Compilation and Packaging of Apache 2.4 on Solaris 10
Wow, it had been an age since I posted here. Ooops. This isn’t because I’ve not been doing interesting things, more just a matter of failing to find the time. No excuses, this is bad. I resolve to blog more often (which isn’t going to be hard given the recent record).
Anyway, on with the plot, this blog details my recent adventures compiling Apache 2.4 on Solaris 10. I also include steps for compiling OpenSSL, rather than relying on the libraries shipped with Solaris 10. The Update 9 release of Solaris 10 I’m using include OpenSSL version 0.9.7d, but by deciding to compile my own I move up to version 1.0.0g.
Following the succesful compilation, I cover the creation of an SVR4 package or two for the new software. I hope to follow this article with a version for Solaris 11 and IPS.
The first step, is of course to download the source. The Apache 2.4 source is available here:
http://httpd.apache.org/download.cgi#apache24Once downloaded, unpack into a working directory of choice, mine was /var/tmp/httpd-2.4.1. There are many options for configuring and compiling Apache and I won’t regurgitate the README or the Documentation here, suffice to say you do need to do your own background reading and choose the options most applicable to your needs.
Further, I should mention prerequisites; the compiler itself, of course. I’m using the Sun Studio compilers, installed in my environment into /opt/studio, This means, as a minimum I need to include /opt/studio/bin and /usr/ccs/bin in my PATH:
export PATH=/usr/sbin:/usr/bin:/opt/studio/bin:/usr/ccs/binThis should result in access to the ‘cc’ and ‘make’ commands as follows;
bash-3.00# which cc
/opt/studio/bin/cc
bash-3.00# which make
/usr/ccs/bin/makeOnce you are set with the compiler you need to get back to thinking about your configure options. There are many;
bash-3.00# ./configure --help
`configure' configures this package to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE. See below for descriptions of some of the useful variables.
Defaults for the options are specified in brackets.
Configuration:
-h, --help display this help and exit
--help=short display options specific to this package
--help=recursive display the short help of all the included packages
-V, --version display version information and exit
-q, --quiet, --silent do not print `checking ...' messages
--cache-file=FILE cache test results in FILE [disabled]
-C, --config-cache alias for `--cache-file=config.cache'
-n, --no-create do not create output files
--srcdir=DIR find the sources in DIR [configure dir or `..']
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local/apache2]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]
By default, `make install' will install all the files in
`/usr/local/apache2/bin', `/usr/local/apache2/lib' etc. You can specify
an installation prefix other than `/usr/local/apache2' using `--prefix',
for instance `--prefix=$HOME'.
For better control, use the options below.
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
--datadir=DIR read-only architecture-independent data [DATAROOTDIR]
--infodir=DIR info documentation [DATAROOTDIR/info]
--localedir=DIR locale-dependent data [DATAROOTDIR/locale]
--mandir=DIR man documentation [DATAROOTDIR/man]
--docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE]
--htmldir=DIR html documentation [DOCDIR]
--dvidir=DIR dvi documentation [DOCDIR]
--pdfdir=DIR pdf documentation [DOCDIR]
--psdir=DIR ps documentation [DOCDIR]
System types:
--build=BUILD configure for building on BUILD [guessed]
--host=HOST cross-compile to build programs to run on HOST [BUILD]
--target=TARGET configure for building compilers for TARGET [HOST]
Optional Features:
--disable-option-checking ignore unrecognized --enable/--with options
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-layout=LAYOUT
--enable-dtrace Enable DTrace probes
--enable-hook-probes Enable APR hook probes
--enable-exception-hook Enable fatal exception hook
--enable-load-all-modules
Load all modules
--enable-maintainer-mode
Turn on debugging and compile time warnings and load
all compiled modules
--enable-debugger-mode Turn on debugging and compile time warnings and turn
off optimization
--enable-pie Build httpd as a Position Independent Executable
--enable-modules=MODULE-LIST
Space-separated list of modules to enable | "all" |
"most" | "few" | "none" | "reallyall"
--enable-mods-shared=MODULE-LIST
Space-separated list of shared modules to enable |
"all" | "most" | "few" | "reallyall"
--enable-mods-static=MODULE-LIST
Space-separated list of static modules to enable |
"all" | "most" | "few" | "reallyall"
--disable-authn-file file-based authentication control
--enable-authn-dbm DBM-based authentication control
--enable-authn-anon anonymous user authentication control
--enable-authn-dbd SQL-based authentication control
--enable-authn-socache Cached authentication control
--disable-authn-core core authentication module
--disable-authz-host host-based authorization control
--disable-authz-groupfile
'require group' authorization control
--disable-authz-user 'require user' authorization control
--enable-authz-dbm DBM-based authorization control
--enable-authz-owner 'require file-owner' authorization control
--enable-authz-dbd SQL based authorization and Login/Session support
--disable-authz-core core authorization provider vector module
--enable-authnz-ldap LDAP based authentication
--disable-access-compat mod_access compatibility
--disable-auth-basic basic authentication
--enable-auth-form form authentication
--enable-auth-digest RFC2617 Digest authentication
--enable-allowmethods restrict allowed HTTP methods
--enable-isapi isapi extension support
--enable-file-cache File cache
--enable-cache dynamic file caching. At least one storage
management module (e.g. mod_cache_disk) is also
necessary.
