PHP 7.4 packages on ubuntu jammy might be the issue for apache2 processes not being killed on graceful, leading to DoS

c0deright commented 7 months ago

Frequently asked questions

[X] I have read Frequently Asked Questions
[X] I have looked at the list of the existing issues (including closed issues) and searched if my issue has been already reported
[X] I have tried to resolve the issue myself and will describe what I did in clear and consise manner

Describe the bug

We're running stock Ubuntu LTS 22.04 jammy with apache2 version 2.4.52-1ubuntu4.7 and PHP 7.4 packages from your repo.

We experience an unusual issue which is described in detail in this bug report: Ubuntu Bug #2054301: [worker/event] Some child processes aren't killed on reload (graceful), being stuck in state "Sending Reply", leaving old logfiles open, disk fills up, server stops responding after some days, DoS.

TL;DR

What should happen

Apache2 runs php 7.4-cgi via mod_fcgid and when apache2 reloads it's configuration and closes and reopens all logfiles (eighter via apache2ctl graceful or service apache2 reload or via sending SIGUSR1 to the father apache2 process or via systemctl reload apache2) all but the father apache2 process should be exiting and new apache2 child processes are started by the father apache2 process.

What happens instead

Some of the apache2 child processes (not php-cgi) keep running, leaving file handles open on log files and don't accept incoming connections. Over time, at least every 24 hours - when logrotate runs and calls apache2ctl graceful - more and more lingering apache2 processes keep piling up, which will cause a Denial of Service after some time:

/var/log volume is filling up since deleted log files are still being held open via file handles (and thus still consume disk space since they aren't released yet). The tool df (disk free) will show gigabytes being used on /var/log volume despite du (disk usage) will only show some megabytes being used by files in /var/log.

The old apache2 child processes will eventually consume all process slots until they reach the apache2 configured maximum, leaving no apache2 process accepting connections, eventually causing a Denial-of-Service.

Ubuntu developers are indicating that this might be caused by your PHP 7.4 packages because it seems the bug report is the first of this kind. We have projects running on other jammy systems with your PHP 5.6 projects with no issues and servers on jammy systems with your PHP 7.4 packages which had this issue only with MPM worker - after switching to MPM event it disappeared. But all these other systems experience only a fraction of traffic the webserver gets where we have the issue describled in this issue - with MPM worker AND MPM event.

What steps did you take to resolve issue yourself before reporting it here

Please see the linked ubuntu bug report. Tried MPM worker, MPM event. No difference.
Tried apache2 packages from your repo (version 2.4.58-1+ubuntu22.04.1+deb.sury.org+1 instead of 2.4.52-1ubuntu4.7). No difference.
Opened bug #2054301 against apache2 package in ubuntu bugtracker.

Expected behavior No apache2 child processes running forever, not accepting connections, keeping logfiles open after logrotate runs.

Distribution

OS: Ubuntu LTS 22.04 jammy
Architecture: amd64
Repository: deb https://ppa.launchpadcontent.net/ondrej/php/ubuntu/ jammy main

Package(s)

% apt-cache policy apache2 apache2-bin apache2-data apache2-suexec-custom apache2-utils libapache2-mod-fcgid
apache2:
  Installed: 2.4.52-1ubuntu4.7
  Candidate: 2.4.52-1ubuntu4.7
  Version table:
 *** 2.4.52-1ubuntu4.7 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.52-1ubuntu4 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
apache2-bin:
  Installed: 2.4.52-1ubuntu4.7
  Candidate: 2.4.52-1ubuntu4.7
  Version table:
 *** 2.4.52-1ubuntu4.7 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.52-1ubuntu4 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
apache2-data:
  Installed: 2.4.52-1ubuntu4.7
  Candidate: 2.4.52-1ubuntu4.7
  Version table:
 *** 2.4.52-1ubuntu4.7 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.52-1ubuntu4 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
apache2-suexec-custom:
  Installed: 2.4.52-1ubuntu4.7
  Candidate: 2.4.52-1ubuntu4.7
  Version table:
 *** 2.4.52-1ubuntu4.7 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     2.4.52-1ubuntu4 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
apache2-utils:
  Installed: 2.4.52-1ubuntu4.7
  Candidate: 2.4.52-1ubuntu4.7
  Version table:
 *** 2.4.52-1ubuntu4.7 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.52-1ubuntu4 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
libapache2-mod-fcgid:
  Installed: 1:2.3.9-4
  Candidate: 1:2.3.9-4
  Version table:
 *** 1:2.3.9-4 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status

