DietPi-Software | PHP-FPM: fails to fork multiple processes on single core systems #1298

Closed
pablopoo opened this Issue Dec 12, 2017 · 10 comments

pablopoo commented Dec 12, 2017

Creating a bug report/issue:

Pi-hole times out when it tries to show the block page for blocked domains.

The block page (/var/www/html/pihole/index.php) internally calls a PHP script on the same server using an HTTP request, but php5-fpm is configured with only 1 server and 1 child process (/etc/php5/fpm/pool.d/www.conf), so the call times out because it can't fork any more processes to reply to that self request.

Required Information:

  • DietPi Version 159
  • x86 VM
  • Linux DietPi 3.16.0-4-amd64 #1 SMP Debian 3.16.51-2 (2017-12-03) x86_64 GNU/Linux

Additional Information (if applicable):

Pi-hole version is v3.2 (Latest: v3.2)
AdminLTE version is v3.2 (Latest: v3.2)
FTL version is vDev-437af07 (Latest: v2.12)

Expected behaviour:

Pi-hole must show the block page instead of a timeout message.

Actual behaviour:

The request from http://pi.hole/pihole/index.php to http://127.0.0.1/admin/scripts/pi-hole/php/queryads.php?domain=$serverName&bp fails.

Steps to reproduce:

In my case, just open a blocked domain.

@k-plan k-plan changed the title Pi-hole timeout on block page DietPi-Software | Pi-hole: timeout on block page Dec 12, 2017

@Fourdee Fourdee added this to the v160 milestone Dec 14, 2017

Fourdee commented Dec 14, 2017

@pablopoo

> VM
> but php5-fpm is configured with only 1 server and 1 child process ( /etc/php5/fpm/pool.d/www.conf

Many thanks for the report 👍 I'll need to investigate. Are you running your VM as single core/CPU?

pablopoo commented Dec 14, 2017

@Fourdee
Yes, it’s a single core hyper-v vm. Mapping 1 core to max 1 one php-fpm process could do the job in some scenarios, but I think limiting it to 1 thread per fpm process is not enough.

k-plan commented Dec 15, 2017

> The block page (/var/www/html/pihole/index.php) internally calls a php script on ...

No, path on DietPi is /var/www/html/admin/index.php ... or the symbolic links

```
root@NanoPi-Neo:~# ls -lah /var/www/ | grep admin
lrwxrwxrwx  1 www-data www-data   19 Dez 11 20:11 admin -> /var/www/html/admin
lrwxrwxrwx  1 www-data www-data   19 Dez 11 20:11 pihole -> /var/www/html/admin
```

Do you use a Custom Block Page? Like https://github.com/WaLLy3K/Pi-hole-Block-Page ?

> This project is discontinued as of Pi-hole v3.2
> If you would like to implement a custom block page, it is since Pi-hole v3.2 recommended to create a file called /var/www/html/pihole/custom.php and use that instead.
>
> This script will not presume where the default document-root is, as installations such as DietPi are known to change this

> Pi-hole must show the block page instead of a timeout message.
> Steps to reproduce:
> In my case, just open a blocked domain.

[image: 171215-0001]

> The request from http://pi.hole/pihole/index.php
> to http://127.0.0.1/admin/scripts/pi-hole/php/queryads.php?domain=$serverName&bp fails.

[image: 171215-0005]

[image: 171215-0003]

I think you just want to simply click in Dashboard on a Blocked Domain and get this?
http://pi.hole/admin/queries.php?domain=ping.dozuki.com

[image: 171215-0004]

pablopoo commented Dec 15, 2017

@k-plan I believe that project was integrated in the latest pihole: pi-hole/pi-hole#1688

I didn't have time yet to replicate the issue on a clean install, but I only did normal dietpi and pihole update processes.

Fourdee commented Dec 16, 2017

@pablopoo

> Yes, it’s a single core hyper-v vm. Mapping 1 core to max 1 one php-fpm process could do the job in some scenarios, but I think limiting it to 1 thread per fpm process is not enough.

Yep, please can you try increasing the child count to say 10?

  • Edit /etc/php/7.0/fpm/pool.d/www.conf
  • Change pm.max_children = 10
  • Restart services: dietpi-services restart

If that resolves it, I'll set pm.max_children = $(( $CPU_CORES_TOTAL * 10 )) by default


edit:
x 10 is possibly a little high:

https://myshell.co.uk/blog/2012/07/adjusting-child-processes-for-php-fpm-nginx/
> pm.max_children = Total RAM dedicated to the web server / Max child process size - in my case it was 85MB
> On an average each PHP-FPM process took ~75MB of RAM on my machine.
> You can check an average memory usage by single PHP-FPM process with this handy command:

```
ps --no-headers -o "rss,cmd" -C php-fpm | awk '{ sum+=$1 } END { printf ("%d%s\n", sum/NR/1024,"M") }'
```

Fourdee added a commit that referenced this issue Dec 17, 2017

v160
DietPi-Software | Aria2 (Stretch): Resolved installation, now used APT
installation: #1310

DietPi-Software | PHP-FPM: Increased from "$CPU_CORES_TOTAL" to
"pm.max_children = $(( $CPU_CORES_TOTAL * 3 ))". This should avoid
failed forking of PHP-FPM processes/requests :
#1298

Fourdee commented Dec 17, 2017

@pablopoo

I've increased the pm.max_children = $(( $CPU_CORES_TOTAL * 3 )) for v160. This should resolve issues, however, if you have a chance to test and verify (#1298 (comment)), I'd appreciate it.

@Fourdee Fourdee added the Bug 🐞 label Dec 17, 2017

@Fourdee Fourdee changed the title DietPi-Software | Pi-hole: timeout on block page DietPi-Software | PHP-FPM: fails to fork multiple processes on single core systems Dec 17, 2017

pablopoo commented Dec 17, 2017

@Fourdee

Ok, did this test:

1.- Installed the VirtualBox DietPi image.
[image]

2.- DietPi auto-updated to latest v159

3.- Installed only Pi-hole
[image]

-Noticed this time it installed php7-fpm instead of php5-fpm

4.- cat /etc/php/7.0/fpm/pool.d/www.conf

[image]

-Got the same config I have in php5-fpm.

5.- Tested Pi-hole:

[image]

-Got the usual blocking page.

6.- Updated Pi-hole: pihole -up
pihole already up to date.

7.- Now I started wondering why I got another blocking page, not the text one above that I got when I first installed pihole months ago, because the only thing I did was install the pihole and dietpi updates.
I started comparing my current pihole install files with the test install until I found what I believe is the reason:
When pihole is installed the first time using dietpi it uses a different /etc/lighttpd/lighttpd.conf than the one installed after a pihole -up upgrade.

8.- Replaced my test lighttpd.conf:


```
server.modules = (
    "mod_access",
    "mod_alias",
    "mod_compress",
    "mod_redirect",
)

server.document-root = "/var/www"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 80

index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
```


with the one I have trouble with:

```
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Lighttpd config for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
# FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE
#
# CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE:
# /etc/lighttpd/external.conf
###############################################################################

server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_auth",
    "mod_expire",
    "mod_compress",
    "mod_redirect",
    "mod_setenv",
    "mod_rewrite"
)

server.document-root = "/var/www/html"
server.error-handler-404 = "pihole/index.php"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 80
accesslog.filename = "/var/log/lighttpd/access.log"
accesslog.format = "%{%s}t|%V|%r|%s|%b"

index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny = ( "~", ".inc", ".md", ".yml", ".ini" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"

# Prevent Lighttpd from enabling Let's Encrypt SSL for every blocked domain
#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
include_shell "find /etc/lighttpd/conf-enabled -name '*.conf' -a ! -name 'letsencrypt.conf' -printf 'include \"%p\"\n' 2>/dev/null"

# If the URL starts with /admin, it is the Web interface
$HTTP["url"] =~ "^/admin/" {
    # Create a response header for debugging using curl -I
    setenv.add-response-header = (
        "X-Pi-hole" => "The Pi-hole Web interface is working!",
        "X-Frame-Options" => "DENY"
    )

    $HTTP["url"] =~ ".ttf$" {
        # Allow Block Page access to local fonts
        setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" )
    }
}

# Block . files from being served, such as .git, .github, .gitignore
$HTTP["url"] =~ "^/admin/\.(.*)" {
    url.access-deny = ("")
}

# Add user chosen options held in external file
include_shell "cat external.conf 2>/dev/null"
```

9.- Then tested again:
[image]

Now got some progress, that was the error message I was looking for.

10.- Edited /etc/php/7.0/fpm/pool.d/www.conf
changed pm.max_children from 1 to 2.
[image]

11.- Restarted php-fpm, then I got this blocking page:
[image]

12.- @Fourdee, answering your question: for me, it works with at least 2 max_children. Thanks.
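
The sizing rules raised in this thread (cores × 3, RAM budget divided by per-child size, and the finding that the block page needs at least 2 children) combined into one check. This is an added example, not DietPi's or Pi-hole's code; the function names, the 512 MB budget and the sample pool file are assumptions.

```shell
#!/bin/sh
# Added example: size pm.max_children and flag pools that stall on self-requests.
# Function names, the RAM budget and the sample file are assumptions for illustration.

# Print the active pm.max_children value from a pool file (";" comment lines are skipped).
read_max_children() {
    awk -F'=' '/^[ \t]*pm\.max_children[ \t]*=/ { gsub(/[ \t\r]/, "", $2); v = $2 }
               END { if (v == "") exit 1; print v }' "$1"
}

# suggest_max_children CORES RAM_BUDGET_MB CHILD_MB
# Takes the smaller of cores*3 (the v160 default) and budget/child (the RAM rule),
# then applies a floor of 2 so a page that calls its own server still gets a worker.
suggest_max_children() {
    by_cpu=$(( $1 * 3 ))
    by_ram=$(( $2 / $3 ))
    n=$by_cpu
    if [ "$by_ram" -lt "$n" ]; then n=$by_ram; fi
    if [ "$n" -lt 2 ]; then n=2; fi
    echo "$n"
}

# check_pool FILE: returns 0 if fine, 1 if a self-request can stall, 2 if unset.
check_pool() {
    cur=$(read_max_children "$1") || { echo "$1: pm.max_children not set" >&2; return 2; }
    if [ "$cur" -lt 2 ]; then
        echo "$1: pm.max_children=$cur, a request to the same server waits on the only worker"
        return 1
    fi
    echo "$1: pm.max_children=$cur"
}

# Constructed sample mirroring the single-core pool described in this issue.
make_sample_pool() {
    f=$(mktemp)
    printf '%s\n' '[www]' 'pm = dynamic' ';pm.max_children = 5' 'pm.max_children = 1' > "$f"
    echo "$f"
}

sample=$(make_sample_pool)
check_pool "$sample" || true
echo "suggested: $(suggest_max_children 1 512 85)"   # 1 core, 512 MB budget, 85 MB per child
rm -f "$sample"
```

The floor of 2 can exceed a very small RAM budget; on such a host the per-child size has to come down instead.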

k-plan commented Dec 17, 2017

@pablopoo

Thanks! 👍

@Fourdee

hmm.. will we get the new block page feature?

  • Only possible with lighttpd?
  • What will be with the other web server stack?
  • $HTTP["url"] =~ "^/admin/\.(.*)" {
    url.access-deny = ("")
    }
    Will this work with the symbolic links as well?

Fourdee commented Dec 18, 2017

@pablopoo

Many thanks 👍

@k-plan

hmm.. will we get the new block page feature?

I'll take a look, if it's just a standard html or php page, we can use that one instead of our current:

```
# - Generate index page that replaces adverts and prevents popups
cat << _EOF_ > /var/www/index.html
<html>
Blocked by Pi-hole.
<script>window.close();</script>
</html>
_EOF_
```

When we added the above, Pi-Hole didn't have a block page at that time (if I remember correctly).


Edit: looks like the main Pi-Hole index page handles the block page as well?
https://github.com/pi-hole/pi-hole/blob/master/advanced/lighttpd.conf.debian#L30

Needs more research to see if this can be implemented compatible with our global webserver confs, and, if it has no effect on other web applications (eg: nextcloud).

Fourdee commented Dec 18, 2017

I'll mark this as closed, original issue is resolved in v160.

Ticket for block page: #1313

@Fourdee Fourdee closed this Dec 18, 2017

@Fourdee Fourdee self-assigned this Dec 18, 2017

@Fourdee Fourdee referenced this issue Jan 28, 2018

Merged

v6.0 #1426

Fourdee added a commit that referenced this issue Jan 28, 2018

Merge pull request #1426 from Fourdee/testing
**v6.0** (previously v160)
(28/01/18)

**Important Information:**
**All DietPi images have been re-created. Existing installations (v159 or lower), can no longer be updated, or supported. To continue support, users must install the latest v6.0 image.**
 - #1385
 - All images are now Debian Stretch (excluding Odroid's)
 - ARMbian based images are now mainline kernel 4.13+.
 - Native PC (EFI): is now an ISO, with clonezilla bundled. Simplifies installation via Rufus write: #1171 (comment)
 - If you are happy with your existing installation of v159 (or lower), you are not required to install the v6.0 image, however, we cannot continue to provide support for v159 (or lower) installations.

**Minor notes:**
The XMAS tree has now been taken down, stored away on github history for next year. Hope you all had a good one :D

**Changes / Improvements / Optimizations:**

General | DietPi RPi kernel, now reverted to stock RPi kernel: #1378

General | We have completed much needed backbone work for DietPi, which will allow for improved expansion in source code. This includes the use of dietpi-globals.

DietPi-Globals | New script which optimizes most used DietPi commands and vars, throughout our scripts. Also exported to bash session, please type 'G_' then press 'TAB' to see a full list of options: #1311

General | FHS compliance completed. /etc/dietpi has moved to /var/lib/dietpi. RAMlog store has moved to /var/tmp/dietpi: #1297 (comment)

General | We have refreshed our terminal messages look & feel, oriented on RPi boot messages, and with process animation: #1377

General | wget: Now set to prefer IPv4 by default (generally faster, can be changed by 'CONFIG_PREFER_IPVERSION' in dietpi.txt): #1285 (comment)

General | APT: Now set to force IPv4 by default (generally faster, can be changed by 'CONFIG_PREFER_IPVERSION' in dietpi.txt): #1285 (comment)

General | SparkySBC: CPU gov default changed to Performance, reports of increased stability.

General | Swapfile generation is now completed during 1st run of dietpi-software (previously boot stage): #1270 (comment)

General | DietPi-Funtime: Removed from DietPi. Although it looked pretty, it did absolutely nothing (except slow down a program)

DietPi-Automation | All dietpi.txt entries have been renamed and cleaned up.

DietPi-Automation | dietpi.txt: CONFIG_NTP_MODE will now be applied during 1st run of device: #1379

DietPi-Boot | Improved the method of initial FS_partition and FS_expansion during 1st run, via systemD services. 'fs_force_resize=' in dietpi.txt is no longer supported: #1285 (comment)

DietPi-Banner | IP: Will now also list the active network adapter used (eg: eth0/wlan0)

DietPi-Config | Dion Audio LOCO V1/V2: Soundcards added for RPi.

DietPi-Config | Locale: en_GB.UTF-8 is now automatically installed, alongside user selected choice. Required for DietPi scripts to function.

DietPi-Drive_Manager | Added support for exFAT, many thanks @MichaIng : #1312

DietPi-Globals | Global variables and functions are now exported during login. Please see the sourcecode for more information: #1311

DietPi-Set_Hardware | Sparky SBC: enable aotg.aotg1_speed compatibility setting for USB 1.1, when USB-DAC configured: #1301

DietPi-Set_Software | "pool" directive is now used for NTPD: #1404

DietPi-Software | NAA Daemon: Updated to latest (3.5.2-36). Existing installs will be patched automatically: #1305

DietPi-Software | PHP-FPM: Increased from "$CPU_CORES_TOTAL" to "pm.max_children = $(( $CPU_CORES_TOTAL * 3 ))". This should avoid failed forking of PHP-FPM processes/requests : #1298

DietPi-Software | ownCloud/Nextcloud: Added option to choose data directory via dietpi.txt pre installation: #1314 (comment)

DietPi-Software | ownCloud/Nextcloud: Switch to pretty URLs (without "index.php") on Apache

DietPi-Software | ownCloud/Nextcloud: Automated backup restoring on install and creation and uninstall to ownCloud/Nextcloud data directory

DietPi-Software | ownCloud: Switch to non-package/archive installation. This allows usage of preferred web based updater.

DietPi-Software | Nextcloud: Resolved OPcache admin panel warnings now also on Lighttpd

DietPi-Software | UrBackup: Installation updated to latest version 2.1.20. For new installations only: #1335

DietPi-Software | NodeRed: Corrected user which nodered runs under, now runs as its own user, created during install: #1294 (comment)

DietPi-Software | SqueezeBox/LMS (Stretch): Installation resolved: #1124

DietPi-Software | MySQL: Completely remove MySQL from DietPi in favour of MariaDB: #1397

DietPi-Software | Ampache: MySQL DB and configs have been updated (adds correct userdata folder for music by default): #1420

run_ntpd | Added support for systemd-timesyncd completion/detection: #1379

**Bug Fixes:**

General | Fixed two systemd error messages during shutdown and boot: #1330

DietPi-Automation | Resolved an issue where AUTO_SETUP_TIMEZONE was not being applied correctly, thanks @k-plan: #1285 (comment)

DietPi-Automation | dietpi.txt: CONFIG_NTP_MIRROR will now be applied to systemd-timesyncd configuration: #1379

DietPi-Config | Resolved an issue with WiFi Country code, failing to set on some devices: #838

DietPi-Config | Resolved an issue where disabling IPv6 didn't have an effect on AMD64 devices: #1343 (comment)

DietPi-Services | dietpi-wifi-monitor: Is no longer controlled, to prevent WiFi drop during software installs/updates etc: #1288 (comment)

DietPi-Software | General: MySQL using software titles now have their own database user, instead of accessing as "root": #1397 (comment)

DietPi-Software | qBittorrent: Resolved an issue with inability to log into web interface: #1366

DietPi-Software | Resolved an issue where our custom LD_LIBRARY_PATH would cause APT failures. LD_LIBRARY_PATH has now been reverted, apologies if this affected your system: #1329

DietPi-Software | Resolved an issue where APT installations would fail if services were masked. All known DietPi software services, will be enabled/unmasked, before installation: #1320

DietPi-Software | WiFi Hotspot (Stretch): Resolved an issue where hostapd would fail to run due to missing libssl1.0.0 lib, not available in repos: #1299

DietPi-Software | Shairport-sync (Stretch): Resolved an issue where this would fail to install, due to pre-req URLS becoming invalid: #1303

DietPi-Software | Plex Media Server: Resolved uninstall to include /var/lib/plexmediaserver in removal (which is not completed via apt purge).

DietPi-Software | MariaDB: Resolved an issue where MariaDB would fail to uninstall correctly: #1280

DietPi-Software | Aria2 (Stretch): Resolved installation, now used APT installation: #1310

DietPi-Software | Mosquitto: Resolved various issues with failed install, due to Mosq repo not being maintained (deb's missing from repo header list, requires non-stretch available packages). deb's are now hosted on dietpi.com: #1306

DietPi-Software | ownCloud/Nextcloud: Fixed an installation issue on Jessie with MariaDB: #1319

DietPi-Software | Google AIY: Updated install to gitbranch=voicekit. Many thanks to @mpember for the heads up: #1065 (comment)

DietPi-Software | OpenJDK: Replaces OracleJDK: #1401

DietPi-Update | dietpi.txt is now checked for missing entries, and, will now be patched during the update: #1292 (comment)

Sparky SBC | Kernel updated, which resolves issues with HQPlayer playback: https://www.computeraudiophile.com/forums/topic/32132-allo-sparky-usbridge/?do=findComment&comment=753100

**Allo Web Interface v5:**

Sparky SBC: Matrix Audio X-SPDIF 2, native DSD is now added to kernel, many thanks @sudeep: sparkysbc/Linux#3