Not going to ApacheCon

by Mads
March 25, 2008 at 23:27 | categories: apache, httpd, asf

Last week I got notified about some changes to the planned schedule that unfortunately put my talk at a time I would have a hard time making. So rather than stressing around trying to make ends meet in what was already to be a hit'n'run trip, my talk is off the schedule and I won't be going.
Instead I'll try to rewrite my talk into some blog entries as time permits.

ApacheCon US also looks very unlikely as I'm not very keen on going to New Orleans.


Out with the old and in with the new.

by Mads
August 05, 2007 at 23:20 | categories: hardware, sun, solaris, asf, httpd

For quite some time, the infrastructure team at the ASF has been running our websites, mail-archives and wiki on a Sun Fire T2000 Server kindly donated by Sun. Along with the T2000 there's also a Dell SATA raid donated by ask.
Naturally, the machine is running Solaris 10 and that along with dtrace has already allowed us to find and correct pretty serious performance issue. Our load was hitting 500 and beyond and was close to knocking the machine over. Some digging around with DTRACE showd us an insane number of syscalls and almost all of them being reads.
More digging around with the following one-liner by Brendan Gregg:

# Read bytes by process,
dtrace -n 'sysinfo:::readch { @bytes[execname] = sum(arg0); }'

It gave a very clear picture that almost all reads were of 1k size and that allowed Joe Schaefer to create a patch for apr to Use buffered I/O with SDBM..
The current look of things is a lot better:

  httpd                                             
           value  ------------- Distribution ------------- count    
              -1 |                                         0        
               0 |                                         987      
               1 |                                         0        
               2 |                                         6        
               4 |                                         296      
               8 |                                         30       
              16 |                                         147      
              32 |                                         130      
              64 |                                         47       
             128 |                                         140      
             256 |                                         460      
             512 |                                         118      
            1024 |                                         19       
            2048 |                                         72       
            4096 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 336511   
            8192 |                                         11       
           16384 |                                         3        
           32768 |                                         0        
           65536 |                                         8        
          131072 |                                         0        

With the change, our load has dropped from over 500 to somewhere between 5 and 10.

For a long time we've also been wanting to add some redundancy by placing a similar setup at our European site. The board approved our request to go shopping and after lots of hassle trying to buy the machine from Sun (being a small customer at Sun is rarely much fun and I think we were even more unlucky than usual). Eventually we got there and Sander along with Colm got the machines racked.

The pictures are by Colm
before

after

The upper picture show the old Itanic and a broken X-serve. Below is the "after" picture, showing Aurora which is now the European mirror of Eos. The machine above Aurora is a Sun Fire X2200 M2 Server that will serve as a mail frontend.

and so ends the tale of how the rising Sun replaced the sinking Itanic :)

Linuxforum

by Mads
February 14, 2007 at 21:32 | categories: httpd, solaris, linux

This year I'll be speaking at LinuxForum (Don't let the name fool you, a more appropriate name would be Unix or Opensource Forum). My presentation will introduce some of the more interesting bits of OpenSolaris. The idea is to show how to use features like ZFS, zones, SMF, dtrace and least privileges while showing how they can be used with Apache httpd. This is a refinement on the talk that was rejected for ApacheCon.
Doing this talk is all part of a greater plan to generate some more interest in OpenSolaris and can hopefully be used to start up OpenSolaris User Group Denmark (see also Opensolaris user groups).
The video from my marathon session (3 hours in danish) is now available.

linuxforum

Root free httpd on Solaris

by Mads
September 19, 2006 at 21:21 | categories: httpd, security, solaris

As I was playing around with Sun Studio 11 and trying out different compile options on httpd I bumped into the old problem of not being allowed to bind port 80. In usual circumstances I'd just switch to a port above 1024, but why not use Solaris privileges instead?

The usual error:
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80

Finding the missing privilege:
# ppriv -eD ./httpd -k start

httpd[12474]: missing privilege "net_privaddr" (euid = 100, syscall = 232) needed at tcp_bind+0x631

As root add the missing privilege:
# usermod -K defaultpriv=basic,net_privaddr apache
# grep apache /etc/user_attr
apache::::type=normal;defaultpriv=basic,net_privaddr

Start httpd as the apache user and you're done.

Of course there's a lot more to it than just handing out privileges, but you can find much more in the Roles, Rights Profiles, and Privileges section of the System Administration Guide: Security Services

ApacheCon 2006 US - httpd on OpenSolaris.

by Mads
August 10, 2006 at 12:27 | categories: apache, httpd, solaris

Much to my surprise, I've had my proposed talk accepted for ApacheCon 2006/US.
This time I'll be speaking about running httpd on OpenSolaris. I'm still a bit unsure about the final content, but I hope to cover:

  • SMF for httpd
  • Least Privileges
  • "zoning httpd"
  • dtracing httpd
  • kssl

The list is bound to evolve as I find the time to actually work on these things.


Next Page ยป