Sisyphus repository
Last updated: 1 October 2023 | Packages: 18631 | Visits: 37045191
Group :: System/Servers
Package: apache2


<html>
<head>
<title>apache2-mpm-itk</title>
</head>
<body>
<h1>The Apache 2 ITK MPM</h1>

<p>(Very provisional homepage, I'd rather make software than make
web pages :-) )</p>

<p>Direct download link for Apache 2.0: <a href="apache2-mpm-itk-2.0.55-5/">patch series</a> (apply in order), or
a <a href="apache2-mpm-itk-20080727-00.patch">monolithic diff</a>
(both <strong>updated 2008-07-27</strong>).
Apache 2.2: <a href="apache2.2-mpm-itk-2.2.6-02/">patch series</a> (apply in order), or
a <a href="apache2.2-mpm-itk-20080727-00.patch">monolithic diff</a>
(both <strong>updated 2008-07-27</strong>,
see the <a href="apache2.2-mpm-itk-2.2.6-02/CHANGES">changelog</a>).</p>

<p>Both variants now include capabilities and nicing, and should be equivalent except
for what upstream version they apply to.</p>

<p>There is now also a user mailing list at mpm-itk [at] lists.err.no. Visit the
<a href="http://lists.err.no/mailman/listinfo/mpm-itk">mailing list page</a> to
subscribe, or send a blank e-mail to mpm-itk-subscribe [at] lists.err.no.</p>

<h2>Introduction</h2>

<p>apache2-mpm-itk (just mpm-itk for short) is an MPM (Multi-Processing
Module) for the <a href="http://www.apache.org/">Apache</a> 2 web
server (which you've probably heard of :-) ). mpm-itk allows you
to run each of your vhosts under a separate uid and gid -- in short,
the scripts and configuration files for one vhost no longer have to
be readable for all the other vhosts.</p>

<p>There are already MPMs available that do this, namely the <em>perchild</em>
and <em><a href="http://www.metux.de/mpm/">Metux</a></em> MPMs (the latter being based on the former, which is
included in the standard Apache 2 tree). However, both have their sets
of problems; for instance, both are threaded, which can be a problem
for many extension modules. Second, AFAIK both have issues with listening
on multiple ports (i.e. SSL etc.), and I don't know how well they really
perform in practice. (If you only run CGI scripts, suexec will also
probably solve most of your problems.)</p>

<p>mpm-itk is based on the traditional <em>prefork</em> MPM, which means
it's non-threaded; in short, this means you can run non-thread-aware code
(like many <a href="http://www.php.net">PHP</a> extensions) without
problems. (On the other hand, you lose out to any performance benefit
you'd get with threads, of course; you'd have to decide for yourself if
that's worth it or not.)</p>

<h2>Quirks and warnings</h2>

<p><strong>Warning:</strong> since mpm-itk has to be able to setuid(),
it <em>runs as root</em> until the request is parsed and the vhost
determined. This means that <em>any security hole before the request
is parsed</em> will be a root security hole. (The most likely place
is probably in mod_ssl...) Without implementing socket passing (which
is the primary reason why perchild/metux doesn't really work well;
it's complex enough in the difficult cases that nobody has bothered
to finish their socket passing implementation) or using some sort of
special SELinux functionality, this is not going to change in the
near future. <strong>UPDATE:</strong> Lennart Poettering kindly
pointed out that at least under Linux, a process can drop most root
privileges (like chown(), kill(), loading kernel modules etc. --
see capabilities(7) for a full list). The second patch above drops
all such privileges except CAP_SETUID and CAP_SETGID, making the
parent process still run as uid=0 (and being able to read files owned
by uid=0 or gid=0), but at least be somewhat more limited.</p>

<p>There is also another minor quirk in mpm-itk, since it doesn't support forwarding
between httpd instances; if you connect to httpd, make a request and
then make a request on the same connection for a different vhost (this
is supported as per the RFCs, as far as I know), mpm-itk simply
shuts down the connection. (This is perfectly legal according to RFC 2616;
the web server simply simulates a timeout, and the client is supposed
to just open a new connection and retry the request.) In practice this
should very rarely become a problem, unless you include, say, graphics
from one vhost on the pages of one with a different uid.</p>

<p>Note that mpm-itk is experimental software; we've done a
fair amount of stress testing, but it's nowhere near as tested as, say,
prefork. That being said, it's being run in production at both
<a href="http://www.samfundet.no/">Studentersamfundet i Trondhjem</a> (the
ITK name comes from <a href="http://itk.samfundet.no/">IT-Komiteen</a>,
the IT committee at the student society in Trondheim) and
<a href="http://www.ntnu.no/">NTNU</a> (the Norwegian University of
Science and Technology, with about nine million hits a day), as
well as various other places around the world, both hobbyist and
commercial.</p>

<p>People have reported issues with mpm-itk and mod_python, mod_ruby
and FastCGI. I believe the mod_python and FastCGI problems have been
largely solved by updates to those packages, but as I use neither, I
can't really guarantee anything. YMMV, test before use. :-)</p>

<h2>Installation</h2>

<p>If you can't apply a patch, you probably should not be using this. :-)
However, several distributions now include mpm-itk as a choice alongside
the other MPMs; in alphabetical order:</p>

<ul>
<li><a href="http://www.debian.org/">Debian GNU/Linux</a></li>
<li><a href="http://www.freebsd.org/">FreeBSD</a> ports</li>
<li><a href="http://www.gentoo.org/">Gentoo Linux</a></li>
<li><a href="http://www.mandriva.com/">Mandriva</a></li>
<li><a href="http://www.ubuntu.com/">Ubuntu</a></li>
</ul>

<p>If you know of any I missed, or if you have included mpm-itk in your
favourite distribution, please drop me a note (see below).
I'd always be happy to expand this list :-)</p>

<h2>Configuration variables</h2>

<p>The two new configuration settings compared to the prefork MPM are,
per-vhost:</p>

<p><code>AssignUserID</code>: Takes two parameters, uid and gid (or
really, user name and group name); specifies what uid and gid the
vhost will run as (after parsing the request etc., of course).</p>

<p><code>MaxClientsVHost</code>: A separate MaxClients for the vhost.
This can be useful if, say, half of your vhosts depend on some NFS
server (like on our setup); if the NFS server goes down, you do not
want the children waiting forever on NFS to take the non-NFS-dependent
hosts down. This can thus act as a safety measure, giving "server too
busy" on the NFS-dependent vhosts while keeping the other ones
happily running. (Of course, you could use it to simply keep one site
from eating way too much resources, but there are probably better
ways of doing that.)</p>

<p>Note that if you do not assign a user ID, the default one from
Apache will be used. (It used to be root, but that has changed in
more recent releases.)</p>
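<p>The following vhost configuration is an added example, not part of the
original mpm-itk page: two vhosts on one httpd, each assigned its own
unprivileged uid/gid and its own share of the process pool. The user
and group names, hostnames and paths are placeholders; the accounts and
directories must exist before httpd is started.</p>

```apache
# Added example (not from the mpm-itk homepage). Assumes mpm-itk is the
# active MPM and that users/groups vhost1 and vhost2 exist.

# Global prefork-style limits still bound the whole server.
StartServers   5
MaxClients     150

# Any vhost WITHOUT AssignUserID runs as this global user/group,
# i.e. the Apache default the text refers to.
User  www-data
Group www-data

<VirtualHost *:80>
    ServerName   www.example.org
    DocumentRoot /var/www/example-org/htdocs
    # After the request is parsed, this child setuid()s to vhost1:vhost1.
    # The DocumentRoot tree can therefore be owned by vhost1:vhost1 with
    # mode 0750, so the other vhost's uid cannot read its scripts/config.
    AssignUserID vhost1 vhost1
    # Per-vhost cap on concurrent children (the NFS case in the text):
    # once 40 children are busy here, further requests to this vhost get
    # "server too busy" while www.example.net keeps being served.
    MaxClientsVHost 40
</VirtualHost>

<VirtualHost *:80>
    ServerName   www.example.net
    # Placeholder: a tree that lives on an NFS mount and may hang.
    DocumentRoot /srv/nfs/example-net/htdocs
    AssignUserID vhost2 vhost2
    MaxClientsVHost 40
</VirtualHost>
```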

<h2>Licensing</h2>

<p>mpm-itk is licensed under the Apache License, version 2.0, like the rest
of Apache.</p>

<h2>Contact</h2>

<p>mpm-itk is at the moment developed by Steinar H. Gunderson; e-mail
address is at my <a href="http://www.sesse.net/">home page</a>.</p>
</body>
</html>
 
design and development: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin