[squid-users] Debugging slow access

Eliezer Croitoru eliezer at ngtech.co.il
Mon Jan 5 16:35:46 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Steve,

Can you share the "squid -v" output and the OS you are using?

Eliezer

On 01/05/2015 06:29 PM, Steve Hill wrote:
> On 10.12.14 17:09, Amos Jeffries wrote:
> 
>>> I'm looking for advice on figuring out what is causing
>>> intermittent high CPU usage.
> 
> It appears that the connections gradually gain more and more notes
> with the key "token" (and values containing Kerberos tokens).  I
> haven't been able to reproduce the problem reliably enough to
> determine if this is the root of the high CPU usage problem, but it
> certainly doesn't look right:
> 
> When an ACL is executed that requires the login name (e.g. the 
> proxy_auth ACL, or an external ACL using the %LOGIN format
> specifier), Acl.cc:AuthenticateAcl() is called.  This, in turn,
> calls UserRequest.cc:tryToAuthenticateAndSetAuthUser(), which
> calls UserRequest.cc:authTryGetUser().  Here we get a call to 
> Notes.cc:appendNewOnly() which appends all the notes from 
> checklist->auth_user_request->user()->notes.
> 
> I can see the appendNewOnly() call sometimes ends up appending a
> large number of "token" notes (I've observed requests with a couple
> of hundred "token" notes attached to them) - the number of notes
> increases each time a Kerberos authentication is performed.  My
> suspicion is that this growth is unbounded and in some cases the
> number of notes could become large enough to be a significant
> performance hit.
> 
> A couple of questions spring to mind:
> 
> 1. HelperReply.cc:parse() calls
> notes.add("token",authToken.content()) (i.e. it adds a token rather
> than replacing an existing one).  As far as I can tell, Squid only
> ever uses the first "token" note, so maybe we should be removing
> the old notes when we add a new one?
> 
> [Actually, on closer inspection, NotePairs::add() appends to the
> end of the list but NotePairs::findFirst() finds the note closest
> to the start of the list.  Unless I'm missing something, this means
> the newer "token" notes are added but never used?]
> 
> 2. I'm not sure on how the ACL checklists and User objects are
> shared between connections/requests and how they are supposed to
> persist.  It seems to me that there is something wrong with the
> sharing/persistence if we're accumulating so many "token" notes.
> As well as the performance problems, there could be some race
> conditions lurking here?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUqr1iAAoJENxnfXtQ8ZQUkiYH/0CQXQAZNWiGfMj4razjcgRg
VXa8/GzvnkacAqUfGPtIxGqxzfjXg8Q9aP5bOrGI/3jBXUVT2bjzfO62wYkRnb7q
U/bgV5XXIiFjGYpgMDonXYBr1IAHkr18a+aH21b17nVkTKx32P0jPxncPEBliLnD
wAHGQox/DfMKyGkZBgvLDJ+Ol83V1iwCEzuRXTcR7L9jLKbB27RGN/3SUetNcvM1
04bTY0eCtO0tocIlNNci76U1Mb9RyL1RKuDUg+AlbnxP4mhWqd8X/OA8LtiqA7hQ
9CVIvXVwG4SZI5Ut5e96uJvbzjoSxbzjmkORx+s2/jJ7vOCAXgYuRaEDngci9VY=
=d44w
-----END PGP SIGNATURE-----


More information about the squid-users mailing list