apache2 run script

apache2 run script

[Mark]

Hello.

On the apache2 run script listed under 

  http://smarden.org/runit/runscripts.html#apache2

o recent runit-1.6.0 doesn't install '/command/pgrphack' anymore so
  '/command/chpst -P' is required
o GNU/Linux too requires '/command/chpst -P' otherwise Apache comes up again
  after 'sv down'.

So this is my current run script:

#!/bin/sh
exec 2>&1
exec /command/chpst -P /usr/local/apache2/bin/httpd -DNO_DETACH

Bye,
  Mark

-- 
    TOAD -- A Simple and Powerful C++ GUI Toolkit for the X Window System
    /OO\    Check it out at http://www.mark13.org/toad/
__(/_--_\)__________________________ Mark-André Hopf <mhopf@mark13.org>

Re: apache2 run script

[Alex Efros]

Hi!

On Sun, Oct 01, 2006 at 11:29:40AM +0200, Mark wrote:
> #!/bin/sh
> exec 2>&1
> exec /command/chpst -P /usr/local/apache2/bin/httpd -DNO_DETACH

Hmm. I'm using Gentoo, and maybe it add some custom patches for apache
related to this issue, not sure. But AFAIK -DNO_DETACH is enough and no
process group hack needed anymore. My exec line in run script is:

exec env -i PATH=$PATH apache2 -DNO_DETACH -k start -DSSL

Gentoo's package name is: net-www/apache-2.0.58-r2.

-- 
			WBR, Alex.

Re: apache2 run script

[Charlie Brady]

On Sun, 1 Oct 2006, Mark wrote:

> Hello.
>
> On the apache2 run script listed under
>
>  http://smarden.org/runit/runscripts.html#apache2
>
> o recent runit-1.6.0 doesn't install '/command/pgrphack' anymore so
>  '/command/chpst -P' is required
> o GNU/Linux too requires '/command/chpst -P' otherwise Apache comes up again
>  after 'sv down'.
>
> So this is my current run script:
>
> #!/bin/sh
> exec 2>&1
> exec /command/chpst -P /usr/local/apache2/bin/httpd -DNO_DETACH

This is what I have:

exec 2>&1
exec chpst -P /usr/sbin/httpd -f $config -D FOREGROUND

Re: apache2 run script

[Vincent Danen]

[-- Attachment #1: Type: text/plain, Size: 1105 bytes --]

* Alex Efros <powerman@powerman.asdfGroup.com> [2006-10-06 02:58:25 +0300]:

> On Sun, Oct 01, 2006 at 11:29:40AM +0200, Mark wrote:
> > #!/bin/sh
> > exec 2>&1
> > exec /command/chpst -P /usr/local/apache2/bin/httpd -DNO_DETACH
> 
> Hmm. I'm using Gentoo, and maybe it add some custom patches for apache
> related to this issue, not sure. But AFAIK -DNO_DETACH is enough and no
> process group hack needed anymore. My exec line in run script is:
> 
> exec env -i PATH=$PATH apache2 -DNO_DETACH -k start -DSSL
> 
> Gentoo's package name is: net-www/apache-2.0.58-r2.

This is what I'm using in Annvix:

http://svn.annvix.org/cgi-bin/viewcvs.cgi/releases/2.0-CURRENT/httpd-conf/SOURCES/httpd.run?root=packages&view=markup

It's a little long to paste in here because we do some auto-detection
and definitions of modules for the way our configuration file is laid
out, but we haven't needed to use chpst with httpd, and we also use
-DNO_DETACH.


-- 
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C  A2BC 2EBC 5E32 FEE3 0AD4}
mysql> SELECT * FROM users WHERE clue > 0;
Empty set (0.00sec)

[-- Attachment #2: Type: application/pgp-signature, Size: 186 bytes --]

Re: apache2 run script

[Charlie Brady]

On Fri, 6 Oct 2006, Vincent Danen wrote:

> * Alex Efros <powerman@powerman.asdfGroup.com> [2006-10-06 02:58:25 +0300]:
>
>> On Sun, Oct 01, 2006 at 11:29:40AM +0200, Mark wrote:
>>> #!/bin/sh
>>> exec 2>&1
>>> exec /command/chpst -P /usr/local/apache2/bin/httpd -DNO_DETACH
>>
>> Hmm. I'm using Gentoo, and maybe it add some custom patches for apache
>> related to this issue, not sure. But AFAIK -DNO_DETACH is enough and no
>> process group hack needed anymore. My exec line in run script is:
>>
>> exec env -i PATH=$PATH apache2 -DNO_DETACH -k start -DSSL
>>
>> Gentoo's package name is: net-www/apache-2.0.58-r2.
>
> This is what I'm using in Annvix:
>
> http://svn.annvix.org/cgi-bin/viewcvs.cgi/releases/2.0-CURRENT/httpd-conf/SOURCES/httpd.run?root=packages&view=markup
>
> It's a little long to paste in here because we do some auto-detection
> and definitions of modules for the way our configuration file is laid
> out, but we haven't needed to use chpst with httpd, and we also use
> -DNO_DETACH.

