Not enabling PHP 8.0 FPM by default??

On an apt upgrade on my Ubuntu 20.04 server I always see this:

Setting up php8.0 (1:8.0.21-2+ubuntu20.04.1+deb.sury.org+1) …
Setting up php8.0-fpm (1:8.0.21-2+ubuntu20.04.1+deb.sury.org+1) …
NOTICE: Not enabling PHP 8.0 FPM by default.
NOTICE: To enable PHP 8.0 FPM in Apache2 do:
NOTICE: a2enmod proxy_fcgi setenvif
NOTICE: a2enconf php8.0-fpm
NOTICE: You are seeing this message because you have apache2 package installed.

and for triggers (what are triggers?)…

Processing triggers for libapache2-mod-php8.0 (1:8.0.21-2+ubuntu20.04.1+deb.sury.org+1) …
Processing triggers for php8.0-fpm (1:8.0.21-2+ubuntu20.04.1+deb.sury.org+1) …
NOTICE: Not enabling PHP 8.0 FPM by default.
NOTICE: To enable PHP 8.0 FPM in Apache2 do:
NOTICE: a2enmod proxy_fcgi setenvif
NOTICE: a2enconf php8.0-fpm
NOTICE: You are seeing this message because you have apache2 package installed.

Should I run the commands?

17 Replies

When I run the phpinfo command I see:

Server API: FPM/FastCGI

So is FPM running or not?

The upgrade installer for Ubuntu NEVER (?!?!?!?) enables php-fpm…it always goes with the (perceived safer, I suppose) mod_php (utterly stupid IMHO!).

Should I run the commands?

Yes…although you need to disable mod_php first.

When I run the phpinfo command I see:
 
Server API: FPM/FastCGI
 
So is FPM running or not?

Probably not…phpinfo is reporting on the collection of enabled modules. It can't/won't look outside of its field of vision for daemons you (or something else) might have enabled/started. Do a

ps -ef | grep php

to look for the daemon…

-- sw

xxxxx$ ps -ef | grep php
root 479674 1 0 08:01 ? 00:00:00 php-fpm: master process (/etc/php/8.0/fpm/php-fpm.conf)
www-data 479676 479674 0 08:01 ? 00:00:02 php-fpm: pool www
www-data 479677 479674 0 08:01 ? 00:00:02 php-fpm: pool www
xxxx 483174 421813 0 11:33 pts/0 00:00:00 grep --color=auto php

I don't see the daemon here.

How do I do that? By running the two commands?
 
NOTICE: Not enabling PHP 8.0 FPM by default.
NOTICE: To enable PHP 8.0 FPM in Apache2 do:
NOTICE: a2enmod proxy_fcgi setenvif
NOTICE: a2enconf php8.0-fpm

 

a2dismod php80

…or some such…

-- sw

xxxxx$ ps -ef | grep php
root 479674 1 0 08:01 ? 00:00:00 php-fpm: master process (/etc/php/8.0/fpm/php-fpm.conf)
www-data 479676 479674 0 08:01 ? 00:00:02 php-fpm: pool www
www-data 479677 479674 0 08:01 ? 00:00:02 php-fpm: pool www

This is the daemon. It's a single process (the config file for it is /etc/php/8.0/fpm/php-fpm.conf) with 2 threads. However, just because it's running now, does not mean that your updated web server will use it when it restarts. What you're seeing is an artifact of systemd. You need to do the above a2* commands to make that happen.

You also need to restart php-fpm with systemctl…after you use the a2* to put your web server config back the way it was before Canonical wrecked it with apt upgrade (because Shuttleworth always knows what you want better than you do).

-- sw
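An added example, not part of the original replies: a small check of which PHP handler an Apache config tree actually has enabled, since a running php-fpm daemon says nothing about what Apache will use. It assumes the Debian/Ubuntu layout managed by the a2* commands (`mods-enabled/*.load`, `conf-enabled/*.conf`) and that the mod_php module file is named `php8.0.load`; `php_handler` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: report the PHP handler enabled in an Apache config tree.
# Assumptions: Debian/Ubuntu layout under /etc/apache2, mod_php module file
# named php<ver>.load, FPM conf named php<ver>-fpm.conf (as in the NOTICE).
php_handler() {
    root=${1:-/etc/apache2}   # Apache config root
    ver=${2:-8.0}             # PHP version discussed in the thread
    mod_php=no; fpm_conf=no; proxy_mods=yes

    if [ -e "$root/mods-enabled/php$ver.load" ]; then mod_php=yes; fi
    if [ -e "$root/conf-enabled/php$ver-fpm.conf" ]; then fpm_conf=yes; fi
    # The NOTICE asks for both proxy_fcgi and setenvif to be enabled.
    for m in proxy_fcgi setenvif; do
        if [ ! -e "$root/mods-enabled/$m.load" ]; then proxy_mods=no; fi
    done

    if [ "$mod_php" = yes ] && [ "$fpm_conf" = yes ]; then
        echo both                 # mod_php still enabled alongside the FPM conf
    elif [ "$mod_php" = yes ]; then
        echo mod_php              # PHP runs inside the Apache workers
    elif [ "$fpm_conf" = yes ] && [ "$proxy_mods" = yes ]; then
        echo fpm                  # requests are handed to the php-fpm pool
    elif [ "$fpm_conf" = yes ]; then
        echo fpm-missing-modules  # conf enabled, proxy_fcgi/setenvif are not
    else
        echo none
    fi
}

# Stand-alone run against the live tree (override with APACHE_ROOT=...).
php_handler "${APACHE_ROOT:-/etc/apache2}"
```
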

Looks like it is running:

xxxx@xxxx:/var/www/html/xxxx.com/xxxx$ systemctl status php8.0-fpm

● php8.0-fpm.service - The PHP 8.0 FastCGI Process Manager
Loaded: loaded (/lib/systemd/system/php8.0-fpm.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2022-08-06 08:01:03 PDT; 5h 38min ago
Docs: man:php-fpm8.0(8)
Process: 479678 ExecStartPost=/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock /etc/php/8.0/fpm/pool.d/www.conf 80 (c>
Main PID: 479674 (php-fpm8.0)
Status: "Processes active: 0, idle: 2, Requests: 1577, slow: 0, Traffic: 0.1req/sec"
Tasks: 3 (limit: 9512)
Memory: 28.6M
CGroup: /system.slice/php8.0-fpm.service
├─479674 php-fpm: master process (/etc/php/8.0/fpm/php-fpm.conf)
├─479676 php-fpm: pool www
└─479677 php-fpm: pool www

Looks like it is running

Since you've updated your system to a distro version that supports PHP 8.0 out of the box, you'll probably want to remove any references to PPAs you might have set up previously to get 8.0 on your previous rev (where 8.0 was not the default installed rev) and start using the distro-standard packages…pursuant to our discussion on this matter of a few months ago…

You have to edit your files in /etc/apt to do this. Since I don't know/can't see what you did here, I'm afraid you're on your own…

-- sw

Since you've updated your system to a distro version that supports PHP 8.0

I've not updated yet… still running Ubuntu 20.04 LTS. Once I do the research on how best to upgrade to 22.04 LTS I'll do it and that distro version defaults to PHP 8.0 TTBOMK.

I'll probably just spin up a new server with 22.04… IF I can swap the new IP for the old one so I don't have to mess with all the DNS records for my domains. I believe Linode makes that possible. Anyway, there is no urgency to upgrade. Everything is working quite well.

IF I can swap the new IP for the old one so I don't have to mess with all the DNS records for my domains.

You can certainly do this…and I speak from experience. You need to take some care though. Also, only the IPv4 address will be swapped…not any IPv6 addresses (IPv6 addresses are allocated differently)…so if you use IPv6 you'll have to do all the DNS work you describe (DNS plus whatever IPv6 configuration you may have on your Linode).

You prob don't use IPv6. It mattered to me because I do… What I had to do wasn't hard…just tedious.

Anyway, there is no urgency to upgrade. Everything is working quite well.

Frankly, if your setup is that stable, I'd just leave it alone…PHP 8.0 PPA and all… Upgrade at 24.04 LTS…just inside the EOL window for 20.04 ;-)

-- sw

just inside the EOL window for 20.04 ;-)

Do you mean actual EOL or End of Support????

https://wiki.ubuntu.com/Releases

EOS…which, in Canonical-speak, really means EOL…unless you've got big bux to toss their way…

For nobodies like you or me, for all practical purposes, the 22.10 release meant EOS for 22.04. Call up Canonical on the phone and ask them for a patch for some problem you're having… I'll bet you a month's pay that the response will be "You should upgrade to 22.10 [which won’t be released until October]" or "Suck it up buttercup…wait until 24.04" or "What's your current position in highly-liquid assets".

This is how much Canonical cares about you. Trust me on this…

-- sw

P.S. I reported a bug in an Ubuntu package (not a PPA) 2+ years ago (with an attached 3-line fix!…I build the package from source for my FreeBSD systems…). Every now and again I go to launchpad.net to check on its status. Nada, zero, bupkis, zilch, nothing, zip, ничего, nil, 蔑, niks … I withdrew the patch…that got their attention. Lots of crocodile tears from the repo owner but not a single email asking why.

This is how much Canonical cares about you. Trust me on this…

So what do you run? Arch or some other rolling-update distro? You could try Slackware (which I started with in 1999 until 2002 when I went to Debian until 2006 when I went to the Mac OS X.) Slack hardly ever has updates!

FreeBSD. Linux sux IMHO.

Too much corporate & not enough engineering/reliability/user… Too many Linus personality flaws on display… systemd is a perfect example.

Linux has become little more than a collection of packages and systemd…to the detriment of just about everybody/everything. Canonical, having drunk the Kool-Aid, just makes it worse.

You can argue “popularity” until the cows come in to the barn for milking… popularity changes nothing about what I’ve said…you can't equate popular with good.

— sw

FreeBSD. Linux sux IMHO.

Before I got up the nerve to run my own servers on Linode, I was with an ISP for 15 years (Pair.com, who ran all of their servers… shared and dedicated… on FreeBSD).

About two years ago they decided to drop FreeBSD for Ubuntu 18.04 LTS saying that updates for popular applications and libraries as well as security fixes were too slow to come out of FreeBSD. I stayed with FreeBSD since I had a dedicated server and never had a problem with FreeBSD (I forget which version.)

While I didn't have root privileges with Pair I still learned enough over the years of using BSD to run a Linux server… because at the basic level the commands are the same and all my bash scripts worked etc. The only thing I don't know how to use is the ports system and I do like the simplicity and ease of Linux/Debian/Ubuntu 'apt'.

I didn't even know Linode offered FreeBSD. What version do you run? Instead of upgrading to Ubuntu 22.04 LTS I would consider going back to FreeBSD. Does FreeBSD use UFW and fail2ban, which are so easy to configure to help lock down the server?

You will find this interesting: "FreeBSD vs Linux: Which Open Source OS is Superior?" as well as this: "Why we're migrating (many of) our servers from Linux to FreeBSD".

I didn't even know Linode offered FreeBSD.

They don't. FWIW, I'm not the only FreeBSD user on Linode either.

What version do you run?

13.1 (the update from 13.0 took about 2 hours to update 3 systems…I have 2 at home)

Does FreeBSD use UFW and fail2ban, which are so easy to configure to help lock down the server?

fail2ban yes…in the ports collection (v 0.11.2). It's (more or less) the same fail2ban as is available for most Linux distros. FWIW, for the most part, you don't need fail2ban because FreeBSD has blacklistd built into most services. blacklistd traps an abuse event at the time of occurrence and does something with the IP address (usually add it to a persistent table in pf). fail2ban will only find it after the fact and only if it's logged (and you have its cryptic regexp rules set up properly to find the log entries you're interested in).

ufw no. On FreeBSD, the firewall is completely different. Actually, there are 3 firewalls available on FreeBSD: ipfw, ipfilter, and pf. Which one you choose is up to you (although, I would gather that most people use pf). pf is what I use. All 3 firewalls are considerably easier to use/configure than iptables (which is what ufw is a front-end for…like snapd, you'd be hard pressed to find ufw on any distro but Ubuntu).

For example, here's a section of my firewall config that opens IMAP (TCP port 143) but only if the packet originates from localhost:

##
##      Allow inbound imap from _localnet (127.0.0.1) & _localnet_6 (::1)
##        to _ip (my Linode's IPv4 address) and _ip_6 (my Linode's IPv6
##        address)...things starting with '$' are variables I've defined.
##
pass in quick on $ext_if proto tcp from $_localnet to $_ip \
                                            port imap flags S/SA keep state
pass in quick on $ext_if inet6 proto tcp from $_localnet_6 to $_ip_6 \
                                            port imap flags S/SA keep state

Compare that to iptables:

# Allow inbound imap from _localnet (TCP)
#
iptables --append INPUT --protocol tcp --src 127.0.0.1 --dport 143 --jump ACCEPT

# Allow inbound imap from _localnet (UDP)
#
iptables --append INPUT --protocol udp --src 127.0.0.1 --dport 143 --jump ACCEPT

# Allow inbound imap from _localnet6 (TCP)
#
ip6tables --append INPUT --protocol tcp --src ::1 --dport 143 --jump ACCEPT

# Allow inbound imap from _localnet6 (UDP)
#
ip6tables --append INPUT --protocol udp --src ::1 --dport 143 --jump ACCEPT

Here's another example… This blocks ssh abusers. An "ssh abuser" is defined as a host that tries to connect with more than 5 clients in 30 seconds.

## abuse table -- this table automatically persists at
##     /srv/pf/var/db/net-abuse
##
table <net-abuse> persist file "/srv/pf/var/db/net-abuse"
block in log quick from <net-abuse> 
...
## special case for ssh...guard against brute force attacks: 
##   if more than 5 clients from the same IP address & they try to  
##   reconnect 5 times within 30 secs add the IP address to the 
##   <net-abuse> table.
##
pass in on $ext_if proto tcp from any to any \
                            port ssh flags S/SA keep state \
                                ( \
                                    max-src-conn 5, \
                                    max-src-conn-rate 5/30, \
                                    overload <net-abuse> flush global \
                                )

The iptables rules are similar:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 5 -j DROP

Then, you have to bolt on ipset to save the blocked IP address in a table (and rewrite your rules); then you have to write a cron job to flush the table to the disc periodically; then you have to wade into systemd configuration to get your persistent table established/saved when the firewall starts up/shuts down.

You get the picture… I don't even think you can do the brute force attack mitigation (more than 5 client connections from the same host per 30 sec) in ufw. I used FreeBSD when I worked at Yahoo! after I left HP. I had a FreeBSD server in my home before I switched to Linode.

I used Linux for a lot of years -- SuSE, Ubuntu, Red Hat/Fedora, Debian… It boggles my mind that Linux users put up with stuff like this firewall nonsense and think that they have it so good -- because Linus is such a great guy* and all…

-- sw

* not! Linus lives in Portland. It turns out we have nerd friends in common. In a social setting at a bar, I watched Linus get 86'd for verbally abusing the staff. You could tell it wasn't his first rodeo.
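An added example, not part of the post above: an offline model of the rate test behind the pf rule's `max-src-conn-rate 5/30 … overload <net-abuse>`, run over constructed connection records. The input format (`<epoch-seconds> <source-ip>`, time-ordered) and the names `sample_conns` and `ssh_abusers` are assumptions of this sketch; it approximates pf's counter with a sliding window and is not how pf itself is implemented.

```shell
#!/bin/sh
# Added example: flag sources that open more than MAX new connections
# within WIN seconds, i.e. the hosts the pf rule would move to <net-abuse>.

# Constructed sample data: 203.0.113.7 opens 6 connections in 10 s;
# 198.51.100.4 opens 6 connections spaced 10 s apart.
sample_conns() {
    cat <<'EOF'
1000 203.0.113.7
1000 198.51.100.4
1002 203.0.113.7
1004 203.0.113.7
1006 203.0.113.7
1008 203.0.113.7
1010 203.0.113.7
1010 198.51.100.4
1020 198.51.100.4
1030 198.51.100.4
1040 198.51.100.4
1050 198.51.100.4
EOF
}

# ssh_abusers MAX WIN  -- reads records on stdin, prints each abuser once.
ssh_abusers() {
    awk -v max="${1:-5}" -v win="${2:-30}" '
    {
        t = $1; ip = $2
        if (!(ip in head)) head[ip] = 1
        n = ++tail[ip]; ts[ip, n] = t          # append to per-source queue
        # expire timestamps that have left the window
        while (t - ts[ip, head[ip]] >= win) {
            delete ts[ip, head[ip]]; head[ip]++
        }
        if (tail[ip] - head[ip] + 1 > max && !(ip in hit)) {
            hit[ip] = 1; print ip              # would be added to the table
        }
    }'
}

sample_conns | ssh_abusers 5 30
```
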

I looked into the installation of FreeBSD and it is about as complex (or simple… depending on your experience level) as installing a Linux distro, but far more work than spinning up a Linode OS selection.

I'm surprised Linode does not have an installer script that does all of this stuff:

Install FreeBSD on Linode

I'm surprised Linode does not have an installer script that does all of this stuff:

They don't support FreeBSD, remember? You have to do the same thing for every non-Linux OS you can run on a Linode (Windoze, Chromium OS, FreeDOS, etc).

It's not so hard…you just have to pay attention. Once you get the installer booted, it's pretty easy. The doc is what you have to do to get the installer installed/booted.

Once you get FreeBSD installed, an upgrade is usually as easy as:

sudo freebsd-update -r xx.y-RELEASE update
sudo freebsd-update install

If you change your mind, you can sudo freebsd-update rollback instead of update.

-- sw
