This is a set of patches for the Apache 2 suexec component.
It's distributed under the same license, stated in the debian/copyright file.
The "master" branch contains all the features available.
Branches described below should be considered as tags (development stages):
fewer security checks.
Options:
AP_SUEXEC_SKIP_DOC_ROOT_CHECK: scripts which are executed on behalf of the vhost owner may reside in an arbitrary directory
AP_SUEXEC_EXEC_ROOT: allow execution of root-owned scripts on behalf of the vhost owner
new features to limit the number of processes, memory and CPU time
Options:
AP_SUEXEC_RLIMIT_MEMORY_META: memory (in bytes), e.g. 268435456
AP_SUEXEC_RLIMIT_NPROC_SOFT: number of processes, e.g. 53
AP_SUEXEC_RLIMIT_CPU_SOFT: CPU time, e.g. 330
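How limits like these can be applied as soft rlimits just before a script is executed, as an added example that is not code from this patch set. The mapping of the three options onto RLIMIT_AS, RLIMIT_NPROC and RLIMIT_CPU, the unit of seconds for CPU time, and the helper names set_soft_limit, apply_limits and limits_hold_in_child are assumptions; the values are the example values from the option list.

```c
/* Added example, not the patch set's code. Values are the README's examples. */
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define AP_SUEXEC_RLIMIT_MEMORY_META 268435456UL /* bytes */
#define AP_SUEXEC_RLIMIT_NPROC_SOFT  53UL        /* processes */
#define AP_SUEXEC_RLIMIT_CPU_SOFT    330UL       /* CPU seconds (assumed unit) */

/* Set only the soft limit. The hard limit stays untouched and a lower
 * inherited soft limit wins, so the call never loosens anything. */
static int set_soft_limit(int resource, rlim_t wanted)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > wanted)
        rl.rlim_cur = wanted;
    if (setrlimit(resource, &rl) != 0 || getrlimit(resource, &rl) != 0)
        return -1;
    return rl.rlim_cur <= wanted ? 0 : -1;   /* read back and verify */
}

/* Assumed (hypothetical) mapping of the three options onto rlimits. */
static int apply_limits(void)
{
    return (set_soft_limit(RLIMIT_AS, AP_SUEXEC_RLIMIT_MEMORY_META)    /* allocations fail: ENOMEM */
         || set_soft_limit(RLIMIT_NPROC, AP_SUEXEC_RLIMIT_NPROC_SOFT)  /* fork() fails: EAGAIN */
         || set_soft_limit(RLIMIT_CPU, AP_SUEXEC_RLIMIT_CPU_SOFT))     /* SIGXCPU is sent */
         ? -1 : 0;
}

/* Apply the limits in a child, at the point where a wrapper would execv()
 * the script. Returns 0 if every limit was set and read back there. */
static int limits_hold_in_child(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0)
        _exit(apply_limits() == 0 ? 0 : 1);
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    return limits_hold_in_child() == 0 ? 0 : 1;
}
```

Because only the soft limit is lowered, a process can raise it again up to the inherited hard limit; lowering the hard limit as well would make the cap binding.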
new features to execute processes in a cgroup context using cgrulesengd or hardcoded values
Options:
AP_SUEXEC_CGROUPS_FAST (hardcoded)
AP_SUEXEC_CGROUPS (cgrulesengd)
AP_SUEXEC_CGROUPS_FAST_PATH (must be specified in suexec.h)
AP_SUEXEC_CGROUPS_FAST_CONTROLLERS (must be specified in suexec.h)
Options:
AP_STICKY_AFFINITY: the process sticks to the CPU core it was started on. This should take some stress off the process scheduler, which otherwise constantly tries to reschedule hundreds of processes between cores.
The exact set of features compiled into the executable is tuned in the Makefile. Hardcoded values for cgroups are set in suexec.h.
It makes sense to build suexec as a Debian package; otherwise (if you want to compile things manually) the list of dependencies can be found in the debian/control file.
Happy restricting!