virtualmin 6.07.gpl breaks fpm every hour

I upgraded to webmin-virtual-server 6.07.gpl on Ubuntu 16.04 and now every hour my PHP/FPM settings break all the web sites.

I was using pipes, but it forces the config over to ports and increments the port numbers every hour. It does NOT change the apache port references, so each web site that uses PHP stops working.

My former setup looked like this:

$ grep sock /etc/php/7.0/fpm/pool.d/vm.conf /etc/apache2/sites-enabled/vm*conf
/etc/php/7.0/fpm/pool.d/vm.conf:listen = /var/php-fpm/php7.0-fpm-vm.sock
/etc/apache2/sites-enabled/ "proxy:unix:/var/php-fpm/php7.0-fpm-vm.sock|fcgi://localhost/"

Using pipes instead of ports means that the fpm interface is not exposed to external networks, and that the permissions on the pipes can be enforced. Forcing it to ports breaks both of those security precautions.

I had the same issue last Saturday at midnight. Some cron, probably. I was using pool.d/*.conf like “listen = 8019”, but then it was changed to 8130 without Apache being updated, so nothing was serving correctly.
The same thing happened after the latest Virtualmin upgrade; luckily we keep backups and could restore from working confs…

My impact is the same. After upgrading virtualmin, all PHP sites stopped working. Once I fixed them again, they would re-break every hour on the hour.

My “solution” at the moment is to fix all the pool.d/*.conf files, and then chattr +i *.conf as root to make them immutable. This stops the hourly breakage, but it also means that none of the new FPM editing options work.

Jamie Cameron added some code to avoid changing virtualmin owned fpm modules. I’ve not tested it, but it looks to me that in my case it will still break the non-virtualmin owned sites that are on this same machine.

My recommendation is to not use listen = <port> at all, as it has security issues. At least use listen = localhost:<port>, but it is much better to use listen = <pipe> and then also use listen.owner to set ownership so only the correct user can run FPM/PHP code on your site.

Unfortunately virtualmin does not (yet?) support this more secure method.

I also want the pool.d/*.conf files named after the user (which is already unique in /home/*), which is more readily apparent than the current domain-id.conf.
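The drift described in this thread (a pool's `listen` changed to a new port while the Apache vhost still points at the old one) is easy to catch before the sites go down. The following checker is an added example, not from the thread or from Virtualmin: it parses `listen` from each pool.d file and the `proxy:unix:…|fcgi://` or `proxy:fcgi://host:port` handler targets from each vhost, reports pools no vhost references, and also flags the weaker settings discussed above (a TCP listener on all interfaces, a socket without `listen.owner`). The sample pool and vhost texts are constructed for the example.

```python
import re

LISTEN_RE = re.compile(r"^\s*listen\s*=\s*(\S+)", re.M)
OWNER_RE = re.compile(r"^\s*listen\.owner\s*=", re.M)
UNIX_RE = re.compile(r"proxy:unix:([^|\s\"']+)\|fcgi://")        # SetHandler "proxy:unix:/sock|fcgi://localhost/"
TCP_RE = re.compile(r"fcgi://(\[[^\]]+\]|[\w.\-]+):(\d+)")        # SetHandler "proxy:fcgi://127.0.0.1:9000"

def pool_target(pool_text):
    """Key for a pool.d file ('unix:/path' or 'tcp:PORT') plus an optional warning."""
    m = LISTEN_RE.search(pool_text)
    if not m:
        return None, "no listen directive"
    value = m.group(1)
    if value.startswith("/"):                      # Unix socket, the setup recommended in the thread
        return "unix:" + value, None if OWNER_RE.search(pool_text) else "socket without listen.owner"
    host, _, port = value.rpartition(":")          # 'listen = 8019' has no host part
    warning = "TCP listener bound to all interfaces" if host in ("", "0.0.0.0", "[::]") else None
    return "tcp:" + port, warning

def apache_targets(vhost_text):
    """Every FPM backend an Apache vhost file points at, in the same key form."""
    keys = {"unix:" + path for path in UNIX_RE.findall(vhost_text)}
    keys |= {"tcp:" + port for _host, port in TCP_RE.findall(vhost_text)}
    return keys

def check_drift(pools, vhosts):
    """pools/vhosts map filename -> text. Returns [(pool_file, message), ...]."""
    referenced = set().union(*(apache_targets(t) for t in vhosts.values()))
    findings = []
    for name, text in pools.items():
        key, warning = pool_target(text)
        if warning:
            findings.append((name, warning))
        if key and key not in referenced:
            findings.append((name, "listen target %s not referenced by any Apache vhost" % key))
    return findings

# Constructed samples: a Virtualmin-managed pool rewritten to 8130 while Apache
# still proxies to 8019 (the hourly breakage), and a pool on the socket setup.
SAMPLE_POOLS = {
    "vm.conf": "[vm]\nuser = vm\nlisten = /var/php-fpm/php7.0-fpm-vm.sock\n"
               "listen.owner = vm\nlisten.group = www-data\nlisten.mode = 0660\n",
    "123456.conf": "[123456]\nuser = other\nlisten = 8130\n",
}
SAMPLE_VHOSTS = {
    "vm.conf": 'SetHandler "proxy:unix:/var/php-fpm/php7.0-fpm-vm.sock|fcgi://localhost/"\n',
    "other.conf": 'SetHandler "proxy:fcgi://localhost:8019/"\n',
}

if __name__ == "__main__":
    for name, message in check_drift(SAMPLE_POOLS, SAMPLE_VHOSTS):
        print("%s: %s" % (name, message))
```

To run it against a real host, replace the sample dicts with the contents of /etc/php/7.0/fpm/pool.d/*.conf and /etc/apache2/sites-enabled/*.conf and run it from the hourly cron right after Virtualmin's own job.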

Try disabling the scheduled config check in Virtualmin.

Virtualmin - Limits and Validation - Validate Virtual Servers. It's the second tab over there.