% apt-cache policy php7.4-cgi
php7.4-cgi:
  Installed: 1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1
  Candidate: 1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1
  Version table:
 *** 1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1 500
        500 https://ppa.launchpadcontent.net/ondrej/php/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status

% apt-cache policy
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 https://dl.yarnpkg.com/debian stable/main all Packages
     release o=yarn,a=stable,n=stable,l=yarn-stable,c=main,b=all
     origin dl.yarnpkg.com
 500 https://dl.yarnpkg.com/debian stable/main amd64 Packages
     release o=yarn,a=stable,n=stable,l=yarn-stable,c=main,b=amd64
     origin dl.yarnpkg.com
 500 https://ppa.launchpadcontent.net/ondrej/php/ubuntu jammy/main amd64 Packages
     release v=22.04,o=LP-PPA-ondrej-php,a=jammy,n=jammy,l=***** The main PPA for supported PHP versions with many PECL extensions *****,c=main,b=amd64
     origin ppa.launchpadcontent.net
 500 https://deb.nodesource.com/node_16.x jammy/main amd64 Packages
     release o=Node Source,n=jammy,l=Node Source,c=main,b=amd64
     origin deb.nodesource.com
 500 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=multiverse,b=amd64
     origin security.ubuntu.com
 500 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=universe,b=amd64
     origin security.ubuntu.com
 500 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=restricted,b=amd64
     origin security.ubuntu.com
 500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=main,b=amd64
     origin security.ubuntu.com
 100 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-backports,n=jammy,l=Ubuntu,c=universe,b=amd64
     origin eu-central-1.ec2.archive.ubuntu.com
 100 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-backports,n=jammy,l=Ubuntu,c=main,b=amd64
     origin eu-central-1.ec2.archive.ubuntu.com
 500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-updates,n=jammy,l=Ubuntu,c=multiverse,b=amd64
     origin eu-central-1.ec2.archive.ubuntu.com
 500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-updates,n=jammy,l=Ubuntu,c=universe,b=amd64
     origin eu-central-1.ec2.archive.ubuntu.com
 500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-updates,n=jammy,l=Ubuntu,c=restricted,b=amd64
     origin eu-central-1.ec2.archive.ubuntu.com
 500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-updates,n=jammy,l=Ubuntu,c=main,b=amd64
     origin eu-central-1.ec2.archive.ubuntu.com
 500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy,n=jammy,l=Ubuntu,c=multiverse,b=amd64
     origin eu-central-1.ec2.archive.ubuntu.com
 500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy,n=jammy,l=Ubuntu,c=universe,b=amd64
     origin eu-central-1.ec2.archive.ubuntu.com
 500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy,n=jammy,l=Ubuntu,c=restricted,b=amd64
     origin eu-central-1.ec2.archive.ubuntu.com
 500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy,n=jammy,l=Ubuntu,c=main,b=amd64
     origin eu-central-1.ec2.archive.ubuntu.com
Pinned packages:

