Re: Squid, events, and file descriptors from Henrik Nordstrom on 2008-06-23 (squid-dev)

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Mon, 23 Jun 2008 22:08:09 +0200

On mån, 2008-06-23 at 12:18 +0100, Bradley Kite wrote:

> I am concerned that, for which ever reason, squid stops processing
> requests for a particular website, and then fails to detect when
> clients give up, incorrectly putting the FD into the "half-closed"
> state, leading to the situation where the client closes the socket but
> squid still thinks that the socket is open.

half-closed state is a bit tricky.. and nearly always the client has
given up and aborted the connection.

You can set "half_closed_clients off" to make Squid react more promptly
on those. But it will make a couple obsolete and since long patched
user-agents fail... It probably won't address the underlying problem
cause, but probably mask it a bit..

> Dropping the squid server out of service on the load balancer to stop
> actual traffic, and then running "squid -k debug" produces the
> following messages for lots of different FDs (I presume its for all
> FD's that squid thinks are active):

It's all those half-closed ones..

The fd's that is interesting is the outgoing ones, where Squid is trying
to connect to the web servers. Or whatever other fd Squid is waiting on.

  - external ACL lookups
  - DNS lookups
  - etc,,

> I could set "half_closed_clients off", however, even at the start of
> the decline in file descriptors (ie when there are still file
> descriptors available) there are problems browsing certain websites,
> so I think this will just mask a symptom of the problem rather than
> fix it.

Quite likely, but it will also most likely make the problem easier to
see as you get rid of a lot of sideeffect garbage.

> A simple restart of squid fixes the issue, but only for a while. Our
> support guys are having to restart squid on various devices about 5-10
> times a day at the moment in order to try minimise impact to our
> customers.

Anyting in /var/log/messages?

it could be as simple as running out of netfilter conntrack entries,
making it nearly impossible for Squid to make outgoing connections.

Regards
Henrik

application/pgp-signature attachment: This is a digitally signed message part

Received on Mon Jun 23 2008 - 20:08:14 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 24 2008 - 12:00:09 MDT