I think that "chpst -P .... -D FOREGROUND" is equivalent to "... -D 
NO_DETACH"

http://mail-archives.apache.org/mod_mbox/httpd-cvs/200204.mbox/%3C20020405001814.86519.qmail@icarus.apache.org%3E

...
   +  *) worker and prefork MPMs: Add -DFOREGROUND switch to cause the
   +     Apache parent process to run in the foreground (similar to -DNO_DETACH
   +     except that it doesn't switch session ids).  [Jeff Trawick]
...

Re: apache2 run script

[Charlie Brady]

On Fri, 6 Oct 2006, Alex Efros wrote:

> Hi!
>
> On Sun, Oct 01, 2006 at 11:29:40AM +0200, Mark wrote:
>> #!/bin/sh
>> exec 2>&1
>> exec /command/chpst -P /usr/local/apache2/bin/httpd -DNO_DETACH
>
> Hmm. I'm using Gentoo, and maybe it add some custom patches for apache
> related to this issue, not sure. But AFAIK -DNO_DETACH is enough and no
> process group hack needed anymore. My exec line in run script is:
>
> exec env -i PATH=$PATH apache2 -DNO_DETACH -k start -DSSL

As a matter of interest, why do you do "env -i PATH=$PATH"? One of the 
things that runit gives you is a guaranteed consistent environment, 
inherited from runsvdir.

Do you have "env -i ..." in all your run scripts?

Re: apache2 run script

[Alex Efros]

Hi!

On Fri, Oct 06, 2006 at 10:30:12AM -0400, Charlie Brady wrote:
> >exec env -i PATH=$PATH apache2 -DNO_DETACH -k start -DSSL
> 
> As a matter of interest, why do you do "env -i PATH=$PATH"? One of the 
> things that runit gives you is a guaranteed consistent environment, 
> inherited from runsvdir.
> 
> Do you have "env -i ..." in all your run scripts?

:-) Because I've shown here only part of my real 'exec' line to not
overcomplicate example. My ./run really is:

---cut---
#!/bin/sh
exec &>/var/log/all/.log
[[ -e .wait4dep ]] && exit
exec env -i PATH=$PATH LD_PRELOAD=libREV.so \
    apache2 -DNO_DETACH -k start -DDOC -DSSL -DFASTCGI # -DPHP4
---cut---

1) /var/log/all/.log is cumulative log (FIFO) designed to be only log file
   always opened for reading (tail -F) by admin and to be really readable:
   usually there few lines with important information added in few hours.
   It contains:
   a) All 'unusual' output from all services: runsvdir's STDOUT/STDERR
      for example. Here you see apache's STDOUT/STDERR redirected there
      because in normal execution flow apache will not output anything
      into STDOUT/STDERR, it will use own logs instead.
   b) All lines from all service's logs except filtered by admin
      non-interested lines. I'm using 'e' and 'E' in ./config files of
      svlogd to select these lines and my ./log/run usually looks this way:
	#!/bin/sh
	exec &>/var/log/all/.log
	exec svlogd -tt /var/log/acpid/*/
   Also I've notification service which is also reading this one log file
   and do some actions: modify firewall, notify me, etc. It's based on idea
   from http://smarden.org/socklog/notify.html .

2) .wait4dep is my home-made service dependency system. It's fairly simple
   (realization is 519 bytes of bash script) and designed mostly to make
   system startup faster by avoiding starting all services at once (not to
   provide 'reliable dependencies', because this is impossible).

3) libREV.so is our trick for web development. This library able to
   intercept all syscalls for opening files and redirect them to different
   files if needed. Looks like rootkit. ;-) This is for working with
   different 'revisions' of same CGI/html file at same time.

So... because of LD_PRELOAD and libREV's nature I prefer to not export
LD_PRELOAD to processes which doesn't need it. Most safe way - provide
this variable only for apache2 process using `env` or `envdir` or `chpst -e`.


