Hello world! – mudanza

Posted on 13 de diciembre de 2010 by bisente

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!

O eso es lo que reza el post por defecto que te mete WordPress en cada nueva instalación.

Si, nueva instalación. Después de n años arrastrando un WordPress-mu 2.x y aprovechando un cambio de servidor, me he decidido a migrar a WordPress 3. Así que cambio de servidor y de software… va a petar todo. O más. Se va a cagar la perra.

Ya iré arreglando cosas poco a poco, instalando plugins, temas, acabando de configurar, migrando ficheros que no se hayan copiado bien y demás. Pero es que si no me tiro a la piscina a lo bestia, no lo hago. Y más con lo dejado que tengo esto últimamente, a ver si así lo retomo.

Además y aprovechando el nuevo servidor he montado un mirror de esto.

Depurando problemas con nginx

Posted on 4 de marzo de 2010 by bisente

Last week I’ve been debugging a problem I had with this site’s nginx server: from time to time it hanged and I had to restart the process. Some time ago I wrote a little script that checked if it was running OK and restarted it otherwise, but anyway that wasn’t a real solution.

So I spent some days really looking into it and asking for support and reporting my findings to the nginx mailing list. One useful tip I got there was enabling the “debug” mode on the error log, which shows full traces of the processes (including their PID) as they’re processing the request, the rewrites, upstreams, etc.

error_log /var/log/nginx/$host-error.log debug;

With this extended log and the PID of the process malfunctioning, it’s quite easy finding out what that process was doing right before hanging. In order to find out the PID of the hanged processes, I extended my check-reboot script to log some generic system metrics right before restarting nginx: netstat -nap (which shows the PID), ps, vmstat, etc.

#!/bin/sh

TIMEOUT=20
CHECK=http://localhost/wp-admin/
LOG=/var/log/checkWeb/checkWeb-$(date +%Y%m%d).log
LOGR=/var/log/checkWeb/restart-$(date +%Y%m%d).log
TMP=/tmp/checkWeb-$RANDOM

if ! wget -t 1 -o /dev/null -O /dev/nul -T $TIMEOUT $CHECK
then
echo "ERROR, restarting nginx"
echo "** RESTARTING **" >> $TMP
date >> $TMP
echo "- CLOSE_WAIT:" >> $TMP
netstat -nap | grep -c CLOSE_WAIT >> $TMP
echo "- vmstat" >> $TMP
vmstat 1 5 >> $TMP
echo "- free" >> $TMP
free >> $TMP
echo "- ps" >> $TMP
ps aux >> $TMP
echo "- netstat" >> $TMP
netstat -nap >> $TMP
echo "" >> $TMP
echo "" >> $TMP

#       pkill -9 -f php-cgi
pkill -9 -f nginx
sleep 1s
/etc/init.d/nginx start

cat $TMP
cat $TMP >> $LOG
date >> $LOGR
fi

rm -rf $TMP

This way, each time localhost/wp-admin was unresponsive (I was debugging a WP site), besides restarting nginx I was getting a lot of system info. With time I got to realize that nginx processes were not actually hanging, but some of their sockets got on the CLOSE_WAIT state forever until the process was restarted. Looking for the PID of those processes according to netstat on the error log, the last request they were processing before getting to the CLOSE_WAIT state was always the same: on my blog I have some examples of how running servers with daemontools; daemontools uses named pipes (FIFOs), which can become kind of black holes if there’s no process feeding them; when nginx hit one of these FIFOs, it hanged.

Funny thing is that I never had this problem with either Apache nor lighttpd. But anyway the problem is not nginx but those FIFOs which shouldn’t really be there. I removed them and have had no hanged processes in five days, while before this nginx was restarting 3-4 times a day.

Probando nginx

Posted on 3 de septiembre de 2009 by bisente

Estoy cacharreando con nginx. El nuevo servidor virtual donde tengo el dominio está un poco justo, con la migración lo dejé con Apache en vez de volver a lighttpd y ahora estoy probando alternativas.

Como aparte de configurar el servidor y el PHP con fast-cgi hay que convertir todos los rewrites del Apache (wpmu y super-cache) al formato de nginx, es posible que el blog haga cosas raras, no se actualice debidamente, algunas páginas no vayan bien, pete, no acepte comentarios, o cobre consciencia de sí mismo y decida matar a todos los humanos. YMMV.

Cluster de correo escalable con software libre

Posted on 2 de octubre de 2008 by bisente

At my previous job I was responsible for the MTA of a group of companies, handling around 3000 e-mail accounts spread over 20 domains. This MTA received around 150,000 mails daily, and over 95% of them was discarded/marked because it was identified as SPAM or viruses (as of last year, don’t know how this evolved since I left). We used a homegrown cluster of seven servers, which enabled us to scale as needed. And it was based on free software.

This is not an step-by-step installation guide with technical details and configuration files, but rather the story of the evolution of the service, the various problems that we faced, how we solved them, and the design decisions in each case.

