  • Support for Apache ITK MPM

    Hello,

    Do you support ITK MPM as well (http://mitka.us/articles/mpm-itk/)? This MPM runs each virtualhost process with the effective uid/gid of that virtualhost only. This way, one cannot get access to others' web space via symlinks etc.

    Or does CloudLinux itself provide this feature of running each child server process for a virtualhost with the effective uid/gid of the virtualhost's user?

    I read about SecureLVE, but as it's still a beta version, I'm not thinking about it as of now.

    Regards,

  • #2
    We haven't tested it, but there is no reason for mod_hostinglimits not to work with it.

    Though, I don't think it:
    1) Is scalable for shared hosting (it either has to keep a few processes/threads for each virtual host, or create them all the time; both are costly)
    2) Makes a lot of sense for static files, as they are very hard to exploit, and if one vhost is exploited, then all are exploited via the same bug
    3) Adds much protection for you, as you run scripts as the user anyway (suPHP, suexec)

    The only case where it makes some sense is when you run mod_php or something similar for end users. Yet I would just avoid doing that in shared hosting. The overhead of suPHP will be less overall than the overhead of such an MPM.

    And SecureLVE provides much more protection, as it virtualizes the filesystem itself.

    • #3
      OK, so is SecureLVE ready to be used? Has it been stable for quite a long time now (since it's a beta version)?

      Regards,

      • #4
        It is getting very close.

        • #5
          Then how is PHP running? As the apache user? So we would go back to ownership issues when users upload stuff using FTP?

          • #6
            Andrew,

            Not sure what you mean. The majority of people are using suPHP, mod_fcgid or CGI to run PHP, running it as the end user.

            There is no need for ITK MPM, and given that its stability/scalability in shared hosting hasn't been proven, I would avoid it.

            • #7
              I wasn't sure if suPHP is allowed.

              As a side note: we are running ITK in very large setups (up to 30k vhosts per machine) and it's performing great; in fact, much better than suPHP or FastCGI did.

              So I guess we will have to give suPHP another try.

              • #8
                Andrew,

                Really? If ITK works that well, let's try making it work. You are the first person I've heard from who has made it work for them.
                It should be easy enough to make CL work with it, and I am pretty sure mod_hostinglimits should work with it out of the box (nothing is preventing it from doing so).
                SecureLVE: we will port it to ITK; once again, it should be fairly easy.

                Just out of curiosity, how does it work? Does it keep a process or two per virtual host? Does it create them on demand, keeping them only for the most active?

                • #9
                  We are running it for more than a year now, and we have accounts constantly being added/removed.

                  The way ITK works is by keeping a pool of root-owned processes that parse requests and then setuid() to the right user (they default to the apache user, not root). As far as I have noticed, when certain users get more traffic, they are served by the same set of processes (with the same PIDs), so I guess it lets them live for some time after serving a request.

                  The reason why we abandoned FastCGI (which we used before) is exactly what you said: it kept a few processes for each user, which would quickly exhaust memory with so many users.

                  All this being said, we haven't yet prepared a test machine for CloudLinux, so my question was purely theoretical at this point. I will get back to you when we start setting up our environment on top of CloudLinux.
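The mechanism Andrew describes above (root-owned workers that parse the request and then setuid() to the vhost user) is the classic privilege-drop pattern, and the details of how the drop is done decide whether a compromised worker stays confined to one user. The C program below is an added illustration written for this page, not code from mpm-itk, CloudLinux or any post in this thread. It maps a Host header to a uid/gid from a constructed table, drops privileges in the correct order (supplementary groups, then gid, then uid), and verifies both that the ids really changed and that root cannot be regained before anything is served. The hostnames, the uids 500/501 and the fallback apache uid/gid of 48 are assumptions made for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed per-VirtualHost user table. In ITK the equivalent mapping
 * comes from the Apache config; these hostnames and ids are made up. */
struct vhost_user {
    const char *host;
    uid_t uid;
    gid_t gid;
};

static const struct vhost_user VHOSTS[] = {
    { "gdrtest.example", 500, 500 },
    { "alice.example",   501, 501 },
    { "broken.example",    0,   0 },   /* misconfigured: maps to root */
};

/* Fallback for unmatched hosts: ITK defaults to the apache user, not root
 * (post #9). The numeric ids 48/48 are an assumption for this example. */
static const uid_t DEFAULT_UID = 48;
static const gid_t DEFAULT_GID = 48;

/* Map a Host header to uid/gid. Returns 1 when a configured vhost matched,
 * 0 when the default user was used. Hostnames compare case-insensitively. */
int lookup_vhost_ids(const char *host, uid_t *uid, gid_t *gid)
{
    for (size_t i = 0; i < sizeof VHOSTS / sizeof VHOSTS[0]; i++) {
        if (host != NULL && strcasecmp(host, VHOSTS[i].host) == 0) {
            *uid = VHOSTS[i].uid;
            *gid = VHOSTS[i].gid;
            return 1;
        }
    }
    *uid = DEFAULT_UID;
    *gid = DEFAULT_GID;
    return 0;
}

/* Irreversibly switch this process to the vhost user. Order matters:
 * supplementary groups and gid first (both need root), uid last, because
 * after setuid() the process can no longer change its groups. Returns 0 on
 * success, -1 on failure; on -1 the caller must not serve the request. */
int drop_to_vhost_user(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                 /* never serve vhost content as root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                 /* only root may touch supplementary groups */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify real and effective ids actually changed ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* ... and that root cannot be regained (saved ids were replaced too). */
    if (setuid(0) == 0 || setgid(0) == 0)
        return -1;
    return 0;
}

/* One ITK-style request: the Host header was parsed while still root (as
 * post #9 describes), then a child drops to that user and serves. Because
 * the drop is one-way, that child cannot later serve a different vhost.
 * Returns the child's exit status: 0 = served as the vhost user,
 * 1 = refused or drop failed, -1 = fork/wait error. */
int serve_request_as_vhost(const char *host)
{
    uid_t uid;
    gid_t gid;
    lookup_vhost_ids(host, &uid, &gid);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_vhost_user(uid, gid) != 0)
            _exit(1);
        /* The content handler (PHP, static file) would run here as uid/gid. */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *hosts[] = { "gdrtest.example", "unknown.example", "broken.example" };
    for (size_t i = 0; i < 3; i++) {
        int rc = serve_request_as_vhost(hosts[i]);
        printf("%-16s -> %s\n", hosts[i],
               rc == 0 ? "served as vhost user" : "refused (drop failed or root target)");
    }
    return 0;
}
```

Run as root, the first two hosts are served as uid 500 and 48 and "broken.example" is refused because it would mean serving as root. Run unprivileged, setgid() fails and every request is refused rather than served under the wrong identity, which is the failure mode you want from such a worker. Note that the Host parsing happens before the drop, so that stage still executes as root, exactly as the post says.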

                  • #10
                    Igor,

                    I have a running CloudLinux system now (30-day trial). Is there an SRPM that I can download and try adding the ITK patch to the spec?

                    • #11
                      All you need is mod_hostinglimits.
                      You can get the source here http://repo.cloudlinux.com/cloudlinu...glimits.tar.gz

                      Or you can try installing it from the RPM, but if you are running a custom Apache, it will probably not work.

                      I haven't had a chance to get ITK working on my server yet, but looking through the patches and what it does, I don't see a reason why mod_hostinglimits wouldn't work.

                      • #12
                        I like the fact that our custom Apache will work with CloudLinux; I thought we would be bound to the ancient 2.2.3 like CentOS. I'll get back and tell you how it works with your module.

                        • #13
                          It has built cleanly, and the resulting RPM package installed without issues. What is the easiest way to ensure that the module works?

                          • #14
                            1. Make sure that you have the module enabled (on Apache restart it should print something like "LVE enabled" into the error log)
                            2. In modhostinglimits.conf, make sure that AllowedHandlers has an entry matching your PHP handler
                            3. Pick a PHP site on the server, and hit it with something like:
                            ab -c 10 -n 1000 URL_TO_PHP_PAGE

                            Run lvetop in another terminal. It should show you an entry with the LVE id matching the UID of the user that owns the site.

                            • #15
                              Bad news: it doesn't work.

                              The module is enabled; after restart I'm finding this in the error log:

                              Code:
                              mod_hostinglimits:LVE mechanism enabled

                              The handler is matching; excerpt from php.conf:

                              Code:
                              AddHandler php5-script .php

                              modhostinglimits.conf:

                              Code:
                              AllowedHandlers cgi-script php5-script php4-script php-script application/x-httpd-php5 application/x-httpd-php

                              The page I'm serving is for sure using ITK. Not only does

                              Code:
                              ps aux | grep httpd

                              return a couple of ITK processes, but index.php is also owned by a user other than apache, with permissions set to 600, and it prints the output of PHP's posix_getuid(); the output is 500, which means that it's run as the securelve user.

                              Code:
                              # grep 500 /etc/passwd
                              gdrtest:x:500:500::/home/gdrtest:/usr/sbin/securelve_sh

                              Do you have any idea what I could have done wrong?

                              (EDIT: I forgot to add the most important part.)

                              lvetop shows no processes, same for lveps.
