manganese upgrade scheduled for 6AM EST sat

Looks like the memory upgrade on manganese will happen tomorrow morning, sometime between 5AM and 9AM EST. They said it shouldn't be down more than 15 minutes or so.

manganese performance tuning

Still waiting on the manganese memory upgrade. :/

However, I've made some configuration changes to apache that should help things run smoother, and also tracked down and resolved a problem that I believe may have been setting off the high server loads.

So things should run a whole lot better now.

Gory details follow for the curious. :)

Here's what I did.

First, I cut the number of allowed apache instances down significantly. Apache instances are bulky, especially given the number of sites running on manganese, so this conserves memory. This is important, because if you run out of memory, linux swaps chunks of memory to disk. If it happens too much, it can really slow things down.

I then disabled the KeepAlive option, so that connections are not held open between requests. Keepalive prevents having to reopen a socket connection for each request (images on a page for example) but it ties up an apache process in the meantime. So I turned that off.

As I was watching the server to make sure this didn't cause even more trouble, I noticed that one user's cgi scripts were being hit in huge batches all at once. There'd be one or two popping in and out for a long time, and then suddenly there's a whole list of these things. Turns out a rather unfriendly spider was making the requests. This was also driving up the load and taking more memory so I blocked it.

The load hasn't stayed as low as I'd like and there is still some swapping going on, but the server does seem to be a whole lot more responsive and quicker to recover from load spikes.

I'll keep an eye on it...

manganese going down for quick upgrade

I've asked the data center to add another gig of RAM to manganese. There has been a lot of swapping going on with that server over the past few weeks, and I think this will help smooth things out considerably.

My options were to give them 24 hours notice to schedule this, or else take the server down for 15 minutes or so as soon as possible. Given that mn has been dragging all day anyway, I went with the latter option.

So: manganse will be down for a bit sometime this afternoon. Sorry for the short notice, but I probably should have done this some time ago.

Giant Logfiles Came From Stupid Mistake

Um. Okay. I've been a complete idiot. :)

The apache logfiles are handled by a script I wrote called ginsu (so called because it chops up the logs into files for each day and site) It's been running fine ever since I first wrote it, and never once had a problem...

UNTIL right before christmas when I "fixed" vengeance. Besides the 30 second rule, I also changed the way vengeance restarted apache, since sometimes apache wouldn't really shut down under high load. So I changed it to a hard kill of the process (sending a KILL signal instead of TERM). The downside is that apache didn't get a chance to clean everything up.

I had vengeance do its own cleanup, but one thing I missed for a while was ginsu: old ginsu processes were still sitting around. They were also taking up a bunch of CPU and driving up the load, so I was killing them whenever I saw them and then yesterday sometime I actually added a line so that if vengeance killed apache, it would kill ginsu as well.

What I didn't think to ask is why were the "dead" ginsu processes taking up so much CPU?

What they SHOULD do is just sit there and wait for their standard input to get a log entry, and then move it to the right place. So a dead ginsu shouldn't take up any resources.

So what were they doing? Well, when the parent apache process got killed, ginsu's standard input stream got messed up, and so somehow it looked liked the same line was being fed over and over. So of course, they were logging that line over and over. And over. And over. Until the ginsu instance got killed, or the hard drive filled up.

I knew something sounded fishy when all those different sites started getting these "attacks". The clue I missed was that the timestamps on each of the duplicate lines was exactly the same. Once I noticed that, it was obvious what happened.

[Michael Moore did link a site on mercury though and send a whole lot of traffic, but I suspect there was a ginsu explosion in that log file too and I just didn't see it in the couple thousands of lines that I extracted before I deleted the giant hard-drive filling file. I'm actually releived to know that even a prominent site like that couldn't cause this hard drive problem.]

So yeah, this was entirely my fault.

On the bright side: it's not going to happen again. I've already made the patch that cleans up ginsu, and I'll also fix vengeance to only do the hard apache kill if the clean one fails.

