[squid-dev] Squid-4 status update
Amos Jeffries
squid3 at treenet.co.nz
Tue Jun 20 14:43:40 UTC 2017
On 20/04/17 05:40, Amos Jeffries wrote:
> On 20/04/17 04:26, Alex Rousskov wrote:
>> On 03/26/2017 09:20 PM, Amos Jeffries wrote:
>>
>>> Below are the bugs which are currently preventing a "stable" release:
>>
>>> 4505 - Memory hits shadow disk entries and vice versa
>>>
>>
>> Factory is working on this major bug. The fix was stuck in my review
>> queue, but I should be able to start the review within a few days. I
>> hope to see the final patch posted here soon after the PID file fixes
>> (discussed below).
>>
>>> 4631 - security_file_certgen drops request due to a full queue
>>>
>>> * seems to be an expected but undesirable consequence of being helper
>>> API. The effects are major, but the fix is technically a feature
>>> enhancement AFAICT.
>>
>> My understanding of that bug report is completely different: The current
>> working theory is that some kind of unusual input or condition (e.g., a
>> very large certificate or malformed helper request) results in more and
>> more helpers getting independently stuck waiting for more input from
>> Squid that never comes.
>>
>> The bug will remain stuck until somebody volunteers to analyze the
>> latest logs from Dan (at least).
>>
>>
>>> Any other issues that don't have bug reports I should wait for?
>> I recall several issues that might be worth waiting for (your call):
>>
>> 1. PID file management changes
>>
>> We fixed some of the problems in trunk r13867 but the current code still
>> badly mishandles SMP race conditions. We see a stream of related problem
>> reports from SMP installations that cannot reliably start, restart, or
>> send signals. The fix went through several major rewrites and review
>> cycles already, so I hope we are within a week of the final solution.
>>
>> The fix contains some Squid "interface" changes (exit codes, what
>> failures are considered fatal, level-1 messages, etc.) so it may be a
>> good idea to get it in before a lot of folks start upgrading to v4. It
>> is your call though.
>
> Ouch. Okay, thanks.
>
AFAIK the changes here are all in. Is that correct, Alex?

>> 2. New transaction_initiator ACL
>>
>> Based on squid-users and private requests, quite a few admins are likely
>> to need this ACL to better cope with regression-like problems related to
>> other recent improvements. Here is a quote from the being-reviewed patch
>> preamble:
>>
>>> This ACL is essential in several use cases, including:
>>>
>>> * After fetching a missing intermediate certificate, Squid uses the
>>> regular cache (and regular caching rules) to store the response. Squid
>>> deployments that do not want to cache regular traffic need to cache
>>> fetched certificates and only them.
>>>
>>>     acl fetched_certificate transaction_initiator certificate-fetching
>>>     cache allow fetched_certificate
>>>     cache deny all
>>>
>>> * Many traffic policies and tools assume the existence of an HTTP client
>>> behind every transaction. Internal Squid requests violate that
>>> assumption. Identifying internal requests protects external ACLs, log
>>> analyzers, and other mechanisms from the transactions they mishandle.
>>>
>>>     acl skip_logging transaction_initiator internal
>>>     access_log ... !skip_logging
>>
>> I do not know whether v4 port is practical but it would be nice to have
>> this ACL in v4.
>
> If it is not too intrusive to record the state info that it needs then I'm
> okay backporting ACL types, though it is a new feature so v5 is
> indicated by the RoadMap policy when there is any doubt about its impact
> on stability.
>
This one is now just waiting in my backport queue.

Some new ones have appeared:

* Bug 4718 - ssl-bump parser crash
* Bug 4710 - crash with on_unsupported_protocol and eCAP

Amos