Using MPM ITK as a Custom Opt Module

[cPanelTristan]

MPM ITK Overview

PHP handler options such as suPHP or FCGI only show processes running as the user for PHP processes, while other Apache processes such as HTML pages or download links will run as the user nobody. To overcome this issue, MPM ITK is an MPM for Apache that runs user processes as the user and group set in "AssignUserID" field set in the VirtualHost directive, forcing all user requests to run as that user and group. This MPM also allows setting "MaxClientsVHost" within each VirtualHost to restrict a user's processes at the Apache level.

In order to use MPM ITK until it is in EasyApache itself, there is currently the option to download it from the cPanel documentation site and install it as a Custom Opt Module. Unfortunately, due to the fact that ZTS support is set to on for MPMs other than Prefork, this means that DSO will be disabled during the compile of MPM ITK. Since MPM ITK will only work properly when using mod_php (DSO), this guide will enable using this MPM until it goes into EasyApache.

Please note that MPM ITK and recompiling PHP are both experimental customizations, which are not supported by cPanel itself. This guide would be used at your own risk. If you run into any issues, simply remove the customizations and revert to your prior EasyApache settings.

Adding MPM ITK

Grab the tarfile and install the custom_opt_mods:

cd /root
wget http://docs.cpanel.net/twiki/pub/EasyApache3/CustomMods/MPMitk.tar.gz
tar -C /var/cpanel/easy/apache/custom_opt_mods -xzf MPMitk.tar.gz

At that point, run EasyApache from command line to select the module:

/scripts/easyapache

Select MPM itk in Exhaustive Options List for Apache Modules.

Compiling DSO PHP from Source

Grab a copy of PHP 5.3.6 and extract it:

cd /root
wget http://www.php.net/get/php-5.3.6.tar.gz/from/ar.php.net/mirror
tar xzf php-5.3.6*
cd php-5.3.6

Configure DSO with the proper flags (you may need to add other flags as I've simply used the default flags after switching to DSO on initial cPanel install):

./configure \
--disable-fileinfo \
--disable-pdo \
--enable-bcmath \
--enable-calendar \
--enable-ftp \
--enable-libxml \
--enable-magic-quotes \
--enable-sockets \
--prefix=/usr/local \
--with-apxs2=/usr/local/apache/bin/apxs \
--with-curl=/opt/curlssl/ \
--with-gd \
--with-imap=/opt/php_with_imap_client/ \
--with-imap-ssl=/usr \
--with-jpeg-dir=/usr \
--with-kerberos \
--with-libdir=lib64 \
--with-libxml-dir=/opt/xml2/ \
--with-mysql=/usr \
--with-mysql-sock=/var/lib/mysql/mysql.sock \
--with-mysqli=/usr/bin/mysql_config \
--with-openssl=/usr \
--with-openssl-dir=/usr \
--with-pcre-regex=/opt/pcre \
--with-pic \
--with-png-dir=/usr \
--with-xpm-dir=/usr \
--with-zlib \
--with-zlib-dir=/usr

Run make and make install to complete the installation:

make && make install

Additional Steps for DSO

Copy the libphp5.so file to /root to save a copy of it, since future /scripts/easyapache recompiles will move the file out of /usr/local/apache/modules folder:

cp /usr/local/apache/modules/libphp5.so /root

Now, before you run /scripts/easyapache in the future, create this file:

vi /scripts/posteasyapache

Place the following content into the file:

#!/bin/bash

cp /root/libphp5.so /usr/local/apache/modules/
/etc/init.d/httpd restart
/usr/local/cpanel/bin/rebuild_phpconf 5 none dso enabled

The above code copies libphp5.so back into /usr/local/apache/modules folder at the end of the build, restarts Apache, and re-enables dso for the PHP handler as it will switch to suPHP during the EasyApache build but dso will become available again after the libphp5.so is copied back to /usr/local/apache/modules folder. If you use PHP 4 as well, you may need to revise the last line to put something other than none for the PHP 4 handler.

After saving the file, ensure it can execute:

chmod +x /scripts/posteasyapache

Of note, I previously was adding the LoadModule to /usr/local/apache/conf/includes/pre_main_global.conf file, but this isn't necessary due to the fact that it will be added to /usr/local/apache/conf/php.conf file once libphp5.so is moved back to /usr/local/apache/modules folder.