--enable-cache-disk disk caching module
--enable-socache-shmcb shmcb small object cache provider
--enable-socache-dbm dbm small object cache provider
--enable-socache-memcache
memcache small object cache provider
--enable-socache-dc distcache small object cache provider
--enable-so DSO capability. This module will be automatically
enabled unless you build all modules statically.
--enable-watchdog Watchdog module
--enable-dbd Apache DBD Framework
--enable-bucketeer buckets manipulation filter. Useful only for
developers and testing purposes.
--enable-dumpio I/O dump filter
--enable-echo ECHO server
--enable-example-hooks Example hook callback handler module
--enable-case-filter Example uppercase conversion filter
--enable-case-filter-in Example uppercase conversion input filter
--enable-example-ipc Example of shared memory and mutex usage
--enable-buffer Filter Buffering
--enable-data RFC2397 data encoder
--enable-ratelimit Output Bandwidth Limiting
--disable-reqtimeout Limit time waiting for request from client
--enable-ext-filter external filter module
--enable-request Request Body Filtering
--enable-include Server Side Includes
--disable-filter Smart Filtering
--enable-reflector Reflect request through the output filter stack
--enable-substitute response content rewrite-like filtering
--enable-sed filter request and/or response bodies through sed
--disable-charset-lite character set translation. Enabled by default only
on EBCDIC systems.
--enable-charset-lite character set translation. Enabled by default only
on EBCDIC systems.
--enable-deflate Deflate transfer encoding support
--enable-xml2enc i18n support for markup filters
--enable-proxy-html Fix HTML Links in a Reverse Proxy
--enable-http HTTP protocol handling. The http module is a basic
one that enables the server to function as an HTTP
server. It is only useful to disable it if you want
to use another protocol module instead. Don't
disable this module unless you are really sure what
you are doing. Note: This module will always be
linked statically.
--disable-mime mapping of file-extension to MIME. Disabling this
module is normally not recommended.
--enable-ldap LDAP caching and connection pooling services
--disable-log-config logging configuration. You won't be able to log
requests to the server without this module.
--enable-log-debug configurable debug logging
--enable-log-forensic forensic logging
--enable-logio input and output logging
--enable-lua Apache Lua Framework
--enable-luajit Enable LuaJit Support
--disable-env clearing/setting of ENV vars
--enable-mime-magic automagically determining MIME type
--enable-cern-meta CERN-type meta files
--enable-expires Expires header control
--disable-headers HTTP header control
--enable-ident RFC 1413 identity check
--enable-usertrack user-session tracking
--enable-unique-id per-request unique ids
--disable-setenvif basing ENV vars on headers
--disable-version determining httpd version in config files
--enable-remoteip translate header contents to an apparent client
remote_ip
--enable-proxy Apache proxy module
--enable-proxy-connect Apache proxy CONNECT module. Requires and is enabled
by --enable-proxy.
--enable-proxy-ftp Apache proxy FTP module. Requires and is enabled by
--enable-proxy.
--enable-proxy-http Apache proxy HTTP module. Requires and is enabled by
--enable-proxy.
--enable-proxy-fcgi Apache proxy FastCGI module. Requires and is enabled
by --enable-proxy.
--enable-proxy-scgi Apache proxy SCGI module. Requires and is enabled by
--enable-proxy.
--enable-proxy-fdpass Apache proxy to Unix Daemon Socket module. Requires
--enable-proxy.
--enable-proxy-ajp Apache proxy AJP module. Requires and is enabled by
--enable-proxy.
--enable-proxy-balancer Apache proxy BALANCER module. Requires and is
enabled by --enable-proxy.
--enable-proxy-express mass reverse-proxy module. Requires --enable-proxy.