Migration

The first incarnation of the server was in 2001 when we had to migrate the old server, which was starting to give lots of trouble, to more current software and hardware. I seem to remember it was a mail server from Netscape (!?) that stored the account information in an LDAP directory, but can’t recall the exact name or version of the product. The server we chosed for the migration was qmail-ldap, mainly because of the good reviews we read about its stability, reliability and security, ease of setup (personally I still think qmail is much simpler than eg sendmail) and because it also used an LDAP directory. The latter may seem a silly reason, but in the end the migration had to be done in extremis at a time that the original server wouldn’t even boot most of the times, and we got away with it with a simple ldapsearch and a little script that “translated” the LDAP scheme of one server into that of the other one. Over time the choice of qmail-ldap proved to be the right one, because thanks to its modular design it allowed us to progressively move from a one server deploy to the cluster that I refered about in the introduction.

This first server was a rack-mounted one, with redundant power supplies and hw RAID5, so that all the data was secure (or so we thought back then). We also rolled qmail-scanner and the Kaspersky anti-virus (there was no ClamAV yet, we moved to it some years later). The same server held the SMTP, POP, IMAP and WebMail (SquirrelMail) services.

Active/Passive backup

We had to do the first architectural upgrade a couple of months after the migration: a RAID5 hiccup lead to a corrupted filesystem which was quite difficult to fix. It became clear that the RAID discs and the redundant power supplies were not enough to ensure the data integrity and service availability, so we installed another server exactly like the first one, and synchronized the configuration and mailboxes using rsync and cron jobs. The switching from the primary to the backup server was manual back then, using NAT at the router.

Over time the server was upgraded to new models several times, but we kept the active/passive backup structure. The syncronization between both servers was also improved, with DRBD for the mailboxes and csync2 for the configuration, AV bases, and so on. Master-backup monitoring and service switch was automatized with heartbeat.

The SPAM flood, specialization by resources

Sometime around 2002-2003 viruses ceased beeing e-mail’s biggest problem: the increasing number of SPAM messages received every day was way worse. So we threw SpamAssassin into the mix. Over time this lead to an ever-increasing CPU and memory consumption, slowing the server to a crawl. At first it seemed that the only option was to migrate every year to a new, more powerful server (and what would we do with the old one then?), or have multiple servers and distribute all the domains among them in an attempt to distribute the load.

Finally we realized that we had two different kinds of resource needs, with different growth patterns:

HD space for the mailboxes: the number of mailboxes in our system was fairly stable and the vast majority of our users downloaded their e-mails using POP, so HD scalability wasn’t really that big of a problem for us. We could easily afford to upgrade disk every few years, moving the service to the backup server while we were upgrading the master one.
CPU for the filtering: SPAM was growing at an exponential rate, we basically needed to double the CPU power each year.

So, why not specialize our servers into storage servers and a filtering farm? We moved the SMTP service from the main servers to a front-line of SMTP servers with the follwing characteristics:

they were off-the-shelf PCs and their configuration was practically identical (no variations appart from hostnames and IP addressess). We prepared a system image we could easily dump in a matter of minutes to a new PC, in case one of the servers went down or we needed more raw CPU power because of an increase in SPAM.
we had a router load-balaincing port 25 among all these servers.
all these SMTP servers were independent from the central ones, except for the final step of delivering the already analized mail to its destination mailbox: each server had a local copy of the LDAP directory (synchronized with slurpd), a copy of all the configuration files and all the AV bases and the SpamAssassin bayesian database (synchronized with csync2), and a DNS resolver/cache (dnscache).
they did local logs, but also sent them to a centralized syslog server for easier analysis.
they didn’t store the mails locally for later delivery, in other words they had no delivery queue: e-mails were analyzed on the fly during the SMTP session and if one of them met certain anti-SPAM/AV criteria (blacklisted IP, a number of RBL hits, certain keywords, etc.) it was immediatelly rejected with an SMTP error and the connection was closed; on the other hand if the mail was let through (it was either legitimate, or marked as possible SPAM), it was sent to the central server on the spot, and the filtering server never gave the OK to the origin MTA until the mailboxes server acknowledged the delivery. This is done quite simply with qmail by means of replacing the qmail-queue binary with the qmail-qmqpc one. By doing this we were able to guarantee that no mail would be lost in the event that a filtering server crashed, as the origin MTA wouldn’t receive the OK from us and would re-try the delivery after a couple of minutes.

Mailboxes, the POP and IMAP services, the LDAP master, webmail, and the remote queue remained in the central server, although most of them could have been moved to independent servers if needed, but we never needed to.

Specialization by type of client

The next problem we faced came about 2-3 years ago when image- and PDF-based SPAM became popular: we added an SpamAssassin plugin which re-composed animated GIF images and did OCR to all image attachments. This extra analysis greatly increased our CPU needs (we had to go from 2 or 3 filtering servers to 5 in a couple of days) and even so there were times when a server got overloaded for some 5-10 minutes and an e-mail could take not less than 2 minutes to be processed, delivered and SMTP-OK’d. When this happened and the sending party was another MTA it represented no bigger issue, as in the event of a timeout or disconnection the remote server would re-try the delivery several times; however, if the sender was an end-user with his MUA, a longer-than-usual delivery time or (God forbid) an error message from Outlook because of an eventual dropped connection lead to a phone call to the IT team because “the mail wouldn’t work.”

The solution was splitting the SMTP and analysis farm into two: one for external mail and another for internal ones, for our users. The first farm is the one the DNS’ MX records pointed to, and had all the SPAM filtering options activated; while the second one retained the domain name end users used as the SMTP server in their MUAs, had all the heavy-weight lifting filters disabled and required SMTP authentication (wouldn’t accept non-authenticated sesions even for local domains). This way all external e-mail coming from remote MTAs would go through all the filters, and our users went to the privileged servers with somewhat lesser filering capabilities (but enough for internal mail) and great response times.

The big picture

Acceder con Facebook

Visitas
Amigos
Comentarios

Últimas visitas

Mi primera media maratón
Por bisente
24/01/2012 16:05
No hago mucho más, los gimnasios me aburren. Estiramientos y flexiones a veces en casa, nada del otro mundo. Y buceo, pero realmente no es un deporte de hacer mucho ejercicio (salvo que pilles corriente ), es más de ir relajado.
Mi primera media maratón
Por Siew
24/01/2012 11:04
El tema es que a mi también me relaja correr (de hecho, cuando corro, lo hago sin música, así que imagínate). Pero me cuesta mucho el ponerme. Creo que me quemé muy rápido obsesionándome demasiado con mi objetivo de la media. Quizá deba empezar poco a poco como tu, saliendo más cuando el cuerpo me pida más.
Además de correr, ¿haces algún otro tipo de ejercicio?
Mi primera media maratón
Por bisente
23/01/2012 20:05
¡Hombre Pablo! ¡Muchas gracias!
Tal como lo dices parece que pienses que lo he planificado o algo… he ido haciendo lo que me pedía el cuerpo. A lo que me refería es a que empecé a correr por hacer algún tipo de ejercicio hará 7-8 años y al principio con correr 15 minutos estaba que tiraba la papilla y ni me planteaba volver a correr esa semana, pero el cuerpo se va acostumbrando y con los años he ido corriendo más a menudo y más tiempo/distancia casi sin darme cuenta. Nunca he planificado los entrenamientos (salvo con lo del ZTD hará 3 años que me puse como meta el hábito de correr todos los días) ni nunca me lo he tomado como una obligación, aunque me levanto pronto si un día no me apetece salir a correr me quedo leyendo cualquier cosa por Internet mientras me tomo el café. De hecho no pienso en esto como entrenamientos si no “salir a correr”.
No tengo método. Simplemente le he cogido el gusto a correr, me relaja y me ayuda a despejar la mente en temporadas de mucho estrés, y el cuerpo se va acostumbrando al ejercicio y pide más.
Mi primera media maratón
Por Siew
23/01/2012 19:26
En primer lugar enhorabuena por tu primera media. Como ya sabes yo me estaba preparando para la mía, cuando lo tuve que dejar por una lesión en la pierna… y luego vino lo del coche.
La cuestión es que ahora me encuentro mucho mejor y me gustaría ponerme las pilas otra vez. He leído que te pusiste a correr incrementando gradualmetne duración y frecuencia de tus entrenos. ¿Cómo lo hiciste exactamente?
Varios websites con HTTPS sobre una misma IP
Por bisente
21/01/2012 07:42
Mientras que los distintos servicios usen SSL para el cifrado si, puedes usar el mismo certificado. El tema es el dominio. Los navegadores (o el cliente de correo, o FTP, o lo que sea) comprueban que el nombre (DNS) al que te estés conectando esté en el certificado, y si no lo está sacan una advertencia de seguridad. En ese caso necesitarías tener todos los servicios sobre el mismo nombre (p.ej., web, ftp y correo en “www.dominio.com”), que en mi opinión no es buena idea. Por eso, y por poder tener varios hosts virtuales en el mismo Apache con una única IP, es posible generar certificados válidos para varios dominios. Claro, que son más caros y si te comprometen ese certificado, todos los dominios están comprometidos con lo que desde el punto de vista de la seguridad tampoco es buena idea.
Es lo de siempre, si tienes recursos (dinero) puedes hacer las cosas bien y tener distintas IP por servicio, distintos nombres de dominio y distintos certificados; pero si vas justo, te toca apañarte con lo que hay.

Desarrollado por Sociable!

JomPeich d'er Bisente

Este es mi blog. Hay otros muchos pero este es el mío.

Tag Archives: servidor