For the overall OPcache size check, we currently compare used memory with free memory. However, `opcache.memory_consumption` is split into `used_memory`, `free_memory` and `wasted_memory`. When cached files change on disk, old entries are not replaced or removed, but remain as wasted memory, until the cache is actually full, and if their percentage is above `opcache.max_wasted_percentage`, which is 5% by default. When this happens, the engine is restarted, resetting the cache completely, like a `opcache_reset()` call.
As long as we do not consider wasted cache, recommendations based on free memory can be false. To solve this, we could count wasted memory as free memory, if it is above `opcache.max_wasted_percentage`, as the engine will be restarted as soon as needed, freeing up this wasted space. On the other hand, wasted memory below the threshold permanently blocks the OPcache, which supports counting it as used memory. Depending on the situation, instead of raising OPcache size, it could be also advised to reduce `opcache.max_wasted_percentage`. But too frequent cache resets break its purpose as well.
In my opinion, the matter is too complex to consider wasted cache correctly, and do precise recommendations, but we should focus on reducing false positives instead. What we know for sure is: if the cache is full (`$status['cache_full'] === true`), and the limit for cached keys has not been reached, the OPcache was too small to maintain free space, with wasted memory below the configured threshold, where it consumes memory permanently. Recommending to raise the OPcache size in this case, is hence as accurate as it gets. Even if 5% wasted cache could be freed, 95% used memory is still above the previous threshold for the setup check warning. And if `opcache.max_wasted_percentage` is above 5%, then the admin must have decided to change the default, deciding that system memory consumption has lower priority than preventing OPcache engine restarts.
`cache_full` can be true as well if the limit for cached keys has been reached, hence we need to merge both checks. In this case `num_cached_keys` equals `max_cached_keys` exactly, hence it is easy to differentiale whether `opcache.max_accelerated_files` or `opcache.memory_consumption` needs to be raised to address the `cache_full` state.
In practice, this change relaxes the checks: the respective limit needs to be reached 100% instead of 90%, to trigger a warning, eliminating also false alarms if a large share of the cache is consumed by wasted memory, which would be automatically freed once cache is 100% full.
Additionally, the recommendation for raising `opcache.max_accelerated_files` now says "a value higher than `max_cached_keys`", instead of "higher than `opcache.max_accelerated_files`". The actual limit, reflected by `max_cached_keys` from `opcache_get_status()`, [is a next higher value from a set of prime numbers](https://www.php.net/manual/en/opcache.configuration.php#ini.opcache.max-accelerated-files). E.g. if `opcache.max_accelerated_files` is set to 10,000 (PHP default), the effective limit is 16,229 OPcache keys. Recommending "higher than 10000" could hence lead to a settings change without effect. For an effective change, the new value needs to be "higher than 16229" instead, which is what the setup check will show in this situation, with this change applied.
Signed-off-by: MichaIng <micha@dietpi.com>
This trait is used by other apps for creating setup checks,
so we should provide it instead apps using private API.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
We basically mock the way `URLGenerator::getAbsoluteURL` works,
so we must make sure that the URL might already contain the webroot.
Because `baseURL` and `cliURL` also contain the webroot we need to remove
the webroot from the URL first.
Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
Co-authored-by: Daniel <mail@danielkesselberg.de>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
1) The checks for well-known urls should always run against the root domain and therefore the option to remove the webroot.
2) For trusted domains, the available protocol is unknown, and thus some guesswork would be needed to make that work. I've decided for now to not consider them anymore to reduce false-positives.
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
When checking for public (web) access to the data directory the status is not enough
as you might have a webserver that forwards to e.g. a login page.
So instead check that the content of the file matches.
For this the `.ncdata` file (renamed from `.ocdata`¹) has minimal text content
to allow checking.
¹The file was renamed from the legacy `.ocdata`, there is a repair step to remove the old one.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Enjeck C
Josh
Ferdinand Thiessen
Joas Schilling
MichaIng
invario
rakekniven
Joas Schilling
Marcel Klehr
Johan Bernhardsson
Andy Scherzinger
Côme Chilliet
Git'Fellow
skjnldsv
Benjamin Gaussorgues
provokateurin
Daniel Kesselberg
Julius Härtl
Anna Larch