Dave Child's questions

I've got a folder full of log files, and I'm using logrotate to rotate them.

Until recently, I only had Apache log files in there - access.log and error.log. I've added a new log from a daemon, daemon.log. The daemon log is being written by a daemon running under the www-data user.

When it runs, logrotate creates a new log, with permissions of 640, user root and group adm. Apache can write to the access and error logs with these permissions, but my daemon, running as www-data, can't.

As I see it, there are a few options:

1. Change the logrotate config to manually specify which log files are given which permissions. But this means if I add a new log file, I need to remember to configure logrotate to manage it.
2. Modify the logrotate script to somehow create an exception for the daemon.log file. Is that even possible?
3. Move the daemon log to a new folder, with a separate logrotate script to manage log files in that new folder. Simple enough, but I'd like to keep all my logs together if I can.
4. Set logrotate to create the files under a different user and group. Seems like this would risk missing log information.
5. Add the www-data user to the adm group, and set permissions to 660. I don't like the idea of giving the www-data user access to other stuff unintentionally.
6. Set permissions on the log files to 666. Seems like a crude solution.

None of those is ideal, and I'm pretty sure a couple are terrible. Is there another option, or is one of these my best bet? Am I missing something?

I have a remote server running MySQL, with a LAMP server in the same location. The LAMP server can connect to the MySQL server (over the local network) with no problem, most of the time.

I also have a VPN server on the MySQL box (only way I can get a static IP for my home connection). I can connect to the VPN just fine, and browse the web through it, SSH through it, etc.

However, when I connect to my VPN server, PHP can no longer connect to the MySQL server. Once I disconnect, PHP can connect to the MySQL server again.

I'm not even sure where to start fiddling to fix this. Is this a VPN problem? A firewall problem? A problem with Apache? It smells like a VPN problem, as it goes away when I disconnect, but I can't find any indication why this should happen when I connect to the VPN.

I'm running a local dev server on Apache. I have a script (written in PHP) that scans all of the local dev sites I have up and running, and tells me which have outstanding items to commit to git. When I run git status as my own user, git ignores the files set in my .gitignore file. But when I run the command via Apache/PHP, those files are not ignored.

I'm not sure I'm explaining that very well, so by way of a demonstration, I have a folder with three files:

file1.txt
file2.php
file3.backup

My gitignore contains this line, to ignore all backup files:

*.backup 

When I run the git status command manually, I see this (with the backup file correctly ignored):

dave$ git status
file1.txt
file2.php

If I run exec('cd /dir/ && git status -s /dir/', $output); from PHP, I see:

file1.txt
file2.php
file3.backup

The backup file shows up as an unversioned file.

I don't want to set the gitignore on a per-repo basis. Is there any way I can get my www-data user to use a gitignore? Or is there a higher-level gitignore setting for all users on a machine?

I've got a server running apache, and have been seeing occasional apache processes go to 100% and stay there. Today, with two processes at 100%, I turned off external access to the server (to prevent further requests to apache). Five minutes later, no requests are coming in to the server but both processes are still at 100%.

I've run lsof on each process, and they've giving me about 9000 lines of output (that might as well be greek to me). No other processes seem to be behaving strangely or waiting etc.

My database is on a second server. Using mytop shows two MySQL connections active from the apache server, both with a state of "sleep". I killed one of those MySQL threads, and there was no change to either process on the Apache server.

This apache server is one of two behind a simple load balancer. I don't know if that could be related.

How can I confirm that the apache issue is related to what I'm seeing on the database server? And is this likely to be the result of a dodgy SQL call, or something else?

Edit: Found the issue. It was a code problem with Magento. The image resizing function was failing to open an image, because the extension was incorrect (it was a BMP with a jpg extension). The error handler for this was invoking the resize again, et voila - a loop. Found this by doing strace on the misbehaving apache process.

I've been having some trouble with a firewall blocking traffic between two servers recently and want to check how iptables handles multiple rules applying to the same IP. If I run iptables -L -n | grep 1.2.3.4 I see this output:

ACCEPT    all  --  1.2.3.4      0.0.0.0/0
DROP      all  --  1.2.3.4      0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            1.2.3.4
DROP      all  --  0.0.0.0/0            1.2.3.4

How will iptables process these rules? Will all traffic from 1.2.3.4 be dropped?

I have a pair of servers hosting a single Magento ecommerce site with moderate traffic (60k page views per day reported from google analytics, I think about 80k reported on the server itself). The database server runs smoothly and quickly, aside from a rare occasional hiccough, but the apache server has been falling over every so often.

I have set up magento to use the recommended PHP caching (APC), as well as holding its own cache files in a 1.5 gig tmpfs (this tmpfs regularly gets pretty full, and I have a script running to clear cache files when the tmpfs is more than 80% full). I serve most imagery from amazon cloudfront. I recently set up nginx as a reverse proxy to apache (nginx also serves the static files). I have configured apache to the best of my ability - keepalives and hostnamelookups are off, and the prefork is configured as follows:

<IfModule prefork.c>
    StartServers      50
    MinSpareServers   50
    MaxSpareServers  100
    ServerLimit  512
    MaxClients   256
    MaxRequestsPerChild 400
</IfModule>

I've not turned off .htaccess files, and access logging is on. I know there are some modules I can turn off. I'm not sure what effect any of those three changes would have, if any.

The apache server is a VPS with 6 gig of RAM. As of the time of writing the server is reporting load average: 17.77, 18.27, 49.76, but there's about 2 gig of RAM free. When it goes really bad, the load goes to 120+ and stays there - restarting apache brings the site back up and the load back down.

vmstat is (while the server is reporting the load above), I think, showing a CPU idle value fluctuating between 0 and 70 or so. iostat is showing an iowait value between 0 and 0.2%.

I'm a bit stuck. What little I know is telling me that the problem is that the CPU is overloaded as a result of combination of the code being run, and the number of users. But I'm not experienced enough to be certain that that is the problem. If that is the problem, I think the solutions are to either improve the code or to split the site hosting over two VPSes with a load balancer.

So, I guess my questions are:

1. What else can I do to find problems or bottlenecks on the server?
2. Are there any obvious changes I can make to the server config to improve this?
3. Is it a good idea to set an automated system to restart apache when the load goes above a certain level?
4. From the above, how likely is it that the site has outgrown the server?

Edit:

I found something weird - /var/spool/mail/root was large ... 38 gig. That sounds ... unhealthy. Could that be the problem?

I have a development server, and at the moment email is disabled on it, so we can do whatever we need to with the system without worrying about accidentally emailing clients' customers.

I'd like to set up Postfix (or something similar) to route all email from that machine to a specific, single address, no matter who it is addressed to or which domain name they are using.

I've tried this, with no success (the BCC works, but the email still goes to the original recipient):

local_recipient_maps =
luser_relay = [email protected]
always_bcc = [email protected]

I'm using Ubuntu server 10.04, pretty standard LAMP setup.

Possible Duplicate:
How can I set up Postfix so that all email sent on my dev box gets routed to the developer email group?

I have a staging web server, and I have previously prevented any and all mail being sent out from it (I don't want my clients getting test messages from it). I've now set up postfix, but I want to restrict it so that the server only ever sends emails to recipients at one domain name. I've tried:

relay_domains = domain.com  
smtpd_recipient_restrictions = reject_unauth_domain

.. among other variations. I've just switched it to simply this to see if that made any difference:

smtpd_recipient_restrictions = reject

But it's still sending out mail. I think all I'm doing is changing the relay settings, and I need to be changing something else, but can't make head or tail of the documentation.

I'm running postfix reload after each change, and postfix restart. This is on Ubuntu server.