apache-2.2.9-12.9mdv2009.0.src.rpm

                              The Apache 2 ITK MPM

   (Very provisional homepage, I'd rather make software than make web
   pages :-) )

   Direct download link for Apache 2.0: [1]patch series (apply in order),
   or a [2]monolithic diff (both updated 2007-04-25). Apache 2.2: [3]patch
   series (apply in order), or a [4]monolithic diff (both updated
   2008-01-05, see the [5]changelog).

   Both variants now include capabilities and nicing, and should be
   equivalent except for what upstream version they apply to.

   There is now also a user mailing list at mpm-itk [at] lists.err.no.
   Visit the [6]mailing list page to subscribe, or send a blank e-mail to
   mpm-itk-subscribe [at] lists.err.no.

Introduction

   apache2-mpm-itk (just mpm-itk for short) is an MPM (Multi-Processing
   Module) for the [7]Apache 2 web server (which you've probably heard of
   :-) ). mpm-itk allows you to run each of your vhosts under a separate
   uid and gid -- in short, the scripts and configuration files for one
   vhost no longer have to be readable by all the other vhosts.

   There are already MPMs available that do this, namely the perchild and
   [8]Metux MPMs (the latter being based on the former, which is included
   in the standard Apache 2 tree). However, both have their sets of
   problems; for instance, both are threaded, which can be a problem for
   many extension modules. Second, AFAIK both have issues with listening
   on multiple ports (i.e. SSL etc.), and I don't know how well they really
   perform in practice. (If you only run CGI scripts, suexec will also
   probably solve most of your problems.)

   mpm-itk is based on the traditional prefork MPM, which means it's
   non-threaded; in short, this means you can run non-thread-aware code
   (like many [9]PHP extensions) without problems. (On the other hand, you
   lose out on any performance benefit you'd get with threads, of course;
   you'd have to decide for yourself if that's worth it or not.)

Quirks and warnings

   Warning: since mpm-itk has to be able to setuid(), it runs as root
   until the request is parsed and the vhost determined. This means that
   any security hole before the request is parsed will be a root security
   hole. (The most likely place is probably in mod_ssl...) Without
   implementing socket passing (which is the primary reason why
   perchild/metux don't really work well; it's complex enough in the
   difficult cases that nobody has bothered to finish their socket passing
   implementation) or using some sort of special SELinux functionality,
   this is not going to change in the near future.

   UPDATE: Lennart Poettering kindly pointed out that at least under
   Linux, a process can drop most root privileges (like chown(), kill(),
   loading kernel modules etc. -- see capabilities(7) for a full list).
   The second patch above drops all such privileges except CAP_SETUID and
   CAP_SETGID, making the parent process still run as uid=0 (and being
   able to read files owned by uid=0 or gid=0), but at least be somewhat
   more limited.
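
   The two-stage privilege model described above (limit root to
   CAP_SETUID/CAP_SETGID before the request is parsed, then switch to the
   vhost's uid and gid), shown as an added example; it is not code from
   the mpm-itk patches. It uses the raw Linux capget/capset syscalls; the
   function names, the refusal of uid 0 and the uid/gid 65534 in main()
   are assumptions of this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* The two capabilities the page says the pre-request process keeps. */
#define ITK_KEEP ((1u << CAP_SETUID) | (1u << CAP_SETGID))

/* Drop every capability except ITK_KEEP; returns 0 on success. */
int itk_limit_caps(void) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &h, d) != 0) return -1;
    d[0].permitted &= ITK_KEEP;      /* never request more than we hold */
    d[0].effective = d[0].permitted;
    d[0].inheritable = 0;
    memset(&d[1], 0, sizeof d[1]);   /* capabilities 32..63: keep none */
    return (int)syscall(SYS_capset, &h, d);
}

/* Effective capabilities outside ITK_KEEP (0 means the drop held). */
unsigned itk_excess_caps(void) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &h, d) != 0) return ~0u;
    return (d[0].effective & ~ITK_KEEP) | d[1].effective;
}

/* Once the vhost is known: become its uid/gid for good. 0 on success. */
int itk_switch_user(uid_t uid, gid_t gid) {
    if (uid == 0) return -1;         /* example policy: never serve as root */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;  /* regaining root must fail */
}

int main(void) {
    if (itk_limit_caps() != 0 || itk_excess_caps() != 0) return 1;
    /* ... accept, parse the request, determine the vhost (still uid 0) ... */
    /* 65534 is a constructed stand-in for the vhost's AssignUserID values. */
    return itk_switch_user(getuid() ? getuid() : 65534,
                           getgid() ? getgid() : 65534);
}
```

   Between the two calls the process is still uid 0, so root-owned files
   stay readable even though the capability set is reduced.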

   There is also another minor quirk in mpm-itk, since it doesn't support
   forwarding between httpd instances; if you connect to httpd, make a
   request and then make a request on the same connection for a different
   vhost (this is supported as per the RFCs, as far as I know), mpm-itk
   simply shuts down the connection. (This is perfectly legal according to
   RFC2616; the web server simply simulates a timeout, and the client is
   supposed to just open a new connection and retry the request.) In
   practice this should very rarely become a problem, unless you include,
   say, graphics from one vhost on the pages of one with a different uid.

   Note that mpm-itk is experimental software; we've done a fair
   amount of stress testing, but it's nowhere near as tested as, say, prefork.
   That being said, it's being run in production at both
   [10]Studentersamfundet i Trondhjem (the ITK name comes from
   [11]IT-Komiteen, the IT committee at the student society in Trondheim)
   and [12]NTNU (the Norwegian University of Science and Technology, with
   about nine million hits a day), as well as various other places around
   the world, both hobbyist and commercial.

   People have reported issues with mpm-itk and mod_python, mod_ruby and
   FastCGI. I believe the mod_python and FastCGI problems have been
   largely solved by updates to those packages, but as I use neither, I
   can't really guarantee anything. YMMV, test before use. :-)

Installation

   If you can't apply a patch, you probably should not be using this. :-)
   However, several distributions now include mpm-itk as a choice
   alongside the other MPMs; in alphabetical order:
     * [13]Debian GNU/Linux
     * [14]FreeBSD ports
     * [15]Gentoo Linux
     * [16]Mandriva
     * [17]Ubuntu

   If you know of any I missed, or if you have included mpm-itk in your
   favourite distribution, please drop me a note (see below). I'd always
   be happy to expand this list :-)

Configuration variables

   The two new configuration settings compared to the prefork MPM are,
   per-vhost:

   AssignUserID: Takes two parameters, uid and gid (or really, user name
   and group name); specifies what uid and gid the vhost will run as
   (after parsing the request etc., of course).

   MaxClientsVHost: A separate MaxClients for the vhost. This can be
   useful if, say, half of your vhosts depend on some NFS server (like on
   our setup); if the NFS server goes down, you do not want the children
   waiting forever on NFS to take the non-NFS-dependent hosts down. This
   can thus act as a safety measure, giving "server too busy" on the
   NFS-dependent vhosts while keeping the other ones happily running. (Of
   course, you could use it to simply keep one site from eating way too
   much resources, but there are probably better ways of doing that.)

   Note that if you do not assign a user ID, the default one from Apache
   will be used. (It used to be root, but that has changed in more recent
   releases.)

Licensing

   mpm-itk is licensed under the Apache License, version 2.0, like the
   rest of Apache.

Contact

   mpm-itk is at the moment developed by Steinar H. Gunderson; e-mail
   address is at my [18]home page.

References

   1. http://mpm-itk.sesse.net/apache2-mpm-itk-2.0.55-4/
   2. http://mpm-itk.sesse.net/apache2-mpm-itk-20070425-00.patch
   3. http://mpm-itk.sesse.net/apache2.2-mpm-itk-2.2.6-01/
   4. http://mpm-itk.sesse.net/apache2.2-mpm-itk-20080105-00.patch
   5. http://mpm-itk.sesse.net/apache2.2-mpm-itk-2.2.6-01/CHANGES
   6. http://lists.err.no/mailman/listinfo/mpm-itk
   7. http://www.apache.org/
   8. http://www.metux.de/mpm/
   9. http://www.php.net/
  10. http://www.samfundet.no/
  11. http://itk.samfundet.no/
  12. http://www.ntnu.no/
  13. http://www.debian.org/
  14. http://www.freebsd.org/
  15. http://www.gentoo.org/
  16. http://www.mandriva.com/
  17. http://www.ubuntu.com/
  18. http://www.sesse.net/