Hi all,
I'm having an annoying and rather complex problem, and couldn't find any
decent answer crawling the net for hours, visiting forums, reading
FAQs/official documentation, including the very interesting article at
http://blog.stuartherbert.com/php/2007/11/21/the-challenge-with-securing-shared-hosting/
It takes a while to explain, so please bear with me.
I'm using apache with MPM-worker to host 800 sites on a server, and use
suPHP for the obvious security reason. I'm running PHP as an external
PHP5-CGI binary. Users are in MySQL.
In /etc/apache/apache2.conf, I have configured the following directives:
(I put in comments, what 'I' understand they mean)
<IfModule mpm_worker_module>
# initial number of apache child processes spawned
StartServers 2
# the maximum total number of threads in all processes = maximum number
of clients that may be served simultaneously
MaxClients 250
# minimum/maximum amount of threads kept spare in total over all child
processess
MinSpareThreads 25
MaxSpareThreads 75
# maximum amount of threads per child process; apache never spawns more
ThreadsPerChild 25
# max number of requests that a process will handle, before it is killed
(to avoid memory leaks)
MaxRequestsPerChild 1000
</IfModule>
With the MPM-worker module, I understand you have a root 'apache parent
control process' (root, because it binds to port 80) This process spawns
an initial 2 apache child processess, running under www-data, but growth
is possible. Each of those child processess spawns 25 idle server
threads (actually 26; 25 +1 listener thread), ready to accept
connections:
apache root parent control process
apache child process1
server thread1
server thread2
...
server thread25
apache child process2
server thread1
server thread2
...
server thread25
>From what I understand at
http://httpd.apache.org/docs/2.0/mod/worker.html, if there are maximum
250 simultaneous connections possible (threads), and there are 25
threads per child process, there should only be a maximum of 250/25 = 10
child processess possible, right ?
Question 1: Then why does apache spawn more than 10 child processes,
making 1 or a couple of virtual hosts eat up all my server resources ->
starting to swap as hell -> often killing my apache parent root process:
This is a snapshot of a live environment, where for the moment
everything goes well, but it never lasts...
pstree -cG
init─┬─apache2─┬─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2
│ ├─apache2
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2───{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ └─apache2─┬─php5-cgi
│ └─{apache2}
QUESTION 2: as you can see; why does apache not use all the idle threads
first before spawning new processes with new idle threads ?
QUESTION 3: I did not find a lot of information, on limiting the amount
of resources (cpu, ram, io, disk) 1 customer can have:
- mod_slotlimit:
http://www.debianadmin.com/manage-apache-resources-limits-with-mod_slotlimit.html (but this involves prefork I see)
- apache core: http://httpd.apache.org/docs/1.3/mod/core.html#rlimitcpu,
rlimitmem, rlimitnproc
-> only for processes forked off from the apache child processes, not
for in-process request e.g. mod_perl, libapache2-mod-php (but that works
for me as I run PHP as a CGI process that is forked off from the apache
child process)
Making sure every user gets it's share, is crucial to working in a
shared environment; how can I make sure this happens ?
Thanks for reading, and thanks in advance.
Jurgen L.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|