[squid-users] Re: squid_kerb_auth high CPU usage

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 24 Jun 2009 20:12:45 +0100

Hi,

  TBH I haven't had yet a chance to do performance testing of my helper.
What you are seeing is the Kerberos replay protection cache. HTTP is the
part of the service principal and 501 is the uid of the process. Depending
on the request/sec it can be quite a bit as each request will be
authenticated. If I find time I will check which part of the helper is
creating the load.

Regards
Markus

"J.J." <jayjayjay_at_gmx.de> wrote in message
news:20090624140826.52200_at_gmx.net...
> hi Everybody!
>
> i have a problem with authentication helper squid_kerb_auth.
> It's consuming too much CPU. 15 min Load average from the squid server is
> about 5, 5 min average peaks upto 13, see top output
>
> top - 13:48:13 up 15:45, 5 users, load average: 8.23, 6.21, 4.85
> Tasks: 175 total, 2 running, 173 sleeping, 0 stopped, 0 zombie
> Cpu(s): 11.0%us, 25.6%sy, 0.0%ni, 45.6%id, 16.3%wa, 0.2%hi, 1.3%si,
> 0.0%st
> Mem: 2073876k total, 2020008k used, 53868k free, 251548k buffers
> Swap: 2031608k total, 640k used, 2030968k free, 1029856k cached
>
> The Cache serves about 350 Users, OS is Fedora 10.
>
> From stracing a helper process i saw its opening/writing/reading from and
> to "/var/tmp/HTTP_501" , which is a 150-200k file, growing and shrinking
> all the time, containing all the Usernames a few times.
>
> Kerberos as itself works as intended. I already changed number of helper
> childs, did not help.
>
> I found no suspicious alerts in the cache log or other system logs, just
> high CPU Usage.
>
> Does anybody know if this behaviour is OK, or how to debug it?
>
> This HTTP_501 file, which contains every Username more than redundant,
> also makes me curious, as HTTP 501 is error code for "not implemented"
>
> Anybody with Kerberos Config here that can help me with this?
>
> Thanks!
>
> Regards
>
> jay
>
>
> ---krb5.conf
>
> [logging]
> default = SYSLOG:VERBOSE:USER
>
> [libdefaults]
> default_realm = XXXX
> dns_lookup_realm = false
> dns_lookup_kdc = false
> default_keytab_name = FILE:/etc/krb5.keytab
> clockskew = 300
>
> ...
>
> [appdefaults]
> pam =
> {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> --
> GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT!
> Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01
>
Received on Wed Jun 24 2009 - 19:13:09 MDT

This archive was generated by hypermail 2.2.0 : Thu Jun 25 2009 - 12:00:04 MDT