Hi,
finally I've something interesting that may help to fix the problem.
It seems that the new apparmor makes php-fpm start time sensibly higher
and systemd timeout.
There is a correlation between php-fpm slowing down and the new version
of apparmor but at the moment I just increased systemd timeout
(TimeoutStartSec).
If you've any suggest to collect any information that could be useful
let me know.
On 08/04/2018 04:02 AM, intrigeri wrote:
Control: tag -1 + moreinfo
Hi Ivan,
Ivan Sergio Borgonovo:
I've a lxc guest running apache php fpm for horde.
lxc guest and host both were running apparmor.
Host was updated from 2.12-5 to 2.13-6.
Guest was updated from 2.13-4 to 2.13-6.
Can you confirm this happens on Debian testing?
What exact kernel are you running?
After upgrading apparmor horde stopped working.
I downgraded apparmor on the host and still horde on the guest was not working.
After downgrading apparmor on the guest horde started to work again.
Problems seems related to apparmor recipes rather than in binaries since by
mistake
I forgot to downgrade the apparmor package in the guest and things were working.
I'm curious how AppArmor is involved, because AFAIK Debian testing
does not enable any AppArmor confinement for Apache/PHP:
- do you have libapache2-mod-apparmor installed?
did you do anything to enable and use it?
- I see that recent php-fpm have support for switching AppArmor
"hats"; did you enable this?
related log entries may be
Aug 1 19:46:50 caronte kernel: [265475.231940] audit: type=1400
audit(1533145610.777:245): apparmor="STATUS" operation="profile_replace"
info="same
as current profile, skipping" profile="unconfined" name="klogd" pid=19732
comm="apparmor_parser"
Sadly, this one is irrelevant. Please provide some more info:
- the output of "journalctl -b | grep apparmor"
- the output of "aa-status"
Also, https://wiki.debian.org/AppArmor/Debug might help.
Cheers,
--
Ivan Sergio Borgonovo
https://www.webthatworks.it https://www.borgonovo.net