Adding MPM ITK VirtualHost Directives

Finally, to enable individual VirtualHost directives for MPM ITK, use the following steps:

mkdir -p /usr/local/apache/conf/userdata/std/2/username
echo "AssignUserID username username" >> /usr/local/apache/conf/userdata/std/2/username/mpm.conf
/scripts/ensure_vhost_includes --user=username

Above, please replace username with the cPanel username for each instance.

If you would also like to limit the MaxClients for that user, you can do:

echo "MaxClientsVHost #" >> /usr/local/apache/conf/userdata/std/2/username/mpm.conf
/scripts/ensure_vhost_includes --user=username

Here replace both username and # where # is the number you wish to limit for the MaxClients for that VirtualHost such as 50 or 25.

Setting the PHP handler before the next EasyApache recompile

In WHM > Apache Configuration > PHP and SuExec Configuration area, set the PHP 5 handler to dso.

Alternatively, run this via command line:

/usr/local/cpanel/bin/rebuild_phpconf 5 none dso enabled

As noted previously, if you are using PHP 4 as well via another handler, you'll need to change none to whatever handler PHP 4 should have.

Working Examples

To see a working example of my html page, PHP page and rails application page running under my username via MPM ITK, here are some process outputs:

1. HTML page loaded in a browser returns 1 Apache process as the user

tristan 28413 0.0 0.2 111600 5864 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL

2. PHP page loaded in a browser returns 2 Apache processes as the user

tristan 28463 0.0 0.3 112232 7140 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
tristan 28464 0.0 0.3 111600 6332 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL

3. Rails page loaded in a browser returns 5 Apache processes as the user

tristan 28512 0.0 0.2 111600 6144 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
tristan 28514 0.0 0.2 111600 5840 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
tristan 28516 0.0 0.2 111600 5840 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
tristan 28517 0.0 0.2 111600 5840 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
tristan 28518 0.0 0.2 111600 5840 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL

 

[britsenigma]

I'm testing this currently. Can you confirm some WHM settings:

Default PHP Version (.php files) 5
PHP 5 Handler dso
PHP 4 Handler none
Suexec off

 

[britsenigma]

I made this script, my bash skills are basic at best.

Any way to get the mpm.conf added (any hooks) when a new user account is created?

Also, what php Optcode cache will work best with this setup?

##########SCRIPT

#!/bin/bash

src="/usr/local/apache/conf/userdata/std/2/"

for dir in `ls "$src/"`
do
if [ -d "$src/$dir" ]; then
echo $dir
echo "Removing Old $dir/mpm.conf"
rm -f /usr/local/apache/conf/userdata/std/2/$dir/mpm.conf
echo "Adding AssignUserId to $dir/mpm.conf"
echo "AssignUserID $dir $dir" >> /usr/local/apache/conf/userdata/std/2/$dir/mpm.conf
# echo "MaxClientsVHost 25" >> /usr/local/apache/conf/userdata/std/2/$dir/mpm.conf
/scripts/ensure_vhost_includes --user=$dir
echo "Ensuring Vhost Inlcudes --user=$dir"
fi
done

 

[britsenigma]

I've gone back to the magic bullet config I was using before. This does work, it is faster, but there are compatibility issues I've not worked out yet.

 

[Brian]

I would strongly advise against using MPM ITK at this point for any reason.

Why? Our developers reviewed and considered both MPM ITK and mod_ruid2 for inclusion to the cPanel product a few months back. Both provide similar behavior/changes to Apache.

Our developers sided with mod_ruid2 and it is now included and available via the latest EasyApache (as of v3.8.2). Although, note that you must be running cPanel 11.31.3.* or higher (Currently in EDGE only as of this posting) for mod_ruid2 to be available in EasyApache as a selection. This is due to product changes that were required to support mod_ruid2.

Essentially, wait for 11.31.3.* or higher to hit your chosen cPanel tier and then utilize mod_ruid2 if you're looking for MPM ITK type behaviors. In this fashion, you will be using a cPanel sanctioned module vs. a custom opt mod that requires a decent amount of manual work arounds to even get working.

More information can be found here in the feature request thread: http://forums.cpanel.net/f145/case-52294-support-mod_ruid2-229432.html