[squid-users] New Squid 3.5 reconfigure causes service down

Fri Oct 6 06:11:40 UTC 2017

On 06/10/17 05:44, Nicola Ferrari (#554252) wrote:
> On 05/10/2017 18:25, Alex Rousskov wrote:
>> The "couple of minutes" part might be related to your upgrade and, if
>> so, you may be able to avoid such delays. For list readers not familiar
>> with Debian releases, which _Squid_ version are you upgrading from?
>>
> 
> I was running squid 3.4 on top of Debian 8 (jessie)
> I upgraded to squid 3.5 on top of Debian 9 (stretch)
> 
>> I suggest to start by figuring our what Squid is doing during those
>> "couple of minutes" if you have not already.
> 
> What I notice by checking cache.log is that it stops for a while on
> 
> helperOpenServers: Starting 1/60 'ntlm_auth' processes
> 2017/10/05 11:36:06 kid1| Starting new ntlmauthenticator helpers...
> 
> This was not a usual behaviour on Squid 3.4;

The behaviour of starting helpers has been present since forever - 
though it may not have been logged correctly. The "Starting N/N 
'helper_name' processes" log entry was added with dynamic helper in 
Squid-3.2, so should have been visible in Jesse.

The 1/60 indicates that the number of ntlm_auth helpers running was 1 
less than your startup=N configuration value. The N defaults to the max 
value (60) if not configured explicitly.

> 
> At the moment of the upgrade, I had to adjust various path from
> "/squid3" to "/squid" ..
> 
> I checked authenticators path and other occurrences in conf file,
> everything seems to be ok.

Did Squid start properly and at least seem to work okay after the 
upgrade and before you manually ran the "-k reconfigure" ?

FYI: Stretch brings somewhat deeper SELinux integration in the 
background. The packaged init script updates the SELinux permissions for 
cache_dir. But if you have any custom directories for other things you 
may need to run /sbin/restorecon on them manually after any changes to 
the path or OS permissions - or do it anyway just in case SELinux is 
being confused.

> 
> Just for testing purposes, I would try my config on a new clean install,
> just to be sure this is not related to the upgrade in some way, and let
> you know!
> 

Please also try a full clean restart of Squid:

  Shutdown completely using the init script. If any 'squid' or 
'(squid-N)' process remains after that use kill -9 to halt that process, 
and manually delete the squid.pid / squid3.pid file if any still exists.

  Starting Squid using the Stretch package init script should then 
ensure that the expected paths have the right permissions, and runs the 
'-k parse' checks for you.

Since this is the Samba NTLM helper you should also check that the 
Samba, winbind etc components still have it enabled. Behaviour is 
undefined if the OS components are only partially functioning.

Amos