Bug#1072804: mod_autoindex: should default to XHTML and send the charset in the document
Package: apache2
Version: 2.4.59-1~deb11u1
Severity: wishlist
Tags: upstream
X-Debbugs-Cc: t...@mirbsd.de

The W3C validator is not quite happy with the default directory indicēs. Applying the following change to its config…

- IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8
+ IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8 XHTML

… makes it a little happier, only one warning left (no HTML meta element to declare the charset, which would involve patching the C source to emit…

("\n", whateverCharsetVar);

… as well (the whateverCharsetVar is the content of the 「Charset=UTF-8」 config from IndexOptions).

-- Package-specific info:

-- System Information:
Debian Release: 11.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable-proposed-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-30-amd64 (SMP w/1 CPU thread)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.59-1~deb11u1
ii  apache2-data         2.4.59-1~deb11u1
ii  apache2-utils        2.4.59-1~deb11u1
ii  dpkg                 1.20.13
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  mime-support         3.66
ii  perl                 5.32.1-4+deb11u3
ii  procps               2:3.3.17-5

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.0+nmu1

Versions of packages apache2 suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]  2.9.0rel.1-0.2

Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.0-6+deb11u2
ii  libaprutil1              1.6.1-5+deb11u1
ii  libaprutil1-dbd-pgsql    1.6.1-5+deb11u1
ii  libaprutil1-dbd-sqlite3  1.6.1-5+deb11u1
ii  libaprutil1-ldap         1.6.1-5+deb11u1
ii  libbrotli1               1.0.9-2+b2
ii  libc6                    2.31-13+deb11u10
ii  libcrypt1                1:4.4.18-4
ii  libcurl4                 7.88.1-10+deb12u5~bpo11+0wtf1
ii  libjansson4              2.13.1-1.1
ii  libldap-2.4-2            2.4.57+dfsg-3+deb11u1
ii  liblua5.3-0              5.3.3-1.1+deb11u1
ii  libnghttp2-14            1.43.0-1+deb11u1
ii  libpcre3                 2:8.39-13
ii  libssl1.1                1.1.1w-0+deb11u1
ii  libxml2                  2.9.10+dfsg-6.7+deb11u4
ii  perl                     5.32.1-4+deb11u3
ii  zlib1g                   1:1.2.11.dfsg-2+deb11u2

Versions of packages apache2-bin suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]  2.9.0rel.1-0.2

Versions of packages apache2 is related to:
ii  apache2      2.4.59-1~deb11u1
ii  apache2-bin  2.4.59-1~deb11u1

-- Configuration Files:
/etc/apache2/conf-available/charset.conf changed [not included]
/etc/apache2/conf-available/security.conf changed [not included]
/etc/apache2/mods-available/autoindex.conf changed [not included]
/etc/apache2/mods-available/mpm_prefork.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/apache2/sites-available/default-ssl.conf changed [not included]
/etc/logrotate.d/apache2 changed [not included]

-- no debconf information
Bug#1054562: apache2ctl: add new one-word command: list-vhosts
Package: apache2
Version: 2.4.56-1~deb11u2
Severity: wishlist
X-Debbugs-Cc: t...@mirbsd.de, report...@stoffels.it

Please add a new “apache2ctl list-vhosts” command that can be discovered using the apache2ctl(8) manual page, so that people don’t have to “remember” the full command:

    sudo apache2ctl -t -D DUMP_VHOSTS

-- Package-specific info:

-- System Information:
Debian Release: 11.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable-proposed-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-26-amd64 (SMP w/1 CPU thread)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.56-1~deb11u2
ii  apache2-data         2.4.56-1~deb11u2
ii  apache2-utils        2.4.56-1~deb11u2
ii  dpkg                 1.20.13
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  mime-support         3.66
ii  perl                 5.32.1-4+deb11u2
ii  procps               2:3.3.17-5

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.0+nmu1

Versions of packages apache2 suggests:
ii  apache2-doc         2.4.56-1~deb11u2
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]  2.9.0dev.6-3~deb11u1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.0-6+deb11u2
ii  libaprutil1              1.6.1-5+deb11u1
ii  libaprutil1-dbd-sqlite3  1.6.1-5+deb11u1
ii  libaprutil1-ldap         1.6.1-5+deb11u1
ii  libbrotli1               1.0.9-2+b2
ii  libc6                    2.31-13+deb11u7
ii  libcrypt1                1:4.4.18-4
ii  libcurl4                 7.88.1-10+deb12u4~bpo11+0wtf1
ii  libjansson4              2.13.1-1.1
ii  libldap-2.4-2            2.4.57+dfsg-3+deb11u1
ii  liblua5.3-0              5.3.3-1.1+deb11u1
ii  libnghttp2-14            1.43.0-1
ii  libpcre3                 2:8.39-13
ii  libssl1.1                1.1.1w-0+deb11u1
ii  libxml2                  2.9.10+dfsg-6.7+deb11u4
ii  perl                     5.32.1-4+deb11u2
ii  zlib1g                   1:1.2.11.dfsg-2+deb11u2

Versions of packages apache2-bin suggests:
ii  apache2-doc         2.4.56-1~deb11u2
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]  2.9.0dev.6-3~deb11u1

Versions of packages apache2 is related to:
ii  apache2      2.4.56-1~deb11u2
ii  apache2-bin  2.4.56-1~deb11u2

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/apache2/sites-available/default-ssl.conf changed [not included]
/etc/logrotate.d/apache2 changed [not included]

-- no debconf information
Bug#1018718: apache2-doc: despite having been disabled, apache2-doc.conf gets rather silently re-enabled automatically
Package: apache2-doc
Version: 2.4.56-1~deb11u1
Followup-For: Bug #1018718
X-Debbugs-Cc: t...@mirbsd.de
Control: severity -1 serious
Justification: Policy §10.7.3

This package overwrites local changes on upgrade, which is a release-critical bug as it’s a Policy violation.

-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-21-amd64 (SMP w/1 CPU thread)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

apache2-doc depends on no packages.

Versions of packages apache2-doc recommends:
ii  apache2  2.4.56-1~deb11u1

apache2-doc suggests no packages.

-- no debconf information
Bug#990580: debdiff for NMU apache2 (= 2.4.48-3.1) (was Re: Bug#990580: apache2: [regression] daily cron mails from logrotate: Reloading Apache httpd web server: apache2., caused by #979813)
On Sun, 11 Jul 2021, Adam Borowski wrote:

> I for one believe the old behaviour was superior for the common case of
> "success" -- no news is good news

No disagreement from here. We could do things like…

    output=$(command 2>&1; echo $? >tempfile)
    case $(cat tempfile 2>&1) in
    (0) ;;
    (*) printf >&2 '%s\n' "$output" ;;
    esac

… but…

> • three weeks before the release is no time for such meddling

… precisely this.

> • it should be coded in sysv-rc/runit/etc instead of every daemon

Nope. This is out of the scope of init systems.

bye,
//mirabilos
--
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
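
A variant of the idea sketched in the message above that needs no temporary file (a fixed file name written by a root cron job is best avoided) and that keeps the command's exit status. This is an added example, not part of the original message; `run_quiet`, `reload_ok` and `reload_fail` are hypothetical names and the output strings are constructed.

```shell
#!/bin/sh
# run_quiet CMD [ARGS...]
#   Runs CMD with stdout and stderr captured in a shell variable.
#   Success: prints nothing ("no news is good news"), returns 0.
#   Failure: prints everything CMD wrote to stderr, returns CMD's status,
#            so cron still mails the admin when something went wrong.
run_quiet() {
    rq_status=0
    # The exit status of an assignment from $(...) is that of the command.
    rq_output=$("$@" 2>&1) || rq_status=$?
    if [ "$rq_status" -ne 0 ]; then
        printf '%s\n' "$rq_output" >&2
    fi
    return "$rq_status"
}

# Constructed stand-ins for "invoke-rc.d apache2 reload".
reload_ok() {
    echo "Reloading Apache httpd web server: apache2."
}
reload_fail() {
    echo "Reloading Apache httpd web server: apache2 failed!"
    return 3
}

# Successful reload: silent.
run_quiet reload_ok
# Failed reload: output goes to stderr, status is preserved.
run_quiet reload_fail || echo "reload failed with status $?"
```
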
Bug#990580: debdiff for NMU apache2 (= 2.4.48-3.1) (was Re: Bug#990580: apache2: [regression] daily cron mails from logrotate: Reloading Apache httpd web server: apache2., caused by #979813)
On Fri, 9 Jul 2021, Yadd wrote:

> Apache2 is RFH for years, feel free to contribute

OK, thanks for the maintainer approval. Accordingly, I have just uploaded the attached debdiff.

I chose to direct the output to syslog instead of the bitbucket so it is not lost if someone indeed needs it so it isn’t a regression.

bye,
//mirabilos

diff -Nru apache2-2.4.48/debian/apache2.logrotate apache2-2.4.48/debian/apache2.logrotate --- apache2-2.4.48/debian/apache2.logrotate 2021-06-20 13:55:24.0 +0200 +++ apache2-2.4.48/debian/apache2.logrotate 2021-07-10 23:31:24.0 +0200 @@ -14,7 +14,7 @@ endscript postrotate if pgrep -f ^/usr/sbin/apache2 > /dev/null; then - invoke-rc.d apache2 reload + invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate fi endscript } diff -Nru apache2-2.4.48/debian/changelog apache2-2.4.48/debian/changelog --- apache2-2.4.48/debian/changelog 2021-06-20 16:39:33.0 +0200 +++ apache2-2.4.48/debian/changelog 2021-07-10 23:31:28.0 +0200 @@ -1,3 +1,11 @@ +apache2 (2.4.48-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * Direct init script reload output from logrotate to syslog, to +avoid mail-spamming the local admin (Closes: #990580) + + -- Thorsten Glaser Sat, 10 Jul 2021 23:31:28 +0200 + apache2 (2.4.48-3) unstable; urgency=medium * Fix debian/changelog
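Review bot: in the postrotate hunk of debian/apache2.logrotate, piping the reload into logger makes the pipeline's exit status that of logger, so a failed "invoke-rc.d apache2 reload" no longer makes the postrotate script fail and logrotate has nothing to report; the failure is then visible only in syslog under the apache2.logrotate tag. Consider capturing the reload's exit status and writing the captured output to stderr when it is non-zero, so that errors still reach the admin while the success message stays out of the cron mail. The changelog entry could also say that error output is redirected to syslog together with the success message.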
Bug#990580: apache2: [regression] daily cron mails from logrotate: Reloading Apache httpd web server: apache2., caused by #979813
Thanks Adam for the analysis!

> To stop the mails from logrotate, could you please change back:
> - invoke-rc.d apache2 reload
> + invoke-rc.d apache2 reload > /dev/null 2>&1
>
> otherwise, people running Bullseye will be mightily unhappy.
>
> I also wonder why such a cleanup was done late during hard freeze.

Indeed. ping‽

(I intend to NMU if no activity happens.)

bye,
//mirabilos
Bug#990580: apache2: [regression] daily cron mails from logrotate: Reloading Apache httpd web server: apache2.
Package: apache2
Version: 2.4.48-3
Severity: important
X-Debbugs-Cc: t...@mirbsd.de, debian-rele...@lists.debian.org

Having just upgraded machines from 2.4.46-4 to 2.4.48-3 I now get daily¹ cron mails:

| From: Anacron
| Message-ID: <20210702075325.946f340...@ci-busyapps.lan.tarent.de>
| To: r...@ci-busyapps.lan.tarent.de
| Date: Fri, 2 Jul 2021 07:53:25 + (UTC)
| Subject: Anacron job 'cron.daily' on ci-busyapps.lan.tarent.de
|
| /etc/cron.daily/logrotate:
| Reloading Apache httpd web server: apache2.

This is a regression that’s going to severely annoy admins and ought to be fixed, including for bullseye.

① I know they are daily because I have been getting them on another system for some time already but didn’t know if it was that system or something in the package; as multiple other systems are now affected identically, I know it’s a bug in the package.

-- Package-specific info:

-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/1 CPU thread)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.48-3
ii  apache2-data         2.4.48-3
ii  apache2-utils        2.4.48-3
ii  dpkg                 1.20.9
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  mime-support         3.66
ii  perl                 5.32.1-4
ii  procps               2:3.3.17-5

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.0+nmu1

Versions of packages apache2 suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]  2.9.0dev.6-2

Versions of packages apache2-bin depends on:
ii  libapr1                1.7.0-6
ii  libaprutil1            1.6.1-5
ii  libaprutil1-dbd-pgsql  1.6.1-5
ii  libaprutil1-ldap       1.6.1-5
ii  libbrotli1             1.0.9-2+b2
ii  libc6                  2.31-12
ii  libcrypt1              1:4.4.18-4
ii  libcurl4               7.74.0-1.3
ii  libjansson4            2.13.1-1.1
ii  libldap-2.4-2          2.4.57+dfsg-3
ii  liblua5.3-0            5.3.3-1.1+b1
ii  libnghttp2-14          1.43.0-1
ii  libpcre3               2:8.39-13
ii  libssl1.1              1.1.1k-1
ii  libxml2                2.9.10+dfsg-6.7
ii  perl                   5.32.1-4
ii  zlib1g                 1:1.2.11.dfsg-2

Versions of packages apache2-bin suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]  2.9.0dev.6-2

Versions of packages apache2 is related to:
ii  apache2      2.4.48-3
ii  apache2-bin  2.4.48-3

-- Configuration Files:
/etc/apache2/mods-available/ssl.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/apache2/sites-available/default-ssl.conf changed [not included]

-- no debconf information
Bug#958473: apache2-bin: please demote Depends on libaprutil1-dbd-* to Recommends (at most)
Package: apache2-bin
Version: 2.4.43-1
Severity: wishlist

What use has the dependency on libaprutil1-dbd-sqlite3, considering apache2 is not linked against it? I was unable to even find anything in the package for which ldd reports one of the dbd libraries being needed…

-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.5-1+b1
ii  libaprutil1              1.6.1-4+b1
ii  libaprutil1-dbd-sqlite3  1.6.1-4+b1
ii  libaprutil1-ldap         1.6.1-4+b1
ii  libbrotli1               1.0.7-6+b1
ii  libc6                    2.30-4
ii  libcrypt1                1:4.4.16-1
ii  libcurl4                 7.68.0-1
ii  libjansson4              2.12-1
ii  libldap-2.4-2            2.4.49+dfsg-4
ii  liblua5.2-0              5.2.4-1.1+b3
ii  libnghttp2-14            1.40.0-1
ii  libpcre3                 2:8.39-12+b1
ii  libssl1.1                1.1.1g-1
ii  libxml2                  2.9.10+dfsg-5
ii  perl                     5.30.0-10
ii  zlib1g                   1:1.2.11.dfsg-2

apache2-bin recommends no packages.

Versions of packages apache2-bin suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]  2.9.0dev.5-1

Versions of packages apache2 depends on:
ii  apache2-data   2.4.43-1
ii  apache2-utils  2.4.43-1
ii  dpkg           1.19.7
ii  lsb-base       11.1.0
ii  mime-support   3.64
ii  perl           5.30.0-10
ii  procps         2:3.3.16-4

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx [www-browser]  2.9.0dev.5-1

Versions of packages apache2-bin is related to:
ii  apache2      2.4.43-1
ii  apache2-bin  2.4.43-1

-- no debconf information
Bug#912277: apache2: does not start any more: AH01903: Failed to configure CA certificate chain!
retitle 912277 apache2: SSLCertificateChainFile silently ignored, causing AH01903 startup failure
thanks

> 2.4.33-3+b1 is the oldest version I can downgrade to, and it
> also exhibits the problem. WTF.

This is a real WTF.

I found https://serverfault.com/a/892300/189656 and thought “hey, Apache 2 still documents SSLCertificateChainFile, plus it’s the proper way to specify the chain given it’s normally separate from the certificates, and there’s no warning message about that directive, but let’s give it a shot”.

So I did:

    # cat /etc/ssl/W_lan_tarent_de.cer /etc/ssl/W_lan_tarent_de.ca >/etc/ssl/combined-cer-chain.pem

Then I edited /etc/apache2/sites-enabled/default-ssl.conf, commenting out SSLCertificateFile and SSLCertificateChainFile, and adding

    SSLCertificateFile /etc/ssl/combined-cer-chain.pem

    tglase@tglase:~ $ sudo cleanenv / /etc/init.d/apache2 stop
    Stopping Apache httpd web server: apache2.
    Server was not running ... (warning).
    tglase@tglase:~ $ sudo cleanenv / /etc/init.d/apache2 start
    Starting Apache httpd web server: apache2 ..

.oO(wait, what?)

    tglase@tglase:~ $ curl --head https://$(hostname -f)/
    HTTP/1.1 200 OK
    Date: Sun, 04 Nov 2018 17:34:29 GMT
    Server: Apache/2.4.35 (Debian)
    Content-Type: text/html;charset=UTF-8

.oO(what now?)

So it turns out that, ever since some upgrade, the directive SSLCertificateChainFile is *silently* ignored, but this only becomes apparent when you stop+start instead of restart (so they are *still* not equivalent ☹).

I don’t think this acceptable. Ideally, the option would be still supported; it does no harm and has worked for decades. If that’s not desired, it MUST yield a warning.

bye,
//mirabilos
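
A check for the situation this message describes, as an added example that is not part of the original message: it lists the uncommented SSLCertificateChainFile directives in a vhost config and counts the certificates in each SSLCertificateFile, so a file that holds only the leaf certificate stands out. The function names, file names and PEM bodies are constructed, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# count_certs FILE -> number of PEM certificate blocks in FILE (0 if unreadable)
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# directive_values CONF NAME -> argument of every uncommented NAME directive.
# Directive names are matched case-insensitively, as Apache does.
directive_values() {
    awk -v name="$2" '
        { sub(/^[ \t]+/, "") }      # drop leading indentation
        /^#/ { next }               # skip commented-out lines
        tolower($1) == tolower(name) { v = $2; gsub(/"/, "", v); print v }
    ' "$1"
}

# audit_chain_config CONF -> one finding per line; returns 1 if any finding.
#   CHAINFILE path          a separate chain file is still configured
#   LEAF_ONLY path certs=N  SSLCertificateFile carries fewer than 2 certificates
audit_chain_config() {
    conf=$1
    findings=0
    for f in $(directive_values "$conf" SSLCertificateChainFile); do
        echo "CHAINFILE $f"
        findings=1
    done
    for f in $(directive_values "$conf" SSLCertificateFile); do
        n=$(count_certs "$f")
        if [ "$n" -lt 2 ]; then
            echo "LEAF_ONLY $f certs=$n"
            findings=1
        fi
    done
    return "$findings"
}

# make_demo DIR: write constructed sample files (dummy PEM bodies, not real
# certificates) that mirror the before/after configuration in the message.
make_demo() {
    d=$1
    pem() {
        printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$1"
    }
    pem LEAFDUMMY > "$d/leaf.cer"
    pem INTERMEDIATEDUMMY > "$d/chain.ca"
    cat "$d/leaf.cer" "$d/chain.ca" > "$d/combined.pem"
    cat > "$d/old.conf" <<EOF
SSLEngine on
SSLCertificateFile $d/leaf.cer
SSLCertificateChainFile $d/chain.ca
EOF
    cat > "$d/new.conf" <<EOF
SSLEngine on
#SSLCertificateFile $d/leaf.cer
#SSLCertificateChainFile $d/chain.ca
SSLCertificateFile $d/combined.pem
EOF
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
echo "before:"
audit_chain_config "$demo_dir/old.conf" || true
echo "after:"
audit_chain_config "$demo_dir/new.conf" && echo "no findings"
rm -rf "$demo_dir"
```

A LEAF_ONLY finding is a hint rather than an error: a certificate issued directly by a trusted root needs no intermediates in the file.
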
Bug#912277: apache2: does not start any more: AH01903: Failed to configure CA certificate chain!
Dixi quod…

> I just hit this on another machine, it’s the 2.4.35-1 → 2.4.37-1 upgrade
> that caused the failure.

Given that I originally reported this against 2.4.35-1 and that…

> More debugging data points: this did not occur immediately after
> the package upgrade, only when I did an /etc/init.d/apache2 stop
> followed by start.
>
> Worse, this persists after downgrading apache2, apache2-bin,
> apache2-data, apache2-utils to 2.4.35-1 (?!?!?!).

… this is obviously nonsense.

2.4.33-3+b1 is the oldest version I can downgrade to, and it also exhibits the problem. WTF.

We did switch certificates recently, but OpenSSL accepts them…

Still puzzled,
//mirabilos
Bug#912277: apache2: does not start any more: AH01903: Failed to configure CA certificate chain!
Hi Stefan,

> On Monday, 29 October 2018 20:31:54 CET Thorsten Glaser wrote:
> > tglase@tglase:~ $ cat /var/log/apache2/error.log
> > [Mon Oct 29 20:18:58.090841 2018] [ssl:emerg] [pid 17306] AH01903: Failed to
> > configure CA certificate chain!
> > [Mon Oct 29 20:18:58.090919 2018] [ssl:emerg] [pid 17306] AH02311: Fatal
> > error initialising mod_ssl, exiting.
> > See /var/log/apache2/error.log for more information AH00016: Configuration
> > Failed
>
> Have you looked into /var/log/apache2/error.log if there is more
> information?

the thing you quoted was exactly what was in /var/log/apache2/error.log as the “cat” showed…

I just hit this on another machine, it’s the 2.4.35-1 → 2.4.37-1 upgrade that caused the failure.

> If there is none, try adding loglevel ssl:debug and re-try.

OK, thanks for the debugging help. That gives:

    [Sun Nov 04 17:05:02.839408 2018] [ssl:info] [pid 18196] AH01887: Init: Initializing (virtual) servers for SSL
    [Sun Nov 04 17:05:02.839427 2018] [ssl:info] [pid 18196] AH01914: Configuring server ci-busyapps.lan.tarent.de:443 for SSL protocol
    [Sun Nov 04 17:05:02.839433 2018] [ssl:debug] [pid 18196] ssl_engine_init.c(1748): AH10083: Init: (ci-busyapps.lan.tarent.de:443) mod_md support is unavailable.
    [Sun Nov 04 17:05:02.839729 2018] [ssl:emerg] [pid 18196] AH01903: Failed to configure CA certificate chain!
    [Sun Nov 04 17:05:02.839739 2018] [ssl:emerg] [pid 18196] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
    AH00016: Configuration Failed

So perhaps the mod_ssl backport / new feature was bad?

On a hunch, I tried a2enmod md, but that does not change much:

    [Sun Nov 04 17:05:47.417353 2018] [ssl:info] [pid 18229] AH01887: Init: Initializing (virtual) servers for SSL
    [Sun Nov 04 17:05:47.417371 2018] [ssl:info] [pid 18229] AH01914: Configuring server ci-busyapps.lan.tarent.de:443 for SSL protocol
    [Sun Nov 04 17:05:47.417377 2018] [ssl:debug] [pid 18229] ssl_engine_init.c(1748): AH10083: Init: (ci-busyapps.lan.tarent.de:443) mod_md support is available.
    [Sun Nov 04 17:05:47.417663 2018] [ssl:emerg] [pid 18229] AH01903: Failed to configure CA certificate chain!
    [Sun Nov 04 17:05:47.417673 2018] [ssl:emerg] [pid 18229] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
    AH00016: Configuration Failed

More debugging data points: this did not occur immediately after the package upgrade, only when I did an /etc/init.d/apache2 stop followed by start.

Worse, this persists after downgrading apache2, apache2-bin, apache2-data, apache2-utils to 2.4.35-1 (?!?!?!).

Dazed and confused,
//mirabilos
Bug#912277: apache2: does not start any more: AH01903: Failed to configure CA certificate chain!
Package: apache2
Version: 2.4.35-1
Severity: important

After a recent upgrade, apache2 does not start any more:

    tglase@tglase:~ $ cat /var/log/apache2/error.log
    [Mon Oct 29 20:18:58.090841 2018] [ssl:emerg] [pid 17306] AH01903: Failed to configure CA certificate chain!
    [Mon Oct 29 20:18:58.090919 2018] [ssl:emerg] [pid 17306] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
    AH00016: Configuration Failed

The certificate itself and the chain are ok, though:

    tglase@tglase:~ $ openssl verify -CApath /etc/ssl/certs -show_chain -purpose sslserver -verify_hostname tglase.lan.tarent.de -untrusted /etc/ssl/W_lan_tarent_de.ca /etc/ssl/W_lan_tarent_de.cer
    /etc/ssl/W_lan_tarent_de.cer: OK
    Chain:
    depth=0: CN = *.lan.tarent.de (untrusted)
    depth=1: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1 (untrusted)
    depth=2: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2

Postfix, on the same system, using the same certificates…

    smtpd_tls_cert_file = /etc/ssl/W_lan_tarent_de.cer
    smtpd_tls_key_file = /etc/ssl/private/W_lan_tarent_de.key
    smtpd_tls_CAfile = /etc/ssl/W_lan_tarent_de.ca

… runs fine, so this must be some regression in Apache2.

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.35-1
ii  apache2-data   2.4.35-1
ii  apache2-utils  2.4.35-1
ii  dpkg           1.19.2
ii  lsb-base       9.20170808
ii  mime-support   3.61
ii  perl           5.26.2-7+b1
ii  procps         2:3.3.15-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
ii  apache2-doc                  2.4.35-1
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  dillo [www-browser]          3.0.5-4
ii  links2 [www-browser]         2.17-1
ii  lynx [www-browser]           2.8.9rel.1-2
ii  opera-static [www-browser]   9.64.2480.gcc4.qt3

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.3-3
ii  libaprutil1              1.6.1-3+b1
ii  libaprutil1-dbd-pgsql    1.6.1-3+b1
ii  libaprutil1-dbd-sqlite3  1.6.1-3+b1
ii  libaprutil1-ldap         1.6.1-3+b1
ii  libbrotli1               1.0.6-1
ii  libc6                    2.27-6
ii  libcurl4                 7.61.0-1
ii  libjansson4              2.11-1
ii  libldap-2.4-2            2.4.46+dfsg-5+x32.1
ii  liblua5.2-0              5.2.4-1.1+b1
ii  libnghttp2-14            1.34.0-1
ii  libpcre3                 2:8.39-11
ii  libssl1.1                1.1.1-1
ii  libxml2                  2.9.4+dfsg1-7+b1
ii  perl                     5.26.2-7+b1
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
ii  apache2-doc                  2.4.35-1
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  dillo [www-browser]          3.0.5-4
ii  links2 [www-browser]         2.17-1
ii  lynx [www-browser]           2.8.9rel.1-2
ii  opera-static [www-browser]   9.64.2480.gcc4.qt3

Versions of packages apache2 is related to:
ii  apache2      2.4.35-1
ii  apache2-bin  2.4.35-1

-- Configuration Files:
/etc/apache2/apache2.conf changed:
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
Options FollowSymLinks
AllowOverride None
Require all denied
AllowOverride None
Require all granted
Options Indexes FollowSymLinks ExecCGI
AddHandler cgi-script .cgi
AllowOverride None
Require all granted
AccessFileName .htaccess
Require all denied
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

/etc/apache2/sites-available/default-ssl.conf changed:
ServerAdmin webmaster@localhost
Bug#856570: apache2: does not send any Content-Type for plaintext files
On Fri, 3 Mar 2017, Dominik George wrote:

> Apache uses /etc/mime.types to translate extensions into mime types,
> which, in my eyes, is a design flaw, because it is a 1:n mapping used by

I believe this system to be horridly flawed anyway… I mean, where should Apache know the correct MIME type from? A system based on a registry (mapping files to MIME types in a database; entry is automatic with a guessed type if none exists but can be overridden) is better.

> What you are probably looking for is this:
>
> http://serverfault.com/a/88449

Yes… well, almost. I had to quote the MIME type for it to work. This works now:

    […]
    Options FollowSymLinks
    Require all granted
    ForceType "text/plain; charset=UTF-8"
    […]

I am *not* happy with this solution (but thank you anyway) because globbing like this could be fragile, but at least it works, somewhat, now.

I still consider this a bug in the webserver.

bye,
//mirabilos
Bug#856570: apache2: does not send any Content-Type for plaintext files
Package: apache2
Version: 2.4.10-10+deb8u7
Severity: important

Apache 2 does not send *any* Content-Type header for plaintext files any more, so I cannot tell it to send “text/plain; charset="UTF-8"” to work around at least TWO bugs in Firefox (which likes to interpret those files, unlike Lynx, Chromium and Safari, as windows-1252).

Even if I add…

    DefaultType text/plain
    AddDefaultCharset UTF-8

… to the Directory, it does not cause the presence of a Content-Type header.

-- Package-specific info:

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.10-10+deb8u7
ii  apache2-data   2.4.10-10+deb8u7
ii  apache2-utils  2.4.10-10+deb8u7
ii  dpkg           1.17.27
ii  lsb-base       4.1+Debian13+nmu1
ii  mime-support   3.58
ii  perl           5.20.2-3+deb8u6
ii  procps         2:3.3.9-9

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.35

Versions of packages apache2 suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx-cur [www-browser]  2.8.9dev1-2+deb8u1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.1-3
ii  libaprutil1              1.5.4-1
ii  libaprutil1-dbd-sqlite3  1.5.4-1
ii  libaprutil1-ldap         1.5.4-1
ii  libc6                    2.19-18+deb8u7
ii  libldap-2.4-2            2.4.40+dfsg-1+deb8u2
ii  liblua5.1-0              5.1.5-7.1
ii  libpcre3                 2:8.35-3.3+deb8u4
ii  libssl1.0.0              1.0.1t-1+deb8u6
ii  libxml2                  2.9.1+dfsg1-5+deb8u4
ii  perl                     5.20.2-3+deb8u6
ii  zlib1g                   1:1.2.8.dfsg-2+b1

Versions of packages apache2-bin suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
ii  lynx-cur [www-browser]  2.8.9dev1-2+deb8u1

Versions of packages apache2 is related to:
ii  apache2      2.4.10-10+deb8u7
ii  apache2-bin  2.4.10-10+deb8u7

-- Configuration Files:
/etc/apache2/sites-available/000-default.conf changed:
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
RedirectMatch 301 . https://foo-dev-04.lan.tarent.de/
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

/etc/apache2/sites-available/default-ssl.conf changed:
JkOptions +ForwardURIEscaped
ServerAdmin webmaster@localhost
DocumentRoot /var/lib/footool/html
Options FollowSymLinks
Require all granted
JkMount /footool-services* ajp13_worker
AllowEncodedSlashes On
SSLCertificateFile /etc/ssl/footool.crt
SSLCertificateKeyFile /etc/ssl/private/footool.key
SSLCertificateChainFile /etc/ssl/chain.crt
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from
Re: Bug#742145: openssl: uses only 32 bytes (256 bit) for key generation
Control: severity -1 normal

Joey Hess dixit:

> Also, /usr/sbin/make-ssl-cert uses openssl req, and strace shows it also reading only 32 bytes bits of entropy.

We talked a bit about it in IRC. I think there is no need to panic. While I still think that 32 bytes is cutting off a safety margin I’d prefer to have, I’ve been pointed to readings that make me agree that not having the entire keysize in bits is required.

I recall people asking the arc4random implementations on GNU/Linux systems to restrict themselves to seed with only 16 bytes, due to the much smaller size of Linux {,u}random. So this may be deliberate.

I think the OpenSSL situation may be improved by using a RANDFILE, like PGP and GnuPG use their seed files, since that’s mixed into its internal PRNG. That’s something the local admin or user must do by themselves but could be an interesting way to increase the amount of entropy available to each openssl(1) invocation without unduly burdening the kernel pool. Methods to fill it (especially initially) are abundant.

I’m lowering priority to normal, for now. Maybe someone from Linux, OpenSSL, or elsewhere will comment on this issue, too.

> ENTROPY_NEEDED is hardcoded to 32.

Is that OpenSSL/Debian, OpenSSL/GNU/Linux, or OpenSSL in general, by the way? (While I’m not unfamiliar with the codebase, the one I’m using on BSD differs.)

bye,
//mirabilos
--
Natureshadow: Why is MirWebseite so cool, anyway?
mirabilos: because I wrote it
Natureshadow: Did you write it or fork it?
mirabilos: wrote it, from scratch
Natureshadow: Ah, that’s why I so rarely find bugs in it. Somehow you’re right.

--
To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/pine.bsm.4.64l.1403192216130.17...@herc.mirbsd.org
Bug#711117: Fwd: Anacron job 'cron.daily' on tglase.lan.tarent.de
tags 77 + patch thanks Hi, please see the attached patch. (The initscript is ugly, but I tried to keep the changes relatively minimal.) bye, //mirabilos -- tarent solutions GmbH Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ Tel: +49 228 54881-393 • Fax: +49 228 54881-314 HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941 Geschäftsführer: Boris Esser, Sebastian Mancke -- Forwarded message -- From: Anacron r...@tglase.lan.tarent.de Message-ID: 20130602053545.90c13702...@tglase.lan.tarent.de To: r...@tglase.lan.tarent.de Date: Sun, 2 Jun 2013 07:35:45 +0200 (CEST) Subject: Anacron job 'cron.daily' on tglase.lan.tarent.de /etc/cron.daily/logrotate: error: error running shared postrotate script for '/var/log/apache2/*.log ' run-parts: /etc/cron.daily/logrotate exited with return code 1From b47a2167c32559885d7cff6d72f83301aa67bfc6 Mon Sep 17 00:00:00 2001 From: Thorsten Glaser t...@debian.org Date: Wed, 5 Jun 2013 11:04:59 +0200 Subject: [PATCH] The init script exits 0 unless an error occured. Closes: #77 Signed-off-by: Thorsten Glaser t...@debian.org --- debian/apache2.init | 25 - 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/debian/apache2.init b/debian/apache2.init index a9f215f..78f84cc 100755 --- a/debian/apache2.init +++ b/debian/apache2.init @@ -206,7 +206,9 @@ do_stop() # Function that sends a SIGHUP to the daemon/service # do_reload() { -if $APACHE2CTL configtest /dev/null 21; then + $APACHE2CTL configtest /dev/null 21 + APACHE2_INIT_CONFIGTEST_STATUS=$? + if test $APACHE2_INIT_CONFIGTEST_STATUS = 0; then if ! pidofproc -p $PIDFILE $DAEMON /dev/null 21 ; then APACHE2_INIT_MESSAGE=Apache2 is not running return 2 @@ -282,6 +284,7 @@ case $1 in [ $VERBOSE != no ] log_end_msg 1 [ -n $APACHE2_INIT_MESSAGE ] echo $APACHE2_INIT_MESSAGE 2 log_failure_msg + exit 1 ;; esac ;; 
@@ -305,15 +308,25 @@ case $1 in [ $VERBOSE != no ] log_end_msg $? fi + case $RET_STATUS in + (0|1) + ;; + (*) + exit 1 + ;; + esac + ;; status) - status_of_proc -p $PIDFILE apache2 $NAME exit 0 || exit $? + status_of_proc -p $PIDFILE apache2 $NAME + exit $? ;; reload|force-reload|graceful) log_daemon_msg Reloading $DESC $NAME do_reload log_end_msg $? [ $VERBOSE != no ] [ x$APACHE2_INIT_MESSAGE != x ] log_warning_msg $APACHE2_INIT_MESSAGE + test $APACHE2_INIT_CONFIGTEST_STATUS = 0 || exit 1 ;; restart) log_daemon_msg Restarting $DESC $NAME @@ -322,14 +335,15 @@ case $1 in 0|1) do_start case $? in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start + 0) log_end_msg 0 ;; + 1) log_end_msg 1; exit 1 ;; # Old process is still running + *) log_end_msg 1; exit 1 ;; # Failed to start esac ;; *) # Failed to stop log_end_msg 1 + exit 1 ;; esac ;; @@ -348,3 +362,4 @@ case $1 in exit 3 ;; esac +exit 0 -- 1.8.3
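Review bot: in the reload|force-reload|graceful branch the exit status now depends only on APACHE2_INIT_CONFIGTEST_STATUS, so when configtest passes but do_reload returns 2 with "Apache2 is not running", the failure is logged through log_end_msg and the script still ends at the new trailing exit 0. The forwarded logrotate failure suggests this is deliberate; a short comment in that branch saying that a reload of a stopped server is tolerated on purpose would keep a later cleanup from "fixing" it. APACHE2_INIT_CONFIGTEST_STATUS is also assigned only inside do_reload, so giving it an initial value near the top of the script would keep the later test well-defined if the call order ever changes.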
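Review bot: in the restart hunk the 1) and *) arms under do_start now run the same commands (log_end_msg 1; exit 1), so they can be folded into a single *) arm with the "old process is still running" case kept as a comment. With exit 0 added as the last line of the script, every branch that does not exit explicitly now reports success whatever its last command returned, so it is worth walking through the remaining case arms once to confirm that none of them relied on falling through with a non-zero status.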
Re: Log for attempted build of apr_1.4.6-4 on m68k (dist=unstable)
fail fails some parts of the testsuite

Failed Tests     Total   Fail   Failed %
========================================
testlock             4      1     25.00%
testprocmutex        6      1     16.67%
testshm              6      1     16.67%

--
Archive: http://lists.debian.org/pine.bsm.4.64l.1305172229170.2...@herc.mirbsd.org
Bug#667069: apache2: FTBFS: mkdir: cannot create directory `debian/build-tree/arch': No such file or directory
Source: apache2
Version: 2.2.22-2
Severity: serious
Justification: fails to build from source (but built successfully in the past)

Hi,

I suspect this breakage occurs due to the recent changes introducing support for actually calling build-{arch,indep} targets.

-- System Information:
Debian Release: wheezy/sid
APT prefers unreleased
APT policy: (500, 'unreleased'), (500, 'unstable')
Architecture: m68k
Kernel: Linux 3.2.0-2-atari
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh-static

I: Using pkgname logfile
I: Current time: Tue Apr 3 19:53:23 UTC 2012
I: pbuilder-time-stamp: 1333482803
I: Obtaining the cached apt archive contents
I: Installing the build-deps
W: no hooks of type D found -- ignoring
- Attempting to parse the build-deps
- Considering build-dep debhelper (= 8.9.7~)
- Trying debhelper
- Considering build-dep lsb-release
- Trying lsb-release
- Considering build-dep libaprutil1-dev (= 1.3.4)
- Trying libaprutil1-dev
- Considering build-dep libapr1-dev
- Trying libapr1-dev
- Considering build-dep openssl
- Trying openssl
- Considering build-dep libpcre3-dev
- Trying libpcre3-dev
- Considering build-dep mawk
- Trying mawk
- Considering build-dep zlib1g-dev
- Trying zlib1g-dev
- Considering build-dep libssl-dev (= 0.9.8m)
- Trying libssl-dev
- Considering build-dep sharutils
- Trying sharutils
- Considering build-dep libcap-dev [linux-any]
- Trying libcap-dev
- Considering build-dep autoconf
- Trying autoconf
- Installing debhelper lsb-release libaprutil1-dev libapr1-dev openssl libpcre3-dev mawk zlib1g-dev libssl-dev sharutils libcap-dev autoconf
Reading package lists...
Building dependency tree...
Reading state information...
Starting
Starting 2
Done
debhelper is already the newest version.
mawk is already the newest version.
Bug#485413: apache2/lenny/amd64 eats up all RAM
Dixi quod…

> Trying with the attached patch now. Let’s see whether this helps to work around the problem.

It doesn’t:

root@dev-hudson:/proc/4480 # cat limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            ms
Max file size             unlimited            unlimited            bytes
Max data size             268435456            268435456            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             102400               102400               processes
Max open files            1024                 1024                 files
Max locked memory         32768                32768                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       102400               102400               signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us

root@dev-hudson:/proc/4480 # cat status
Name: apache2
State: S (sleeping)
Tgid: 4480
Pid: 4480
PPid: 7113
TracerPid: 0
Uid: 33 33 33 33
Gid: 33 33 33 33
FDSize: 64
Groups: 33
VmPeak: 13022820 kB
VmSize: 13022820 kB
VmLck: 0 kB
VmHWM: 11278624 kB
VmRSS: 10980224 kB
VmData: 12901596 kB
VmStk: 88 kB
VmExe: 392 kB
VmLib: 11840 kB
VmPTE: 25436 kB
Threads: 1
SigQ: 0/102400
SigPnd:
ShdPnd:
SigBlk:
SigIgn: 1000
SigCgt: 0001880046eb
CapInh:
CapPrm:
CapEff:
CapBnd:
Cpus_allowed: 0007
Cpus_allowed_list: 0-2
Mems_allowed: ,0001
Mems_allowed_list: 0
voluntary_ctxt_switches: 51843420
nonvoluntary_ctxt_switches: 303994690

Can please someone recommend a different ulimit, or some other suggestion?

Thanks,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 52675-25
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese

--
Archive: http://lists.debian.org/alpine.deb.2.00.1108150941480.7...@tglase.lan.tarent.de
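The comparison the message above makes by eye, as an added example that is not part of the original message: it pairs each Vm* counter from /proc/<pid>/status with its row in /proc/<pid>/limits and reports which memory counters no configured limit is holding down. The sample text is constructed from the figures in the message; the function names and verdict labels are this example's own.

```python
import re
import sys

# Constructed sample: figures re-typed from the message above, laid out the way
# /proc/<pid>/limits and /proc/<pid>/status print them (unused rows omitted).
LIMITS_TEXT = """\
Limit                     Soft Limit           Hard Limit           Units
Max data size             268435456            268435456            bytes
Max stack size            8388608              unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max locked memory         32768                32768                bytes
Max address space         unlimited            unlimited            bytes
"""
STATUS_TEXT = ("Name:\tapache2\nVmSize:\t13022820 kB\nVmLck:\t       0 kB\n"
               "VmRSS:\t10980224 kB\nVmData:\t12901596 kB\nVmStk:\t      88 kB\n")

# status counter -> the limits row it is compared with (all of these are in bytes)
PAIRS = {
    "VmData": "Max data size",
    "VmSize": "Max address space",
    "VmRSS": "Max resident set",
    "VmStk": "Max stack size",
    "VmLck": "Max locked memory",
}
LIMIT_ROW = re.compile(r"^(Max [a-z ]+?)\s{2,}(\S+)\s+(\S+)")
STATUS_ROW = re.compile(r"^(Vm\w+):\s+(\d+) kB\s*$")

def parse_limits(text):
    """Return {row name: soft limit in bytes, or None for 'unlimited'}."""
    soft = {}
    for line in text.splitlines():
        m = LIMIT_ROW.match(line)
        if m:
            soft[m.group(1)] = None if m.group(2) == "unlimited" else int(m.group(2))
    return soft

def parse_status(text):
    """Return {Vm* field: value in kB}."""
    return {m.group(1): int(m.group(2))
            for m in map(STATUS_ROW.match, text.splitlines()) if m}

def compare(limits_text, status_text):
    """Return {field: (verdict, used_bytes, soft_limit_bytes_or_None)}."""
    soft, usage, report = parse_limits(limits_text), parse_status(status_text), {}
    for field, row in PAIRS.items():
        if field not in usage or row not in soft:
            continue
        used, limit = usage[field] * 1024, soft[row]
        if limit is None:
            verdict = "unbounded"      # no limit configured at all
        elif used > limit:
            verdict = "over-limit"     # limit is set, but it is not what bounds this counter
        else:
            verdict = "within"
        report[field] = (verdict, used, limit)
    return report

def not_capped(report):
    """Counters that no configured limit is actually holding down."""
    return [f for f, (verdict, _, _) in report.items() if verdict != "within"]

if __name__ == "__main__":
    if len(sys.argv) > 1:              # live check: pass a PID as the only argument
        base = "/proc/%s/" % sys.argv[1]
        limits, status = open(base + "limits").read(), open(base + "status").read()
    else:
        limits, status = LIMITS_TEXT, STATUS_TEXT
    for field, (verdict, used, limit) in compare(limits, status).items():
        print(f"{field:7} {verdict:10} used={used} soft_limit={limit}")
```

On the sample, VmData is reported as over-limit even though the data-size limit from the patch is in place, and VmSize and VmRSS are unbounded, which matches what the message reports.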
Bug#485413: apache2/lenny/amd64 eats up all RAM
On Mon, 15 Aug 2011, Stefan Fritsch wrote:

> - How much memory does your machine have, how much is actually available for apache (i.e. not used by other processes).

This one has 12 GiB in total. Memory is mostly shared between Apache, Sonar (Jenkins Plugin) and Jenkins. Normally, Apache has 11 processes, each using less than 5 MiB (ps ax -O rss).

> - Which MPM do you use?

ii apache2-mpm-prefork 2.2.9-10+lenny9.0tarent1 Apache HTTP Server - traditional non-threade

> - What are your settings for StartServers, MaxRequestsPerChild, ThreadsPerChild, MinSpareThreads/MinSpareServers, MaxSpareThreads/MaxSpareServers

Used to be the defaults. When the problems started, I tried tweaking to these (no success):

/etc/apache2/apache2.conf:StartServers 5
/etc/apache2/apache2.conf:MinSpareServers 5
/etc/apache2/apache2.conf:MaxSpareServers 10
/etc/apache2/apache2.conf:MaxRequestsPerChild 3000

On another box, I have these:

/etc/apache2/apache2.conf:StartServers 5
/etc/apache2/apache2.conf:MinSpareServers 5
/etc/apache2/apache2.conf:MaxSpareServers 10
/etc/apache2/apache2.conf:MaxRequestsPerChild 20
/etc/apache2/apache2.conf:MaxMemFree 512

Will monitor whether it occurs there, too – a bit futile since we know of nothing to trigger the problem, it just happens every once in a while.

> - How large do the apache2 processes grow? (RSS) How quickly do they grow?

As could be seen, they eat up _all_ available RAM and swap. This happens very quickly because we usually notice the problem because Jenkins is terminated by the OOM Kernel thing when Apache grows; Jenkins is in use by our developers, so this occurs suddenly.

> - How many apache2 are running during normal operation?

Eleven, as seen above.

> If that doesn't help, try setting 'MaxMemFree 4'. If that doesn't help enough, add 'export MALLOC_MMAP_THRESHOLD_=8000' to /etc/apache2/envvars (the trailing underscore is not a typo). These options lower performance, though.

Will do. First thing is lowering MaxRequestsPerChild for all our Jenkins instances, I’d say.

> Please report back about the results.

OK. Thanks!

bye,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 52675-25
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese

--
Archive: http://lists.debian.org/alpine.deb.2.00.1108151317440.18...@tglase.lan.tarent.de
Bug#485413: apache2/lenny/amd64 eats up all RAM
Trying with the attached patch now. Let’s see whether this helps to work around the problem. bye, //mirabilos -- tarent solutions GmbH Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ Tel: +49 228 54881-393 • Fax: +49 228 52675-25 HRB AG Bonn 5168 • USt-ID (VAT): DE122264941 Geschäftsführer: Boris Esser, Elmar Geesediff -u apache2-2.2.9/debian/apache2.2-common.apache2.default apache2-2.2.9/debian/apache2.2-common.apache2.default --- apache2-2.2.9/debian/apache2.2-common.apache2.default +++ apache2-2.2.9/debian/apache2.2-common.apache2.default @@ -1,3 +1,10 @@ +### apache2 settings ### + +## uncomment this to change the datasize ulimit +## commented out means do not set it at all +## otherwise this is the ulimit in Kibibytes +#APACHE2_DATASIZE=262144 + ### htcacheclean settings ### ## run htcacheclean: yes, no, auto diff -u apache2-2.2.9/debian/changelog apache2-2.2.9/debian/changelog --- apache2-2.2.9/debian/changelog +++ apache2-2.2.9/debian/changelog @@ -1,3 +1,9 @@ +apache2 (2.2.9-10+lenny9.0tarent1) local; urgency=low + + * Allow setting the datasize ulimit for the Apache 2 Web Server + + -- Thorsten Glaser t.gla...@tarent.de Thu, 11 Aug 2011 13:09:19 +0200 + apache2 (2.2.9-10+lenny9) stable-security; urgency=high * Add the new SSLInsecureRenegotiation directive to configure if clients diff -u apache2-2.2.9/debian/apache2.2-common.apache2.init apache2-2.2.9/debian/apache2.2-common.apache2.init --- apache2-2.2.9/debian/apache2.2-common.apache2.init +++ apache2-2.2.9/debian/apache2.2-common.apache2.init @@ -18,6 +18,7 @@ #echo To add and enable a host, use addhost and enhost. exit 0 #edit /etc/default/apache2 to change this. +APACHE2_DATASIZE= HTCACHECLEAN_RUN=auto HTCACHECLEAN_MODE=daemon HTCACHECLEAN_SIZE=300M 
@@ -148,7 +149,11 @@ case $1 in start) log_daemon_msg Starting web server apache2 - if $APACHE2CTL start; then + if ( + test -n $APACHE2_DATASIZE \ + ulimit -d $APACHE2_DATASIZE + exec $APACHE2CTL start + ); then if check_htcacheclean ; then log_progress_msg htcacheclean start_htcacheclean || log_end_msg 1
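Review bot: in the start) hunk the cap is applied with ulimit -d, which sets RLIMIT_DATA; on Linux kernels of this generation that limit is checked against the brk heap only and memory obtained through mmap is not counted, so the server can keep growing well past APACHE2_DATASIZE. ulimit -v (address space) covers both kinds of allocation, so consider offering that instead of or alongside the datasize setting, and say in the /etc/default/apache2 comment which limit is meant and what it does not cover. As far as the flattened hunk shows, the result of the ulimit call is not checked before exec $APACHE2CTL start, so a value the shell rejects would start the server with no limit at all; fail the start or log a warning in that case. The subshell wrapper is added to the start) branch only, so any other path in the script that launches the server needs the same treatment.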
Bug#485413: apache2/lenny/amd64 eats up all RAM
Hi, this also happens on an installation without PHP, but mod_jk and SSL enabled (Jenkins frontend). bye, //mirabilos -- tarent solutions GmbH Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ Tel: +49 228 54881-393 • Fax: +49 228 52675-25 HRB AG Bonn 5168 • USt-ID (VAT): DE122264941 Geschäftsführer: Boris Esser, Elmar Geese -- Archive: http://lists.debian.org/alpine.deb.2.00.1108101341500.7...@tglase.lan.tarent.de