[squid-users] Debugging slow access
Eliezer Croitoru
eliezer at ngtech.co.il
Mon Jan 5 16:35:46 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey Steve,
Can you share the "squid -v" output and the OS you are using?
Eliezer
On 01/05/2015 06:29 PM, Steve Hill wrote:
> On 10.12.14 17:09, Amos Jeffries wrote:
>
>>> I'm looking for advice on figuring out what is causing
>>> intermittent high CPU usage.
>
> It appears that the connections gradually gain more and more notes
> with the key "token" (and values containing Kerberos tokens). I
> haven't been able to reproduce the problem reliably enough to
> determine if this is the root of the high CPU usage problem, but it
> certainly doesn't look right:
>
> When an ACL is executed that requires the login name (e.g. the
> proxy_auth ACL, or an external ACL using the %LOGIN format
> specifier), Acl.cc:AuthenticateAcl() is called. This, in turn,
> calls UserRequest.cc:tryToAuthenticateAndSetAuthUser(), which
> calls UserRequest.cc:authTryGetUser(). Here we get a call to
> Notes.cc:appendNewOnly() which appends all the notes from
> checklist->auth_user_request->user()->notes.
>
> I can see the appendNewOnly() call sometimes ends up appending a
> large number of "token" notes (I've observed requests with a couple
> of hundred "token" notes attached to them) - the number of notes
> increases each time a Kerberos authentication is performed. My
> suspicion is that this growth is unbounded and in some cases the
> number of notes could become large enough to be a significant
> performance hit.
>
> A couple of questions spring to mind:
>
> 1. HelperReply.cc:parse() calls
> notes.add("token",authToken.content()) (i.e. it adds a token rather
> than replacing an existing one). As far as I can tell, Squid only
> ever uses the first "token" note, so maybe we should be removing
> the old notes when we add a new one?
>
> [Actually, on closer inspection, NotePairs::add() appends to the
> end of the list but NotePairs::findFirst() finds the note closest
> to the start of the list. Unless I'm missing something, this means
> the newer "token" notes are added but never used?]
>
> 2. I'm not sure on how the ACL checklists and User objects are
> shared between connections/requests and how they are supposed to
> persist. It seems to me that there is something wrong with the
> sharing/persistence if we're accumulating so many "token" notes.
> As well as the performance problems, there could be some race
> conditions lurking here?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUqr1iAAoJENxnfXtQ8ZQUkiYH/0CQXQAZNWiGfMj4razjcgRg
VXa8/GzvnkacAqUfGPtIxGqxzfjXg8Q9aP5bOrGI/3jBXUVT2bjzfO62wYkRnb7q
U/bgV5XXIiFjGYpgMDonXYBr1IAHkr18a+aH21b17nVkTKx32P0jPxncPEBliLnD
wAHGQox/DfMKyGkZBgvLDJ+Ol83V1iwCEzuRXTcR7L9jLKbB27RGN/3SUetNcvM1
04bTY0eCtO0tocIlNNci76U1Mb9RyL1RKuDUg+AlbnxP4mhWqd8X/OA8LtiqA7hQ
9CVIvXVwG4SZI5Ut5e96uJvbzjoSxbzjmkORx+s2/jJ7vOCAXgYuRaEDngci9VY=
=d44w
-----END PGP SIGNATURE-----
More information about the squid-users
mailing list