Tuesday, 30 August 2011

An nginx + php + mysql setup for a Debian 5 VPS

This article describes an nginx + php + mysql setup on a Debian 5 VPS, using php-fpm as the FastCGI process manager.


The article is based on a 64-bit Debian 5 VPS; on a 32-bit Debian VPS, adjust the relevant parts (package and tarball names) accordingly.


Using php-fpm requires recompiling PHP; the PHP package shipped with the system cannot be used. MySQL comes from Debian's own repository, and nginx is the latest version downloaded from the official Debian package archive.


Installing nginx


The nginx version shipped with Debian 5 is rather old. The current stable nginx release is 0.7.61, and the upcoming Debian 6 ships this latest version; we tested it and found that it runs on Debian 5. We downloaded the nginx deb package from http://ftp.us.debian.org/debian/pool/main/n/nginx/ and placed it at http://rashost.com/download/ for customers' convenience.


Installation commands:


dpkg -i nginx_0.7.61-3_amd64.deb
/etc/init.d/nginx start
mkdir -p /var/www/nginx-default
echo 'nginx ok' > /var/www/nginx-default/index.html
echo '<?php phpinfo(); ?>' > /var/www/nginx-default/test.php


Running dpkg -L nginx shows which directories nginx's files were installed into.


Debian's default web root for nginx is /var/www/nginx-default. That directory is not created at install time, so we created it by hand.


Open the server in a browser; you should see nginx's default page, which means nginx is working.


Installing MySQL


We use Debian's own MySQL. Installation commands:


apt-get install mysql-server-5.0
/etc/init.d/mysql start


Run mysql -uroot -p; you should be able to connect to MySQL normally.


Installing PHP and php-fpm


Install the libraries PHP needs:


apt-get update
apt-get install libxml2 libldap-2.4-2 libmhash2 curl libpng3 libjpeg62 libsasl2-2 libmcrypt4


Download our own php-fpm build, compiled on Debian, from http://rashost.com/download/ and install it:


cd /opt
tar zxf php-fpm-5.2.10-amd64.tar.gz
ln -s /opt/php/sbin/php-fpm /etc/init.d/php-fpm
update-rc.d -f php-fpm defaults
/etc/init.d/php-fpm start


Integration


First, create the file test.php in the /var/www/nginx-default directory. Its content is just the following single line:


<?php phpinfo(); ?>


Assume the VPS's hostname is debian5.rashost.com. At this point, visiting http://debian5.rashost.com/test.php in a browser does not give the correct result.


Edit the nginx configuration file /etc/nginx/sites-enabled/default, search for fastcgi_pass, and change that section to:


location ~ \.php$ {
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  /var/www/nginx-default/$fastcgi_script_name;
    include        fastcgi_params;
}


Note that the nginx configuration layout on Debian differs considerably from CentOS: Debian splits the configuration into multiple files, one configuration file per site is recommended, and the file we edit is /etc/nginx/sites-enabled/default. Also note the /var/www/nginx-default/ part after fastcgi_param: this is the actual web root. Writing it as $document_root, as the Debian default does, did not work for us, for reasons we could not determine.


Then restart nginx:


/etc/init.d/nginx restart


Now visit test.php in the browser; it should display correctly. Reboot the VPS to verify that every component starts automatically. Done!
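As an added example that is not part of the original article, the following POSIX shell script runs the checks a practitioner would want after finishing the steps above: that the fastcgi_pass target in the site configuration is a loopback address, that the port php-fpm listens on (9000 here) is bound only to 127.x.x.x in netstat output, so the FastCGI socket is not reachable from the network, and that the phpinfo() test page has been removed from the document root once the setup has been verified. The configuration snippet, the netstat lines and the temporary document root are constructed inline; the function names are the example's own.

```shell
#!/bin/sh
# Post-install checks for the nginx + php-fpm + MySQL setup described above.
# Added example, not part of the original article. The sample netstat output,
# the configuration snippet and the temporary document root are constructed;
# on a real host point the functions at /etc/nginx/sites-enabled/default,
# the live output of `netstat -lnt`, and /var/www/nginx-default.

# Print the host:port that the php location block hands requests to.
# $1 is an nginx configuration file.
fastcgi_pass_target() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Return 0 if $1 is a loopback address, so php-fpm is only reachable from
# nginx on the same machine, not from the network.
is_loopback() {
    case "$1" in
        127.*|localhost|::1|"[::1]") return 0 ;;
        *) return 1 ;;
    esac
}

# Read `netstat -lnt` style lines on stdin; return 0 only if every TCP
# listener on port $1 is bound to a 127.x.x.x address.
listener_is_local() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") {
            split($4, a, ":")
            if (a[1] !~ /^127\./) bad = 1    # 0.0.0.0, a public IP, or :::port
        }
        END { exit bad ? 1 : 0 }
    '
}

# Return 0 if no file under the document root $1 still calls phpinfo();
# the test.php created during setup exposes the full PHP configuration.
no_phpinfo_page() {
    ! grep -rl 'phpinfo' "$1" >/dev/null 2>&1
}

# --- demonstration on constructed input -----------------------------------
tmp=$(mktemp -d)
cat > "$tmp/default" <<'EOF'
location ~ \.php$ {
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
}
EOF
mkdir -p "$tmp/docroot"
printf '<?php phpinfo(); ?>\n' > "$tmp/docroot/test.php"

target=$(fastcgi_pass_target "$tmp/default")
host=${target%:*}; port=${target##*:}
echo "nginx forwards PHP requests to $target"
is_loopback "$host" && echo "  ok: fastcgi_pass points at loopback" \
                    || echo "  WARN: fastcgi_pass points at a non-loopback address"

# Constructed netstat -lnt output: php-fpm and MySQL on loopback, nginx on all interfaces.
sample_netstat='tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN'
printf '%s\n' "$sample_netstat" | listener_is_local "$port" \
    && echo "  ok: port $port listens on loopback only" \
    || echo "  WARN: port $port is reachable from the network"

no_phpinfo_page "$tmp/docroot" \
    || echo "  WARN: remove the phpinfo() test page after verifying the setup"
rm -rf "$tmp"
```

On a live host, replace the constructed pieces with `fastcgi_pass_target /etc/nginx/sites-enabled/default`, `netstat -lnt | listener_is_local 9000` and `no_phpinfo_page /var/www/nginx-default`; the functions are written to be pasted into an existing shell.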

Commonly unused / rarely used daemons


The following list contains daemons that may not be used by a 'normal' end-user. You can compare the list of daemons started up on your system to this list, and see if you could safely disable some of those daemons.



  • Bluetooth

    • hcid, sdpd and hidd (These daemons provide Bluetooth services and are unnecessary if you don't have any Bluetooth hardware)



  • Printing

    • cups and cups-config-daemon (These daemons provide printer services and are unnecessary if you don't have any printer hardware attached to your local pc or to a network pc)

    • hpiod and hpssd (These daemons provide extensive support for HP printers. They can safely be disabled if you never print using an HP printer)



  • Console

    • gpm (This daemon provides mouse support for text-based applications, like Midnight Commander. It also provides copying/pasting with the middle mouse button in console environments. Can be disabled if you do not use the console much)



  • Webserver

    • httpd (This daemon provides web hosting services, and is unnecessary on workstations and servers that do not host any websites or web interfaces)

    • mysqld and postgresqld (These daemons provide database backend services. You can usually disable them if you're not running a webserver, although some applications use these databases for their data storage)



  • Firewall

    • netfilter/iptables (This daemon provides firewall services. Those are not that necessary if you're behind a router or smoothwall with a built-in firewall)



  • InfraRed

    • irda (This daemon enables your computer to communicate with other devices using IR (InfraRed) hardware. If you haven't got such hardware, you can safely disable this service)

    • lircd (This daemon provides remote control support using IR (InfraRed) receivers. Can be disabled if you don't have hardware capable of receiving IR signals)



  • Multiple CPUs

    • irqbalance (This daemon balances interrupts over multiple CPUs in the system. Can be disabled if you don't have multiple CPUs or a dual core processor)



  • Software RAID

    • mdmonitor, mdadm and mdmpd (These daemons provide information about and management functionality over software RAID devices. They are unnecessary if you don't use software RAID)



  • DNS Server

    • named (also known as BIND) (This daemon provides DNS server functionality. It is usually not needed on workstations)



  • Remote kernel logging

    • netdump, netcrashdump and netconsole (These services provide functionality for kernel logging and debugging over network connections. Only necessary if you want to view your kernel's log and debugging messages on another computer)



  • Fileservers

    • NFS server

      • nfs (This daemon provides NFS server functionality, allowing other computers with NFS clients to connect to your computer and access files. You can disable this if you don't need/want others to access your system using NFS)

      • portmap (This daemon manages RPC connections, used by protocols like NFS and NIS. Only needed on computers that need to act as a server)

      • rpcsvcgssd (This daemon manages RPCSEC GSS contexts for the NFSv4 server and is not needed unless you are running an NFS server)



    • Samba server

      • smbd and nmbd (These daemons provide other computers (Windows computers, too) with access to your files. This is not needed if you don't want others to be able to access your files over the network)



  • Network Authentication

    • nscd (This daemon handles passwd and group lookups and caches their results. Only needed when using a 'slow' name service, like NIS, NIS+, LDAP, or hesiod)

    • portmap (This daemon manages RPC connections, used by protocols like NFS and NIS. Only needed on computers that need to act as a server)



  • Remote time setting

    • ntpd (This daemon sets your system time to a value it retrieves from a so-called ntp server, which usually serves a very accurate time. Although it is a useful feature, it tends to slow your system's startup a lot, especially if the server cannot be found)



  • Process Accounting

    • psacct (also known as acct) (This daemon provides process accounting, which gives a more detailed insight into the execution of commands on your system. This is usually not needed unless you are running a server that is accessed by a lot of people that you cannot trust entirely)



  • Plaintext Authentication Requests

    • saslauthd (This daemon handles SASL Plaintext Authentication Requests, and is only required on a server that needs to communicate using SASL mechanisms)



  • Mailserver

    • sendmail (This daemon sends and forwards email messages, acting as a server. You don't need this daemon to be able to send a normal message. It is only needed if you need your computer to act as a mailserver)

    • spamd (also known as Spamassassin) (This daemon checks incoming mail messages for spam. This can usually be disabled, but keep in mind that some mail clients, like KMail, can use spamd's functionality)



  • SSH Server

    • sshd (This daemon allows remote login to your computer using the SSH protocol. It can be disabled if you don't want/need this access)



  • VNC Server

    • vncserver or xvnc (This daemon allows others to get a virtual graphical Desktop that actually runs on your computer)



  • Task Scheduler

    • cron (and variants, like vixie-cron...) (This daemon runs periodic tasks on your system, like updating the search index or the manpage index, but also rotating logfiles. This one is generally required for a server system to run correctly, but workstations may be able to run without it)



Enabling and disabling services during start up in GNU/Linux

In any Linux distribution, some services are enabled to start at boot up by default. For example, on my machine, I have pcmcia, cron daemon, postfix mail transport agent ... just to name a few, which start during boot up. Usually, it is prudent to disable all services that are not needed as they are potential security risks and also they unnecessarily waste hardware resources. For example, my machine does not have any pcmcia cards so I can safely disable it. Same is the case with postfix which is also not used.

So how do you disable these services so that they are not started at boot time?

The answer to that depends on the type of Linux distribution you are using. True, many Linux distributions including Ubuntu bundle with them a GUI front end to accomplish the task, which makes it easier to enable and disable the system services. But there is no standard GUI utility common across all Linux distributions. And this makes it worthwhile to learn how to enable and disable the services via the command line.

But one thing is common to all Linux distributions: the start-up scripts are stored in the '/etc/init.d/' directory. So if you want to, say, enable the apache webserver in different run levels, then you should have a script for the apache webserver in the /etc/init.d/ directory. It is usually created at the time of installing the software. On my machine (which runs Ubuntu), it is named apache2, whereas in Red Hat it is named httpd. Usually, the script has the same name as the process or daemon.

Here I will explain different ways of enabling and disabling the system services.

1) Red Hat Method

Red Hat and Red Hat based Linux distributions make use of the script called chkconfig to enable and disable the system services running in Linux.

For example, to enable the apache webserver to start in certain run levels, you first register its script with chkconfig and then switch it on in the desired run levels (the levels are given as a string of digits, without separators):
# chkconfig --add httpd

# chkconfig --level 235 httpd on
This will enable the apache webserver to automatically start in the run levels 2, 3 and 5. You can check this by running the command:
# chkconfig --list httpd
One can also disable the service by using the off flag as shown below:
# chkconfig httpd off

# chkconfig --del httpd
Red Hat also has a useful script called service which can be used to start or stop any service. Taking the previous example, to start apache webserver, you execute the command:
# service httpd start
and to stop the service...
# service httpd stop
The options being start, stop and restart which are self explanatory.

2) Debian Method

Debian Linux has its own script to enable and disable services across runlevels. It is called update-rc.d. Going by the above example, you can enable apache webserver as follows:
# update-rc.d apache2 defaults
... this will enable the apache webserver to start in the default run levels of 2,3,4 and 5. Of course, you can do it explicitly by giving the run levels instead of the "defaults" keyword as follows:
# update-rc.d apache2 start 20 2 3 4 5 . stop 80 0 1 6 .
The above command modifies the symlinks in the respective /etc/rcX.d directories to start or stop the service in the chosen runlevels, where X is a value from 0 to 6 denoting the runlevel. Note the dot (.), which terminates each set of runlevels and must not be omitted. The numbers 20 and 80 are the sequence codes that decide in which order the scripts in the /etc/init.d/ directory are started or stopped.

And to disable the service in all the run levels, you execute the command:
# update-rc.d -f apache2 remove
Here the -f (force) option is mandatory, because the /etc/init.d/apache2 script itself still exists.

But if you want to enable the service only in runlevel 5, you do this instead:
# update-rc.d apache2 start 20 5 . stop 80 0 1 2 3 4 6 .
3) Gentoo Method
Gentoo also uses a script to enable or disable services during boot-up. The name of the script is rc-update. Gentoo has three default runlevels, namely boot, default and nonetwork. Suppose I want to add the apache webserver to start in the default runlevel; then I run the command:
# rc-update add apache2 default
... and to remove the webserver, it is as simple as:
# rc-update del apache2
To see all the running applications at your runlevel and their status, similar to what is achieved by chkconfig --list, you use the rc-status command.
# rc-status --all
4) The old fashioned way
I remember the first time I started using Linux, there were no such scripts to aid the user in enabling or disabling the services during start-up. You did it the old fashioned way which was creating or deleting symbolic links in the respective /etc/rcX.d/ directories. Here X in rcX.d is a number which stands for the runlevel. There can be two kinds of symbolic links in the /etc/rcX.d/ directories. One starts with the character 'S' followed by a number between 0 and 99 to denote the priority, followed by the name of the service you want to enable. The second kind of symlink has a name which starts with a 'K' followed by a number and then the name of the service you want to disable. So in any runlevel, at any given time, for each service, there should be only one symlink of the 'S' or 'K' variety but not both.

So taking the above example, suppose I want to enable apache webserver in the runlevel 5 but want to disable it in all other runlevels, I do the following:

First to enable the service for run level 5, I move into /etc/rc5.d/ directory and create a symlink to the apache service script residing in the /etc/init.d/ directory as follows:
# cd /etc/rc5.d/

# ln -s /etc/init.d/apache2 S20apache2
This creates a symbolic link in the /etc/rc5.d/ directory which the system interprets as - start (S) the apache service before all the services which have a priority number greater than 20.

If you do a long listing of the directory /etc/rc5.d in your system, you can find a lot of symlinks similar to the one below.
lrwxrwxrwx  1 root root 17 Mar 31 13:02 S20apache2 -> ../init.d/apache2

Now if I start a service, I will want to stop the service while rebooting or while moving to single user mode and so on. So in those run levels I have to create the symlinks starting with character 'K'. So going back to the apache2 service example, if I want to automatically stop the service when the system goes into runlevel 0, 1 or 6, I will have to create the symlinks as follows in the /etc/rc0.d, /etc/rc1.d/, /etc/rc6.d/ directories.
# ln -s /etc/init.d/apache2 K80apache2
One interesting aspect here is the priority: the lower the number, the higher the priority. Since the starting priority of apache2 is 20, that is, apache starts well ahead of other services during startup, we give it a stopping priority of 80. There is no hard and fast rule for this, but usually you follow the formula below:

If you have 'N' as the priority number for starting a service, you use the number (100-N) for the stopping priority number and vice versa.
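The following POSIX shell script is an added example, not from any of the articles collected here. It works on the S/K link layout just described and on the "rarely used daemons" list above: it lists which services start in a runlevel, flags those that appear in a rarely-needed list as candidates for `update-rc.d -f <name> remove`, reports any service that has both an S and a K link in the same runlevel (which the text says should not happen), and derives a stop priority with the (100-N) rule. It builds a constructed /etc/rcX.d tree in a temporary directory rather than touching /etc; the function names and the RARELY_NEEDED list are the example's own.

```shell
#!/bin/sh
# Audit of SysV start-up links, following the S<NN>name / K<NN>name convention
# the text describes. Added example, not from the original article. It builds a
# constructed /etc/rcX.d tree in a temporary directory (service names taken
# from the list above); pass a real root such as /etc as $1 to audit a live host.

# Stop priority derived from a start priority with the (100 - N) rule above.
stop_priority() {
    echo $((100 - $1))
}

# Names of services with an S link in runlevel $2 under root $1, sorted.
services_started() {
    for link in "$1/rc$2.d"/S[0-9][0-9]*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        echo "${name#S[0-9][0-9]}"
    done | sort
}

# Services carrying both an S and a K link in runlevel $2: the text says a
# runlevel should hold one or the other for a service, never both.
conflicting_links() {
    dir="$1/rc$2.d"
    for s in "$dir"/S[0-9][0-9]*; do
        [ -L "$s" ] || continue
        name=${s##*/}; name=${name#S[0-9][0-9]}
        for k in "$dir"/K[0-9][0-9]"$name"; do
            [ -L "$k" ] && echo "$name"
        done
    done
}

# Daemons from the "rarely used" list above; extend it for your own environment.
RARELY_NEEDED="cups hpiod hpssd gpm irda lircd irqbalance mdadm named nfs portmap smbd nmbd nscd saslauthd sendmail spamd vncserver"

# Services started in runlevel $2 that appear in RARELY_NEEDED: candidates for
# `update-rc.d -f <name> remove` after checking that nothing depends on them.
flag_rarely_needed() {
    for svc in $(services_started "$1" "$2"); do
        for r in $RARELY_NEEDED; do
            [ "$svc" = "$r" ] && echo "$svc"
        done
    done
}

# Constructed tree: apache2 starts in 5 and stops in 0, 1 and 6 (as in the
# text); nfs and cups start in 2-5; gpm wrongly has both links in runlevel 3.
make_sample_tree() {
    root=$1
    mkdir -p "$root/init.d"
    for lvl in 0 1 2 3 4 5 6; do mkdir -p "$root/rc$lvl.d"; done
    for svc in apache2 nfs cups gpm; do : > "$root/init.d/$svc"; done
    ln -s ../init.d/apache2 "$root/rc5.d/S20apache2"
    for lvl in 0 1 6; do
        ln -s ../init.d/apache2 "$root/rc$lvl.d/K$(stop_priority 20)apache2"
    done
    for lvl in 2 3 4 5; do
        ln -s ../init.d/nfs  "$root/rc$lvl.d/S25nfs"
        ln -s ../init.d/cups "$root/rc$lvl.d/S30cups"
    done
    ln -s ../init.d/gpm "$root/rc3.d/S40gpm"
    ln -s ../init.d/gpm "$root/rc3.d/K60gpm"
}

# --- demonstration --------------------------------------------------------
if [ -n "${1:-}" ]; then
    root=$1                      # audit a real tree, e.g. ./audit.sh /etc
else
    root=$(mktemp -d)
    make_sample_tree "$root"
fi
for lvl in 0 2 3 5; do
    echo "runlevel $lvl starts: $(services_started "$root" "$lvl" | tr '\n' ' ')"
    echo "  rarely needed:     $(flag_rarely_needed "$root" "$lvl" | tr '\n' ' ')"
    echo "  S/K conflicts:     $(conflicting_links "$root" "$lvl" | tr '\n' ' ')"
done
echo "stop priority for a start priority of 20: $(stop_priority 20)"
```

The audit only reads link names; it does not remove anything. Once you have decided which flagged services are really unneeded, the `update-rc.d -f <name> remove` command from the text (or rcconf / sysv-rc-conf) is the way to drop their links.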

Removing Unwanted Startup Debian Files or Services

Under Debian Linux (and most other distros) startup files are stored in the /etc/init.d/ directory, with symbolic links to them in the /etc/rcX.d/ directories. Debian Linux, like Red Hat and Fedora, uses System V initialization scripts to start services at boot time from the /etc/rcX.d/ directory. Debian Linux comes with several utilities to remove unwanted startup files:

(A) rcconf
It is a console-based interactive utility that allows you to control which services are started when the system boots up or reboots. It displays a menu of all the services which could be started at boot. The ones that are configured to do so are marked, and you can toggle individual services on and off. To start rcconf, log in as root and type rcconf:
# rcconf

Select the service you would like to enable or disable.

(B) sysv-rc-conf is yet another tool for managing SysV-style init script links under Debian Linux. To start sysv-rc-conf, log in as root and type sysv-rc-conf:
# sysv-rc-conf

Select the service you would like to enable or disable.

Both sysv-rc-conf and rcconf are the best tools to use on a remote Debian Linux system or when a GUI is not available; they are the equivalent of the ntsysv command under Red Hat Linux.

(C) You can also use update-rc.d script as follows (update-rc.d removes any links in the /etc/rcX.d directories to the script /etc/init.d/service):
# update-rc.d -f {SERVICE-NAME} remove

For example to stop xinetd service at boot time, type the command as follows:
# update-rc.d -f xinetd remove

--------------------------------------------------------

Q: Which services are unnecessary in debian?

A: It depends upon your applications. For example, if you run a web server then you only need

httpd (80)
mysql
sshd
mail service
syslogd
klogd
cron

The rest of the services can be disabled, for example:
lpd (printing service)
autofs (until and unless you wanna mount something remotely or locally)
dbus-1 ( manages certificate revocation lists)
portmap, rpc services, nfs server (for unix to unix/linux file sharing)
telnetd, rlogin, rexec (all insecure remote login services, it is better to use ssh)
inetd or xinetd (disabled all those r services, finger, time etc)
named (Do you need your own dedicated name server?)

Also create a firewall to accept services according to your server's services.