apache 2.2 + suexec + mod_fcgid 2.1 + php-cgi: nproc ulimit ineffective, rabid process spawning occurs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello everyone,

I'm running a webserver (Server version: Apache/2.2.4 (Unix)) on Gentoo 
GNU/Linux, Kernel 2.6.22 (x86, Gentoo patchset) for quite some time now, and 
cannot seem to fix my problems regarding a per-user 
number-of-processes-restriction I need to implement.

I'll post the sections of all the configs I consider relevant to the problem; 
I think that'll make it easiest for everyone interested to follow...

+-----
mod_fcgid.conf (this one's global to apache, it's mostly adopted verbatim from 
my distribution's defaults):
<IfDefine FCGID>
        SharememPath /var/run/fcgid_shm
        SocketPath /var/run/fcgid.sock
        IPCCommTimeout 45
        MaxProcessCount 12
        MaxRequestsPerProcess 500
        DefaultMaxClassProcessCount 4
        IdleTimeout 3600
        ProcessLifeTime 36000
        <IfModule !mod_fcgid.c>
                LoadModule fcgid_module modules/mod_fcgid.so
        </IfModule>
        <IfModule mod_fcgid.c>
                AddHandler fcgid-script .fcg
        </IfModule>
        <Location /fcgid>
                SetHandler fcgid-script
                Options ExecCGI
                allow from all
        </Location>
        <IfDefine PHP>
                AddHandler fcgid-script .php
        </IfDefine>
</IfDefine>
+-----


+-----
vhost.conf (irrelevant parts left out):
<VirtualHost *:80>
	#[...]
        ServerRoot "/home/www_michaelk/www/nicoleundmichael.at"
        DocumentRoot "/home/www_michaelk/www/nicoleundmichael.at/htdocs"
        <IfDefine SUEXEC>
                SuexecUserGroup "www_michaelk" "www_michaelk"
                <IfDefine FCGID>
                        <IfDefine PHP>
                                AddHandler fcgid-script .php
                        </IfDefine>
                        <IfDefine !PHP>
                                <FilesMatch "\.(php)$">
                                        Deny from all
                                </FilesMatch>
                        </IfDefine>
                </IfDefine>
        </IfDefine>
        <Directory "/home/www_michaelk/www/nicoleundmichael.at">
                AllowOverride None
                Order Deny,Allow
                Deny from all
        </Directory>
        <Directory "/home/www_michaelk/www/nicoleundmichael.at/htdocs">
                FCGIWrapper "/var/www/fcgi-wrap/www_michaelk/php.fcgi" .php
                AllowOverride AuthConfig FileInfo Options
                Options +ExecCGI
                Order deny,allow
                Allow from all
        </Directory>
</VirtualHost>
+-----

+-----
php.fcgi (this one's the wrapper invoking php):
#!/bin/bash
export PHPRC="/home/www_michaelk/conf/nicoleundmichael.at/"
export PHP_FCGI_CHILDREN=3
export PHP_FCGI_MAX_REQUESTS=15000
exec /usr/bin/php-cgi
+-----


+-----
/etc/security/limits.conf (relevant part only):
www_michaelk        hard        nproc           25
+-----

If I throw a real lot of requests (100K+) on one site hosted in this manner 
now, at some point, mod_fcgid begins spawning new processes seemingly without 
killing/discarding any old ones. I'd expect mod_fcgid to restrict the max. 
number of processes it dispatches requests to to the value 
of "MaxProcessCount", but this turns out not to be the case.
I always end up with one process above my actual ulimit (I suppose that's 
because of how Linux handles changing a process' effective user id, right?), 
leaving my users unable to login, because it's impossible for them to start a 
new shell.

I already tried fiddling with all the values I suspected of having an impact 
on the situation ("PHP_FCGI_CHILDREN" in the wrapper, "MaxProcessCount" and 
cousins in the mod_fcgid configuration), but nothing actually yielded 
success.

I'm running out of ideas on what to try next, so I figured I'd cry for help by 
posting here. I highly appreciate any sort of input that might lead me into 
the right direction to fix this - thanks in advance for your efforts!

If you feel there's need for additional info I did not provide yet, please 
don't hesitate to let me know.

-- 
with best regards:
- Johannes Truschnigg ( johannes.truschnigg@xxxxxx )

www: http://johannes.truschnigg.info/
phone: +43 650 2 133337
jabber: johannes.truschnigg@xxxxxxxxx

Please do not bother me with HTML-eMail or attachments. Thank you.

Attachment: signature.asc
Description: This is a digitally signed message part.


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux