[squid-users] FATAL: shm_open(/squid-ssl_session_cache.shm)

Mon Aug 28 18:06:28 UTC 2017

Fair enough.  I can understand why Squid would want to do that for
user security purposes.

Sounds like having a single layer/wide cache using the rock cache is
the way to go.  Probably would end up fixing a lot of issues I'm
seeing.
--
Aaron Turner
https://synfin.net/         Twitter: @synfinatic
My father once told me that respect for the truth comes close to being
the basis for all morality.  "Something cannot emerge from nothing,"
he said.  This is profound thinking if you understand how unstable
"the truth" can be.  -- Frank Herbert, Dune

On Mon, Aug 28, 2017 at 10:48 AM, Alex Rousskov
<rousskov at measurement-factory.com> wrote:
> On 08/28/2017 10:27 AM, Aaron Turner wrote:
>
>> So I guess what I'd like to know is how squid handles a multi-layer
>> cache config with ssl bumping?
>
> If you are asking how to SSL bump requests in one Squid worker and then
> satisfy those bumped requests in another Squid worker (and/or another
> Squid instance), then the answer is that you cannot do that because
> Squid does not support exporting decrypted bumped requests (without
> encrypting them) from a Squid worker.
>
>
>> For obvious performance reasons, I
>> don't want to bump the same connection twice.  Much rather have the
>> first layer bump the connection and have a memory cache.  If that
>> cache is a miss, then hit the slower disk cache/outbound network
>> connection.
>
> Your desires require the currently missing Squid code to export bumped
> requests _and_ they clash with the current Squid Project policy of
> prohibiting the export of bumped requests.
>
> If performance is important, consider using SMP-aware rock cache_dirs
> instead of multiple Squid instances (including hacks that emulate
> multiple Squid instances in a single Squid instance by abusing SMP macros).
>
>
> HTH,
>
> Alex.
>
>
>> On Fri, Aug 25, 2017 at 3:13 PM, Alex Rousskov wrote:
>>> On 08/25/2017 11:21 AM, Aaron Turner wrote:
>>>> FATAL: Ipc::Mem::Segment::open failed to
>>>> shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
>>>
>>>> I've verified that /dev/shm is mounted and based on the list of files
>>>> in there, clearly squid is able to create files there, so it's not a
>>>> Linux/shm config issue.
>>>
>>> Yes, moreover, this is not a segment creation failure. This is a failure
>>> to open a segment that should exist but is missing. That segment should
>>> have been created by the master process, but since your config (ab)uses
>>> SMP macros, I am guessing that depending on the configuration details,
>>> the master process may not know that it needs to create that segment.
>>>
>>> For the record, the same error happens in older Squids (including v3.5)
>>> when there are two concurrent Squid instances running. However, I
>>> speculate that you are suffering from a misconfiguration, not broken PID
>>> file management here.
>>>
>>>
>>>> So here's the funny thing... this worked fine until I enabled
>>>> ssl-bumping on the backends (I was debugging some problems and on a
>>>> whim I tried enabling it).  That didn't solve my problem and so I
>>>> disabled ssl bumping on the backends.  And that's when this SHM error
>>>> started happening with my frontend.   Re-enabling ssl-bump on the
>>>> backends fixes the SHM error, but I don't think that would be a
>>>> correct config?
>>>
>>> This is one of the reasons folks should not abuse SMP Squid for
>>> implementing CARP clusters IMHO -- the config on that wiki page is
>>> conceptually wrong, even though it may work in some cases.
>>>
>>> SMP macros are useful for simple, localized hacks like splitting
>>> cache.log into worker-specific files or adding worker ID to access.log
>>> entries. However, the more process-specific changes you introduce, the
>>> higher are the changes that Squid will get confused.
>>>
>>> The overall principle is that all Squid processes should see the same
>>> configuration. YMMV, but the number of places where SMP Squid relies on
>>> that principle keeps growing...
>>>
>>> Alex.
>