[squid-users] Debugging slow access

Steve Hill steve at opendium.com
Mon Jan 5 16:29:42 UTC 2015 

On 10.12.14 17:09, Amos Jeffries wrote:

>> I'm looking for advice on figuring out what is causing intermittent
>> high CPU usage.

It appears that the connections gradually gain more and more notes with 
the key "token" (and values containing Kerberos tokens).  I haven't been 
able to reproduce the problem reliably enough to determine if this is 
the root of the high CPU usage problem, but it certainly doesn't look right:

When an ACL is executed that requires the login name (e.g. the 
proxy_auth ACL, or an external ACL using the %LOGIN format specifier), 
Acl.cc:AuthenticateAcl() is called.  This, in turn, calls
UserRequest.cc:tryToAuthenticateAndSetAuthUser(), which calls 
UserRequest.cc:authTryGetUser().  Here we get a call to 
Notes.cc:appendNewOnly() which appends all the notes from 
checklist->auth_user_request->user()->notes.

I can see the appendNewOnly() call sometimes ends up appending a large 
number of "token" notes (I've observed requests with a couple of hundred 
"token" notes attached to them) - the number of notes increases each 
time a Kerberos authentication is performed.  My suspicion is that this 
growth is unbounded and in some cases the number of notes could become 
large enough to be a significant performance hit.

A couple of questions spring to mind:

1. HelperReply.cc:parse() calls notes.add("token",authToken.content()) 
(i.e. it adds a token rather than replacing an existing one).  As far as 
I can tell, Squid only ever uses the first "token" note, so maybe we 
should be removing the old notes when we add a new one?

[Actually, on closer inspection, NotePairs::add() appends to the end of 
the list but NotePairs::findFirst() finds the note closest to the start 
of the list.  Unless I'm missing something, this means the newer "token" 
notes are added but never used?]

2. I'm not sure on how the ACL checklists and User objects are shared 
between connections/requests and how they are supposed to persist.  It 
seems to me that there is something wrong with the sharing/persistence 
if we're accumulating so many "token" notes.  As well as the performance 
problems, there could be some race conditions lurking here?

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Direct contacts:
    Instant messager: xmpp:steve at opendium.com
    Email:            steve at opendium.com
    Phone:            sip:steve at opendium.com

Sales / enquiries contacts:
    Email:            sales at opendium.com
    Phone:            +44-1792-824568 / sip:sales at opendium.com

Support contacts:
    Email:            support at opendium.com
    Phone:            +44-1792-825748 / sip:support at opendium.com

More information about the squid-users mailing list