[OpenAFS] AFS && Apache

Cees de Groot cg@cdegroot.com
15 May 2002 11:09:03 +0200


[long post]

Turbo Fredriksson <turbo@bayour.com> said:
>I've moved my web directory to AFS space. I'm running
>TWO webservers, Roxen2 and Apache. I only run Apache
>because I have not been lucky getting PHP working
>with Roxen...
>
I'm not sure what your problem is, but I'm sure what my solution is :-). So
I'll bore you with it.

First off, I like to use daemontools (http://cr.yp.to/daemontools.html). You
may differ in opinion, but I do note that hardly anyone that has installed and
used it walks away from it back to inittab/rc scripts et al. 

Daemontools has a service starter (which starts a little service monitor
per service that is responsible for restarts, up/down, delivering
signals). A service starter is associated with a directory, by default
/service; services are defined in directories below the main directory and
are started by daemontools by executing scripts called 'run' inside these
directories. Services are not supposed to background/detach themselves
(the daemontools philosophy, which I subscribe to, is that this is not
a responsibility of a server program but of the environment). There
are Apache hacks to prevent it from forking etcetera, and also some
programs in the daemontools package to prevent software from detaching
(so that the signals cannot be delivered).

With daemontools and an adapted Apache in place, I run an 'apache' service in
daemontools:

/service/
  apache/
    run 

'run' starts another copy of the scanner inside a new PAG that monitors
a service directory under the apache service directory:

/service/
  apache/
    service/
      httpd/
        run
      reauth/
        run

The httpd/run script starts Apache so that it doesn't detach. The
reauth/run script authorizes with Kerberos, and then sleeps a couple of
hours - when the sleep is done, the run script exits, and the monitoring
daemon from daemontools automatically restarts the 'service', so that
reauthorization is done, etcetera.

I've been messing with lots of possibilities, but this is the cleanest
solution I have found so far. For example, it is extremely easy to
start more servers inside the same PAG (one example is Intershop which
we host: it consists of Apache and a Perl-based server, the latter is
started from just another directory under /service/intershop/service/
with a simple run script; another example would be a qmail installation
which consists of lots of small services). It is also simple to restart
Apache within the PAG (because you just restart the 'nested' service,
which is completely handled inside the PAG).

Here are the scripts I use for a secure HTTP server:

/service/secure/run:
---
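#!/bin/sh
# Merge stderr into stdout.
exec 2>&1

# Start a shell in a new PAG and run a nested svscan on ./service inside it.
# The heredoc is unquoted, so $(...) is expanded here, before pagsh reads it.
exec pagsh.krb5 <<EOF
    cd $(dirname $0)
    exec svscan $(/bin/pwd)/service
EOF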
---

/service/secure/service/reauth/run:
---
#!/bin/sh
kinit -k secure_svc && exec sleep 15000
---
(in fact, I'm doing a random sleep so that in a load-balanced situation the
renewals - with possible failure - are spread out over time. But that code
would detract from the essence of the script).

/service/secure/service/httpd/run:
---
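#!/bin/sh
# Merge stderr into stdout.
exec 2>&1

HTTPD=/usr/sbin/httpd
CONF=/afs/tio/common/etc/cfg/secure/httpd.conf
# Check the configuration first; only then start Apache, with the preload
# library that keeps it from detaching.
$HTTPD -t -f $CONF && LD_PRELOAD=/afs/tio/@sys/opt/admin/nodaemon.so exec \
        $HTTPD -f $CONF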
---
(the LD_PRELOAD hack is a library I wrote that intercepts fork() and setsid()
in order to prevent Apache from detaching itself - other solutions are
possible e.g. by changing the Apache source code, but I had to resort to this
solution for commercial software where I don't have the source code and
therefore applied it to open source packages as well to have some
standardization).


-- 
Cees de Groot               http://www.cdegroot.com     <cg@cdegroot.com>
GnuPG 1024D/E0989E8B 0016 F679 F38D 5946 4ECD  1986 F303 937F E098 9E8B
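
The randomized renewal the post mentions for reauth/run, as an added example that is not the author's own script. The principal and the 15000-second base come from the post; SPREAD, RETRY, the helper jittered_delay and the `$0` guard are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): reauth/run with spread-out renewals.
PRINCIPAL=secure_svc   # from the post
BASE=15000             # from the post: seconds between renewals
SPREAD=1800            # assumed: extra random delay, must be <= 65536
RETRY=60               # assumed: pause after a failed kinit

# Print an integer in [base, base + spread), using 16 bits from /dev/urandom.
jittered_delay() {
    base=$1
    spread=$2
    if [ "$spread" -le 0 ]; then
        echo "$base"
        return 0
    fi
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $(( $base + $r % $spread ))
}

main() {
    exec 2>&1
    if kinit -k "$PRINCIPAL"; then
        # Success: stay alive until the next renewal is due.
        exec sleep "$(jittered_delay "$BASE" "$SPREAD")"
    fi
    # Failure: the old ticket stays valid until it expires, so wait before
    # exiting instead of letting supervise retry immediately.
    echo "reauth: kinit -k $PRINCIPAL failed, retrying in ${RETRY}s"
    sleep "$RETRY"
    exit 1
}

# supervise starts this file as ./run; the guard keeps main from running
# when the functions are loaded some other way (assumed convention).
case "$0" in
    run|*/run) main ;;
esac
```

Without the RETRY pause a failing kinit would make supervise restart the script about once a second, each time contacting the KDC. Keep BASE + SPREAD below the ticket lifetime issued to the principal.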