I have a dell server running redhat 9.
It came with apache 2 already installed and I've just
started playing with apache 2.2.

When I try to stop apache 2.2, it does stop, but it also
does something to the old instance of apache - It is still
running (as I can see webpages from it) but it no longer
shows up as a process??? I threw together a little cgi-script
and put it where the websever can get it, and it tells me that
it can see itself with a "ps -ef" and now I know its pid, but
I cannot kill it.

from my searching, it appears to have become a "hidden process"
i guess, but I can find nothing that helps me stop the server
without pulling the plug - I did try a shutdown, and it shutdown
everything but the apache2.0 server and hangs (hence the pulled plug).

any info would be helpful, any questions that might shed more
light on this are more than welcome.

-bluerover

sure that when you visit the server in your webbrowser that it isnt just a chce on your browser?

no. it's not cache - cache wouldn't have the "ps -ef" output.

Are you saying that if you run ps -ef from the commandline it doesn't show up, but if you do it from the webserver it does?

That doesn't sound right.

When you see the running processes are they owned by root or by your webserver username (typically nobody, apache or www-data)? If owned by root, that is the initial instance of apache, any children should be owned by the username as defined in the config.


You should be able to kill any active processes using
as the root user. You would want to kill the root owned process, which should then close all the others.

Following is the "ps -ef" from inside the webserver ...

UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Aug04 ? 00:00:41 init
root 2 0 0 Aug04 ? 00:00:00 [migration/0]
root 3 0 0 Aug04 ? 00:00:00 [migration/1]
root 4 1 0 Aug04 ? 00:00:00 [keventd]
root 5 1 0 Aug04 ? 00:00:00 [ksoftirqd_CPU0]
root 6 1 0 Aug04 ? 00:00:00 [ksoftirqd_CPU1]
root 11 1 0 Aug04 ? 00:00:00 [bdflush]
root 7 1 0 Aug04 ? 00:00:06 [kswapd]
root 8 1 0 Aug04 ? 00:00:03 [kscand/DMA]
root 9 1 0 Aug04 ? 00:09:09 [kscand/Normal]
root 10 1 0 Aug04 ? 00:07:14 [kscand/HighMem]
root 12 1 0 Aug04 ? 00:00:03 [kupdated]
root 13 1 0 Aug04 ? 00:00:00 [mdrecoveryd]
root 19 1 0 Aug04 ? 00:00:00 [scsi_eh_0]
root 20 1 0 Aug04 ? 00:00:00 [scsi_eh_1]
root 24 1 0 Aug04 ? 00:00:04 [kjournald]
root 83 1 0 Aug04 ? 00:00:00 [khubd]
root 191 1 0 Aug04 ? 00:00:00 [kjournald]
root 192 1 0 Aug04 ? 00:00:09 [kjournald]
root 193 1 0 Aug04 ? 00:00:12 [kjournald]
root 194 1 0 Aug04 ? 00:00:01 [kjournald]
root 524 1 0 Aug04 ? 00:00:09 syslogd -m 0
root 528 1 0 Aug04 ? 00:00:00 klogd -x
root 762 1 0 Aug04 ? 00:00:02 /usr/sbin/sshd
root 903 1 0 Aug04 ? 00:00:00 /usr/sbin/snmpd -s -l /dev/null -P /var/run/snmpd -a
root 1038 1 0 Aug04 ? 00:00:21 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
root 1042 1 0 Aug04 tty2 00:00:00 /sbin/mingetty tty2
root 1043 1 0 Aug04 tty3 00:00:00 /sbin/mingetty tty3
root 1044 1 0 Aug04 tty4 00:00:00 /sbin/mingetty tty4
root 1045 1 0 Aug04 tty5 00:00:00 /sbin/mingetty tty5
root 1046 1 0 Aug04 tty6 00:00:00 /sbin/mingetty tty6
root 5095 1 0 Aug04 tty1 00:00:00 /sbin/mingetty tty1
root 11721 1 0 Aug05 ? 00:00:10 /usr/sbin/httpd
named 25098 1 0 Aug08 ? 00:00:24 [named]
root 25151 1 0 Aug08 ? 00:00:21 [sendmail]
smmsp 25160 1 0 Aug08 ? 00:00:00 [sendmail]
root 9467 1 0 Aug09 ? 00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root 26664 1 0 Aug10 ? 00:00:03 /usr/local/apache2/servers/sso/bin/httpd -k start
daemon 26665 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 26666 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 26667 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 26668 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 26669 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 27283 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 27284 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 27285 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 27286 26664 0 Aug10 ? 00:00:00 [httpd]
apache 29393 11721 0 Aug13 ? 00:00:00 [httpd]
apache 29395 11721 0 Aug13 ? 00:00:00 [httpd]
daemon 31142 26664 0 Aug14 ? 00:00:00 [httpd]
apache 8134 11721 0 Aug14 ? 00:00:00 [httpd]
apache 10005 11721 0 05:13 ? 00:00:00 [httpd]
apache 10011 11721 0 05:13 ? 00:00:00 [httpd]
apache 10013 11721 0 05:13 ? 00:00:00 [httpd]
apache 10014 11721 0 05:13 ? 00:00:00 [httpd]
apache 10015 11721 0 05:13 ? 00:00:00 [httpd]
apache 10018 11721 0 05:13 ? 00:00:00 [httpd]
apache 11245 11721 0 07:33 ? 00:00:00 [httpd]
apache 11246 11721 0 07:33 ? 00:00:00 [httpd]
apache 11898 11721 0 09:15 ? 00:00:00 [httpd]
apache 11899 11721 0 09:15 ? 00:00:00 [httpd]
apache 11900 11721 0 09:15 ? 00:00:00 [httpd]
apache 11920 11721 0 09:17 ? 00:00:00 [httpd]
apache 11921 11721 0 09:17 ? 00:00:00 [httpd]
apache 11924 11721 0 09:17 ? 00:00:00 [httpd]
apache 11925 11721 0 09:17 ? 00:00:00 [httpd]
apache 11926 11721 0 09:17 ? 00:00:00 [httpd]
apache 11927 11721 0 09:17 ? 00:00:00 [httpd]
root 12623 762 0 10:14 ? 00:00:00 /usr/sbin/sshd
500 12625 12623 0 10:14 ? 00:00:00 [sshd]
500 12626 12625 0 10:14 pts/0 00:00:00 -bash
root 12660 12626 0 10:14 pts/0 00:00:00 [su]
root 12661 12660 0 10:14 pts/0 00:00:00 -bash
apache 13042 10015 0 10:27 ? 00:00:00 /usr/bin/perl /home/web/site/cgi-bin/printenv
apache 13043 13042 0 10:27 ? 00:00:00 ps -ef

