Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?



In the last episode (May 04), Olaf Greve said:
Recently I upgraded my Apache 1.3.33 webserver to Apache 2.2.4, and
ever since, I noticed that it is acting in such a way that it often
is VERY greedy with my server's resources. Quite often, when running
"top", a list that is as the one that appears at the bottom of this
e-mail is shown: indeed pretty much solely httpd instances, that for
extended periods of time almost continuously pull the CPU to close to
100%, and that also consume a lot of the memory resources...
Strangely enough, at other times the CPU load is just slightly above
0%, say 0.4% or so...

Apart from the fact that it "doesn't feel right" to see the CPU for
substantial amounts of time, almost constantly close to 100%, there
is a further issue, being that sendmail rejects connections when the
server load is (too) high. This is very annoying, as e-mail is also
a crucial part of the server's functionality, and I don't want
sendmail to reject connections, each and every time that Apache goes
berserk.

Now, the machine in question, is an AMD-64 machine, and it runs the
AMD-64 version of FreeBSD (5.4-release) with a custom kernel.
Surely, Apache can be reconfigured such that it doesn't behave so
selfishly, and leaves a decent amount of resources for other stuff
(such as sendmail) on the machine too.

What I'm basically trying to find out is:
1-Is this normal, or can this perhaps be some (brute force) hack attempt,
where something is pounding Apache heavily, trying to find/exploit some
security risk?
2-How can I inspect exactly what each httpd instance is doing (i.e. which
request it is serving)?
3-How to best configure Apache 2.2.4 such that it will never use more than a
specific amount of the system's resources (e.g. a CPU usage limit of 75%,
and a memory limit of say 1GB)? It would be my guess that the amount of
"MaxClients" should be lowered, but is that sufficient (note: current
httpd-mpm.conf settings appear at the end of this e-mail, and indicate an
amount of 150), and will that not somehow (all too) negatively affect the
way Apache handles requests?
4-How to perhaps tell sendmail to be a bit more selfish, and stop it from
rejecting connections for extended periods of time? (note: we all know just
how much "fun" it can be to configure Sendmail :P so for now I've only
included (a shortened version of the) RX daemon config file, and hope
someone can give me a good pointer for this - or tell me where else to
look).
5-When sendmail rejects (incoming) connections, does mail actually get lost,
or will it (always) be handled later, when the server is less occupied?

I can't help you with Apache, but it's easy to tell sendmail to ignore
system load and deliver mail no matter what:

http://www.sendmail.org/m4/tweaking_config.html#confQUEUE_LA

Change these lines in your .mc file:

dnl define(`confDELAY_LA', 8)
dnl define(`confREFUSE_LA', 12)

to

define(`confQUEUE_LA', 999)
define(`confDELAY_LA', 999)
define(`confREFUSE_LA', 999)

They are more useful on a system that's only handling email, so if
someone starts sending evil attachments that chew up CPU time being
virus or spam-scanned, the server will just start throttling mail
delivery. If the load isn't being caused by mail delivery, it's better
to bump it wayy up.

--
Dan Nelson
dnelson@xxxxxxxxxxxxxxx
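
An added example, not part of the original message: a small shell check for whether the three load-average settings discussed above are actually active in an .mc file, since m4 ignores any line that still starts with `dnl`. The function names `mc_value`, `la_state` and `sample_mc` and the sample file are constructed for illustration, and the threshold comparison is a simplified model of sendmail's behaviour.

```shell
#!/bin/sh
# Added example (not from the original post): show which load-average
# settings in a sendmail .mc file are really active. m4 discards everything
# after "dnl", so a "dnl define(...)" line changes nothing.

# Print the value of the last active define(`NAME', VALUE) in FILE.
mc_value() {   # usage: mc_value FILE NAME
    awk -v name="$2" '
        /^[ \t]*dnl/ { next }                      # commented out in m4
        {
            pat = "define\\(`" name "\047,[ \t]*"  # \047 is the closing quote
            if (match($0, pat)) {
                v = substr($0, RSTART + RLENGTH)
                sub(/[ \t]*\).*/, "", v)           # drop ")" and what follows
            }
        }
        END { if (v != "") print v }' "$1"
}

# Which throttles apply at integer load LOAD? Assumption of this sketch:
# a threshold of 0 is off, and load at or above a threshold triggers it.
la_state() {   # usage: la_state LOAD QUEUE_LA DELAY_LA REFUSE_LA
    out=""
    if [ "$2" -gt 0 ] && [ "$1" -ge "$2" ]; then out="$out queue-only"; fi
    if [ "$3" -gt 0 ] && [ "$1" -ge "$3" ]; then out="$out delay"; fi
    if [ "$4" -gt 0 ] && [ "$1" -ge "$4" ]; then out="$out refuse"; fi
    out=${out# }
    echo "${out:-normal}"
}

# Constructed sample: one knob still commented out, two raised to 999.
sample_mc() {
    cat <<'EOF'
define(`confQUEUE_LA', 999)
dnl define(`confDELAY_LA', 8)
define(`confREFUSE_LA', 999)
EOF
}

mc=$(mktemp) && sample_mc > "$mc"
for k in confQUEUE_LA confDELAY_LA confREFUSE_LA; do
    v=$(mc_value "$mc" "$k")
    echo "$k = ${v:-<not set, built-in default applies>}"
done
echo "load 14, DelayLA 8 / RefuseLA 12 active: $(la_state 14 0 8 12)"
echo "load 14, all three raised to 999:        $(la_state 14 999 999 999)"
rm -f "$mc"
```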