February 27, 2012

Compilation and Packaging of Apache 2.4 on Solaris 10

Wow, it has been an age since I posted here. Oops. This isn’t because I’ve not been doing interesting things, more just a matter of failing to find the time. No excuses, this is bad. I resolve to blog more often (which isn’t going to be hard given the recent record).

Anyway, on with the plot: this blog details my recent adventures compiling Apache 2.4 on Solaris 10. I also include steps for compiling OpenSSL, rather than relying on the libraries shipped with Solaris 10. The Update 9 release of Solaris 10 I’m using includes OpenSSL version 0.9.7d, but by deciding to compile my own I move up to version 1.0.0g.

Following the successful compilation, I cover the creation of an SVR4 package or two for the new software. I hope to follow this article with a version for Solaris 11 and IPS.

The first step is, of course, to download the source. The Apache 2.4 source is available here:


Once downloaded, unpack into a working directory of choice; mine was /var/tmp/httpd-2.4.1. There are many options for configuring and compiling Apache and I won’t regurgitate the README or the Documentation here; suffice to say you do need to do your own background reading and choose the options most applicable to your needs.

Further, I should mention prerequisites: the compiler itself, of course. I’m using the Sun Studio compilers, installed in my environment into /opt/studio. This means that, as a minimum, I need to include /opt/studio/bin and /usr/ccs/bin in my PATH:

export PATH=/usr/sbin:/usr/bin:/opt/studio/bin:/usr/ccs/bin

This should result in access to the ‘cc’ and ‘make’ commands as follows;

bash-3.00# which cc
bash-3.00# which make

Once you are set with the compiler you need to get back to thinking about your configure options. There are many;

bash-3.00# ./configure --help 
`configure' configures this package to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX

By default, `make install' will install all the files in
`/usr/local/apache2/bin', `/usr/local/apache2/lib' etc.  You can specify
an installation prefix other than `/usr/local/apache2' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/PACKAGE]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]
  --target=TARGET   configure for building compilers for TARGET [HOST]

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-dtrace         Enable DTrace probes
  --enable-hook-probes    Enable APR hook probes
  --enable-exception-hook Enable fatal exception hook
                          Load all modules
                          Turn on debugging and compile time warnings and load
                          all compiled modules
  --enable-debugger-mode  Turn on debugging and compile time warnings and turn
                          off optimization
  --enable-pie            Build httpd as a Position Independent Executable
                          Space-separated list of modules to enable | "all" |
                          "most" | "few" | "none" | "reallyall" 
                          Space-separated list of shared modules to enable |
                          "all" | "most" | "few" | "reallyall" 
                          Space-separated list of static modules to enable |
                          "all" | "most" | "few" | "reallyall" 
  --disable-authn-file    file-based authentication control
  --enable-authn-dbm      DBM-based authentication control
  --enable-authn-anon     anonymous user authentication control
  --enable-authn-dbd      SQL-based authentication control
  --enable-authn-socache  Cached authentication control
  --disable-authn-core    core authentication module
  --disable-authz-host    host-based authorization control
                          'require group' authorization control
  --disable-authz-user    'require user' authorization control
  --enable-authz-dbm      DBM-based authorization control
  --enable-authz-owner    'require file-owner' authorization control
  --enable-authz-dbd      SQL based authorization and Login/Session support
  --disable-authz-core    core authorization provider vector module
  --enable-authnz-ldap    LDAP based authentication
  --disable-access-compat mod_access compatibility
  --disable-auth-basic    basic authentication
  --enable-auth-form      form authentication
  --enable-auth-digest    RFC2617 Digest authentication
  --enable-allowmethods   restrict allowed HTTP methods
  --enable-isapi          isapi extension support
  --enable-file-cache     File cache
  --enable-cache          dynamic file caching. At least one storage
                          management module (e.g. mod_cache_disk) is also
  --enable-cache-disk     disk caching module
  --enable-socache-shmcb  shmcb small object cache provider
  --enable-socache-dbm    dbm small object cache provider
                          memcache small object cache provider
  --enable-socache-dc     distcache small object cache provider
  --enable-so             DSO capability. This module will be automatically
                          enabled unless you build all modules statically.
  --enable-watchdog       Watchdog module
  --enable-dbd            Apache DBD Framework
  --enable-bucketeer      buckets manipulation filter. Useful only for
                          developers and testing purposes.
  --enable-dumpio         I/O dump filter
  --enable-echo           ECHO server
  --enable-example-hooks  Example hook callback handler module
  --enable-case-filter    Example uppercase conversion filter
  --enable-case-filter-in Example uppercase conversion input filter
  --enable-example-ipc    Example of shared memory and mutex usage
  --enable-buffer         Filter Buffering
  --enable-data           RFC2397 data encoder
  --enable-ratelimit      Output Bandwidth Limiting
  --disable-reqtimeout    Limit time waiting for request from client
  --enable-ext-filter     external filter module
  --enable-request        Request Body Filtering
  --enable-include        Server Side Includes
  --disable-filter        Smart Filtering
  --enable-reflector      Reflect request through the output filter stack
  --enable-substitute     response content rewrite-like filtering
  --enable-sed            filter request and/or response bodies through sed
  --disable-charset-lite  character set translation. Enabled by default only
                          on EBCDIC systems.
  --enable-charset-lite   character set translation. Enabled by default only
                          on EBCDIC systems.
  --enable-deflate        Deflate transfer encoding support
  --enable-xml2enc        i18n support for markup filters
  --enable-proxy-html     Fix HTML Links in a Reverse Proxy
  --enable-http           HTTP protocol handling. The http module is a basic
                          one that enables the server to function as an HTTP
                          server. It is only useful to disable it if you want
                          to use another protocol module instead. Don't
                          disable this module unless you are really sure what
                          you are doing. Note: This module will always be
                          linked statically.
  --disable-mime          mapping of file-extension to MIME. Disabling this
                          module is normally not recommended.
  --enable-ldap           LDAP caching and connection pooling services
  --disable-log-config    logging configuration. You won't be able to log
                          requests to the server without this module.
  --enable-log-debug      configurable debug logging
  --enable-log-forensic   forensic logging
  --enable-logio          input and output logging
  --enable-lua            Apache Lua Framework
  --enable-luajit         Enable LuaJit Support
  --disable-env           clearing/setting of ENV vars
  --enable-mime-magic     automagically determining MIME type
  --enable-cern-meta      CERN-type meta files
  --enable-expires        Expires header control
  --disable-headers       HTTP header control
  --enable-ident          RFC 1413 identity check
  --enable-usertrack      user-session tracking
  --enable-unique-id      per-request unique ids
  --disable-setenvif      basing ENV vars on headers
  --disable-version       determining httpd version in config files
  --enable-remoteip       translate header contents to an apparent client
  --enable-proxy          Apache proxy module
  --enable-proxy-connect  Apache proxy CONNECT module. Requires and is enabled
                          by --enable-proxy.
  --enable-proxy-ftp      Apache proxy FTP module. Requires and is enabled by
  --enable-proxy-http     Apache proxy HTTP module. Requires and is enabled by
  --enable-proxy-fcgi     Apache proxy FastCGI module. Requires and is enabled
                          by --enable-proxy.
  --enable-proxy-scgi     Apache proxy SCGI module. Requires and is enabled by
  --enable-proxy-fdpass   Apache proxy to Unix Daemon Socket module. Requires
  --enable-proxy-ajp      Apache proxy AJP module. Requires and is enabled by
  --enable-proxy-balancer Apache proxy BALANCER module. Requires and is
                          enabled by --enable-proxy.
  --enable-proxy-express  mass reverse-proxy module. Requires --enable-proxy.
  --enable-session        session module
  --enable-session-cookie session cookie module
  --enable-session-crypto session crypto module
  --enable-session-dbd    session dbd module
  --enable-slotmem-shm    slotmem provider that uses shared memory
  --enable-slotmem-plain  slotmem provider that uses plain memory
  --enable-ssl            SSL/TLS support (mod_ssl)
                          example optional hook exporter
                          example optional hook importer
                          example optional function importer
                          example optional function exporter
  --enable-dialup         rate limits static files to dialup modem speeds
  --enable-static-support Build a statically linked version of the support
                          Build a statically linked version of htpasswd
                          Build a statically linked version of htdigest
                          Build a statically linked version of rotatelogs
                          Build a statically linked version of logresolve
  --enable-static-htdbm   Build a statically linked version of htdbm
  --enable-static-ab      Build a statically linked version of ab
                          Build a statically linked version of checkgid
                          Build a statically linked version of htcacheclean
                          Build a statically linked version of httxt2dbm
                          Build a statically linked version of fcgistarter
                          Apache proxy Load balancing by request counting
                          Apache proxy Load balancing by traffic counting
                          Apache proxy Load balancing by busyness
                          Apache proxy Load balancing from Heartbeats
                          Space-separated list of MPM modules to enable for
                          dynamic loading. MPM-LIST=list | "all" 
  --enable-unixd          unix specific support
  --enable-privileges     Per-virtualhost Unix UserIDs and enhanced security
                          for Solaris
  --enable-heartbeat      Generates Heartbeats
  --enable-heartmonitor   Collects Heartbeats
  --enable-dav            WebDAV protocol handling. --enable-dav also enables
  --disable-status        process/thread monitoring
  --disable-autoindex     directory listing
  --enable-asis           as-is filetypes
  --enable-info           server information
  --enable-suexec         set uid and gid for spawned processes
  --enable-cgid           CGI scripts. Enabled by default with threaded MPMs
  --enable-cgi            CGI scripts. Enabled by default with non-threaded
  --enable-dav-fs         DAV provider for the filesystem. --enable-dav also
                          enables mod_dav_fs.
  --enable-dav-lock       DAV provider for generic locking
  --enable-vhost-alias    mass virtual hosting module
  --enable-negotiation    content negotiation
  --disable-dir           directory request handling
  --enable-imagemap       server-side imagemaps
  --enable-actions        Action triggering on requests
  --enable-speling        correct common URL misspellings
  --enable-userdir        mapping of requests to user-specific directories
  --disable-alias         mapping of requests to different filesystem parts
  --enable-rewrite        rule based URL manipulation
  --enable-v4-mapped      Allow IPv6 sockets to handle IPv4 connections

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-included-apr     Use bundled copies of APR/APR-Util
  --with-apr=PATH         prefix for installed APR or the full path to
  --with-apr-util=PATH    prefix for installed APU or the full path to
  --with-pcre=PATH        Use external PCRE library
  --with-port=PORT        Port on which to listen (default is 80)
  --with-sslport=SSLPORT  Port on which to securelisten (default is 443)
  --with-distcache=DIR    Distcache installation directory
  --with-z=DIR            use a specific zlib library
  --with-libxml2          location for libxml2
  --with-lua=PATH         Path to the Lua 5.1 prefix
  --with-ssl=DIR          OpenSSL base directory
  --with-mpm=MPM          Choose the process model for Apache to use by
                          default. MPM={event|worker|prefork|winnt} This will
                          be statically linked as the only available MPM
                          unless --enable-mpms-shared is also specified.
                          Enable module-file in the modules/<module-type>
  --with-program-name     alternate executable name
  --with-suexec-bin       Path to suexec binary
  --with-suexec-caller    User allowed to call SuExec
  --with-suexec-userdir   User subdirectory
  --with-suexec-docroot   SuExec root directory
  --with-suexec-uidmin    Minimal allowed UID
  --with-suexec-gidmin    Minimal allowed GID
  --with-suexec-logfile   Set the logfile
  --with-suexec-safepath  Set the safepath
  --with-suexec-umask     umask for suexec'd process

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Report bugs to the package provider.

Phew! Have a read through and jot down some candidates. This may lead to other things, for example I quickly realised that I would need to use options to tell configure where to find my OpenSSL and PCRE.

PCRE :  "--with-pcre=/opt/warwick/pcre/bin/pcre-config" 
and  :  "--prefix=/opt/warwick/apache2/2.4" 
and  :  "--with-ssl=/opt/warwick/openssl"

And, of course, it would make sense to put these in place first. So, I downloaded OpenSSL from http://www.openssl.org/source and compiled it. It was super-easy:

# ./Configure solaris-x86-cc --shared --prefix=/opt/warwick/openssl

Then ‘make’, ‘make install’ and OpenSSL is ready.

PCRE was equally straightforward, available from http://www.pcre.org/

Now I have OpenSSL under /opt/warwick/openssl and PCRE under /opt/warwick/pcre, back to the plot with Apache. The final configure options I used were:

"./configure" \
"--prefix=/opt/warwick/apache2/2.4" \
"--enable-so" \
"--enable-mods-shared=all" \
"--enable-cache" \
"--enable-deflate" \
"--enable-disk-cache" \
"--enable-file-cache" \
"--enable-cgi" \
"--enable-proxy" \
"--enable-proxy-ajp" \
"--enable-proxy-balancer" \
"--enable-proxy-connect" \
"--enable-proxy-http" \
"--enable-ssl" \
"--enable-suexec" \
"--with-suexec-caller=webservd" \
"--enable-exception-hook" \
"--with-ssl=/opt/warwick/openssl" \
"--with-included-apr" \
"--with-mpm=prefork" \
"--with-pcre=/opt/warwick/pcre/bin/pcre-config" \
"CC=cc -m32" \
"CFLAGS=-xarch=386 -xchip=pentium -xspace -xs -xO4 -Xa -xildoff -xc99=all -xnorunpath -m32 -DSSL_ENGINE -DSSL_EXPERIMENTAL" \
"LDFLAGS= -s"

What I found after compilation is that the configure script doesn’t correctly pick up the change of location for SSL. Setting the LD_RUN_PATH before the make solves this:

  # export LD_RUN_PATH=/opt/warwick/openssl/lib

After ‘make’ and ‘make install’, I checked my new libraries and modules with:

bash-3.00# ldd /opt/warwick/apache2/2.4/modules/mod_ssl.so
    libssl.so.1.0.0 =>     /opt/warwick/openssl/lib/libssl.so.1.0.0
    libcrypto.so.1.0.0 =>     /opt/warwick/openssl/lib/libcrypto.so.1.0.0

The PCRE linking can be checked with:

bash-3.00# ldd /opt/warwick/apache2/2.4/bin/httpd 
    libpcre.so.0 =>     /opt/warwick/pcre/lib/libpcre.so.0
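
The same ldd check can be scripted, so that a rebuild done without LD_RUN_PATH is caught rather than eyeballed. This is an added example, not part of the original post: the function name check_linkage and the AWK variable are assumptions, and the failing ldd lines in the demo are constructed.

```shell
#!/bin/sh
# Added example: confirm that named libraries resolve under the intended prefix.
AWK=${AWK:-awk}   # assumption: on Solaris 10 run with AWK=nawk or /usr/xpg4/bin/awk

# check_linkage PREFIX LIB...   (reads ldd output on stdin)
# Exit status 0 only if every LIB appears and resolves below PREFIX.
check_linkage() {
    prefix=$1; shift
    $AWK -v prefix="$prefix" -v want="$*" '
    BEGIN { n = split(want, libs, " ") }
    {
        for (i = 1; i <= n; i++) {
            # ldd lines look like: libssl.so.1.0.0 => /path/libssl.so.1.0.0
            if (index($1, libs[i] ".so") != 1) continue
            seen[libs[i]] = 1
            target = $3
            for (f = 4; f <= NF; f++) target = target " " $f
            if ($2 == "=>" && index(target, prefix "/") == 1) {
                print "OK      " $1 " => " target
            } else {
                print "WRONG   " $1 " => " target
                bad = 1
            }
        }
    }
    END {
        # A library that is not listed at all is also a failure.
        for (i = 1; i <= n; i++) {
            if (!(libs[i] in seen)) { print "MISSING " libs[i]; bad = 1 }
        }
        exit bad + 0
    }'
}

# The mod_ssl.so output quoted in the post: both libraries pass.
check_linkage /opt/warwick/openssl/lib libssl libcrypto <<'EOF' || echo "relink with LD_RUN_PATH set"
    libssl.so.1.0.0 =>     /opt/warwick/openssl/lib/libssl.so.1.0.0
    libcrypto.so.1.0.0 =>     /opt/warwick/openssl/lib/libcrypto.so.1.0.0
EOF

# Constructed failure: ldd output when the libraries cannot be located.
check_linkage /opt/warwick/openssl/lib libssl libcrypto <<'EOF' || echo "relink with LD_RUN_PATH set"
    libssl.so.1.0.0 =>  (file not found)
    libcrypto.so.1.0.0 =>  (file not found)
EOF
```

On the build host the input would come from `ldd /opt/warwick/apache2/2.4/modules/mod_ssl.so | check_linkage /opt/warwick/openssl/lib libssl libcrypto`.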

After creation of some self-signed certs, the installation is tested and seems to work fine:

bash-3.00# /opt/warwick/apache2/2.4/bin/apachectl start
bash-3.00# tail /opt/warwick/apache2/2.4/logs/error_log 
[Fri Feb 24 13:15:27.869212 2012] [mpm_prefork:notice] [pid 16668] AH00169: caught SIGTERM, shutting down
[Fri Feb 24 13:15:28.315640 2012] [mpm_prefork:notice] [pid 16735] AH00163: Apache/2.4.1 (Unix) OpenSSL/1.0.0g configured -- resuming normal operations
[Fri Feb 24 13:15:28.315777 2012] [core:notice] [pid 16735] AH00094: Command line: '/opt/warwick/apache2/2.4/bin/httpd'

bash-3.00# netstat -an | grep 80
      *.51680                             Idle
      *.80                 *.*                0      0 49152      0 LISTEN
      *.80                              *.*                             0      0 49152      0 LISTEN      
bash-3.00# netstat -an | grep 443
      *.443                *.*                0      0 49152      0 LISTEN
      *.443                             *.*                             0      0 49152      0 LISTEN      
bash-3.00# telnet localhost 80
Connected to localhost.
Escape character is '^]'.
<html><h1>It works!</h1></html>
Connection to localhost closed by foreign host.

SSL works too – tested in a browser.

Soon I’ll package this up; first, a custom manifest for SMF. The reader should note that currently, because of the need to bind to a privileged port, Apache normally needs to start as the root user:

root  9911 18276   0 14:29:48 ?           0:00 /opt/warwick/apache2/2.4/bin/httpd -k start

The server will hand off child processes as the webservd user, but there will always be the single parent running as root. Clearly the process doesn’t need full root privileges, only the ability to bind to ports lower than 1024. There is room here, then, for security improvements / paranoia relief, because we can use the least-privilege model in Solaris to run everything as webservd and give webservd just enough privs (net_privaddr). The manifest I’ve used is fundamentally the same as the one found here

setprop start/privileges = astring: (basic,!proc_session,!proc_info,!file_link_any,net_privaddr)
setprop start/user = astring: (webservd)
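
The privilege string and service user above can be checked before the manifest is imported, and the process list checked once the service is online. This is an added example, not part of the original post; audit_privs and root_httpd are hypothetical helper names, and the inputs in the demo are lines quoted from this page.

```shell
#!/bin/sh
# Added example: audit the least-privilege settings and the resulting processes.
AWK=${AWK:-awk}   # assumption: on Solaris 10 run with AWK=nawk or /usr/xpg4/bin/awk

# audit_privs SPEC USER
# Passes only if USER is not root and SPEC is "basic", optional "!" removals,
# and net_privaddr as the single added privilege.
audit_privs() {
    [ "$2" != "root" ] || { echo "FAIL start/user is root"; return 1; }
    printf '%s\n' "$1" | $AWK -F, '
    {
        for (i = 1; i <= NF; i++) {
            p = $i
            gsub(/[ \t]/, "", p)
            if (p == "basic") base = 1
            else if (p == "all" || p == "zone") { print "FAIL grants full set: " p; bad = 1 }
            else if (substr(p, 1, 1) == "!") removed++
            else if (p == "net_privaddr") bind = 1
            else { print "FAIL extra privilege: " p; bad = 1 }
        }
        if (!base) { print "FAIL spec does not start from basic"; bad = 1 }
        if (!bind) { print "FAIL net_privaddr missing, cannot bind ports below 1024"; bad = 1 }
        if (!bad) print "OK   basic, " (removed + 0) " removed, net_privaddr added"
        exit bad + 0
    }'
}

# root_httpd   (reads `ps -ef` output on stdin)
# Fails if any httpd process, parent included, is owned by root.
root_httpd() {
    $AWK '
    $1 == "root" && /\/httpd( |$)/ { print "FAIL root-owned httpd, pid " $2; bad = 1 }
    END { exit bad + 0 }'
}

# The values from the setprop lines in the post.
audit_privs 'basic,!proc_session,!proc_info,!file_link_any,net_privaddr' webservd

# The root-owned parent shown in the post before the SMF change.
echo 'root  9911 18276   0 14:29:48 ?           0:00 /opt/warwick/apache2/2.4/bin/httpd -k start' |
    root_httpd || echo "parent still runs as root"
```

On a live system the second check is fed with `ps -ef | root_httpd`.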

OK, create the manifest and method script with these entries and import…

   #  cp war-apache2.xml /var/svc/manifest/network/
   #  cp war-apache2 /lib/svc/method/

bash-3.00# svccfg import /var/svc/manifest/network/war-apache2.xml 
bash-3.00# svcs war-apache2
STATE          STIME    FMRI
disabled       14:20:08 svc:/network/war-apache2:default

bash-3.00# /opt/warwick/apache2/2.4/bin/apachectl stop

bash-3.00# svcadm enable war-apache2 ; tail -f /opt/warwick/apache2/2.4/logs/error_log 

[Fri Feb 24 13:02:21.804521 2012] [mpm_prefork:notice] [pid 14926] AH00163: Apache/2.4.1 (Unix) OpenSSL/1.0.0g configured -- resuming normal operations
[Fri Feb 24 13:02:21.804585 2012] [core:notice] [pid 14926] AH00094: Command line: '/opt/warwick/apache2/2.4/bin/httpd'

After this, we can see that it all started ok:

bash-3.00# svcs war-apache2
STATE          STIME    FMRI
online         13:02:21 svc:/network/war-apache2:default

Notice, not a single root process…

bash-3.00# ps -ef | grep http | grep -v grep    
webservd 14930 14926   0 13:02:22 ?           0:00 /opt/warwick/apache2/2.4/bin/httpd -k start
webservd 14928 14926   0 13:02:22 ?           0:00 /opt/warwick/apache2/2.4/bin/httpd -k start
webservd 14931 14926   0 13:02:22 ?           0:00 /opt/warwick/apache2/2.4/bin/httpd -k start
webservd 14927 14926   0 13:02:22 ?           0:00 /opt/warwick/apache2/2.4/bin/httpd -k start
webservd 14929 14926   0 13:02:22 ?           0:00 /opt/warwick/apache2/2.4/bin/httpd -k start
webservd 14926 18276   0 13:02:22 ?           0:00 /opt/warwick/apache2/2.4/bin/httpd -k start

Which is neat. Very neat. Now I’ll attempt to package this all up in an SVR4 pkg.

# find /opt/warwick/apache2 -print > /var/tmp/war-apache-pkg/file-list 
# cat /var/tmp/war-apache-pkg/file-list | pkgproto > /var/tmp/war-apache-pkg/Prototype

bash-3.00# cat pkginfo
NAME="Apache 2.4" 
ISTATES="S s 1 2 3" 
RSTATES="S s 1 2 3" 

I also created a basic postinstall and checkinstall script. The checkinstall is optional and I used this simply to check the architecture was correct. The postinstall installs the SMF service;

bash-3.00# cat postinstall
#!/bin/sh
# Import the SMF manifest if it is in place; otherwise abort the install.
if [ -f /var/svc/manifest/network/war-apache2.xml ]
then
    /usr/sbin/svccfg import /var/svc/manifest/network/war-apache2.xml
else
    echo "Error with installation - /var/svc/manifest/network/war-apache2.xml not present, aborting"
    exit 1
fi
Next the SVR4 packaging voodoo;

# pkgmk -o -r / -d /var/tmp/war-apache-pkg/ -f Prototype 

# pkgtrans -s /var/tmp/war-apache-pkg WARapache24.pkg WARapache

And we have a package:

bash-3.00# ls WAR*

install  pkginfo  pkgmap   root

bash-3.00# pkginfo -d WARapache24.pkg 
utility     WARapache Apache 2.4

bash-3.00# pkgadd -d WARapache24.pkg 

The following packages are available:
  1  WARapache     Apache 2.4
                   (x86) 2.4.1

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 

My OpenSSL package was built almost identically. I think this is almost the finished product. I should note that I also included the PCRE files in the final WARapache package to avoid an extra package dependency.

Next up, Solaris 11 and IPS.

- One comment Not publicly viewable

  1. Maria MacCallum

    Started sorting out new vers for sparc: http://blogs.warwick.ac.uk/mariamaccallum/entry/apache_249_in/

    12 May 2014, 11:58
