Environment variables ignored by php-fpm

[mikehaertl]

If you use the php-fpm variant, environment variables (e.g. for linked docker hosts) are not available in your $_ENV var in your PHP scripts. This is a problem as usually docker containers are configured via environment variables (following the 12 factor principles). While this is rather a PHP problem, I still think that the official php-fpm image should provide a workaround for this, as otherwhise it's pretty much useless.

For php-fpm all environment variables have to be listed in the php-fpm.conf like:

[www]
env[MY_ENV_VAR_1] = 'value1'
env[MY_ENV_VAR_2] = 'value2'

So I suggest to create a wrapper script to first add all variables from env to the configuration, before actually starting php.

[mikehaertl]

For reference, this discussion may also have some useful tips: https://groups.google.com/forum/#!topic/docker-user/FCzUbjTIp_0

[mikehaertl]

Here's a workaround that does the job for me. It would be great if we could include that in the php-fpm image:

FROM php:5.6.6-fpm

# Allow to include custom php-fpm config, e.g. to set environment variables
RUN echo 'include=/usr/local/etc/conf.d/*' >> /usr/local/etc/php-fpm.conf \
    && mkdir /usr/local/etc/conf.d/

COPY run-php-fpm /usr/local/bin/

CMD ["run-php-fpm"]

run-php-fpm:

#!/bin/bash

env | sed "s/\(.*\)=\(.*\)/env[\1]='\2'/" > /usr/local/etc/conf.d/env.conf

php-fpm

[md5]

If you're going to re-expose the whole environment, clear_env = no would be simpler.

[mikehaertl]

Not sure what you mean. Where would you put that and what does it do?

I've added the whole environment as this is the same what the mod_php module does in Apache. It's what you'd probably expect from inside PHP.

[mikehaertl]

Ahhh, now i see: http://php.net/manual/en/install.fpm.configuration.php. Why didn't I find this earlier? Spent quite some time to find a solution (and there are obviously others who also missed this).

So shouldn't this be set by default in this image? I think, env vars is the way to go with docker images.

[md5]

From http://php.net/manual/en/install.fpm.configuration.php:

clear_env boolean
Clear environment in FPM workers. Prevents arbitrary environment variables from reaching FPM worker processes by clearing the environment in workers before env vars specified in this pool configuration are added. Since PHP 5.4.27. Default value: Yes.

You'd put it in your php-fpm.conf or a file included from it.

FWIW, I don't think the php:fpm image should be changed to act as you've requested, but I do think the environment variable issue should be documented.

[md5]

Or maybe it should be the default... I'm not sure actually.

[mikehaertl]

FWIW, I don't think the php:fpm image should be changed to act as you've requested, but I do think the environment variable issue should be documented.

Hmm, why not? I don't think it's a security issue as mod_php does the same in Apache. Wouldn't you agree, that PHP apps should follow the 12factor principles and use env vars? If that's the case, we will always need this.

[md5]

I'd just say that the fact that clear_env = Yes is the default for php-fpm should count for something, but I see your point.

[md5]

BTW, if you're going to have a script like run-php-fpm, make sure to do exec php-fpm at the end instead of just php-fpm 👍

[mikehaertl]

Ok, thanks. But undoing the above in my project now anyway :)

[mathroc]

👍 for clear_env = Yes by default

[mikehaertl]

@mathroc Can you explain why you're against clear_env = no by default?

[mathroc]

oops that was a mistake :/ I meant 👍 for clear_env = no by default… as for the reason, it's because I need to add it manually in each of my php-fpm containers, I guess a lot of people have to do the same or worst are manually adding each need env var in php-fpm conf as you did at first. it's not that easy to find information about clear_env when you search for "php-fpm env var" on google

[sherter]

I think in general it's a good idea to have clear_env = yes for php, since env variables may contain sensible data which php should not be able to access.
You normally have a modified php-fpm.conf anyway, so adding this one line is not to much of a hassle.