Geoff Millikan
asked on
Apache bloated with unnecessary underlying processes, consuming excessive RAM
Per below, why is libldap-2.3.so.0.2.31 showing up in my Apache processes when there's no LDAP module being called out by either httpd.conf (or any other *.conf files) or the php.ini files?
Now Apache does load PHP and in my PHP compiled settings I show '--with-ldap=shared' (see below). However I believe when the module is "shared" it means I have to explicitly load the module, meaning that something like "extension=/usr/lib64/php/modules/ldap.so" would need to be in my php.ini file (but there is no such entry).
[root@www /]# ps 31673
PID TTY STAT TIME COMMAND
31673 ? S 0:00 /usr/sbin/httpd
[root@www /]# pmap -d 31673 | grep ldap
00002b362d5b0000 224 r-x-- 0000000000000000 0fd:00000 libldap-2.3.so.0.2.31
00002b362d5e8000 2048 ----- 0000000000038000 0fd:00000 libldap-2.3.so.0.2.31
00002b362d7e8000 8 rw--- 0000000000038000 0fd:00000 libldap-2.3.so.0.2.31
[root@www /]#
[root@www /]# php -i | more
phpinfo()
PHP Version => 5.1.6
System => Linux www.t1shopper.com 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:52:25 EST 2011 x86_64
Build Date => Nov 29 2010 16:41:38
Configure Command => './configure' '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '
--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--cache-file
=../config.cache' '--with-libdir=lib64' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--disable-debug' '--with-pic' '--disable-rpath' '--without-pear' '--with-bz2' '--with-curl' '--with-exec-dir=/usr/bin' '--wit
h-freetype-dir=/usr' '--with-png-dir=/usr' '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-png' '--with-pspell' '--with-expat-dir=/usr' '--with-pcre-re
gex=/usr' '--with-zlib' '--with-layout=GNU' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-track-vars' '--enable-trans-sid' '--enable-yp' '--ena
ble-wddx' '--with-kerberos' '--enable-ucd-snmp-hack' '--with-unixODBC=shared,/usr' '--enable-memory-limit' '--enable-shmop' '--enable-calendar' '--enable-dbx' '--enable-dio' '--with-mime-magic=/usr/share/file/magic.mime' '--without-sqlite
' '--with-libxml-dir=/usr' '--with-xml' '--with-system-tzdata' '--enable-force-cgi-redirect' '--enable-pcntl' '--with-imap=shared' '--with-imap-ssl' '--enable-mbstring=shared' '--enable-mbstr-enc-trans' '--enable-mbregex' '--with-ncurses=
shared' '--with-gd=shared' '--enable-bcmath=shared' '--enable-dba=shared' '--with-db4=/usr' '--with-xmlrpc=shared' '--with-ldap=shared' '--with-ldap-sasl' '--with-mysql=shared,/usr' '--with-mysqli=shared,/usr/lib64/mysql/mysql_config' '--
enable-dom=shared' '--with-dom-xslt=/usr' '--with-dom-exslt=/usr' '--with-pgsql=shared' '--with-snmp=shared,/usr' '--enable-soap=shared' '--with-xsl=shared,/usr' '--enable-xmlreader=shared' '--enable-xmlwriter=shared' '--enable-fastcgi' '
--enable-pdo=shared' '--with-pdo-odbc=shared,unixODBC,/usr' '--with-pdo-mysql=shared,/usr/lib64/mysql/mysql_config' '--with-pdo-pgsql=shared,/usr' '--with-pdo-sqlite=shared,/usr' '--enable-dbase=shared'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /etc/php.ini
Scan this dir for additional .ini files => /etc/php.d
additional .ini files parsed => /etc/php.d/bcmath.ini,
/etc/php.d/dom.ini,
/etc/php.d/mysql.ini,
/etc/php.d/soap.ini
...
ASKER
I hear you saying that it's nothing to worry about but we run 100+ Apache threads. Each thread has the 2kB bloat. And of course this isn't the only shared library that Apache is linking that isn't in use at all.
I was loading some default PHP modules (like dbase.so) into PHP and until using pmap, I had no idea that because PHP is loading up dbase.so, Apache loads it up too! By commenting out these extra PHP modules, we were able to take the average Apache thread writeable/private memory size down from 7000K to 5736K. When running as many threads as we are, this really adds up.
So can you convince me again that I shouldn't try to remove the LDAP? I'd love to free up some more precious RAM. :-)
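The per-library view of `pmap -d` output used in this thread can be computed with a small shell function; this is an added example, not part of any post here. It assumes the procps `pmap -d` column layout shown in the question; the function names are made up, and the sample input is constructed around the three libldap rows from the question.

```shell
#!/bin/sh
# Added example: per-mapping totals from `pmap -d <pid>` output.
# Columns, as in the question: Address Kbytes Mode Offset Device Mapping
# Output (tab-separated): mapping, total KB, writeable/private KB.

pmap_by_mapping() {
    awk '
        # Keep only mapping rows: hex address, numeric size, 5-char mode.
        $1 ~ /^[0-9a-f]+$/ && $2 ~ /^[0-9]+$/ && length($3) == 5 {
            name = $6
            for (i = 7; i <= NF; i++) name = name " " $i   # "[ anon ]"
            total[name] += $2
            # Writeable and not shared: what pmap sums as writeable/private.
            if (substr($3, 2, 1) == "w" && substr($3, 4, 1) != "s") {
                priv[name] += $2
            }
        }
        END {
            for (n in total) printf "%s\t%d\t%d\n", n, total[n], priv[n]
        }
    ' | sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# Constructed sample: the three libldap rows come from the question;
# the header, httpd, anon and summary rows are made up for illustration.
sample_pmap() {
    cat <<'EOF'
31673:   /usr/sbin/httpd
Address           Kbytes Mode  Offset           Device    Mapping
00002b362c000000     312 r-x-- 0000000000000000 0fd:00000 httpd
00002b362c24e000      16 rw--- 000000000004e000 0fd:00000 httpd
00002b362c252000    1024 rw--- 0000000000000000 000:00000   [ anon ]
00002b362d5b0000     224 r-x-- 0000000000000000 0fd:00000 libldap-2.3.so.0.2.31
00002b362d5e8000    2048 ----- 0000000000038000 0fd:00000 libldap-2.3.so.0.2.31
00002b362d7e8000       8 rw--- 0000000000038000 0fd:00000 libldap-2.3.so.0.2.31
mapped: 3632K    writeable/private: 1048K    shared: 0K
EOF
}

# Live use would be: pmap -d "$pid" | pmap_by_mapping
sample_pmap | pmap_by_mapping
```

For the libldap rows from the question this reports 2280 KB mapped but only 8 KB writeable/private; the 2048 KB row has mode `-----` and is not counted as writeable.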
ASKER
Maybe PHP loads LDAP extension? PHP was compiled with the '--with-ldap=shared' flag. Does this compile setting mean it's always going to load the /usr/lib64/php/modules/lda
I could only recommend using worker MPM instead of prefork to have one apache process per 200 connections instead of 1:1
ASKER
I've read worker MPM isn't very thread safe so we've stayed away from it, but lots of people seem to recommend it so I'm surprised. Also, the RPM binaries from CentOS and RHEL don't offer the worker MPM and we really like getting the security patches via yum instead of having to recompile if there's a security update.
http://serverfault.com/questions/97969/how-to-install-mpm-worker-on-centos-5-3
Please complement your "I've read" with a repeatable bug report, preferably to Apache team.
Can you compile PHP with --without-LDAP?
ASKER
gheist: I see your point but there seems to be no bug report, just official documentation that seems to advise against using the Worker MPM with PHP. Per link below, "If you feel you have to use a threaded MPM, look at a FastCGI configuration where PHP is running in its own memory space."
http://www.php.net/manual/en/faq.installation.php#faq.installation.apache2
duncan_roe: Yes. But are you sure that would fix our issue? (If it did this though, it would be a pain because we really like getting the security patches via yum instead of having to recompile if there's a security update.)
It would be awesome though if someone knew if when PHP is compiled with the '--with-ldap=shared' flag it means the /usr/lib64/php/modules/ldap.so module is always going to be loaded?
ASKER
Sorry guys, this is taking a bit more time to research, hold please..
php 5.1 is NO LONGER MAINTAINED...
ASKER
duncan_roe: Holy cow, thanks for all the detail! I thought I was good at Apache but I can see I'm not as cool as I thought I was. But to your questions/feedback:
..the .so files do not have the execute bit set. Is that the case on your system also?
Mine are set to execute, 0755. Note that I'm probably using the 64 bit versions.
[root@www /]# cd /usr/lib
[root@www lib]# ls -Fl *ldap*
lrwxrwxrwx 1 root root 21 Jan 3 18:30 libldap-2.3.so.0 -> libldap-2.3.so.0.2.31*
-rwxr-xr-x 1 root root 238576 Nov 29 08:50 libldap-2.3.so.0.2.31*
lrwxrwxrwx 1 root root 23 Jan 3 18:30 libldap_r-2.3.so.0 -> libldap_r-2.3.so.0.2.31*
-rwxr-xr-x 1 root root 255796 Nov 29 08:50 libldap_r-2.3.so.0.2.31*
lrwxrwxrwx 1 root root 26 Aug 22 2010 libnss_ldap.so -> ../../lib/libnss_ldap.so.2*
[root@www lib]# cd /usr/lib64
[root@www lib64]# ls -Fl *ldap*
lrwxrwxrwx 1 root root 21 Jan 3 18:30 libldap-2.3.so.0 -> libldap-2.3.so.0.2.31*
-rwxr-xr-x 1 root root 241392 Nov 29 08:50 libldap-2.3.so.0.2.31*
-rwxr-xr-x 1 root root 220136 Dec 11 2007 libldap60.so*
lrwxrwxrwx 1 root root 23 Jan 3 18:30 libldap_r-2.3.so.0 -> libldap_r-2.3.so.0.2.31*
-rwxr-xr-x 1 root root 257520 Nov 29 08:50 libldap_r-2.3.so.0.2.31*
lrwxrwxrwx 1 root root 28 Aug 22 2010 libnss_ldap.so -> ../../lib64/libnss_ldap.so.2*
-rwxr-xr-x 1 root root 20560 Dec 11 2007 libprldap60.so*
-rwxr-xr-x 1 root root 49024 Dec 11 2007 libssldap60.so*
...omitting libldap.so might save you more than you expected.
That would be nice!
...that's the price you pay for nonstandard fine-tuning.
True. And rats. But that doesn't mean we have to like it. ;-)
But rather than go to all that trouble, why not buy more RAM?
Great question. Because this is an "older" server (like 3 years old), getting sticks of 4GB registered server RAM runs about $1000 USD per stick. So it's cheaper to get a new box, and that's not something we want to do now. Rather than having to watch the security releases and recompile every time, we'll probably just stick with it as it is.
gheist: php 5.1 is NO LONGER MAINTAINED
Did you bring this up because you're concerned for our security? Thank you! Correct me if I'm wrong here but since PHP 5.1 is the version shipping with RHEL5 (and CentOS 5) it's receiving back ported security patches via RedHat per link here.
Have we answered the question in the OP? Yes. gheist said, --with-ldap compiles in ldap support. I tested this by looking at other "--with-service" compiled-in modules and almost all of them (like XML and gmp) that are in the PHP compile settings are also showing up in the Apache process.
Really appreciate all the help here. Many thanks.
Maybe PHP loads LDAP extension?
I would not call 2kB import a bloat....