Trinity Net

Debugging high Roundcube server load

segfault — Fri, 18 Jun 2010 22:49:11 +0000

Recently I’ve been attempting to fix a problem with high load on a server that is dedicated to serving Roundcube Webmail. The load issue appeared after migrating users off Squirrelmail and onto Roundcube. The symptoms are: high load average and lots of Apache child processes connected to the IMAP server sitting in the CLOSE_WAIT. For the most part, Apache was serving up the pages in a timely manner. I managed to deal with the load issue by killing off the stale child processes with a script, however this was no long term fix.

Many people have reported this issue over the last few years. I joined the list of people complaining about this problem in the Roundcube Trac in an effort to solve the issue.

The server was a fairly standard setup: Ubuntu 8.04 LTS, Apache2, PHP5 (mod_php), Roundcube 0.3 and Imapproxy. In order to try to fix the load problem, the server was upgraded to Ubuntu 10.04 LTS and php-apc was installed. This resulted in crippling load on the server and very slow page load times.

Further investigation and a good hunch revealed that MySQL needed tuning. Up until this point, MySQL had been running with the default tuning options. As Roundcube stores all its data using InnoDB, the InnoDB settings had to be tuned. Changing the following options caused the webmail to instantly perform well again.

innodb_buffer_pool_size = 64M
innodb_additional_mem_pool_size = 20M

php-apc was doing a great job and the cache hits for it were almost 100%. The issue with Apache children hanging around still persisted however. I began to think that the cause might be bottlenecks that were being thrown in Roundcube’s way.

I suspected that imapproxy may be one bottleneck in the system. Netstat revealed that there were 200 IMAP connections open by imapproxy. Once it was disabled, this fell to a handful. The Roundcube interface became very responsive and the load issue on the server went away. Now there are no Apache children that get stuck in the CLOSE_WAIT state.

If you’re having similar problems, try the above solutions that worked for me. If they don’t work, I’d suggest looking for other bottlenecks on your system as Roundcube seems to be quite sensitive to them.

Sacred music resources for the Mass

segfault — Wed, 28 Oct 2009 07:59:35 +0000

There are so many sites on the internet now that offer sacred music suitable for the Mass that I have started losing track of them. This is my attempt to bring them all together on one page. I’ll try to keep this up to date as I find new sites.

Polyphony

Choral Wiki

Organ/Hymnody

Propers

Ordinaries

MP3 recordings of ordinaries including notation

Psalmody

shadowAccount attributes in LDAP

segfault — Sat, 06 Jun 2009 23:27:06 +0000

An explanation of the shadowAccount attributes in LDAP. These correspond to the fields in /etc/shadow

shadowLastChange – number of days since January 1, 1970 that the password was last changed.
shadowMin – number of days before the password can be changed (typically 0).
shadowMax – number of days before the password must be changed (typically 99999).
shadowWarning – number of days to warn user of an expiring password (typically 7).
shadowInactive – number of days after password expires that account is disabled.
shadowExpire – number of days since January 1, 1970 that the account was disabled.
shadowFlag – reserved.

Setting up tftpd on Debian/Ubuntu

segfault — Mon, 30 Mar 2009 04:31:29 +0000

The documentation on setting up tftpd on Debian/Ubuntu is pretty sparse Here is how you do it:

sudo apt-get install tftpd && sudo mkdir /srv/tftp
 
# If you want to be able to upload to the TFTP server
sudo chown nobody /srv/tftp

Setting up IOS clock for New Zealand timezones

segfault — Mon, 30 Mar 2009 00:12:56 +0000

First set the clock to the current time:

clock set 13:08:30 30 March 2008

Then tell IOS what the New Zealand offset is and when daylight savings comes in:

clock timezone NZST 12
clock summer-time NZDT recurring last Sun Sep 2:00 1 Sun Apr 3:00

The official Cisco documentation is here.

Make your own Cisco RJ45 to DB9 console cable

segfault — Sun, 29 Mar 2009 03:33:49 +0000

Today I purchased a Cisco 2950 switch and needed a console cable (RJ45 to DB9) so that I could set the switch up. Rather than pay through the nose for a pre-made cable, I realised that I could make my own one from an old serial cable. You just need a spare RJ45 plug and a crimper.

CCNA Network Simulator

segfault — Mon, 23 Mar 2009 10:12:19 +0000

InformIT have the Cisco Press CCENT ICND1 640-822 Network Simulator on sale for only $75 USD. As a special deal until the end of May, you will receive a free copy of the CCNA ICND2 640-816 Network Simulator when it is released in June. That’s a saving of $75 USD! Both of these combined will provide you with all the labs that you need to know for your CCNA exam. For a review, click here.

Omnibus update: Django 1.0, GeoDjango, Google Maps SRID

segfault — Wed, 08 Oct 2008 01:21:41 +0000

Django 1.0 has been released. I haven’t had a chance to play around with it yet, but it is a vast improvement on 0.97. You can read the release notes here.

GeoDjango is a geographic framework for Django that is now included as part of the Django distribution. It looks fairly good and I’ll be using it on some upcoming projects. There are some presentations here if you want to get an idea of how it works.

Google Maps has its own SRID: 900913. 1337-speak for Google. If you want to use it with PostGIS, you’ll have to add the definition to the spatial_ref_sys table.

Setting up a Dynalink RTA1335 in half-bridge mode

segfault — Thu, 10 Jul 2008 06:55:52 +0000

Ben has a great tutorial on setting up a Dynalink RTA1320 or RTA1335 in half bridge mode so that you can have a world routable IP on a separate router (ie, a Linksys WRT54G). I have pretty much the same setup as Ben – the only difference is that I have a Dynalink RTA1335.

I can highly recommend these Dynalink products. So far I haven’t had any problems and I’m surprised at the quality of the firmware – far better than products from much bigger companies (ie Linksys, D-Link, etc). I can also highly recommend the Tomato firmware for the Linksys WRT54G wireless router. I used to run DD-WRT and was reluctant to move to Tomato because DD-WRT was quite good. After having moved though, I’m wishing that I had done it earlier. Tomato does everything that I need and it does it well.

One particular feature that I can’t live without is the bandwidth graphs in Tomato. There is also a feature to save the data usage logs to an SMB share so that if you have to restart your router, historical usage data can still be shown. Another feature that I’m quite happy about is the ability to force clients to use only WPA2 + AES to connect to the router. I ultimately want my network to be as secure as possible and forcing clients to use WPA2 + AES is a good way of doing that.

Major DNS vulnerability discovered

segfault — Thu, 10 Jul 2008 04:45:00 +0000

Dan Kaminsky recently discovered a vulnerability in the DNS protocol that could lead to DNS cache poisoning attacks. When a DNS lookup is made, the DNS server returns a random query id between 1 and 65,000. What Dan found is that the query id’s that were being generated by a lot of the DNS servers were not all that random, allowing someone to potentially poison a DNS cache by anticipating the query id. You can read more about this issue here. The Ubuntu security report is here. I would strongly recommend that you upgrade your DNS servers ASAP if you haven’t already.