CentOS 6 minimal + Apache+MySQL+latest PHP with eAccelerator, Suhosin

[hybrid]

I'm working on recreating (and enhancing) my minimal LAMP server configuration on CentOS 6 for my web server.

 

I use Apache and MySQL from the CentOS repos, but prefer to compile my own PHP to stay up-to-date with each new stable release of PHP as soon as it is available. I also like to add support for eAccelerator (a memory cache and bytecode cache for PHP, speeds up execution of PHP scripts considerably) and will add support for the Suhosin security patch and extension for PHP.

 

I'm also moving towards using SELinux in enforcing mode with this new CentOS 6 server for enhanced security.

 

I hope in this post to document my setup for this -- Apache, MySQL and the latest PHP from source, as well as eAcceleration and Suhosin, all SELinux compliant. This setup is not yet finished and this post should not therefore be used 'blindly' as a guide for a production server. I'm still testing this setup in a private, closed environment!

 

I have also not gone through this guide start-to-finish to test that it is complete. Since this is an adaptation of my personal guide, which contains specific details of my setup that aren't relevant to a general audience, I have not verified that this particular write-up actually works.

 

Filenames for download links may change as new versions are released. Check all software versions to make sure outdated versions are not being installed.

 

Bear in mind, therefore, that this guide is a work in progress. [img]<___base_url___>//public/style_emoticons/default/wink.png[/img]

 

Install Pre-requisite Packages

 

Begin by ensuring the Development Tools are installed, to faciliate compiling our own PHP and extensions.

 

Code:

# yum groupinstall 'Development Tools'

 

Now install the prerequisites:

 

Code:

# yum install httpd mysql-server httpd-devel libxml2-devel libcurl-devel libjpeg-devel ImageMagick-devel libpng-devel gmp-devel mysql-devel libtool-ltdl-devel

 

MCrypt must be installed manually (I don't want to use third-party yum repos). Download latest from http://mcrypt.sourceforge.net/.

 

Code:

$ tar xjvf libmcrypt-2.5.8.tar.bz2
$ cd libmcrypt-2.5.8
$ ./configure
$ make
$ su -c "make install"

 

MySQL desperately needs a root password set.

 

Code:

$ mysqladmin -u root password newrootpassword

 

Also configure Apache to your specifications. I will omit that configuration here, as much of it is specific to my setup and not relevant to a general audience.

 

Download Suhosin Patch

 

Assumes the Suhosin GPG key has already been securely imported, for verifying the integrity of the patch and extension.

 

Code:

$ wget http://download.suhosin.org/suhosin-patch-5.3.7-0.9.10.patch.gz
$ wget http://download.suhosin.org/suhosin-patch-5.3.7-0.9.10.patch.gz.sig
$ gpg --verify suhosin-patch-5.3.7-0.9.10.patch.gz.sig
$ gunzip suhosin-patch-5.3.7-0.9.10.patch.gz

 

PHP 5.3.7 with Suhosin Patch

 

Download latest PHP from http://www.php.net.

 

Code:

$ tar xjvf php-5.3.7.tar.bz2
$ cd php-5.3.7
$ patch -p 1 -i ../suhosin-patch-5.3.7-0.9.10.patch
$ './configure' '--with-mysqli' '--with-mysql' '--enable-bcmath' '--enable-mbstring' '--with-gmp' '--with-curl' '--with-gd' '--with-freetype' '--with-apxs2=/usr/sbin/apxs' '--with-zlib' '--with-mcrypt' '--with-jpeg-dir' '--with-png-dir' '--with-gif-dir'
$ make
$ make test
$ su -c "make install"
$ su -c "chcon -t textrel_shlib_t '/usr/lib/httpd/modules/libphp5.so'"
$ su -c "/sbin/service httpd restart"

 

PHP configuration to /usr/local/lib/php.ini.

 

Code:

# /usr/bin/chcon -t etc_t /usr/local/lib/php.ini

 

Suhosin Extension

 

Code:

$ wget http://download.suhosin.org/suhosin-0.9.32.1.tar.gz
$ wget http://download.suhosin.org/suhosin-0.9.32.1.tar.gz.sig
$ gpg --verify suhosin-0.9.32.1.tar.gz.sig
$ tar xzvf suhosin-0.9.32.1.tar.gz
$ cd suhosin-0.9.32.1
$ phpize
$ ./configure
$ make
$ su -c "make install"
$ su -c "cp modules/suhosin.so /usr/local/lib/php/extensions"
$ su -c "chcon -t textrel_shlib_t '/usr/local/lib/php/extensions/suhosin.so'"

 

Enable extension in PHP.ini:

 

Code:

extension="suhosin.so"

 

Restart Apache:

 

Code:

# service httpd restart

 

Use a PHPInfo page to verify Suhosin Patch and Suhosin Extension are working.

