How to make Apache (2.2.4) less greedy, or Sendmail less polite?
dnelson at allantgroup.com
Thu May 3 23:17:34 UTC 2007
In the last episode (May 04), Olaf Greve said:
> Recently I upgraded my Apache 1.3.33 webserver to Apache 2.2.4, and
> ever since, I noticed that it is acting in such a way that it often
> is VERY greedy with my server's resources. Quite often, when running
> "top", a list that is as the one that appears at the bottom of this
> e-mail is shown: indeed pretty much solely httpd instances, that for
> extended periods of time almost continuously pull the CPU to close to
> 100%, and that also consume a lot of the memory resources...
> Strangely enough, at other times the CPU load is just slightly above
> 0%, say 0.4% or so...
> Apart from the fact that it "doesn't feel right" to see the CPU for
> substantial amounts of time, almost constantly close to 100%, there
> is a further issue, being that sendmail rejects connections when the
> server load is (too) high. This is very annoying, as e-mail is also
> a crucial part of the server's functionality, and I don't want
> sendmail to reject connections, each and every time that Apache goes
> Now, the machine in question, is an AMD-64 machine, and it runs the
> AMD-64 version of FreeBSD (5.4-release) with a custom kernel.
> Surely, Apache can be reconfigured such that it doesn't behave so
> selfishly, and leaves a decent amount of resources for other stuff
> (such as sendmail) on the machine too.
> What I'm basically trying to find out is:
> 1-Is this normal, or can this perhaps be some (brute force) hack attempt,
> where something is pounding Apache heavily, trying to find/exploit some
> security risk?
> 2-How can I inspect exactly what each httpd instance is doing (i.e. which
> request it is serving)?
> 3-How to best configure Apache 2.2.4 such that it will never use more than a
> specific amount of the system's resources (e.g. a CPU usage limit of 75%,
> and a memory limit of say 1GB)? It would be my guess that the amount of
> "MaxClients" should be lowered, but is that sufficient (note: current
> httpd-mpm.conf settings appear at the end of this e-mail, and indicate an
> amount of 150), and will that not somehow (all too) negatively affect the
> way Apache handles requests?
> 4-How to perhaps tell sendmail to be a bit more selfish, and stop it from
> rejecting connections for extended periods of time? (note: we all know just
> how much "fun" it can be to configure Sendmail :P so for now I've only
> included (a shortened version of the) RX daemon config file, and hope
> someone can give me a good pointer for this - or tell me where else to
> 5-When sendmail rejects (incoming) connections, does mail actually get lost,
> or will it (always) be handled later, when the server is less occupied?
I can't help you with Apache, but it's easy to tell sendmail to ignore
system load and deliver mail no matter what:
Change these lines in your .mc file:
dnl define(`confDELAY_LA', 8)
dnl define(`confREFUSE_LA', 12)
They are more useful on a system that's only handling email, so if
someone starts sending evil attachments that chew up CPU time being
virus or spam-scanned, the server will just start throttling mail
delivery. If the load isn't being caused by mail delivery, it's better
to bump it wayy up.
dnelson at allantgroup.com
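
A way to check the two thresholds from the reply above against a given load average, added here as an example and not part of the original post. The function names and the sample .cf lines are constructed for illustration, and the rounding and at-or-above comparison are assumptions about how sendmail compares the load to DelayLA and RefuseLA.

```shell
#!/bin/sh
# Reports how the DelayLA / RefuseLA options in a sendmail.cf (the options
# generated by confDELAY_LA and confREFUSE_LA in the .mc file) relate to a
# given 1-minute load average. Function names are hypothetical.

# la_value OPTION CF_FILE -> integer threshold from the last active
# "O OPTION=n" line; commented-out lines ("#O ...") are ignored, 0 if unset.
la_value() {
    v=$(sed -n "s/^O[[:space:]]*$1=\([0-9][0-9]*\).*/\1/p" "$2" | tail -n 1)
    echo "${v:-0}"
}

# la_state CF_FILE LOAD -> prints "refuse", "delay" or "ok".
la_state() {
    cf=$1
    # Assumption: the load is rounded to the nearest integer before comparing.
    load=$(awk -v l="$2" 'BEGIN { printf "%d", l + 0.5 }')
    refuse=$(la_value RefuseLA "$cf")
    delay=$(la_value DelayLA "$cf")
    # A threshold of 0 (or no active line) is treated as "check disabled".
    if [ "$refuse" -gt 0 ] && [ "$load" -ge "$refuse" ]; then
        echo refuse
    elif [ "$delay" -gt 0 ] && [ "$load" -ge "$delay" ]; then
        echo delay
    else
        echo ok
    fi
}

# Constructed sample: .cf lines as produced when both defines are active
# with the values 8 and 12 shown in the message.
sample_cf() {
    cat <<'EOF'
O DelayLA=8
O RefuseLA=12
#O QueueLA=8
EOF
}

# Stand-alone use: sh la_state.sh /etc/mail/sendmail.cf 9.4
if [ "$#" -eq 2 ]; then la_state "$1" "$2"; fi
```
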