How to make Apache (2.2.4) less greedy, or Sendmail less polite?
Dan Nelson
dnelson at allantgroup.com
Thu May 3 23:17:34 UTC 2007
In the last episode (May 04), Olaf Greve said:
> Recently I upgraded my Apache 1.3.33 webserver to Apache 2.2.4, and
> ever since, I noticed that it is acting in such a way that it often
> is VERY greedy with my server's resources. Quite often, when running
> "top", a list that is as the one that appears at the bottom of this
> e-mail is shown: indeed pretty much solely httpd instances, that for
> extended periods of time almost continuously pull the CPU to close to
> 100%, and that also consume a lot of the memory resources...
> Strangely enough, at other times the CPU load is just slightly above
> 0%, say 0.4% or so...
>
> Apart from the fact that it "doesn't feel right" to see the CPU for
> substantial amounts of time, almost constantly close to 100%, there
> is a further issue, being that sendmail rejects connections when the
> server load is (too) high. This is very annoying, as e-mail is also
> a crucial part of the server's functionality, and I don't want
> sendmail to reject connections, each and every time that Apache goes
> berserk.
>
> Now, the machine in question, is an AMD-64 machine, and it runs the
> AMD-64 version of FreeBSD (5.4-release) with a custom kernel.
> Surely, Apache can be reconfigured such that it doesn't behave so
> selfishly, and leaves a decent amount of resources for other stuff
> (such as sendmail) on the machine too.
>
> What I'm basically trying to find out is:
> 1-Is this normal, or can this perhaps be some (brute force) hack attempt,
> where something is pounding Apache heavily, trying to find/exploit some
> security risk?
> 2-How can I inspect exactly what each httpd instance is doing (i.e. which
> request it is serving)?
> 3-How to best configure Apache 2.2.4 such that it will never use more than a
> specific amount of the system's resources (e.g. a CPU usage limit of 75%,
> and a memory limit of say 1GB)? It would be my guess that the amount of
> "MaxClients" should be lowered, but is that sufficient (note: current
> httpd-mpm.conf settings appear at the end of this e-mail, and indicate an
> amount of 150), and will that not somehow (all too) negatively affect the
> way Apache handles requests?
> 4-How to perhaps tell sendmail to be a bit more selfish, and stop it from
> rejecting connections for extended periods of time? (note: we all know just
> how much "fun" it can be to configure Sendmail :P so for now I've only
> included (a shortened version of the) RX daemon config file, and hope
> someone can give me a good pointer for this - or tell me where else to
> look).
> 5-When sendmail rejects (incoming) connections, does mail actually get lost,
> or will it (always) be handled later, when the server is less occupied?
I can't help you with Apache, but it's easy to tell sendmail to ignore
system load and deliver mail no matter what:
http://www.sendmail.org/m4/tweaking_config.html#confQUEUE_LA
Change these lines in your .mc file:
dnl define(`confDELAY_LA', 8)
dnl define(`confREFUSE_LA', 12)
to
define(`confQUEUE_LA', 999)
define(`confDELAY_LA', 999)
define(`confREFUSE_LA', 999)
They are more useful on a system that's only handling email, so if
someone starts sending evil attachments that chew up CPU time being
virus or spam-scanned, the server will just start throttling mail
delivery. If the load isn't being caused by mail delivery, it's better
to bump it wayy up.
--
Dan Nelson
dnelson at allantgroup.com
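
Added example, not part of the original message: a small Python check that reads the three load-average defines discussed above from a .mc file, reports which are active (not commented out with dnl), flags a define with a missing m4 quote, and lists which thresholds a given load average has reached. The sample .mc text, the function names and the "load >= value" comparison are assumptions made for illustration; sendmail's real queueing decision also weighs message priority.

```python
import re

# Constructed sample .mc fragment (not taken from the poster's server).
SAMPLE_MC = """\
dnl define(`confQUEUE_LA', 8)
define(`confDELAY_LA', 999)
define(`confREFUSE_LA', 12)
define(`confQUEUE_LA, 999)
"""

# What sendmail does once the load average reaches each threshold.
ACTIONS = {
    "confQUEUE_LA": "queue mail instead of delivering it immediately",
    "confDELAY_LA": "slow down SMTP sessions",
    "confREFUSE_LA": "refuse incoming SMTP connections",
}
NAME_RE = re.compile(r"conf(?:QUEUE|DELAY|REFUSE)_LA")
DEFINE_RE = re.compile(r"^\s*define\(`(conf(?:QUEUE|DELAY|REFUSE)_LA)',\s*`?(\d+)'?\)")


def parse_mc(mc_text):
    """Return (active, malformed): active maps macro -> int for defines
    that are not commented out with dnl; malformed lists line numbers
    that name a load-average macro but are not a well-quoted define."""
    active, malformed = {}, []
    for lineno, line in enumerate(mc_text.splitlines(), 1):
        if line.lstrip().startswith("dnl") or not NAME_RE.search(line):
            continue
        m = DEFINE_RE.match(line)
        if m:
            active[m.group(1)] = int(m.group(2))
        else:
            malformed.append(lineno)
    return active, malformed


def reached(active, load):
    """Simplification: a threshold counts as reached when load >= value."""
    return sorted(n for n, limit in active.items() if limit > 0 and load >= limit)


if __name__ == "__main__":
    active, malformed = parse_mc(SAMPLE_MC)
    for name in sorted(ACTIONS):
        print(name, active.get(name, "not set here, built-in default applies"))
    print("malformed define on line(s):", malformed)
    for name in reached(active, 15.0):
        print("at load 15.0 sendmail would", ACTIONS[name])
```

In the constructed sample, the fourth line is missing the closing quote after the macro name, so m4 would not see it as a normal define; the check reports it instead of silently treating the threshold as raised.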