Apache MPM-ITK, mod_fcgid problems..
Hopefully someone can help me sort this issue out..
I am running Apache with MPM-ITK and php-cgi as detailed in the setup guides in the Linode Library.. Each virtual server runs as the users that own the virtual server also as documented..
I want to now switch to using mod_fcgid but I seem to be getting an error..
Chrome throws this error.
Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data.
The virtual server error log shows..
root@server1:~# tail /home/www.site.com/logs/error.log
[Sat Aug 13 19:37:37 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7426
[Sat Aug 13 19:37:39 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7427
[Sat Aug 13 19:37:40 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7428
[Sat Aug 13 19:37:41 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7429
[Sat Aug 13 19:37:45 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7430
[Sat Aug 13 19:40:00 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7442
[Sat Aug 13 19:41:27 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7444
[Sat Aug 13 20:06:56 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7469
[Sat Aug 13 20:07:07 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7470
[Sat Aug 13 20:07:07 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7471
My fcgid config is pretty basic..
I'm running Ubuntu 10.04..
I ran "aptitude install libapache2-mod-fcgid"
Created /etc/apache2/conf.d/php-fcgid.conf
<ifmodule fcgid_module="">AddHandler fcgid-script .fcgi .php
FcgidMaxRequestsPerProcess 1000
FcgidWrapper /usr/bin/php5-fcgid .php</ifmodule>
Created /usr/bin/php5-fcgid
#!/bin/sh
PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_MAX_REQUESTS
export PHPRC="/etc/php5/cgi"
exec /usr/bin/php5-cgi
I made the script executable..
I added +ExecCGI to the virtual server config file..
I restarted Apache..
What am I doing wrong??
Any help would be appreciated..
TIA
5 Replies
I've recently started using the mpmitk module for apache and have had luck using modphp. This may reduce overhead on your server and free up memory as a result.
That said, should you still wish to go the rout of using mod_fcgid, there are a few things you can check.
What are the permissions of your virtual host directories?
Try:
ls -1l /path/to/directory
Is the file /usr/bin/php5-fcgid able to be executed by the user or users on the system? Can your script execute any other processes it might need to in order to interpret the php code, but still run all of that code under the user you've set in security settings?
I think the mod_php module for apache is easier to use, though that may not be what you need for your particular situation, so there are a few suggestions for you to try. Also, what you're attempting to do may be in conflict. I could be wrong, but here's an example.
Your virtual host configuration tells apache to switch to running under the user and group sample. Next, apache encounters a php script, which then executes your wrapper. The wrapper has insufficient priviliges to execute and/or read data it needs to, since its executing as the user and group sample, which has insufficient priviliges to complete the operations. Therefore, the errors you're getting. I could, of course be wrong about this. If this is what its doing, though, your method of executing php scripts with mod_fcgid may be insecure because of permissions you might need to set. If I'm wrong and its something different, then you may not have to worry so much about security.
If you have any further questions or problems, they are welcome.
Good luck,
Blake
Thanks for the reply..
I never did get it to work but what I have found out since is that MPM-ITK and FCGID are not a good combination anyway.. Obviously the benefit of FCGID is that it stays running.. Apparently MPM-ITK on the other hand doesn't.. So the FCGID processes would have been closed down anyway..
I have now tried most combinations..
MPM-ITK + php-cgi = Simple setup for running scripts as the owner, ok performance, can't use APC. Low memory usage.
MPM-ITK + mod_php = Very simple setup, good performance and ability to use APC. Little more memory used.
MPM-ITK + mod_fcgid = Couldn't get it working.
MPM-prefork + suEXEC + php-cgi = More complicated setup, performance similar to MPM-ITK + php-cgi.
MPM-prefork + suEXEC + mod_php = more complicated setup, good performance.
MPM-prefork + suEXEC + mod_fcgid=more complicated setup, excellent performance.
MPM-worker + suEXEC + php-cgi=More complicated setup, better performance than MPM-ITK + php-cgi.
MPM-worker + suEXEC + mod_php=Not recommended because php is apparently not thread safe.
MPM-worker + suEXEC + mod_fcgid=More complicated setup, best performance.
Obviously a lot depends on your load, what you are serving and the tons of configuration parameters.. I found the last setup with everything pretty much let at defaults to be VERY quick.. Especially as load increases..
I'm glad you were able to sort out your problems. Some of your setups interest me and I may check them out, too. The only problem I see with some of them is that some only work with php to isolate the apache process from a user account, such as using SuExec. However, mpm_itk will isolate the apache process itself to a specific user. I don't know how it operates under high load yet, but I've benchmarked it and it appears to work okay. I'm going to run some more tests.
Anyway, your other suggestions are good, but do you know of any that will allow execution of other scripts using different scripting languages, perl, python, or others, and keep the scripts isolated to a specific user? I know there are modules for those in Apache and I think they would work with mpm_itk to isolate the scripts to a specific user.
Thanks,
Blake
stack script
function install_php_apache_worker
{
aptitude -y install apache2-mpm-worker libapache2-mod-fcgid php5-cgi php5-cli php5-curl php5-gd php5-mcrypt php5-mysql php5-sqlite php-apc
sed -i 's/short_open_tag = On/short_open_tag = Off/' /etc/php5/cgi/php.ini
sed -i 's/disable_functions =/disable_functions = dl/' /etc/php5/cgi/php.ini
sed -i 's/expose_php = On/expose_php = Off/' /etc/php5/cgi/php.ini
sed -i 's/memory_limit = 128M/memory_limit = 32M/' /etc/php5/cgi/php.ini
sed -i 's/;arg_separator.output = "&"/arg_separator.output = "&"/' /etc/php5/cgi/php.ini
sed -i 's/;date.timezone =/date.timezone = UTC/' /etc/php5/cgi/php.ini
sed -i 's/session.name = PHPSESSID/session.name = SESSID/' /etc/php5/cgi/php.ini
cat <<eot>/etc/apache2/conf.d/fcgi.conf
FcgidMaxProcesses 4
FcgidMaxRequestsPerProcess 5000
AddHandler fcgid-script .php
FcgidWrapper /usr/local/bin/php5-fcgi-wrapper .php
EOT
cat < <eot>/usr/local/bin/php5-fcgi-wrapper
#!/bin/sh
PHP_FCGI_MAX_REQUESTS=0
export PHP_FCGI_MAX_REQUESTS
PHP_FCGI_CHILDREN=0
export PHP_FCGI_CHILDREN
exec /usr/bin/php-cgi
EOT
chmod +x /usr/local/bin/php5-fcgi-wrapper
mkdir -p /etc/monit/conf.d
cat <<eot>/etc/monit/conf.d/apache2
check process apache with pidfile /var/run/apache2.pid
group www-data
start program = "/etc/init.d/apache2 start"
stop program = "/etc/init.d/apache2 stop"
if failed port 80 protocol HTTP request / within 5 cycles then restart
if 5 restarts within 5 cycles then timeout
EOT
a2dissite default # disable the interfering default virtualhost
# clean up, or add the NameVirtualHost line to ports.conf
sed -i -e 's/^NameVirtualHost \*$/NameVirtualHost *:80/' /etc/apache2/ports.conf
if ! grep -q NameVirtualHost /etc/apache2/ports.conf; then
echo 'NameVirtualHost *:80' > /etc/apache2/ports.conf.tmp
cat /etc/apache2/ports.conf >> /etc/apache2/ports.conf.tmp
mv -f /etc/apache2/ports.conf.tmp /etc/apache2/ports.conf
fi
}</eot></eot></eot>