% dpkg -l | grep -F deb.sury.org
ii  libgd3:amd64                     2.3.3-9+ubuntu22.04.1+deb.sury.org+1         amd64        GD Graphics Library
ii  libhashkit2:amd64                1.1.4-1+ubuntu22.04.1+deb.sury.org+1         amd64        libmemcached hashing functions and algorithms
ii  libmemcached11:amd64             1.1.4-1+ubuntu22.04.1+deb.sury.org+1         amd64        C and C++ client library to the memcached server
ii  libpcre2-16-0:amd64              10.42-3+ubuntu22.04.1+deb.sury.org+1         amd64        New Perl Compatible Regular Expression Library - 16 bit runtime files
ii  libpcre2-32-0:amd64              10.42-3+ubuntu22.04.1+deb.sury.org+1         amd64        New Perl Compatible Regular Expression Library - 32 bit runtime files
ii  libpcre2-8-0:amd64               10.42-3+ubuntu22.04.1+deb.sury.org+1         amd64        New Perl Compatible Regular Expression Library- 8 bit runtime files
ii  libpcre2-dev:amd64               10.42-3+ubuntu22.04.1+deb.sury.org+1         amd64        New Perl Compatible Regular Expression Library - development files
ii  libpcre2-posix3:amd64            10.42-3+ubuntu22.04.1+deb.sury.org+1         amd64        New Perl Compatible Regular Expression Library - posix-compatible runtime files
ii  libpcre3:amd64                   2:8.45-1+ubuntu22.04.1+deb.sury.org+1        amd64        Perl 5 Compatible Regular Expression Library - runtime files
ii  libxml2:amd64                    2.9.14+dfsg-0.1+ubuntu22.04.1+deb.sury.org+1 amd64        GNOME XML library
ii  php-apcu-bc                      1.0.5-19+ubuntu22.04.1+deb.sury.org+4        amd64        APCu Backwards Compatibility Module
ii  php-common                       2:94+ubuntu22.04.1+deb.sury.org+2            all          Common files for PHP packages
ii  php7.4-apcu                      5.1.23-1+ubuntu22.04.1+deb.sury.org+1        amd64        APC User Cache for PHP
ii  php7.4-apcu-bc                   1.0.5-19+ubuntu22.04.1+deb.sury.org+4        amd64        APCu Backwards Compatibility Module
ii  php7.4-bcmath                    1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        Bcmath module for PHP
ii  php7.4-cgi                       1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        server-side, HTML-embedded scripting language (CGI binary)
ii  php7.4-cli                       1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        command-line interpreter for the PHP scripting language
ii  php7.4-common                    1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        documentation, examples and common module for PHP
ii  php7.4-curl                      1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        CURL module for PHP
ii  php7.4-dba                       1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        DBA module for PHP
ii  php7.4-dev                       1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        Files for PHP7.4 module development
ii  php7.4-gd                        1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        GD module for PHP
ii  php7.4-igbinary                  3.2.15-1+ubuntu22.04.1+deb.sury.org+1        amd64        igbinary PHP serializer
ii  php7.4-imagick                   3.7.0-4+ubuntu22.04.1+deb.sury.org+2         amd64        Provides a wrapper to the ImageMagick library
ii  php7.4-intl                      1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        Internationalisation module for PHP
ii  php7.4-json                      1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        JSON module for PHP
ii  php7.4-mbstring                  1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        MBSTRING module for PHP
ii  php7.4-mcrypt                    3:1.0.6-1+ubuntu22.04.1+deb.sury.org+2       amd64        PHP bindings for the libmcrypt library
ii  php7.4-memcached                 3.2.0++-1+ubuntu22.04.1+deb.sury.org+2       amd64        memcached extension module for PHP, uses libmemcached
ii  php7.4-msgpack                   1:2.1.2-1+ubuntu22.04.1+deb.sury.org+1       amd64        PHP extension for interfacing with MessagePack
ii  php7.4-mysql                     1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        MySQL module for PHP
ii  php7.4-oauth                     2.0.7++-1+ubuntu22.04.1+deb.sury.org+2       amd64        OAuth 1.0 consumer and provider extension
ii  php7.4-opcache                   1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        Zend OpCache module for PHP
ii  php7.4-phpdbg                    1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        server-side, HTML-embedded scripting language (PHPDBG binary)
ii  php7.4-readline                  1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        readline module for PHP
ii  php7.4-redis                     6.0.2-1+ubuntu22.04.1+deb.sury.org+1         amd64        PHP extension for interfacing with Redis
ii  php7.4-xml                       1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        DOM, SimpleXML, XML, and XSL module for PHP
ii  php7.4-xmlrpc                    1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        XMLRPC-EPI module for PHP
ii  php7.4-zip                       1:7.4.33-8+ubuntu22.04.1+deb.sury.org+1      amd64        Zip module for PHP

c0deright commented 7 months ago

More info from the ubuntu bug report:

Most of the lingering apache2 processes have incoming TCP connections in state CLOSE_WAIT. After some time (30 mins/1h) these connections disappear from netstat output. Apache2 /server-status still reports that these processes have 1-3 open connections which clearly isn't the case. The state of the apache2 processes in question is "Sending Reply" respectively "Stopping".

