Enabling and disabling Xdebug on cPanel servers

actived

Well-Known Member
Mar 30, 2012
51
0
56
cPanel Access Level
Website Owner
Hi,
We have a huge web application with a few 100s of source code files (some huge), lots of modules, templating, etc. So we need to profile it to see how things can be sped up. Going with xdebug, I've got it running on Windows and Linux (XAMPP) for debugging and profiling and it works well.

Now I want to know:
1. Is it a huge security risk to have xdebug installed for a day or two on the production server for debugging and profiling?

2. Is it necessary to do an EasyApache rebuild to enable/disable the xdebug extension?
That is, can it not simply be installed once and then enabled/disabled using only a php.ini edit + restart?

3. I've used the Easy Xdebug Firefox extension. It initiates profiling from the browser add-on.
So, can any user who has the Firefox Xdebug extension installed connect to an xdebug-enabled production web app and grab any data from it?

Thanks in advance.
Regards,
Dave.
 

actived

XHProf, PHP_Debug, xdebug in PECL but not get Re:enabling/disabling xdebug

Hi,
I looked into xdebug alternatives because enabling profiling on production using xdebug looked like a bad idea.
I found that xdebug has an option to be enabled/disabled by code - only for a region of code - not for the whole app. This gives security and performance while also providing debugging capability.

However, I found many advocating Facebook's XHProf as being designed for production environments.

So I searched in PECL (WHM > Module Installers > PECL > Manage) and did find:
xhprof 0.9.2 beta XHProf: A Hierarchical Profiler for PHP Install Show Docs
However on clicking install it gives the following message:
Code:
Failed to download pecl/xhprof within preferred state "stable", 
latest release is version 0.9.2, stability "beta", 
use "channel://pecl.php.net/xhprof-0.9.2" to install
install failed
The xhprof.so object is not in /usr/local/lib/php/extensions/no-debug-non-zts-20060613
Tidying /usr/local/lib/php.ini...
No changes
Tidying /usr/local/cpanel/3rdparty/etc/php.ini...
No changes
We use Release Tier - would this mean that Xdebug is the best option for us?
(I haven't seen PHP_Debug yet).
 

actived

Well, I tried installing xdebug, only to find that it apparently conflicts with Zend Optimizer, which we also have installed.
Compatibility
Xdebug does not work together with the Zend Optimizer or any other extension that deals with PHP's internals (DBG, APD, ioncube etc). This is due to compatibility problems with those modules.
This causes an endless stream of such errors:
Code:
[Mon Aug 06 11:46:32 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 configured -- resuming normal operations
[Mon Aug 06 11:46:32 2012] [error] [client x.x.x.x] Premature end of script headers: index.php
[Mon Aug 06 11:46:34 2012] [error] [client x.x.x.x] Premature end of script headers: index.php
[Mon Aug 06 11:46:34 2012] [error] [client x.x.x.x] Premature end of script headers: index.php
...
Since we need Zend Optimizer, the only option we have left for profiling is to install XHProf manually (if possible) or PHP_Debug or a custom solution.
 

actived

Got this thread: http://forums.cpanel.net/f42/installing-xhprof-php-function-call-debugging-252521.html with all the answers I need. I'll post if all went as expected.

UPDATE:
Works perfectly.
A couple of minor changes:
Step #6 in that howto - xhprof_lib and xhprof_html were not formed under any xhprof directory but just by themselves in /root/tmp/pear/cache/

When I try to see the call graph, in spite of having dot installed, I get
Code:
failed to shell execute cmd=" dot -Tpng"
This is because we have disabled proc_open for security reasons:
Code:
[06-Aug-2012 14:24:02] PHP Warning:  proc_open() has been disabled for security reasons in /home/username/public_html/xhprof/xhprof_lib/utils/callgraph_utils.php on line 108
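Added example, not part of any post in this thread: a small Python audit of a php.ini for the exposure points the thread raises (Xdebug loaded next to Zend Optimizer, profiling that a client can trigger, debugger connect-back, and whether proc_open is still disabled). It assumes Xdebug 2 setting names; the sample ini, the finding codes and the function names are constructed for illustration.

```python
# Constructed php.ini fragment; the Zend Optimizer path and all values are illustrative.
SAMPLE_INI = """\
zend_extension="/usr/local/lib/php/extensions/no-debug-non-zts-20060613/xdebug.so"
zend_extension="/usr/local/Zend/lib/ZendOptimizer.so"
xdebug.profiler_enable = 0
xdebug.profiler_enable_trigger = 1   ; on-demand profiling
xdebug.remote_enable = On
xdebug.remote_connect_back = 1
disable_functions = exec, passthru, proc_open, shell_exec
"""

TRUTHY = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Return (settings, loaded): last value per key, plus every extension path."""
    settings, loaded = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if "=" not in line or line.startswith("["):
            continue
        key, value = (p.strip().strip("\"'") for p in line.split("=", 1))
        if key.lower() in ("extension", "zend_extension"):
            loaded.append(value.lower())             # directive may repeat
        else:
            settings[key.lower()] = value
    return settings, loaded

def audit(text):
    """Return sorted finding codes (hypothetical names) for a production php.ini."""
    s, loaded = parse_ini(text)
    on = lambda k: s.get(k, "0").lower() in TRUTHY
    findings = set()
    if any("xdebug" in p for p in loaded):
        findings.add("XDEBUG_LOADED")
        # Xdebug's compatibility note: no Zend Optimizer, ionCube etc. alongside it.
        if any("zendoptimizer" in p or "ioncube" in p for p in loaded):
            findings.add("ENGINE_EXTENSION_CONFLICT")
        if on("xdebug.profiler_enable"):
            findings.add("PROFILES_EVERY_REQUEST")
        if on("xdebug.profiler_enable_trigger"):     # XDEBUG_PROFILE param or cookie
            findings.add("CLIENT_CAN_TRIGGER_PROFILER")
        if on("xdebug.remote_enable") and on("xdebug.remote_connect_back"):
            findings.add("DEBUGGER_CONNECTS_TO_ANY_CLIENT")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    if "proc_open" not in disabled:                  # thread keeps it disabled
        findings.add("PROC_OPEN_ALLOWED")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

A commented-out `zend_extension` line is ignored by the parser, so the same check confirms that a php.ini edit plus restart really unloaded the extension.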