Re: [squid-users] squid 3.1.1 bug

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 08 Apr 2010 00:06:36 +1200

fedorischev wrote:
> Hello all.
>
> Squid 3.1.1 is utilizing CPU (near 100%) when a client is using CONNECT &
> hitting a delay pool.
>
> How to reproduce:
>
> 1. Install Squid 3.1.1.
> 2. Add a delay pool to a specific host.
> 3. Use CONNECT to download any file from this host.
> 4. See CPU utilization on the proxy while the download is in progress.
>
> Below is my config:
>
> [config_start]
> cache_effective_user nobody
> access_log /var/log/squid/access.log
> cache_store_log /var/log/squid/store.log
> cache_log /var/log/squid/cache.log
> debug_options ALL,2
>
> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localhost src ::1/128
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl to_localhost dst ::1/128
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> #tested machine
> acl im src 172.16.7.101
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> http_access allow im
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/cache/squid 100 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> #delay pool for "im" acl
> delay_pools 1
> delay_class 1 1
> delay_access 1 allow im
> delay_access 1 deny all
> delay_parameters 1 64000/64000
> [config_end]
>
> top reports:
>
>
> 87.7 4.5 0:24.82 squid
>
>
> 87.7% is the cpu utilization here
>
> cache.log:
> 2010/04/07 14:52:33.009| The request CONNECT www.squid-cache.org:80 is
> ALLOWED, because it matched 'im'
> 2010/04/07 14:52:33.009| client_side_request.cc(547) clientAccessCheck2: No
> adapted_http_access configuration.
> 2010/04/07 14:52:33.009| The request CONNECT www.squid-cache.org:80 is
> ALLOWED, because it matched 'im'
> 2010/04/07 14:53:06.302| commHandleWrite: FD 16: write failure: (104)
> Connection reset by peer.
> 2010/04/07 14:53:06.302| TunnelStateData::Connection::error: FD 16: read/write
> failure: (104) Connection reset by peer
> 2010/04/07 14:53:06.303| ConnStateData::swanSong: FD 16
>
> Some additional info about system:
>
> [root_at_test-ha SPECS]# arch
> x86_64
> [root_at_test-ha SPECS]# cat /etc/redhat-release
> CentOS release 5.4 (Final)
> [root_at_test-ha SPECS]# squid -v
> Squid Cache: Version 3.1.1
> configure options: '--build=x86_64-redhat-linux-gnu'
> '--host=x86_64-redhat-linux-gnu'
> '--target=x86_64-redhat-linux-gnu'
> '--program-prefix='
> '--prefix=/usr'
> '--exec-prefix=/usr'
> '--bindir=/usr/bin'
> '--sbindir=/usr/sbin'
> '--sysconfdir=/etc'
> '--includedir=/usr/include'
> '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec'
> '--sharedstatedir=/usr/com'
> '--mandir=/usr/share/man'
> '--infodir=/usr/share/info'
> '--exec_prefix=/usr'
> '--bindir=/usr/sbin'
> '--libexecdir=/usr/lib64/squid'
> '--localstatedir=/var'
> '--datadir=/usr/share'
> '--sysconfdir=/etc/squid'
> '--disable-dependency-tracking'
> '--enable-arp-acl'
> '--enable-auth=basic,digest,ntlm,negotiate'
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
> '--enable-negotiate-auth-helpers=squid_kerb_auth'
> '--enable-cache-digests'
> '--enable-cachemgr-hostname=localhost'
> '--enable-delay-pools'
> '--enable-digest-auth-helpers=password'
> '--enable-epoll'
> '--enable-esi'
> '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
> '--enable-icap-client' '--enable-ident-lookups'
> '--enable-linux-netfilter'
> '--enable-ntlm-auth-helpers=smb_lm,fakeauth'
> '--enable-referer-log'
> '--enable-removal-policies=heap,lru'
> '--enable-snmp'
> '--enable-ssl'
> '--enable-storeio=aufs,diskd,ufs'
> '--enable-useragent-log'
> '--enable-wccpv2'
> '--with-aio'
> '--with-default-user=squid'
> '--with-filedescriptors=16384'
> '--with-dl'
> '--with-openssl=/usr/kerberos'
> '--with-pthreads'
> 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu'
> 'target_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
> 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
> 'FFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
> --with-squid=/usr/src/redhat/BUILD/squid-3.1.1
> --enable-ltdl-convenience
>
>
> Please verify this bug and confirm it. After this I will open it on
> bugs.squid-cache.org. Maybe it's already a known issue? I will provide any
> additional info, if needed.
>
> Thanks.

You will need an strace of what Squid is actually doing that takes up so
much CPU time.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
Received on Wed Apr 07 2010 - 12:06:48 MDT
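
An added example, not part of the original thread: one way to summarise the strace requested above, so that a spinning event loop stands out. It assumes the trace was captured with `strace -tt -T -p <squid pid>`; the sample lines are constructed, the thresholds in `looks_like_busy_loop` are arbitrary, and zero-timeout polls that return nothing are a generic sign of a spin, not a finding about this report.

```python
import re
from collections import Counter

# Constructed sample of `strace -tt -T -p <squid pid>` output (not from the thread).
SAMPLE = """\
14:52:40.000101 epoll_wait(6, {}, 16384, 0) = 0 <0.000004>
14:52:40.000120 epoll_wait(6, {}, 16384, 0) = 0 <0.000003>
14:52:40.000139 epoll_wait(6, {}, 16384, 0) = 0 <0.000003>
14:52:40.000158 epoll_wait(6, {{EPOLLIN, {u32=16, u64=16}}}, 16384, 0) = 1 <0.000004>
14:52:40.000180 read(16, "\\27\\3\\1"..., 4096) = 1024 <0.000006>
14:52:40.000201 write(18, "\\27\\3\\1"..., 1024) = 1024 <0.000009>
14:52:40.000230 epoll_wait(6, {}, 16384, 0) = 0 <0.000003>
14:52:40.000249 epoll_wait(6, {}, 16384, 0) = 0 <0.000003>
"""

LINE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?"      # optional pid prefix (strace -f / -o)
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"     # wall-clock timestamp from -tt
    r"(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+)"
)

def summarize(text):
    """Count syscalls and zero-timeout polls that returned no events."""
    calls, idle_polls, first, last = Counter(), 0, None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # signals, unfinished/resumed lines, exit markers
        h, mi, s = m["ts"].split(":")
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        first = t if first is None else first
        last = t
        calls[m["call"]] += 1
        if m["call"] in ("epoll_wait", "poll"):
            timeout = m["args"].rsplit(",", 1)[-1].strip()  # last arg is timeout
            if timeout == "0" and m["ret"] == "0":
                idle_polls += 1
    total = sum(calls.values())
    span = (last - first) if total > 1 else 0.0
    return {"total": total, "calls": dict(calls), "idle_polls": idle_polls,
            "idle_ratio": idle_polls / total if total else 0.0,
            "rate_per_s": total / span if span > 0 else 0.0}

def looks_like_busy_loop(summary, min_ratio=0.5, min_rate=1000.0):
    # Thresholds are illustrative assumptions; tune them against a healthy baseline.
    return summary["idle_ratio"] >= min_ratio and summary["rate_per_s"] >= min_rate

if __name__ == "__main__":
    print(summarize(SAMPLE), looks_like_busy_loop(summarize(SAMPLE)))
```

Comparing the summary of a trace taken during a delayed CONNECT transfer with one taken during an undelayed transfer gives the baseline the thresholds need.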
