Re: Limit resources per virtual host

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



could someone please help me ? thanks.

On Thu, 2009-03-26 at 23:45 +0100, Jurgen Lamsens wrote:
> Hi all,
> 
> I'm having an annoying and rather complex problem, and couldn't find any
> decent answer crawling the net for hours, visiting forums, reading
> FAQs/official documentation, including the very interesting article at
> http://blog.stuartherbert.com/php/2007/11/21/the-challenge-with-securing-shared-hosting/ 
> 
> It takes a while to explain, so please bear with me.
> 
> I'm using apache with MPM-worker to host 800 sites on a server, and use
> suPHP for the obvious security reason. I'm running PHP as an external
> PHP5-CGI binary. Users are in MySQL.
> 
> In /etc/apache/apache2.conf, I have configured the following directives:
> (I put in comments, what 'I' understand they mean)
> 
> <IfModule mpm_worker_module>
> # initial number of apache child processes spawned
>     StartServers          2	
> # the maximum total number of threads in all processes = maximum number
> of clients that may be served simultaneously
>     MaxClients          250
> # minimum/maximum amount of threads kept spare in total over all child
> processess
>     MinSpareThreads      25
>     MaxSpareThreads      75 
> # maximum amount of threads per child process; apache never spawns more
>     ThreadsPerChild      25
> # max number of requests that a process will handle, before it is killed
> (to avoid memory leaks)
>     MaxRequestsPerChild  1000
> </IfModule>
> 
> With the MPM-worker module, I understand you have a root 'apache parent
> control process' (root, because it binds to port 80) This process spawns
> an initial 2 apache child processess, running under www-data, but growth
> is possible. Each of those child processess spawns 25 idle server
> threads (actually 26; 25 +1 listener thread), ready to accept
> connections:
> 
> apache root parent control process
> 	apache child process1
> 		server thread1
> 		server thread2
> 		...
> 		server thread25
> 	apache child process2
> 		server thread1
> 		server thread2
> 		...
> 		server thread25
> 
> >From what I understand at
> http://httpd.apache.org/docs/2.0/mod/worker.html, if there are maximum
> 250 simultaneous connections possible (threads), and there are 25
> threads per child process, there should only be a maximum of 250/25 = 10
> child processess possible, right ?
> 
> Question 1: Then why does apache spawn more than 10 child processes,
> making 1 or a couple of virtual hosts eat up all my server resources ->
> starting to swap as hell -> often killing my apache parent root process:
> 
> This is a snapshot of a live environment, where for the moment
> everything goes well, but it never lasts...
> 
> pstree -cG
> init─┬─apache2─┬─apache2─┬─php5-cgi
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         └─{apache2}
>      │         ├─apache2─┬─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2
>      │         ├─apache2
>      │         ├─apache2─┬─php5-cgi
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2───{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─php5-cgi
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         ├─apache2─┬─php5-cgi
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         ├─{apache2}
>      │         │         └─{apache2}
>      │         └─apache2─┬─php5-cgi
>      │                   └─{apache2}
> 
> 
> QUESTION 2: as you can see; why does apache not use all the idle threads
> first before spawning new processes with new idle threads ?
> 
> QUESTION 3: I did not find a lot of information, on limiting the amount
> of resources (cpu, ram, io, disk) 1 customer can have:
> - mod_slotlimit:
> http://www.debianadmin.com/manage-apache-resources-limits-with-mod_slotlimit.html (but this involves prefork I see)
> - apache core: http://httpd.apache.org/docs/1.3/mod/core.html#rlimitcpu,
> rlimitmem, rlimitnproc
> -> only for processes forked off from the apache child processes, not
> for in-process request e.g. mod_perl, libapache2-mod-php (but that works
> for me as I run PHP as a CGI process that is forked off from the apache
> child process)
> 
> Making sure every user gets it's share, is crucial to working in a
> shared environment; how can I make sure this happens ?
> 
> Thanks for reading, and thanks in advance.
> 
> Jurgen L.
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux