How to Switch from Apache Prefork/Worker to MPM-ITK on CentOS 7 When Using httpd.itk Binary



When you try to configure per-user process ownership in Apache through MPM-ITK on CentOS 7, you run into a version compatibility problem: the default httpd 2.4.6 package in the CentOS repositories doesn't support compiling the mpm_itk module directly. Start by checking the installed version:


# Current Apache version check
httpd -v
Server version: Apache/2.4.6 (CentOS)

Red Hat/CentOS provides a separate binary package that solves this:


yum install httpd-itk

This installs /usr/sbin/httpd.itk alongside the regular Apache binary. The key difference from older CentOS versions is that we're no longer dealing with a loadable module but with a complete alternative executable.

First, stop the existing Apache service:


systemctl stop httpd

Modify the systemd service unit to use the ITK binary. Create or edit:


/etc/systemd/system/httpd.service.d/itk.conf

With these contents:


[Service]
ExecStart=
ExecStart=/usr/sbin/httpd.itk -DFOREGROUND

Edit /etc/httpd/conf.modules.d/00-mpm.conf to ensure proper MPM loading:


# Comment out other MPM modules
LoadModule mpm_itk_module modules/mod_mpm_itk.so

Here's a sample vhost configuration showing ITK directives:


<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html
    
    <IfModule mpm_itk_module>
        AssignUserId webuser webgroup
        MaxClientsVHost 50
    </IfModule>
</VirtualHost>

After making these changes:


systemctl daemon-reload
systemctl start httpd
systemctl status httpd

Verify the running process:


ps aux | grep httpd.itk

And confirm the module is loaded:


httpd.itk -M | grep mpm_itk

When working with CentOS 7, you might encounter version compatibility issues with Apache modules. The standard Apache package (httpd-2.4.6) doesn't support compiling MPM-ITK directly, as it requires Apache 2.4.7 or later. CentOS provides an alternative solution through the httpd-itk package, which includes a separate binary (/usr/sbin/httpd.itk).

Older guides suggested modifying /etc/sysconfig/httpd to switch to ITK mode. However, CentOS 7 handles module loading differently through /etc/httpd/conf.modules.d/00-mpm.conf. The complication arises because ITK isn't just a module - it's a complete alternative executable.

Here's how to properly configure your system:


# Install the required package
sudo yum install httpd-itk

# Disable the standard httpd service
sudo systemctl disable httpd
sudo systemctl stop httpd

# Enable and start the ITK version
sudo systemctl enable httpd@itk
sudo systemctl start httpd@itk

You'll need to modify the service configuration:


# Create or edit the ITK service override
sudo mkdir -p /etc/systemd/system/httpd@itk.service.d
sudo nano /etc/systemd/system/httpd@itk.service.d/override.conf

Add these contents to the override file:


[Service]
Environment=OPTIONS=-DFOREGROUND
ExecStart=
ExecStart=/usr/sbin/httpd.itk -DFOREGROUND

After making these changes, verify everything is working:


# Reload systemd configuration
sudo systemctl daemon-reload

# Restart the service so the override takes effect
sudo systemctl restart httpd@itk

# Check the running process
ps aux | grep httpd

You should see httpd.itk processes running instead of the standard httpd.

Here's how to assign different users to different virtual hosts:


<VirtualHost *:80>
    ServerName example1.com
    AssignUserId user1 group1
    # Other directives...
</VirtualHost>

<VirtualHost *:80>
    ServerName example2.com
    AssignUserId user2 group2
    # Other directives...
</VirtualHost>
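
To audit the per-vhost assignments shown above, here is an added example that is not part of the original page. The function name `audit_itk_vhosts` and the sample configuration are constructed for illustration; it reports each `ServerName` with its `AssignUserId` user and group and flags vhost blocks that lack the directive or assign root.

```bash
#!/usr/bin/env bash
# Added example: audit Apache vhost config for MPM-ITK user assignment.
# Prints one line per <VirtualHost>: "<ServerName> <user> <group> <verdict>"
#   OK      - AssignUserId present with a non-root user and group
#   MISSING - no AssignUserId inside this vhost block
#   ROOT    - user or group is root (or the numeric form #0)
audit_itk_vhosts() {
    awk '
        # Directive names are case-insensitive, so match on a lowered copy.
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^#/ { next }
        low ~ /^<virtualhost[ \t>]/ {
            in_vh = 1; name = "(unnamed)"; user = "-"; group = "-"; next
        }
        in_vh && low ~ /^servername[ \t]/ { split(line, f, /[ \t]+/); name = f[2] }
        in_vh && low ~ /^assignuserid[ \t]/ {
            split(line, f, /[ \t]+/); user = f[2]; group = f[3]
            if (group == "") group = "-"
        }
        in_vh && low ~ /^<\/virtualhost>/ {
            verdict = "OK"
            if (user == "-") verdict = "MISSING"
            else if (user == "root" || group == "root" || user == "#0" || group == "#0")
                verdict = "ROOT"
            print name, user, group, verdict
            in_vh = 0
        }
    ' "$@"
}

# Constructed sample input (not from a real server).
sample_vhosts() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName example1.com
    <IfModule mpm_itk_module>
        AssignUserId user1 group1
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName example2.com
</VirtualHost>
<VirtualHost *:80>
    ServerName example3.com
    AssignUserId root root
</VirtualHost>
EOF
}

sample_vhosts | audit_itk_vhosts
```

To check real configuration, pass the files as arguments, for example `audit_itk_vhosts /etc/httpd/conf.d/*.conf`.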

If you encounter permission problems, ensure SELinux is properly configured:


# Check SELinux denials
sudo ausearch -m avc -ts recent

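# If needed, adjust SELinux policies.
# httpd_unified gives httpd read/write/execute access across all httpd
# content types, so enable it only when the denials above call for it.
sudo setsebool -P httpd_unified 1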