Centos 5 and mpm-itk
Date: 2010-08-02 Source: xuequansongmo
EDIT: If you just want to get on and use mpm-itk on Centos 5 please check the comments as Sascha Schieferdecker has very kindly compiled some up to date binaries.
A long time ago someone got fed up with suexec, suPHP and other methods of preventing virtual hosting users from messing each other's accounts up. They realised that the real problem was not that a module was missing from Apache, but rather that the design of Apache makes it impossible to secure in a per-user way. After reading Stuart Herbert's discussion of the pros and cons of different solutions to this problem and his evaluation of mpm-itk, I decided to look into it further.
One nice solution that has been developed is mpm-peruser, but that seemed to spawn a great many processes and have performance issues, so I took a look at the much simpler mpm-itk. Fortunately this module is already prepackaged on Debian; unfortunately CentOS does not have an RPM for it, nor could I find one by searching. The only option left was to patch the source httpd RPM myself.
Unfortunately there is only a guide for CentOS 4 online, which does not work with CentOS 5. A little bit of searching on the CentOS wiki found me these two links
The second was most useful, as what we wanted to do was patch the SRPMS (Source RPMS), which are then compiled into RPMS. By looking through the diff file posted in the previous guide I was able to produce a modified .spec file, which I have attached at the end of this article along with the final RPMS. Once we had the .spec file modified correctly I tried to compile the RPMs but came across a very obscure error, which was the result of the latest mpm-itk patch not being compatible with the version of Apache that comes with CentOS 5. To work around this I had to locate the older patch, which is not directly linked on the website. A bit of googling and guesswork later I had found the location of the older patch.
After these shenanigans the RPMS compiled and it was time to test them. I soon realised I had to make a change to my /etc/sysconfig/httpd file to use the mpm-itk binary, and edit httpd.conf to ensure it doesn't try to serve pages as the root user.
Anyway…here is the guide.
Standard disclaimer: myself and hostby.net take no responsibility for any damages, bad things or anything else that happens as the result of following this guide.
First we ensure we are NOT the root user. Building RPMS as root is a bad idea.
Once we are using a non-root user, we first need to set up our RPM build environment.
cd
wget http://www.oldrpm.org/hintskinks/buildtree/RPM-build-tree.txt
chmod 755 RPM-build-tree.txt
./RPM-build-tree.txt
Now create our own building area and download the CentOS 5 apache2 SRPM.
mkdir ~/build
mkdir ~/build/httpd-itk
cd ~/build/httpd-itk
wget http://isoredirect.centos.org/centos/5/os/SRPMS/httpd-2.2.3-11.el5_1.centos.3.src.rpm
At this point it's good to test that you can build the RPM normally before we apply any patches.
rpmbuild --rebuild httpd-2.2.3-11.el5_1.centos.3.src.rpm
If this fails you might have to “yum install” some additional packages. I’m assuming you managed to get this to work so we continue.
At this point we copy the rpm spec file for httpd to our own folder so we can customise it
cp ~/rpmbuild/SPECS/httpd.spec httpd-itk.spec
To save you some effort I’ve provided both a diff and the .spec file I used. Basically you change the file to apply an additional patch and compile an extra MPM.
cd ~/rpmbuild/SOURCES
wget http://mpm-itk.sesse.net/apache2.2-mpm-itk-20070425-00.patch
nano apache2.2-mpm-itk-20070425-00.patch
I had to make one tiny change to the patch to make it compile.
After this line (1878):
+#define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0)
insert this extra row:
+#define MPM_VALID_PID(p) (getpgid(p) == getpgrp())
Now we change back to our folder and use the spec file we modified (or the one I provided, httpd-itk.spec) and recompile the RPM.
cd ~/build/httpd-itk
rpmbuild -ba httpd-itk.spec
If all goes well this should compile with no errors. In the folder ~/rpmbuild/RPMS you should have a nice new set of RPMS which include mpm-itk. The only way to find out is of course to test it. Now we change to root
su
cd /home/userwebuildrpmsas/rpmbuild/RPMS
rpm -U httpd-2.2.3-11.itk.3.i386.rpm mod_ssl-2.2.3-11.itk.3.i386.rpm httpd-devel-2.2.3-11.itk.3.i386.rpm httpd-manual-2.2.3-11.itk.3.i386.rpm
Now check that mpm-itk has been installed.
httpd.itk -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
In order for the httpd service to use the MPM you need to make a few changes, as it's disabled by default. First of all edit httpd.conf and add the following lines.
# itk modules
AssignUserID apache apache
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
Then edit /etc/sysconfig/httpd and add this line
HTTPD=/usr/sbin/httpd.itk
Restart Apache and you should notice all the processes are httpd.itk now.
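A way to check the two files edited in the last steps, as an added example that is not part of the original post: the function reads httpd.conf and /etc/sysconfig/httpd, fails if the itk binary is not selected or an AssignUserID names root, and warns about virtual hosts without their own AssignUserID, which mpm-itk runs as the server's default user. The function name audit_itk and the FAIL/WARN output format are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original post): audit the two files edited above.
# audit_itk HTTPD_CONF SYSCONFIG prints FAIL/WARN findings and returns non-zero
# on any FAIL. It reads only the one config file given; Include'd files are
# not followed. Function name and output format are made up for this example.
audit_itk() (
    conf=$1
    sysconf=$2
    findings=$(
        # The init script keeps running prefork unless HTTPD points at httpd.itk.
        grep -Eq '^[[:space:]]*HTTPD=/usr/sbin/httpd\.itk[[:space:]]*$' "$sysconf" ||
            echo "FAIL sysconfig: HTTPD is not set to /usr/sbin/httpd.itk"
        awk '
            /^[ \t]*#/ { next }                       # skip comment lines
            { d = tolower($1) }                       # directive names are case-insensitive
            d ~ /^<virtualhost/ {
                inv = 1; user = group = ""; name = "vhost at line " NR; next
            }
            d == "servername" && inv { name = "vhost " $2 }
            d == "assignuserid" {
                if (inv) { user = $2; group = $3 }
                else if ($2 == "root" || $2 == "#0")  # "#0" is the numeric uid form
                    print "FAIL global: default AssignUserID is " $2
            }
            d ~ /^<\/virtualhost/ {
                if (user == "")
                    print "WARN " name ": no AssignUserID, runs as the server default"
                else if (user == "root" || user == "#0")
                    print "FAIL " name ": AssignUserID " user " " group
                inv = 0
            }
        ' "$conf"
    )
    [ -z "$findings" ] || printf '%s\n' "$findings"
    ! printf '%s\n' "$findings" | grep -q '^FAIL'
)

# Typical call on CentOS 5:
#   audit_itk /etc/httpd/conf/httpd.conf /etc/sysconfig/httpd
```

A WARN line marks a virtual host that still shares one uid with every other host lacking its own AssignUserID, so per-user isolation does not apply to it.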
Attachments
httpd-223-11itk3i386.rpm httpd-devel-223-11itk3i386.rpm httpd-manual-223-11itk3i386.rpm mod_ssl-223-11itk3i386.rpm httpd-itk.spec httpd.spec.diff
Tags: apache, centos, mpm-itk
This entry was posted on Saturday, July 12th, 2008 at 2:21 pm and is filed under Development.
16 Responses to “Centos 5 and mpm-itk”
-
Bill Bacher Says:
July 16th, 2008 at 2:12 pm
I used the patch file apache2.2-mpm-itk-20080105-00.patch and had to modify line 1127 from:
ap_get_server_description());
to:
ap_get_server_version());
in order to get the package to compile
-
Rob Pomeroy Says:
January 12th, 2009 at 12:43 pm
I *think* that after “wget http://isoredirect.centos.org/centos/5/os/SRPMS/httpd-2.2.3-11.el5_1.centos.3.src.rpm”, you also need “rpm -i httpd-2.2.3-11.el5_1.centos.3.src.rpm”.
Also the line “cd ~/build/httpd” should read “cd ~/build/httpd-itk”.
Great HowTo though – thanks!
-
Sascha Schieferdecker Says:
April 15th, 2009 at 10:41 am
If anyone is doing this with centos 5.3 use this diff for the spec:
10c10
Release: 22.itk
35a36,37
> # itk
> Patch10: apache2.2-mpm-itk-20080727-00.patch
92c94
web server. With mpm-itk support.
142a145
> %patch10 -p1 -b .itk
269a273,283
>
> mpmbuild itk \
> --enable-mods-shared=all \
> --enable-ssl --with-ssl --enable-distcache \
> --enable-proxy \
> --enable-cache --enable-mem-cache \
> --enable-file-cache --enable-disk-cache \
> --enable-ldap --enable-authnz-ldap \
> --enable-cgid \
> --enable-authn-anon --enable-authn-alias
>
271a286
>
285a301
> install -m 755 itk/httpd $RPM_BUILD_ROOT%{_sbindir}/httpd.itk
-
Sascha Schieferdecker Says:
April 15th, 2009 at 10:43 am
Oops, the comment function filtered some chars. Ignore above post.
-
hostby.net Says:
April 15th, 2009 at 1:30 pm
I’ve edited your comment and put in [code] tags. If it's still not correct, repost, but enclose your code/patch file with [code] [/code] and I can delete the old comment.
-
Sascha Schieferdecker Says:
April 15th, 2009 at 2:41 pm
Here is the correct diff for Centos 5.3:
[code]
10c10
Release: 22.itk
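Review bot: The change hunks 10c10 and 92c94 carry only the bare new text ("Release: 22.itk", "web server. With mpm-itk support.") with no "<" old line, no "---" separator and no ">" prefix, so patch will reject this diff as posted; the append hunks (35a36,37, 142a145, 269a273,283, 271a286, 285a301) still have their ">" lines. Make the two changed lines by hand in the spec, or take the diff from the itk_diff.txt link given in the follow-up comment.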
35a36,37
> # itk
> Patch10: apache2.2-mpm-itk-20080727-00.patch
92c94
web server. With mpm-itk support.
142a145
> %patch10 -p1 -b .itk
269a273,283
>
> mpmbuild itk \
> --enable-mods-shared=all \
> --enable-ssl --with-ssl --enable-distcache \
> --enable-proxy \
> --enable-cache --enable-mem-cache \
> --enable-file-cache --enable-disk-cache \
> --enable-ldap --enable-authnz-ldap \
> --enable-cgid \
> --enable-authn-anon --enable-authn-alias
>
271a286
>
285a301
> install -m 755 itk/httpd $RPM_BUILD_ROOT%{_sbindir}/httpd.itk
[/code]
-
Sascha Schieferdecker Says:
April 15th, 2009 at 2:44 pm
I am sorry, this still does not work, but I have posted the diff here:
http://www.sascha-schieferdecker.de/centos/itk_diff.txt
-
Sascha Schieferdecker Says:
November 3rd, 2009 at 11:32 am
Latest ITK-Patch, Diff and compiled X86_64 RPMs for Centos 5.4 are here:
http://www.sascha-schieferdecker.de/centos/httpd-itk.centos5.4.zip
-
Lars Says:
November 5th, 2009 at 3:38 pm
Was right on patching httpd in Centos 5.4way and found your link.
It seems that there’s something wrong with the zip file. Could you repackage it?
Thanks
-
Sascha Schieferdecker Says:
November 17th, 2009 at 7:40 am
Hi there,
the files above are repackaged and I have also included RPMs for 5.3 here:
http://www.sascha-schieferdecker.de/centos/httpd-itk.centos5.3.zip
-
Sascha Schieferdecker Says:
November 17th, 2009 at 7:49 am
I will continue to publish RPMs with MPM-ITK here, as we use these packages in a production environment, so I need to build up-to-date RPMs anyway…
-
izghitu Says:
November 21st, 2009 at 6:37 pm
Hi,
Sascha, when I try to build the itk rpms using your httpd-itk.spec I get the following error:
/usr/lib/apr-1/build/libtool --silent --mode=link gcc -pthread -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fno-strict-aliasing -Wl,-z,relro -o mod_rewrite.la -rpath /usr/lib/httpd/modules -module -avoid-version mod_rewrite.lo
make[4]: Leaving directory `/root/rpmbuild/BUILD/httpd-2.2.3/itk/modules/mappers'
make[3]: Leaving directory `/root/rpmbuild/BUILD/httpd-2.2.3/itk/modules/mappers'
make[2]: Leaving directory `/root/rpmbuild/BUILD/httpd-2.2.3/itk/modules'
make[2]: Entering directory `/root/rpmbuild/BUILD/httpd-2.2.3/itk/support'
make[2]: Leaving directory `/root/rpmbuild/BUILD/httpd-2.2.3/itk/support'
make[1]: Leaving directory `/root/rpmbuild/BUILD/httpd-2.2.3/itk'
make: *** [all-recursive] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.3422 (%build)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.3422 (%build)
The last lines of /var/tmp/rpm-tmp.3422 are:
[root@srv3 httpd-itk]# tail /var/tmp/rpm-tmp.3422
--enable-ldap --enable-authnz-ldap \
--enable-cgid \
--enable-authn-anon --enable-authn-alias
# For the other MPMs, just build httpd and no optional modules
mpmbuild worker --enable-modules=none
mpmbuild event --enable-modules=none
exit 0
Unfortunately I have CentOS 5.4 32bit and I can’t use your RPMs.
Any ideas?
Please advise
-
izghitu Says:
November 21st, 2009 at 7:09 pm
Hi,
Actually I found the answer for this problem here:
http://lists.err.no/pipermail/mpm-itk/2008-July/000063.html
Thanks
-
Nikolay Ulyanitsky Says:
May 1st, 2010 at 12:31 pm
Increase Apache Vhost Security With mpm-itk In RHEL/CentOS 5
-
Sascha Schieferdecker Says:
July 23rd, 2010 at 9:09 am
There is a repo which has CentOS RPMS:
http://www.webtatic.com/blog/2010/04/mpm-itk-on-centos/