P.S. No, I don't have `env` in all my ./run scripts. ;-) I've it only in
apache's ./run script.

-- 
			WBR, Alex.

Re: apache2 run script

[Charlie Brady]

On Fri, 6 Oct 2006, Alex Efros wrote:

> Hi!
>
> On Fri, Oct 06, 2006 at 10:30:12AM -0400, Charlie Brady wrote:
>>> exec env -i PATH=$PATH apache2 -DNO_DETACH -k start -DSSL
>>
>> As a matter of interest, why do you do "env -i PATH=$PATH"? One of the
>> things that runit gives you is a guaranteed consistent environment,
>> inherited from runsvdir.
...
> exec env -i PATH=$PATH LD_PRELOAD=libREV.so \
>    apache2 -DNO_DETACH -k start -DDOC -DSSL -DFASTCGI # -DPHP4
...
> 3) libREV.so is our trick for web development. This library able to
>   intercept all syscalls for opening files and redirect them to different
>   files if needed. Looks like rootkit. ;-) This is for working with
>   different 'revisions' of same CGI/html file at same time.
>
> So... because of LD_PRELOAD and libREV's nature I prefer to not export
> LD_PRELOAD to processes which doesn't need it. Most safe way - provide
> this variable only for apache2 process using `env` or `envdir` or `chpst -e`.

I don't see any advantage over:

export LD_PRELOAD=libREV.so
exec apache2 -DNO_DETACH -k start -DDOC -DSSL -DFASTCGI # -DPHP4

or

LD_PRELOAD=libREV.so exec apache2 -DNO_DETACH -k start \
   -DDOC -DSSL -DFASTCGI # -DPHP4

Re: apache2 run script

[Alex Efros]

Hi!

On Fri, Oct 06, 2006 at 11:46:29AM -0400, Charlie Brady wrote:
> >exec env -i PATH=$PATH LD_PRELOAD=libREV.so \
> >   apache2 -DNO_DETACH -k start -DDOC -DSSL -DFASTCGI # -DPHP4
> ...
> 
> I don't see any advantage over:
> 
> export LD_PRELOAD=libREV.so
> exec apache2 -DNO_DETACH -k start -DDOC -DSSL -DFASTCGI # -DPHP4

This way there a chance to occasionally add some commands between export
and exec lines. This may result in accessing wrong files in these commands
because of libREV.

> LD_PRELOAD=libREV.so exec apache2 -DNO_DETACH -k start \
>   -DDOC -DSSL -DFASTCGI # -DPHP4

Yeah, this is acceptable, but I prefer to have 'exec' word in beginning of line
to make scripts ease to read/understand.


Anyway. Why you dislike `env -i` so much to invent all these alternatives? :)
For me `env` is good small program which doing it small task good enough:
    env - run a program in a modified environment
In my ./run I need to 'run a program in a modified environment' so I've
used `env`. What's wrong with this? 

-- 
			WBR, Alex.

Re: apache2 run script

[Paul Jarc]

Alex Efros <powerman@powerman.asdfGroup.com> wrote:
> Anyway. Why you dislike `env -i` so much to invent all these alternatives? :)

I think the interest is mostly in -i, not env.  Do you have variables
in runsv's environment that Apache shouldn't have?


paul

Re: apache2 run script

[Alex Efros]

Hi!

On Fri, Oct 06, 2006 at 12:01:49PM -0400, Paul Jarc wrote:
> Alex Efros <powerman@powerman.asdfGroup.com> wrote:
> > Anyway. Why you dislike `env -i` so much to invent all these alternatives? :)
> 
> I think the interest is mostly in -i, not env.  Do you have variables
> in runsv's environment that Apache shouldn't have?

Hmm. No, I don't think -i really needed. In ./run script there about 30
variables, but most of them bash-related and I don't think some of them may
affect apache execution.

But... it just ease to use -i when starting apache than think 'is it safe'
about every from these 30 variables, check apache's documentation about used
variables, etc. Many years ago when I was a newbie sysadmin I have some
problems with apache started in unclean environment, so I always use -i
from that time... just for the case. That's called experience. ;-)

-- 
			WBR, Alex.

