mpm-itk feature request in bug-tracker Hello! I've been using mpm-worker and mod-fcgid on my server and I would like to replace it with mpm-itk and mod-php5. if I have understood correctly, I need to run Code: aptitude remove libapache2-mod-fcgid aptitude install apache2-mpm-itk libapache2-mod-php5 All that remains is ISPConfig3, could someone instruct me how to get ISPConfig3 to work with mpm-itk? Can I access ISPConfig3 web interface after changing to mpm-itk or do I need to edit it's own vhost manually? The bugtracker note mentions vhost templates, but I couldn't find any topics about mpm-itk and ISPConfig3. Is it possible to get ISPConfig3 to support mpm-itk in web interface without major pain in the ass and still allowing easy updates when new version of ISPConfig3 is released? Thank you.
As far as I know, mpm-itk has not been testedc with ISPConfig 3, so I can not predict if it will work or not.
I wouldn't mind to try out, I just realized that I can use Sites / <domain> / Options / Apache directives and add following piece to each domain. Code: <IfModule mpm_itk_module> AssignUserId web1 client1 </IfModule> That way it should work without official support, the downside is that I need to go through a few dozen domains by hand to add each domain's correct user and group, but whatever. I guess I need to edit 000-ispconfig.vhost by hand and add Code: <IfModule mpm_itk_module> AssignUserId ispconfig ispconfig </IfModule> Or does ISPConfig overwrite these changes to its own vhost if I use the web interface?
Where is it located exactly? And if I use the master template, does this work? Code: <IfModule mpm_itk_module> AssignUserId <tmpl_var name='system_user'> <tmpl_var name='system_group'> </IfModule>
I just realized that I should ask whether I need to do something after editing vhost.conf.master file? I mean, how are the changes going to propagate to all vhosts that are already set up? Edit: Further searching on the forums revealed it's not possible to force new settings on existing vhosts but they are updated if you edit them in web interface. Of course this poses a problem on how to update ispconfig.vhost. By hand I guess.
Okay, here's how I set up mpm-itk. /etc/apache2/apache2.conf Code: #itk MPM <IfModule mpm_itk_module> StartServers 5 MinSpareServers 5 MaxSpareServers 10 MaxClients 150 MaxRequestsPerChild 5000 </IfModule> /etc/apache2/sites-available/ispconfig.vhost Code: <IfModule mpm_itk_module> AssignUserId ispconfig ispconfig </IfModule> /usr/local/ispconfig/server/conf/vhost.conf.master Code: <IfModule mpm_itk_module> AssignUserId <tmpl_var name='system_user'> <tmpl_var name='system_group'> </IfModule> Updated each vhost in ispconfig to make these changes apply to vhosts. mkdir /etc/php5/apache2 cp /etc/php5/cgi/php.ini /etc/php5/apache2/php.ini apache2ctl -k graceful-stop && aptitude remove apache2 apache2-mpm-worker -y && aptitude install apache2-mpm-itk libapache2-mod-php5 -y && a2enmod php5 && /etc/init.d/apache2 restart In ispconfig changed fastcgi to mod-php and disabled suexec. apache2ctl -k graceful Now everything works except for the one reason I installed mpm-itk for, permissions. I tested what happens if I change file permissions to another user and group, to my dismay php happily executed those files with no regard to AssignUserId. Then I turned on suexec, no effect. Tried ispconfig.vhost, permissions worked as expected. So effectively this seems to have disabled all permissions checks for all except ispconfig.vhost! Seriously, what's going on here? mpm-itk is smart enough to throw a hissy fit if AssignUserId is in wrong place in vhost, which I tested. So why does mpm-itk work only on ispconfig.vhost, ignoring rest? Does anyone have any idea? Could it be that suexec, mpm-itk happily reads but doesn't write to files owned by other users and groups? If so, then I wonder why ispconfig stops working altogether when user and group doesn't match. I assumed permission control was to prevent reading of files belonging to other users as well. Edit: mpm-itk works with above set-up, which is fairly easy to do. At least the effect is same as using suexec, but according to benchmarks should be faster.
Have you tested this yourself? I tested two weeks ago apache2 with mod_php, php-fcgi and cgi and the fcgi version was even a bist faster then the mod_php version. Thats why I would recommend to use the default ispconfig setup with php-fcgi + suexec instead of reconfiguring it with mpm-itk.
I would have continued to use mpm-worker and mod-fcgid but fcgid and suexec didn't play along well with mpm-worker. One Apache process would frequently rise to 100% cpu usage and make Apache unusable. Apparently suphp did work though, but it ignores mod-fcgid process control. Hence I thought that if I have to switch to prefork, I might as well use mpm-itk which places permissions control where it should be and is in effect in all files, not just php/cgi. Also, since it doesn't use mod-fcgid use of php accelerator like APC or X-Cache is now possible. These won't work with mod-fcgid because they don't share cache between fcgid processes. I haven't benchmarked mpm-itk against mpm-prefork with mod-fcgid/suexec on live server where it should be done to get realistic results.
I've been using mpm-itk with ISPConfig for quite some time on fairly busy sites, and it works well. It'd be rather nice if it could be integrated into ISPConfig so we don't have to patch after each release I need to restrict directory permissions (no world readable directories), so the alternatives to mpm-itk (php-fcgi/etc) won't work in my case.
If you create patches for the nescessary changes and sent them to dev [at] ispconfig [dot] org, then we can integrate it in ispconfig.
Keeper/ilaidlaw, I am interested in testing this out, however the only way for me to do that is to put it onto the production server and to see how it goes. Is mpm-itk still working properly for you? Could you explain the steps that are required for getting this to work, and could you please lay out benefits and so? Is anyone working on a patch for ispconfig 3?
How I set it up was explained in previous page. mpm-itk is still working fine and even though it performs slightly slower than prefork, I believe it's been worth it from security perspective considering the server hosts something like 30-40 sites, though most of them are low-traffic. Due to performance issues however I'm waiting for ISPConfig3 to support nginx and then ponder switching over to it.