Unable to launch php-fpm.service 'Permission denied - Unable to read php-fpm.conf'

When I run sudo systemctl start php-fpm.service, I get the following error message.

May 12 22:32:26 localhost.localdomain systemd[1]: Starting The PHP FastCGI Process Manager...
May 12 22:32:26 localhost.localdomain php-fpm[31129]: [12-May-2021 22:32:26] ERROR: failed to open configuration file>
May 12 22:32:26 localhost.localdomain php-fpm[31129]: [12-May-2021 22:32:26] ERROR: failed to load configuration file>
May 12 22:32:26 localhost.localdomain php-fpm[31129]: [12-May-2021 22:32:26] ERROR: FPM initialization failed
May 12 22:32:26 localhost.localdomain systemd[1]: php-fpm.service: Main process exited, code=exited, status=78/CONFIG
May 12 22:32:26 localhost.localdomain systemd[1]: php-fpm.service: Failed with result 'exit-code'.
May 12 22:32:26 localhost.localdomain systemd[1]: Failed to start The PHP FastCGI Process Manager.

I have checked the permission on php-fpm.conf:


ls -l /etc/php8/fpm/php-fpm.conf
-rwxrw-r-- 1 root root 5324 May 12 22:26 /etc/php8/fpm/php-fpm.conf

I see two options for the error:

  1. The configuration file can be opened but the content is not valid
  2. Another configuration file than /etc/php8/fpm/php-fpm.conf is used

You can issue “sudo systemctl cat php-fpm.service” to check which command is executed with the argument and try executing that on the command prompt. What does that give?

Here is the content of php-fpm.service:

# /etc/systemd/system/php-fpm.service
# It's not recommended to modify this file in-place, because it
# will be overwritten during upgrades.  If you want to customize,
# the best way is to use the "systemctl edit" command.


[Unit]
Description=The PHP FastCGI Process Manager
After=network.target
Before=apache2.service nginx.service lighttpd.service


[Service]
User=root
Type=notify
ExecStart=/usr/sbin/php-fpm --nodaemonize --fpm-config /etc/php8/fpm/php-fpm.co>
ExecReload=/bin/kill -USR2 $MAINPID


# Set up a new file system namespace and mounts private /tmp and /var/tmp direc>
# so this service cannot access the global directories and other processes cann>
# access this service's directories.
PrivateTmp=true


# Mounts the /usr, /boot, and /etc directories read-only for processes invoked >
ProtectSystem=full


# Sets up a new /dev namespace for the executed processes and only adds API pse>
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsys>
# but no physical devices such as /dev/sda.
PrivateDevices=true


# Explicit module loading will be denied. This allows to turn off module load a>
# operations on modular kernels. It is recommended to turn this on for most ser>
# do not need special file systems or extra kernel modules to work.
ProtectKernelModules=true


# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /pr>
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only >
# of the unit. Usually, tunable kernel variables should only be written at boot>
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; >
# recommended to turn this on for most services.
ProtectKernelTunables=true


# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/>
# made read-only to all processes of the unit. Except for container managers no>
# require write access to the control groups hierarchies; it is hence recommend>
# for most services
ProtectControlGroups=true


# Any attempts to enable realtime scheduling in a process of the unit are refus>
RestrictRealtime=true


# Restricts the set of socket address families accessible to the processes of t>
# Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX


# Takes away the ability to create or manage any kind of namespace
RestrictNamespaces=true


[Install]
WantedBy=multi-user.target

Following your thoughts I have tried another configuration for php-fpm.conf from the Internet:
https://gist.github.com/sotarok/2767859

This does not work either.

Good to have the contents of php-fpm.service.

Can you execute, on the console, as root, what is after “ExecStart=” and share the output?

Here is the reply from sudo /usr/sbin/php-fpm --nodaemonize --fpm-config /etc/php8/fpm/php-fpm.conf:

[14-May-2021 12:48:55] ERROR: failed to open configuration file '/etc/php8/fpm/php-fpm.conf': Permission denied (13)
[14-May-2021 12:48:55] ERROR: failed to load configuration file '/etc/php8/fpm/php-fpm.conf'
[14-May-2021 12:48:55] ERROR: FPM initialization failed

Thank you very much for your help \o/

Okay, so the problem is accessing /etc/php8/fpm/php-fpm.conf (as root), but according to your first post it is owned by root and everybody has read access.

Quite mysterious, searching for the error I found https://serverfault.com/questions/501258/php-fpm-gives-permission-denied.

Can you check if one of the solutions listed there works for you?

I finally achieved starting this service by downgrading to php7-fpm.
It works now.
The bug isn’t resolved…

Thank you very much for your help, and time.

I have been having this problem since PHP 8.x was added to the repository, php 7.x works fine.
I finally had to resort to using Apache, which does not require php-fpm, for all my openSuSE TW servers…
I have no problem using NGiNX and php-fpm 8.x with openSuSE Leap.
But, openSuSE TW will not run php-fpm 8.x…
[18-May-2021 13:58:55] ERROR: failed to open configuration file '/etc/php8/fpm/php-fpm.conf': Permission denied (13)

Seems to be a bug no-one is catching, because no-one is using it, yet?

I usually wait a few months and these kinds of problems go away or a work around is found.

Not this one: 6 months and no fix or workaround seen on the web, and this is the first mention I've found.

Thanks, for all your hard work!

At least two people did catch it, and I am reasonably sure quite some others did not report it, just like you until now :wink:

I think more can be tried/debugged, but you can also create a bug at https://bugzilla.opensuse.org

Bug submitted:

https://bugzilla.opensuse.org/show_bug.cgi?id=1186267

Thanks.

As not everybody opens up bugzilla:

Looks to me the problem was AppArmor related; there is a hotfix and things will be fixed in the next release.
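The final reply attributes the denial to AppArmor, which explains why the thread's `ls -l` check could not account for the error: a mandatory access control (MAC) refusal does not show in the file's owner or mode bits, only as a DENIED line in the kernel log. As an added example that is not part of this thread or of the bug report, the script below separates the two kinds of "Permission denied": the DAC kind, readable from the `ls -l` mode string, and the MAC kind, parsed from AppArmor audit lines. The audit lines it parses are a constructed sample; the profile name `php-fpm`, the pids and the timestamps are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: tell a DAC "Permission denied" (file owner
# and mode bits) apart from a MAC one (AppArmor profile) for a given path.
# The audit lines below are a constructed sample in the format AppArmor logs;
# the profile name "php-fpm", pids and timestamps are assumptions for this example.

SAMPLE_LOG='
audit: type=1400 audit(1620859736.456:46): apparmor="DENIED" operation="open" profile="php-fpm" name="/etc/php8/fpm/php-fpm.conf" pid=31129 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1620859736.789:47): apparmor="ALLOWED" operation="open" profile="php-fpm" name="/etc/php8/fpm/php.ini" pid=31129 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'

# DAC check: succeeds when the "other" read bit is set in the ls -l mode string
# (character 8 of e.g. -rwxrw-r--), which is what the ls -l in the thread showed.
other_can_read() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# MAC check: print every AppArmor DENIED event in the log text ($1) for path $2.
apparmor_denials() {
    printf '%s\n' "$1" | grep -F 'apparmor="DENIED"' | grep -F "name=\"$2\""
}

# Number of DENIED events for path $2 in log text $1 (0 when there are none).
denial_count() {
    apparmor_denials "$1" "$2" | wc -l | tr -d ' '
}

# One-line summary of a single audit line: confining profile, operation, denied
# mask and the acting uid. fsuid=0 means root itself was refused, so mode bits
# cannot be the cause and the profile is.
summarize_denial() {
    profile=$(printf '%s\n' "$1" | sed -n 's/.*profile="\([^"]*\)".*/\1/p')
    op=$(printf '%s\n' "$1" | sed -n 's/.*operation="\([^"]*\)".*/\1/p')
    mask=$(printf '%s\n' "$1" | sed -n 's/.*denied_mask="\([^"]*\)".*/\1/p')
    fsuid=$(printf '%s\n' "$1" | sed -n 's/.*fsuid=\([0-9]*\).*/\1/p')
    if [ "$fsuid" = "0" ]; then
        who="root (uid 0), so file mode bits are not the cause"
    else
        who="uid $fsuid"
    fi
    printf 'profile=%s op=%s denied=%s by %s\n' "$profile" "$op" "$mask" "$who"
}

# Walk the sample the way you would walk `journalctl -k` or `dmesg` output on
# the affected host.
apparmor_denials "$SAMPLE_LOG" /etc/php8/fpm/php-fpm.conf | while IFS= read -r line; do
    summarize_denial "$line"
done
```

On a real host, replace `SAMPLE_LOG` with the output of `journalctl -k -o cat` (or `dmesg`). A DENIED line with `fsuid=0` against a file that `ls -l` shows as world-readable is exactly the signature the first post in this thread was missing, and it points at the profile (`aa-status` lists the loaded ones) rather than at `chmod` or `chown`.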