From: Dan Nelson
Date: Thu, 3 May 2007 18:01:05 -0500
To: Olaf Greve
Cc: freebsd-questions@freebsd.org, freebsd-amd64@freebsd.org
Subject: Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

In the last episode (May 04), Olaf Greve said:
> Recently I upgraded my Apache 1.3.33 webserver to Apache 2.2.4, and
> ever since, I noticed that it is acting in such a way that it often
> is VERY greedy with my server's resources.
> Quite often, when running
> "top", a list that is as the one that appears at the bottom of this
> e-mail is shown: indeed pretty much solely httpd instances, that for
> extended periods of time almost continuously pull the CPU to close to
> 100%, and that also consume a lot of the memory resources...
> Strangely enough, at other times the CPU load is just slightly above
> 0%, say 0.4% or so...
>
> Apart from the fact that it "doesn't feel right" to see the CPU for
> substantial amounts of time, almost constantly close to 100%, there
> is a further issue, being that sendmail rejects connections when the
> server load is (too) high. This is very annoying, as e-mail is also
> a crucial part of the server's functionality, and I don't want
> sendmail to reject connections, each and every time that Apache goes
> berserk.
>
> Now, the machine in question, is an AMD-64 machine, and it runs the
> AMD-64 version of FreeBSD (5.4-release) with a custom kernel.
> Surely, Apache can be reconfigured such that it doesn't behave so
> selfishly, and leaves a decent amount of resources for other stuff
> (such as sendmail) on the machine too.
>
> What I'm basically trying to find out is:
> 1-Is this normal, or can this perhaps be some (brute force) hack attempt,
> where something is pounding Apache heavily, trying to find/exploit some
> security risk?
> 2-How can I inspect exactly what each httpd instance is doing (i.e. which
> request it is serving)?
> 3-How to best configure Apache 2.2.4 such that it will never use more than a
> specific amount of the system's resources (e.g. a CPU usage limit of 75%,
> and a memory limit of say 1GB)? It would be my guess that the amount of
> "MaxClients" should be lowered, but is that sufficient (note: current
> httpd-mpm.conf settings appear at the end of this e-mail, and indicate an
> amount of 150), and will that not somehow (all too) negatively affect the
> way Apache handles requests?
> 4-How to perhaps tell sendmail to be a bit more selfish, and stop it from
> rejecting connections for extended periods of time? (note: we all know just
> how much "fun" it can be to configure Sendmail :P so for now I've only
> included (a shortened version of the) RX daemon config file, and hope
> someone can give me a good pointer for this - or tell me where else to
> look).
> 5-When sendmail rejects (incoming) connections, does mail actually get lost,
> or will it (always) be handled later, when the server is less occupied?

I can't help you with Apache, but it's easy to tell sendmail to ignore
system load and deliver mail no matter what:

http://www.sendmail.org/m4/tweaking_config.html#confQUEUE_LA

Change these lines in your .mc file:

dnl define(`confDELAY_LA, 8)
dnl define(`confREFUSE_LA', 12)

to

define(`confQUEUE_LA', 999)
define(`confDELAY_LA', 999)
define(`confREFUSE_LA', 999)

They are more useful on a system that's only handling email, so if
someone starts sending evil attachments that chew up CPU time being
virus or spam-scanned, the server will just start throttling mail
delivery. If the load isn't being caused by mail delivery, it's better
to bump it wayy up.

--
Dan Nelson
dnelson@allantgroup.com
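Added example, not part of the message above and not sendmail's own tooling: a Python check that reports, for each of the three load-average options discussed, whether a .mc file has it active, commented out with dnl, or unset, and whether the option name is correctly m4-quoted. SAMPLE_MC, OPTIONS and audit_load_limits are names made up for this illustration, and the sample file is constructed from the lines quoted in the message.

```python
import re

# Constructed sample built from the lines quoted in the message above.
SAMPLE_MC = """\
dnl define(`confDELAY_LA, 8)
dnl define(`confREFUSE_LA', 12)
define(`confQUEUE_LA', 999)
define(`confREFUSE_LA', 999)
"""

OPTIONS = ("confQUEUE_LA", "confDELAY_LA", "confREFUSE_LA")

# Name after the m4 open quote (`), optional close quote ('), then the value.
DEFINE_RE = re.compile(
    r"define\(\s*`(conf(?:QUEUE|DELAY|REFUSE)_LA)('?)\s*,\s*`?(\d+)'?\s*\)"
)
DNL_RE = re.compile(r"\bdnl\b")


def audit_load_limits(mc_text):
    """Map each load-average option to (state, value, well_quoted).

    state is "active" (m4 will expand it), "commented" (only seen after
    dnl) or "unset" (not in the file, so sendmail's built-in default applies).
    """
    report = {name: ("unset", None, True) for name in OPTIONS}
    for line in mc_text.splitlines():
        m = DNL_RE.search(line)
        # dnl discards the rest of the line, so only text before it is live.
        live_end = m.start() if m else len(line)
        for d in DEFINE_RE.finditer(line):
            name, close_quote, value = d.group(1), d.group(2), int(d.group(3))
            state = "active" if d.start() < live_end else "commented"
            # An active define always wins over a commented-out one.
            if state == "commented" and report[name][0] == "active":
                continue
            report[name] = (state, value, close_quote == "'")
    return report


if __name__ == "__main__":
    for name, (state, value, ok) in audit_load_limits(SAMPLE_MC).items():
        note = "" if ok else "  (missing closing quote: fix before enabling)"
        print(f"{name:14} {state:9} {value}{note}")
```

An option reported as "commented" or "unset" is not controlled by the .mc file at all, which is the state to look for when sendmail refuses connections under load despite a threshold appearing in the file.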