
# chown mysql:mysql /site-data0/data

And make sure it starts:

# svcadm -v enable mysql

At this point we're ready to set up the content management system, Drupal.


Additional tips for MySQL on Solaris:


Monday Mar 05, 2007

 

The new Solaris AMP stack, a.k.a. CoolStack 1.1, is here. And not a moment too soon, as I sit down to build another server for the Open Architecture Network. This is server #2, which will provide the n+1 scaling and redundancy necessary to keep the OAN up and functional in the face of any one component failure and through a good slash-dotting.

Of all the goodies in this new release, it was the GD library that we needed in particular. It is also nice to see suhosin from the hardened-php project included in this release. Here's a quick breakdown of version differences between CoolStack 1.0 and 1.1:


              CoolStack 1.0.2   CoolStack 1.1
Apache        2.0.58            2.2.3
PHP           5.1.4             5.2.0
MySQL         5.0.22            5.0.33
install dir   /usr/local        /opt/coolstack

Convert CoolStack Apache to SMF 

First, I notice that the services in CoolStack are not integrated with SMF. We need Apache to run under SMF so its privileges can be easily limited. I convert it to SMF, and prepare it for limited privileges by creating a service manifest and service method based on the original Apache service shipped with Solaris 10.

# cp /lib/svc/method/http-apache2 \
/lib/svc/method/http-CSKapache2
# cp /var/svc/manifest/network/http-apache2.xml \
/var/svc/manifest/network/http-CSKapache2.xml

In /lib/svc/method/http-CSKapache2 change

 
    APACHE_HOME=/usr/apache2
    CONF_FILE=/etc/apache2/httpd.conf
    PIDFILE=/var/run/apache2/httpd.pid

    /bin/mkdir -p /var/run/apache2

to

    APACHE_HOME=/opt/coolstack/apache2
    CONF_FILE=/opt/coolstack/apache2/conf/httpd.conf
    PIDFILE=/var/apache2/run/httpd.pid

    /bin/mkdir -p /var/apache2/run

In /var/svc/manifest/network/http-CSKapache2.xml change

    <service_bundle type='manifest' name='SUNWapch2r:apache'>

    <instance name='apache2' enabled='false'>

    manpath='/usr/apache2/man' />

to

    <service_bundle type='manifest' name='CSKapch2r:apache'>

    <instance name='CSKapache2' enabled='false'>

    manpath='/opt/coolstack/apache2/man' />

Then import the service:
# svccfg -v import /var/svc/manifest/network/http-CSKapache2.xml

Minimize Apache's Service Privileges

Next, we configure the new service to run with minimal privileges following the example in 
Glenn's Limiting Service Privileges BluePrint. After the procedure the CSKapache2 privileges
should look like this:
# svcprop -v -p start CSKapache2
start/timeout_seconds count 60
start/type astring method
start/exec astring /lib/svc/method/http-CSKapache2\ start
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
start/use_profile boolean false
start/supp_groups astring :default
start/working_directory astring :default
start/project astring :default
start/resource_pool astring :default
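
One way to check the result of the procedure, as an added example that is not part of the original post: the `audit_start_props` function (a hypothetical name) reads `svcprop -p start` output on standard input and fails if the service still runs as root or holds privileges beyond the set shown above. The second sample listing is constructed.

```shell
#!/bin/sh
# Added example: audit `svcprop -p start <service>` output (on stdin)
# against the least-privilege method context shown above.
audit_start_props() {
    awk '
        $1 == "start/user"        { user = $3 }
        $1 == "start/privileges"  { privs = $3 }
        $1 == "start/use_profile" { profile = $3 }
        END {
            bad = 0
            if (user == "" || user == "root" || user == ":default") {
                print "FAIL start/user: " (user == "" ? "unset" : user); bad = 1
            }
            if (profile == "true") {
                # with use_profile the explicit user/privileges are not used
                print "FAIL start/use_profile: true"; bad = 1
            }
            if (privs == "" || privs == ":default") {
                print "FAIL start/privileges: not restricted"; bad = 1
            }
            n = split(privs, p, ",")
            for (i = 1; i <= n; i++) {
                # allowed: the basic set, removals (!name), and net_privaddr
                # (needed to bind port 80 without root)
                if (p[i] == "basic" || p[i] ~ /^!/ || p[i] == "net_privaddr") { continue }
                if (p[i] != ":default") {
                    print "FAIL start/privileges: unexpected " p[i]; bad = 1
                }
            }
            if (!bad) print "OK"
            exit bad
        }'
}

# Property lines copied from the svcprop output above.
MINIMIZED='start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/use_profile boolean false'

# Constructed counter-example: a service still running with full privileges.
UNRESTRICTED='start/user astring root
start/privileges astring all
start/use_profile boolean false'

printf '%s\n' "$MINIMIZED" | audit_start_props
printf '%s\n' "$UNRESTRICTED" | audit_start_props || true
```

On a live system the input would come from `svcprop -p start CSKapache2` piped into the function.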

Note that the changes to the PidFile and LockFile directives specified in this minimization procedure will be overridden by the Server-pool management configuration that is loaded by

    Include conf/extra/httpd-mpm.conf

unless the corresponding directives are commented out of /opt/coolstack/apache2/conf/extra/httpd-mpm.conf.
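
The override described above, as an added example that is not part of the original post: the script walks a constructed copy of the configuration in load order and reports which PidFile and LockFile values end up in effect, before and after the directives in httpd-mpm.conf are commented out. The function names, the LockFile path and the sample file contents are assumptions.

```shell
# Added example: work out which PidFile/LockFile value is in effect once
# "Include conf/extra/httpd-mpm.conf" is read (the last value read wins).
# walk_conf prints each active value of DIRECTIVE (lower case) in load order,
# following Include lines with plain paths. <IfModule> is not evaluated.
walk_conf() {   # walk_conf ROOT FILE DIRECTIVE
    while read -r key val rest; do
        val=$(printf '%s' "$val" | tr -d '"')
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            include)
                case $val in
                    /*) walk_conf "$1" "$val" "$3" ;;
                    *)  walk_conf "$1" "$1/$val" "$3" ;;
                esac ;;
            "$3") printf '%s\n' "$val" ;;
        esac
    done < "$2"
}

effective_value() {   # effective_value ROOT DIRECTIVE
    walk_conf "$1" "$1/conf/httpd.conf" "$2" | tail -n 1
}

# Constructed sample tree standing in for /opt/coolstack/apache2.
make_sample_root() {
    root=$(mktemp -d) && mkdir -p "$root/conf/extra" || return 1
    cat > "$root/conf/httpd.conf" <<'EOF'
PidFile /var/apache2/run/httpd.pid
LockFile /var/apache2/run/accept.lock
Include conf/extra/httpd-mpm.conf
EOF
    cat > "$root/conf/extra/httpd-mpm.conf" <<'EOF'
<IfModule !mpm_netware_module>
    PidFile "logs/httpd.pid"
</IfModule>
LockFile "logs/accept.lock"
EOF
    printf '%s\n' "$root"
}

# Comment out the overriding directives in the included file.
comment_out_overrides() {
    sed -e 's/^[[:space:]]*PidFile/#&/' -e 's/^[[:space:]]*LockFile/#&/' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

demo=$(make_sample_root)
echo "before: $(effective_value "$demo" pidfile)"
comment_out_overrides "$demo/conf/extra/httpd-mpm.conf"
echo "after:  $(effective_value "$demo" pidfile)"; rm -rf "$demo"
```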

Increase Semaphores for PHP 

By default the php5_module is loaded in the CoolStack 1.1 Apache. I observed that PHP was causing the maximum number of semaphores to be exceeded, so I created a project httpd.php to bump the max from 128 up to 256:

# projadd -c "Apache-PHP" -U webservd httpd.php
# projmod -sK "project.max-sem-ids=(privileged,256,deny)" httpd.php

then added the project to the service configuration:

# svccfg -s http:CSKapache2 setprop start/project = astring: httpd.php

Enable suhosin

Because the site is expected to receive lots of publicity, and it will not have a 24x7 SWAT team ready to jump in and thwart the bad guys, we want it to be as hardened to attacks as possible. Suhosin gets us a long way toward that goal. Since it's already built for us in CoolStack, we just need to enable it by uncommenting extension="suhosin.so" in /opt/coolstack/php5/lib/php.ini.


Now we're ready to set up the CoolStack 1.1 MySQL ...



Additional SMF resources:

 

Thursday Mar 01, 2007

"I feel like we're embarking on a very interesting social experiment ...learning about the social behaviors of architects... How does this strange black turtleneck wearing species interact when they are not at a cocktail party?"
- Kate Stohr, Co-founder of Architecture for Humanity.

This was the reply I received from Kate after sharing a post on tips for fostering a community online. The post couldn't be more relevant to her and the rest of Architecture for Humanity as they approach the launch of the Open Architecture Network (OAN), which will coincide with this year's TED conference. Lessons from the social networking front line are pouring in, and I expect the OAN will begin its contribution of do's and don'ts, how-to's, and testimonies to the power of the network soon.

Anyone who has launched an online social network will tell you that the experience is, indeed, a very interesting social experiment. Some of the most compelling communities have taken shape with minimal intervention and control from their founders, yet the founders' vision and values manage to persist through the community's evolution by virtue of their participation. The social networking movement puts Metcalfe's law squarely back in good standing as a reasonable measure of the value of the network, which the law says is proportional to the square of the number of users. In fact, it may be time to revise the formula as we see true benefit reach well beyond the network itself, to those who have never touched a computer. And the Open Architecture Network is poised to be one of those networks whose beneficiaries may have never before been touched by the network effect.

If you give a damn, listen to the Treehugger interview with Architecture for Humanity's other co-founder, Cameron Sinclair. And watch this space for breaking news about the new Open Architecture Network.

This blog copyright 2009 by downstream
