Skip to content

Add ‘Options FollowSymLinks’ and avoid ‘Options SymLinksIfOwnerMatch’ in Apache to save disk I/O

Following up on the advice to stop using AllowOverride All in Apache configs, Wim Godden kindly reminded me of a similar issue that exists when not using FollowSymLinks or when using SymLinksOfOwnerMatch.

The bad configuration

It's about the following kind of configuration.

<Directory "/var/www/html/mysite.be">
    Options SymLinksIfOwnerMatch -FollowSymLinks
</Directory>

The option FollowSymLinks should always be kept on if possible. Without that, every time you request a file, Apache will check if that file resides in a directory that is somehow symlinked. If it is, it will block your request. But that requires an extra check for every file being accessed.

If someone on the site would request the file "/content/styles/v3/style.css", that would results in the following system calls:

stat("/var/www/html/mysite.be/content/styles/v3/style.css", {st_mode=S_IFREG|0644, st_size=5, ...}) = 0
lstat("/var/www/html/mysite.be/content", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/var/www/html/mysite.be/content/styles", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/var/www/html/mysite.be/content/styles/v3″, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/var/www/html/mysite.be/content/styles/v3/style.css", {st_mode=S_IFREG|0644, st_size=5, ...}) = 0
open("/var/www/html/mysite.be/content/styles/v3/style.css", O_RDONLY|O_CLOEXEC) = 10

That's 4x an lstat() disk I/O to check if any of the directories between "/var/www/html" and "/var/www/html/mysite.be/content/styles/v3″ contain any symlinks.

The good configuration

Below is a better configuration. It does not check the symlinks if the owners match (-SymLinksIfOwnerMatch) and it does not limit the Apache server from following Symlinks (+FollowSymLinks).

<Directory "/var/www/html/mysite.be">
    Options -SymLinksIfOwnerMatch +FollowSymLinks
</Directory>

If I were to request a simple file "/content/styles/v3/style.css", it would result in the following system calls:

stat("/var/www/html/mysite.be/content/styles/v3/style.css", {st_mode=S_IFREG|0644, st_size=5, ...}) = 0
open("/var/www/html/mysite.be/content/styles/v3/style.css", O_RDONLY|O_CLOEXEC) = 10

That's a lot less disk I/O on a busy server.

By Mattias Geniar
Saturday, February 11, 2012
Comment Feed

4 Responses

  1. Philip PaepsMonday, February 13, 2012 @ 19:42Reply

    On modern operating systems, this shouldn’t affect disk i/o much or at all. The kernel will cache the result of the stat() and lstat() calls and return them immediately on subsequent calls. You might gain a slight reduction in context switches but on Linux with VDSO, that shouldn’t be measurable.

    Did you measure any reduction in i/o, or are you just looking at strace output and looking at system calls?

    • MattiTuesday, February 14, 2012 @ 19:16Reply

      For the moment: only looking at strace & system calls, no actual benchmarks on the performance. But even so, avoiding (even cached) system/kernel calls should be encouraged.



Some HTML is OK

*

or, reply to this post via trackback.

Continuing the Discussion

  1. [...] # Defining Chaos In Order Tips, Tricks & Rants of a DevOps Skip to content HomeExperienceGuides – How To’sProjectsAboutContact Information ← RHEL 6/ CentOS 6: Slow SSH logins with DNS timeouts Add ‘Options FollowSymLinks’ and avoid ‘Options SymLinksIfOwnerMatch’ in Apa… [...]

    Avoid ‘AllowOverride All’ in Apache to limit disk I/O access ~ Mattias GeniarSaturday, February 11, 2012 @ 21:10

  2. [...] check every path component for symlinks to ensure the owners match. But today I learned from this blog post that not using FollowSymLinks is just as expensive as using SymLinksIfOwnerMatch, because Apache [...]

    Options FollowSymLinks - Control+RSaturday, February 11, 2012 @ 23:58