
Awks's avatar
Level 3

PHP-FPM restart not working on Envoyer - NOPASSWD

Hello there :)

I've already used Envoyer with a provisioned server from Forge. But today I would like to use Envoyer with a custom server.

Forge tells me something about a PHP-FPM reloading failure:

PHP FPM appears to be running on your server, but we were unable to reload it. This is typically because your SSH user is not allowed to reload the service without hitting a password prompt.

To allow my user to reload the service without a password, I ran the following commands on my server:

echo "myuser ALL=NOPASSWD: /usr/sbin/service php5-fpm reload" | sudo tee -a /etc/sudoers.d/php-fpm > /dev/null

echo "myuser ALL=NOPASSWD: /usr/sbin/service php7.0-fpm reload" | sudo tee -a /etc/sudoers.d/php-fpm > /dev/null

To try it, I'm running this command:

myuser@myhost-preprod:/$ /usr/sbin/service php7.0-fpm reload

But I still get the prompts:

==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to reload 'php7.0-fpm.service'.
Authenticating as: ,,, (myuser)
Password:

myuser is in the 'sudo' group and sudo -l gave me this output:

myuser@myhost-preprod:~$ sudo -l
Matching Defaults entries for myuser on myhost-preprod.localdomain:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User myuser may run the following commands on myhost-preprod.localdomain:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/sbin/service php5-fpm reload
    (root) NOPASSWD: /usr/sbin/service php7.0-fpm reload

Any idea?

Thanks a lot

0 likes
7 replies
ejdelmonico's avatar

To my knowledge, both Forge and Envoyer use the forge user to perform any tasks. I believe you would have to use the forge user to perform the restart or check the box in Envoyer...which will still use the forge user.

bashy's avatar

The trouble with adding a user to "sudo" group is that it is after the initial settings which means they override it. Try removing from sudo group and testing it. You should add the nopasswd entry above the rest (sudo visudo) or just include them via the .d folder.

mtxz's avatar

Have you fixed the issue? I've exactly the same problem.

My sudoers configuration is OK, and sudo -l also shows that my user is able to reload php-fpm (sudo -l -U myuser).

  • First two lines come from /etc/sudoers
  • Third line comes from /etc/sudoers.d/90-cloud-config (from OVH deployments)
  • Fourth and Fifth lines from my /etc/sudoers.d/php-fpm
(ALL : ALL) ALL
(ALL : ALL) ALL
(ALL : ALL) NOPASSWD: ALL
(root) NOPASSWD: /usr/sbin/service php7.0-fpm reload
(root) NOPASSWD: /usr/sbin/service php5-fpm reload

But trying to reload the service still gives me:

running (as myuser)

 /usr/sbin/service php7.0-fpm reload

gives

==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to reload 'php7.0-fpm.service'.
Authenticating as: myuser(myuser)

And so, Envoyer throws a warning about not being able to reload php-fpm. The same command works perfectly when logged in as root, of course.

Running on an OVH server... Tried everything, I'm wondering if it's not another configuration from OVH deployment that forces these security settings, and overrides sudoers configs.

EDIT:

  • I tried to add a custom hook before cloning the release "sudo -i" to gain root, but it does not work
  • I disabled in the server setting the PHP-FPM restart, but next steps also failed
  • Envoyer tries to create a new folder in /var/www/myproject, but fails because of permissions, even if the Envoyer user is in the same group (www-data)...
  • I really think it's all about permission issues
boromake's avatar

@mtxz or anyone:

I was running into this same problem today. I have used Forge in the past, but for this project I am just using Envoyer plus an AWS EC2 instance.

When I was testing my connection status through Envoyer, I was also getting the "PHP FPM appears to be running on your server, but we were unable to reload it. This is typically because your SSH user is not allowed to reload the service without hitting a password prompt." error message.

However, what I found in my case is that the message had nothing to do with the real problem. My problem ended up being that I created the 'authorized_key' file in the wrong place so Envoyer wasn't even able to connect to my AWS instance.

If you are getting this error message, and you have already run the 'echo "myuser ALL=NOPASSWD: /usr/sbin/service php7.0-fpm reload" | sudo tee -a /etc/sudoers.d/php-fpm > /dev/null' command that Envoyer suggests, then try these things as well:

  • in the command above, make sure it is referencing the correct version of fpm. (ie are you really using php7.0-fpm)
  • make sure you have created a user that Envoyer can use, that you have added Envoyer's SSH key to the 'authorized_key' file of that user, and in your Envoyer server setup you have referenced the same user for 'connect as'.
  • if you are using AWS or some other host, make sure you don't have a firewall or anything blocking SSH connections from Envoyer. Envoyer's documentation will give you a list of IPs you can whitelist.
4 likes
edwardkarlsson's avatar

Thanks @boromake. For a while I couldn't figure out why I kept getting "failed to connect" with the described error message. But your hint about the firewall got me to realize that it was the firewall that was the actual problem... not the permissions.

The IPs to allow are listed in the docs. https://envoyer.io/docs

2 likes
carminedmsza@gmail.com's avatar

Had the same issue. The message is very misleading in this case. Thanks for the solution.

keleskandarany's avatar

I had the same issue and this is how I fixed it

The visudo command is a safe way to edit the sudoers file. The sudoers file allows you to define commands that any user can run as root without having to enter a password. You'll need sudo rights to run the visudo command.

To add php-fpm to the sudoers file, run:

sudo visudo

Then add this line to the bottom of the file. Make sure to change "USERNAME" with the name of your user.

USERNAME ALL=(ALL) NOPASSWD: /usr/sbin/service php*.*-fpm reload

Note that this line contains a wildcard php*.*-fpm. This allows you to flush any version of php-fpm with a single command. You can flush php7.4-fpm, php8.0-fpm, and php8.1-fpm without having to edit the sudoers file anymore.

After you've edited the sudoers file, you can now reload the php-fpm service without entering a password using the following command:

sudo -S service php*.*-fpm reload

And if you want to be extra careful, run it like this: echo "" | sudo -S service php*.*-fpm reload

Why echo "" | sudo ...? The "echo + pipe + sudo" is a trick that causes the command to fail instantly if a sudo password is required. This is useful if the visudo whitelist is misconfigured. Without the echo, when prompted for a password, the script will try to use the next three commands as the password. This can have unexpected consequences.

1 like
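
An added example, not part of the post above: sudoers(5) matches command-line arguments as one concatenated string, so a wildcard such as php*.*-fpm can span spaces and admit more than a bare reload. The sketch approximates that matching with shell globbing and emits one exact rule per version instead; rule_admits and exact_rules are hypothetical helper names, and the user and versions are sample values.

```shell
#!/bin/sh
# Added illustration; rule_admits and exact_rules are hypothetical helpers.

# Approximate sudoers argument matching: sudo joins the arguments into one
# string and globs against it, so '*' can span spaces (see sudoers(5)).
rule_admits() {   # $1 = argument pattern from the rule, $2 = requested arguments
    case "$2" in
        $1) return 0 ;;   # unquoted on purpose: $1 is used as a glob pattern
        *)  return 1 ;;
    esac
}

# Emit one exact NOPASSWD rule per PHP version instead of a wildcard rule.
exact_rules() {   # $1 = user, remaining arguments = versions such as 7.4 8.1
    user=$1; shift
    for v in "$@"; do
        case "$v" in
            [0-9].[0-9])
                printf '%s ALL=(root) NOPASSWD: /usr/sbin/service php%s-fpm reload\n' \
                    "$user" "$v" ;;
            *)
                echo "skipping unexpected version: $v" >&2 ;;
        esac
    done
}

# Constructed sample requests checked against the wildcard rule's arguments.
WILD='php*.*-fpm reload'
for args in 'php8.1-fpm reload' 'php8.1-fpm status x.y-fpm reload' 'nginx reload'; do
    if rule_admits "$WILD" "$args"; then
        echo "admitted by wildcard rule: service $args"
    else
        echo "rejected by wildcard rule: service $args"
    fi
done

# Exact rules for the versions actually installed (sample values).
exact_rules myuser 7.4 8.1
```

Check the generated rules with visudo -cf on a temporary file before placing them in /etc/sudoers.d.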
