OAN Set Up - Just In Time CoolStack Part 1: Apache
The new Solaris AMP stack, a.k.a. CoolStack 1.1, is here. And not a moment too soon, as I sit down to build another server for the Open Architecture Network. This is server #2, which will provide the n+1 scaling and redundancy necessary to keep the OAN up and functional in the face of any single component failure and through a good Slashdotting.
Of all the goodies in this new release, it was the GD library that we needed in particular. It is also nice to see suhosin from the hardened-php project included in this release. Here's a quick breakdown of version differences between CoolStack 1.0 and 1.1:
| | CoolStack 1.0.2 | CoolStack 1.1 |
| --- | --- | --- |
| Apache | 2.0.58 | 2.2.3 |
| PHP | 5.1.4 | 5.2.0 |
| MySQL | 5.0.22 | 5.0.33 |
| install dir | /usr/local | /opt/coolstack |
Convert CoolStack Apache to SMF
First, I notice that the services in CoolStack are not integrated with SMF. We need Apache to run under SMF so its privileges can be easily limited. I convert it to SMF, and prepare it for limited privileges, by creating a service manifest and service method based on the original Apache service shipped with Solaris 10.
# cp /lib/svc/method/http-apache2 \
/lib/svc/method/http-CSKapache2
# cp /var/svc/manifest/network/http-apache2.xml \
/var/svc/manifest/network/http-CSKapache2.xml
In /lib/svc/method/http-CSKapache2 change
11 APACHE_HOME=/usr/apache2
12 CONF_FILE=/etc/apache2/httpd.conf
13 PIDFILE=/var/run/apache2/httpd.pid
20 /bin/mkdir -p /var/run/apache2
to
11 APACHE_HOME=/opt/coolstack/apache2
12 CONF_FILE=/opt/coolstack/apache2/conf/httpd.conf
13 PIDFILE=/var/apache2/run/httpd.pid
20 /bin/mkdir -p /var/apache2/run
In /var/svc/manifest/network/http-CSKapache2.xml change
10 <service_bundle type='manifest' name='SUNWapch2r:apache'>
23 <instance name='apache2' enabled='false'>
100 manpath='/usr/apache2/man' />
to
10 <service_bundle type='manifest' name='CSKapch2r:apache'>
23 <instance name='CSKapache2' enabled='false'>
100 manpath='/opt/coolstack/apache2/man' />
Then import the service:
# svccfg -v import /var/svc/manifest/network/http-CSKapache2.xml
Minimize Apache's Service Privileges
Next, we configure the new service to run with minimal privileges following the example in Glenn's Limiting Service Privileges BluePrint. After the procedure the CSKapache2 privileges should look like this:
# svcprop -v -p start CSKapache2
start/timeout_seconds count 60
start/type astring method
start/exec astring /lib/svc/method/http-CSKapache2\ start
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
start/use_profile boolean false
start/supp_groups astring :default
start/working_directory astring :default
start/project astring :default
start/resource_pool astring :default
Note that the PidFile and LockFile directives set during this minimization procedure will be overridden by the server-pool management configuration that httpd.conf loads with
474 Include conf/extra/httpd-mpm.conf
unless the corresponding directives are commented out of /opt/coolstack/apache2/conf/extra/httpd-mpm.conf.
Increase Semaphores for PHP
By default the php5_module is loaded in the CoolStack 1.1 Apache. I observed that PHP was causing the maximum number of semaphore IDs (project.max-sem-ids) to be exceeded, so I created a project httpd.php to bump the max from 128 up to 256:
# projadd -c "Apache-PHP" -U webservd httpd.php
# projmod -sK "project.max-sem-ids=(privileged,256,deny)" httpd.php
then added the project to the service configuration:
# svccfg -s http:CSKapache2 setprop start/project = astring: httpd.php
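The whole conversion above (copying the method and manifest, rewriting the paths and names, importing the service, setting the reduced start method context, attaching the httpd.php project, and checking httpd-mpm.conf for the PidFile/LockFile override) can be scripted. The script below is an added example written for this post, not code from the original post or from CoolStack. The paths, names and property values come from the text; the svccfg setprop commands are my assumption of how the BluePrint procedure produces the svcprop listing shown above, and the chmod, svcadm refresh and command-exists guard are additions. The rewrite and verify functions run on any POSIX shell; the svccfg/projadd steps only run where those tools exist.

```shell
#!/bin/sh
# Added example for this post: convert CoolStack Apache to SMF with a reduced
# method context. Paths and values are from the post; the setprop commands and
# the refresh/chmod/guard steps are assumptions, not the post's own text.
set -e

CSK=/opt/coolstack
METHOD_SRC=/lib/svc/method/http-apache2
METHOD_DST=/lib/svc/method/http-CSKapache2
MANIFEST_SRC=/var/svc/manifest/network/http-apache2.xml
MANIFEST_DST=/var/svc/manifest/network/http-CSKapache2.xml
FMRI=svc:/network/http:CSKapache2

# Rewrite the stock method script (stdin -> stdout) for CoolStack's layout.
convert_method() {
    sed -e "s|^APACHE_HOME=/usr/apache2|APACHE_HOME=$CSK/apache2|" \
        -e "s|^CONF_FILE=/etc/apache2/httpd.conf|CONF_FILE=$CSK/apache2/conf/httpd.conf|" \
        -e 's|^PIDFILE=/var/run/apache2/httpd.pid|PIDFILE=/var/apache2/run/httpd.pid|' \
        -e 's|/bin/mkdir -p /var/run/apache2|/bin/mkdir -p /var/apache2/run|'
}

# Rewrite the stock manifest (stdin -> stdout): bundle name, instance name, manpath.
convert_manifest() {
    sed -e "s|name='SUNWapch2r:apache'|name='CSKapch2r:apache'|" \
        -e "s|<instance name='apache2'|<instance name='CSKapache2'|" \
        -e "s|manpath='/usr/apache2/man'|manpath='$CSK/apache2/man'|"
}

# Return 0 when every expected CoolStack value appears in a converted method script.
verify_method() {
    grep -q "^APACHE_HOME=$CSK/apache2" "$1" &&
    grep -q "^CONF_FILE=$CSK/apache2/conf/httpd.conf" "$1" &&
    grep -q '^PIDFILE=/var/apache2/run/httpd.pid' "$1" &&
    grep -q '/bin/mkdir -p /var/apache2/run' "$1"
}

# Return 0 when a converted manifest carries the new names and no stale
# SUNW/usr/apache2 references (a stale reference means an edit was missed).
verify_manifest() {
    grep -q "name='CSKapch2r:apache'" "$1" &&
    grep -q "<instance name='CSKapache2'" "$1" &&
    grep -q "manpath='$CSK/apache2/man'" "$1" &&
    ! grep -Eq 'SUNWapch2r|/usr/apache2' "$1"
}

# Return 1 (with a warning) when httpd-mpm.conf still has an active PidFile or
# LockFile directive; httpd.conf includes that file, so it would override the
# values set by the privilege-minimisation procedure.
check_mpm_override() {
    if grep -Eq '^[[:space:]]*(PidFile|LockFile)' "$1"; then
        echo "warning: $1 sets PidFile/LockFile; comment them out or they override httpd.conf" >&2
        return 1
    fi
    return 0
}

# Solaris-only: write the converted files, import the service, set the reduced
# method context and the semaphore project, then refresh so SMF picks them up.
install_service() {
    convert_method   < "$METHOD_SRC"   > "$METHOD_DST"
    convert_manifest < "$MANIFEST_SRC" > "$MANIFEST_DST"
    chmod 555 "$METHOD_DST"          # redirection creates the file 644; methods are 555
    verify_method "$METHOD_DST"
    verify_manifest "$MANIFEST_DST"
    svccfg -v import "$MANIFEST_DST"
    svccfg -s "$FMRI" setprop start/user = astring: webservd
    svccfg -s "$FMRI" setprop start/group = astring: webservd
    svccfg -s "$FMRI" setprop start/privileges = \
        astring: 'basic,!proc_session,!proc_info,!file_link_any,net_privaddr'
    svccfg -s "$FMRI" setprop start/limit_privileges = astring: :default
    projadd -c "Apache-PHP" -U webservd httpd.php
    projmod -sK "project.max-sem-ids=(privileged,256,deny)" httpd.php
    svccfg -s "$FMRI" setprop start/project = astring: httpd.php
    svcadm refresh "$FMRI"           # setprop edits the repository; refresh applies them
    svcprop -v -p start "$FMRI"
    check_mpm_override "$CSK/apache2/conf/extra/httpd-mpm.conf" || true
}

if command -v svccfg >/dev/null 2>&1; then
    install_service
else
    echo "svccfg not found: only the conversion and check helpers are usable here" >&2
fi
```

The conversion is expressed as sed substitutions keyed on the directive names rather than on line numbers, so it still applies if a patch shifts the stock files; verify_manifest deliberately fails on any leftover /usr/apache2 reference so a missed edit is caught before the import.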
Enable suhosin
Because the site is expected to receive lots of publicity, and it will not have a 24x7 SWAT team ready to jump in and thwart the bad guys, we want it to be as hardened to attacks as possible. Suhosin gets us a long way toward that goal. Since it's already built for us in CoolStack, we just need to enable it by uncommenting extension="suhosin.so" in /opt/coolstack/php5/lib/php.ini
Now we're ready to set up the CoolStack 1.1 MySQL ...
Additional SMF resources:
- BigAdmin: developing services to run within SMF
- OpenSolaris SMF Community
- SMF BluePrint
- Converted Services: Manifests and Methods on OpenSolaris.org

Posted by gb on March 24, 2007 at 04:48 PM PDT #