could someone please help me ? thanks.
On Thu, 2009-03-26 at 23:45 +0100, Jurgen Lamsens wrote:
> Hi all,
>
> I'm having an annoying and rather complex problem, and couldn't find any
> decent answer crawling the net for hours, visiting forums, reading
> FAQs/official documentation, including the very interesting article at
> http://blog.stuartherbert.com/php/2007/11/21/the-challenge-with-securing-shared-hosting/
>
> It takes a while to explain, so please bear with me.
>
> I'm using apache with MPM-worker to host 800 sites on a server, and use
> suPHP for the obvious security reason. I'm running PHP as an external
> PHP5-CGI binary. Users are in MySQL.
>
> In /etc/apache/apache2.conf, I have configured the following directives:
> (I put in comments, what 'I' understand they mean)
>
> <IfModule mpm_worker_module>
> # initial number of apache child processes spawned
> StartServers 2
> # the maximum total number of threads in all processes = maximum number
> of clients that may be served simultaneously
> MaxClients 250
> # minimum/maximum amount of threads kept spare in total over all child
> processess
> MinSpareThreads 25
> MaxSpareThreads 75
> # maximum amount of threads per child process; apache never spawns more
> ThreadsPerChild 25
> # max number of requests that a process will handle, before it is killed
> (to avoid memory leaks)
> MaxRequestsPerChild 1000
> </IfModule>
>
> With the MPM-worker module, I understand you have a root 'apache parent
> control process' (root, because it binds to port 80) This process spawns
> an initial 2 apache child processess, running under www-data, but growth
> is possible. Each of those child processess spawns 25 idle server
> threads (actually 26; 25 +1 listener thread), ready to accept
> connections:
>
> apache root parent control process
> apache child process1
> server thread1
> server thread2
> ...
> server thread25
> apache child process2
> server thread1
> server thread2
> ...
> server thread25
>
> >From what I understand at
> http://httpd.apache.org/docs/2.0/mod/worker.html, if there are maximum
> 250 simultaneous connections possible (threads), and there are 25
> threads per child process, there should only be a maximum of 250/25 = 10
> child processess possible, right ?
>
> Question 1: Then why does apache spawn more than 10 child processes,
> making 1 or a couple of virtual hosts eat up all my server resources ->
> starting to swap as hell -> often killing my apache parent root process:
>
> This is a snapshot of a live environment, where for the moment
> everything goes well, but it never lasts...
>
> pstree -cG
> init─┬─apache2─┬─apache2─┬─php5-cgi
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ └─{apache2}
> │ ├─apache2─┬─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2
> │ ├─apache2
> │ ├─apache2─┬─php5-cgi
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2───{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─php5-cgi
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ ├─apache2─┬─php5-cgi
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ ├─{apache2}
> │ │ └─{apache2}
> │ └─apache2─┬─php5-cgi
> │ └─{apache2}
>
>
> QUESTION 2: as you can see; why does apache not use all the idle threads
> first before spawning new processes with new idle threads ?
>
> QUESTION 3: I did not find a lot of information, on limiting the amount
> of resources (cpu, ram, io, disk) 1 customer can have:
> - mod_slotlimit:
> http://www.debianadmin.com/manage-apache-resources-limits-with-mod_slotlimit.html (but this involves prefork I see)
> - apache core: http://httpd.apache.org/docs/1.3/mod/core.html#rlimitcpu,
> rlimitmem, rlimitnproc
> -> only for processes forked off from the apache child processes, not
> for in-process request e.g. mod_perl, libapache2-mod-php (but that works
> for me as I run PHP as a CGI process that is forked off from the apache
> child process)
>
> Making sure every user gets it's share, is crucial to working in a
> shared environment; how can I make sure this happens ?
>
> Thanks for reading, and thanks in advance.
>
> Jurgen L.
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|