Exiting SSH sessions suddenly killing Apache
Okay, this is a doozy. I'm running Apache 2.4 on Ubuntu 16.04 server instances. I use near-identical environments for both production and testing instances, as well as a near-identical VirtualBox instance that I manage using Vagrant for development. For the longest time, I've been able to SSH into any of these server instances as the same user that Apache runs under, deploy some application code changes, and then run `exit` to terminate the SSH session, and Apache would be running just fine afterward. Now, however, I can't do an `exit` without the Apache service encountering a fatal error:
[mpm_prefork:emerg] [pid 23466] (43)Identifier removed: AH00144: couldn't grab the accept mutex
[core:alert] [pid 17750] AH00050: Child 23466 returned a Fatal error... Apache is exiting!
Notes:
- The Apache user is `app`.
- If I SSH as `app`, switch to `root`, `restart` the service as `root`, switch back to `app`, then terminate the session, it kills Apache.
- If I SSH as `root`, `restart` the service, then terminate the session, Apache is fine.
- If I SSH as `root`, `restart` the service, switch to `app`, switch back to `root`, then terminate the session, Apache is fine.
- If I SSH as `root`, `restart` the service, terminate the session, SSH again as `app`, then terminate the session again, it kills Apache.
- Prior to this week, I've been able to consistently SSH as `app`, switch to `root`, `restart` the service as `root`, and terminate the session without killing Apache.
- I've tried modifying `/lib/systemd/system/apache2.service.d/apache2-systemd.conf` and changing the line `RemainAfterExit=no` to `RemainAfterExit=yes`, performed a `systemctl daemon-reload`, and finally a `service apache2 restart` with no effect.
Is there some explanation for the sudden change in behavior? Is there a reasonable fix to restore previous behavior? If not, then what would be best practice for deploying changes to application code and giving permissions for Apache (the `app` user) to read it without needing to log in to an SSH session as `root`? The entire reason for logging in as `app` was to limit the need to log in as `root` in the first place.
I'm at a complete loss here and don't understand how everything could suddenly be broken.
The root cause of this is a change in how systemd (from 219) handles IPC objects created by logged in users. By default it will remove any IPC objects left after the user logs out. This applies to all non-system users (uid >= 1000). System users (uid < 1000) are not affected.
Since you have changed Apache to run under a non-system user, whenever you log out of that user account, systemd nukes all of Apache's IPC objects, and Apache then complains about losing its mutex and dies.
You can change this behavior by setting `RemoveIPC=no` in `/etc/systemd/logind.conf` (the default on Ubuntu is `yes`) and restarting `systemd-logind.service`.
It's better to leave Apache running as a system user (e.g. `www-data` on Ubuntu), and use permissions and ACLs to give `www-data` access to files it needs to read/write.
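
The check below is an added example, not part of the original answer: it decides whether a service account's IPC objects would be removed at logout, using the two conditions the answer gives (`RemoveIPC` in effect, UID of 1000 or above). The function names, the sample config contents and the sample UIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: default RemoveIPC=yes and UID cutoff 1000 (both as
# stated in the answer); drop-ins under logind.conf.d are not merged here.

# effective_remove_ipc FILE [DEFAULT] -> prints "yes" or "no"
# Last uncommented RemoveIPC= in the [Login] section wins; otherwise DEFAULT.
effective_remove_ipc() {
    conf=$1; default=${2:-yes}
    value=$(awk -F= '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_login = ($0 ~ /^[ \t]*\[Login\]/); next }
        in_login && $1 ~ /^[ \t]*RemoveIPC[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v); last = tolower(v)
        }
        END { print last }
    ' "$conf" 2>/dev/null) || value=
    case $value in
        yes|true|on|1)  echo yes ;;
        no|false|off|0) echo no ;;
        *)              echo "$default" ;;
    esac
}

# ipc_at_risk UID FILE [UID_MIN] -> exit status 0 if logout cleanup applies to UID
ipc_at_risk() {
    uid=$1; conf=$2; uid_min=${3:-1000}
    [ "$(effective_remove_ipc "$conf")" = yes ] && [ "$uid" -ge "$uid_min" ]
}

# Constructed sample configs (not taken from the post).
tmp=$(mktemp -d)
printf '[Login]\n#RemoveIPC=yes\n' > "$tmp/stock.conf"   # commented out: default applies
printf '[Login]\nRemoveIPC=no\n'   > "$tmp/fixed.conf"   # the change from the answer

# Constructed UIDs: 33 stands for a system account, 1000 for a login account.
for f in stock fixed; do
    for u in 33 1000; do
        if ipc_at_risk "$u" "$tmp/$f.conf"; then r="removed at logout"; else r="kept"; fi
        echo "$f.conf uid=$u: IPC objects $r"
    done
done
rm -rf "$tmp"
```

On a live host, `ipc_at_risk "$(id -u app)" /etc/systemd/logind.conf` answers the question for the `app` account from the post.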