Linux

Apache/IBM HTTP Server: No space left on device: Couldn’t create accept lock

As part of restart of IBM HTTP Server (IHS) to effect a configuration I recently came across this error. We couldn’t find any syntax errors, and even reversing the change the error message was still written to the Apache error logs:

[emerg] (28)No space left on device: Couldn't create accept lock

My initial impression was the message is related to a lack of disk space, but there was plenty free on the box. Further research revealed the problem is related to semaphores which are used for communicating between the parent and child processes.

To resolve the problem I performed the following steps:

Run this command as root:

# ipcs -s

If you see a list of semaphores, Apache has not cleaned up after itself, and some semaphores are stuck. Clear them out with this command:

# for i in `ipcs -s | awk '/httpd/ {print $2}'`; do (ipcrm -s $i); done

Now, in almost all cases, Apache should start properly. If it doesn’t, you may just be completely out of available semaphores. You may want to increase your available semaphores. Add this to /etc/sysctl.conf:

kernel.msgmni = 1024
kernel.sem = 250 256000 32 1024

And then run sysctl -p to pick up the new changes.

Installing a Godaddy SSL Certificate into Apache Ubuntu Linux

Godaddy is probably the cheapest SSL certificate provide on the web with their root CA present in all the major browsers. I was able to pick up a 12 month SSL certificate for only $12.99 (~£10.00 inc VAT) by following the link HERE

Now on to the good stuff.

  • Webserver: Ubuntu 8.04 LTS
  • Apache2 with http.conf: /etc/apache2/http.conf

First we need to generate a ‘key’ file that tells our server apart from other servers. You should have openssl installed on your machine, if not, simply type in

sudo apt-get install openssl

Then change to the directory to the place you would like to store everything. In my case, I chose:

mkdir /etc/apache2/ssl
kdir /etc/apache2/ssl/certs
mkdir /etc/apache2/ssl/private
cd /etc/apache2/ssl/private
openssl genrsa -out websitename.key 2048

This will spit out a key for our server to create the CSR which is what we need to send to send to Godaddy in order to get the required files to finish the setup. Next we generate a CSR (so in the same directory):

openssl req -new -key websitename.key -out websitename.csr

When filling out the CSR via the terminal it will ask you for several things(Country Name, State or Province, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address, and Password) Some of these are optional, but make sure that under Common Name you put your website url (website.com).

Now, we need the contents of this CSR to give to godaddy.

cat websitename.csr

Copy the text and paste it into Godaddy’s CSR pane. Make sure you keep the —Begin— and —End— stuff or else godaddy will reject it. I also chose the Starfield Technologies certificate just because it sounded cooler than Godaddy. Once accepted, you would then download the certificate.

Click on the common name [yourwebsite] then on download. Select Apache server type. This will give you a zip file with two files in it. You need to copy the website.crt to /etc/apache2/ssl/certs and the sf_bundle.crt to /etc/apache2/ssl I used a program called WinSCP to drag and drop these files in there via ssh.

Recap:

Folder Layout >
/etc/apache2/ssl/
        -certs
        |__ website.crt
        -private
        |__ website.key
        |__ website.csr (Can be deleted)
        -sf_bundle.crt

We need to edit our http.conf file to make sure that we have a valid path for the SSL. Here is my Vhost listing for the ssl. As you can see I have added a few extra things to make it play nice. I turned on SSLEngine and included the files for it to work properly. Feel free to copy and paste with minor changes.

<VirtualHost *:443>
  ServerName example.com
  ServerAlias example.com
  SSLEngine on
  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  SSLCertificateFile /etc/apache2/ssl/certs/website.crt
  SSLCertificateKeyFile /etc/apache2/ssl/private/website.key
  SSLCertificateChainFile /etc/apache2/ssl/sf_bundle.crt
  DocumentRoot /var/www/www.website.com/htdocs
</VirtualHost>

Now when you restart apache:

/etc/init.d/apache2 restart

Apache Secured Shared Hosting with mod_proxy and mod_chroot

I have been investigating how I can isolate the various sites I host on my VPS box. Ideally I would have my own dedicated server with each site in it’s own VPS, this may be an option if I roll my own dedicated server in the near future but for now the next best option appears to be a chroot jail for each site proxied behind the primary Apache instance.

First step ensure Apache2 and mod_chroot are installed on your box, for Ubuntu this is:

apt-get install apache2 libapache2-mod-chroot

Then for each domain, create a virtual host config like /etc/apache2/sites-available/example.com:

<VirtualHost *:80>
  ServerAdmin test@example.com
  ServerName example.com
  ServerAlias *.example.com

  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://localhost:8000/
  ProxyPassReverse / http://localhost:8000/
  <Proxy *>
    Allow from all
  </Proxy>

  ErrorLog /home/example/www/example.com/log/error.log
  LogLevel warn
  CustomLog /home/example/www/example.com/log/access.log combined
</VirtualHost>

This will be used by the Apache proxy, which is the normal system apache2 running as the default “www-data” user. This proxy handles name-based virtual hosts, and proxies the requests to a second process, running at localhost on port 8080.

Note that the logs are configured here and not in the user’s Apache process, for two reasons:

  1. Keep logs pristine in the event of a break-in on a user site (for example via a buggy or malicious PHP script)
  2. Single system-wide log file analysis process instead of per-user

Next, create a user account for each domain:

mkdir -p /home/example/www/example.com
cd /home/example/www/example.com
mkdir htdocs logs conf
chown www-data:www-data logs
chown example:example htdocs/

Create the following in /home/example/www/example.com/conf/apache2.conf:

ServerRoot "/home/example/www/example.com/"
LockFile /home/example/www/example.com/conf/accept.lock
PidFile /home/example/www/example.com/conf/apache2.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
User example
Group example
AccessFileName .htaccess
<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
</Files>

Options -Indexes

DefaultType text/plain
HostnameLookups Off
ErrorLog /home/example/www/example.com/conf/error.log
LogLevel warn
LoadFile /lib/libnss_dns.so.2
LoadModule chroot_module /usr/lib/apache2/modules/mod_chroot.so
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
Listen 8000
DocumentRoot /home/example/www/example.com/htdocs
ChrootDir /home/example/www/example.com

Once the chroot has been applied the root directory as far as the Apache process is concerned is /home/example/www/example.com – this creates a problem whereby the DocumentRoot is actually now /htdocs. The way round this is to use the –bind option of mount shown here:

mkdir -p /home/example/www/example.com/home/example/www/example.com
mount --bind /home/example/www/example.com /home/example/www/example.com/home/example/www/example.com

Now launch the new Apache process:

apache2 -f /home/example/www/example.com/conf/apache2.conf -k start

Everything should now work, but you may notice some problems, particularly with scripts like PHP, CGI etc. Generally the way round this is to make parts of the system available in the chroot and by ammending paths using the apache2.conf file in the jail.

This is as far as I have got, I have been working on getting startup right with an init script and automating the mount –bind by editing the /etc/fstab entries. I will cover my success (or otherwise) in another post.