Solved Unknown lvalue in php-fpm service

Richard G

I've asked this before, but it was with something else, so I really did not get an answer to this.

This will appear in the log when php-fpm is restarted, or when Apache is restarted, which causes all php-fpm services to restart.

Code:
Mar  7 19:54:14 server23 systemd: [/etc/systemd/system/php-fpm80.service:41] Unknown lvalue 'ProtectKernelModules' in section 'Service'
Mar  7 19:54:14 server23 systemd: [/etc/systemd/system/php-fpm80.service:48] Unknown lvalue 'ProtectKernelTunables' in section 'Service'
Mar  7 19:54:14 server23 systemd: [/etc/systemd/system/php-fpm80.service:51] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Mar  7 19:54:14 server23 systemd: [/etc/systemd/system/php-fpm80.service:54] Unknown lvalue 'RestrictRealtime' in section 'Service'
Mar  7 19:54:14 server23 systemd: [/etc/systemd/system/php-fpm81.service:41] Unknown lvalue 'ProtectKernelModules' in section 'Service'
Mar  7 19:54:14 server23 systemd: [/etc/systemd/system/php-fpm81.service:48] Unknown lvalue 'ProtectKernelTunables' in section 'Service'
Mar  7 19:54:14 server23 systemd: [/etc/systemd/system/php-fpm81.service:51] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Mar  7 19:54:14 server23 systemd: [/etc/systemd/system/php-fpm81.service:54] Unknown lvalue 'RestrictRealtime' in section 'Service'

Same for php-fpm74 by the way.

Running Centos 7.9, normal Apache.

Just an ignorable issue or what is this?
 
What specifically is in /etc/systemd/system/php-fpm80.service and /etc/systemd/system/php-fpm81.service?
 
And also in php-fpm74.service. It's all default.....

They all have exactly the same content, except the pid changes to the correct PHP version.

Code:
# php-fpm startup for DirectAdmin servers
# To alter the FPM environment, drop a file with the suffix
# .conf in /etc/systemd/system/php-fpm.service.d, with
#     [Service]
#     Environment=FOO=bar
# To reload systemd daemon after changes to this file:
# systemctl --system daemon-reload

[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target

[Service]
Type=notify
PIDFile=/run/php-fpm74.pid
ExecStart=/usr/local/php74/sbin/php-fpm74 --nodaemonize --pid=/run/php-fpm74.pid
ExecReload=/bin/kill -USR2 $MAINPID
LimitMEMLOCK=infinity
LimitNOFILE=65535

# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
# so this service cannot access the global directories and other processes cannot
# access this service's directories.
PrivateTmp=true

# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
# but no physical devices such as /dev/sda.
# CageFS does not work with php-fpm on DirectAdmin servers. The issue is caused by this directive set to true, thus, commented out
#PrivateDevices=true

# Attempts to create memory mappings that are writable and executable at the same time,
# or to change existing memory mappings to become executable are prohibited.

# Commented out, problems with PHP 7.0/7.1 reported
#MemoryDenyWriteExecute=true

# Explicit module loading will be denied. This allows to turn off module load and unload
# operations on modular kernels. It is recommended to turn this on for most services that
# do not need special file systems or extra kernel modules to work.
ProtectKernelModules=true

# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
ProtectKernelTunables=true

# Required for resource throttling
ProtectControlGroups=false

# Any attempts to enable realtime scheduling in a process of the unit are refused.
RestrictRealtime=true

# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX

# Takes away the ability to create or manage any kind of namespace
#RestrictNamespaces=true

[Install]
WantedBy=multi-user.target
 
What version of systemd are you using?
The ones belonging to Centos 7.9.
Code:
rpm -qa | grep systemd
systemd-libs-219-78.el7_9.7.x86_64
systemd-devel-219-78.el7_9.7.x86_64
systemd-sysv-219-78.el7_9.7.x86_64
systemd-219-78.el7_9.7.x86_64

Can be found in Ubuntu man pages:
But not running Ubuntu, I'm running Centos 7.9. However if I can safely ignore them it's fine by me too.
I'm just wondering why they are appearing while I don't have anything configured to use them, just using default Centos 7.9.
 
I'm running Centos 7.9.

That's why I wrote: They are probably OS specific

DirectAdmin developers, knowing that the unknown options in a systemd file don't break anything, prepared a unified config suitable for CentOS and Ubuntu.

If you want to get rid of them, then customize the files.
 
If you want to get rid of them, then customize the files.
Sorry, I misunderstood the "probably OS specific" as that it would be probably specific to the Ubuntu OS. I'm not native English. :)
I'd rather not customize things if not needed. So if it's just warnings, it doesn't break anything and I can safely ignore them, then I will do just that.
Ignore them.

Thank you!

Also thank you @sparek for the help.
 
@MisterM Sorry, but I don't know what this has to do with my question about the warnings or how?
I know how to exclude updates from yum, but I'm not going to exclude kernel updates.
 
I never noticed this before, but indeed my CentOS 7 servers are showing this as well.

Safe to ignore.

But if you're looking for an explanation, see - https://raw.githubusercontent.com/systemd/systemd/main/NEWS

RestrictRealtime was added in systemd version 231

ProtectKernelModules, ProtectKernelTunables, and ProtectControlGroups were added in systemd version 232.

CentOS 7 still uses systemd 219

systemctl --version

And while CentOS (or really RedHat) like to backport fixes - so even though the reported systemd version is 219 you may have features or fixes present in newer versions of systemd - they apparently did not add these directives into the version 219 they are using.

That's the explanation for these "errors". The systemd that CentOS 7 is using doesn't know what these directives are. But systemd just skips over them.
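
An added example, not part of the thread and not DirectAdmin's code: a shell check that lists which active `[Service]` directives a given systemd version will skip, using the minimum versions quoted in the post above. A skipped directive has no effect, so on systemd 219 the unit runs without those settings applied. The function names and the sample unit are constructed for illustration.

```shell
#!/usr/bin/env bash
# directive=first systemd version that knows it (versions as quoted in the
# thread from the systemd NEWS file; extend the list as needed)
MIN_VERSIONS='RestrictRealtime=231 ProtectKernelModules=232 ProtectKernelTunables=232 ProtectControlGroups=232'

# Version of the running systemd, e.g. "219" (first line of systemctl --version)
systemd_version() { systemctl --version | awk 'NR == 1 { print $2 }'; }

# Usage: ignored_directives UNIT_FILE SYSTEMD_VERSION
# e.g.   ignored_directives /etc/systemd/system/php-fpm80.service "$(systemd_version)"
ignored_directives() {
    awk -F= -v have="$2" -v table="$MIN_VERSIONS" '
        BEGIN {
            n = split(table, rows, " ")
            for (i = 1; i <= n; i++) { split(rows[i], kv, "="); min[kv[1]] = kv[2] }
        }
        /^[[:space:]]*[#;]/ { next }    # commented-out directives are inactive
        /^\[/ { in_service = ($0 ~ /^\[Service\]/); next }
        in_service {
            key = $1; gsub(/[[:space:]]/, "", key)
            if ((key in min) && min[key] + 0 > have + 0)
                printf "%s (needs systemd %s, have %s)\n", $0, min[key], have
        }
    ' "$1"
}

# Constructed sample: a trimmed copy of the directives in the unit shown above
write_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=The PHP FastCGI Process Manager

[Service]
PrivateTmp=true
#PrivateDevices=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=false
RestrictRealtime=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX

[Install]
WantedBy=multi-user.target
EOF
}

unit=$(mktemp)
write_sample_unit "$unit"
ignored_directives "$unit" 219    # the systemd version CentOS 7 reports
rm -f "$unit"
```
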
 