
We have a Dockerized environment for our clients so that each customer gets his own container to host his website. Each container usually runs on the php:7 image, so we're speaking about Apache 2.4 using mpm_prefork. Each container has a memory limit of 256 MB.

Now, should any container be compromised for some reason, using the default Apache settings it spawns lots of child processes, eating essentially the entire machine's RAM. That happens because, apparently, total child process memory usage doesn't count towards the limit.

I'd like to prevent Apache from spawning child processes at all. So if the container is hacked, it will reach its memory limit and get killed by Docker.

I tried with:

# mpm_prefork settings (Apache 2.4 also accepts these pre-2.4 names:
# MaxClients is an alias of MaxRequestWorkers, MaxRequestsPerChild of
# MaxConnectionsPerChild)
StartServers         1
MinSpareServers      1
MaxSpareServers      1
ServerLimit          1
MaxClients           1
MaxRequestsPerChild  4000

But the performance was terrible: a basic Drupal site with multiple CSS/script assets was loading for almost 60 seconds.

Is it possible to force Apache to use only one process and keep at least some performance? Sites are small and don't get a lot of traffic, so we don't care much, but the site should load fast for a single user at least.

2 Answers


You need to increase those limits from 1 to something a bit higher, but probably less than the defaults. Setting them to 1 basically means you can only service one connection at any time, which is why you're seeing terrible performance. A browser will try to issue multiple simultaneous connections in order to fetch the base page and any CSS, JavaScript, etc. linked within it.

bodgit
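As an added illustration of the answer above (this script is not from the question or either answer), the following sizes mpm_prefork from the container's memory limit instead of pinning it to one child, and emits the matching config. The numbers are hypothetical: a 256 MiB limit, about 64 MiB reserved for the parent process, page cache and opcache, and about 24 MiB RSS per child running mod_php; measure your own per-child RSS under load. The config path and the `php:7-apache` image tag are assumptions based on the Debian layout the php images use.

```shell
#!/bin/sh
# Added example, not part of the original thread. Sizes mpm_prefork for a
# memory-capped container rather than restricting Apache to one process.
# Assumed (hypothetical) figures: 256 MiB container limit, ~64 MiB reserved
# for the parent httpd, OS page cache and PHP opcache, ~24 MiB RSS per
# prefork child serving a small Drupal site with mod_php. Measure the real
# per-child RSS with `ps -o rss= -C apache2` (Debian) under load.

# Children that fit: (limit - reserve) / per_child, but at least 2 so a
# browser's parallel CSS/JS requests are not fully serialised.
prefork_workers() {
    limit_mb=$1; reserve_mb=$2; per_child_mb=$3
    n=$(( (limit_mb - reserve_mb) / per_child_mb ))
    [ "$n" -lt 2 ] && n=2
    echo "$n"
}

# Emit an mpm_prefork block for N workers. MaxRequestWorkers is the Apache
# 2.4 name for MaxClients and MaxConnectionsPerChild for MaxRequestsPerChild;
# the old names are still accepted as aliases.
prefork_conf() {
    workers=$1
    spare=$(( workers / 2 )); [ "$spare" -lt 1 ] && spare=1
    cat <<EOF
<IfModule mpm_prefork_module>
    StartServers            $spare
    MinSpareServers         $spare
    MaxSpareServers         $workers
    ServerLimit             $workers
    MaxRequestWorkers       $workers
    MaxConnectionsPerChild  1000
</IfModule>
# Let a browser reuse its connections for the page's assets, but release
# the worker quickly: every idle keep-alive connection pins one prefork child.
KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 100
EOF
}

workers=$(prefork_workers 256 64 24)
prefork_conf "$workers"
# Usage (Debian layout used by the php:*-apache images; assumed path):
#   prefork_conf "$workers" > /etc/apache2/mods-available/mpm_prefork.conf
#
# Container-side backstop that does not depend on Apache's own settings:
# cap the number of processes so a compromised container cannot fork without
# bound, and disable swap so the memory limit is the hard ceiling.
#   docker run --memory=256m --memory-swap=256m --pids-limit=64 php:7-apache
```

With 8 children of roughly 24 MiB each, the container stays well inside 256 MiB, while a browser's six-or-so parallel asset requests are served concurrently rather than one after another. The `--pids-limit` flag is the guard against fork storms regardless of what an attacker changes in the Apache config.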

But the performance was terrible

No?! Really!!

You do realise that the pre-fork MPM is designed to spawn child processes for each request and each child process only serves one request at a time. See How do I select which Apache MPM to use?

By limiting that to one, what will happen is the following: a browser will try to load the HTML that is your crappy web page. Once that succeeds it will see that the page depends on a number of external CSS files, images and script resources. Then it will send a number of parallel requests to load those. Rather than handling those concurrently, those Apache settings will only allow Apache to send those resources one after the other, sequentially rather than concurrently. That takes forever!

You don't want a web server that can barely support one concurrent site visitor... Adjust those settings.


Consider placing a caching reverse proxy server in front of your containers to reduce the number of hits forwarded to each Docker container, and adjust the settings to something a little more sane to make each container more responsive.

HBruijn