30 second timeouts, part 2

This is a follow-up to my earlier post about the 30 second timeout rule and its implications for programs like movable type.

Thank you, everyone who offered feedback. I read every reply and tried to address every point raised. I'm working from notes here and responding to a lot of issues at once, so forgive me if I don't credit everyone who offered an idea individually.

clarifications

First of all, I'm not trying to ban MT, and I don't ever want to be pushing people from one CMS to another every time there's a problem. Banning MT would be disastrous for cornerhost's financial prospects, so it's not at all what I was trying to say. MT is simply the most popular piece of software that routinely conflicts with the 30 second execution rule that happens to be very effective at protecting the servers.

Nor did I mean to imply that MT wasn't mature. I just meant that there are other blogging tools that are also mature and don't have MT's particular problem. Wordpress blogs get just as much comment spam as MT blogs, and as Chuck Welch pointed out, there are hosts out there that have had to ban wordpress sites for hogging resources.

how MT degrades

The scalability problems in MT and wordpress are very different. MT uses static html files so that it's easy for thousands of people to view the same page at once. Wordpress (or MT in dynamic page mode) has to make a database connection for each page view and then execute a bunch of database queries, so a massive influx of traffic can tie up the database and really slow things down.

Mt degrades in a different way. Because all the pages on an MT site are rendered as html files, then pages need to be rebuilt every time something changes. For example, if someone post a comment on an entry, then the front page and any archive or category page that shoes that entry has to be updated, because those pages all show the number of comments at the bottom of the entry. The more comments and entries there are, the longer this takes. However, MT often runs much slower than it should, even accounting for these requirements. For example, someone told me last night that the time required for posting a comment to his site went from about 4 seconds to about 40 over the course of a couple days.

If you think about the graph of an exponential function, this makes sense. Things run smoothly, almost flat for a while, and then abruptly curve upward. I haven't jumped into the MT source code to prove this, but I suspect that the comment posting algorithm in MT displays this behavior: you grow too big and suddenly you hit a tipping point, and suddenly your site takes forever to do anything. Like I said, I haven't proved this, but it seems to fit the data.

Comment spam + Slow MT = dead server

Then along comes a spammer, ready to post 500 or even just 5 comments to a blog. Since the spam comes in faster than a "slow" MT site can deal with it, the mt-comment.cgi and mt-trackback.cgi processes pile up in memory. And remember, these aren't little tiny CGI scripts any more. Each one has inflated into a server-crippling resource hog of it's own.

Each server at cornerhost has Dual Xeon 2.8 GHz processors. These are FAST machines. But a program with exponential complexity can tie it up just the same. Think of the exponential graph as representing the amount of hardware resources necessary to complete the task: it shoots up so fast that it doesn't matter how powerful your computer is.

Not every MT site is affected

I haven't looked through the MT code to prove that the algorithm they use has this problem, that's just my theory. Some sites, even older ones, haven't tipped, and may not ever tip. I don't have enough data to nail down the cause. All I know is that SOMETIMES mt goes nuts, and then even moderate comment traffic can take down a server. I usually call these comment spam attacks, but of course it can happen even with normal commenting by real users.

Six Apart is not very cooperative

Someone made the suggestion of working with Six Apart to solve this problem. This is troublesome. If you look at their license, they are somewhat hostile to any kind of outside commercial support. For example, a host is not permitted to preinstall MT for users (only Six Apart can do that) and of course they are actively competing against hosting companies with Typepad. They're aware that MT has this problem. I really can't offer any explanation as to why it still happens in even the latest versions. Either they want to fix it but don't know how, or they don't want to fix it. And since MT is proprietary software, nobody else can (legally) fix it either.

But I really don't hate MT

MT causes me more problems than just about anything else, but I don't really hate it or want to ban it. For the most part, the problem is manageable. I much prefer it when people use other tools, but I understand that people like MT and want to use it and for the most part I'm happy to host MT sites, as long as I can keep the server running.

