We run an inbound proxy service using `mod_proxy` coupled with an in-house traffic regulator built around a custom module. This is one of the first services we’re targeting to run with habitat.
This opens some interesting questions, which I think will be applicable to the community, but I’d also appreciate any input from people with relevant or parallel experience.
We’re using a fork of `core/httpd`, which is built with Exception Hook, and no developer modules (i.e. all rather than
What we have so far is a package which builds the module with `apxs`, and a ‘wrapper’ package called `pxy` which has as its dependencies our own `httpd`, and our built module.
In order to start
`httpd` and the custom module as dependencies, and in addition to the stock config from `core/httpd`, loads the custom module, and enables exception hook.
Some already resolved gotchas for reference:
- when using a dependent service (like `http`) it’s necessary to copy the hooks over into the ‘wrapping’ cookbook
- when referring to paths in the `httpd` config, it’s necessary to use the
The problem I have now is that the service segfaults when I start it, and I get precisely no information about how or why.
Additionally, when attempting to start `httpd` using the `hab` user and group (as is done in `core/httpd`) I get permissions errors:

```
pxy.default(SV): Starting service as user=hab, group=hab
pxy.default(O): (13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
pxy.default(O): (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
pxy.default(O): no listening sockets available, shutting down
pxy.default(O): AH00015: Unable to open logs
```
Referring to https://github.com/habitat-sh/habitat/pull/4366 I tried setting these to root, to see if `httpd` would drop privileges, but now I get:

```
pxy.default(SV): Starting service as user=hab, group=hab
pxy.default(O): AH00526: Syntax error on line 127 of /hab/svc/pxy/config/httpd.conf:
pxy.default(O): Error:\tApache has not been designed to serve pages while\n\trunning as root. There are known race conditions that\n\twill allow any local user to read any file on the system.\n\tIf you still desire to serve pages as root then\n\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n\tand then rebuild the server.\n\tIt is strongly suggested that you instead modify the User\n\tdirective in your httpd.conf file to list a non-root\n\tuser.\n
hab-launch(SV): Child for service 'pxy.default' with PID 16733 exited with code exit code: 1
```
So, a couple of issues:
- Does anyone have any help / experience / suggestions in general with debugging a segfaulting httpd / custom module? How to get some diagnostics, specifically with respect to habitat? Under normal circumstances, I might try to use gdb.
- Any idea of the best approach to resolve the user/group issue?