LL      IIIII NN   NN KK  KK EEEEEEE RRRRRR  RRRRRR   OOOOO  RRRRRR 
LL       III  NNN  NN KK KK  EE      RR   RR RR   RR OO   OO RR   RR
LL       III  NN N NN KKKK   EEEEE   RRRRRR  RRRRRR  OO   OO RRRRRR 
LL       III  NN  NNN KK KK  EE      RR  RR  RR  RR  OO   OO RR  RR 
LLLLLLL IIIII NN   NN KK  KK EEEEEEE RR   RR RR   RR  OOOOO  RR   RR
                                                           ramblings
____________________________________________________________________
Posted on: Tuesday, May 19th, 2009 at 08:14.
Filed under: All, ServerAdmin, Software.

This post is kind of a sequel to that post….

One big problem with suexec and suphp on Apache, imho, is that files run as their owner, so an accidental chown can break things. A more logical approach is to assign a user/group to each VirtualHost, which is exactly what the ITK MPM does.

On top of that it has some additional handy features, such as limiting the maximum number of concurrent requests per VirtualHost and setting a niceness value per VirtualHost so you can control how much CPU priority each virtual host gets.

Now the dc member server finally has users properly isolated from one another.

Setting up mpm-itk was a lot easier than suphp, suexec, or peruser-mpm. (I tried peruser-mpm first, and apache just segfaulted :S).
With only a few lines of additional configuration per VirtualHost, I was easily able to automate the migration of our 100+ accounts with a quick and dirty perl script.

mpm-itk is included in the default apache install on FreeBSD. There is no separate port for it (like there is for peruser). To use it, compile apache like this:

cd /usr/ports/www/apache22
make WITH_MPM=itk
make install

And that’s it. Apache will now use the itk mpm, and you can add an AssignUserID line to each VirtualHost. Anything running on it will run as the specified user/group, whether it’s plain html, php, or cgi. That’s another advantage, since with suexec you end up configuring each web-scripting language individually, and then risk still not covering everything.
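As an added illustration of the per-host configuration (this is not the quick and dirty perl script from the post, and not part of mpm-itk itself), here is a small Python generator that turns an account list into VirtualHost blocks carrying the three mpm-itk directives mentioned above: AssignUserID, MaxClientsVHost and NiceValue. The input format (one "user group domain docroot" line per account), the sample accounts and the docroot paths are assumptions made for the example. It refuses to emit a block that would assign root/wheel, and it flags docroots that are world-readable, since the isolation only holds if other members cannot read each other's files anyway.

```python
"""Generate per-account <VirtualHost> blocks for Apache running the ITK MPM.

Added example, not the original post's Perl script. Assumptions:
 - one account per input line: "user group domain docroot"
 - every vhost gets AssignUserID, MaxClientsVHost and NiceValue
 - docroots are checked for 'other' permission bits before a block is emitted
"""
import os
import stat

# Constructed sample account list; a real run would read this from a file.
# The third line is deliberately wrong (root/wheel) to show the refusal.
SAMPLE_ACCOUNTS = """\
alice alice alice.example.org /home/alice/public_html
bob   bob   bob.example.org   /home/bob/public_html
root  wheel admin.example.org /usr/local/www/admin
"""


def parse_accounts(text):
    """Parse 'user group domain docroot' lines; blank lines and '#' comments are skipped."""
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        user, group, domain, docroot = fields
        accounts.append({"user": user, "group": group,
                         "domain": domain, "docroot": docroot})
    return accounts


def vhost_block(acct, max_clients=20, nice=5):
    """Render one VirtualHost with the mpm-itk per-host directives."""
    if acct["user"] == "root" or acct["group"] in ("wheel", "root"):
        # Policy of this script (not an mpm-itk check): never give a vhost root.
        raise ValueError(f"{acct['domain']}: refusing to assign root/wheel")
    return (
        f"<VirtualHost *:80>\n"
        f"    ServerName {acct['domain']}\n"
        f"    DocumentRoot {acct['docroot']}\n"
        f"    AssignUserID {acct['user']} {acct['group']}\n"
        f"    MaxClientsVHost {max_clients}\n"
        f"    NiceValue {nice}\n"
        f"</VirtualHost>\n"
    )


def world_readable(path):
    """True if the path exists and has any 'other' (world) permission bit set."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & stat.S_IRWXO)


def generate(text, strict=True):
    """Return (config_text, problems). With strict=True, problem accounts are skipped."""
    blocks, problems = [], []
    for acct in parse_accounts(text):
        try:
            block = vhost_block(acct)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if world_readable(acct["docroot"]):
            problems.append(f"{acct['domain']}: {acct['docroot']} is world-readable")
            if strict:
                continue
        blocks.append(block)
    return "".join(blocks), problems


if __name__ == "__main__":
    config, problems = generate(SAMPLE_ACCOUNTS)
    print(config)
    for p in problems:
        print("# WARNING:", p)
```

Run it once with a real account list redirected into a file under your Apache Includes directory, then review the WARNING lines before reloading; a world-readable docroot defeats the point of giving each host its own uid.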

____________________________________________________________________

6 Responses to “ITK MPM”

  1. mouser says:

    Sounds perfect.. can’t wait to see how well it works in practice.. is this the holy grail or are there areas where this could be bypassed?

    • John says:

      You still need proper permissions on the system. The vhosts are not chrooted as they run. But since it’s all running on a jailed apache, and none of the member’s folders are world readable, you pretty much achieve the same effect.

      I’m not sure if there is such a thing as a holy grail, but it’s pretty good. :)

  2. mouser says:

    how bad is the hit on memory and cpu?

    • John says:

      The memory/cpu cost of running it isn’t that much higher than a normal prefork mpm really. However there is some performance hit, just because there is an extra fork involved to run the process as the specified user. So while you have some speed loss, you don’t really have that much memory/cpu loss. If that makes sense :)