MT speedups and workarounds

There are some ways to improve MT performance. They have a paper up here:

http://www.sixapart.com/pronet/articles/how_to_speed_up.html

I'm not convinced these solutions address the core problem (the algorithm) but they can help with the symptoms.

Enable background tasks

Some people have told me that enabling background tasks (see the "how to speed up" link above) prevents their sites from running up against the 30 second timeout. I suspect that while the pages appear to run faster, the background tasks may still pile up. However, I haven't had a chance to really look into this yet. In any case, it does seem to improve user experience and should prevent duplicate comment attempts due to timeouts.

FastCGI?

Someone asked about FastCGI.

FastCGI keeps the mt process in memory deliberately, so as to avoid launching a new copy of perl with each page request. If the core problem is (as I am suggesting) an exponential-time algorithm, then shaving a few milli-seconds off the startup for perl wouldn't help much. It can only offer a small, linear improvement, and again the servers are very fast to begin with.

However, I am considering offering FastCGI for other reasons people who use certain web frameworks keep asking for it, so I may offer this at some point in the future, as an add-on service or new account type.

The 30 Second Rule

Let me explain the 30 second rule.

The way it works is there's a script called vengeance that sits in memory, continually monitoring all the processes running on the machine. It knows the difference between a program you're running through the shell (pine or emacs or vim) and one that's being run from cron or apache.

If a script is older than about 15 seconds or so, vengeance will renice it, which means give it a lower priority in the operating system. Then at the 30 second point, the process is simply killed.

For a long time, I turned off the "kill" part. Why? Because so many people complained that MT was getting killed. So for a time, all vengeance did was renice processes. Unfortunately, this just gives you a lot of low-priority scripts that still hog the server. I now whitelist mt.cgi itself, but the mt-comments and mt-trackback scripts still get killed.

The thirty-second rule isn't a cureall (plenty of other things can go wrong) but the servers run a whole lot better, for longer, when it's in place.

Is the rule too strict?

I chose the number 30 because that's what pair.com used to do back when I was a customer there, and pair's servers run pretty well. But the number is just an arbitrary cutoff point.

In general, it just shouldn't take 30 seconds for a high speed modern computer to put a comment on a blog.

Of course there are other scripts that time out, and some of these are harmless. Vengeance doesn't consider the actual resources used by the script.

Nor does it consider the environment. The degree to which a script is tolerated should vary depending on the server load, and other factors. If the server is really busy, it makes sense to shorten the timeout, and if the server is calm, then things can be allowed to run longer.

There's a field of technology called fuzzy logic that's very good at problems like this, and I'm planning to incorporate a simple fuzzy inference engine into a new replacement for vengeance. This is actually a lot easier than it sounds, and it should make the system much more lenient while still keeping the servers stable.

blacklisting spammers

Another approach that strikes at the symptom, but which could benefit a whole lot of people, is a blacklist for comment spammers. I've been hesitant to do this in the past because it's way too easy for the blacklist to be wrong. However, a good blacklist would certainly ward off comment spam, which would ease the burden of the slow MT sites. I haven't made up my mind about this yet, and am very open to feedback.

better analysis of incidents

One problem with vengeance is that it doesn't notify people that their scripts have been killed. It's actually pretty easy to identify a script's owner, even when it's running through apache without SuExec. I consider it a bug that nobody is notified when a script is killed. The data just goes into a logfile, which I look at occasionally, but the information could definitely be put to better use.

The only real obstacle is that I don't want to send someone 500 emails if one of their sites goes nuts. It makes more sense to filter this information automatically and tie it into some kind of ticket system. It's simply a matter of having the time and resources to make it happen.

and finally: rantelope

Even though I'm happy with diversity and will continue to let people host whatever software they want, I also know that I'd have a very strong competetive advantage if there was a tool that I knew inside and out. I'd be able to offer much more in-depth support, even down to the level of optimizing and debugging the code, and doing the initial installation and setup work.

