Ok, knightfoo suggested this in another forum post:

http://www.serverbeach.com/forums/showthread.php?s=&postid=903#post903

Now, I want to limit the CPU/Memory resources limit. knightfoo gave the following links:

http://httpd.apache.org/docs/mod/core.html#rlimitcpu
http://httpd.apache.org/docs/mod/core.html#rlimitmem
http://httpd.apache.org/docs/mod/core.html#rlimitnproc

I have a few questions (as always):

1) How do I even set these up?

2) What are suggested values for each?

3) The Proc limit one has a note on the end.

"Note: If CGI processes are not running under userids other than the web server userid, this directive will limit the number of processes that the server itself can create. Evidence of this situation will be indicated by cannot fork messages in the error_log."

How do I make sure they are running under userids?

4) If I do this, is there any reason to modify the php.ini to limit cpu/mem resources (I would think there still is).

5) Any other suggestions/tip/whatever?

Thanks for all the help.

Wow! It's been a long time since I had time to play with that httpd stuff. But I think you can add those values to the httpd.conf file. Don't quote me on that though, I use IIS.

Hello,

Plesk runs cgi scripts under their respective userid's in suexec.

Hope that helps!

What is suexec? Does that mean I can safely add the limitproc?

Suexec is the cgi handler that plesk uses to handle cgi scripts. There are several security features in suexec.

As for the limits, I would assume so, since they do run as independant users!

I seem to have a lot of Apache questions. Is there another place I could go for Apache expertise that you guys know of?

All of the RLimit* directives can be used either in the main server configuration or within a <VirtualHost>. It is safe to use RLimitCPU and RLimitMEM in the main server configuration, but I would recommend only using RLimitNPROC within a VirtualHost with suexec enabled (User and Group set, see Apache docs).

The values depend on your system and what kind of scripts you run. A safe value for RLimitCPU is 30 (seconds) .. you can increase this if you have scripts that take longer than 30 seconds to run. RLimitMEM is a little fuzzier, but I would not recommend setting it lower than 16MB (loading an interpreter and libraries can easily take 8MB, before you even start executing code!). I've never had a need for RLimitNPROC, but it would be useful if there is one particular user or site that tends to spawn a ton of processes at once. This simply limits the number of processes that a user can spawn.

The RLimit directives only apply to processes which are forked from Apache, such as CGI scripts. Things like PHP and mod_perl are not forked (they are executed within httpd) so RLimit will have no effect on them. However, PHP and mod_perl have their own ways to limit resources .. check their respective manuals for more information.

-knightfoo

Knightfoo,

Within plesk you cannot add it to the virtualhost since the httpd.include file is overwritten by the psa database every rebuild. You could however add it to the vhost.conf file - correct?

Thanks for your help knightfoo. I'm going to try and read some more documentation about how to make the appropriate changes to the httpd.conf file.

As far as I understand it, I'm using Plesk and that uses suexec, so I'm good there, correct?

Now, as far as when to implement the RLimitProc to a specific user, about how many processes are to high? We have a few users that use 15 or more processes at a time sometimes. Is that abnormally high (it seems so to me)? What would you limit the number of processes to?

I think I will try 30 for the RLimitCPU and will try 20 for the RLimitMem. Let's say a user has a script that tries to run past this limit, what happens?

I've heard on the forums that there is stuff in the php.ini file, so I can dig that up myself probably.

However, I don't even really know what mod_perl is. I thought cgi and perl were the same things? What are the differences? I'm sure this is probably a pretty obvious question, but sometimes I'm just dense like that :)

Thanks for all the help guys.

Be very careful modifying the httpd.conf file! make backups....I took out frontpage server wide for 3 days once b/c of stupid changes in the http.conf file ;-)

Originally posted by awsolutions
Knightfoo,

Within plesk you cannot add it to the virtualhost since the httpd.include file is overwritten by the psa database every rebuild. You could however add it to the vhost.conf file - correct?

Yes, you can add those configuratin options to the vhost.conf

Originally posted by OOagent137
Thanks for your help knightfoo. I'm going to try and read some more documentation about how to make the appropriate changes to the httpd.conf file.

As far as I understand it, I'm using Plesk and that uses suexec, so I'm good there, correct?

Now, as far as when to implement the RLimitProc to a specific user, about how many processes are to high? We have a few users that use 15 or more processes at a time sometimes. Is that abnormally high (it seems so to me)? What would you limit the number of processes to?

I think I will try 30 for the RLimitCPU and will try 20 for the RLimitMem. Let's say a user has a script that tries to run past this limit, what happens?

I've heard on the forums that there is stuff in the php.ini file, so I can dig that up myself probably.

However, I don't even really know what mod_perl is. I thought cgi and perl were the same things? What are the differences? I'm sure this is probably a pretty obvious question, but sometimes I'm just dense like that :)

Thanks for all the help guys.

You will probably have to experiment a little bit to get the optimal number of processes. If a script exceeds the CPU or MEM limits, then it is simply killed.

CGI is more of an interface than a language. CGI scripts can be written in Perl, python, C, C++, bash, etc. mod_perl is an Apache module which allows you to write perl code that can be run like any other apache module .. this gives you access to more low level calls and a performance boost. mod_perl code is precompiled and cached, and there is no fork() to execute the script, similar to how PHP is used.

-knightfoo

So then, if it's simply killed, then does the user know anything is wrong? I mean, I don't want ppl thinking their code is messed up b/c their database is not updating when it's really a server issue.

The errors are logged by httpd in the ErrorLog. The assumption is that if the process hits the limit, it has already gone wrong and probably won't do anything useful anyway. The users should probably be made aware of the limits .. they may have a special case and the default limit is too low, but raising the limit would not be unreasonable. Customers should be also be able to see the error logs for their domains (but should not have write access to them) to help debug any issues that come up.

-knightfoo

Thanks for your help knightfoo. I guess we will set up those limits and inform our customers.

Well, I know I'm bring this thread back to life again (this has gotten pushed back), I'm not sure if I should start a new one or not, but here goes.

I've decided that I want to limit the CPU execution time to 30 seconds and to 24 mb of memory. Anyway, here is a standard section of an httpd.conf file:#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
ExtendedStatus On


Now, above that first line I posted, would I just put this?#
#This sets resource limits for the CPU and memory
#
RlimitCPU 30|max
RLimitMEM 25165824|maxI got that last number by multiplying 24 *1024*1024.

Thus, my httpd.conf file would now look like this:#
#This sets resource limits for the CPU and memory
#
RlimitCPU 30|max
RLimitMEM 25165824|max

#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
ExtendedStatus OnIs this correct?

Nope, remove the |max from them all.

The seconds|max in the specs are because you can set the value to either seconds or max, not both.

Ah, alright. Thanks for the help. Anyone have any other suggestions on what to do with these commands? Like, any additional options or anything (I read something about a hard and soft limit).