Hi.
On 15.03.2011 16:54, Amos Jeffries wrote:
>
> Start with the -d option.
> Then add/update debug() lines to any place that looks useful. I'm
> interested in making the debug helpful so patches for that are welcome
> upstream.
> debug() operates identical to printf() but sends the result to the
> helper channel for Squid cache.log.
>
> FWIW, I think adding pam_strerror() results into both of the WARNING:
> messages with that text should be enough to point at the actual problem.
>
Well... I did all of that (and it didn't help). By the way, debug seems
to be a macro, rather than a squid channel logging function (could it be
even possible ? main part of squid 3.x is written in C++ and the helper
part - in C). Anyway, may be it's time to describe my problem, rather
than to describe the solution as I see it. :)
Okay, the problem description: as I said I have a proxy. That's the
company main proxy, and the wpad for the network of more than 2K
machines points at it. So, during the weekdays I have loads of requests
from all sorts of clients, most of them remains blocked, but all of the
basic authentication requests are handled by pam_auth. I have 35
simultaneously running pam_auth processes. During load peaks I ususally
have 3-5 (sometimes even more) pam_auth processes that eat 100% of the
both CPUs all together. I used to think that those are the processes
that squid failed to release. But, when I kill some of it to release the
CPUs from unnecessary load, squid complains in its log like that:
WARNING: basicauthenticator #8 (FD 93) exited
It's obvious that I'm wrong and this isn't the helper squid cannot
release, but this is the actually running helper. So the questions are
- why only small parts of basic helpers are affected with such load ?
- why such load even exists ? when I kill affected processes squid
continues to run without influencing its clients for some time. Then the
load appears again.
- and, of course, what can be done to solve this.
I had a look at the code of the helper - it seems to be very
straightforward and simple, so I don't see how such a simple code can
eat CPU.
The basic helper config is:
auth_param basic program /usr/local/libexec/squid/pam_auth
auth_param basic children 35
auth_param basic realm Squid[Kamtelecom]
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off
and the pam config for the squid service name is:
auth sufficient pam_unix.so no_warn
auth sufficient /usr/local/lib/pam_winbind.so
try_first_pass
auth sufficient pam_krb5.so no_warn
try_first_pass
auth required pam_deny.so no_warn
(yup, I use the AD authentication scheme).
Thanks.
Eugene.
Received on Sat Apr 09 2011 - 13:11:27 MDT
This archive was generated by hypermail 2.2.0 : Sat Apr 09 2011 - 12:00:02 MDT