 

eAccelerator

 

Download page appears to be down as of 2011-08-21. [img]<___base_url___>//public/style_emoticons/default/sad.png[/img]

 

Code:

$ tar xjvf eaccelerator-0.9.6.1.tar.bz2
$ cd eaccelerator-0.9.6.1
$ phpize
$ ./configure
$ make
$ su -c "make install"
$ su -c "cp modules/eaccelerator.so /usr/local/lib/php/extensions"
$ su -c "mkdir /var/cache/eaccelerator"
$ su -c "chown apache /var/cache/eaccelerator"
$ su -c "/etc/init.d/httpd restart"
$ su -c "chcon -t textrel_shlib_t '/usr/local/lib/php/extensions/eaccelerator.so'"

 

Configure eAccelerator settings in PHP.ini:

 

Code:

extension="eaccelerator.so"
eaccelerator.shm_size="128"    ; 128 MB of memcaching, lower on low-memory machines
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
eaccelerator.log_file="/var/log/eaccelerator.log"

 

Set up dirs:

 

Code:

# mkdir /var/cache/eaccelerator
# chown apache /var/cache/eaccelerator
# touch /var/log/eaccelerator.log
# chown apache /var/log/eaccelerator.log

 

TODO: SELinux contexts for /var/cache/eaccelerator and /var/log/eaccelerator.log?

 

Restart Apache:

 

Code:

# service httpd restart

 

Verify eAccelerator with a PHPInfo page.

[inittux]

Thanks for this post :) Looks like you're loading eaccelerator as a module into your apache, did I see that right?

[hybrid]

I'm loading eAccelerator as a PHP extension. After compiling and installing PHP, I do the phpize, ./configure, make, make install dance with eAccelerator (then copy the file into the actual PHP extensions folder, as it doesn't seem to pick up the right place to put it).

 

PHP is running as an Apache module with mod_php (that's achieved with the --with-apxs2=/usr/sbin/apxs switch when I configure PHP).

[hybrid]

Note that you should not upgrade to PHP 5.3.7 -- there is a serious bug with crypt() and MD5 which might affect some PHP applications and in the worst cases, allow people to bypass some kinds of password authentication. I will update this guide for PHP 5.3.8 upon release.

[Dungeon-Dave]

I'm really interested in your experiences on here - it's a fascinating insight into your journey.

 

I'm also curious about two things:

1. Why not use the YUM-supplied packages from the official repos? Do you get any version conflicts between what CentOS understands as installed packages (RPM databases) versus what's been manually compiled?

2. Any advantages in using eAccelerator over APC? I've not really looked at caching/accelerating - Xoops has inbuilt caching, and the last time I tried some PHP caching module I found it didn't like certain PHP expressions and seemed to cache non-working code.

 

Actually, on that last bit:

Code:

$ rpm -qa | grep -i php
php-eaccelerator-5.0.4_0.9.3-4.2.fc4.rf

aha, seems I was using eAccel anyway, which I then disabled.

 

Thinking about it - I'm kinda blaming the package for my own lack of knowledge/familiarity. Do you have any configs or guides to use eAccel? I'd like to have another crack at using it, but I'm conscious that it's not a set-and-forget thing, and I'd prefer to pick the brains of someone that has used it.

[hybrid]

Well, I've done the upgrade and it is live on my actual production web server. The actual process I went through, as I've already mentioned, is more complicated and has more customisation that isn't necessarily public. Hopefully I will update this more generic guide soon. :)

 

To answer your questions, Dave...

 

1.

 

There was a time, quite a while ago, when I was making use, in my custom PHP apps, of new features in PHP 5.3 (or perhaps it was a point-release of 5.2?) that weren't available in the version that was in the CentOS repos. For that reason initially, I compiled my own, and have desired ever since to keep up with the official releases! I probably don't need to anymore, but it feels like something I want to do!

 

I haven't had any conflict issues.

 

2.

 

I haven't looked at APC in detail (perhaps I should!), but it is suggested that eAccelerator is faster than APC, although obviously any opcode caching is faster than none!

 

I've not had any compatibility issues with eAccelerator either -- it works for me and has not caused problems, so I'm quite happy.

 

You'll notice from my configuration of it somewhere in the mess above that I use quite a large shared memory size -- 128 MB -- for the cached scripts. The server has no GUI, minimal other stuff running and 1.5 GB of RAM, so I try to make good use of all that free RAM by being quite aggressive with eAccelerator's caching memory usage.

 

As far as configuration goes, it is pretty simple for me. I literally just compile it in, create any necessary directories and drop its settings (again, somewhere in that post above) into PHP.ini. After that, it just works. It offers only a modest speed increase on an already under-stressed machine, but I want to do everything I can to ensure my site feels snappy.

[hybrid]

Quick update on my actual server install.

 

I threw it all out after seeing, via Tripwire, what I thought were suspicious changes to some binaries on the system that I couldn't account for. It looks like this was actually prelink, so no harm was actually done on the box.

 

So, I reinstalled again from scratch, using my guide, which has been very successful. It's running well, as far as I can see!