Re: [squid-users] cant build squid 3.3.5 with external_acl_helper ldap_group on CentOS 6.4 64bits

From: Ricardo Klein <klein.rfk_at_gmail.com>
Date: Mon, 3 Jun 2013 14:15:01 -0300

Hi Eliezer,

I ended up making some changes to my /etc/init.d/squid to force
pidfile exclusion in /var/run/squid, because when I restart squid it
does not always kill those files (but it ends all processes).

My new packages now have the init.d script with those changes and I
have uploaded them here:
http://webfiles.klein.inf.br/centos/squid-3.3.5-2.el6.src.rpm
http://webfiles.klein.inf.br/centos/squid-3.3.5-2.el6.x86_64.rpm
And my SELinux policies too:
http://webfiles.klein.inf.br/centos/squid_selinuxpolicy.tar.bz2 if you
use any RHEL flavor.

Btw, I have good performance after adding some options on
ext_ldap_group_acl (children-max=50 children-startup=25
children-idle=25), and here is all the interesting part about it:
#### SQUID.CONF parts ####
cache_mem 2048 MB
workers 6
cache_dir rock /var/spool/squid/cache1 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
cache_dir rock /var/spool/squid/cache2 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
cache_dir rock /var/spool/squid/cache3 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
cache_dir rock /var/spool/squid/cache4 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
cache_dir rock /var/spool/squid/cache5 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
cache_dir rock /var/spool/squid/cache6 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100

cache_replacement_policy heap LFUDA

logfile_daemon /usr/lib64/squid/log_file_daemon
access_log daemon:/var/log/squid/access.log squid

auth_param basic credentialsttl 20 minutes
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

external_acl_type ldap_group children-max=50 children-startup=25 children-idle=25 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -S -R -b "DC=MYDOMAIN,DC=local" -D "CN=squid,OU=Internet,OU=Infra-estrutura,DC=MYDOMAIN,DC=local" -w MYPASSWORD -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,OU=Internet,OU=Infra-estrutura,DC=MYDOMAIN,DC=local))" -h <IPADDRESS>

authenticate_ttl 600 seconds
#### /SQUID.CONF parts ####

Anyway, I still have some errors like this one when using more than 2
workers (but squid is still working):

Squid Cache (Version 3.3.5): Terminated abnormally.
CPU Usage: 0.068 seconds = 0.054 user + 0.014 sys
Maximum Resident Size: 76000 KB
Page faults with physical i/o: 0
FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-squid-page-pool.shm): (2) No such file or directory

I am going to test it in production to see how it performs and tell you here, OK?

--
Att...
Ricardo Felipe Klein
klein.rfk_at_gmail.com
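
The ext_ldap_group_acl line in the squid.conf excerpt above passes the bind password with -w, which leaves it readable in the process list and in squid.conf, and reaches the directory with -h and neither -Z nor an ldaps:// URI. The check below is an added example, not part of this message or of Squid; it relies on the helper's -W secretfile, -Z and -H options, and every DN, address, path and secret in it is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the thread): lint ext_ldap_group_acl helper lines.
# All DNs, addresses, paths and secrets below are constructed sample values.

lint_ldap_helper() {
    # stdin:  squid.conf text, one directive per line.
    # stdout: "<line number>: <finding>" for each risky helper argument.
    awk '
    $1 == "external_acl_type" && /ext_ldap_group_acl/ {
        pw = 0; tls = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "-w") pw = 1                            # password in argv
            if ($i == "-Z") tls = 1                           # StartTLS requested
            if ($i == "-H" && $(i + 1) ~ /^ldaps:/) tls = 1   # LDAP over TLS
        }
        if (pw)   print NR ": bind password given with -w (visible in ps and squid.conf); use -W secretfile"
        if (!tls) print NR ": no -Z and no ldaps:// URI; bind and lookups cross the network unencrypted"
    }'
}

secret_file_private() {
    # True when the -W secret file grants nothing to group or other.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

WEAK='external_acl_type ldap_group children-max=50 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -S -R -b "DC=EXAMPLE,DC=local" -D "CN=squid,DC=EXAMPLE,DC=local" -w CONSTRUCTED_SECRET -f "(&(sAMAccountName=%v)(memberof=cn=%a,DC=EXAMPLE,DC=local))" -h 192.0.2.10'
HARDENED='external_acl_type ldap_group children-max=50 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -S -R -b "DC=EXAMPLE,DC=local" -D "CN=squid,DC=EXAMPLE,DC=local" -W /etc/squid/ldap_bind.secret -Z -v 3 -f "(&(sAMAccountName=%v)(memberof=cn=%a,DC=EXAMPLE,DC=local))" -h 192.0.2.10'

printf '%s\n' "$WEAK" | lint_ldap_helper       # two findings
printf '%s\n' "$HARDENED" | lint_ldap_helper   # no findings
```

The secret file named by -W should be owned by the account Squid runs its helpers as and pass `secret_file_private`; the awk check splits on whitespace, so a quoted argument that itself contains " -w " would be misread.
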
On Mon, Jun 3, 2013 at 9:37 AM, Ricardo Klein <klein.rfk_at_gmail.com> wrote:
> Eliezer,
>
> you didn't compile the LDAP_group external acl, see your ./configure line:
> '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group'
>
> My:
> --enable-external-acl-helpers="file_userip,LDAP_group,kerberos_ldap_group,session,unix_group,wbinfo_group"
>
> But I will try to rebuild your package with LDAP_group enabled
> --
> Att...
>
> Ricardo Felipe Klein
> klein.rfk_at_gmail.com
>
>
> On Mon, Jun 3, 2013 at 8:53 AM, Ricardo Klein <klein.rfk_at_gmail.com> wrote:
>> Eliezer,
>>
>> You mean change permissions on /dev/shm? It is already "world writeable"
>> [root_at_theroutertwo ~]# ll /dev/shm
>> total 0
>> drwxrwxrwt.  2 root root   40 Jun  1 12:16 .
>>
>> (maybe I am doing the whole shm thing wrong)
>>
>> Btw I will test your package this morning (it is Monday morning here in
>> Brazil now) and tell you how it goes.
>>
>> --
>> Att...
>>
>> Ricardo Felipe Klein
>> klein.rfk_at_gmail.com
>>
>>
>> On Mon, Jun 3, 2013 at 7:58 AM, Eliezer Croitoru <eliezer_at_ngtech.co.il>
>> wrote:
>>>
>>> Yes it works.
>>> If you need some SHM thing just change the ownership of the directory.
>>> it will solve most of the problems.
>>> If there is some SPEC expert here I will be happy to get some help to do
>>> this change in the SPEC file instead of doing it manually.
>>>
>>> Eliezer
>>>
>>>
>>> On 6/1/2013 11:50 PM, Ricardo Klein wrote:
>>>>
>>>> Eliezer,
>>>>
>>>> nice, you already have the package I need... Does your package work
>>>> with ldap_group external acl?
>>>> I will try it and check if your package works with my conf, this SHM
>>>> error is driving me crazy.
>>>> --
>>>> Att...
>>>>
>>>> Ricardo Felipe Klein
>>>> klein.rfk_at_gmail.com
>>>>
>>>>
>>>> On Sat, Jun 1, 2013 at 5:28 PM, Eliezer Croitoru <eliezer_at_ngtech.co.il>
>>>> wrote:
>>>>>
>>>>> Hey Ricardo,
>>>>>
>>>>> If you can build an RPM and store it it will be helpful for many people.
>>>>> it will also add redundancy to my RPM and an alternative to mine.
>>>>> http://www1.ngtech.co.il/rpm/centos/6/x86_64/
>>>>> if you want the SRPM this is where mine is stored:
>>>>> http://www1.ngtech.co.il/rpm/centos/6/x86_64/SRPM/
>>>>>
>>>>> Eliezer
>>>>>
>>>>>
>>>>> On 6/1/2013 3:01 PM, Ricardo Klein wrote:
>>>>>>
>>>>>>
>>>>>> Amos,
>>>>>>
>>>>>> great thanks, I will fix this mess I did in the ./configure and try
>>>>>> again. If I can build an RPM package for CentOS 6.4 (and it should
>>>>>> work in RHEL 6.4 too) is there any interest in me putting it somewhere
>>>>>> people can download it?
>>>>>> --
>>>>>> Att...
>>>>>>
>>>>>> Ricardo Felipe Klein
>>>>>> klein.rfk_at_gmail.com
>>>>>>
>>>>>>
>>>>>> On Sat, Jun 1, 2013 at 12:39 AM, Amos Jeffries <squid3_at_treenet.co.nz>
>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 1/06/2013 7:40 a.m., Ricardo Klein wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi there,
>>>>>>>>
>>>>>>>> I am trying to build squid on CentOS 6.4 64bits with
>>>>>>>> external_acl_helper "ldap_group", but my ./configure log says:
>>>>>>>> configure: external acl helper ldap_group ... found but cannot be
>>>>>>>> built
>>>>>>>> I have filed a bug in the bugtrack, but, if any of you know what is
>>>>>>>> wrong, please tell me so I can cancel that bugtracker.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The script detecting external-acl-helpers entries has a bug displaying
>>>>>>> the wrong message for the error. It will report "found but cannot be
>>>>>>> built" for both the found and not-found error cases. In your situation
>>>>>>> I believe the helpers as named cannot be found at all due to incorrect
>>>>>>> ./configure options.
>>>>>>>
>>>>>>> Details inline with your options...
>>>>>>>
>>>>>>>
>>>>>>>> Here is my ./configure options:
>>>>>>>> ./configure \
>>>>>>>> --prefix=/usr \
>>>>>>>> --exec-prefix=/usr \
>>>>>>>> --bindir=/usr/bin \
>>>>>>>> --sbindir=/usr/sbin \
>>>>>>>> --sysconfdir=/etc \
>>>>>>>> --datadir=/usr/share \
>>>>>>>> --includedir=/usr/include \
>>>>>>>> --libdir=/usr/lib64 \
>>>>>>>> --libexecdir=/usr/libexec \
>>>>>>>> --sharedstatedir=/var/lib \
>>>>>>>> --mandir=/usr/share/man \
>>>>>>>> --infodir=/usr/share/info \
>>>>>>>> --enable-internal-dns \
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> internal-dns is enabled by default. You can omit this.
>>>>>>>
>>>>>>>
>>>>>>>> --disable-strict-error-checking \
>>>>>>>> --exec_prefix=/usr \
>>>>>>>> --libexecdir=/usr/lib64/squid \
>>>>>>>> --localstatedir=/var \
>>>>>>>> --datadir=/usr/share/squid \
>>>>>>>> --sysconfdir=/etc/squid \
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> You already specified several of the above batch of options (datadir,
>>>>>>> sysconfdir, libexecdir) with different values. This may cause
>>>>>>> unexpected results when installing.
>>>>>>> And "--exec_prefix" does not exist. There is a different
>>>>>>> "--exec-prefix" option earlier which will be used ... so more
>>>>>>> unexpected results when installing.
>>>>>>>
>>>>>>>> --with-logdir=$LOCALSTATEDIR/log/squid \
>>>>>>>> --with-pidfile=$LOCALSTATEDIR/run/squid.pid \
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> --disable-dependency-tracking \
>>>>>>>> --enable-arp-acl \
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> "--enable-arp-acl" does not exist. The replacement --enable-eui is
>>>>>>> already enabled by default, so all you need do is to remove the above
>>>>>>> option.
>>>>>>>
>>>>>>>> --enable-follow-x-forwarded-for \
>>>>>>>> --enable-auth \
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> NP: auth is enabled by default, and when omitted will be auto-enabled
>>>>>>> by the below helpers options anyway. You can omit "--enable-auth"
>>>>>>> entirely.
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,squid_radius_auth
>>>>>>>> --enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth \
>>>>>>>> --enable-digest-auth-helpers=password,ldap,eDirectory \
>>>>>>>> --enable-negotiate-auth-helpers=squid_kerb_auth \
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The auth build options underwent a major change in the squid-3.2
>>>>>>> series. --enable-X-auth-helpers options no longer exist.
>>>>>>> Squid ./configure script is ignoring the above auth helper options and
>>>>>>> using the default versions of the new --enable-auth-X options.
>>>>>>>
>>>>>>> For example your basic auth helpers line should be:
>>>>>>>
>>>>>>>
>>>>>>> --enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,NIS,getpwnam,MSNT-multi-domain,SASL,DB,RADIUS"
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> You are not getting build problems with the auth helpers because the
>>>>>>> entire configure --enable-* option name changed and the broken ones
>>>>>>> above are ignored in favour of the auto-detected helpers.
>>>>>>> The external-acl-helpers option however did not change, so you hit
>>>>>>> error messages trying to build the differently named helpers.
>>>>>>>
>>>>>>> Run "ls -1 helpers/*/" to see all the new helper names. Note that the
>>>>>>> list here is case sensitive.
>>>>>>>
>>>>>>>
>>>>>>>> --enable-cache-digests \
>>>>>>>> --enable-cachemgr-hostname=localhost \
>>>>>>>> --enable-delay-pools \
>>>>>>>> --enable-epoll \
>>>>>>>> --enable-icap-client \
>>>>>>>> --enable-ident-lookups \
>>>>>>>> --enable-linux-netfilter \
>>>>>>>> --enable-referer-log \
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --enable-referer-log no longer exists. It is a built-in squid.conf
>>>>>>> logformat type instead now.
>>>>>>>
>>>>>>>> --enable-removal-policies=heap,lru \
>>>>>>>> --enable-snmp \
>>>>>>>> --enable-ssl \
>>>>>>>> --enable-storeio=aufs,diskd,ufs \
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> NP: with 3.2 and later you probably want to build "rock" cache type
>>>>>>> as well.
>>>>>>>
>>>>>>>> --enable-useragent-log \
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --enable-useragent-log no longer exists. It is a built-in squid.conf
>>>>>>> logformat type instead now.
>>>>>>>
>>>>>>>
>>>>>>>> --enable-wccpv2 \
>>>>>>>> --enable-esi \
>>>>>>>> --with-aio \
>>>>>>>> --with-default-user=squid \
>>>>>>>> --with-filedescriptors=30000 \
>>>>>>>> --with-dl \
>>>>>>>> --with-openssl \
>>>>>>>> --with-pthreads
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Amos
>>>>>
>>>>>
>>>>>
>>>
>>
Received on Mon Jun 03 2013 - 17:15:14 MDT
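
Amos's review in the quoted thread turns on ./configure quietly ignoring --enable-* names that were renamed or dropped in the 3.2 series. The script below is an added example, not code from the thread or from Squid: it lists the arguments that a saved `./configure --help` does not mention, treating --enable/--disable and --with/--without as one option; the help excerpt is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find ./configure arguments that the
# script's own --help output does not list.

fold_pairs() {
    # --help shows only one form of each enable/disable and with/without pair.
    sed -E 's/^--(enable|disable)-/--feature-/; s/^--(with|without)-/--package-/'
}

unknown_configure_opts() {
    # $1 = file holding `./configure --help` output; other args = options to check.
    help_file=$1; shift
    known=$(grep -oE -- '--[a-zA-Z0-9][a-zA-Z0-9_-]*' "$help_file" | fold_pairs | sort -u)
    for opt in "$@"; do
        name=${opt%%=*}                               # drop any =value part
        key=$(printf '%s\n' "$name" | fold_pairs)
        printf '%s\n' "$known" | grep -qxF -- "$key" || printf '%s\n' "$name"
    done
}

sample_help() {
    # Constructed excerpt standing in for real `./configure --help` output.
    cat <<'EOF'
  --prefix=PREFIX         install architecture-independent files in PREFIX
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
  --disable-internal-dns  use the external DNS helper instead
  --enable-auth-basic="list of helpers"
  --enable-external-acl-helpers="list of helpers"
  --disable-eui           disable EUI (MAC address) support
  --with-pthreads         use POSIX threads
EOF
}

help_tmp=$(mktemp)
sample_help > "$help_tmp"
unknown_configure_opts "$help_tmp" --prefix=/usr --enable-internal-dns \
    --enable-arp-acl --enable-basic-auth-helpers=LDAP,NCSA \
    --enable-auth-basic=LDAP,NCSA --enable-referer-log --with-pthreads
rm -f "$help_tmp"
```

Against a real source tree, save `./configure --help` to a file and pass the same arguments the build uses. Scripts generated by Autoconf 2.62 or later also accept --enable-option-checking=fatal, which turns unrecognized --enable/--with options into an error instead of a warning.
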
