Keep having problems with PHP session files (APC, suEXEC ProcessGroup)

[bloom360]

Hello,

I have started fiddling with LS and so far looks very promising.

We are running a cPanel server (CentOS) with DSO/mod_ruid2 as the PHP Handler + APC opcode cache.

Now, when I run LS with suEXEC Daemon and "User Home Directory Only" everything works fine, except APC. It does not cache anything (I believe this is the expected behavior in this scenario so no panic just yet)

However, when we switch to ProcessGroup and PHP suEXEC to "No", APC works beautifully but we get permission errors like this:

Warning: session_start(): open(/tmp/sess_123xx, O_RDWR) failed: Permission denied (13)

I understand that enabling suEXEC will fix this, but will stop APC. What can I do then? There surely must be a way to run APC under ProcessGroup without breaking all websites?

Many thanks.

 

[mistwang]

APC should work fine with ProcessGroup mode. Please check error_log and stderr.log for APC related errors.
If you use cageFS, make sure the user's Cage has been updated to get all changes at server level.
It should work with suEXEC Daemon mode as well, just all user shares the same APC cache, which is not good. I think you have the same issue with DSO/mod_ruid2 setup as well.

 

[bloom360]

Hi @mistwang thanks for the quick reply.

I think I may not have explained myself properly. My query is not about making APC work. My problem is we are getting these errors when switching to ProcessGroup mode:

Warning: session_start(): open(/tmp/sess_123xx, O_RDWR) failed: Permission denied (13)

In another thread in this forum it has been suggested to enable suEXEC in order to solve this problem. However, that solution will not work since that would disable APC.

But, again, my problem is not APC per se, but rather, the error message mentioned above.

 

[NiteWave]

>when we switch to ProcessGroup and PHP suEXEC to "No"
even in ProcessGroup mode, should set PHP suEXEC to "Yes"

document:
http://www.litespeedtech.com/products/litespeed-sapi/php/suexec-processgroup
but maybe it's better to mention set PHP suEXEC to "Yes" here

this wiki page
http://www.litespeedtech.com/suppor...litespeed_wiki:php:which_php_setup_am_i_using
is more clear about suExec or non-suExec settings. since ProcessGroup is one of suExec mode,

when such error occur again, please check its ownership:
#ls -al /tmp/sess_123xx
it should be user:user, not nobody:nobody(or apache:apache)

 

[bloom360]

Hi,

Sorry for insisting but still can't get this to work. With suEXEC on or "Home Directory Only", APC doesn't work.

With suEXEC off, we still get the file permission errors. Yes, the files are user:user already,

I am really perplexed, any help is very welcome.

 

[NiteWave]

I'm ok today to login your server to take a look.
please PM (Start a Conversation) your server's access.

 

[NiteWave]

update:
seems not an issue. in error_log, the last permission issue is found on May 13.
all accounts has been running ProcessGroup mode when I logged in on May 15.
during about 2 days period I was on the server, always in ProcessGroup mode.

how to determine if lsphp running in ProcessGroup mode instead of default Worker mode ?
first, this wiki
http://www.litespeedtech.com/suppor...litespeed_wiki:php:which_php_setup_am_i_using
is the background for coming discussion.

1. the is a WHM/cPanel server. check the configuration first:
#cat /usr/local/apache/conf/includes/pre_virtualhost_global.conf
<IfModule LiteSpeed>
LSPHP_ProcessGroup on
LSPHP_Workers 15
</IfModule>
...
this suggests in all accounts, lsphp will run under ProcessGroup mode

2. run time check:

#pstree -p 11475;date
litespeed(11475)─┬─httpd(11476)
                 ├─litespeed(11479)─┬─{litespeed}(11480)
                 │                  └─{litespeed}(11481)
                 ├─litespeed(11482)─┬─lsphp5(12711)───lsphp5(12712)
                 │                  ├─lsphp5(12707)───lsphp5(12708)
                 │                  ├─lsphp5(11522)───lsphp5(11523)
                 │                  ├─lsphp5(12713)───lsphp5(12714)
                 │                  ├─lsphp5(12705)─┬─lsphp5(12706)
                 │                  │               └─lsphp5(12709)
                 │                  ├─{litespeed}(11483)
                 │                  └─{litespeed}(11484)
                 └─lsphp5(11478)
Fri May 15 03:06:37 AEST 2015

this confirmed ProcessGroup Mode is on.
for example
lsphp5(12707)───lsphp5(12708)
process 12707 is parent lsphp5 process, this is only possible in ProcessGroup mode.
in Worker mode, no parent lsphp5 process. all lsphp5's parent process is "litespeed" process.
you can further run
#ps -ef | grep lsphp5
to check each lsphp5 process's user/group info.

so while it looks complicated by identify which account is running in which mode, it's quite clear and distinguish them easily when running "#pstree -p" as a sysadmin

3.in ProcessGroup mode, opcode cache is allocated with parent lsphp5 process and the child lsphp5 process can share with the cache. so
1) be careful to the apc.shm_size (in example of apc).
if there are 100 parent lsphp5 running, and apc.shm_size is 256M, then 256M x 100 ~ 25G memory is allocated for store opcode only. if your server only has 32G memory, this is too big. of course if the sever has 256G memory in total, apc.shm_size=256M should be ok.
2)each account has its own parent lsphp5 process and so its own apc
apc has a web admin interface to show the cache status -- and for each account as well.
you can't check accountA's apc status by accessing
accountBs_website.com/apc.php
(apc.php is apc's web admin script)
instead, accessing
accountAs_website.com/apc.php
while this looks obvious, people may get confused if not understand ProcessGroup/Worker mode well.