why User root is running process httpd all time?

Portal Home > Knowledgebase > Articles Database > why User root is running process httpd all time?

Posted by papiandy, 07-02-2009, 07:15 PM
Hi ... I usually use the "top" command to see what is happening in my server ... Normally everything is OK untill one week ago I start so see this process: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 1115 root 20 0 10768 10m 164 R 26 0.5 46:17.27 httpd Is the number 1 on the top list using a lot of CPU and MEM (as I say before ... I never have seen this command in the past) So when I kill the process everything goes fine but only for a few minutes and then is comming back any ideas ? Thks a lot guys !
Posted by mugo, 07-02-2009, 11:51 PM
This is normal, is used to grab port 80 and fork, among other reasons. This is what your initial httpd process runs as. You'll always see 1 owned by root.
Posted by foobic, 07-03-2009, 12:02 AM
It's normal to see one (and only one) httpd process running as root but it's not normal to see it using a lot of resources. Assuming 1115 is still the pid, try
Posted by mugo, 07-03-2009, 12:12 AM
Your CPU is a little high, but .5% Mem isn't a lot. If your server is busy, this could be normal...how many active connections do you have when the cpu is this high?
Posted by inspiron, 07-03-2009, 05:58 AM
Yes, your CPU load seems to be high, You can check active connection by using the following command, #netstat -an | grep :80 | sort This command output will show only the active internet connection to your server at port 80 and sort the results.
Posted by mugo, 07-03-2009, 06:06 AM
For all active, add |grep ESTAB onto that
Posted by whrss2, 07-03-2009, 06:38 AM
Apache(httpd) would run under the user you specify it to. This can be changed under the Apache configuration file "%apacheroot%/conf/httpd.conf" You could use these commands to know : 1. Which server IP address is getting these connections. netstat -ntu | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -n|tail -n 5 (ipv4) netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -n (ipv6) 2. This would tell you which all IP addresses are currently connected/connecting to your web server. netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -n Hope this helps out...
Posted by mugo, 07-03-2009, 06:42 AM
That reminds me, I need to get my Sherman tank cleaned...goin' deer hunting tomorrow...
Posted by papiandy, 07-03-2009, 12:28 PM
Thks everybody for u help I got this result with the next commands: # netstat -an |grep :80 |wc -l 1506 # netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c 13 CLOSE_WAIT 2 CLOSING 273 ESTABLISHED 18 FIN_WAIT1 4 FIN_WAIT2 177 LISTEN 38 SYN_RECV 1558 TIME_WAIT With the command to see all ips are connectes to my server (netstat -plan|grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n) only going to put the last 9 results wich are: 18 0.0.0.0 23 208.53.131.169 24 189.147.148.190 7 115.132.61.130 7 189.163.242.1 7 189.164.59.196 7 66.98.25.235 8 83.35.141.168 10 200.67.219.247 18 0.0.0.0 36 208.53.131.169 66 189.189.134.240 According to my WHM Apache stats I got this: Current Time: Friday, 03-Jul-2009 11:26:08 CDT Restart Time: Thursday, 02-Jul-2009 14:31:46 CDT Parent Server Generation: 0 Server uptime: 20 hours 54 minutes 22 seconds Total accesses: 1856619 - Total Traffic: 4.3 GB CPU Usage: u7.16 s6.24 cu154.85 cs0 - .224% CPU load 24.7 requests/sec - 60.1 kB/second - 2493 B/request 14 requests currently being processed, 16 idle workers _C___..C._WC___CC_CC.CCC_C.._.____WC............._.............. ................................................................ ................................................................ ................................................................ So is it all information good? Thks
Posted by Winstyn, 07-03-2009, 01:16 PM
Seems pretty nominal overall. Maybe the CPU usage is due to disk I/O?
Posted by ramnet, 07-03-2009, 08:12 PM
That is very likely since the httpd process is responsible for access and error logging too - and it is not really efficient to have the system do a write on every read - (extfs used to have this issue before noatime and relatime, the httpd issue is similar but not quite as bad). You might want to consider piping your access logging to another program that will buffer your logs a little so they aren't so disk-intensive.
Posted by papiandy, 07-03-2009, 08:51 PM
I Think u rigth ... My error log is about 11Gb and it's getting bigger and bigger every second MY access log is 26Mb so I think is a lot of difference between error log and access log The question is what can I do for fix this
Posted by Winstyn, 07-03-2009, 09:36 PM
Well you can start by truncating the error log to at least 20mbs or less. 11gbs is a lot. The other thing to do would be to check what the error is. It might be something that is continually repeating due to a bad server configuration. Try doing a tail -f on it and see how often its spiting out errors. This is most likely the reason for the cpu though if its throwing 100 erros/sec.
Posted by ramnet, 07-03-2009, 10:56 PM
Agreed. Also check and make sure your site isn't generating lot's of 404 not found errors - things like /favicon.ico are very bad at doing that. Also, if you haven't got it already, you might consider setting up logrotate to automatically archive your old logs so you don't get massive logs like this (that may be beyond what you are able to do however)
Posted by WHR-Abner, 07-04-2009, 12:40 PM
As you know 0-1024 are reserved logical ports. If you need to open a reserved port, you need to be the super user. That is why you see the first http process running under 'root'. This process will not accept any tcp connections and i responsible only for opening port 80.
Posted by papiandy, 07-06-2009, 05:02 PM
You were rigth guys I had a lot of stupid errors like 404 not found errors and /favicon.ico How Can I do that?
Posted by Winstyn, 07-07-2009, 12:14 AM
Someone might have something better but basically this sequence should work. You will need to of course edit the paths. Last edited by Winstyn; 07-07-2009 at 12:14 AM. Reason: Forgot about path editing.
Posted by WHR-Abner, 07-07-2009, 06:23 AM
I would suggest you to configure logrotation. Configure to rotate the logs for a limit less than 2GB. P.S: Apache has a file limit size of 2GB and hence the webserver may fail if it exceeds this limit. Try setting the limit less than 1.5GB.

Add to Favourites Print this Article