Long-Running CLI Applications with the Suhosin Patch

A side effect of the Suhosin patch is that it prevents the PHP Agent from ensuring cleanup in long-running CLI applications.

If your PHP has the Suhosin patch, it is possible that resources will not be freed in long-running applications. Thus memory leaks could result if the application itself does not explicitly free these resources.

The long-running-cli feature defends PHP applications in an environment in which both of the following conditions exist:

  • PHP with the Suhosin patch is running on Debian or Ubuntu. It is common for Debian and Ubuntu PHPs to have this patch. This feature is not needed for PHPs with only the Suhosin extension, which is different from the patch. Be aware that some PHPs use both the extension and the patch.
  • Using the PHP Agent API, you are instrumenting a CLI application that has multiple unbounded business transactions running on the same process.
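
To tell which of these cases applies to a given PHP build, the following added example (not part of the original page, and not the agent's own detection logic) classifies the `php -v` banner. It assumes that patched builds print `Suhosin-Patch` in the banner and that the extension adds a `with Suhosin v<version>` line; the function names and sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PHP build from its `php -v` banner (read on stdin).
# Assumption: patched builds print "Suhosin-Patch" in the first banner line,
# and the Suhosin extension adds a "with Suhosin v<version>" line.
classify_suhosin() {
    banner=$(cat)
    patch=no; ext=no
    if printf '%s\n' "$banner" | grep -q 'Suhosin-Patch'; then patch=yes; fi
    if printf '%s\n' "$banner" | grep -Eq 'with Suhosin v[0-9]'; then ext=yes; fi
    case "$patch/$ext" in
        yes/yes) echo both ;;
        yes/no)  echo patch ;;
        no/yes)  echo extension ;;
        *)       echo none ;;
    esac
}

# The long-running-cli feature matters only when the patch is present,
# with or without the extension.
needs_long_running_cli() {
    case "$(classify_suhosin)" in
        patch|both) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample banners (not captured from a real host).
sample_patched() {
    printf '%s\n' 'PHP 5.3.3-7+squeeze19 with Suhosin-Patch (cli) (built: Jan  1 2014 00:00:00)' \
                  'Copyright (c) 1997-2009 The PHP Group'
}
sample_extension_only() {
    printf '%s\n' 'PHP 5.4.45 (cli) (built: Jan  1 2016 00:00:00)' \
                  'Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies' \
                  '    with Suhosin v0.9.38, Copyright (c) 2007-2015, by SektionEins GmbH'
}
sample_both() { sample_patched; sample_extension_only | tail -n 1; }

# Print the classification of each constructed sample.
for s in sample_patched sample_extension_only sample_both; do
    printf '%s: %s\n' "$s" "$("$s" | classify_suhosin)"
done
```

On a real host, pipe the output of `php -v` into `classify_suhosin` instead of a sample banner.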

How the Long-Running CLI Feature Works

At installation time, if the installer determines that PHP has the Suhosin patch and CLI is enabled (agent.cli_enabled=1), the outcome depends on the value of the installer option, as follows:

  • If true, a fatal error is generated and the installer terminates. With the option set, the installer refuses to instrument a long-running CLI application on a PHP installation with the Suhosin patch.
  • If false (the default), the installation continues and warns that memory leaks could occur in long-running CLI processes.

If the installer determines that PHP does not have the Suhosin patch, the installation continues. Long-running CLI processes are supported by the agent, since there is no Suhosin patch.

If the agent could not determine whether your PHP has the Suhosin patch at installation but it does detect the patch at runtime, having set the installer option to 'true' prevents the agent from instrumenting any CLI processes, not just long-running ones. This prevents the Suhosin-patched PHP from exiting.

If CLI is enabled and the installer did not terminate because of the detection of the Suhosin patch, Splunk AppDynamics recommends that you install the agent with the enable-cli-long-running option (for shell script installs) or the APPD_CONF_CLI_LONG_RUNNING_ENABLED environment variable (for RPM installs) set to true. This will defend your PHP if the patch is detected at runtime.

If the CLI part of your application does not get instrumented because the installer detected the Suhosin patch, you can unset the option by setting the agent.cli_long_running option in the PHP .ini file to off. Alternatively, you can re-install with the installer.