Posted to users@httpd.apache.org by Jurgen Lamsens <ju...@telenet.be> on 2009/03/26 23:45:18 UTC
[users@httpd] Limit resources per virtual host
Hi all,
I'm having an annoying and rather complex problem, and couldn't find any
decent answer crawling the net for hours, visiting forums, reading
FAQs/official documentation, including the very interesting article at
http://blog.stuartherbert.com/php/2007/11/21/the-challenge-with-securing-shared-hosting/
It takes a while to explain, so please bear with me.
I'm using apache with MPM-worker to host 800 sites on a server, and use
suPHP for the obvious security reason. I'm running PHP as an external
PHP5-CGI binary. Users are in MySQL.
In /etc/apache/apache2.conf, I have configured the following directives:
(I put in comments, what 'I' understand they mean)
<IfModule mpm_worker_module>
# initial number of apache child processes spawned
StartServers 2
# the maximum total number of threads in all processes = maximum number
# of clients that may be served simultaneously
MaxClients 250
# minimum/maximum amount of threads kept spare in total over all child
# processes
MinSpareThreads 25
MaxSpareThreads 75
# maximum amount of threads per child process; apache never spawns more
ThreadsPerChild 25
# max number of requests that a process will handle, before it is killed
# (to avoid memory leaks)
MaxRequestsPerChild 1000
</IfModule>
With the MPM-worker module, I understand you have a root 'apache parent
control process' (root, because it binds to port 80). This process spawns
an initial 2 apache child processes, running under www-data, but growth
is possible. Each of those child processes spawns 25 idle server
threads (actually 26; 25 +1 listener thread), ready to accept
connections:
apache root parent control process
apache child process1
server thread1
server thread2
...
server thread25
apache child process2
server thread1
server thread2
...
server thread25
From what I understand at
http://httpd.apache.org/docs/2.0/mod/worker.html, if there are maximum
250 simultaneous connections possible (threads), and there are 25
threads per child process, there should only be a maximum of 250/25 = 10
child processes possible, right ?
Question 1: Then why does apache spawn more than 10 child processes,
making 1 or a couple of virtual hosts eat up all my server resources ->
starting to swap as hell -> often killing my apache parent root process:
This is a snapshot of a live environment, where for the moment
everything goes well, but it never lasts...
pstree -cG
init─┬─apache2─┬─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2
│ ├─apache2
│ ├─apache2─┬─php5-cgi
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2───{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ ├─apache2─┬─php5-cgi
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ ├─{apache2}
│ │ └─{apache2}
│ └─apache2─┬─php5-cgi
│ └─{apache2}
QUESTION 2: as you can see; why does apache not use all the idle threads
first before spawning new processes with new idle threads ?
QUESTION 3: I did not find a lot of information, on limiting the amount
of resources (cpu, ram, io, disk) 1 customer can have:
- mod_slotlimit:
http://www.debianadmin.com/manage-apache-resources-limits-with-mod_slotlimit.html (but this involves prefork I see)
- apache core: http://httpd.apache.org/docs/1.3/mod/core.html#rlimitcpu,
rlimitmem, rlimitnproc
-> only for processes forked off from the apache child processes, not
for in-process request e.g. mod_perl, libapache2-mod-php (but that works
for me as I run PHP as a CGI process that is forked off from the apache
child process)
Making sure every user gets its share is crucial to working in a
shared environment; how can I make sure this happens ?
Thanks for reading, and thanks in advance.
Jurgen L.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
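Added example (not part of the original post, and not Apache project code): one way to measure what the post describes, by comparing the live child-process count with the MaxClients / ThreadsPerChild budget and counting php5-cgi processes per suPHP account. The ps sample, the account names site0007 and site0042, and the rule that a child with fewer LWPs than ThreadsPerChild is "partial" are assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sample of `ps -eo pid,ppid,nlwp,user,comm` output (not from the post).
# site0007 / site0042 are made-up suPHP account names.
SAMPLE_PS = """\
  PID  PPID NLWP USER     COMMAND
 1000     1    1 root     apache2
 1001  1000   27 www-data apache2
 1002  1000   27 www-data apache2
 1003  1000    3 www-data apache2
 1004  1000    2 www-data apache2
 2001  1003    1 site0042 php5-cgi
 2002  1003    1 site0042 php5-cgi
 2003  1004    1 site0042 php5-cgi
 2004  1001    1 site0007 php5-cgi
"""

def parse_ps(text):
    """Turn ps output into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        pid, ppid, nlwp, user, comm = line.split(None, 4)
        rows.append({"pid": int(pid), "ppid": int(ppid), "nlwp": int(nlwp),
                     "user": user, "comm": comm.strip()})
    return rows

def summarize(rows, max_clients=250, threads_per_child=25):
    """Compare live httpd children with the MaxClients/ThreadsPerChild budget."""
    by_pid = {r["pid"]: r for r in rows}
    # A child is an apache2 process whose parent is also apache2 (the root parent).
    children = [r for r in rows if r["comm"] == "apache2"
                and by_pid.get(r["ppid"], {}).get("comm") == "apache2"]
    child_pids = {r["pid"] for r in children}
    # Assumption: a child with fewer LWPs than ThreadsPerChild is not a full
    # serving process (for example one that is exiting while requests finish).
    partial = {r["pid"] for r in children if r["nlwp"] < threads_per_child}
    cgi = [r for r in rows if r["comm"] == "php5-cgi" and r["ppid"] in child_pids]
    budget = math.ceil(max_clients / threads_per_child)
    return {
        "budget": budget,                      # 250 / 25 = 10 in the post
        "children": len(children),
        "over_budget": len(children) > budget,
        "partial_children": sorted(partial),
        "cgi_per_user": dict(Counter(r["user"] for r in cgi)),
        "cgi_under_partial": sum(r["ppid"] in partial for r in cgi),
    }

if __name__ == "__main__":
    print(summarize(parse_ps(SAMPLE_PS)))
```

On a live host the same two functions can be fed the real output of ps -eo pid,ppid,nlwp,user,comm; the per-user CGI count shows which account holds the most php5-cgi processes at that moment.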
Re: [users@httpd] Limit resources per virtual host
Posted by Jurgen Lamsens <ju...@telenet.be>.
Could someone please help me? Thanks.