Date: Thu, 3 May 2007 18:01:05 -0500 From: Dan Nelson <dnelson@allantgroup.com> To: Olaf Greve <o.greve@axis.nl> Cc: freebsd-questions@freebsd.org, freebsd-amd64@freebsd.org Subject: Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? Message-ID: <20070503230104.GC42913@dan.emsphone.com> In-Reply-To: <2BEB30C2-C9C5-43AB-9DCA-5C9A1B0AC2C0@axis.nl> References: <2BEB30C2-C9C5-43AB-9DCA-5C9A1B0AC2C0@axis.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
In the last episode (May 04), Olaf Greve said: > Recently I upgraded my Apache 1.3.33 webserver to Apache 2.2.4, and > ever since, I noticed that it is acting in such a way that it often > is VERY greedy with my server's resources. Quite often, when running > "top", a list that is as the one that appears at the bottom of this > e-mail is shown: indeed pretty much solely httpd instances, that for > extended periods of time almost continously pull the CPU to close to > 100%, and that also consume a lot of the memory resources... > Strangely enough, at other times the CPU load is just slightly above > 0%, say 0.4% or so... > > Apart from the fact that it "doesn't feel right" to see the CPU for > substantial amounts of time, almost constantly close to 100%, there > is a further issue, being that sendmail rejects connections when the > server load is (too) high. This is very annoying, as e-mail is also > a crucial part of the server's functionality, and I don't want > sendmail to reject connections, each and every time that Apache goes > berserk. > > Now, the machine in question, is an AMD-64 machine, and it runs the > AMD-64 version of FreeBSD (5.4-release) with a custom kernel. > Surely, Apache can be reconfigured such that it doesn't behave so > selfishly, and leaves a decent amount of resources for other stuff > (such as sendmail) on the machine too. > > What I'm basically trying to find out is: > 1-Is this normal, or can this perhaps be some (brute force) hack attempt, > where something is pounding Apache heavily, trying to find/exploit some > security risk? > 2-How can I inspect exactly what each httpd instance is doing (i.e. which > request it is serving)? > 3-How to best configure Apache 2.2.4 such that it will never use more than a > specific amount of the system's resources (e.g. a CPU usage limit of 75%, > and a memory limit of say 1GB)? It would be my guess that the amount of > "MaxClients" should be lowered, but is that sufficient (note: current > httpd-mpm.conf settings apper at the end of this e-mail, and indicate an > amount of 150), and will that not somehow (all too) negatively affect the > way Apache handles requests? > 4-How to perhaps tell sendmail to be a bit more selfish, and stop it from > rejecting connections for extended periods of time? (note: we all know just > how much "fun" it can be to configure Sendmail :P so for now I've only > included (a shortened version of the) RX daemon config file, and hope > someone can give me a good pointer for this - or tell me where else to > look). > 5-When sendmail rejects (incoming) connections, does mail actually get lost, > or will it (always) be handled later, when the server is less occupied? I can't help you with Apache, but it's easy to tell sendmail to ignore system load and deliver mail no matter what: http://www.sendmail.org/m4/tweaking_config.html#confQUEUE_LA Change these lines in your .mc file: dnl define(`confDELAY_LA, 8) dnl define(`confREFUSE_LA', 12) to define(`confQUEUE_LA', 999) define(`confDELAY_LA', 999) define(`confREFUSE_LA', 999) They are more useful on a system that's only handling email, so if someone starts sending evil attachments that chew up CPU time being virus or spam-scanned, the server will just start throttling mail delivery. If the load isn't being caused by mail delivery, it's better to bump it wayy up. -- Dan Nelson dnelson@allantgroup.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070503230104.GC42913>