--enable-session session module
--enable-session-cookie session cookie module
--enable-session-crypto session crypto module
--enable-session-dbd session dbd module
--enable-slotmem-shm slotmem provider that uses shared memory
--enable-slotmem-plain slotmem provider that uses plain memory
--enable-ssl SSL/TLS support (mod_ssl)
--enable-optional-hook-export
example optional hook exporter
--enable-optional-hook-import
example optional hook importer
--enable-optional-fn-import
example optional function importer
--enable-optional-fn-export
example optional function exporter
--enable-dialup rate limits static files to dialup modem speeds
--enable-static-support Build a statically linked version of the support
binaries
--enable-static-htpasswd
Build a statically linked version of htpasswd
--enable-static-htdigest
Build a statically linked version of htdigest
--enable-static-rotatelogs
Build a statically linked version of rotatelogs
--enable-static-logresolve
Build a statically linked version of logresolve
--enable-static-htdbm Build a statically linked version of htdbm
--enable-static-ab Build a statically linked version of ab
--enable-static-checkgid
Build a statically linked version of checkgid
--enable-static-htcacheclean
Build a statically linked version of htcacheclean
--enable-static-httxt2dbm
Build a statically linked version of httxt2dbm
--enable-static-fcgistarter
Build a statically linked version of fcgistarter
--enable-lbmethod-byrequests
Apache proxy Load balancing by request counting
--enable-lbmethod-bytraffic
Apache proxy Load balancing by traffic counting
--enable-lbmethod-bybusyness
Apache proxy Load balancing by busyness
--enable-lbmethod-heartbeat
Apache proxy Load balancing from Heartbeats
--enable-mpms-shared=MPM-LIST
Space-separated list of MPM modules to enable for
dynamic loading. MPM-LIST=list | "all"
--enable-unixd unix specific support
--enable-privileges Per-virtualhost Unix UserIDs and enhanced security
for Solaris
--enable-heartbeat Generates Heartbeats
--enable-heartmonitor Collects Heartbeats
--enable-dav WebDAV protocol handling. --enable-dav also enables
mod_dav_fs
--disable-status process/thread monitoring
--disable-autoindex directory listing
--enable-asis as-is filetypes
--enable-info server information
--enable-suexec set uid and gid for spawned processes
--enable-cgid CGI scripts. Enabled by default with threaded MPMs
--enable-cgi CGI scripts. Enabled by default with non-threaded
MPMs
--enable-dav-fs DAV provider for the filesystem. --enable-dav also
enables mod_dav_fs.
--enable-dav-lock DAV provider for generic locking
--enable-vhost-alias mass virtual hosting module
--enable-negotiation content negotiation
--disable-dir directory request handling
--enable-imagemap server-side imagemaps
--enable-actions Action triggering on requests
--enable-speling correct common URL misspellings
--enable-userdir mapping of requests to user-specific directories
--disable-alias mapping of requests to different filesystem parts
--enable-rewrite rule based URL manipulation
--enable-v4-mapped Allow IPv6 sockets to handle IPv4 connections
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-included-apr Use bundled copies of APR/APR-Util
--with-apr=PATH prefix for installed APR or the full path to
apr-config
--with-apr-util=PATH prefix for installed APU or the full path to
apu-config
--with-pcre=PATH Use external PCRE library
--with-port=PORT Port on which to listen (default is 80)
--with-sslport=SSLPORT Port on which to securelisten (default is 443)
--with-distcache=DIR Distcache installation directory
--with-z=DIR use a specific zlib library
--with-libxml2 location for libxml2
--with-lua=PATH Path to the Lua 5.1 prefix
--with-ssl=DIR OpenSSL base directory
--with-mpm=MPM Choose the process model for Apache to use by
default. MPM={event|worker|prefork|winnt} This will
be statically linked as the only available MPM
unless --enable-mpms-shared is also specified.
--with-module=module-type:module-file
Enable module-file in the modules/<module-type>
directory.
--with-program-name alternate executable name
--with-suexec-bin Path to suexec binary
--with-suexec-caller User allowed to call SuExec
--with-suexec-userdir User subdirectory
--with-suexec-docroot SuExec root directory
--with-suexec-uidmin Minimal allowed UID
--with-suexec-gidmin Minimal allowed GID
--with-suexec-logfile Set the logfile
--with-suexec-safepath Set the safepath
--with-suexec-umask umask for suexec'd process
Some influential environment variables:
CC C compiler command
CFLAGS C compiler flags
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
LIBS libraries to pass to the linker, e.g. -l<library>
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
Report bugs to the package provider.Phew! Have a read through and jot down some candidates. This may lead to other things, for example I quickly realised that I would need to use options to tell configure where to find my OpenSSL and PCRE.