Re: apache2 run script

[Charlie Brady]

On Fri, 6 Oct 2006, Alex Efros wrote:

> On Fri, Oct 06, 2006 at 12:01:49PM -0400, Paul Jarc wrote:
>> Alex Efros <powerman@powerman.asdfGroup.com> wrote:
>>> Anyway. Why you dislike `env -i` so much to invent all these alternatives? :)
>>
>> I think the interest is mostly in -i, not env.  Do you have variables
>> in runsv's environment that Apache shouldn't have?
>
> Hmm. No, I don't think -i really needed. In ./run script there about 30
> variables, but most of them bash-related and I don't think some of them may
> affect apache execution.
>
> But... it just ease to use -i when starting apache than think 'is it safe'
> about every from these 30 variables, check apache's documentation about used
> variables, etc.

I'd be surprised if you have 30 variables set. I have only these:

@400000004526ef972d1a97bc SELINUX_INIT=YES
@400000004526ef972d1a9f8c CONSOLE=/dev/console
@400000004526ef972d1aa374 TERM=linux
@400000004526ef972d1aa374 INIT_VERSION=sysvinit-2.85
@400000004526ef972d1aa75c PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
@400000004526ef972d1aab44 RUNLEVEL=7
@400000004526ef972d1aaf2c PWD=/var/service/mysqld
@400000004526ef972d1aaf2c PREVLEVEL=N
@400000004526ef972d1ab314 HOME=/
@400000004526ef972d1ab6fc SHLVL=1
@400000004526ef972d1ab6fc _=/bin/env

Add 'env' to one of your run scripts and you will learn what you have.

My /etc/runit/2 script is this (but with proctitle arg edited for 
brevity):

===
#!/bin/sh

PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin

exec </dev/null
exec runsvdir -P /service 'log: ...[snip]...'
===

The environment could be smaller again if I used 'env -' in the 
/etc/runit/2 script.

> Many years ago when I was a newbie sysadmin I have some
> problems with apache started in unclean environment, so I always use -i
> from that time... just for the case. That's called experience. ;-)

That was before you started to use supervision, which was designed in part 
to guarantee a clean, predictable and invariant environment.

'env -' is not harmful, it's just wasted cycles.

Re: apache2 run script

[Alex Efros]

Hi!

On Fri, Oct 06, 2006 at 08:15:38PM -0400, Charlie Brady wrote:
> I'd be surprised if you have 30 variables set. I have only these:
> 
> @400000004526ef972d1a97bc SELINUX_INIT=YES
> @400000004526ef972d1a9f8c CONSOLE=/dev/console
> @400000004526ef972d1aa374 TERM=linux
> @400000004526ef972d1aa374 INIT_VERSION=sysvinit-2.85
> @400000004526ef972d1aa75c 
> PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
> @400000004526ef972d1aab44 RUNLEVEL=7
> @400000004526ef972d1aaf2c PWD=/var/service/mysqld
> @400000004526ef972d1aaf2c PREVLEVEL=N
> @400000004526ef972d1ab314 HOME=/
> @400000004526ef972d1ab6fc SHLVL=1
> @400000004526ef972d1ab6fc _=/bin/env
> 
> Add 'env' to one of your run scripts and you will learn what you have.

Hmm. I've used 'set':

    BASH=/bin/sh
    BASH_ARGC=()
    BASH_ARGV=()
    BASH_LINENO=([0]="0")
    BASH_SOURCE=([0]="./run")
    BASH_VERSINFO=([0]="3" [1]="1" [2]="17" [3]="1" [4]="release" [5]="i686-pc-linux-gnu")
    BASH_VERSION='3.1.17(1)-release'
    DIRSTACK=()
    EUID=0
    GROUPS=()
    HOSTNAME=home
    HOSTTYPE=i686
    IFS=' 	
    '
    MACHTYPE=i686-pc-linux-gnu
    OPTERR=1
    OPTIND=1
    OSTYPE=linux-gnu
    PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin
    POSIXLY_CORRECT=y
    PPID=19003
    PS4='+ '
    PWD=/service/1
    SHELL=/bin/bash
    SHELLOPTS=braceexpand:hashall:interactive-comments:posix
    SHLVL=1
    TERM=dumb
    UID=0
    _=/bin/sh

but this probably wrong because it also show non-exported variables.
'env' show only these:

    PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin
    PWD=/service/1
    SHLVL=1
    _=/bin/env

Ok then, I'll fix my ./run script. ;-D

-- 
			WBR, Alex.

Re: apache2 run script

[Paul Jarc]

Charlie Brady <charlieb-supervision@budge.apana.org.au> wrote:
> 'env -' is not harmful, it's just wasted cycles.

It also makes the correctness of the script more easily inferred by
the reader, which is not a bad thing.  Cycles are cheap.


paul