Once upon a time, I decided to write a blogging tool called rantelope for just these reasons, but the project never got very far. It's been on the back burner ever since, and is certainly not ready for prime time.

However, lately I've been thinking more and more of the idea of building rantelope by porting and extending an existing tool (probably wordpress or drupal). This would give me the chance to understand each part of the system without having to create it from whole cloth.

coming soon...

All of this is a lot of work, so it's going to take a while to make it happen. I'm still working out what's coming first, and how all this balances with the many other projects on my plate. In the meantime, at least for a while, the 30 second rule is staying put.

holy crap it happened again

ARGH. Okay, I'm starting to think this diskspace thing is deliberate. It's gone from something that happened maybe once in the three years I've been in business to a regular occurrance.

This out is from a site's log directory on manganese:

-rw-r--r--    1 xxxx     xxxx      1040455 Jan  3 23:57 20060103.log
-rw-r--r--    1 xxxx     xxxx      2466806 Jan  4 23:59 20060104.log
-rw-r--r--    1 xxxx     xxxx      1924651 Jan  5 23:57 20060105.log
-rw-r--r--    1 xxxx     xxxx      2127007 Jan  6 23:56 20060106.log
-rw-r--r--    1 xxxx     xxxx      2161171 Jan  7 23:59 20060107.log
-rw-r--r--    1 xxxx     xxxx      2033203 Jan  8 23:59 20060108.log
-rw-r--r--    1 xxxx     xxxx      1813743 Jan  9 23:59 20060109.log
-rw-r--r--    1 apache   apache   40191872722 Jan 10 22:19 20060110.log

From 2 MB of logs a day to 40GB over the course of a couple hours.

And two other sites are showing similar patterns. Needless to say I haven't had time to implement the solutions I talked about earlier.

update: All of the requests were for a single page and it'sassociated CSS file. If it weren't for the CSS file and the arbitrary URL, I'd think it was a scripted attack. But this almost looks like someone's browser went nuts.

I installed mod_evasive on manganese, which should catch this specific sort of bizarre behavior in the future. It's only a partial solution though. I'll install it on the other machines once I have an RPM set up.

Holiday Post-Mortem

The holidays are generally a rough time around here, for a number of reasons. Large numbers of people have time off and are looking to try new things with their sites, and plenty of bored hackers and script kiddies have time on their hands too. Plus I tend to do a lot of driving (to see my family in Texas for Christmas, and then my girlfriend in Florida for New Years), and on top of all that I've had the flu.

The week before I left, the servers were getting hit pretty hard with comment spam and other normal problems. I spent a lot of time working on vengeance, the script that watches over the servers and helps make sure things are running. After working some bugs out, vengeance has been handling most of the issues from high load. I posted a little bit about that (regarding the 30 second timeout) a few days ago, and have gotten a lot of great feedback, which I'll be responding to shortly.

Right now, I wanted to write a bit about three incidents that didn't get handled automatically and lead to several hours of downtime each, and try to analyze what happened and what I'm going to be doing differently in the future.

incident: scandium overload on 12/28/2005

This turned out to be an issue with spamassasssin. As I posted to innercircle shortly after it was resolved:

As far as I can tell, the issue on scandium seems to be from spamassassin going out of control. It's due for an upgrade anyway, but I'm not going to make any major changes that might cause more problems over the holidays here. For the time being, I've set spamassassin to restart every 15 minutes on this machine, and I'll keep an eye on things. So far it's been up for an hour and 20 minutes with no problem.

incident: manganese out of disk space (!) on 01/02/2006

On the 2nd, a single user's site was essentially attacked by an out-of-control bot. Bloglines, or someone claiming to be bloglines, began requesting a small set of feeds many times a second. While the server handled the traffic without problem, it caused the site's logfile to grow at an astounding rate, quickly filling over 60GB of hard drive space.