Example

% ps f -o user,pid,nice,%cpu,%mem,cputime,etime,thcount,command ax
USER         PID  NI %CPU %MEM     TIME     ELAPSED THCNT COMMAND
root      906764   0  0.0  0.1 00:00:00       30:30     1 /usr/sbin/apache2 -k start
www-data  906768   0  1.1  0.2 00:00:20       30:30     3  \_ /usr/sbin/apache2 -k start   <-----
www-data  906771   0  1.5  0.2 00:00:27       30:30     3  \_ /usr/sbin/apache2 -k start   <-----
www-data  906772   0  0.7  0.2 00:00:14       30:30     5  \_ /usr/sbin/apache2 -k start   <-----
www-data  907681   0  0.0  0.0 00:00:00       15:47     1  \_ /usr/sbin/apache2 -k start
netto     907948   0  0.9  0.7 00:00:09       15:46     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907956   0  1.2  0.7 00:00:11       15:45     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907957   0  0.5  0.7 00:00:05       15:45     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907958   0  1.6  0.7 00:00:15       15:45     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907959   0  0.9  0.7 00:00:08       15:45     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907960   0  0.7  0.6 00:00:06       15:45     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907961   0  1.1  0.7 00:00:11       15:45     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907964   0  1.2  0.7 00:00:11       15:45     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907965   0  2.0  0.7 00:00:19       15:45     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907967   0  1.6  0.7 00:00:15       15:45     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907968   0  0.7  0.7 00:00:07       15:45     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907976   0  2.0  0.7 00:00:19       15:44     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     907979   0  0.1  0.6 00:00:01       15:42     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     908228   0  0.1  0.6 00:00:00       08:33     1  |   \_ /usr/lib/cgi-bin/php7.4
netto     908230   0  0.0  0.6 00:00:00       08:33     1  |   \_ /usr/lib/cgi-bin/php7.4
www-data  907683   0  0.8  0.3 00:00:07       15:46    52  \_ /usr/sbin/apache2 -k start
www-data  907684   0  1.0  0.3 00:00:10       15:46    52  \_ /usr/sbin/apache2 -k start
www-data  907685   0  0.9  0.3 00:00:08       15:46    52  \_ /usr/sbin/apache2 -k start
www-data  907687   0  2.3  0.4 00:00:21       15:46    52  \_ /usr/sbin/apache2 -k start
www-data  907688   0  1.7  0.4 00:00:16       15:46    52  \_ /usr/sbin/apache2 -k start

Apache was restarted 30 minutes and 30 seconds ago and reloaded 15 minutes and 46 seconds ago. The php child processes and the apache2 child processes at the bottom of the process list have been restarted after the graceful command - but the <----- marked apache2 processes are still running.

/server-status

Server Version: Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.2 Server MPM: event Server Built: 2023-10-25T05:39:09

Current Time: Tuesday, 20-Feb-2024 10:44:55 CET Restart Time: Tuesday, 20-Feb-2024 10:10:15 CET Parent Server Config. Generation: 2 Parent Server MPM Generation: 1 Server uptime: 34 minutes 39 seconds Server load: 0.59 0.41 0.40 Total accesses: 48447 - Total Traffic: 895.7 MB - Total Duration: 835184 CPU Usage: u118.76 s27.27 cu128 cs24.35 - 14.4% CPU load 23.3 requests/sec - 441.2 kB/second - 18.9 kB/request - 17.2391 ms/request 45 requests currently being processed, 0 workers gracefully restarting, 205 idle workers

Slot PID Stopping Connections Threads Async connections total accept busy graceful idle writing keep-alive closing 0 906768 yes (old gen) 1 no 0 0 0 0 0 0 1 907683 no 15 yes 7 0 43 0 6 1 2 907684 no 18 yes 9 0 41 0 8 3 3 906771 yes (old gen) 1 no 0 0 0 0 0 0 4 906772 yes (old gen) 3 no 0 0 0 0 0 0 5 907685 no 15 yes 5 0 45 0 7 1 6 907687 no 36 yes 11 0 39 0 20 5 7 907688 no 28 yes 13 0 37 0 11 4 Sum 8 3 117 45 0 205 0 52 14

............................................W.....R__RR__R_____R
R________________R__________________________R________________R_R
_______RR_W___R____RR_........................W.................
.............W..............W.................W..........._R____
___R___R______________R_______________R________R____R__RRR____R_
___R_R__R_____R__________R___________R______________R___R__R_R__
RRRR___R__RR__R_................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
........................................

Scoreboard Key: "_" Waiting for Connection, "S" Starting up, "R" Reading Request, "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup, "C" Closing connection, "L" Logging, "G" Gracefully finishing, "I" Idle cleanup of worker, "." Open slot with no current process

Srv PID Acc     M   CPU     SS  Req Dur Conn    Child   Slot    Client      Protocol    VHost           Request
0-0 906768  1/146/146   W   20.52   1181    0   1569    0.0 2.37    2.37    77.23.XXX.XX    http/1.1    www.nettolohn.de:443    POST / HTTP/1.1
3-0 906771  1/180/180   W   27.46   1195    0   2123    0.0 3.53    3.53    176.4.XXX.XXX   http/1.1    www.nettolohn.de:443    POST / HTTP/1.1
4-0 906772  1/103/103   W   14.30   1188    0   1163    0.0 1.78    1.78    95.91.XXX.XXX   http/1.1    www.nettolohn.de:443    GET / HTTP/1.1
4-0 906772  1/101/101   W   13.71   1194    0   1161    0.0 1.80    1.80    91.65.XXX.XXX   http/1.1    www.nettolohn.de:443    GET /rechner/firmenwagenrechner.html HTTP/1.1
4-0 906772  1/98/98     W   14.33   1192    0   3356    0.0 2.06    2.06    156.67.XXX.XXX  http/1.1    www.nettolohn.de:443    POST / HTTP/1.1

Now let's see if the lingering apache2 processes have really TCP connections open:

% netstat -antpe | grep -P '906768|906771|906772'
tcp6       1      0 10.0.X.Y:443         91.65.XXX.XXX:58430     CLOSE_WAIT  33         115570910  906772/apache2
tcp6       1      0 10.0.X.Y:443         77.23.XXX.XX:48341      CLOSE_WAIT  33         115570504  906768/apache2
tcp6       1      0 10.0.X.Y:443         156.67.XXX.XXX:51031    CLOSE_WAIT  33         115571313  906772/apache2
tcp6       1      0 10.0.X.Y:443         95.91.XXX.XXX:4912      CLOSE_WAIT  33         115571178  906772/apache2
tcp6       1      0 10.0.X.Y:443         176.4.XXX.XXX:39367     CLOSE_WAIT  33         115570723  906771/apache2

lsof still showing several threads in these processes having open file handles on logfiles:

