Re: [squid-users] cant build squid 3.3.5 with external_acl_helper ldap_group on CentOS 6.4 64bits

From: Ricardo Klein <klein.rfk_at_gmail.com>
Date: Tue, 4 Jun 2013 09:15:24 -0300

Hi Eliezer,

I don't know if 3.3.x and 3.2.x *really need* more helpers to work, I
just saw here http://www.squid-cache.org/Doc/config/external_acl_type/
that now we CAN start more helper processes, and as I have resources I
might start more of them just to have them up if needed at some point
in time. So, "it's not a bug, it's a feature" hehehe...

But, about having more than 1 rock store, I don't know, I may have made
some confusion when reading about SMP and cache_dir options different
than "rock", maybe THAT is what is generating the "FATAL:
Ipc::Mem::Segment::open failed to
shm_open(/squid-squid-page-pool.shm): (2) No such file or directory"
errors... I am not at work yet (had a long night of kernel updates) but
I will test with only one rock store to check how things go...

and, yes, ext_ldap_group_helper is working like a charm, which is
already half of the way for me...

regards.

--
Att...
Ricardo Felipe Klein
klein.rfk_at_gmail.com
On Tue, Jun 4, 2013 at 3:55 AM, Eliezer Croitoru <eliezer_at_ngtech.co.il> wrote:
> hey Ricardo.
>
> GOOD and Thanks!
> I have seen this issue before but didn't have much time to handle it.
> So now the ldap helper works fine??
> If I understand right there is something odd about the helpers code which
> forces the admin to use more helpers than it used to in 2.7 and 3.1.
>
> How about testing it and making sure it's a *bug* and filing a bug together on
> it?
>
> Why do you use a couple of rock store caches if they are all available to all the
> workers?
>
> Eliezer
>
>
> On 6/3/2013 8:15 PM, Ricardo Klein wrote:
>>
>> Hi Eliezer,
>>
>> I ended up making some changes on my /etc/init.d/squid to force
>> pidfiles exclusion on /var/run/squid, because when I restart squid it
>> does not always kill those files (but it ends all processes).
>>
>> My new packages now have the init.d script with those changes and I
>> have uploaded them here:
>> http://webfiles.klein.inf.br/centos/squid-3.3.5-2.el6.src.rpm
>> http://webfiles.klein.inf.br/centos/squid-3.3.5-2.el6.x86_64.rpm
>> And, my selinux policies too:
>> http://webfiles.klein.inf.br/centos/squid_selinuxpolicy.tar.bz2 if you
>> use any RHEL flavor.
>>
>> Btw, I have good performance when I added some options on
>> ext_ldap_group_acl (children-max=50 children-startup=25
>> children-idle=25), and here is all the interesting part about it:
>> #### SQUID.CONF parts ####
>> cache_mem 2048 MB
>> workers 6
>> cache_dir rock /var/spool/squid/cache1 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
>> cache_dir rock /var/spool/squid/cache2 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
>> cache_dir rock /var/spool/squid/cache3 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
>> cache_dir rock /var/spool/squid/cache4 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
>> cache_dir rock /var/spool/squid/cache5 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
>> cache_dir rock /var/spool/squid/cache6 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
>>
>> cache_replacement_policy heap LFUDA
>>
>> logfile_daemon /usr/lib64/squid/log_file_daemon
>> access_log daemon:/var/log/squid/access.log squid
>>
>> auth_param basic credentialsttl 20 minutes
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 15
>> auth_param ntlm keep_alive on
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>>
>> external_acl_type ldap_group children-max=50 children-startup=25 children-idle=25 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -S -R -b "DC=MYDOMAIN,DC=local" -D "CN=squid,OU=Internet,OU=Infra-estrutura,DC=MYDOMAIN,DC=local" -w MYPASSWORD -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,OU=Internet,OU=Infra-estrutura,DC=MYDOMAIN,DC=local))" -h <IPADDRESS>
>>
>> authenticate_ttl 600 seconds
>> #### /SQUID.CONF parts ####
>>
>> Anyway, I still have some errors like this one when using more than 2
>> workers (but squid is still working):
>>
>> Squid Cache (Version 3.3.5): Terminated abnormally.
>> CPU Usage: 0.068 seconds = 0.054 user + 0.014 sys
>> Maximum Resident Size: 76000 KB
>> Page faults with physical i/o: 0
>> FATAL: Ipc::Mem::Segment::open failed to
>> shm_open(/squid-squid-page-pool.shm): (2) No such file or directory
>>
>> I am going to test it in production to see how it performs and tell you
>> here ok?
>> --
>> Att...
>>
>> Ricardo Felipe Klein
>> klein.rfk_at_gmail.com
>>
>>
>> On Mon, Jun 3, 2013 at 9:37 AM, Ricardo Klein <klein.rfk_at_gmail.com> wrote:
>>>
>>> Eliezer,
>>>
>>> you didn't compile the LDAP_group external acl, see your ./configure line:
>>> '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group'
>>>
>>> Mine:
>>>
>>> --enable-external-acl-helpers="file_userip,LDAP_group,kerberos_ldap_group,session,unix_group,wbinfo_group"
>>>
>>> But I will try to rebuild your package with LDAP_group enabled
>>> --
>>> Att...
>>>
>>> Ricardo Felipe Klein
>>> klein.rfk_at_gmail.com
>>>
>>>
>>> On Mon, Jun 3, 2013 at 8:53 AM, Ricardo Klein <klein.rfk_at_gmail.com>
>>> wrote:
>>>>
>>>> Eliezer,
>>>>
>>>> You mean change permissions on /dev/shm? It is already "world writeable"
>>>> [root_at_theroutertwo ~]# ll /dev/shm
>>>> total 0
>>>> drwxrwxrwt.  2 root root   40 Jun  1 12:16 .
>>>>
>>>> (maybe I am doing the whole shm thing wrong)
>>>>
>>>> Btw I will test your package this morning (it is Monday morning here in
>>>> Brazil now) and tell you how it goes.
>>>>
>>>> --
>>>> Att...
>>>>
>>>> Ricardo Felipe Klein
>>>> klein.rfk_at_gmail.com
>>>>
>>>>
>>>> On Mon, Jun 3, 2013 at 7:58 AM, Eliezer Croitoru <eliezer_at_ngtech.co.il>
>>>> wrote:
>>>>>
>>>>>
>>>>> Yes it works.
>>>>> If you need some SHM thing just change the ownership of the directory.
>>>>> It will solve most of the problems.
>>>>> If there is some SPEC expert here I will be happy to get some help to do
>>>>> this change in the SPEC file instead of doing it manually.
>>>>>
>>>>> Eliezer
>>>>>
>>>>>
>>>>> On 6/1/2013 11:50 PM, Ricardo Klein wrote:
>>>>>>
>>>>>>
>>>>>> Eliezer,
>>>>>>
>>>>>> nice, you already have the package I need... Does your package work
>>>>>> with ldap_group external acl?
>>>>>> I will try it and check if your package works with my conf, this SHM
>>>>>> error is driving me crazy.
>>>>>> --
>>>>>> Att...
>>>>>>
>>>>>> Ricardo Felipe Klein
>>>>>> klein.rfk_at_gmail.com
>>>>>>
>>>>>>
>>>>>> On Sat, Jun 1, 2013 at 5:28 PM, Eliezer Croitoru
>>>>>> <eliezer_at_ngtech.co.il>
>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Hey Ricardo,
>>>>>>>
>>>>>>> If you can build an RPM and store it, it will be helpful for many people.
>>>>>>> It will also add redundancy to my RPM and an alternative to mine.
>>>>>>> http://www1.ngtech.co.il/rpm/centos/6/x86_64/
>>>>>>> if you want the SRPM this is where mine is stored:
>>>>>>> http://www1.ngtech.co.il/rpm/centos/6/x86_64/SRPM/
>>>>>>>
>>>>>>> Eliezer
>>>>>>>
>>>>>>>
>>>>>>> On 6/1/2013 3:01 PM, Ricardo Klein wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Amos,
>>>>>>>>
>>>>>>>> great thanks, I will fix this mess I did in the ./configure and try
>>>>>>>> again. If I can build an RPM package for CentOS 6.4 (and it should
>>>>>>>> work in RHEL 6.4 too) is there any interest in me putting this somewhere
>>>>>>>> people can download it?
>>>>>>>> --
>>>>>>>> Att...
>>>>>>>>
>>>>>>>> Ricardo Felipe Klein
>>>>>>>> klein.rfk_at_gmail.com
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sat, Jun 1, 2013 at 12:39 AM, Amos Jeffries
>>>>>>>> <squid3_at_treenet.co.nz>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 1/06/2013 7:40 a.m., Ricardo Klein wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi there,
>>>>>>>>>>
>>>>>>>>>> I am trying to build squid on CentOS 6.4 64bits with
>>>>>>>>>> external_acl_helper "ldap_group", but my ./configure log says:
>>>>>>>>>> configure: external acl helper ldap_group ... found but cannot be built
>>>>>>>>>> I have filed a bug in the bugtrack, but, if any of you know what is
>>>>>>>>>> wrong, please tell me so I can cancel that bugtracker.
>>>>>>>>>
>>>>>>>>> The script detecting external-acl-helpers entries has a bug displaying the
>>>>>>>>> wrong message for the error. It will report "found but cannot be built" for
>>>>>>>>> both the found and not-found error cases. In your situation I believe the
>>>>>>>>> helpers as named cannot be found at all due to incorrect ./configure
>>>>>>>>> options.
>>>>>>>>>
>>>>>>>>> Details inline with your options...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Here is my ./configure options:
>>>>>>>>>> ./configure \
>>>>>>>>>> --prefix=/usr \
>>>>>>>>>> --exec-prefix=/usr \
>>>>>>>>>> --bindir=/usr/bin \
>>>>>>>>>> --sbindir=/usr/sbin \
>>>>>>>>>> --sysconfdir=/etc \
>>>>>>>>>> --datadir=/usr/share \
>>>>>>>>>> --includedir=/usr/include \
>>>>>>>>>> --libdir=/usr/lib64 \
>>>>>>>>>> --libexecdir=/usr/libexec \
>>>>>>>>>> --sharedstatedir=/var/lib \
>>>>>>>>>> --mandir=/usr/share/man \
>>>>>>>>>> --infodir=/usr/share/info \
>>>>>>>>>> --enable-internal-dns \
>>>>>>>>>
>>>>>>>>> internal-dns is enabled by default. You can omit this.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> --disable-strict-error-checking \
>>>>>>>>>> --exec_prefix=/usr \
>>>>>>>>>> --libexecdir=/usr/lib64/squid \
>>>>>>>>>> --localstatedir=/var \
>>>>>>>>>> --datadir=/usr/share/squid \
>>>>>>>>>> --sysconfdir=/etc/squid \
>>>>>>>>>
>>>>>>>>> You already specified several of the above batch of options (datadir,
>>>>>>>>> sysconfdir, libexecdir) with different values. This may cause unexpected
>>>>>>>>> results when installing.
>>>>>>>>> And "--exec_prefix" does not exist. There is a different "--exec-prefix"
>>>>>>>>> option earlier which will be used ... so more unexpected results when
>>>>>>>>> installing.
>>>>>>>>>
>>>>>>>>>> --with-logdir=$LOCALSTATEDIR/log/squid \
>>>>>>>>>> --with-pidfile=$LOCALSTATEDIR/run/squid.pid \
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> --disable-dependency-tracking \
>>>>>>>>>> --enable-arp-acl \
>>>>>>>>>
>>>>>>>>> "--enable-arp-acl" does not exist. The replacement --enable-eui is already
>>>>>>>>> enabled by default, so all you need do is to remove the above option.
>>>>>>>>>
>>>>>>>>>> --enable-follow-x-forwarded-for \
>>>>>>>>>> --enable-auth \
>>>>>>>>>
>>>>>>>>> NP: auth is enabled by default, and when omitted will be auto-enabled by the
>>>>>>>>> below helpers options anyway. You can omit "--enable-auth" entirely.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,squid_radius_auth
>>>>>>>>>> --enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth \
>>>>>>>>>> --enable-digest-auth-helpers=password,ldap,eDirectory \
>>>>>>>>>> --enable-negotiate-auth-helpers=squid_kerb_auth \
>>>>>>>>>
>>>>>>>>> The auth build options underwent a major change in the squid-3.2 series.
>>>>>>>>> --enable-X-auth-helpers options no longer exist.
>>>>>>>>> Squid ./configure script is ignoring the above auth helper options and using
>>>>>>>>> the default versions of the new --enable-auth-X options.
>>>>>>>>>
>>>>>>>>> For example your basic auth helpers line should be:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,NIS,getpwnam,MSNT-multi-domain,SASL,DB,RADIUS"
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group
>>>>>>>>>
>>>>>>>>> You are not getting build problems with the auth helpers because the entire
>>>>>>>>> configure --enable-* option name changed and the broken ones above are
>>>>>>>>> ignored in favour of the auto-detected helpers.
>>>>>>>>> The external-acl-helpers option however did not change, so you hit error
>>>>>>>>> messages trying to build the differently named helpers.
>>>>>>>>>
>>>>>>>>> Run "ls -1 helpers/*/" to see all the new helper names. Note that the list
>>>>>>>>> here is case sensitive.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> --enable-cache-digests \
>>>>>>>>>> --enable-cachemgr-hostname=localhost \
>>>>>>>>>> --enable-delay-pools \
>>>>>>>>>> --enable-epoll \
>>>>>>>>>> --enable-icap-client \
>>>>>>>>>> --enable-ident-lookups \
>>>>>>>>>> --enable-linux-netfilter \
>>>>>>>>>> --enable-referer-log \
>>>>>>>>>
>>>>>>>>> --enable-referer-log no longer exists. It is a built-in squid.conf logformat
>>>>>>>>> type instead now.
>>>>>>>>>
>>>>>>>>>> --enable-removal-policies=heap,lru \
>>>>>>>>>> --enable-snmp \
>>>>>>>>>> --enable-ssl \
>>>>>>>>>> --enable-storeio=aufs,diskd,ufs \
>>>>>>>>>
>>>>>>>>> NP: with 3.2 and later you probably want to build "rock" cache type as well.
>>>>>>>>>
>>>>>>>>>> --enable-useragent-log \
>>>>>>>>>
>>>>>>>>> --enable-useragent-log no longer exists. It is a built-in squid.conf
>>>>>>>>> logformat type instead now.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> --enable-wccpv2 \
>>>>>>>>>> --enable-esi \
>>>>>>>>>> --with-aio \
>>>>>>>>>> --with-default-user=squid \
>>>>>>>>>> --with-filedescriptors=30000 \
>>>>>>>>>> --with-dl \
>>>>>>>>>> --with-openssl \
>>>>>>>>>> --with-pthreads
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Amos
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>
>
Received on Tue Jun 04 2013 - 12:15:33 MDT
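
The two ./configure mistakes reviewed in this thread (options passed twice with different values, and helper names that do not match the case-sensitive listing from `ls -1 helpers/*/`) can be checked before a build. The script below is an added example, not code from the thread or from the Squid project; the function names are hypothetical and the helper directory is a constructed temporary stand-in for the real source tree.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): lint ./configure arguments.

# Print every --option that is given more than once with different values.
conflicting_options() {
    printf '%s\n' "$@" | awk -F= '
        /^--/ { name = $1; val = substr($0, length(name) + 2)
                if ((name in seen) && seen[name] != val) clash[name] = 1
                seen[name] = val }
        END   { for (n in clash) print n }' | sort
}

# Print each name in a comma-separated helper list that has no directory of
# exactly that name (case-sensitive) under helper_dir.
unknown_helpers() {
    local helper_dir="$1" list="$2" name
    local IFS=,
    for name in $list; do
        ls -1 "$helper_dir" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed stand-in for the source tree's external ACL helper directory.
demo_tree() {
    local d
    d=$(mktemp -d) || return 1
    mkdir "$d/LDAP_group" "$d/file_userip" "$d/session" \
          "$d/unix_group" "$d/wbinfo_group"
    printf '%s\n' "$d"
}

tree=$(demo_tree)
echo "helper names with no matching directory:"
unknown_helpers "$tree" "ip_user,ldap_group,session,unix_group,wbinfo_group"
echo "options repeated with different values:"
conflicting_options --libexecdir=/usr/libexec --datadir=/usr/share \
    --sysconfdir=/etc --libexecdir=/usr/lib64/squid \
    --datadir=/usr/share/squid --sysconfdir=/etc/squid
rm -rf "$tree"
```

Against a real source tree, pass the directory that holds the external ACL helpers as the first argument to `unknown_helpers` instead of the constructed one.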
