How to fix php 7.2 503 Service Unavailable Litespeed Error

Thanks to EA4 (EasyApache 4), WHM/cPanel now allows multiple PHP versions to be installed simultaneously. Here is a peculiar case: getting PHP 7.2 working on a cPanel server that runs LiteSpeed on a grsec kernel.

Assumption: we have a WHM/cPanel server installed on CentOS 6 and configured with ASL (Atomic Secured Linux), available from Atomicorp.com.

When ASL is enabled, the server boots into the ASL kernel, which is built with the grsecurity modules and rules.

To enable PHP 7.2 from WHM, log in to WHM -> EasyApache 4 -> Customize – PHP versions -> Enable 7.2

Once PHP 7.2 is enabled on the server, you also need to enable it in LiteSpeed. To do so, log in to the LiteSpeed web interface by visiting your server URL on port 7080.

Once logged in, go to Configuration -> Server -> External App -> Add

Then add a Script Handler: click Script Handler -> Add. Make sure to set the handler type to “LiteSpeed SAPI” and the handler name to “[Server Level]: lsphp72”.

Save and restart the LiteSpeed web server. Now, when you configure PHP 7.2 for a particular account from WHM -> MultiPHP Manager and open the website in a browser, you will see the error “503 Service Unavailable, Please try again later”.

On debugging, you will find log entries in /usr/local/apache/logs/error_logs such as the following:


connection to [/tmp/lshttpd/APVH_xxxxxxx_Suphp72.sock.825] on request #0, confirmed, 1, associated process: 14544, running: 1, error: Connection reset by peer!
2018-01-26 09:45:21.065 [NOTICE] [xxxxxxx:59282] No request delivery notification has been received from LSAPI process group [14544], possible run away process.
2018-01-26 09:45:21.066 [NOTICE] [xxxxxxxx:59282] Retry with new process group.
2018-01-26 09:45:21.066 [NOTICE] Graceful stop process group lead by pid: 14544
2018-01-26 09:45:21.067 [INFO] [APVH_xxxxxxx_Suphp72:] PID: 23289, add child process pid: 14593, procinfo: 0x4e5e970
2018-01-26 09:45:21.155 [INFO] [xxxxxxxx:59282] connection to [/tmp/lshttpd/APVH_xxxxxx_Suphp72.sock.413] on request #0, confirmed, 1, associated process: 14593, running: 1, error: Connection reset by peer!
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] Max retries has been reached, 503!
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] oops! 503 Service Unavailable
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] Content len: 0, Request line: ‘GET /~xxxxxxxx/ HTTP/1.1’
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] Redirect: #1, URL: /index.php
2018-01-26 09:45:21.155 [INFO] [xxxxxxx:59282] abort request…, code: 4
2018-01-26 09:45:21.155 [INFO] [xxxxx:59282] File not found [/home/xxxxx/public_html/503.shtml]


Tailing /var/log/messages as well, you will see errors similar to:


Jan 26 11:05:19 xxxxxxx kernel: [1331781.378288] PAX: terminating task: /opt/cpanel/ea-php72/root/usr/bin/lsphp(lsphp):25821, uid/euid: 591/591, PC: 0000036c959c2010, SP: 000003d92b1a9c28
Jan 26 11:05:19 xxxxxxx kernel: [1331781.381445] PAX: bytes at PC: 53 41 57 41 56 41 55 55 48 8b df 48 83 ec 50 48 8b 43 10 48
Jan 26 11:05:19 xxxxxxx kernel: [1331781.383039] PAX: bytes at SP-8: 0000036c92aa5460 00000000004c3253 000003d92b1a9cc0 00000000040b3d70 0000000004187f20 0000036c92a01900 0000036c92a01900 0000036c92a01909 000003d92b1a9cc0 0000000000000004 0000000000000000
Jan 26 11:05:19 xxxxxxx kernel: [1331781.386756] grsec: From xxxxxxx: denied resource overstep by requesting 64 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx PAM-hulk[25770]: Brute force detection active: 580 LOGIN DENIED — EXCESSIVE FAILURES — IP TEMP BANNED
Jan 26 11:05:19 xxxxxxx kernel: [1331781.391657] grsec: From xxxxxxx: denied resource overstep by requesting 120 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx kernel: [1331781.396551] grsec: From xxxxxxx: denied resource overstep by requesting 176 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx kernel: [1331781.401450] grsec: From xxxxxxx: denied resource overstep by requesting 232 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx kernel: [1331781.406601] grsec: From xxxxxxx: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589


 

The error most likely occurs because the grsec kernel installed by ASL treats PHP 7.2 as insecure and restricts it: PaX terminates lsphp, as the “PAX: terminating task” lines show, which means PHP is trying to violate the kernel's memory protection features. Unfortunately, PHP 7 needs to operate in this insecure manner.

The solution is to configure the system to allow PHP to run insecurely. This can be achieved by:

  • Stop the LiteSpeed web server using the commands:

cd /usr/local/lsws/bin

./lswsctrl stop

  • Then disable PaX's MPROTECT restriction for the lsphp binary only:

paxctl -m /opt/cpanel/ea-php72/root/usr/bin/lsphp

  • If you receive an error similar to “file /opt/cpanel/ea-php72/root/usr/bin/lsphp does not have a PT_PAX_FLAGS program header, try conversion”, then try the conversion option, which creates that header:

paxctl -c /opt/cpanel/ea-php72/root/usr/bin/lsphp

  • Finally, restart the LiteSpeed web server using the command:

./lswsctrl restart

A website configured with PHP 7.2 on a cPanel server with LiteSpeed and ASL (Atomic Secured Linux) or a grsec kernel should now load successfully.
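To see exactly which binary and uid PaX is killing before exempting anything, and whether grsec's fork stalling is what keeps the 503 alive, the kernel lines can be summarised per binary. This is an added example, not part of the original post; the sample log lines are constructed in the format shown above, and the host name, client address and /usr/local/bin/example-app are made up.

```shell
#!/bin/sh
# Added example: summarise PaX kills and grsec fork stalling per binary.

# Constructed sample in the /var/log/messages format shown on this page.
# Host "web1", address 192.0.2.10 and example-app are made up.
sample_log() {
cat <<'EOF'
Jan 26 11:05:19 web1 kernel: [1331781.378288] PAX: terminating task: /opt/cpanel/ea-php72/root/usr/bin/lsphp(lsphp):25821, uid/euid: 591/591, PC: 0000036c959c2010, SP: 000003d92b1a9c28
Jan 26 11:05:19 web1 PAM-hulk[25770]: Brute force detection active: 580 LOGIN DENIED
Jan 26 11:05:19 web1 kernel: [1331781.406601] grsec: From 192.0.2.10: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:06:02 web1 kernel: [1331824.100001] PAX: terminating task: /opt/cpanel/ea-php72/root/usr/bin/lsphp(lsphp):25990, uid/euid: 591/591, PC: 0000036c959c2010, SP: 000003d92b1a9c28
Jan 26 11:07:40 web1 kernel: [1331922.200002] PAX: terminating task: /usr/local/bin/example-app(example-app):26110, uid/euid: 1002/1002, PC: 0000036c00000010, SP: 000003d900000028
EOF
}

# Reads syslog lines on stdin and prints one line per killed binary:
#   <path> uid=<uid> kills=<n> fork_stall=<yes|no>
pax_summary() {
  awk '
    /PAX: terminating task: / {
      s = $0; sub(/.*PAX: terminating task: /, "", s)
      path = s; sub(/\(.*/, "", path)          # cut at "(comm):pid"
      uid = s; sub(/.*uid\/euid: /, "", uid); sub(/\/.*/, "", uid)
      kills[path]++; uids[path] = uid
    }
    # Only the grsec notice counts; the PAM-hulk line is unrelated.
    /grsec: .*bruteforce prevention initiated/ {
      s = $0; sub(/.*crash report for /, "", s); sub(/\[.*/, "", s)
      stalled[s] = 1
    }
    END {
      for (p in kills) {
        st = (p in stalled) ? "yes" : "no"
        printf("%s uid=%s kills=%d fork_stall=%s\n", p, uids[p], kills[p], st)
      }
    }' | sort
}

# Stand-alone run on the sample; on a server: pax_summary < /var/log/messages
sample_log | pax_summary
```

Run it again over log lines written after the paxctl change and the LiteSpeed restart: if lsphp no longer appears in the output, the exemption took effect.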

 

 

Solution to Centos 6 / Centos 7 VM not booting on Citrix Xenserver

Solution to Centos 6 or Centos 7 vm not booting on Citrix Xenserver after kernel update

With the latest kernel update, CentOS 6 and CentOS 7 VMs on Citrix XenServer fail to boot after a reboot.

After installing the latest updates (including the latest kernel), neither boots. The virtual serial consoles provided by the VM services show nothing.

The only workarounds are:

  1. Manually boot the affected VM into the old kernel

  2. Or install the CentOS Plus kernel

  3. Or simply do not update kernels on CentOS 6 / CentOS 7 VMs

This issue apparently has something to do with the new code for the “Meltdown” vulnerability, and it currently affects the latest kernels on both el6 and el7.

This is being tracked in https://bugs.centos.org/view.php?id=14336

Solution:

If you have already updated the kernel, manually configure GRUB to boot into the old kernel

OR

You can try installing the CentOS Plus kernel as follows:

  1. Edit the following file:

/etc/yum.repos.d/CentOS-Base.repo

  2. Change the following section from:


 

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6


To:


[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
exclude=kernel kernel-devel kernel-PAE-*

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
exclude=kernel kernel-devel kernel-PAE-*


Then, to enable CentOS Plus, change the following section of the same file from:


#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6


To:


#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
includepkgs=kernel*


Once done, you can install the CentOS Plus kernel as follows:

yum install kernel-plus

When the VPS is booted into the new kernel, it will come up on the CentOS 6 plus kernel, with output similar to:

uname -r
2.6.32-696.16.1.el6.centos.plus.x86_64

 

Limited Offer : 20% Off on all GeoTrust SSL Certificates


For a limited time, WebHostUK is offering a 20% discount on new purchases of GeoTrust SSL Certificates, as available on our website https://www.webhost.uk.net/ssl-certificates.html

SSL certificates are now almost mandatory if your website accepts any kind of sensitive information such as passwords, credit cards, etc. Securing your website with an SSL certificate builds trust with your visitors and provides a secure medium for the transaction. At WebHostUK, we offer discounted SSL certificates with free installation and setup. For a very limited period, we are offering an additional 20% discount on new SSL purchases.

GeoTrust RapidSSL® 256 bit certificate
Original Price: £32 /year
Discounted Price: £25.5 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

GeoTrust Quick SSL certificate
Original Price: £75 /year
Discounted Price: £60 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

GeoTrust QuickSSL® Premium Certificate
Original Price: £115 /year
Discounted Price: £92 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

GeoTrust True BusinessID® Certificate
Original Price: £130 /year
Discounted Price: £104 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

GeoTrust True BusinessID® Certificate with EV
Original Price: £339 /year
Discounted Price: £271 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

GeoTrust True BusinessID® Wildcard Certificate
Original Price: £499 /year
Discounted Price: £399 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

Hurry ..! Above offer is a limited offer, valid till 30th of April 2017

 

How to Repair a MySQL Database with phpMyAdmin


Occasionally, database tables become corrupt and you are no longer able to access them. Always back up your information in case it can’t be restored. Fortunately, you can fix the table so you can access the data again.

In this post we will learn how to repair a MySQL database with phpMyAdmin.

1) Log in to phpMyAdmin (log in to the cPanel / Plesk control panel).

2) Choose the affected database. If you only have one database, it should be chosen by default, so you don’t need to do anything.

3) In the right panel, you should see a list of your database tables. Check the boxes by the tables that need repair.

4) At the bottom of the window, just below the list of tables, there is a drop-down menu. Choose “Repair Table”.

5) phpMyAdmin informs you whether or not the repair process is successful.

6) This should fix your table and let you access it again. Now that it is fixed. phpMyAdmin is a fairly simple process.