% lsof -n | grep -P '(906768|906771|906772).*(TCP|log)'
apache2   906768                         www-data    2w      REG              259,3      13551     263809 /var/log/apache2/error.log
apache2   906768                         www-data    3u     sock                0,8        0t0  115491219 protocol: TCP
apache2   906768                         www-data    5u     sock                0,8        0t0  115491223 protocol: TCP
apache2   906768                         www-data   10w      REG              259,2   26081587     110129 /home/netto/www.nettolohn.de/www_log/error_log
apache2   906768                         www-data   11w      REG              259,3  108695678     263712 /var/log/apache2/access.log
apache2   906768                         www-data   44u     IPv6          115570504        0t0        TCP 10.0.XX.XXX:https->77.23.XXX.XXX:48341 (CLOSE_WAIT)
apache2   906768 907058 apache2          www-data    2w      REG              259,3      13551     263809 /var/log/apache2/error.log
apache2   906768 907058 apache2          www-data    3u     sock                0,8        0t0  115491219 protocol: TCP
apache2   906768 907058 apache2          www-data    5u     sock                0,8        0t0  115491223 protocol: TCP
apache2   906768 907058 apache2          www-data   10w      REG              259,2   26081587     110129 /home/netto/www.nettolohn.de/www_log/error_log
apache2   906768 907058 apache2          www-data   11w      REG              259,3  108695678     263712 /var/log/apache2/access.log
apache2   906768 907058 apache2          www-data   44u     IPv6          115570504        0t0        TCP 10.0.XX.XXX:https->77.23.XXX.XXX:48341 (CLOSE_WAIT)
apache2   906768 907069 apache2          www-data    2w      REG              259,3      13551     263809 /var/log/apache2/error.log
apache2   906768 907069 apache2          www-data    3u     sock                0,8        0t0  115491219 protocol: TCP
apache2   906768 907069 apache2          www-data    5u     sock                0,8        0t0  115491223 protocol: TCP
apache2   906768 907069 apache2          www-data   10w      REG              259,2   26081587     110129 /home/netto/www.nettolohn.de/www_log/error_log
apache2   906768 907069 apache2          www-data   11w      REG              259,3  108695678     263712 /var/log/apache2/access.log
apache2   906768 907069 apache2          www-data   44u     IPv6          115570504        0t0        TCP 10.0.XX.XXX:https->77.23.XXX.XXX:48341 (CLOSE_WAIT)
apache2   906771                         www-data    2w      REG              259,3      13551     263809 /var/log/apache2/error.log
apache2   906771                         www-data    3u     sock                0,8        0t0  115491219 protocol: TCP
apache2   906771                         www-data    5u     sock                0,8        0t0  115491223 protocol: TCP
apache2   906771                         www-data   10w      REG              259,2   26081587     110129 /home/netto/www.nettolohn.de/www_log/error_log
apache2   906771                         www-data   11w      REG              259,3  108695678     263712 /var/log/apache2/access.log
apache2   906771                         www-data   63u     IPv6          115570723        0t0        TCP 10.0.XX.XXX:https->176.4.XXX.XXX:39367 (CLOSE_WAIT)
apache2   906771 906944 apache2          www-data    2w      REG              259,3      13551     263809 /var/log/apache2/error.log
apache2   906771 906944 apache2          www-data    3u     sock                0,8        0t0  115491219 protocol: TCP
apache2   906771 906944 apache2          www-data    5u     sock                0,8        0t0  115491223 protocol: TCP
apache2   906771 906944 apache2          www-data   10w      REG              259,2   26081587     110129 /home/netto/www.nettolohn.de/www_log/error_log
apache2   906771 906944 apache2          www-data   11w      REG              259,3  108695678     263712 /var/log/apache2/access.log
apache2   906771 906944 apache2          www-data   63u     IPv6          115570723        0t0        TCP 10.0.XX.XXX:https->176.4.XXX.XXX:39367 (CLOSE_WAIT)
apache2   906771 906970 apache2          www-data    2w      REG              259,3      13551     263809 /var/log/apache2/error.log
apache2   906771 906970 apache2          www-data    3u     sock                0,8        0t0  115491219 protocol: TCP
apache2   906771 906970 apache2          www-data    5u     sock                0,8        0t0  115491223 protocol: TCP
apache2   906771 906970 apache2          www-data   10w      REG              259,2   26081587     110129 /home/netto/www.nettolohn.de/www_log/error_log
apache2   906771 906970 apache2          www-data   11w      REG              259,3  108695678     263712 /var/log/apache2/access.log
apache2   906771 906970 apache2          www-data   63u     IPv6          115570723        0t0        TCP 10.0.XX.XXX:https->176.4.XXX.XXX:39367 (CLOSE_WAIT)
apache2   906772                         www-data    2w      REG              259,3      13551     263809 /var/log/apache2/error.log
apache2   906772                         www-data    3u     sock                0,8        0t0  115491219 protocol: TCP
apache2   906772                         www-data    5u     sock                0,8        0t0  115491223 protocol: TCP
apache2   906772                         www-data   10w      REG              259,2   26081587     110129 /home/netto/www.nettolohn.de/www_log/error_log
apache2   906772                         www-data   11w      REG              259,3  108695678     263712 /var/log/apache2/access.log
