Manually Upgrading PHP
Infrastructure: PHP 8.4 (Remi Repository)
Platform: RHEL/Rocky Linux 9
Overview
Diskover Web runs on PHP 8.4 via PHP-FPM, served behind Nginx. Periodically, PHP must be upgraded to pick up security patches, bug fixes, or minor version bumps from the Remi repository.
This guide covers two scenarios:
Online upgrade — The server can reach the Remi and EPEL repositories directly.
Offline / restricted-network upgrade — The server is air-gapped or firewalled and cannot reach external repositories without explicit allowlisting.
Both paths end with the same post-upgrade verification and ownership fix steps.
Understanding PHP-FPM in the Diskover Stack
PHP-FPM (FastCGI Process Manager) is the runtime that executes the Diskover Web UI. Nginx proxies incoming HTTP/HTTPS requests to PHP-FPM through a Unix socket.
Diskover installs PHP 8.4 from the Remi repository on RHEL-family systems and configures PHP-FPM to run under the nginx user/group. Key paths on RHEL/Rocky 9:
Item | Path |
|---|---|
PHP-FPM binary |
|
PHP-FPM config |
|
Pool config (www) |
|
php.ini | Located via |
Socket |
|
Session & cache dirs |
|
Systemd unit |
|
When PHP packages are upgraded, the package manager can overwrite pool configuration and reset directory ownership. The steps below account for both of these known side effects.
Prerequisites
Requirement | Detail |
|---|---|
OS | RHEL, CentOS, or Rocky Linux 9 |
Current PHP | PHP 8.4 already installed via Remi |
Access | Root or sudo privileges on the web host |
Web server | Nginx (Diskover Web must be on this host) |
Maintenance window | Recommended — PHP-FPM restart briefly interrupts web UI access |
Pre-Upgrade Checklist
- Confirm current PHP version:
/opt/remi/php84/root/usr/sbin/php-fpm -v
- Verify PHP-FPM is running:
systemctl status php-fpm
- Note current session directory ownership (see Backup section)
- Schedule a brief maintenance window (the web UI will be unavailable during the PHP-FPM restart)
Backup
Before making any changes, back up the PHP-FPM pool configuration and record the current ownership of the session directory. You will need both if you need to roll back.
Back up the pool config:
find / -name "www.conf" -type f 2>/dev/null
This returns the full path — typically /etc/opt/remi/php84/php-fpm.d/www.conf.
cp /etc/opt/remi/php84/php-fpm.d/www.conf /etc/opt/remi/php84/php-fpm.d/www.conf.backup
Record session directory ownership:
ls -l /var/opt/remi/php84/lib/php/
Expected output (Diskover default):
drwxrwx--- 2 root nginx    6 Nov 19 00:32 opcache
drwxr-xr-x 2 root nginx   36 Nov 26 12:15 peclxml
drwxrwx--- 2 root nginx 4096 Jan 13 09:58 session
drwxrwx--- 2 root nginx    6 Nov 19 00:32 wsdlcache
Save or screenshot this output — you will compare against it after the upgrade.
Online Upgrade
Use these steps when the server has direct internet access to the Remi and EPEL repositories.
Step 1: Install the Remi and EPEL Repositories (if not already present)
dnf install https://rpms.remirepo.net/enterprise/remi-release-9.rpm
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
Remi is a trusted third-party repository that provides PHP 8.4 packages for RHEL-family distributions. The EPEL repository is a required dependency of the Remi repository.
Note: If these repositories are already installed from the original Diskover deployment, these commands will report that the packages are already present. That is expected — you can safely move on.
Step 2: Upgrade PHP Packages
dnf upgrade "php8*"
Review the transaction summary and confirm when prompted.
Step 3: Restart PHP-FPM
systemctl restart php-fpm
Verify the service is active:
systemctl status php-fpm
You should see active (running) in the output. If the service fails to start, check the troubleshooting section below.
Step 4: Fix Session Directory Ownership
The upgrade can reset directory ownership from nginx to apache, which breaks PHP session management and prevents users from logging in to the Diskover Web UI.
Check the current ownership:
ls -l /var/opt/remi/php84/lib/php/
If the group has changed to apache, restore it:
chown -R root:nginx /var/opt/remi/php84/lib/php/
Verify the fix:
ls -l /var/opt/remi/php84/lib/php/
All directories should now show root nginx ownership.
Note: Diskover's PHP-FPM pool runs under the nginx user/group by default. If your environment was originally configured with different ownership (e.g., nginx:nginx), restore to whatever was recorded in the Backup step above.
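The Backup step and Step 4 can be scripted so the comparison does not depend on a saved screenshot. This is an added example, not part of the Diskover guide; the baseline file name is an assumption, and the directory is the one used above.

```shell
#!/bin/sh
# Added example, not part of the Diskover guide. BASELINE is an assumed file name.
PHP_LIB_DIR="${PHP_LIB_DIR:-/var/opt/remi/php84/lib/php}"
BASELINE="${BASELINE:-/root/php84-lib-ownership.txt}"

# snapshot_ownership DIR
#   Prints "name owner:group mode" for each immediate subdirectory, sorted by name.
snapshot_ownership() {
    ( cd "$1" || exit 2
      for d in */; do
          [ -d "$d" ] || continue
          stat -c '%n %U:%G %a' "${d%/}"
      done | sort )
}

# ownership_drift BASELINE_FILE DIR
#   Prints the current line for every subdirectory whose owner, group or mode
#   differs from the baseline (or that is new). Returns 0 if none, 1 otherwise.
ownership_drift() {
    now=$(mktemp) || return 2
    snapshot_ownership "$2" > "$now"
    # comm -13 keeps only lines that exist in the current state but not in the baseline.
    drift=$(sort "$1" | comm -13 - "$now")
    rm -f "$now"
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Usage: run with "save" before dnf upgrade, and with "check" after restarting php-fpm.
case "${1:-}" in
    save)  snapshot_ownership "$PHP_LIB_DIR" > "$BASELINE" ;;
    check) ownership_drift "$BASELINE" "$PHP_LIB_DIR" ;;
esac
```

A non-empty result from `check` lists the directories to restore with the chown command from Step 4, for example a `session` line whose group now reads apache.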
Step 5: Verify the Web UI
Open the Diskover Web UI in a browser and confirm you can log in successfully.
Restricted-Network Upgrade
Use these steps when the server cannot reach external repositories directly due to firewall rules or air-gap policies.
Step 1: Install the Remi and EPEL Repositories
Follow the same repository installation as Step 1 of the Online Upgrade. If the server cannot reach the RPM URLs at all, download the RPMs on a machine with internet access, transfer them to the server, and install locally:
dnf install ./remi-release-9.rpm
dnf install ./epel-release-latest-9.noarch.rpm
Step 2: Configure the Remi Modular Repository
Edit the Remi modular repository configuration to use a direct base URL instead of mirrors:
vim /etc/yum.repos.d/remi-modular.repo
Make these changes:
Comment out the mirrorlist line (add # at the beginning):
#mirrorlist=http://cdn.remirepo.net/enterprise/$releasever/modular/$basearch/mirror
Uncomment the baseurl line and ensure it points to the HTTPS URL your network allows:
baseurl=https://rpms.remirepo.net/enterprise/$releasever/modular/$basearch/
Set enabled to 1:
enabled=1
In an offline environment, mirrors are unreachable unless explicitly allowlisted. Switching to a direct baseurl lets the server pull packages from a single, known URL that your network team can add to the firewall allowlist.
Step 3: Configure the Remi Safe Repository
Apply the same changes to the remi-safe repository:
vim /etc/yum.repos.d/remi-safe.repo
- Comment out mirrorlist
- Uncomment and set baseurl to https://rpms.remirepo.net/...
- Set enabled=1
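The edits from Steps 2 and 3 can be checked before DNF touches the network. This is an added example, not part of the Diskover guide: the sample file is constructed, the remi-safe URLs in it are placeholders, and the gpgcheck finding is an extra check that the steps above do not mention.

```shell
#!/bin/sh
# Added example, not part of the Diskover guide.

# sample_repo: prints a constructed .repo file (the remi-safe URLs are placeholders).
sample_repo() {
    cat <<'EOF'
[remi-modular]
#mirrorlist=http://cdn.remirepo.net/enterprise/$releasever/modular/$basearch/mirror
baseurl=https://rpms.remirepo.net/enterprise/$releasever/modular/$basearch/
enabled=1

[remi-safe]
mirrorlist=http://mirror.example.invalid/list
#baseurl=https://repo.example.invalid/safe/
enabled=0
EOF
}

# audit_repo FILE REPO_ID
#   Checks one [REPO_ID] section against Steps 2-3. Prints one finding per line;
#   returns 0 = matches, 1 = findings, 2 = section not found.
audit_repo() {
    awk -v id="$2" '
        /^[ \t]*\[/ { insec = ($1 == ("[" id "]")); if (insec) seen = 1; next }
        !insec || /^[ \t]*[#;]/ { next }        # other sections and comment lines
        { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
          val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val) }
        key == "mirrorlist" { print "mirrorlist is still active"; bad = 1 }
        key == "baseurl" {
            base = 1
            if (val !~ /^https:\/\//) { print "baseurl is not HTTPS: " val; bad = 1 }
        }
        key == "enabled" { en = (val == "1") }
        # Extra check beyond the guide: hand edits must not turn off signature checks.
        key == "gpgcheck" && val == "0" { print "gpgcheck is disabled"; bad = 1 }
        END {
            if (!seen) { print "section [" id "] not found"; exit 2 }
            if (!base) { print "baseurl is not set"; bad = 1 }
            if (!en)   { print "repository is not enabled"; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Usage: sh audit_repo.sh /etc/yum.repos.d/remi-modular.repo remi-modular
if [ "$#" -eq 2 ]; then audit_repo "$1" "$2"; fi
```

After Step 8 the same check is expected to report "repository is not enabled" for both repositories.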
Step 4: Rebuild the Repository Metadata Cache
dnf makecache --disablerepo="*" --enablerepo="remi-modular,remi-safe"
This command:
- --disablerepo="*" — Temporarily disables all repositories to avoid timeout errors against unreachable repos.
- --enablerepo="remi-modular,remi-safe" — Enables only the two Remi repositories you just configured.
- makecache — Downloads the package metadata catalog so DNF knows what updates are available.
Step 5: Upgrade PHP Packages
dnf upgrade "php*" --disablerepo="*" --enablerepo="remi-modular,remi-safe"
The --disablerepo / --enablerepo flags ensure the upgrade only pulls from the Remi repositories you configured, avoiding errors from unreachable default repos.
Step 6: Restart PHP-FPM and Fix Ownership
Follow the same post-upgrade steps as the Online path:
systemctl restart php-fpm
systemctl status php-fpm
Fix ownership if needed:
ls -l /var/opt/remi/php84/lib/php/
chown -R root:nginx /var/opt/remi/php84/lib/php/
Step 7: Verify the Web UI
Open the Diskover Web UI in a browser and confirm you can log in successfully.
Step 8: Disable Repositories (Recommended)
Once the upgrade is complete, disable the Remi repositories to prevent unintended package pulls during future dnf update operations:
vim /etc/yum.repos.d/remi-modular.repo
Change enabled=1 to enabled=0. Repeat for remi-safe.repo.
Verify only your standard system repositories remain active:
dnf repolist
You should see only your base RHEL/Rocky repositories — not the Remi repos.
Service Management
Action | Command |
|---|---|
Start |
|
Stop |
|
Restart |
|
Status |
|
Logs |
|
Verification
Check | Command | Expected Result |
|---|---|---|
PHP-FPM running |
|
|
PHP version |
| Shows updated PHP 8.4.x version |
Session dir ownership |
|
|
Socket exists |
| Socket file present, owned by |
Web UI accessible | Browse to | Diskover login page loads |
Login works | Log in with valid credentials | Dashboard loads without session errors |
Troubleshooting
Issue | Cause | Solution |
|---|---|---|
PHP-FPM fails to start after upgrade | Pool config overwritten by upgrade | Restore |
Cannot log in to Diskover Web UI | Session directory ownership reset to | Run |
Nginx returns 502 Bad Gateway | PHP-FPM socket missing or not running | Verify PHP-FPM is running ( |
| Mirrorlist still enabled or baseurl not set | Verify |
| Trying to reach disabled repos | Use |
PHP-FPM running but pages blank/broken | php.ini or extension config changed by upgrade | Compare current php.ini with pre-upgrade version; check for disabled extensions |
Log Locations:
Component | Log Location |
|---|---|
PHP-FPM error log |
|
PHP-FPM slow log |
|
Nginx error log |
|
PHP-FPM systemd |
|
Support
Remi Repository documentation: https://blog.remirepo.net/post/2024/12/18/Install-PHP-8.4-on-Fedora-RHEL-CentOS-Alma-Rocky-or-other-clone