


Good day, dear %username%!
I would like to congratulate all admins on this holiday, and in honor of it I wrote this post. By the nature of my work (*nix admin), I come across all sorts of requests for help with servers. Usually the requests are along the lines of "our site has started slowing down" or "something has hung here", and so on. Very often the problems arise from the actions of programmers who do not always understand what they are doing, or do not understand the consequences of what they are doing. After watching all this, I decided to share a few cases and admonitions with you.

Initially I thought of calling the post “stop admin” and collecting in it the typical mistakes of admin programmers, but the idea went in a slightly different direction, so the title turned out the way it did. I apologize in advance for the disjointed post: I just felt like writing, and wrote things down as the thoughts came.

Case 1.

- “Anton, our site has started slowing down. Will you take a look?”
The wording is fairly standard, so to get some idea of what is happening, I ssh into the server.
Looking at top, I see a php process that is eating a lot of resources. What is it? Nothing criminal, just remove_old_thumbs.php. As you might guess, it removes old thumbnail images. That would be fine, but it does so very aggressively.
iotop says the script is hammering the hard drive. That is understandable: rummaging through folders and deleting thousands of files is resource-intensive, especially on virtual machines. The solution?
ionice -c3 php remove_old_thumbs.php
Since removing old thumbnails is not critical and does not need high priority, it can be run with low I/O priority. We start it that way: the process runs more quietly, the site stops slowing down, the thumbnails are slowly removed, and everyone is happy.

Case 2.

- “Anton, we have started making thumbnails here, but something is slow.”
Well, let's see. Well, well. The links to thumbnails look like this: thumb.php?image=images/12311.jpg. Here I have to dig into the code.

- The source pictures for the thumbnails all sit in one folder, and there are close to a million of them. There is no need to abuse the fs like that.
- The script does not save the generated thumbnails. On every request it generates the thumbnail anew. Not comme il faut, gentlemen!
- Generating thumbnails for all the images up front would take a long time.

Let's work through the case. For a start, it would be good to sort all the pictures into folders. The proposal is to sort them by date, with the date taken from the publication. There are no particular problems with this; everything is transparent and clear. The result looks something like this: images/2013/08/12311.jpg.
To deal with the last 2 points, it was proposed to give thumbnails addresses such as thumbs/2013/08/12311.jpg and to configure a rule in nginx that checks whether a file exists at the requested URL and, if it does not, passes the request to thumb.php. In turn, thumb.php generates the thumbnail, shows it to the client and saves it to disk at the requested address. Thus we unloaded the cpu and the fs, and the site flew.
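The rule described above, as an added nginx fragment (not the original site's config); the server name, document root, PHP-FPM socket path and the URL regex are assumptions. thumb.php is marked internal, so its image parameter is built only from the digits matched in the URL and cannot be supplied by the client.

```nginx
# Added example: constructed config; names and paths are assumptions.
server {
    listen 80;
    server_name example.com;
    root /var/www/site;

    # /thumbs/2013/08/12311.jpg: serve the file if it is already on disk,
    # otherwise fall through to the generator. The regex is quoted because
    # it contains curly braces.
    location ~ "^/thumbs/(?<y>\d{4})/(?<m>\d{2})/(?<id>\d+)\.jpg$" {
        try_files $uri @make_thumb;
    }

    # Build the source path from the validated captures only. The trailing
    # "?" drops the client's own query string instead of appending it.
    location @make_thumb {
        rewrite ^ /thumb.php?image=images/$y/$m/$id.jpg? last;
    }

    # Reachable only through the rewrite above, not by direct requests.
    location = /thumb.php {
        internal;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/thumb.php;
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }
}
```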

Case 3.

- “Anton, our site has started slowing down. Will you take a look?”
There are 10 remove_old_thumbs.php processes hanging in the process list. Guys, in scripts that are run from cron, let's check whether the script is already running. At the very least, create a lock file in /tmp, and use register_shutdown_function to call, at the end of the script, a function that deletes this file. Quick and easy.
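A cron wrapper in shell, added here as an example and not taken from the original post: it combines the lock from this case with the ionice call from Case 1, and the EXIT trap plays the role of register_shutdown_function. The lock path and the --run switch are assumptions; the lock is kept out of world-writable /tmp on purpose.

```shell
#!/bin/sh
# Added example. The lock lives in a directory only the job's user can write
# to (it must already exist): a predictable name in world-writable /tmp can
# be pre-created by any other local user.
LOCK_DIR="${LOCK_DIR:-/var/lock/thumbs-cleanup/lock}"

# acquire_lock DIR -> 0 lock taken, 1 another run is alive, 2 stale lock found
acquire_lock() {
    if mkdir "$1" 2>/dev/null; then      # mkdir is atomic: exactly one caller wins
        echo "$$" > "$1/pid"
        return 0
    fi
    holder=$(cat "$1/pid" 2>/dev/null)
    if [ -n "$holder" ] && kill -0 "$holder" 2>/dev/null; then
        return 1
    fi
    return 2                             # holder is gone but the lock remains
}

# Remove the lock only if this process owns it
release_lock() {
    [ "$(cat "$1/pid" 2>/dev/null)" = "$$" ] && rm -rf "$1"
    return 0
}

run_job() {
    rc=0; acquire_lock "$LOCK_DIR" || rc=$?
    case $rc in
        1) echo "previous run still active, skipping" >&2; return 0 ;;
        2) echo "stale lock $LOCK_DIR: inspect and remove it" >&2; return 1 ;;
    esac
    trap 'release_lock "$LOCK_DIR"' EXIT # cleanup on any exit path
    trap 'exit 1' INT TERM               # turn signals into a normal exit
    ionice -c3 php remove_old_thumbs.php # idle I/O class, as in Case 1
}

# The cron entry calls this script with --run (assumed switch)
if [ "${1:-}" = "--run" ]; then run_job; fi
```

A stale lock is reported rather than taken over automatically, because a check-then-replace takeover can race with another run doing the same.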

Case 4.

I will not dwell on this in great detail: the topic is very relevant, but each case is strictly individual. I will not reproduce an example from memory, but in short:
"SELECT * FROM posts" - we pulled out the entire posts table, with all the descriptions and other garbage, and actively work with this array of data, although out of the whole array only id and poster_url are needed.
"SELECT description FROM posts WHERE post_time > '2013-01-01' AND post_moderated = '1' ORDER BY name DESC" - imagine this query with a bunch of joins, and quite a massive one. And why does it suddenly slow down? All because there is no index on the name field, and the new programmers have not heard of EXPLAIN.

Well. The cases above are programmer errors. What can administrators be reproached for?


For a start, this:
ssh://root:om7ooS3righoob4Xe7ri@hostname

In 90% of cases remote access to servers is done as root, and almost immediately these servers start getting brute-forced. This is not right.
What can be done? To begin with, create a user and log in via ssh as that user. Then disable root login in sshd_config (PermitRootLogin no). To get root rights from that user, you can type “su -” or configure sudo. Not difficult, is it?
What else can be done? You can deny ssh access from unknown IPs, and you do not need to write a stack of iptables rules for that: just tweak a couple of files.

hosts.deny
sshd: all

hosts.allow
sshd: 123.231.132.213

And that's it! We have forbidden everyone except 123.231.132.213 to connect to the server via ssh.
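A check for the two SSH measures above, added as an example and not part of the original post; the function names and the --audit switch are assumptions. It reads PermitRootLogin the way sshd does (first occurrence wins) and verifies that hosts.allow and hosts.deny can take effect at all.

```shell
#!/bin/sh
# Added example, not from the original post.

# sshd_option FILE KEYWORD: print the global value sshd would use. Keywords
# are case-insensitive and the FIRST occurrence wins; parsing stops at the
# first Match block, whose settings apply only conditionally.
sshd_option() {
    awk -v want="$2" '
        { sub(/^[ \t]+/, "") }
        /^(#|$)/ { next }
        { n = match($0, /[ \t=]+/)
          key = tolower(n ? substr($0, 1, RSTART - 1) : $0) }
        key == "match" { exit }
        key == tolower(want) {
            val = n ? substr($0, RSTART + RLENGTH) : ""
            sub(/[ \t]+$/, "", val); print tolower(val); exit
        }
    ' "$1"
}

# 0 only when root login is explicitly disabled
root_login_disabled() { [ "$(sshd_option "$1" PermitRootLogin)" = "no" ]; }

# wrappers_allowlist DENY ALLOW: 0 if hosts.deny refuses sshd to everyone and
# hosts.allow (consulted first) lists sshd clients without an "all" entry.
wrappers_allowlist() {
    ws='[[:space:]]*'
    grep -Eiq "^${ws}(sshd|all)${ws}:${ws}all${ws}\$" "$1" || return 1
    grep -Eiq "^${ws}sshd${ws}:" "$2" || return 1
    ! grep -Eiq "^${ws}(sshd|all)${ws}:${ws}all([[:space:]]|\$)" "$2"
}

# hosts.allow/hosts.deny are honoured only by an sshd linked against libwrap
# (upstream OpenSSH removed TCP wrappers support in 6.7; some distros keep it).
sshd_has_libwrap() { ldd "${1:-/usr/sbin/sshd}" 2>/dev/null | grep -q libwrap; }

if [ "${1:-}" = "--audit" ]; then
    root_login_disabled /etc/ssh/sshd_config || echo "PermitRootLogin is not 'no'"
    sshd_has_libwrap || echo "no libwrap in sshd: hosts.allow/deny have no effect"
    wrappers_allowlist /etc/hosts.deny /etc/hosts.allow || echo "no sshd allowlist"
fi
```

On a live host, `sshd -T` prints the effective configuration, including included files, and is the authoritative source.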

Ok, what else?
[root@localhost ~]# ps auwx | grep php
root 795 0.0 0.5 321152 9948 ? Ss Jul22 0:10 php-fpm: master process (/etc/php-fpm.conf)
root 884 0.0 0.3 321696 6724 ? S Jul22 0:00 php-fpm: pool www
root 885 0.0 0.3 321696 6644 ? S Jul22 0:00 php-fpm: pool www
root 886 0.0 0.3 321696 6720 ? S Jul22 0:00 php-fpm: pool www
root 887 0.0 0.3 321728 6720 ? S Jul22 0:00 php-fpm: pool www
root 888 0.0 0.3 321728 6728 ? S Jul22 0:00 php-fpm: pool www

Why are php scripts running as root? What for?! It is like leaving your car keys in the car itself. The solution will differ from case to case; in this one, the user is changed to the one you need in the php-fpm.conf config.
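A detection sketch for this situation, added as an example and not part of the original post; the function names and the --audit switch are assumptions. It flags php-fpm pool workers owned by root in `ps auwx` output and lists pools whose config sets the user to root.

```shell
#!/bin/sh
# Added example, not from the original post.

# root_fpm_workers: read `ps auwx` output on stdin, print "PID pool" for each
# php-fpm worker owned by root. Matching on the command fields ($11 onward)
# skips the master process and any grep/awk that merely mentions php-fpm.
root_fpm_workers() {
    awk '$1 == "root" && $11 == "php-fpm:" && $12 == "pool" { print $2, $13 }'
}

# pool_users FILE: print "pool user" for each pool section of a php-fpm
# config ("-" when the section sets no user). [global] is not a pool.
pool_users() {
    awk '
        function emit() {
            if (pool != "" && pool != "global")
                print pool, (user == "" ? "-" : user)
        }
        /^[ \t]*;/ { next }
        /^[ \t]*\[/ { emit(); pool = $0; sub(/^[ \t]*\[/, "", pool)
                      sub(/\].*$/, "", pool); user = ""; next }
        /^[ \t]*user[ \t]*=/ { user = $0; sub(/^[^=]*=[ \t]*/, "", user)
                               sub(/[ \t]+$/, "", user) }
        END { emit() }
    ' "$1"
}

# root_pools FILE: pools configured to run as root (by name or uid 0)
root_pools() { pool_users "$1" | awk '$2 == "root" || $2 == "0" { print $1 }'; }

if [ "${1:-}" = "--audit" ]; then
    ps auwx | root_fpm_workers
    root_pools "${2:-/etc/php-fpm.conf}"
fi
```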

Those who do not run scripts as root sin in another way: chmod 777. I will not describe the consequences and the cures; I will say only one thing. Set file permissions after thinking through what you are doing. And never set them like this:
"chmod 777 -R ." As fate would have it, you can break the OS by running that command in the wrong folder.

Many admins sin by compiling software and installing it straight into the system. I will not claim that this is a great evil, but it is an evil all the same. Is ./configure && make && make install familiar? Guys, do not be too lazy to find a package. If there is no package, at least try checkinstall.

In fact, there are many different cases. One could pick them apart long and hard, but I would like to address programmers. Guys, if you maintain a site with serious traffic, do optimizations or build some hardcore functionality, seek advice from experienced colleagues (especially admins). They will help you with advice and save you from mistakes, dreadful and not so dreadful.

Source: https://habr.com/ru/post/231053/

