[squid-users] leaking memory in squid 3.4.8 and 3.4.7.

Victor Sudakov sudakov at sibptus.tomsk.ru
Fri Oct 3 09:00:24 UTC 2014


Amos Jeffries wrote:

[dd]

> > Bingo! After setting "ident_access deny all" squid does not grow 
> > infinitely any more. However, it remains a major CPU hog.
> > 
> 
> Yay. Any news on the bug patch?

Will try during the weekend. I can live without IDENT lookups for a
while, they are not very important, just convenient.

> 
> Note that from the same "CPU hog" cycles you are now getting around 2x
> the HTTP traffic throughput.

I have found out that the major CPU hog is the NTLM authenticator.
After I disabled the NTLM helper, there is no high CPU utilization.
Which brings the next question, please see below :)

> 
> You have the delay pools feature configured. It is a wasteful consumer
> of CPU cycles. 
>  2) moving the delay pools limitation into kernel QoS systems.

1. I am planning to use the delay pool to restrict bandwidth differently
to different users. The kernel QoS system (ipfw pipes in my case)
cannot do that for non-local users.

2. Delay pools worked fine in squid27, never a problem. I don't see a
reason why they should become a problem in squid3.

> Also NTLM authentication is used, that doubles the HTTP
> request overheads on each new TCP connection.
>  1) converting from NTLM to Kerberos authentication.

I have tried to set up Kerberos (negotiate) authentication, but all I
see is Internet Explorer asking users for their login/password.

I am pretty sure that I have set up the server part correctly. At least
when I do the following:

kinit -t /usr/local/etc/squid/squid.keytab HTTP/proxy.sibptus.transneft.ru

I obtain the TGT issued to HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU

My squid.keytab contains:

Vno  Type              Principal
  0  arcfour-hmac-md5 HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU


To me, this means the Kerberos server part is correct. I don't know for
the present how to debug it further. Any Kerberos gurus?

Below is a bit of debug from negotiate_kerberos_auth

negotiate_kerberos_auth.cc(212): pid=96295 :2014/10/03 15:45:53 kid1|   Took 0.41 seconds (80933.38 objects/sec).
2014/10/03 15:45:53| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
2014/10/03 15:45:53 kid1| Beginning Validation Procedure
2014/10/03 15:45:53 kid1|   Completed Validation Procedure
2014/10/03 15:45:53 kid1|   Validated 33380 Entries
2014/10/03 15:45:53 kid1|   store_swap_size = 878994.00 KB
negotiate_kerberos_auth.cc(258): pid=96289 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96289 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96289 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
negotiate_kerberos_auth.cc(258): pid=96290 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96290 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96290 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
negotiate_kerberos_auth.cc(258): pid=96292 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96292 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96292 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
negotiate_kerberos_auth.cc(258): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
negotiate_kerberos_auth.cc(258): pid=96293 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96293 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96293 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
negotiate_kerberos_auth.cc(258): pid=96294 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96294 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96294 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
negotiate_kerberos_auth.cc(258): pid=96295 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96295 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96295 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
negotiate_kerberos_auth.cc(258): pid=96291 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96291 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96291 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
negotiate_kerberos_auth.cc(258): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
negotiate_kerberos_auth.cc(258): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
negotiate_kerberos_auth.cc(258): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
negotiate_kerberos_auth.cc(258): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
negotiate_kerberos_auth.cc(258): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(311): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(321): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/10/03 15:45:53 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
negotiate_kerberos_auth.cc(258): pid=96287 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
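
Added example (not part of the original post and not Squid project code): the helper's "received type 1 NTLM token" warning means the base64 blob after YR begins with the NTLMSSP signature, i.e. the client answered the Negotiate challenge with an NTLM type 1 message rather than a Kerberos ticket. This Python sketch classifies each token in such a debug log and, for NTLM type 1, reads the client OS version field defined in MS-NLMP; the function names and the third sample line are constructed for illustration.

```python
import base64
import re
import struct
from collections import Counter

# Constructed stub of a GSS-API token header: 0x60, length, SPNEGO OID 1.3.6.1.5.5.2.
GSS_STUB = base64.b64encode(bytes.fromhex("600806062b0601050502")).decode()
# Lines 1-2 are copied from the log in the post; line 3 is constructed.
SAMPLE_LOG = "\n".join([
    "negotiate_kerberos_auth.cc(258): pid=96289 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).",
    "negotiate_kerberos_auth.cc(258): pid=96295 :2014/10/03 15:45:53| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).",
    f"negotiate_kerberos_auth.cc(258): pid=1 :2014/10/03 15:45:54| negotiate_kerberos_auth: DEBUG: Got 'YR {GSS_STUB}' from squid (length: {len(GSS_STUB) + 3}).",
])

TOKEN_RE = re.compile(r"pid=\d+ .*DEBUG: Got '(?:YR|KK) ([A-Za-z0-9+/=]+)' from squid")
NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # MS-NLMP flag: VERSION field is present

def classify_token(b64):
    """Describe one Negotiate token: NTLM (with type/flags), GSS-API, or unknown."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"kind": "invalid"}
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 16:
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info = {"kind": "ntlm", "type": msg_type, "flags": flags}
        # Type 1 layout: sig(8) type(4) flags(4) domain(8) workstation(8) version(8)
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            info["client_os"] = struct.unpack_from("<BBH", raw, 32)  # major, minor, build
        return info
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial context token
        return {"kind": "gssapi"}
    return {"kind": "unknown"}

def summarize(log_text):
    """Count tokens per (kind, client OS version) across helper DEBUG lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TOKEN_RE.search(line)
        if m:
            info = classify_token(m.group(1))
            counts[(info["kind"], info.get("client_os"))] += 1
    return counts

if __name__ == "__main__":
    for (kind, os_ver), n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"{n:3d}  {kind:7s}  client_os={os_ver}")
```

A log in which every token classifies as ntlm, as in the post, shows that no client presented a Kerberos ticket to the helper at all.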

