Re: [squid-users] 100% CPU Load problem with squid 3.3.8

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Thu, 12 Sep 2013 00:00:44 +0300

For a tproxy socket to be handled and created there must be root
privileges or any corresponding policy issues like SELinux.
You can look at the /proc/process/fd/* and see what user is binding the
sockets to make sure that there might be a mix up about it in the Linux
kernel or any other level than just squid.

For now we know that the root and source of the problem is specific and
this issue can be handled by squid process and therefore the limit can
be unlimited by allowing only for squid process alone not causing the
entire system to run at enormous limit which should never be allowed by
default to a simple setup.

Eliezer

On 09/11/2013 07:19 AM, Mohsen Dehghani wrote:
> Thanks everybody
>
> [The problem resolved]
> After adding following lines to /etc/security/limits.conf
> root soft nofile 60000
> root hard nofile 60000
>
> but I am eager to know the rationale behind it, cuz squid runs as user
> "proxy" not "root"
>
>
> -----Original Message-----
> From: Eliezer Croitoru [mailto:eliezer_at_ngtech.co.il]
> Sent: Tuesday, September 10, 2013 9:10 PM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] 100% CPU Load problem with squid 3.3.8
>
> It seems like an endless loop that causes this effect..
> I don't think it's related in any way to squid directly but more to the
> setup..
>
> If we can make a real order and debug the problem I will be happy to try to
> assist you.
>
> please share your iptables, route, ulimit -sA, ulimit -hA and any other
> information you do think is right for the cause and the solution.
>
> if you can share the uname -a output and "cat /proc/cpuinfo|grep model"
> also "free -m", "vmstat", the next script:
> PID=`ps aux |grep squid-1|grep -v grep|awk '{print $2}'`;ls /proc/$PID/fd/ |wc
>
> which should show how many FD are being used by the first squid process.
> Let's try our best and see what is the result..
>
> We might find the reason on the first or second try.
>
> Eliezer
> On 09/10/2013 11:34 AM, Mohsen Dehghani wrote:
>> I have compiled and installed squid 3.3.8.
>> I have about 160Mbps bandwidth and about 18000 http request per minute.
>> The problem is that as soon as I redirect traffic to squid, its cpu
>> usage reaches 100% and it hangs and even "squidclient" will not work.
>>
>> What is weird is that when I remove traffic from squid, CPU usage does
>> not go down immediately, but with a delay of about 2 or 3 minutes!
>> While in version 3.1.19(which previously I was using), as soon as I
>> remove traffic from squid, its cpu usage goes down. By the way in
>> 3.1.19, CPU usage never exceeded 30%.
>>
>> When I debug, I see some lines saying: WARNING! Your cache is running
>> out of filedescriptors
>>
>> I don't know this is the cause or not. But I've already compiled squid
>> with
>> 65536 filedescriptors
>>
>> I have disabled disk swap for testing, but the problem yet exists.
>>
>> Any help is appreciated
>>
>> I have attached my compile options and config
>>
>> _______________________________________
>>
>> #squid -v
>> Squid Cache: Version 3.3.8
>> configure options: '--prefix=/usr/local/squid' '--build=x86_64-linux-gnu'
>> '--enable-storeio=ufs,aufs,diskd' '--enable-follow-x-forwarded-for'
>> '--with-filedescriptors=65536' '--with-large-files'
>> '--with-default-user=proxy' '--enable-linux-netfilter'
>> 'build_alias=x86_64-linux-gnu' --enable-ltdl-convenience
>>
>>
>> ###config:####
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> shutdown_lifetime 3 second
>> wccp2_router 172.22.122.254
>> wccp_version 2
>> wccp2_rebuild_wait on
>> wccp2_forwarding_method 2
>> wccp2_return_method 2
>> wccp2_assignment_method 2
>> # wccp2_service standard 0
>> wccp2_service dynamic 80
>> wccp2_service dynamic 90
>> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
>> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>>
>> http_port 3129 tproxy
>> qos_flows local-hit=0x18
>> cache_mem 2000 MB
>> maximum_object_size_in_memory 10 MB
>>
>> access_log none
>>
>> snmp_port 3401
>> acl snmppublic snmp_community golabi
>> snmp_access allow snmppublic trusted
>> http_access deny !Safe_ports
>>
>> http_access deny CONNECT !SSL_ports
>>
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localnet
>> http_access allow localhost
>>
>> http_access deny all
>>
>> http_port 3128
>>
>> coredump_dir /usr/local/squid/var/cache/squid
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>>
>
>
>
Received on Wed Sep 11 2013 - 21:01:00 MDT
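
Added example, not part of the original thread and not code from the posters or the Squid project: a per-process version of the fd-count check quoted above. A process keeps the nofile limit that was in effect in whatever started it, even after it switches to another user, so reading /proc/<pid>/limits of the running worker shows whether a limits.conf change actually reached it. Function names are hypothetical; pass the squid PIDs as arguments (reading another user's /proc/<pid>/fd needs root).

```shell
#!/bin/sh
# Added example: compare a process's open descriptors with the nofile limit
# it actually runs under. Function names are hypothetical.

# Print the soft or hard "Max open files" value from a limits file.
# $1 = path to a /proc/<pid>/limits style file, $2 = soft|hard
nofile_limit() {
    awk -v which="$2" '/^Max open files/ { print (which == "hard" ? $5 : $4) }' "$1"
}

# Count entries in /proc/<pid>/fd (prints 0 if the directory is unreadable).
fd_count() {
    ls "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# Print WARN when open descriptors reach 80% of the soft limit, else ok.
# $1 = open descriptors, $2 = soft limit (number or "unlimited")
fd_pressure() {
    if [ "$2" = "unlimited" ]; then echo ok; return 0; fi
    if [ $(( $1 * 100 )) -ge $(( $2 * 80 )) ]; then echo WARN; else echo ok; fi
}

# One-line report for a PID: effective uid, open fds, soft/hard limit, verdict.
fd_report() {
    pid=$1
    [ -r "/proc/$pid/limits" ] || { echo "pid=$pid: no readable /proc entry"; return 0; }
    # Uid: line holds real, effective, saved and filesystem uid; $3 is effective.
    euid=$(awk '/^Uid:/ { print $3 }' "/proc/$pid/status")
    soft=$(nofile_limit "/proc/$pid/limits" soft)
    hard=$(nofile_limit "/proc/$pid/limits" hard)
    open=$(fd_count "$pid")
    echo "pid=$pid euid=$euid open=$open soft=$soft hard=$hard $(fd_pressure "$open" "$soft")"
}

# Report on the PIDs given as arguments, or on this shell when none are given.
[ $# -gt 0 ] || set -- $$
for p in "$@"; do fd_report "$p"; done
```

A worker that reports a non-root euid next to a soft limit far below the 65536 squid was built with is running under an inherited limit that the compile option did not raise.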
