php-fpm - ERROR: Unable to create the PID file (/var/run/php-fpm.pid).: Permission denied (13)

This document (000020762) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP4

Situation

In SLES 15 SP4, when a pid file is set in the /etc/php7/fpm/php-fpm.conf configuration file, for example "pid = run/php-fpm.pid", the service may fail to start with the following output:

ERROR: Unable to create the PID file (/var/run/php-fpm.pid).: Permission denied (13)
ERROR: FPM initialization failed
systemd[1]: php-fpm.service: Main process exited, code=exited, status=78/CONFIG

Resolution

To resolve the issue, please do one of the following:
  • Disable AppArmor
  • Disable the php-fpm profile
  • Make the appropriate modification to the php-fpm profile configuration

Note that AppArmor is a great security feature, and the ideal long-term solution is to make the appropriate modification to the php-fpm profile configuration. If additional help is required, please reach out to SUSE support.

Disabling AppArmor

To stop and disable the AppArmor service altogether, and unload the profiles without rebooting, run the following:
# aa-status
# aa-teardown
# aa-status
# systemctl disable --now apparmor.service
# aa-status
 

Disabling AppArmor profiles

To disable just the php-fpm profile, but keep the other profiles loaded, run:

# aa-status
# aa-disable php-fpm
# aa-status

You'll notice the php-fpm profile is removed from the status output.

 

Make appropriate modification to the php-fpm profile configuration

Modify the profile configuration file to fit your needs. For example: vim /etc/apparmor.d/php-fpm
You'll see the comment line "# we need to be able to create all sockets". Below that line, add the following line:

@{run}/php{,-fpm}/php*-fpm.pid rw,

Save the file, then reload the service and rescan the profile by running:

# systemctl reload apparmor.service
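
To confirm that a profile rule covers the pid path php-fpm actually tries to create, the denied path from the audit log can be compared with the rule. The following is an added example, not part of the original SUSE document: it handles only the glob forms used in the rule above, the log lines are constructed samples, and the expansion of @{run} to /run/ and /var/run/ is an assumption about the local tunables.

```python
import re

# Assumption: @{run} expands to these values, as in AppArmor 3.x tunables.
RUN_DIRS = ["/run/", "/var/run/"]

# Constructed sample audit lines (not taken from the original document).
SAMPLE_LOG = [
    'type=AVC msg=audit(1668070000.101:411): apparmor="DENIED" operation="mknod" '
    'profile="php-fpm" name="/run/php-fpm.pid" pid=2211 comm="php-fpm" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'type=AVC msg=audit(1668070100.202:412): apparmor="DENIED" operation="mknod" '
    'profile="php-fpm" name="/run/php-fpm/php7-fpm.pid" pid=2290 comm="php-fpm" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
]
DENIED = re.compile(r'apparmor="DENIED".*? profile="([^"]+)" name="([^"]+)"')

def rule_to_regexes(rule_path):
    """Translate a simple AppArmor path glob (@{run}, {a,b}, *, **) to regexes."""
    regexes = []
    for run in RUN_DIRS:
        # AppArmor collapses repeated slashes after variable expansion.
        path = re.sub(r"/{2,}", "/", rule_path.replace("@{run}", run))
        rx, i = "", 0
        while i < len(path):
            if path.startswith("**", i):      # ** may cross directory levels
                rx, i = rx + ".*", i + 2
            elif path[i] == "*":              # * stays within one path component
                rx, i = rx + "[^/]*", i + 1
            elif path[i] == "{":              # {a,b} alternation, may be empty
                end = path.index("}", i)
                alts = path[i + 1:end].split(",")
                rx += "(?:" + "|".join(re.escape(a) for a in alts) + ")"
                i = end + 1
            else:
                rx, i = rx + re.escape(path[i]), i + 1
        regexes.append(re.compile(rx + r"\Z"))
    return regexes

def uncovered_denials(lines, profile, rule_path):
    """Return denied paths for `profile` that `rule_path` does not match."""
    regexes = rule_to_regexes(rule_path)
    hits = (DENIED.search(line) for line in lines)
    return [m.group(2) for m in hits
            if m and m.group(1) == profile
            and not any(r.match(m.group(2)) for r in regexes)]

if __name__ == "__main__":
    rule = "@{run}/php{,-fpm}/php*-fpm.pid"
    for path in uncovered_denials(SAMPLE_LOG, "php-fpm", rule):
        print("not covered by rule:", path)
```

A path reported as not covered needs its own rule in the profile, or the pid setting in php-fpm.conf has to point at a location the rule matches.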

Cause

AppArmor is installed by default in SLES 15 SP4. The php-fpm profile has been added as well, and needs to be configured to handle custom pid files.

Status

Reported to Engineering

Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020762
  • Creation Date: 10-Nov-2022
  • Modified Date: 10-Nov-2022
    • SUSE Linux Enterprise Server
