[squid-users] external_acl_type problem

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 26 11:50:31 UTC 2016


On 26/10/2016 9:56 p.m., reinerotto wrote:
>> You referred to some assumptions that we might have on a linux system but
> the question from my side is:
> What for example?
> Disk Space?
> Libraries?
> Etc..<
> 
> Sorry, I do not really know. I had one similar, very strange effect on my
> embedded LINUX, regarding bash:
> It was necessary for redirect function in bash to work, to have this one:
> ln -s /proc/self/fd /dev/fd
> So just my idea about this special squid function having a similar reason.
> Because as I have seen, squid uses socket connections to communicate with
> the helper. 
> So just a long shot.
> 
> It very looks like squid's accounting of helpers is disturbed: I see much more
> than max helpers active after a few hours.  And lot of helpers stay alive,
> when I kill parent process squid. 

By 'kill' do you mean something like "kill -9" ?

Or do you mean the proper "kill -SIGHUP" or "squid -k shutdown" sequence ?



> This problem only shows up, in case of having 2 (or more) active requests to
> 2 helpers (same key: %SRC).
> Like squid assumes some internal queuing of the 2 requests, but second
> request is not.

There *is* queueing for what it sends to the helper. The queue length
defaults to being equal to the number of running helpers.

Squid writes multiple lookups and waits for the responses. When
concurrency is disabled the helper must reply to them in order. When
concurrency is enabled it can reply in any order, but must deliver the
relevant channel-ID back to Squid with each reply.

If two requests have already been written to the helper, but it crashes
or exits after replying to the first one, the second should be handled
as if the helper replied with a BH (broken helper) response.


NP: if the helper does not read each "line" of input and respond with
exactly 1 line of output for each, then it is the helper which is broken.
Also, any helper which exits or closes after only one line of input is
broken. Squid requires that they stay running.

> So it also could be some type of resource issue: Only one socket conn
> allowed for squid, second one is silently ignored. This would cause exactly
> my effect.

There better not be any socket limits like that. A *single* client web
browser opening a web page can cause around a hundred connections to be
opened. And these helpers require 3 FD/sockets (stdin->FD, stdout->FD,
and stderr->cache.log)


I see that you are using the obsolete RHEL custom built option
"--with-maxfd=4096". That will mean the --with-filedescriptors option
defaults to being 4096 unless the system building the Squid binary had a
smaller value enforced.


> It must be something very special, as I have a lot of other software running
> on this embedded LINUX, incl. nginx, rsync. And without the helper, squid
> ran fine for long time, incl. cache to SSD.


Squid uses fork() + execv() to start helpers. That results in the helper
process using as much virtual memory space as the main Squid was using at
the time the helper started. On an embedded system that could blow either
Squid or the helper out of the allowed memory limits.


> 
> configure options:
> Squid Cache: Version 3.5.22
> Service Name: squid
> configure options:  '--target=mipsel-openwrt-linux'
> '--host=mipsel-openwrt-linux' '--build=x86_64-linux-gnu' '--program-prefix='
> '--program-suffix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
> '--sbindir=/usr/sbin' '--libexecdir=/usr/lib' '--sysconfdir=/etc'
> '--datadir=/usr/share' '--localstatedir=/var' '--mandir=/usr/man'
> '--infodir=/usr/info' '--disable-nls' '--config-cache'
> '--datadir=/usr/share/squid' '--libexecdir=/usr/lib/squid'
> '--sysconfdir=/etc/squid' '--enable-shared' '--disable-static'
> '--disable-icmp' '--enable-delay-pools' '--disable-icap-client'
> '--enable-kill-parent-hack' '--disable-snmp' '--disable-ecap'
> '--disable-wccp' '--disable-wccpv2' '--disable-eui' '--disable-htcp'
> '--disable-ident-lookups' '--enable-auth'
> '--disable-storeid-rewrite-helpers' '--disable-ipv6' '--enable-ssl'

"--enable-ssl" is obsolete. Remove.

> '--enable-ssl-crtd' '--disable-cache-digests' '--enable-linux-netfilter'
> '--disable-unlinkd' '--disable-x-accelerator-vary' '--disable-translation'
> '--disable-auto-locale' '--with-dl' '--with-pthreads' '--without-expat'
> '--without-libxml2' '--without-gnutls' '--without-nettle'
> '--with-openssl=/etc/openwrt/mw-m96/staging_dir/target-mipsel_24kec+dsp_uClibc-0.9.33.2/usr'
> '--enable-epoll' '--with-maxfd=4096' '--enable-external-acl-helpers'
> '--disable-auth-negotiate' '--disable-auth-ntlm' '--disable-auth-digest'
> '--enable-auth-basic' '--disable-arch-native' '--with-krb5-config=no'
> '--without-mit-krb5' '--without-libcap' '--without-netfilter-conntrack'
> 'build_alias=x86_64-linux-gnu' 'host_alias=mipsel-openwrt-linux'
> 'target_alias=mipsel-openwrt-linux' 'CC=mipsel-openwrt-linux-uclibc-gcc'
> 'CFLAGS=-Os -pipe -mno-branch-likely -mips32r2 -mtune=24kec -mdsp
> -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable
> -Wno-error=unused-result -msoft-float '
> 'LDFLAGS=-L/etc/openwrt/mw-m96/staging_dir/target-mipsel_24kec+dsp_uClibc-0.9.33.2/usr/lib
> -L/etc/openwrt/router/staging_dir/target-mipsel_24kec+dsp_uClibc-0.9.33.2/lib
> -L/etc/openwrt/router/staging_dir/toolchain-mipsel_24kec+dsp_gcc-4.8-linaro_uClibc-0.9.33.2/usr/lib
> -L/etc/openwrt/router/staging_dir/toolchain-mipsel_24kec+dsp_gcc-4.8-linaro_uClibc-0.9.33.2/lib
> '
> 'CPPFLAGS=-I/etc/openwrt/router/staging_dir/target-mipsel_24kec+dsp_uClibc-0.9.33.2/usr/include
> -I/etc/openwrt/router/staging_dir/target-mipsel_24kec+dsp_uClibc-0.9.33.2/include
> -I/etc/openwrt/router/staging_dir/toolchain-mipsel_24kec+dsp_gcc-4.8-linaro_uClibc-0.9.33.2/usr/include
> -I/etc/openwrt/router/staging_dir/toolchain-mipsel_24kec+dsp_gcc-4.8-linaro_uClibc-0.9.33.2/include
> ' 'CXX=mipsel-openwrt-linux-uclibc-g++' 'CXXFLAGS=-Os -pipe
> -mno-branch-likely -mips32r2 -mtune=24kec -mdsp -fno-caller-saves
> -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result
> -msoft-float '
> 'PKG_CONFIG=/etc/openwrt/router/staging_dir/host/bin/pkg-config'
> 'PKG_CONFIG_PATH=/etc/openwrt/router/staging_dir/target-mipsel_24kec+dsp_uClibc-0.9.33.2/usr/lib/pkgconfig:/etc/openwrt/router/staging_dir/target-mipsel_24kec+dsp_uClibc-0.9.33.2/usr/share/pkgconfig'
> 'PKG_CONFIG_LIBDIR=/etc/openwrt/router/staging_dir/target-mipsel_24kec+dsp_uClibc-0.9.33.2/usr/lib/pkgconfig:/etc/openwrt/router/staging_dir/target-mipsel_24kec+dsp_uClibc-0.9.33.2/usr/share/pkgconfig'
> 
> 

Amos
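
A helper loop that meets the requirements described in the reply above (one reply line per input line, channel-ID echoed when concurrency is enabled, BH for input it cannot evaluate, running until stdin closes). This is an added example, not part of the original message and not Squid project code; it assumes %SRC is the only format field, and the allowed network and the "-c" switch are hypothetical.

```python
#!/usr/bin/env python3
"""Minimal external_acl_type helper loop (added example, not Squid code)."""
import ipaddress
import sys

# Hypothetical policy for illustration: a constructed documentation network.
ALLOWED_NET = ipaddress.ip_network("192.0.2.0/24")


def decide(src):
    """Return OK or ERR for a %SRC value, BH if it cannot be evaluated."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "BH"
    return "OK" if addr in ALLOWED_NET else "ERR"


def handle_line(line, concurrency=False):
    """Map one request line to exactly one reply line (no newline)."""
    fields = line.split()
    channel = None
    if concurrency:
        # With concurrency enabled the first token is the channel-ID and
        # has to be sent back at the start of the reply.
        if not fields or not fields[0].isdigit():
            return "BH"
        channel, fields = fields[0], fields[1:]
    # Blank or unexpected input still gets a reply instead of ending the loop.
    result = decide(fields[0]) if len(fields) == 1 else "BH"
    return f"{channel} {result}" if channel is not None else result


def serve(inp, out, concurrency=False):
    """Answer every line until Squid closes stdin (EOF); never exit early."""
    count = 0
    for line in inp:
        out.write(handle_line(line, concurrency) + "\n")
        out.flush()  # a buffered reply leaves Squid waiting on that lookup
        count += 1
    return count


if __name__ == "__main__":
    # "-c" is this example's own switch for concurrency-enabled setups.
    serve(sys.stdin, sys.stdout, concurrency="-c" in sys.argv[1:])
```
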


