Results 1 to 18 of 18
  1. #1

    why User root is running process httpd all time?

    Hi ... I usually use the "top" command to see what is happening in my server ... Normally everything is OK untill one week ago I start so see this process:

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    1115 root 20 0 10768 10m 164 R 26 0.5 46:17.27 httpd


    Is the number 1 on the top list using a lot of CPU and MEM (as I say before ... I never have seen this command in the past)

    So when I kill the process everything goes fine but only for a few minutes and then is comming back

    any ideas ?
    Thks a lot guys !

  2. #2
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    This is normal, is used to grab port 80 and fork, among other reasons.
    This is what your initial httpd process runs as.
    You'll always see 1 owned by root.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  3. #3
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    It's normal to see one (and only one) httpd process running as root but it's not normal to see it using a lot of resources. Assuming 1115 is still the pid, try
    Code:
    cat /proc/1115/cmdline
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  4. #4
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    Your CPU is a little high, but .5% Mem isn't a lot.
    If your server is busy, this could be normal...how many active connections do you have when the cpu is this high?
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  5. #5
    Yes, your CPU load seems to be high, You can check active connection by using the
    following command,

    #netstat -an | grep :80 | sort

    This command output will show only the active internet connection to your server
    at port 80 and sort the results.
    Support Facility | 24/7 web hosting technical support services
    Technical support | Server management | Data migration

    Technical Articles

  6. #6
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    For all active, add
    |grep ESTAB
    onto that
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  7. #7
    Join Date
    Jul 2009
    Location
    SLASH ROOT
    Posts
    26
    Apache(httpd) would run under the user you specify it to. This can be changed under the Apache configuration file "%apacheroot%/conf/httpd.conf"


    You could use these commands to know :

    1. Which server IP address is getting these connections.

    netstat -ntu | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -n|tail -n 5
    (ipv4)
    netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -n
    (ipv6)

    2. This would tell you which all IP addresses are currently connected/connecting to your web server.

    netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -n

    Hope this helps out...

  8. #8
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    That reminds me, I need to get my Sherman tank cleaned...goin' deer hunting tomorrow...
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  9. #9
    Thks everybody for u help

    I got this result with the next commands:
    # netstat -an |grep :80 |wc -l
    1506

    # netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c
    13 CLOSE_WAIT
    2 CLOSING
    273 ESTABLISHED
    18 FIN_WAIT1
    4 FIN_WAIT2
    177 LISTEN
    38 SYN_RECV
    1558 TIME_WAIT

    With the command to see all ips are connectes to my server (netstat -plan|grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n) only going to put the last 9 results wich are:

    18 0.0.0.0
    23 208.53.131.169
    24 189.147.148.190
    7 115.132.61.130
    7 189.163.242.1
    7 189.164.59.196
    7 66.98.25.235
    8 83.35.141.168
    10 200.67.219.247
    18 0.0.0.0
    36 208.53.131.169
    66 189.189.134.240


    According to my WHM Apache stats I got this:
    Current Time: Friday, 03-Jul-2009 11:26:08 CDT
    Restart Time: Thursday, 02-Jul-2009 14:31:46 CDT
    Parent Server Generation: 0
    Server uptime: 20 hours 54 minutes 22 seconds
    Total accesses: 1856619 - Total Traffic: 4.3 GB
    CPU Usage: u7.16 s6.24 cu154.85 cs0 - .224% CPU load
    24.7 requests/sec - 60.1 kB/second - 2493 B/request
    14 requests currently being processed, 16 idle workers

    _C___..C._WC___CC_CC.CCC_C.._.____WC............._..............
    ................................................................
    ................................................................
    ................................................................


    So is it all information good?
    Thks

  10. #10
    Join Date
    Sep 2003
    Location
    Chicago, IL
    Posts
    164
    Seems pretty nominal overall. Maybe the CPU usage is due to disk I/O?
    eSited LLC - Dedicated Servers, VPS, Managed Hosting
    Nullivex LLC - Web Services, PHP Development, System administration.
    █ Visit http://www.esited.com/ or Email contact[at]nullivex.com

  11. #11
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by bryan_tong View Post
    Seems pretty nominal overall. Maybe the CPU usage is due to disk I/O?
    That is very likely since the httpd process is responsible for access and error logging too - and it is not really efficient to have the system do a write on every read - (extfs used to have this issue before noatime and relatime, the httpd issue is similar but not quite as bad).

