Hi all, I'm having an annoying and rather complex problem, and couldn't find any decent answer crawling the net for hours, visiting forums, reading FAQs/official documentation, including the very interesting article at http://blog.stuartherbert.com/php/2007/11/21/the-challenge-with-securing-shared-hosting/ It takes a while to explain, so please bear with me. I'm using apache with MPM-worker to host 800 sites on a server, and use suPHP for the obvious security reason. I'm running PHP as an external PHP5-CGI binary. Users are in MySQL. In /etc/apache/apache2.conf, I have configured the following directives: (I put in comments, what 'I' understand they mean) <IfModule mpm_worker_module> # initial number of apache child processes spawned StartServers 2 # the maximum total number of threads in all processes = maximum number of clients that may be served simultaneously MaxClients 250 # minimum/maximum amount of threads kept spare in total over all child processess MinSpareThreads 25 MaxSpareThreads 75 # maximum amount of threads per child process; apache never spawns more ThreadsPerChild 25 # max number of requests that a process will handle, before it is killed (to avoid memory leaks) MaxRequestsPerChild 1000 </IfModule> With the MPM-worker module, I understand you have a root 'apache parent control process' (root, because it binds to port 80) This process spawns an initial 2 apache child processess, running under www-data, but growth is possible. Each of those child processess spawns 25 idle server threads (actually 26; 25 +1 listener thread), ready to accept connections: apache root parent control process apache child process1 server thread1 server thread2 ... server thread25 apache child process2 server thread1 server thread2 ... server thread25 >From what I understand at http://httpd.apache.org/docs/2.0/mod/worker.html, if there are maximum 250 simultaneous connections possible (threads), and there are 25 threads per child process, there should only be a maximum of 250/25 = 10 child processess possible, right ? Question 1: Then why does apache spawn more than 10 child processes, making 1 or a couple of virtual hosts eat up all my server resources -> starting to swap as hell -> often killing my apache parent root process: This is a snapshot of a live environment, where for the moment everything goes well, but it never lasts... pstree -cG init─┬─apache2─┬─apache2─┬─php5-cgi │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ └─{apache2} │ ├─apache2─┬─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2 │ ├─apache2 │ ├─apache2─┬─php5-cgi │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2───{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─php5-cgi │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ └─{apache2} │ ├─apache2─┬─php5-cgi │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ ├─{apache2} │ │ └─{apache2} │ └─apache2─┬─php5-cgi │ └─{apache2} QUESTION 2: as you can see; why does apache not use all the idle threads first before spawning new processes with new idle threads ? QUESTION 3: I did not find a lot of information, on limiting the amount of resources (cpu, ram, io, disk) 1 customer can have: - mod_slotlimit: http://www.debianadmin.com/manage-apache-resources-limits-with-mod_slotlimit.html (but this involves prefork I see) - apache core: http://httpd.apache.org/docs/1.3/mod/core.html#rlimitcpu, rlimitmem, rlimitnproc -> only for processes forked off from the apache child processes, not for in-process request e.g. mod_perl, libapache2-mod-php (but that works for me as I run PHP as a CGI process that is forked off from the apache child process) Making sure every user gets it's share, is crucial to working in a shared environment; how can I make sure this happens ? Thanks for reading, and thanks in advance. Jurgen L. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx