Balancing multiple istances, and PHP-FPM+Suhosin

224 views
Skip to first unread message

Gianluca

unread,
May 22, 2008, 6:05:11 AM5/22/08
to highloa...@googlegroups.com

Hello,

I am not a developer by any means, but I am trying to write a complete

guide/walkthrough to setup a server running nginx and wordpress, as this is

nowadays the most used publishing platform and most non-experts (running

maybe a low end server or a VPS/Slice) would be interested in moving from

apache to nginx, so i thought writing some "newbie level" walkthroughs

would help a little nginx+php adoption.

The first revision of my guide used the (in)famous lighttpd spawn-fcgi, as

many on the web, but then I came across php-fpm, and since yesterday I am

using it on my production server, hosting several wordpress blogs. Seems it

works like a charm: until now.

I have a couple of questions, and I hope someone would be so kind to help

me:

1) Here I've read you can balance multiple fastcgi/fpm istances.

http://bookmarks.honewatson.com/2008/04/24/multiple-fastcgi-php-servers-nginx-load-balancing/

I'm wondering if you reccomend running a couple of instances: and in case

how to achieve this (is enough to edit php-fpm.conf ?) or if this make

sense just with mongrel clusters and ruby stuff.

2) I am wondering if you reccomend - performance wise - to use unix sockets

for php-fpm, or the 127.0.0.1 tcp approach is ok.

3) I've tried to patch with suhosin (php security) a php 5.2.6 source tree

already patched with php-fpm and won't work. So I have compiled suhosin as

a self-loading php module, and it seems to work. Do you see any problem

with this configuration ? Any known issues ?

As I am trying to realize a comprehensive "newbie" guide to start from a

fresh installed server and achieve a fully working nginx+php stack

optimized to run wordpress, as i think this would be useful for many

not-very-expert people running their own VPS, any suggestion, tips, tricks

on your experience running such a configuration, would be greatly

appreciated.

Thank you for reading,

Gianluca

Andrei Nigmatulin

unread,
May 22, 2008, 6:52:35 AM5/22/08
to highloa...@googlegroups.com
Hello,

Thank you for interesting in php-fpm.


On Thursday 22 May 2008 14:05, Gianluca wrote:
> Hello,
>
>
>
> I am not a developer by any means, but I am trying to write a complete
>
> guide/walkthrough to setup a server running nginx and wordpress, as this is
>
> nowadays the most used publishing platform and most non-experts (running
>
> maybe a low end server or a VPS/Slice) would be interested in moving from
>
> apache to nginx, so i thought writing some "newbie level" walkthroughs
>
> would help a little nginx+php adoption.
>
>
>
> The first revision of my guide used the (in)famous lighttpd spawn-fcgi, as
>
> many on the web, but then I came across php-fpm, and since yesterday I am
>
> using it on my production server, hosting several wordpress blogs. Seems it
>
> works like a charm: until now.
>
>
>
> I have a couple of questions, and I hope someone would be so kind to help
>
> me:
>
>
>
> 1) Here I've read you can balance multiple fastcgi/fpm istances.
>
> http://bookmarks.honewatson.com/2008/04/24/multiple-fastcgi-php-servers-ngi
>nx-load-balancing/
>
> I'm wondering if you reccomend running a couple of instances: and in case
>
> how to achieve this (is enough to edit php-fpm.conf ?) or if this make
>
> sense just with mongrel clusters and ruby stuff.

There is no much sense in running multiple instances (or workers) on separate
ports if they share *the same*configuration.

However, the point of such configuration is larger backlog (x5) for buffering
newly arrived fastcgi connections before they get accepted by php.

You can tune somaxconn sysctl if you need larger backlog for a single socket.
This is a preferred way.

In order to run several pools of workers with *different* configuration you
have to copy block <section name="pool"> ... </section> in the php-fpm.conf
and to change name and listen address of the new pool.

Usually one pool of workers is used for serving requests for one site.

> 2) I am wondering if you reccomend - performance wise - to use unix sockets
>
> for php-fpm, or the 127.0.0.1 tcp approach is ok.

Personally I could not see any difference in performance. Theoretically there
might be small gain when using unix sockets for rates about thousands RPS.

> 3) I've tried to patch with suhosin (php security) a php 5.2.6 source tree
>
> already patched with php-fpm and won't work.

Is there compiler errors or what ?

> So I have compiled suhosin as
>
> a self-loading php module, and it seems to work. Do you see any problem
>
> with this configuration ? Any known issues ?
>
>
>
> As I am trying to realize a comprehensive "newbie" guide to start from a
>
> fresh installed server and achieve a fully working nginx+php stack
>
> optimized to run wordpress, as i think this would be useful for many
>
> not-very-expert people running their own VPS, any suggestion, tips, tricks
>
> on your experience running such a configuration, would be greatly
>
> appreciated.
>
>
>
> Thank you for reading,
>
>
>
> Gianluca

--
Andrei Nigmatulin
GPG PUB KEY 6449830D

Now I lay me down to sleep(3)
Pray the OS my core to keep
If I die before I wake
Pray the Disk my core to take

Gianluca

unread,
May 22, 2008, 7:48:41 AM5/22/08
to highloa...@googlegroups.com

On Thu, 22 May 2008 14:52:35 +0400, Andrei Nigmatulin

<andrei.n...@gmail.com> wrote:

> There is no much sense in running multiple instances (or workers) on

> separate ports if they share *the same* configuration.

Ok.

Well, let me specify my situation is not exactly "high-load" in the proper

meaning, as my websites are not resource intensive: is more a "scarce

resources" situation, so a matter of optimization.

Infact my situation (and i guess the one of many people nowadays) is a

virtual server, where you have a lack of ram AND not so fast i/o, so memory

footprint is very important. My xen VPS for example provides 512mb ram and

is a quite typical configuration.

Using Nginx + Php-FPM allows me to free up A LOT of memory, that can be

used more productively in PHP opcode caching (xcache), or mySQL memory, to

improve page generation times. For example at the moment with nginx and

php-fpm i get an average of 0.110sec for home page, while spawn-fcgi would

result me in a 0.3sec average.

I am confident this is a farily common scenario between thousands of vps

users that could benefit from switching from apache to something like

nginx+php-fpm to keep the website responsive also under diggs and similar

"peak" situations. These people (like me) are not usually developers, and

that's why, after a lot of researching I am writing this walkthrough, as I

got a lot of google hits for "nginx and wordpress", "php-fpm and nginx",

and the like with the first revision... so i want to improve it.

> In order to run several pools of workers with *different* configuration

> you have to copy block <section name="pool"> ... </section> in the

> php-fpm.conf and to change name and listen address of the new pool.

>

> Usually one pool of workers is used for serving requests for one site.

So, let's say I run a server with 5 low traffic wordpress blogs, where

maximum peak usage can be around 60 page views each second (ie. you have

been linked in some social news website), but usually is no more than 5-10

page views/second (as a WHOLE, i mean the whole 5 blogs): do you see any

advantage in running a different pool of workers for each blog ? Or can I

safely use the default configuration (5 static workers on :9000) to serve

all of the different sites and just don't care ?

>> 3) I've tried to patch with suhosin (php security) a php 5.2.6 source

> Is there compiler errors or what ?

It won't even ./configure :

server:/usr/local/src/php-5.2.6# patch -p 1 -i

../suhosin-patch-5.2.6-0.9.6.2.patch

patching file TSRM/TSRM.h

[...]

patching file Zend/zend_llist.c

patching file configure

Hunk #1 succeeded at 18981 with fuzz 1 (offset 485 lines).

Hunk #2 succeeded at 116257 (offset 497 lines).

Hunk #3 succeeded at 116459 (offset 497 lines).

patching file configure.in

Hunk #2 succeeded at 1311 (offset 9 lines).

[...]

patching file sapi/cgi/cgi_main.c

Hunk #1 succeeded at 1831 (offset 105 lines).

patching file sapi/cli/php_cli.c

patching file win32/build/config.w32

ska:/usr/local/src/php-5.2.6#

server:# ./configure --enable-fastcgi --enable-fpm --enable-suhosin

--with-mcrypt --with-zlib --enable-mbstring --with-openssl --with-mysql

--with-mysql-sock --with-gd --with-jpeg-dir=/usr/lib --enable-gd-native-ttf

--without-sqlite --disable-pdo --disable-reflection

[...]

Notice: Following unknown configure options were used:

--enable-suhosin

Thanks a lot for your software, and for your help,

Have a nice day,

Gianluca

Floren Munteanu

unread,
May 22, 2008, 8:43:34 AM5/22/08
to highload-php-en
If you don't use crazy PHP code, you do not need suhosin. Simply look
at the source and you will see rightaway if you deal with quality
code. In fact, the devs admit suhosin will slow down your compiled
code.

Andrei Nigmatulin

unread,
May 22, 2008, 9:05:32 AM5/22/08
to highloa...@googlegroups.com

Unless your blogs uses different php.ini values or any other options such as
environment variables etc, that makes two pools of fastcgi workers different
from the start you don't have to run multiple pools.

Instead, you might be interested in running more processes in one pool. Five
static workers can be enough for small site, but finding the optimal value
depends on many things. The practical approach is
1) watching 'top' for running php-cgi workers
2) watching 'netstat -np | grep 127.0.0.1:9000' for fastcgi connections (if in
linux):

tcp 0 0 127.0.0.1:9000 127.0.0.1:59053 ESTABLISHED 21881/php-cgi
tcp 0 0 127.0.0.1:9000 127.0.0.1:59057 ESTABLISHED -

The first line corresponds to accepted fastcgi connection and the second is
still waiting in a backlog (not accepted).

You'll need to set higher max_children in php-fpm.conf in order to minimize
amount of awaiting connections.

> >> 3) I've tried to patch with suhosin (php security) a php 5.2.6 source
> >
> > Is there compiler errors or what ?
>
> It won't even ./configure :

I'll need some time to figure out the problem, stay tuned.

--

Gianluca

unread,
May 22, 2008, 10:20:08 AM5/22/08
to highloa...@googlegroups.com

On Thu, 22 May 2008 17:05:32 +0400, Andrei Nigmatulin

<andrei.n...@gmail.com> wrote:

> Unless your blogs uses different php.ini values or any other options such

> as environment variables etc, that makes two pools of fastcgi workers

> different from the start you don't have to run multiple pools.

Thanks for you help, good to know.

> tcp 0 0 127.0.0.1:9000 127.0.0.1:59053 ESTABLISHED

> 21881/php-cgi

> tcp 0 0 127.0.0.1:9000 127.0.0.1:59057 ESTABLISHED -

>

> The first line corresponds to accepted fastcgi connection and the second

> is still waiting in a backlog (not accepted).

I suppose all those TIME WAIT - lines have no influence.

> You'll need to set higher max_children in php-fpm.conf in order to

> minimize amount of awaiting connections.

I think I have got it.

Thank you.

>> >> 3) I've tried to patch with suhosin (php security) a php 5.2.6 source

>> >

>> > Is there compiler errors or what ?

>>

>> It won't even ./configure :

>

> I'll need some time to figure out the problem, stay tuned.

Oh well, I don't use Suhosin at the moment, besides it will compile

withouth problems as a self-contained php module, so it's not a big deal.

I have written a small walktrough (very dumbed down for people like me),

here:

http://blog.sonnoprofondo.com/2008/04/30/nginx-php-php-fpm-on-debian-etch-40/

I guess it's not the kind of documentation people on this mailing list

needs, but I guess all kind of documentation, from the technical to the

simplest, may be useful to help adoption of good software ideas like

php-fpm or nginx.

mike

unread,
May 22, 2008, 3:16:48 PM5/22/08
to highloa...@googlegroups.com

This works fine for me. It assumes you have the proper suhosin patch
and php-fpm patch. I think the order applying the patches is
important. This has worked for me for 5.2.4, 5.2.5 and 5.2.6
(obviously with different suhosin patches and such)

#!/bin/sh
VER=5.2.6
BD=`pwd`
rm -rf php-${VER}
wget -c http://us3.php.net/get/php-${VER}.tar.gz/from/this/mirror
tar xvfz php-${VER}.tar.gz
cd php-${VER}
cp ../php-5.2.6-fpm-0.5.8.diff .
patch -p1 < php-5.2.6-fpm-0.5.8.diff
cp ../suhosin-patch-${VER}.patch .
patch -p1 < suhosin-patch-${VER}.patch
make distclean
./configure \
--enable-fastcgi \
--enable-discard-path \
--enable-force-cgi-redirect \
--enable-fpm \
--with-fpm-pid=/var/run/php-fpm.pid \
--with-fpm-log=/var/log/php-fpm.log \
--with-fpm-conf=/etc/php-fpm.conf \
--enable-cli \
--enable-inline-optimization \
--disable-rpath \
--disable-ipv6 \
--enable-mbstring \
--enable-mbregex \
--enable-sqlite-utf8 \
--with-mysql \
--with-mysqli=/usr/bin/mysql_config \
--with-curl \
--with-zlib \
--with-gd \
--with-jpeg-dir=/usr \
--with-png-dir=/usr \
--with-freetype-dir \
--enable-gd-native-ttf \
--enable-exif \
--enable-shmop \
--with-xsl=shared \
--with-mssql=shared \
--enable-soap=shared \
--enable-sockets \
--enable-pcntl=shared \
--with-mcrypt \
--with-bz2 \
--with-tidy \
--with-pcre-dir \
--with-imap=shared \
--with-imap-ssl \
--with-kerberos \
--with-pear
make -j2
make install

Reply all
Reply to author
Forward
0 new messages