases.cf"; diff --git a/templates/cf-apache.service.mustache b/templates/cf-apache.service.mustache index 9ebeb7e3da..9169be66b4 100644 --- a/templates/cf-apache.service.mustache +++ b/templates/cf-apache.service.mustache @@ -1,8 +1,14 @@ [Unit] Description=CFEngine Enterprise Webserver After=syslog.target +{{#classes.mission_portal_http2_enabled}} +Wants=cf-php-fpm.service +After=cf-php-fpm.service +{{/classes.mission_portal_http2_enabled}} +{{^classes.mission_portal_http2_enabled}} Wants=cf-postgres.service After=cf-postgres.service +{{/classes.mission_portal_http2_enabled}} ConditionPathExists={{{vars.sys.workdir}}}/httpd/bin/apachectl PartOf=cfengine3.service diff --git a/templates/cf-php-fpm.service.mustache b/templates/cf-php-fpm.service.mustache new file mode 100644 index 0000000000..ff8267c8e5 --- /dev/null +++ b/templates/cf-php-fpm.service.mustache 
@@ -0,0 +1,16 @@
+[Unit]
+Description=CFEngine Enterprise PHP FastCGI Process Manager
+After=syslog.target
+Wants=cf-postgres.service
+After=cf-postgres.service
+ConditionPathExists={{{vars.sys.workdir}}}/httpd/php/sbin/php-fpm
+PartOf=cfengine3.service
+
+[Service]
+ExecStart={{{vars.sys.workdir}}}/httpd/php/sbin/php-fpm --nodaemonize --force-stderr
+ExecReload=/bin/kill -USR2 $MAINPID
+PIDFile={{{vars.sys.workdir}}}/httpd/php-fpm.pid
+Type=simple
+
+[Install]
+WantedBy=multi-user.target
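Review bot: The `[Service]` section of the new unit applies no sandboxing even though the php-fpm master runs as root to fork its pool workers; `PrivateTmp=true`, as shipped in distribution php-fpm units, is low-risk and keeps worker temp files out of the shared `/tmp`, and `ProtectSystem=full` is worth testing since everything here lives under `{{{vars.sys.workdir}}}` rather than `/usr` or `/etc`. `PIDFile=` is redundant with `Type=simple` and `--nodaemonize` (the `ExecStart` process is the main PID), so either drop it or add a comment that it is kept because php-fpm is configured elsewhere to write that path and the policy reads it; `After=syslog.target` is a no-op on current systemd. cf-apache.service's `[Service]` section is not in this diff, so match whatever hardening that unit already applies.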