How to let OPcache work correctly under chroot?

Question

There is PHP-FPM and OPCache (downloaded and compiled from php.net)

opcache.enable = 1
opcache.use_cwd = 1
zend_extension=opcache.so

php-fpm profiles run in chroot, i.e. /home/user1/www/index.php -> /www/index.php, /home/user2/www/index.php -> /www/index.php, what index.php see in both cases.

• user1 have installed WordPress. user2 have custom index.php.

• user1's index.php was executed before user2's index.php.

In such case, when I'm calling index.php from user2 folder, I see compiled output of index.php from user1 folder.

Current solution. I can run different PHPs per user or I must kill my beautiful structure /home/user1/www to /home/user1/user1www/ cause OPcache need to see differ paths. Or I disable OPcache, but it affect perfomance.

Is there a way to keep /home/user1/www, /home/user2/www, etc and let OPcache work correctly?

Answer 1

This is famous bug: https://bugs.php.net/bug.php?id=69090 which was present for years. But not anymore.

So, update your PHP version, and add this to php.ini:

opcache.validate_root=1

This will make cache keys unique per user, so even if there are two /htdocs/wp-config.php in two different chroot's, from now they will get two different cache entries.

Answer 2

No, you need to have unique paths inside the chroot to achieve your goal. This issue happens because the whole PHP-FPM worker is working inside the chroot, but it is using a global OPCache. Inside the chroot it simply cannot see anything else than /www in the beginning of the filename.

This could be fixed in the PHP codebase by using both pool name and filename as the cache key. However, since chroot is a special case, it hasn't been implemented as far as I know.

When I was implementing chroot PHP-FPM for one project, I made a structure like:

/srv/www/domain.com/domain.com/docroot

Where the chroot directory was /srv/www/domain.com. This way there is always an unique identifier inside the chroot for the filename so that cache key collisions do not happen.