PCRE : "--with-pcre=/opt/warwick/pcre/bin/pcre-config"
and : "--prefix=/opt/warwick/apache2/2.4"
and : "--with-ssl=/opt/warwick/openssl"And, of course, it would make sense to put these in place first. So, I downloaded OpenSSL from http://www.openssl.org/source and compiled with:
It was super-easy
# ./Configure solaris-x86-cc --shared --prefix=/opt/warwick/opensslThen ‘make’, ‘make install’ and OpenSSL is ready.
PCRE was equally as straight forward, available from http://www.pcre.org/
Now I have OpenSSL under /opt/warwick/openssl and PCRE under /opt/warwick/pcre, back to the plot with Apache. The final configure options I used were:
"./configure" \
"--prefix=/opt/warwick/apache2/2.4" \
"--enable-so" \
"--enable-mods-shared=all" \
"--enable-cache" \
"--enable-deflate" \
"--enable-disk-cache" \
"--enable-file-cache" \
"--enable-cgi" \
"--enable-proxy" \
"--enable-proxy-ajp" \
"--enable-proxy-balancer" \
"--enable-proxy-connect" \
"--enable-proxy-http" \
"--enable-ssl" \
"--enable-suexec" \
"--with-suexec-caller=webservd" \
"--enable-exception-hook" \
"--with-ssl=/opt/warwick/openssl" \
"--with-included-apr" \
"--with-mpm=prefork" \
"--with-pcre=/opt/warwick/pcre/bin/pcre-config" \
"CC=cc -m32" \
"CFLAGS=-xarch=386 -xchip=pentium -xspace -xs -xO4 -Xa -xildoff -xc99=all -xnorunpath -m32 -DSSL_ENGINE -DSSL_EXPERIMENTAL" \
"LDFLAGS= -s" \
"$@"What I found after compilation is that the configure script doesn’t correctly pick up the change of location for SSL. Setting the LD_RUN_PATH before the make solves this:
# export LD_RUN_PATH=/opt/warwick/openssl/libAfter ‘make’ and ‘make install’, I checked my new libraries and modules with:
bash-3.00# ldd /opt/warwick/apache2/2.4/modules/mod_ssl.so
libssl.so.1.0.0 => /opt/warwick/openssl/lib/libssl.so.1.0.0
libcrypto.so.1.0.0 => /opt/warwick/openssl/lib/libcrypto.so.1.0.0The PCRE linking can be checked with:
bash-3.00# ldd /opt/warwick/apache2/2.4/bin/httpd
libpcre.so.0 => /opt/warwick/pcre/lib/libpcre.so.0After creation of some self-signed certs, the installation is tested and seems to work fine:
bash-3.00# /opt/warwick/apache2/2.4/bin/apachectl start
bash-3.00# tail /opt/warwick/apache2/2.4/logs/error_log
[Fri Feb 24 13:15:27.869212 2012] [mpm_prefork:notice] [pid 16668] AH00169: caught SIGTERM, shutting down
[Fri Feb 24 13:15:28.315640 2012] [mpm_prefork:notice] [pid 16735] AH00163: Apache/2.4.1 (Unix) OpenSSL/1.0.0g configured
-- resuming normal operations
[Fri Feb 24 13:15:28.315777 2012] [core:notice] [pid 16735] AH00094: Command line: '/opt/warwick/apache2/2.4/bin/httpd'
bash-3.00#
bash-3.00# netstat -an | grep 80
*.51680 Idle
*.80 *.* 0 0 49152 0 LISTEN
*.80 *.* 0 0 49152 0 LISTEN
bash-3.00# netstat -an | grep 443
*.443 *.* 0 0 49152 0 LISTEN
*.443 *.* 0 0 49152 0 LISTEN
bash-3.00# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /
<html><h1>It works!</h1></html>
Connection to localhost closed by foreign host.
bash-3.00# SSL works too – tested in a browser.