____________
Following is the "ps -ef" from bash prompt as root ...

# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Aug04 ? 00:00:41 init
root 2 0 0 Aug04 ? 00:00:00 [migration/0]
root 3 0 0 Aug04 ? 00:00:00 [migration/1]
root 4 1 0 Aug04 ? 00:00:00 [keventd]
root 5 1 0 Aug04 ? 00:00:00 [ksoftirqd_CPU0]
root 6 1 0 Aug04 ? 00:00:00 [ksoftirqd_CPU1]
root 11 1 0 Aug04 ? 00:00:00 [bdflush]
root 7 1 0 Aug04 ? 00:00:06 [kswapd]
root 8 1 0 Aug04 ? 00:00:03 [kscand/DMA]
root 9 1 0 Aug04 ? 00:09:09 [kscand/Normal]
root 10 1 0 Aug04 ? 00:07:14 [kscand/HighMem]
root 12 1 0 Aug04 ? 00:00:03 [kupdated]
root 13 1 0 Aug04 ? 00:00:00 [mdrecoveryd]
root 19 1 0 Aug04 ? 00:00:00 [scsi_eh_0]
root 20 1 0 Aug04 ? 00:00:00 [scsi_eh_1]
root 24 1 0 Aug04 ? 00:00:04 [kjournald]
root 83 1 0 Aug04 ? 00:00:00 [khubd]
root 191 1 0 Aug04 ? 00:00:00 [kjournald]
root 192 1 0 Aug04 ? 00:00:09 [kjournald]
root 193 1 0 Aug04 ? 00:00:12 [kjournald]
root 194 1 0 Aug04 ? 00:00:01 [kjournald]
root 524 1 0 Aug04 ? 00:00:09 syslogd -m 0
root 528 1 0 Aug04 ? 00:00:00 klogd -x
root 762 1 0 Aug04 ? 00:00:02 /usr/sbin/sshd
root 903 1 0 Aug04 ? 00:00:00 /usr/sbin/snmpd -s -l /dev/null -P /var/run/snmpd -a
root 1038 1 0 Aug04 ? 00:00:21 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
root 1042 1 0 Aug04 tty2 00:00:00 /sbin/mingetty tty2
root 1043 1 0 Aug04 tty3 00:00:00 /sbin/mingetty tty3
root 1044 1 0 Aug04 tty4 00:00:00 /sbin/mingetty tty4
root 1045 1 0 Aug04 tty5 00:00:00 /sbin/mingetty tty5
root 1046 1 0 Aug04 tty6 00:00:00 /sbin/mingetty tty6
root 5095 1 0 Aug04 tty1 00:00:00 /sbin/mingetty tty1
named 25098 1 0 Aug08 ? 00:00:24 [named]
root 25151 1 0 Aug08 ? 00:00:21 [sendmail]
smmsp 25160 1 0 Aug08 ? 00:00:00 [sendmail]
root 9467 1 0 Aug09 ? 00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root 26664 1 0 Aug10 ? 00:00:03 /usr/local/apache2/servers/sso/bin/httpd -k start
daemon 26665 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 26666 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 26667 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 26668 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 26669 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 27283 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 27284 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 27285 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 27286 26664 0 Aug10 ? 00:00:00 [httpd]
daemon 31142 26664 0 Aug14 ? 00:00:00 [httpd]
root 12623 762 0 10:14 ? 00:00:00 /usr/sbin/sshd
500 12625 12623 0 10:14 ? 00:00:00 [sshd]
500 12626 12625 0 10:14 pts/0 00:00:00 -bash
root 12660 12626 0 10:14 pts/0 00:00:00 [su]
root 12661 12660 0 10:14 pts/0 00:00:00 -bash
root 13131 12661 0 10:41 pts/0 00:00:00 ps -ef

_______________
See that from inside, the process 11721 is the root of the hidden apache server,
when I issue the kill command that follows, well, you see the results ...

# kill -9 11721
-bash: kill: (11721) - No such process


Definitely not right!
-Bluerover

My First Thoughts (now dismissed)
---
One thing that may show that would be running apache through inetd (xinetd).
If so then you would only see the apache daemon running when it is called from inetd, so it would only exist when serving requests. So when you run ps from inside a request it shows up as it is running the daemon to handle that request.
I don't think that is the case here though as you don't appear to be running inetd (worth checking).

Perhaps another explanation is whether something is restarting the daemon, and it is then crashing, but being restarted again. This could be the case if you started the daemon from inside inittab with the respawn option, or if you had a monitoring application that was restarting it (e.g. something like Tivoli or Patrol etc...).
None of these are normally used by default.
---
After writing the above I then looked at the times in the ps, and although it looks like the client processes have only been started recently the parent process has been running for a few days, so it looks like that rules out the above ideas ...

Can you try using sudo to run the command as user apache, and even try a kill -9 from that to see if that shows up. That should effectively be doing the same as the web page does, but I can't see why it wouldn't show as root.

he?! stop apache?
You just want to stop it?
so why don't you just stop the service as root?
#service httpd stop

or are I am currently total of the road?

i tried to su to apache, but from there it is no better than from root,
i see the same processes and kill -9 has the same results.
"service httpd stop" will stop the new apache, but not the old one
- it just replies [FAILED]
"apachectl stop" replies: no such process.

it's appears to be behaving as if there are two parallel process tables -
one that i can see, and the one that is running - thought of a system
compromise crossed my mind, i've checked into this and can tell nothing.
it does not appear to have been plied by some root-kit, but i could be wrong.

Can you try: /etc/init./apache2 stop
This is how you do it in Debian and not sure what distro you are using.

How about the chkconfig tool?
#chkconfig --list
then check out if you find the real name of that second Apache thing.
If it is like apache2 then..
#chkconfig apache2 off
next boot it should be gone ;-)

Yep what odcheck said. chkconfig --list then for example once you find the name in the list you would type:
chkconfig httpd off
then it would not start at boot time.
The apache service has always been called httpd on my RH servers. So (as ocheck said previously) type:
service httpd stop
That should stop the apache service.

You might also do a:
rpm -qa | grep http
this should find out how many apache modules you have out there. I would be tempted to uninstall all of them, reboot then install the version you want.

killall apache

sudo is an Ubuntu thing. Without sudo, he will need a root account (Ubuntu does not have by default). He will need to login as root with this command.

So for what is the command visudo and the sudoers file?
Your're right thats a standard Ubuntu configuration but its also usable for other types of Distributions.
But never the less.. could we yet give bluerover6 a clue on how to fix his apache thing? @bluerover6 did that work what fakie flip told you?

my objective in killing the hidden apache process is not simply to stop it, but to regain control - at the moment i can't alter the httpd.conf to add new virtual servers or change allow/deny on directories... anything. the apachectl script fails to find the process - it appears that anything from outside the hidden server can't get to it. the old apache does not even show up under the /proc directory. I get the impression that all these tools rely on processes being under that directory to find other processes -- of course when i list the /proc directory from inside the webserver, i can see all the hidden processes.

somehow i need to get the old apache to either reveal itself under /proc in order for any admin operations to affect it from the command line, another possibility would be to somehow get one of the old apache child processes to become root and kill it from the inside, but i don't know how to do that short of hacking in a root-kit.
does anyone know of methods that can be used that would cause the old apache to just stop on its own (and i don't mean direct admin functions as all the suggestions have buzzed around, but something more basic to the old apache itself -
maybe something along the line of renaming a path or the permisions to write in logs

i don't want to simply wipe the old apache out after a reboot (which i can't do cleanly anyhow since shutdown hangs on this).

killall apache (as root) replies "no process killed".
i still want the old apache started in the init scripts - the new apache is what
i'm experimenting with, so it's not ready to be the main stay yet. ergo, i am not
removing its rpm. the new apache is from compiled source (there is no rpm) - which i have loaded on a few other hosts to try and see if i can reproduce the effect on another system, and everything on the other systems work just fine and this problem does not appear.

the main reasons i'm very reluctant to pull the plug are 1) the machine sits at a co-location site 2 hours drive away, and 2) with 4 Tbytes spinning an integrity check after an "unplanned" shutdown takes over an hour.
the original plan was to have the old apache run on the current IP's and the new apache to run on new IP's then change the DNS and wait for the named cached records in the cloud to refresh and then shutdown the old apache - all to maintain zero downtime. (so much for the plan.)