[squid-users] leaking memory in squid 3.4.8 and 3.4.7.

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 1 08:12:28 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 1/10/2014 8:45 p.m., Victor Sudakov wrote:
> Amos Jeffries wrote:
>>>>> 
>>>>> You have 200 MB of RAM locked up in IDENT lookups.
>>>>> 
>>>>> Probably http://bugs.squid-cache.org/show_bug.cgi?id=3803
>>>> 
>>>> I have temporarily disabled IDENT-related acls. Squid still
>>>> grows in memory, but more slowly. So IDENT was certainly one
>>>> of the major causes of the leak.
>>>> 
>>>> Could we make another iteration of looking at the
>>>> cachemgr.cgi memory counters?
>>>> 
>>> 
>>> Attaching two cachemgr reports: right after squid restart and 
>>> several hours later (grown to 816M in SIZE).
>>> 
>> 
>> These are still showing over 47K IDENT lookups.
>> 
>> Probably you did not disable all the uses of IDENT. You need to
>> both set "ident_access deny all" and remove use of ident type
>> ACLs.
> 
> Bingo! After setting "ident_access deny all" squid does not grow 
> infinitely any more. However, it remains a major CPU hog.
> 

Yay. Any news on the bug patch?


Note that from the same "CPU hog" cycles you are now getting around 2x
the HTTP traffic throughput.

> 
> Start Time:	Mon, 29 Sep 2014 15:24:54 GMT Current Time:	Tue, 30 Sep
> 2014 02:09:51 GMT Connection information for squid: Number of
> clients accessing cache:	161 Number of HTTP requests received:
> 152054 Average HTTP requests per minute since start:	235.8 Select
> loop called: 4664551 times, 8.296 ms avg



> Start Time:	Tue, 30 Sep 2014 15:56:38 GMT Current Time:	Wed, 01 Oct
> 2014 06:00:28 GMT Connection information for squid: Number of
> clients accessing cache:	170 Number of HTTP requests received:
> 375550 Average HTTP requests per minute since start:	445.1 Select
> loop called: 32559927 times, 1.555 ms avg

You have the delay pools feature configured. It is a wasteful consumer
of CPU cycles. Also NTLM authentication is used, that doubles the HTTP
request overheads on each new TCP connection.


There are two things you can do to further improve performance:
 1) converting from NTLM to Kerberos authentication.
 2) moving the delay pools limitation into kernel QoS systems.

Amos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUK7dsAAoJELJo5wb/XPRjJqQIAICPcvQbP+pMvmZk5SnqHUvU
vrHLXcK1+WHhw+29UvYTZUQaTf8f7r3oWSfQS4mm56YrekMiFFJSeb+QMTh3nRdK
ij3dcgdk/cT1ziQJgyh7i2AyzpC8iAofC5I8MTP247qzV14s0ZdmtRpyCbPYeRL5
JqCsMW+X/7dWbVvNhSjb0J57Po2M4Fo0RWFuPIhU/gOP6jLyesbqgm1CaGXSYvyh
kVjwZuaNKjCL1bV18vPPMJXW6Kgl6p4cK+X/v8aw00Eb2EcYsu8ieaLXvAehlsuB
xViLWe1KPuJOawJ6uaGULkoGF+a6hc+3DbJ+iLHRFNdW1OHvKWJGgOs8M5jiIHw=
=Z7vQ
-----END PGP SIGNATURE-----

More information about the squid-users mailing list