On Fri, May 09, 2003 at 11:00:18AM +0200, poeml@cmdline.net wrote:
On Fri, May 09, 2003 at 07:28:02AM +0200, Jon Clausen wrote:
error_log says: [Wed May 7 00:16:10 2003] [notice] SIGUSR1 received. Doing graceful restart
Please browse through your logs, to see when the last graceful restart before this one has been!
grep -i -A 3 grace * error_log:[Sun Jan 5 10:28:23 2003] [notice] SIGUSR1 received. Doing graceful restart error_log-[Sun Jan 5 10:28:32 2003] [notice] Apache/1.3.26 (Linux/SuSE) mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.2 mod_perl/1.27 configured -- resuming normal operations error_log-[Sun Jan 5 10:28:32 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) error_log-[Sun Jan 5 10:28:32 2003] [notice] Accept mutex: sysvsem (Default: sysvsem) -- error_log:[Wed May 7 00:16:10 2003] [notice] SIGUSR1 received. Doing graceful restart error_log-[Wed May 7 00:16:31 2003] [error] Cannot resolve host name Scum.kinkon --- ignoring! error_log-[Wed May 7 00:16:31 2003] [error] mod_ssl: Init: (Scum.kinkon:80) Ops, no RSA or DSA server certificate found?! error_log-[Wed May 7 00:16:31 2003] [error] mod_ssl: Init: (Scum.kinkon:80) You have to perform a *full* server restart when you added or removed a certificate and/or key file <snip>
There was a thread about logrotate recently. And since the time of death is when logrotate is run (IINM), I'm thinking that *that* might've played a part?
Surely it triggered it, as the time indicates. But my suspicion is that your apache configuration has been hosed for a long time, and it only showed up now because it was the first time it has been read again. That means, logrotate ran every night to find that the apache log files do not need rotating, until yesterday.
Hmm. The only log that's been rotated is ssl_engine_log: ll ssl_engine_log* -rw-r--r-- 1 jon users 872 2003-05-07 00:16 ssl_engine_log -rw-r--r-- 1 jon users 52484 2003-05-06 15:01 ssl_engine_log-20030507.gz So I guess you have a point there.
At any rate, it is likely that the configuration files have been changed since the last time apache was started. You might want to check the log files, and modification dates of the files below /etc/httpd.
DAMN! I just destroyed the timestamp on httpd.conf ...went in there to look at the ssl section, and accidentally exited with :wq ...so that's lost. In any case nothing (else) below /etc/httpd has been changed in quite a while: Scum:/etc/httpd # find . -ctime -50 . ./httpd.conf Scum:/etc/httpd #
Then you could assess whether apache or mod_ssl has been updated since then, and whether there are any .rpmsave or .rpmnew files around in /etc/httpd.
no .rpm{new|save}s either.
If you however find that a graceful restart ("rcapache reload") has been working in the past, and the configuration has not been changed since then, it would be quite suspicious...
Dunno whether to suspect foul play here, or what... maybe not, but in any case I'm taking the box offline. This is a good a time as any, to see if any of that RAM I found fits/is good, and then I may as well ZAP the box, and try setting up a more secure machine. Thanks, Jon -- If we can't be free, at least we can be cheap!