PHP 7.1 beta packages for Arch Linux

The first beta version of PHP 7.1 has been released and its time to have a look at the next iteration of the PHP 7 series. You will find a set of packages in my repository:

[php]
Server = https://repo.pierre-schmitz.com/$repo/os/$arch

Insert these lines on top of the other repository definitions in your /etc/pacman.conf. A copy of the PKGBUILDs I used to create these packages are available in my git repository.

Packaging

I intend to update these with beta versions and release candidates till the final release of PHP 7.1.0 later this year. Even though I will try to provide a smooth update path, please be prepared to encounter problems.

Despite of a having a new module API, third party modules seem to work fine after a simple rebuild, in contrast to our first contact with PHP 7. All these modules are available in my repository as well.

New features

With the new minor release we will get more improvements of the scalar and return type declarations introduced in PHP 7.0. My favorite new features are:

  • Nullable Types
    Being able to declare a type to be either specific or null was a missing feature in version 7.0 which lead people to not declare any type at all.
  • Void Return Type
    You are now able to declare a function to never return anything; another missing piece of the new return type declarations.
  • Iterable type
    We are finally able to declare a type that matches an array but also classes that implement the Traversable interface. In short it is anything you can use with foreach(). This means we no longer need to put primitive arrays into traversable objects if we like to use type hinting.
  • Class constant visibility modifiers
    Using constants internally is less awkward as we are now able to declare them with private visibility. People no longer need to abuse private properties to document that certain constants should not be used from a foreign context.

A complete list of changes can be found in the PHP 7.1 NEWS file. Also see the continuously updated UPGRADING file.

Testing and benchmarking

While PHP 7.1 is still under development the packages I provide are configured with production settings. Optimizations are turned on, all debugging functions and information are disabled and stripped from the binaries. This means you may use these to test and benchmark your applications and server setups.

Let me know of any issues and share your experiences with the first minor update of PHP 7.

Using OPcache to speed up your CLI scripts

With PHP 7 it is now possible to use OPcache efficiently. It can be configured to store the compiled byte code on disk and use it on the next run of a script. Complex command line scripts like Composer and PHPUnit tests will benefit from such a cache as it reduces startup time dramatically.

In addition to benefiting cli scripts, this cache is also used as second level cache in general. This should increase performance if the SHM backed OPcache runs out of memory or the PHP process gets restarted.

To enable the second level cache simply ensure the following ini directives are set:

zend_extension=opcache.so
opcache.enable=1
opcache.enable_cli=1
opcache.file_cache=/tmp/php-opcache

In this case I am going to store the byte code in /tmp which means it wont survive a reboot and will be kept in RAM by default. We now need to ensure that the mentioned directory /tmp/php-opcache is created by systemd on boot. Place the following content in a file called /etc/tmpfiles.d/php-cli-opcache.conf:

d /tmp/php-opcache 1777 root root 1d

This will also prune all files that are older than one day. You might want to adjust these values to your needs or even use a persistent storage in /var/tmp instead of /tmp.
To initially create this folder simply run

# systemd-tmpfiles --create /etc/tmpfiles.d/php-cli-opcache.conf

You may now check your configuration by running some cli scripts:

$ composer -V

The compiled byte code should now appear in /tmp/php-opcache:

$ tree /tmp/php-opcache               
/tmp/php-opcache
├── 896f8ffaef254102552141eb4ab1b214
│   └── usr
│       └── bin
│           └── composer.bin
└── 896f8ffaef254102552141eb4ab1b214phar:
    └── usr
        └── bin
            └── composer
                ├── bin
                │   └── composer.bin
                ├── src
                │   ├── bootstrap.php.bin
                │   └── Composer
                │       ├── Command
                │       │   ├── AboutCommand.php.bin
                │       │   ├── ArchiveCommand.php.bin
                │       │   ├── ClearCacheCommand.php.bin
...

PHP 7 on Arch Linux

I have been working on PHP 7 packages for a while. They are available in my repository:

[php]
Server = https://repo.pierre-schmitz.com/$repo/os/$arch

Insert these lines on top of the other repository definitions in your /etc/pacman.conf
A copy of the PKGBUILDs I used to create the packages are available in my git repository.

Upstream changes

PHP 7 is possibly one of the most interesting releases since version 5 which was published over a decade ago. Besides up to twice the performance PHP now offers scalar type declarations and return types. The official migration guide lists all new features and incompatible changes.

Packaging changes

With PHP 7 I am trying to move closer to upstream defaults and be less opinionated. While this requires a more responsible configuration by the user it also eliminates some surprises. And after all this is the Arch way. As a bonus, scripts like Composer work fine with the default configuration now.

Core package changes

  • php-pear is no longer available
  • php-mssql was removed by upstream
  • php-ldap is now included in the core php package as its dependencies were already met
  • The mysql extension was dropped upstream and is no longer available

Configuration changes

  • openssl, phar and posix modules are now built in. Remove the corresponding directives from you php.ini, e.g. extension=openssl.so
  • The include_path is no longer set to /usr/share/pear by default
  • open_basedir is no longer defined. This also means that packaged scripts do not need to be put into an awkward /usr/share/webapps directory.
  • PHP-FPM does no longer provide a logrotate configuration. By default errors are logged to syslog (these will be picked up by journald).
  • FPM pool configuration is now stored in /etc/php/php-fpm.d by default.
  • The upstream FPM service file is now installed which does not include PrivateTmp=true.

Third party extensions

We offer a few PHP modules that are maintained by third parties and are not part of the PHP source distribution. So far only modules that are in active development were able to provide updated versions. This means we have to drop most of these PHP extensions, especially those that might be considered dead.

The following list provides an overview of modules I gathered so far. It is possible we could re-upload updated packages once upstream provides us with compatible versions.

Package Status Solution
graphviz incompatible remove PHP bindings
php-apcu compatible update to version 5
php-geoip incompatible remove package
php-memcache incompatible remove package, project seems dead
php-memcached incompatible remove package, move back when upstream version is available
php-mongo incompatible remove package, superseded by the mongodb driver
php-xcache incompatible remove package, project seems dead
uwsgi-plugin-php incompatible remove PHP support, upstream update seems possible
xdebug compatible update to latest release candidate of version 2.4

In addition to this I will introduce a new module called php-apc-bc which will provide the legacy apc_ function for use with the APCu extension. Before version 5 this feature was provided by APCu itself.

Testing in Production

While I have been working on PHP 7 for months now one really only sees how it performs when put into production. So a few days ago I started running all services at archlinux.de (this also includes this very blog) with that latest version of PHP.

So far its running fine. The update went smoother than expected and the needed configuration changes were close to nonexistent.

There are some regular but very few core dumps produced by php-fpm. These did not result in 5xx server responses though and I assume that they are related to shutting down fpm workers. It should be investigated but it does not seem critical.

Before updating I had to make two small source code changes:

  • Engine errors are now of the type \Error. \Error and \Exception implement the \Throwable interface. So I had to adjust a type hint, or in this case remove it so it would also work in PHP 5.6.
  • The return type of the \SessionHandlerInterface are now enforced. If you return anything other than a string in your custom session handler the operation will fail.

Your Feedback

Now it is your turn. The packages provided in my repository are ready and I will ensure an upgrade path once the updated packages are available in the [extra] repository. I do not plan to hold them back for very long but I’d like to get some feedback first. After all it is a major update, we drop a lot of extensions and compatibility with many scripts out there is unknown.

Try these packages, test your own code and send me your feedback and suggestions.

PHP 5.5 on Arch Linux

Packages of PHP 5.5 are available in my repository. Note that these are debug builds and might require the use of the [testing] repository.

[php]
Server = https://repo.pierre-schmitz.com/$repo/os/$arch

Only try this at home. APC gets replaced by APCu for user data caching. Use the new opcache module to cache the PHP scripts. XCache is also available as a development snapshot.

Let me know of any issues but also successes. More will follow up soon.

PHP 5.4.1 in – Suhosin out

Today I finally moved PHP 5.4.1 into our [testing] repository. Our previous tests of 5.4.0 were quite successful. In short PHP 5.4 is ready for production now and will be in our [extra] repository in a couple of days.

When I first packaged PHP 5.4.0 one of the most concerning issues was the lack of a compatible Suhosin patch and extension. Unfortunately this situation has not changed within the last two months: there is still no information if or when Suhosin will be released for recent versions of PHP. Therefor I decided to remove the Suhosin patch and its extension from our repository. To not break compatibility on minor updates the current version in [extra], PHP 5.3.11, includes a patched version of Suhosin; the last official one was dedicated for 5.3.9.

Suhosin is a safe guard for scripts and PHP itself. It consists of  patch to PHP and an extension which can be used independently. The patch aims to protect the PHP core against buffer overflows and string format vulnerabilities. Scripts written in PHP are protected by the Suhosin extension. It can be configured to disallow or limit certain user input. There is also a feature to transparently encrypt cookie and session data. More of Suhosin’s features are described on its website.

Certainly some of Suhosin’s features are a good idea as they might protect you in case PHP itself or scripts fail. This is why it was added years ago when I took over maintainership of PHP. Fortunately some of its features got added to PHP itself over time. But today we are confronted with several problems:

  • There is no Suhosin for PHP 5.4. This means we would be stuck at 5.3 and cannot ship the most recent packages which is one of the goals of Arch Linux.
  • The upstream project has become less and less active in the past years. There are certain indicators which make Suhosin an unhealthy open source project: There is still only one main contributor, the development process is mostly closed, there is no public repository for the patch, no bug tracker, the forums are in maintenance mode for years and the latest news entry is from 2007. Of course things might be different in the background, but this is the situation which is publicly visible.
  • The delays between PHP releases and their Suhosin counterparts are increasing. I often have to patch the Suhosin patch itself to use it with latest minor updates of PHP. This leaves us with a PHP version that is neither supported by the PHP project nor the Suhosin authors. While these modifications are mostly trivial I cannot exclude the possibility that I break PHP in a dangerous way. The situation is even worse on major update like we have now. Adjusting Suhosin to PHP 5.4 is not trivial. In addition to this testing development releases or release candidates often means that you have to disable Suhosin.
  • There are no plans of the project to ever move any of Suhosin’s features into PHP itself. In fact the Suhosin author is strictly against such a move.

In general we have a “Do not patch” policy in Arch and try to keep our packages as close to upstream as possible. In its current state I no longer have any excuse to break this rule for Suhosin; in fact I now have a lot of arguments which support this policy. So even if a new version of Suhosin was released tomorrow, next week or in a few months, it wont be re-added to our PHP packages. The upstream projects would need some changes to its process to be reliable again.The relationship with the PHP project itself has to improve and it should at least be tried to apply certain features into the PHP core project.