apache2   906772                         www-data   27u     IPv6          115571178        0t0        TCP 10.0.XX.XXX:https->95.91.XXX.XXX:4912 (CLOSE_WAIT)
apache2   906772                         www-data   39u     IPv6          115571313        0t0        TCP 10.0.XX.XXX:https->156.67.XXX.XXX:51031 (CLOSE_WAIT)
apache2   906772                         www-data   47u     IPv6          115570910        0t0        TCP 10.0.XX.XXX:https->91.65.XXX.XXX:58430 (CLOSE_WAIT)
apache2   906772 906813 apache2          www-data    2w      REG              259,3      13551     263809 /var/log/apache2/error.log
apache2   906772 906813 apache2          www-data    3u     sock                0,8        0t0  115491219 protocol: TCP
apache2   906772 906813 apache2          www-data    5u     sock                0,8        0t0  115491223 protocol: TCP
apache2   906772 906813 apache2          www-data   10w      REG              259,2   26081587     110129 /home/netto/www.nettolohn.de/www_log/error_log
apache2   906772 906813 apache2          www-data   11w      REG              259,3  108695678     263712 /var/log/apache2/access.log
apache2   906772 906813 apache2          www-data   27u     IPv6          115571178        0t0        TCP 10.0.XX.XXX:https->95.91.XXX.XXX:4912 (CLOSE_WAIT)
apache2   906772 906813 apache2          www-data   39u     IPv6          115571313        0t0        TCP 10.0.XX.XXX:https->156.67.XXX.XXX:51031 (CLOSE_WAIT)
apache2   906772 906813 apache2          www-data   47u     IPv6          115570910        0t0        TCP 10.0.XX.XXX:https->91.65.XXX.XXX:58430 (CLOSE_WAIT)
apache2   906772 906842 apache2          www-data    2w      REG              259,3      13551     263809 /var/log/apache2/error.log
apache2   906772 906842 apache2          www-data    3u     sock                0,8        0t0  115491219 protocol: TCP
apache2   906772 906842 apache2          www-data    5u     sock                0,8        0t0  115491223 protocol: TCP
apache2   906772 906842 apache2          www-data   10w      REG              259,2   26081587     110129 /home/netto/www.nettolohn.de/www_log/error_log
apache2   906772 906842 apache2          www-data   11w      REG              259,3  108695678     263712 /var/log/apache2/access.log
apache2   906772 906842 apache2          www-data   27u     IPv6          115571178        0t0        TCP 10.0.XX.XXX:https->95.91.XXX.XXX:4912 (CLOSE_WAIT)
apache2   906772 906842 apache2          www-data   39u     IPv6          115571313        0t0        TCP 10.0.XX.XXX:https->156.67.XXX.XXX:51031 (CLOSE_WAIT)
apache2   906772 906842 apache2          www-data   47u     IPv6          115570910        0t0        TCP 10.0.XX.XXX:https->91.65.XXX.XXX:58430 (CLOSE_WAIT)
apache2   906772 906877 apache2          www-data    2w      REG              259,3      13551     263809 /var/log/apache2/error.log
apache2   906772 906877 apache2          www-data    3u     sock                0,8        0t0  115491219 protocol: TCP
apache2   906772 906877 apache2          www-data    5u     sock                0,8        0t0  115491223 protocol: TCP
apache2   906772 906877 apache2          www-data   10w      REG              259,2   26081587     110129 /home/netto/www.nettolohn.de/www_log/error_log
apache2   906772 906877 apache2          www-data   11w      REG              259,3  108695678     263712 /var/log/apache2/access.log
apache2   906772 906877 apache2          www-data   27u     IPv6          115571178        0t0        TCP 10.0.XX.XXX:https->95.91.XXX.XXX:4912 (CLOSE_WAIT)
apache2   906772 906877 apache2          www-data   39u     IPv6          115571313        0t0        TCP 10.0.XX.XXX:https->156.67.XXX.XXX:51031 (CLOSE_WAIT)
apache2   906772 906877 apache2          www-data   47u     IPv6          115570910        0t0        TCP 10.0.XX.XXX:https->91.65.XXX.XXX:58430 (CLOSE_WAIT)
apache2   906772 906889 apache2          www-data    2w      REG              259,3      13551     263809 /var/log/apache2/error.log
apache2   906772 906889 apache2          www-data    3u     sock                0,8        0t0  115491219 protocol: TCP
apache2   906772 906889 apache2          www-data    5u     sock                0,8        0t0  115491223 protocol: TCP
apache2   906772 906889 apache2          www-data   10w      REG              259,2   26081587     110129 /home/netto/www.nettolohn.de/www_log/error_log
apache2   906772 906889 apache2          www-data   11w      REG              259,3  108695678     263712 /var/log/apache2/access.log
apache2   906772 906889 apache2          www-data   27u     IPv6          115571178        0t0        TCP 10.0.XX.XXX:https->95.91.XXX.XXX:4912 (CLOSE_WAIT)
apache2   906772 906889 apache2          www-data   39u     IPv6          115571313        0t0        TCP 10.0.XX.XXX:https->156.67.XXX.XXX:51031 (CLOSE_WAIT)
apache2   906772 906889 apache2          www-data   47u     IPv6          115570910        0t0        TCP 10.0.XX.XXX:https->91.65.XXX.XXX:58430 (CLOSE_WAIT)

Eventually the TCP connections in CLOSE_WAIT will disappear from netstat and lsof but the open file handles will remain with the lingering apache2 processes causing a denial-of-service after the server the reaches the configured max process slots or the log volume fills up because of open file handles.

c0deright commented 7 months ago

It's confirmed to be even an issue with non of your packages installed on the system.

Will close this issue.

oerdnj / deb.sury.org

PHP 7.4 packages on ubuntu jammy might be the issue for apache2 processes not being killed on graceful, leading to DoS #2083

Example

/server-status