dev@httpd.apache.org

2007-07-09 Thread Sander Temme
Gang,

Is anyone working on a backport of the PID table stuff (r551843 on trunk
I think) to the 2.0.x and 2.2.x branches?

I think that'd need to go in before we do the long-awaited much rumored
tag & roll.  I could do some work on that... does anyone have any code
to test that change?

Thoughts?

S.




Re: mod_auth_ntlm_winbind needs hosting

2007-07-09 Thread Dmitry Butskoy

William A. Rowe, Jr. wrote:

On that note - I suppose this would not be enabled by default, so I have
a little less concern. 


Hmm... I mean to host this module somewhere near the Apache (f.e. at 
Apache site), and check it by Apache team. But I feel you think about 
inclusion into standard httpd? It is much more than I expect. ;)



~buc





Re: mod_auth_ntlm_winbind needs hosting

2007-07-09 Thread William A. Rowe, Jr.
Dmitry Butskoy wrote:
> William A. Rowe, Jr. wrote:
>> Yet and still, there is the minor issue that NTLM violates RFC2616,
>> and as
>> such you might find resistance here :)
>>   
> 
> OTOH, such a module allows to choose a Linux/UNIX server for web or
> proxy, even in "strong" Windows environment (where users must be
> authenticated against a Windows Domain Controller). In other words, to
> choose some open-source solution even in such an environment.

I don't disagree :)  But as a reference implementation, we hold to the
standards over misbehavior whenever possible, until someone deliberately
breaks the configuration/behavior with respect to the standards.

On that note - I suppose this would not be enabled by default, so I have
a little less concern.  One advantage is that we could do the right thing
with respect to proxy agents in front or behind us, when the module is
enabled.  Having both the proxy and an implementation of NTLM might be
a win, from that perspective.

Bill


Re: mod_auth_ntlm_winbind needs hosting

2007-07-09 Thread Dmitry Butskoy

William A. Rowe, Jr. wrote:

Yet and still, there is the minor issue that NTLM violates RFC2616, and as
such you might find resistance here :)
  


OTOH, such a module allows to choose a Linux/UNIX server for web or 
proxy, even in "strong" Windows environment (where users must be 
authenticated against a Windows Domain Controller). In other words, to 
choose some open-source solution even in such an environment.



~buc




module testing

2007-07-09 Thread Mike



Do any unit test/mock object frameworks exist for doing module testing?

Thanks


Re: mod_auth_ntlm_winbind needs hosting

2007-07-09 Thread Dmitry Butskoy

William A. Rowe, Jr. wrote:

William A. Rowe, Jr. wrote:
  

Dmitry Butskoy wrote:


Samba team think that this code is not something Samba-related (see
http://lists.samba.org/archive/samba-technical/2007-June/054186.html).
Actually, it is Apache's httpd-related. Hence it have to be hosted
somewhere in apache.org ...
  

The issue with hosting at Apache, of course, is that nothing more restrictive
than the Apache License (BSD-style) could be applied.  Fortunately, the list
of authors is rather short, in terms of appealing to them for a grant under
the Apache License.

Yet and still, there is the minor issue that NTLM violates RFC2616, and as
such you might find resistance here :)



Actually, I'm confused :)  Knowing Samba is GPL, overall, I'm not clear from
the file headers that this is, in fact, collected as GPL or continues to be
Apache Licensed/less restrictive?
  


Certainly, it is Apache Licensed.
Not GPL.

People, who start with this module, surely know about license 
compatibility, therefore this module is Apache licensed.



Regards,
Dmitry Butskoy



Re: svn commit: r554685 - /httpd/site/trunk/xdocs/dev/release.xml

2007-07-09 Thread William A. Rowe, Jr.
Before I SVN up to the site, some quick eyeballs on my changes r554684 and
this commit?  It's been very confusing as I refer incubating people back
to this document, while pounding the +3 votes before a release ASF-wide
policy.


[EMAIL PROTECTED] wrote:
> Author: wrowe
> Date: Mon Jul  9 08:37:38 2007
> New Revision: 554685
> 
> URL: http://svn.apache.org/viewvc?view=rev&rev=554685
> Log:
> Revert 2.0.x generation changes that were invalid.  All releases
> require a vote and approval by the project members.
> 
> (Anything without three +1's is nothing but a snapshot by another name.)
> 
> Modified:
> httpd/site/trunk/xdocs/dev/release.xml
> 
> Modified: httpd/site/trunk/xdocs/dev/release.xml
> URL: 
> http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/dev/release.xml?view=diff&rev=554685&r1=554684&r2=554685
> ==
> --- httpd/site/trunk/xdocs/dev/release.xml (original)
> +++ httpd/site/trunk/xdocs/dev/release.xml Mon Jul  9 08:37:38 2007
> @@ -11,10 +11,18 @@
>  Apache HTTP Server Project to create releases of httpd-2.0 (the current
>  Apache 2.0 branch).  As described herein, this policy is not set in stone
>  and may be adjusted by the Release Manager.
> +
> +With the introduction of Apache 2.1, the Apache httpd project has
> +adopted an odd-even release strategy, where development happens with
> +alpha and beta releases assigned an odd-numbered minor version, and its
> +general availability (stable) release is designed with the subsequent
> +even-numbered minor version.  E.g. 2.1.0-alpha through 2.1.6-alpha
> +were followed by 2.1.7-beta through 2.1.9 beta, and cumulated in the
> +2.2.0 general availability release.
>  
>  
>  Who can make a release?
> -Technically, any one can make a release of the source code due to the
> +Technically, anyone can make a release of the source code due to the
>  http://www.apache.org/licenses/";>Apache Software License.
>  However, only members of the Apache HTTP Server Project (committers)
>  can make a release designated with Apache.  Other people must
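
Review bot: In the added odd-even paragraph, "is designed with the subsequent even-numbered minor version" reads as a slip for "designated", and "cumulated in the 2.2.0 general availability release" as a slip for "culminated". "2.1.9 beta" also drops the hyphen used in "2.1.7-beta". Worth fixing before the page goes to the site, since incubating projects are being referred to this document.
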
> @@ -31,13 +39,12 @@
>  Who is in charge of a release?
>  The release is coordinated by the Release Manager (hereafter, abbreviated
>  as RM).  Since this job requires coordination of the development community
> -(and access to CVS), only committers to the project can be RM.  However,
> +(and access to subversion), only committers to the project can be RM.  
> However,
>  there is no set RM.  Any committer may perform a release at any time.  In
>  order to facilitate communication, it is deemed nice to alert the
>  community with your planned release schedule before executing the
>  release.  A release should only be made when there is a plan to publicly
> -release it.  (A release should not be made only for private distribution.
> -A private release is more suitable for that.)
> +release it.  (A release must not be made only for private distribution).
>  
>  
>  Who may make a good candidate for an RM?
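
Review bot: The new sentence "(A release must not be made only for private distribution)." leaves the full stop outside the closing parenthesis although the parenthetical is a complete sentence; move it inside. In the same hunk, "access to subversion" should capitalise the product name as "Subversion", as "CVS" was before it.
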
> @@ -59,7 +66,7 @@
>  entry is resolved.  These items may be bugs, outstanding vetos that have
>  not yet been resolved, or enhancements that must make it into the
>  release.  Note that the RM may also add showstopper entries to indicate
> -what issues must be resolved before a release may be created.
> +what issues must be resolved before they intend to create a release.
>  
>  
>  What power does the RM yield?
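
Review bot: In "what issues must be resolved before they intend to create a release", the pronoun "they" attaches grammatically to "issues" rather than to the RM, and the sentence now describes the RM's intention instead of a condition on the release. Suggest "before the RM intends to create a release", or keep the removed wording if a showstopper is meant to block any release.
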
> @@ -91,7 +98,8 @@
>  The RM may perform sanity checks on release candidates.  One highly
>  recommended suggestion is to run the httpd-test suite against the candidate.
>  The release candidate should pass all of the relevant tests before making
> -it official.
> +it official, and certainly avoid new regressions (tests that previously
> +passed, and now fail).
>  
>  Another good idea is to coordinate running a candidate on apache.org for
>  a period of time.  This will require coordination with the current
> 
> 
> 
> 



Re: mod_auth_ntlm_winbind needs hosting

2007-07-09 Thread William A. Rowe, Jr.
William A. Rowe, Jr. wrote:
> Dmitry Butskoy wrote:
>> Samba team think that this code is not something Samba-related (see
>> http://lists.samba.org/archive/samba-technical/2007-June/054186.html).
>> Actually, it is Apache's httpd-related. Hence it have to be hosted
>> somewhere in apache.org ...
> 
> The issue with hosting at Apache, of course, is that nothing more restrictive
> than the Apache License (BSD-style) could be applied.  Fortunately, the list
> of authors is rather short, in terms of appealing to them for a grant under
> the Apache License.
> 
> Yet and still, there is the minor issue that NTLM violates RFC2616, and as
> such you might find resistance here :)

Actually, I'm confused :)  Knowing Samba is GPL, overall, I'm not clear from
the file headers that this is, in fact, collected as GPL or continues to be
Apache Licensed/less restrictive?

c.f.
http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/*checkout*/trunk/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c?rev=713&content-type=text%2Fplain&root=lorikeet

Bill


Re: mod_auth_ntlm_winbind needs hosting

2007-07-09 Thread William A. Rowe, Jr.
Dmitry Butskoy wrote:
> 
> Samba team think that this code is not something Samba-related (see
> http://lists.samba.org/archive/samba-technical/2007-June/054186.html).
> Actually, it is Apache's httpd-related. Hence it have to be hosted
> somewhere in apache.org ...

The issue with hosting at Apache, of course, is that nothing more restrictive
than the Apache License (BSD-style) could be applied.  Fortunately, the list
of authors is rather short, in terms of appealing to them for a grant under
the Apache License.

Yet and still, there is the minor issue that NTLM violates RFC2616, and as
such you might find resistance here :)

Bill


Re: mod_authn_dbd - internal server error after certain idle time

2007-07-09 Thread Tom Donovan
Danie Qian wrote:
> 

>>
>> With this patch, setting DBDTimeout lower than the MySQL system variable
>> 'wait_timeout' will ensure that expired connections never get used.
>>
> 
> Assuming by DBDTimeout you mean DBDExptime in mod_dbd documentation 
> where it implies a keepalive value, how about making mod_dbd to send 
> something to mysql server so that its wait_timeout timer gets reset 
> whenever the keepalive time elapses? Is this what the setting originally 
> meant for?
> As I am pretty new to this listing and I apologize if I am not on the 
> same page as you guys.
> 

Yes, sorry - you are correct. I did mean DBDExptime.  I slipped up
translating the APR lingo to the mod_dbd lingo...

re "not on the same page" - I didn't think that at all.
If you're new to this, you sure catch on quick!

The patch I proposed is not just for MySQL.
I don't use MySQL myself (although I tested the patch with it anyway).

The problem with "send something to mysql server" is that it is a
MySQL-only solution to the problem.   I was trying for a more general
solution since this affects other databases too.

As an aside - I have an apr_dbd_odbc driver:
   http://code.google.com/p/odbc-dbd/
which I use with several different kinds of databases.  This is what I
used to test the patch.

I don't know if the APR folks will like my proposed patch - they might
not.  You are welcome to use it, but you probably won't want to use it
in production until they decide.

A better short-term MySQL-only solution would be a change to
apr_dbd_mysql like the one Nick Kew suggested.

-tom-


mod_auth_ntlm_winbind needs hosting

2007-07-09 Thread Dmitry Butskoy
There is a module, "mod_auth_ntlm_winbind", which allows to authenticate 
users against a Windows domain using "NTLM" and "Negotiate" 
authentication mechanisms. The module uses a way, recommended by the 
Samba team -- it utilizes a special helper program "ntlm_auth", which 
interacts with Samba's "winbind" daemon. (This way Squid does ntlm already).


For historical reasons, this module still lives in Samba's CVS (see 
http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/mod_auth_ntlm_winbind/?root=lorikeet 
) and has no any normal "upstream". This does not mean that the module 
is unstable -- it is successfully used long time. Recently it was 
included into Debian and Fedora (I maintain it in Fedora, see 
http://download.fedora.redhat.com/pub/fedora/linux/updates/7/SRPMS/mod_auth_ntlm_winbind-0.0.0-0.5.20070129svn713.fc7.src.rpm 
)


Samba team think that this code is not something Samba-related (see 
http://lists.samba.org/archive/samba-technical/2007-June/054186.html). 
Actually, it is Apache's httpd-related. Hence it have to be hosted 
somewhere in apache.org ...


Any comments?


Moreover, because of its current location, this module lacks good 
skilled httpd developers. There can be a lot of things to fix or to 
improve on it.


Could anyone look on it carefully?


Regards,
Dmitry Butskoy
http://www.fedoraproject.org/wiki/DmitryButskoy


Re: mod_authn_dbd - internal server error after certain idle time

2007-07-09 Thread Danie Qian


- Original Message - 
From: "Tom Donovan" <[EMAIL PROTECTED]>

To: <[EMAIL PROTECTED]>
Sent: Monday, July 09, 2007 10:09 AM
Subject: Re: mod_authn_dbd - internal server error after certain idle time



Danie Qian wrote:



It is working a little better now after I set both DBDKeep and DBDMin to
zero. But I am still getting the internal server error from time to
time. Users usually can get pass the error by reloading the same page.
Here is the error messages in the log:

[Sat Jul 07 02:56:44 2007] [error] (20014)Internal error: DBD [mysql]
Error: Lost connection to MySQL server during query
[Sat Jul 07 02:56:44 2007] [error] [client 75.87.112.250]
authn_dbd_acquire: Error looking up josiahhansen in database



Unfortunately, DBD connection pooling (which is performed by the
apr-util reslist facility) presumes that connections last longer than
DBDTimeout, so just setting DBDKeep and DBDMin will not completely
eliminate the problem.

The proposed changes to the MySQL driver seem like a good idea and they
may help - but they will only help MySQL, not any other databases.

I entered a new APR bug and proposed a patch -
http://issues.apache.org/bugzilla/show_bug.cgi?id=42841
to change the interpretation of timeout so that it will work to avoid
this error.

With this patch, setting DBDTimeout lower than the MySQL system variable
'wait_timeout' will ensure that expired connections never get used.



Assuming by DBDTimeout you mean DBDExptime in mod_dbd documentation where it 
implies a keepalive value, how about making mod_dbd to send something to 
mysql server so that its wait_timeout timer gets reset whenever the 
keepalive time elapses? Is this what the setting originally meant for?
As I am pretty new to this listing and I apologize if I am not on the same 
page as you guys. 



Re: apr_table_setn in mod_proxy_balancer.c

2007-07-09 Thread Plüm, Rüdiger, VF-Group


> -Original Message-
> From: jean-frederic clere 
> Sent: Monday, 9 July 2007 16:29
> To: dev@httpd.apache.org
> Subject: Re: apr_table_setn in mod_proxy_balancer.c
> 
> 
> jean-frederic clere wrote:
> > Ruediger Pluem wrote:
> >>
> >> On 06/27/2007 05:09 PM, jean-frederic clere wrote:
> >>> Hi,
> >>>
> >>> In mod_proxy_balancer.c there is the following code:
> >>> +++
> >>>    /* Add the session route to request notes if present */
> >>>    if (route) {
> >>>        apr_table_setn(r->notes, "session-sticky", (*balancer)->sticky);
> >>>        apr_table_setn(r->notes, "session-route", route);
> >>>
> >>>        /* Add session info to env. */
> >>>        apr_table_setn(r->subprocess_env,
> >>>                       "BALANCER_SESSION_STICKY", (*balancer)->sticky);
> >>>        apr_table_setn(r->subprocess_env,
> >>>                       "BALANCER_SESSION_ROUTE", route);
> >>>    }
> >>> +++
> >>> "session-route" is SC_A_JVM_ROUTE in AJP but what are the purpose of the
> >>> others?
> >>
> >> Does
> >>
> >> http://httpd.apache.org/docs/2.2/en/mod/mod_proxy_balancer.html#environment
> >>
> >> answer this question?
> 
> So I have to propose the attached patch to get 
> http://svn.apache.org/viewvc?view=rev&rev=551935 and 
> http://svn.apache.org/viewvc?view=rev&rev=550519 correct.


Looks good to me.

Regards

Rüdiger



Re: apr_table_setn in mod_proxy_balancer.c

2007-07-09 Thread jean-frederic clere

jean-frederic clere wrote:

Ruediger Pluem wrote:


On 06/27/2007 05:09 PM, jean-frederic clere wrote:

Hi,

In mod_proxy_balancer.c there is the following code:
+++
   /* Add the session route to request notes if present */
   if (route) {
       apr_table_setn(r->notes, "session-sticky", (*balancer)->sticky);
       apr_table_setn(r->notes, "session-route", route);

       /* Add session info to env. */
       apr_table_setn(r->subprocess_env,
                      "BALANCER_SESSION_STICKY", (*balancer)->sticky);
       apr_table_setn(r->subprocess_env,
                      "BALANCER_SESSION_ROUTE", route);
   }
+++
"session-route" is SC_A_JVM_ROUTE in AJP but what are the purpose of the
others?


Does

http://httpd.apache.org/docs/2.2/en/mod/mod_proxy_balancer.html#environment 



answer this question?


So I have to propose the attached patch to get 
http://svn.apache.org/viewvc?view=rev&rev=551935 and 
http://svn.apache.org/viewvc?view=rev&rev=550519 correct.


Oops the attachment was missing... Sorry.

Cheers

Jean-Frederic



Comments?

Cheers

Jean-Frederic



Regards

Rüdiger







Index: modules/proxy/mod_proxy_balancer.c
===
--- modules/proxy/mod_proxy_balancer.c  (revision 552435)
+++ modules/proxy/mod_proxy_balancer.c  (working copy)
@@ -241,6 +241,7 @@
 static proxy_worker *find_session_route(proxy_balancer *balancer,
 request_rec *r,
 char **route,
+const char **sticky_used,
 char **url)
 {
 proxy_worker *worker = NULL;
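
Review bot: The new "const char **sticky_used" out-parameter of find_session_route() is undocumented; the signature does not say whether it receives the sticky path name or the sticky cookie name, or what it holds when no route is found. Suggest a short comment above the function stating that it is set to balancer->sticky_path or balancer->sticky according to which lookup matched, and what the caller should expect otherwise.
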
@@ -253,13 +254,16 @@
 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
  "proxy: BALANCER: Found value %s for "
  "stickysession %s", *route, balancer->sticky_path);
+*sticky_used =  balancer->sticky_path;
 }
 else {
 *route = get_cookie_param(r, balancer->sticky);
-if (*route)
+if (*route) {
+*sticky_used =  balancer->sticky;
 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
  "proxy: BALANCER: Found value %s for "
  "stickysession %s", *route, balancer->sticky);
+}
 }
 /*
  * If we found a value for sticksession, find the first '.' within.
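
Review bot: "*sticky_used" is assigned only on the two paths where a value was found, so when nothing matches the function leaves the caller's variable as it was and the patch depends on the caller's "const char *sticky = NULL;". Setting "*sticky_used = NULL;" at the top of find_session_route() would make that independent of the caller. Both new assignments also carry a double space after "=".
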
@@ -410,6 +414,7 @@
 int access_status;
 proxy_worker *runtime;
 char *route = NULL;
+const char *sticky = NULL;
 apr_status_t rv;
 
 *worker = NULL;
@@ -436,7 +441,7 @@
 force_recovery(*balancer, r->server);
 
 /* Step 4: find the session route */
-runtime = find_session_route(*balancer, r, &route, url);
+runtime = find_session_route(*balancer, r, &route, &sticky, url);
 if (runtime) {
 int i, total_factor = 0;
 proxy_worker *workers;
@@ -520,12 +525,12 @@
 access_status = rewrite_url(r, *worker, url);
 /* Add the session route to request notes if present */
 if (route) {
-apr_table_setn(r->notes, "session-sticky", (*balancer)->sticky);
+apr_table_setn(r->notes, "session-sticky", sticky);
 apr_table_setn(r->notes, "session-route", route);
 
 /* Add session info to env. */
 apr_table_setn(r->subprocess_env,
-   "BALANCER_SESSION_STICKY", (*balancer)->sticky);
+   "BALANCER_SESSION_STICKY", sticky);
 apr_table_setn(r->subprocess_env,
"BALANCER_SESSION_ROUTE", route);
 }
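
Review bot: The block is still guarded by "if (route)" only, while both apr_table_setn() calls now store "sticky", which starts as NULL and is filled in by find_session_route(). Since apr_table_setn() stores the pointer it is given without copying it, either test "sticky" here as well or add a comment stating that a non-NULL route implies a non-NULL sticky.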


Re: apr_table_setn in mod_proxy_balancer.c

2007-07-09 Thread jean-frederic clere

Ruediger Pluem wrote:


On 06/27/2007 05:09 PM, jean-frederic clere wrote:

Hi,

In mod_proxy_balancer.c there is the following code:
+++
   /* Add the session route to request notes if present */
   if (route) {
       apr_table_setn(r->notes, "session-sticky", (*balancer)->sticky);
       apr_table_setn(r->notes, "session-route", route);

       /* Add session info to env. */
       apr_table_setn(r->subprocess_env,
                      "BALANCER_SESSION_STICKY", (*balancer)->sticky);
       apr_table_setn(r->subprocess_env,
                      "BALANCER_SESSION_ROUTE", route);
   }
+++
"session-route" is SC_A_JVM_ROUTE in AJP but what are the purpose of the
others?


Does

http://httpd.apache.org/docs/2.2/en/mod/mod_proxy_balancer.html#environment

answer this question?


So I have to propose the attached patch to get 
http://svn.apache.org/viewvc?view=rev&rev=551935 and 
http://svn.apache.org/viewvc?view=rev&rev=550519 correct.


Comments?

Cheers

Jean-Frederic



Regards

Rüdiger






Re: Apache Service Control

2007-07-09 Thread Q Beukes




Thanks for your quick response. 

Nick Kew wrote:

  
  
  
To restart the process you need to send a HUP signal. This works fine,
but what if you want to stop the server for a moment and then start it
again, perhaps doing something in the mean while. This cannot be
automated unless you watch the process/PID in some way.

  
  
You could send it SIGKILL and take the consequences.  Not that I'd
recommend that!  There are various techniques you can use for
scripting a shutdown: for example, polling it.

  

With polling it I figure you just mean something along the lines of a
"kill -0" to see if it's still running. So is there (when sending a
TERM signal) some shutdown processes that can fail and cause Apache to
abort the shutdown?

  
  
This is fine for most purposes, but what if you want to stop what
you're doing in case the shutdown fails. If the "httpd" binary would
return a non-negative exit code

  
  
Return a code to whom?
  

Basically like "if ! httpd -k stop; then --failed--; fi".

  
These are just some issues people have. Some people feel it's a bad
design.

  
  
Why?
  

Simply because you can't determine for certain if the shutdown was
successful or not, and to restart apache you have to rely on the
restart signal or uncertain timeouts.

  
  
	 Some people (like me) are not so sure what the idea behind it
is.

  
  
To give the workers time to finish serving current requests rather
than aborting them.
  

I understand this yes. This question was more along the lines of whether or not there is a reason one just sends and waits, or not IPC which returns only later or any one of the methods daemons can use to shutdown. 

  
We're open to patches if you have a better design.
  

The design seems fine. Perhaps just some mechanism to track the shutdown? Or a command line switch to block the process until shutdown completed? With some guidance and advice I would be more than willing to implement something.

Q Beukes
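
The stop-and-verify behaviour asked for in the message above ("kill -0" polling after TERM, with an exit status a script can test) can be built around the existing signal interface. This is an added example, not part of the original message and not httpd code; the function names, the exit codes and the 30-second default are assumptions, and the PidFile path is supplied by the caller.

```shell
#!/bin/sh
# Added example (not httpd code): stop a daemon with TERM and report,
# through the exit status, whether it really went away.
#
# Exit status of stop_and_wait:
#   0  process is gone
#   1  process still alive after the timeout (shutdown failed or is slow)
#   2  nothing to stop: bad PID, not running, or not permitted to signal it

# Read the parent PID from a PidFile. The path comes from the caller;
# nothing is assumed here about where httpd writes it.
pid_from_file() {
    [ -r "$1" ] || return 1
    head -n 1 "$1" | tr -d '[:space:]'
}

stop_and_wait() {
    pid=$1
    timeout=${2:-30}            # seconds; 30 is an arbitrary default

    # Accept only a plain decimal PID greater than 1. PID 0 and negative
    # values address whole process groups, which is never wanted here.
    case $pid in
        ''|*[!0-9]*) return 2 ;;
    esac
    if [ "$pid" -le 1 ]; then return 2; fi

    # kill -0 delivers no signal; it only checks that the PID exists and
    # that we may signal it. It cannot tell httpd from a process that has
    # since reused the PID, so a stale PidFile should be ruled out first.
    kill -0 "$pid" 2>/dev/null || return 2
    kill -TERM "$pid" 2>/dev/null || return 2

    waited=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Convenience wrapper: stop_httpd /path/to/pidfile [timeout]
stop_httpd() {
    pid=$(pid_from_file "$1") || return 2
    stop_and_wait "$pid" "${2:-30}"
}
```

A maintenance script can then branch on the result, for instance stopping its own work when stop_httpd returns 1 instead of relying on a fixed sleep.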