Soon I’ll package this up, first a custom manifest for SMF. The reader should be noted that currently, because of the need to bind to a privileged port, apache normally needs to start as the root user;
root 9911 18276 0 14:29:48 ? 0:00 /opt/warwick/apache2/2.4/bin/httpd -k startThe server will hand off children processes as the webservd user, but there will always be the single parent running as root. Clearly the process doesn’t need full root privileges, only the ability to bind to ports lower than 1024. There is room here then for security improvements / paranoia relief because we can use the least priv model in Solaris to run everything as webservd and give webservd just the enough privs (net_privaddr). The manifest I’ve used is fundamentally the same as the one found here
setprop start/privileges = astring: (basic,!proc_session,!proc_info,!file_link_any,net_privaddr)
setprop start/user = astring: (webservd)OK, create the manifest and method script with these entries and import…
# cp war-apache2.xml /var/svc/manifest/network/
# cp war-apache2 /lib/svc/method/
bash-3.00# svccfg import /var/svc/manifest/network/war-apache2.xml
bash-3.00# svcs war-apache2
STATE STIME FMRI
disabled 14:20:08 svc:/network/war-apache2:default
bash-3.00# /opt/warwick/apache2/2.4/bin/apachectl stop
bash-3.00# svcadm enable war-apache2 ; tail -f /opt/warwick/apache2/2.4/logs/error_log
[Fri Feb 24 13:02:21.804521 2012] [mpm_prefork:notice] [pid 14926] AH00163: Apache/2.4.1 (Unix) OpenSSL/1.0.0g configured -- resuming normal operations
[Fri Feb 24 13:02:21.804585 2012] [core:notice] [pid 14926] AH00094: Command line: '/opt/warwick/apache2/2.4/bin/httpd'After this, we can see that it all started ok:
bash-3.00# svcs war-apache2
STATE STIME FMRI
online 13:02:21 svc:/network/war-apache2:default
bash-3.00# Notice, not a single root process…
bash-3.00# ps -ef | grep http | grep -v grep
webservd 14930 14926 0 13:02:22 ? 0:00 /opt/warwick/apache2/2.4/bin/httpd -k start
webservd 14928 14926 0 13:02:22 ? 0:00 /opt/warwick/apache2/2.4/bin/httpd -k start
webservd 14931 14926 0 13:02:22 ? 0:00 /opt/warwick/apache2/2.4/bin/httpd -k start
webservd 14927 14926 0 13:02:22 ? 0:00 /opt/warwick/apache2/2.4/bin/httpd -k start
webservd 14929 14926 0 13:02:22 ? 0:00 /opt/warwick/apache2/2.4/bin/httpd -k start
webservd 14926 18276 0 13:02:22 ? 0:00 /opt/warwick/apache2/2.4/bin/httpd -k startWhich is neat. very neat. Now I’ll attempt to package this all up in an SVR4 pkg.
# find /opt/warwick/apache2 -print > /var/tmp/war-apache-pkg/file-list
# cat /var/tmp/war-apache-pkg/file-list | pkgproto > /var/tmp/war-apache-pkg/Prototype
bash-3.00# cat pkginfo
PKG="WARapache"
NAME="Apache 2.4"
VERSION="2.4.1"
ARCH="x86"
CLASSES="none"
CATEGORY="utility"
VENDOR="Warwick"
PSTAMP="ro-ora01-sol10-201202241534"
EMAIL="paul.eggleton@warwick.ac.uk"
ISTATES="S s 1 2 3"
RSTATES="S s 1 2 3"
BASEDIR="/"I also created a basic postinstall and checkinstall script. The checkinstall is optional and I used this simply to check the architecture was correct. The postinstall installs the SMF service;
bash-3.00# cat postinstall
#!/bin/sh
if [ -f /var/svc/manifest/network/war-apache2.xml ]
then
/usr/sbin/svccfg import /var/svc/manifest/network/war-apache2.xml
else
echo "Error with installation - /var/svc/manifest/network/war-apache2.xml not present, aborting"
exit 1
fiNext the SVR4 packaging voodoo;
# pkgmk -o -r / -d /var/tmp/war-apache-pkg/ -f Prototype
# pkgtrans -s /var/tmp/war-apache-pkg WARapache24.pkg WARapacheAnd we have a package:
bash-3.00# ls WAR*
WARapache24.pkg
WARapache:
install pkginfo pkgmap root
bash-3.00#
bash-3.00# pkginfo -d WARapache24.pkg
utility WARapache Apache 2.4
bash-3.00#
bash-3.00# pkgadd -d WARapache24.pkg
The following packages are available:
1 WARapache Apache 2.4
(x86) 2.4.1
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: My OpenSSL package was built almost identically. I think this is almost the finished product. I should note that I also included the PCRE files in the final WARapache package to avoided an extra package dependency.
Next up, Solaris 11 and IPS.
27 Feb 2012 16:25
| 
Tags: Solaris
| 
Comments (1)
| 
Report a problem
Please wait - comments are loading
Loading…