For comparison, all the log files for all sites for the past several years on manganese currently take up about 69GB. Many of those files are zipped and some people delete their older logs regularly, but the point is this was an extremely unusual situation that I wasn't prepared for.

In any case, once I finally got wind of the problem and deleted the logfile and confirmed that the "attack" was over with, things returned to normal.

incident: mercury out of disk space (!!) on 01/04/2006

And then of course the same thing happened on mercury two days later. I was back home and out of bed by this time and caught the problem much sooner. I already posted about this (see the "mercury vs michael moore" blog entry)

prevention

Here's a list of things I'm working on to help prevent these problems from happening again, and to help minimize outages next time something unexpected goes wrong.

continue to improve the monitoring system

Before I left for Texas, when I was working on vengeance, I came up with a whole set of changes I wanted to make, including a renaming the thing and opening the source code for collaboration and feedback, and also just making the whole system smarter. I got about a third of the way through the list before I had to leave, and once I finish catching up on email, that will be my main project again. More on that soon.

more transparent status reports

A big complaint that several people had was that I didn't post any sort of feedback that I was aware of the problem. This has been an issue in the past, too. Usually when something goes wrong, I get a steady stream of messages from customers who want to know what's going on and when things will be fixed and not even knowing if I'm aware of the issue or working on it or what.

My plan is to set up a centralized system for this, as well as a public status page that combines an uptime display for all servers, the status blog, and various other resources. I'm picturing an "incidents in progress" box that shows all known open issues and when I was paged, and so on.

cooperative system administration

Once the status for all servers is available to everyone, it makes sense that other people ought to be able to act on that information, especially when I'm not around. Since I don't have the budget to hire a team of admins, a couple people have suggested I start empowering certain trusted customers to help out. I don't have any set plan in this regard, but I'm very open to this idea and plan to explore it further in the coming weeks.

mobile network access for me

Another problem is that I can't be at my computer 24x7. I can be paged when things go wrong, but when I'm on the road (or at the gym, or doing laundry, or just generally away from my desk) then of course I don't have access to the internet. When I'm driving I tend to stop every couple hours to take advantage of the wi-fi from a McDonalds or Starbucks, but that's often hit-or-miss.

My phone is one of the earliest internet-enabled phones and the connection is so slow as to be useless. Thankfully, Verizon is finally providing broadband speeds in most of the places I tend to be, so I'll be upgrading my phone to a newer model this week.

upgrading spamassassin

Speaking of upgrading, I'm going to upgrade spamassassin this week as well. Aside from it taking down Scandium, other users have been complaining about flaky behavior (spam not getting tested, etc). I'm starting to suspect that this may be a byproduct of the 30-second rule, and if so I should have that resolved today. But I'd also like to keep it up to date and so will be upgrading to the lastest version as soon as time permits.

enforcing disk quotas at OS level

Could the disk space problem have been prevented? I already have a system to monitor that. It acts as an early warning signal, by alerting me if the space drops below a threshold, and it does the (very slow) work of figuring out what files and directories are taking up the space.

But these issues happened so quickly that the disk space was out before the early warning system even noticed. The better answer here would be to use hard disk quotas at the operating system level, rather than the more flexible but (as these incidents showed) more vulnerable soft quotas I'm using now. Setting up hard quotas is also on my short list.

etc.

This whole thing is an ongoing process, and as usual I'm open to ideas or feedback on any of this.

I'll be following this up later today with another post responding to the feedback I got on the 30-second timeout rule, so stay tuned...

control panel working again

The control panel has been working again for at least an hour or so. The problem seems to be not with MySQL, but in communicating with the XML-RPC servers on the various machines. Restarting the server fixed it, but I didn't have a chance to diagnose the exact problem. If it happens again, I'll look there first.

Control Panel Down

The control panel is refusing connections. I think it's an issue with the session database, since other MySQL apps on the machine are working fine... I'm looking into it right now.