Excessive resource usage from cPanel 3rdparty processes

tui

Well-Known Member
Jun 15, 2007
145
40
78
Mexico
cPanel Access Level
Root Administrator
First, i want to clarify that i know from where the alerts are comming and that CSF/LFD is not part of cPanel, i know how to "disable" or prevent the CSF/LFD alerts, and thats not what i want to do...

The issue is not with CSF/LFD exactly, is from cPanel php-fpm directly let me explain:

Here is one of the alerts im receiving everyday since a past cPanel update WHERE cpanel started using php-fpm as the default php handler for cPanel processes:

Subject: lfd on host.server.com: Excessive resource usage: useraccount (30966 (Parent PID:30443))
Time: Thu Oct 20 10:29:40 2022 -0500
Account: useraccount
Resource: Process Time
Exceeded: 2165 > 2100 (seconds)
Executable: /usr/local/cpanel/3rdparty/php/74/sbin/php-fpm
Command Line: php-fpm: pool user_useraccount
PID: 30966 (Parent PID:30443)
Killed: No

I know what this mean and that if i change the time on CSF/LFD or ignore the user account or ignore the executable the alerts are going to go away, but thats not the purpose of CSF/LFD in that case if i will start to ignore users and processes is better to remove CSF/LFD.

What i see here is that this alerts are comming after cPanel change the handler to php-fpm;

After investigating, the alerts im receiving are from users that are using roundcube, however, with php-fpm is not possible to ignore the roundcube executable, and, if you raise the time to receive an alert (that is not what i want for my server) the alerts keeps triggering because the user keeps the roundcube opened in their browser, there are users that leave their browser with roundcube opened all the 24hours of the day.

If you ignore the executable you will not receive alerts when a accounts get compromised or a user uses a php file to do nasty things, if you ignore the user pool is the same.

So, the problem i see is that they way that php-fpm works there is no way to se the exact filename, process or executable that is triggering the alerts...

My question is no how can i get rid of the alerts but many questions:

1) How can i properly handle the executable or files when using php-fpm?
2) How can i properly add roundcube to ignore if php-fpm only shows the user pool so i can still watching the users processes?
3) Is there a way to completely disable php-fpm for cpanel processes?
3.1) Turning PHP-FPM service for cPanel Daemons off on "WHM>>Service Configuration>> Service Manager" is not a way because it turn on automatically after few hours/days (SOLVED - CPANEL-37047 - How to disable PHP-FPM for cpanel) and the option to disable it will be removed in future.
4) Is there a way that the php-fpm service for cPanel Daemons are handled by different handler like suphp instead of cgi/fcgi so we can keep track of the real executable and ignore them properly?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,463
2,114
363
cPanel Access Level
Root Administrator
Hey there! I think the main issue is the root cause of the notification. PHP-FPM process are longer-running than their more traditional PHP counterparts, so I think disabling the process time check for that specific process globally is a fine option.

1 - I'm not sure I understand this question - can you get me more details?
2 - Adding the specific Roundcube executable will stop that notification for all users.
3 - We determined this is happening by design during the nightly updates as WordPress Toolkit required PHP-FPM, so there's not a way to disable that. Is there a specific reason you need this disabled? We ship this is a default and few users run into issues with that configuration.
4 - Not that I know of at this time.
 

tui

Well-Known Member
Jun 15, 2007
145
40
78
Mexico
cPanel Access Level
Root Administrator
Hey there! I think the main issue is the root cause of the notification. PHP-FPM process are longer-running than their more traditional PHP counterparts, so I think disabling the process time check for that specific process globally is a fine option.

1 - I'm not sure I understand this question - can you get me more details?
2 - Adding the specific Roundcube executable will stop that notification for all users.
3 - We determined this is happening by design during the nightly updates as WordPress Toolkit required PHP-FPM, so there's not a way to disable that. Is there a specific reason you need this disabled? We ship this is a default and few users run into issues with that configuration.
4 - Not that I know of at this time.
For 1 and 2

The problem is that there is no way to disable the process time check for specific process as php-fpm just show itself as the process but not the exact process

In this specific case (but there are more cases that apply) CSF/LFD sees the process as "Executable: /usr/local/cpanel/3rdparty/php/74/sbin/php-fpm" and the command line as "Command Line: php-fpm: pool user_useraccount", but the real process is "webmaild" (as you can see on the attached image) that is roundcube

There is no way to add webmaild or roundcube to the pignore list because php-fpm is what CSF/LFD sees, no mater if you add webmaild or roundcube to ignore, alerts about php-fpm will still triggering

If you turn off php-fpm for cpanel, the process changes and CSF/LFD sees the process exactly as the command that is triggering it and then you can ignore the process but not with php-fpm

So, if i add php-fpm to ignore and a user execute a php script to do nasty things i will never get the alert, did you get what is happening here?

The same ocurrs if you use cgi/fcgi as a php handler for domains because cgi/fcgi never shows you the exact process, but this is not problem because we can change the php handler to suphp but not for php-fpm for cpanel

In this case, if a user keeps the webmail opened in the browser all the time i receive php-fpm alerts every xx time and there is no way to ignore the webmaild service
 

Attachments