    You might want to consider piping your access logging to another program that will buffer your logs a little so they aren't so disk-intensive.
    RAM Host -- Premium & Budget Linux Hosting From The USA & EU
    █ Featuring Powerful cPanel CloudLinux Shared Hosting
    █ & Cheap Premium Virtual Dedicated Servers
    Follow us on Twitter

  12. #12
    I Think u rigth ...
    My error log is about 11Gb and it's getting bigger and bigger every second

    MY access log is 26Mb so I think is a lot of difference between error log and access log
    The question is what can I do for fix this

  13. #13
    Join Date
    Sep 2003
    Location
    Chicago, IL
    Posts
    164
    Well you can start by truncating the error log to at least 20mbs or less.

    11gbs is a lot. The other thing to do would be to check what the error is. It might be something that is continually repeating due to a bad server configuration.

    Try doing a tail -f on it and see how often its spiting out errors.

    This is most likely the reason for the cpu though if its throwing 100 erros/sec.
    eSited LLC - Dedicated Servers, VPS, Managed Hosting
    Nullivex LLC - Web Services, PHP Development, System administration.
    █ Visit http://www.esited.com/ or Email contact[at]nullivex.com

  14. #14
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by bryan_tong View Post
    Well you can start by truncating the error log to at least 20mbs or less.

    11gbs is a lot. The other thing to do would be to check what the error is. It might be something that is continually repeating due to a bad server configuration.

    Try doing a tail -f on it and see how often its spiting out errors.

    This is most likely the reason for the cpu though if its throwing 100 erros/sec.
    Agreed. Also check and make sure your site isn't generating lot's of 404 not found errors - things like /favicon.ico are very bad at doing that.

    Also, if you haven't got it already, you might consider setting up logrotate to automatically archive your old logs so you don't get massive logs like this (that may be beyond what you are able to do however)
    RAM Host -- Premium & Budget Linux Hosting From The USA & EU
    █ Featuring Powerful cPanel CloudLinux Shared Hosting
    █ & Cheap Premium Virtual Dedicated Servers
    Follow us on Twitter

  15. #15
    Join Date
    May 2009
    Location
    SLASH ROOT
    Posts
    853

  16. #16
    You were rigth guys

    I had a lot of stupid errors like
    404 not found errors and /favicon.ico

    Well you can start by truncating the error log to at least 20mbs or less.
    How Can I do that?

  17. #17
    Join Date
    Sep 2003
    Location
    Chicago, IL
    Posts
    164
    Someone might have something better but basically this sequence should work.

    Code:
    cp /var/www/logs/error_log /var/www/logs/error_log_old
    cp /var/www/logs/access_log /var/www/logs/access_log_old
    Code:
    echo “ “ > /var/www/logs/error_log
    echo " " > /var/www/logs/access_log
    You will need to of course edit the paths.
    Last edited by Winstyn; 07-07-2009 at 12:14 AM. Reason: Forgot about path editing.
    eSited LLC - Dedicated Servers, VPS, Managed Hosting
    Nullivex LLC - Web Services, PHP Development, System administration.
    █ Visit http://www.esited.com/ or Email contact[at]nullivex.com

  18. #18
    Join Date
    May 2009
    Location
    SLASH ROOT
    Posts
    853

Similar Threads

  1. httpd running under user nobody
    By xeno007 in forum Hosting Security and Technology
    Replies: 7
    Last Post: 12-08-2008, 05:24 PM
  2. WHM emails.. Suspicious process running under user XXXX..
    By webuser00 in forum Hosting Security and Technology
    Replies: 2
    Last Post: 08-29-2008, 09:08 PM
  3. How do i work out the running time of a process?
    By PhilG in forum Hosting Security and Technology
    Replies: 4
    Last Post: 10-14-2006, 05:52 AM
  4. how to on linux bash from root run process as diffrent user?
    By nand in forum Hosting Security and Technology
    Replies: 2
    Last Post: 09-05-2004, 11:54 PM
  5. getting the user from the httpd process
    By DuncanMcLord in forum Hosting Security and Technology
    Replies: 5
    Last Post: 07-28-2002, 11:14 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •