Squid configuration

sven falempin
Hello,

I am more or less forced to test Squid.
OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64

I have two problems:

<<
WARNING! Your cache is running out of filedescriptors
>>

And probably have to read more about ICAP
<<
suspending ICAP service for too many failures
>>


My question is about the fds,
I tried to add

squid:\
        :openfiles-cur=4096:\
        :tc=daemon:

into login.conf and did not forget to 'push' it

# cap_mkdb /etc/login.conf
# echo $?
0

It looks like it has no effect. Is this the way to go? Do I have to change a
limit somewhere else?

Best regards,
Sven


Re: Squid configuration

Einfach Jemand
Hi,

On 02.12.2014 22:46, sven falempin wrote:

> Hello,
>
> I am more or less forced to test Squid.
> OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
>
> I have two problems:
>
> <<
> WARNING! Your cache is running out of filedescriptors
>>>
>
> And probably have to read more about ICAP
> <<
> suspending ICAP service for too many failures
>>>
>
>
> My question is about the fds,
> i tried to add
>
> squid:\
>         :openfiles-cur=4096:\
>         :tc=daemon:
>
> into login.conf and did not forget to 'push' it
>
> # cap_mkdb /etc/login.conf
> # echo $?
> 0

Hmm, I checked on one of my boxen and there /etc/passwd has

_squid
^------------! Note the underline.

as account for this package, so you probably want

_squid:\
        :openfiles-cur=4096:\
        :tc=daemon:

in /etc/login.conf

> It looks like it has no effect. Is this the way to go ? have I to change a
> limit somewhere else ?
>
> Best regards,
> Sven
>

HTH
rru


Re: Squid configuration

Libertas

On 12/02/2014 08:49 PM, Einfach Jemand wrote:
> Hmm, I checked on one of my boxen and there /etc/passwd has
>
> _squid ^------------! Note the underline.
>
> as account for this package, so you probably want
>
> _squid:\

I'm pretty sure it's supposed to be 'squid', as the daemon name is
supposed to be used. The example given in 5.6's default
/etc/login.conf uses 'bgpd', despite the fact that bgpd runs as the
user '_bgpd'.

Sven, make sure the syntax is identical to that of the bgpd example.
It'd probably be easiest just to duplicate it and replace what you
need to. Things like using spaces rather than tabs can easily cause
silent errors.


Re: Squid configuration

Steven Shockley
In reply to this post by sven falempin
On 12/2/2014 4:46 PM, sven falempin wrote:
> <<
> WARNING! Your cache is running out of filedescriptors
>>>

I have Squid on 5.4 amd64, which may or may not be the same.

> And probably have to read more about ICAP
> <<
> suspending ICAP service for too many failures
>>>

Do you need ICAP?  I think it's primarily for web filtering or virus/DLP
scans.


> My question is about the fds,
> i tried to add
>
> squid:\
>          :openfiles-cur=4096:\
>          :tc=daemon:
>
> into login.conf

Is there a reason you chose a different config than suggested in the
port README?

squid:\
        :datasize=1500M:\
        :openfiles=4096:\
        :tc=daemon:

Does setting openfiles-cur also increase openfiles-max if it's not
specified?  Based on http://marc.info/?l=openbsd-misc&m=140698839413081,
it appears not.


Re: Squid configuration

Steven Shockley
In reply to this post by Einfach Jemand
On 12/2/2014 8:49 PM, Einfach Jemand wrote:

> Hmm, I checked on one of my boxen and there /etc/passwd has
>
> _squid
> ^------------! Note the underline.
>
> as account for this package, so you probably want

According to the package README:

When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
"${RCDIR}/squid start") the appropriately-named login class is used
automatically.

So, the underline shouldn't be necessary.


Re: Squid configuration

Einfach Jemand
On 03.12.2014 03:55, Steve Shockley wrote:

> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>
>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>
>> _squid
>> ^------------! Note the underline.
>>
>> as account for this package, so you probably want
>
> According to the package README:
>
> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
> "${RCDIR}/squid start") the appropriately-named login class is used
> automatically.
>
> So, the underline shouldn't be necessary.

Yes, I have rechecked and that is correct, no underline/underscore needed.

Directing someone looking for a solution into the wrong direction is no
good, please accept my apologies.

Bye,
rru


Re: Squid configuration

Maxim Bourmistrov-5
echo "max_filedescriptors 4096" >> /etc/squid/squid.conf

> On 3 dec 2014, at 04:07, Einfach Jemand <[hidden email]> wrote:
>
> On 03.12.2014 03:55, Steve Shockley wrote:
>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>
>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>
>>> _squid
>>> ^------------! Note the underline.
>>>
>>> as account for this package, so you probably want
>>
>> According to the package README:
>>
>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
>> "${RCDIR}/squid start") the appropriately-named login class is used
>> automatically.
>>
>> So, the underline shouldn't be necessary.
>
> Yes, I have rechecked and that is correct, no underline/underscore needed.
>
> Directing someone looking for a solution into the wrong direction is no
> good, please accept my apologies.
>
> Bye,
> rru


Re: Squid configuration

sven falempin
In reply to this post by Einfach Jemand
On Tue, Dec 2, 2014 at 8:49 PM, Einfach Jemand <[hidden email]> wrote:

>
> Hi,
>
> On 02.12.2014 22:46, sven falempin wrote:
> > Hello,
> >
> > I am more or less forced to test Squid.
> > OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
> >
> > I have two problems:
> >
> > <<
> > WARNING! Your cache is running out of filedescriptors
> >>>
> >
> > And probably have to read more about ICAP
> > <<
> > suspending ICAP service for too many failures
> >>>
> >
> >
> > My question is about the fds,
> > i tried to add
> >
> > squid:\
> >         :openfiles-cur=4096:\
> >         :tc=daemon:
> >
> > into login.conf and did not forget to 'push' it
> >
> > # cap_mkdb /etc/login.conf
> > # echo $?
> > 0
>
> Hmm, I checked on one of my boxen and there /etc/passwd has
>
> _squid
> ^------------! Note the underline.
>
> as account for this package, so you probably want
>
> _squid:\
>         :openfiles-cur=4096:\
>         :tc=daemon:
>
> in /etc/login.conf
>
> > It looks like it has no effect. Is this the way to go ? have I to change a
> > limit somewhere else ?
> >
> > Best regards,
> > Sven
> >
>
> HTH
> rru
>

about _ :

$ grep bgpd /etc/passwd /etc/login.conf
/etc/passwd:_bgpd:*:75:75:BGP Daemon:/var/empty:/sbin/nologin
/etc/login.conf:bgpd:\

Other test:

Using ulimit -n 4096
my perl script opens <1025> files


# cat /root/fds.pl
#!/usr/bin/perl

use warnings;
use strict;
use v5.10;
use POSIX;
use File::Temp qw/tempfile/;

if (defined $ARGV[0] and $ARGV[0] =~ /^\d+$/) {
    setuid($ARGV[0]);
} else {
    setuid(515);
}

system('id');

my @fds = ();

while (0xBAD) {
    my ($fh, $filename) = tempfile();
    last unless $fh;    #but tempfile croak
    push @fds, { fd => $fh, n => $filename };
}

END {
    say 'Count:' . ($#fds + 1);
    foreach my $fd (@fds) {
        close $fd->{fd};
        unlink $fd->{n};
    }
}


Re: Squid configuration

sven falempin
In reply to this post by Maxim Bourmistrov-5
On Wed, Dec 3, 2014 at 4:56 AM, mxb <[hidden email]> wrote:
> echo "max_filedescriptors 4096" >> /etc/squid/squid.conf

Thanks mxb, but squid got that by default; squidclient mgr:cache
answers 4096 to me

>
>> On 3 dec 2014, at 04:07, Einfach Jemand <[hidden email]> wrote:
>>
>> On 03.12.2014 03:55, Steve Shockley wrote:
>>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>>
>>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>>
>>>> _squid
>>>> ^------------! Note the underline.
>>>>
>>>> as account for this package, so you probably want
>>>
>>> According to the package README:
>>>
>>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
>>> "${RCDIR}/squid start") the appropriately-named login class is used
>>> automatically.
>>>
>>> So, the underline shouldn't be necessary.
>>
>> Yes, I have rechecked and that is correct, no underline/underscore needed.
>>
>> Directing someone looking for a solution into the wrong direction is no
>> good, please accept my apologies.
>>
>> Bye,
>> rru
>



--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\


Re: Squid configuration

sven falempin
In reply to this post by Steven Shockley
On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley
<[hidden email]> wrote:

> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>
>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>
>> _squid
>> ^------------! Note the underline.
>>
>> as account for this package, so you probably want
>
>
> According to the package README:
>
> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
> "${RCDIR}/squid start") the appropriately-named login class is used
> automatically.
>
> So, the underline shouldn't be necessary.
>

The login would be applied in an rc script? I looked into that:

Is that why the _ goes away?

_name=$(basename $0)
[.. so name of the rc script is used to get compiled login.conf info..]
getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
[ but this only prints stuff according to man page ]

There is an rcexec that forces the usage of the login class

grep rcexec /etc/rc.d/*
unbound uses it, but not squid.

I guess my perl script would have to do a setrlimit after dropping
privilege to open 4096 files.


On the other hand, the class is supposed to be in master.passwd or be
to default:


name User's login name.
password User's encrypted password.
uid User's login user ID.
gid User's login group ID.
class User's general classification (see login.conf(5)).
change Password change time.
expire Account expiration time.
gecos General information about the user.
home_dir User's home directory.
shell User's login shell.


_squid:*:515:515:daemon:0:0:Squid Account:
_bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin


bgpd class is blank, squid is set to daemon.

Is bgpd correctly configured? Is squid using the daemon class? Am I
forced to use BSD::Resource to setrlimit in the perl script to
validate this? Is getcap doing something else than printing?



--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\


Re: Squid configuration

Einfach Jemand
On 03.12.2014 12:59, sven falempin wrote:

> On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley
> <[hidden email]> wrote:
>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>
>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>
>>> _squid
>>> ^------------! Note the underline.
>>>
>>> as account for this package, so you probably want
>>
>>
>> According to the package README:
>>
>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
>> "${RCDIR}/squid start") the appropriately-named login class is used
>> automatically.
>>
>> So, the underline shouldn't be necessary.
>>
>
>  The login would be apply in a rc script ? I looked into that :
>
> is that why the _ goes away ?
>
> _name=$(basename $0)
> [.. so name of the rc script is sed to get compiled login.conf info..]
> getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
> [ but this only print stuff according to man page ]
>
>  There is a rcexec  that force the usage of the login class
>
> grep rcexec /etc/rc.d/*
> unbound use it, but not squid.
>
> I guess my perl script would have to do a strlimit after dropping
> privilege to open 4096 files.
>
>
> On the other hand, the class is supposed to be in master.passwd or be
> to default:
>
>
> name User's login name.
> password User's encrypted password.
> uid User's login user ID.
> gid User's login group ID.
> class User's general classification (see login.conf(5)).
> change Password change time.
> expire Account expiration time.
> gecos General information about the user.
> home_dir User's home directory.
> shell User's login shell.
>
>
> _squid:*:515:515:daemon:0:0:Squid Account:
> _bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin
>
>
> bgpd class is blank, squid is set to daemon.
>
> Is bgpd correctly configured ?

Yes. It has an entry in /etc/login.conf

man rc.subr explains it:

-- quote --
daemon_class  Login class to run the daemon with, using su(1).  This is
              a read only variable that gets set by rc.subr itself.  It
              searches login.conf(5) for a login class that has the
              same name as the rc.d script itself and uses that.  If no
              such login class exists then ``daemon'' will be used.
-- end quote --

> is squid using the daemon class ?

Yes unless you have a stanza for squid in /etc/login.conf .
(And the README for the package advises you to create one)

A test _without_ a stanza for squid in /etc/login.conf and the first
line of /etc/rc.d/squid set to

#!/bin/sh -x

results in

root:/etc/rc.d:28# /etc/rc.d/squid start
+ daemon=/usr/local/sbin/squid
+ daemon_timeout=35
+ . /etc/rc.d/rc.subr
+ [ -n  ]
+ [ -n /usr/local/sbin/squid ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename /etc/rc.d/squid
+ _name=squid
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/squid
+ _rc_do _rc_parse_conf
+ eval _rcflags=${squid_flags}
+ _rcflags=
+ eval _rcuser=${squid_user}
+ _rcuser=
+ eval _rctimeout=${squid_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf squid
+ > /dev/null
+ 2>&1
+ [ -z  ]
+ daemon_class=daemon
+ [ -z  ]
+ daemon_user=root
+ [ -z 35 ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ readonly daemon_class
+ unset _rcflags _rcuser _rctimeout
+ pexp=/usr/local/sbin/squid
+ rcexec=su -l -c daemon -s /bin/sh root -c
+ rc_cmd start
squid(ok)

The same _with_ a stanza for squid in /etc/login.conf gives

root:/etc/rc.d:34# /etc/rc.d/squid start

+ daemon=/usr/local/sbin/squid
+ daemon_timeout=35
+ . /etc/rc.d/rc.subr
+ [ -n  ]
+ [ -n /usr/local/sbin/squid ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename /etc/rc.d/squid
+ _name=squid
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/squid
+ _rc_do _rc_parse_conf
+ eval _rcflags=${squid_flags}
+ _rcflags=
+ eval _rcuser=${squid_user}
+ _rcuser=
+ eval _rctimeout=${squid_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf squid
+ > /dev/null
+ 2>&1
+ daemon_class=squid
+ [ -z squid ]
+ [ -z  ]
+ daemon_user=root
+ [ -z 35 ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ readonly daemon_class
+ unset _rcflags _rcuser _rctimeout
+ pexp=/usr/local/sbin/squid
+ rcexec=su -l -c squid -s /bin/sh root -c
+ rc_cmd start
squid(ok)

> am I forced to use BSD::resources to strlimit in the perl script to
> validate this ?
> is getcap doing something else than printing ?

Yes, it returns $? which is used in rc.subr to set the login-class to
daemon when there is no service-specific stanza in /etc/login.conf

HTH
rru


Re: Squid configuration

sven falempin
On Wed, Dec 3, 2014 at 4:11 PM, Einfach Jemand <[hidden email]> wrote:

> On 03.12.2014 12:59, sven falempin wrote:
>> On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley
>> <[hidden email]> wrote:
>>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>>
>>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>>
>>>> _squid
>>>> ^------------! Note the underline.
>>>>
>>>> as account for this package, so you probably want
>>>
>>>
>>> According to the package README:
>>>
>>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
>>> "${RCDIR}/squid start") the appropriately-named login class is used
>>> automatically.
>>>
>>> So, the underline shouldn't be necessary.
>>>
>>
>>  The login would be apply in a rc script ? I looked into that :
>>
>> is that why the _ goes away ?
>>
>> _name=$(basename $0)
>> [.. so name of the rc script is sed to get compiled login.conf info..]
>> getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
>> [ but this only print stuff according to man page ]
>>
>>  There is a rcexec  that force the usage of the login class
>>
>> grep rcexec /etc/rc.d/*
>> unbound use it, but not squid.
>>
>> I guess my perl script would have to do a strlimit after dropping
>> privilege to open 4096 files.
>>
>>
>> On the other hand, the class is supposed to be in master.passwd or be
>> to default:
>>
>>
>> name User's login name.
>> password User's encrypted password.
>> uid User's login user ID.
>> gid User's login group ID.
>> class User's general classification (see login.conf(5)).
>> change Password change time.
>> expire Account expiration time.
>> gecos General information about the user.
>> home_dir User's home directory.
>> shell User's login shell.
>>
>>
>> _squid:*:515:515:daemon:0:0:Squid Account:
>> _bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin
>>
>>
>> bgpd class is blank, squid is set to daemon.
>>
>> Is bgpd correctly configured ?
>
> Yes. It has an entry in /etc/login.conf
>
> man rc.subr explains it:
>
> -- quote --
> daemon_class  Login class to run the daemon with, using su(1).  This is
>               a read only variable that gets set by rc.subr itself.  It
>               searches login.conf(5) for a login class that has the
>               same name as the rc.d script itself and uses that.  If no
>               such login class exists then ``daemon'' will be used.
> -- end quote --
>
>> is squid using the daemon class ?
>
> Yes unless you have a stanze for squid in /etc/login.conf .
> (And the README for the package advises you to create one)
>
> A test _without_ a stanza for squid in /etc/login.conf and the first
> line of /etc/rc.d/squid set to
>
> #!/bin/sh -x
>
> results in
>
> root:/etc/rc.d:28# /etc/rc.d/squid start
> + daemon=/usr/local/sbin/squid
> + daemon_timeout=35
> + . /etc/rc.d/rc.subr
> + [ -n  ]
> + [ -n /usr/local/sbin/squid ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + basename /etc/rc.d/squid
> + _name=squid
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/squid
> + _rc_do _rc_parse_conf
> + eval _rcflags=${squid_flags}
> + _rcflags=
> + eval _rcuser=${squid_user}
> + _rcuser=
> + eval _rctimeout=${squid_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf squid
> + > /dev/null
> + 2>&1
> + [ -z  ]
> + daemon_class=daemon
> + [ -z  ]
> + daemon_user=root
> + [ -z 35 ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + readonly daemon_class
> + unset _rcflags _rcuser _rctimeout
> + pexp=/usr/local/sbin/squid
> + rcexec=su -l -c daemon -s /bin/sh root -c
> + rc_cmd start
> squid(ok)
>
> The same _with_ a stanza for squid in /etc/login.conf gives
>
> root:/etc/rc.d:34# /etc/rc.d/squid start
>
> + daemon=/usr/local/sbin/squid
> + daemon_timeout=35
> + . /etc/rc.d/rc.subr
> + [ -n  ]
> + [ -n /usr/local/sbin/squid ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + basename /etc/rc.d/squid
> + _name=squid
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/squid
> + _rc_do _rc_parse_conf
> + eval _rcflags=${squid_flags}
> + _rcflags=
> + eval _rcuser=${squid_user}
> + _rcuser=
> + eval _rctimeout=${squid_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf squid
> + > /dev/null
> + 2>&1
> + daemon_class=squid
> + [ -z squid ]
> + [ -z  ]
> + daemon_user=root
> + [ -z 35 ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + readonly daemon_class
> + unset _rcflags _rcuser _rctimeout
> + pexp=/usr/local/sbin/squid
> + rcexec=su -l -c squid -s /bin/sh root -c
> + rc_cmd start
> squid(ok)
>
>> am I forced to use BSD::resources to strlimit in the perl script to
>> validate this ?
>> is getcap doing something else than printing ?
>
> Yes, it returns $? which is used in rc.subr to set the login-class to
> daemon when there is no service-specific stanza in /etc/login.conf
>
> HTH
> rru
>

I understand now

the answer to the BSD::Resource is yes apparently

# su -l -c squid -s  /bin/sh root -c "perl /root/fds.pl"
uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)
ksh: ulimit: Permission denied
Error in tempfile() using template /tmp/XXXXXXXXXX: Could not create
temp file /tmp/f7PQGePzoX: Too many open files at /root/fds.pl line
20.
Count:125


--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\


Re: Squid configuration

Stuart Henderson
In reply to this post by sven falempin
On 2014-12-02, sven falempin <[hidden email]> wrote:

> Hello,
>
> I am more or less forced to test Squid.
> OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
>
> I have two problems:
>
><<
> WARNING! Your cache is running out of filedescriptors
>>>
>
> And probably have to read more about ICAP
><<
> suspending ICAP service for too many failures
>>>
>
>
> My question is about the fds,
> i tried to add
>
> squid:\
>         :openfiles-cur=4096:\
>         :tc=daemon:

Follow the instructions in the pkg-readme exactly and let me know if you
still have problems. If you want to make adjustments to limits etc then
do that after trying the suggested configuration.

In your case you most likely have an invalid config, the openfiles-max
limit will probably be *lower* than your openfiles-cur. OpenBSD used to
accept this and use the higher limit, but a couple of releases ago this
was changed for posix compatibility. The example in the pkg-readme just
sets openfiles, overriding both -cur and -max.

> into login.conf and did not forget to 'push' it
>
> # cap_mkdb /etc/login.conf
> # echo $?
> 0

You only have to run cap_mkdb if you already have a login.conf.db file.
Most people do not use these and just use the plaintext file instead.

> It looks like it has no effect. Is this the way to go ? have I to change a
> limit somewhere else ?
>
> Best regards,
> Sven


Re: Squid configuration

sven falempin
On Sat, Dec 6, 2014 at 9:20 AM, Stuart Henderson <[hidden email]> wrote:

> On 2014-12-02, sven falempin <[hidden email]> wrote:
>> Hello,
>>
>> I am more or less forced to test Squid.
>> OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
>>
>> I have two problems:
>>
>><<
>> WARNING! Your cache is running out of filedescriptors
>>>>
>>
>> And probably have to read more about ICAP
>><<
>> suspending ICAP service for too many failures
>>>>
>>
>>
>> My question is about the fds,
>> i tried to add
>>
>> squid:\
>>         :openfiles-cur=4096:\
>>         :tc=daemon:
>
> Follow the instructions in the pkg-readme exactly and let me know if you
> still have problems. If you want to make adjustments to limits etc then
> do that after trying the suggested configuration.
>
> In your case you most likely have an invalid config, the openfiles-max
> limit will probably be *lower* than your openfiles-cur. OpenBSD used to
> accept this and use the higher limit, but a couple of releases ago this
> was changed for posix compatibility. The example in the pkg-readme just
> sets openfiles, overriding both -cur and -max.
>
>> into login.conf and did not forget to 'push' it
>>
>> # cap_mkdb /etc/login.conf
>> # echo $?
>> 0
>
> You only have to run cap_mkdb if you already have a login.conf.db file.
> Most people do not use these and just use the plaintext file instead.
>

And it checks the non space friendly syntax :-)

with openfiles

squid:\
:openfiles-cur=4096:\
:openfiles=4096:\
:tc=daemon:

I do not have to do ulimit manually before, but it stops at 1025; I didn't
call setrlimit


root@unicornD # su -l -c squid -s /bin/sh root -c "perl /root/fds.pl"
uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)
ksh: ulimit: Permission denied
Error in tempfile() using template /tmp/XXXXXXXXXX: Could not create
temp file /tmp/4vncHRQHUt: No locks available at /root/fds.pl line 20.
Count:1025


setrlimit changes nothing:


# cat /root/fds.pl
#!/usr/bin/perl

use warnings;
use strict;
use v5.10;
use POSIX;
use BSD::Resource;
use File::Temp qw/tempfile/;

if (defined $ARGV[0] and $ARGV[0] =~ /^\d+$/) {
    setuid($ARGV[0]);
} else {
    setuid(515);
}

system('id');

my $rc = setrlimit(RLIMIT_OPEN_MAX, 4096, 4096);
say 'ok' if ($rc);

my @fds = ();

while (0xBAD) {
    my ($fh, $filename) = tempfile();
    last unless $fh;
    push @fds, { fd => $fh, n => $filename };
}

END {
    say 'Count:' . ($#fds + 1);
    foreach my $fd (@fds) {
        close $fd->{fd};
        unlink $fd->{n};
    }
}



>> It looks like it has no effect. Is this the way to go ? have I to change a
>> limit somewhere else ?
>>
>> Best regards,
>> Sven
>



--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\


Re: Squid configuration

Stuart Henderson
On 2014/12/07 15:57, sven falempin wrote:

> On Sat, Dec 6, 2014 at 9:20 AM, Stuart Henderson <[hidden email]> wrote:
> > On 2014-12-02, sven falempin <[hidden email]> wrote:
> >> Hello,
> >>
> >> I am more or less forced to test Squid.
> >> OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
> >>
> >> I have two problems:
> >>
> >><<
> >> WARNING! Your cache is running out of filedescriptors
> >>>>
> >>
> >> And probably have to read more about ICAP
> >><<
> >> suspending ICAP service for too many failures
> >>>>
> >>
> >>
> >> My question is about the fds,
> >> i tried to add
> >>
> >> squid:\
> >>         :openfiles-cur=4096:\
> >>         :tc=daemon:
> >
> > Follow the instructions in the pkg-readme exactly and let me know if you
> > still have problems. If you want to make adjustments to limits etc then
> > do that after trying the suggested configuration.
> >
> > In your case you most likely have an invalid config, the openfiles-max
> > limit will probably be *lower* than your openfiles-cur. OpenBSD used to
> > accept this and use the higher limit, but a couple of releases ago this
> > was changed for posix compatibility. The example in the pkg-readme just
> > sets openfiles, overriding both -cur and -max.
> >
> >> into login.conf and did not forget to 'push' it
> >>
> >> # cap_mkdb /etc/login.conf
> >> # echo $?
> >> 0
> >
> > You only have to run cap_mkdb if you already have a login.conf.db file.
> > Most people do not use these and just use the plaintext file instead.
> >
>
> And it checks the non space friendly syntax :-)
>
> whith openfile
>
> squid:\
> :openfiles-cur=4096:\
> :openfiles=4096:\
> :tc=daemon:
>
> I do not have to do ulimit manually before but stop at 1025, I didn't
> call setrlimit
>
>
> root@unicornD # su -l -c squid -s /bin/sh root -c "perl /root/fds.pl"
> uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
> 5(operator), 20(staff), 31(guest)
> ksh: ulimit: Permission denied
> Error in tempfile() using template /tmp/XXXXXXXXXX: Could not create
> temp file /tmp/4vncHRQHUt: No locks available at /root/fds.pl line 20.
> Count:1025
>
>
> setrlimit change nothing :
>
>
> # cat /root/fds.pl
> #!/usr/bin/perl
>
> use warnings;
> use strict;
> use v5.10;
> use POSIX;
> use BSD::Resource;
> use File::Temp qw/tempfile/;
>
> if (defined $ARGV[0] and $ARGV[0] =~ /^\d+$/) {
>     setuid($ARGV[0]);
> } else {
>     setuid(515);
> }
>
> system('id');
>
> my $rc = setrlimit(RLIMIT_OPEN_MAX, 4096, 4096);
> say 'ok' if ($rc);
>
> my @fds = ();
>
> while (0xBAD) {
>     my ($fh, $filename) = tempfile();
>     last unless $fh;
>     push @fds, { fd => $fh, n => $filename };
> }
>
> END {
>     say 'Count:' . ($#fds + 1);
>     foreach my $fd (@fds) {
>         close $fd->{fd};
>         unlink $fd->{n};
>     }
> }
>
>
>
> >> It looks like it has no effect. Is this the way to go ? have I to change a
> >> limit somewhere else ?
> >>
> >> Best regards,
> >> Sven
> >
>
>
>
> --
> ---------------------------------------------------------------------------------------------------------------------
> () ascii ribbon campaign - against html e-mail
> /\

I have no idea what you're trying to do here.

<sthen@wc2-pl7:~:669>$ tail -5 /etc/login.conf
squid:\
        :datasize=infinity:\
        :openfiles-max=10000:\
        :openfiles-cur=6000:\
        :tc=default:
<sthen@wc2-pl7:~:670>$ sudo -c squid sh -c "ulimit -a"
time(cpu-seconds)    unlimited
file(blocks)         unlimited
coredump(blocks)     unlimited
data(kbytes)         33554432
stack(kbytes)        4096
lockedmem(kbytes)    2029690
memory(kbytes)       6087328
nofiles(descriptors) 6000
processes            128
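
An added example (not code from the thread, the Squid package or OpenBSD): a small Python model of the two behaviours explained above, rc.subr picking the login class named after the rc.d script and falling back to `daemon`, and an `openfiles-cur` that ends up above the inherited `openfiles-max`. The base classes and their values are constructed, and the resolution rule (first definition wins after `tc=` expansion, plain `openfiles` counting for both `-cur` and `-max`) is an assumption of this model.

```python
import re

# Constructed base classes for the demo; NOT the real OpenBSD /etc/login.conf.
BASE = r"""
default:\
        :openfiles-cur=512:\
        :openfiles-max=1024:

daemon:\
        :openfiles-cur=128:\
        :tc=default:
"""

# The three squid stanzas quoted in the thread.
SVEN = r"""
squid:\
        :openfiles-cur=4096:\
        :tc=daemon:
"""
README = r"""
squid:\
        :datasize=1500M:\
        :openfiles=4096:\
        :tc=daemon:
"""
STHEN = r"""
squid:\
        :datasize=infinity:\
        :openfiles-max=10000:\
        :openfiles-cur=6000:\
        :tc=default:
"""


def parse_login_conf(text):
    """Return {class_name: [(capability, value), ...]} in file order."""
    joined = re.sub(r"\\\n", "", text)  # join backslash-continued lines
    classes = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        caps = [f.partition("=")[::2] for f in fields[1:] if f]
        for name in fields[0].split("|"):  # a record may carry aliases
            classes[name] = caps
    return classes


def rc_daemon_class(classes, script_name):
    """Model of the rc.subr rule: class named like the script, else 'daemon'."""
    return script_name if script_name in classes else "daemon"


def expand(classes, name, seen=()):
    """Flatten a class, splicing each tc= target in place (loop-safe)."""
    if name in seen or name not in classes:
        raise ValueError("bad tc= reference: " + name)
    out = []
    for cap, value in classes[name]:
        if cap == "tc":
            out.extend(expand(classes, value, seen + (name,)))
        else:
            out.append((cap, value))
    return out


def effective_limit(caps, resource):
    """Assumed rule: first of `resource` / `resource-<suffix>` wins."""
    found = {}
    for suffix in ("cur", "max"):
        wanted = (resource, resource + "-" + suffix)
        found[suffix] = next((v for c, v in caps if c in wanted), None)
    return found["cur"], found["max"]


def to_number(value):
    return float("inf") if value == "infinity" else int(value)


def check_openfiles(conf_text, script_name):
    """Return (class used, soft limit, hard limit, soft <= hard)."""
    classes = parse_login_conf(conf_text)
    cls = rc_daemon_class(classes, script_name)
    cur, hard = effective_limit(expand(classes, cls), "openfiles")
    ok = cur is None or hard is None or to_number(cur) <= to_number(hard)
    return cls, cur, hard, ok


if __name__ == "__main__":
    cases = [("none", ""), ("sven", SVEN), ("readme", README), ("sthen", STHEN)]
    for label, stanza in cases:
        print(label, check_openfiles(BASE + stanza, "squid"))
```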


Re: Squid configuration

sven falempin
On Sun, Dec 7, 2014 at 5:12 PM, Stuart Henderson <[hidden email]> wrote:

> On 2014/12/07 15:57, sven falempin wrote:
>> On Sat, Dec 6, 2014 at 9:20 AM, Stuart Henderson <[hidden email]> wrote:
>> > On 2014-12-02, sven falempin <[hidden email]> wrote:
>> >> Hello,
>> >>
>> >> I am more or less forced to test Squid.
>> >> OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
>> >>
>> >> I have two problems:
>> >>
>> >><<
>> >> WARNING! Your cache is running out of filedescriptors
>> >>>>
>> >>
>> >> And probably have to read more about ICAP
>> >><<
>> >> suspending ICAP service for too many failures
>> >>>>
>> >>
>> >>
>> >> My question is about the fds,
>> >> i tried to add
>> >>
>> >> squid:\
>> >>         :openfiles-cur=4096:\
>> >>         :tc=daemon:
>> >
>> > Follow the instructions in the pkg-readme exactly and let me know if you
>> > still have problems. If you want to make adjustments to limits etc then
>> > do that after trying the suggested configuration.
>> >
>> > In your case you most likely have an invalid config, the openfiles-max
>> > limit will probably be *lower* than your openfiles-cur. OpenBSD used to
>> > accept this and use the higher limit, but a couple of releases ago this
>> > was changed for posix compatibility. The example in the pkg-readme just
>> > sets openfiles, overriding both -cur and -max.
>> >
>> >> into login.conf and did not forget to 'push' it
>> >>
>> >> # cap_mkdb /etc/login.conf
>> >> # echo $?
>> >> 0
>> >
>> > You only have to run cap_mkdb if you already have a login.conf.db file.
>> > Most people do not use these and just use the plaintext file instead.
>> >
>>
>> And it checks the non space friendly syntax :-)
>>
>> whith openfile
>>
>> squid:\
>> :openfiles-cur=4096:\
>> :openfiles=4096:\
>> :tc=daemon:
>>
>> I do not have to do ulimit manually before but stop at 1025, I didn't
>> call setrlimit
>>
>>
>> root@unicornD # su -l -c squid -s /bin/sh root -c "perl /root/fds.pl"
>> uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
>> 5(operator), 20(staff), 31(guest)
>> ksh: ulimit: Permission denied
>> Error in tempfile() using template /tmp/XXXXXXXXXX: Could not create
>> temp file /tmp/4vncHRQHUt: No locks available at /root/fds.pl line 20.
>> Count:1025
>>
>>
>> setrlimit change nothing :
>>
>>
>> # cat /root/fds.pl
>> #!/usr/bin/perl
>>
>> use warnings;
>> use strict;
>> use v5.10;
>> use POSIX;
>> use BSD::Resource;
>> use File::Temp qw/tempfile/;
>>
>> if (defined $ARGV[0] and $ARGV[0] =~ /^\d+$/) {
>>     setuid($ARGV[0]);
>> } else {
>>     setuid(515);
>> }
>>
>> system('id');
>>
>> my $rc = setrlimit(RLIMIT_OPEN_MAX, 4096, 4096);
>> say 'ok' if ($rc);
>>
>> my @fds = ();
>>
>> while (0xBAD) {
>>     my ($fh, $filename) = tempfile();
>>     last unless $fh;
>>     push @fds, { fd => $fh, n => $filename };
>> }
>>
>> END {
>>     say 'Count:' . ($#fds + 1);
>>     foreach my $fd (@fds) {
>>         close $fd->{fd};
>>         unlink $fd->{n};
>>     }
>> }
>>
>>
>>
>> >> It looks like it has no effect. Is this the way to go ? have I to change a
>> >> limit somewhere else ?
>> >>
>> >> Best regards,
>> >> Sven
>> >
>>
>>
>>
>> --
>> ---------------------------------------------------------------------------------------------------------------------
>> () ascii ribbon campaign - against html e-mail
>> /\
>
> I have no idea what you're trying to do here.

Opening (tempfile) files to the failure point, then cleaning the mess in
END{}. I got 1025 temp files opened, then it fails.

Since I run squid after a ulimit or with the class, I didn't get the
fd warnings in the log, but I didn't check how many files were open;
the test with fds.pl probably fails for another reason (No locks available).

Years of using other open source kernels taught me to trust nothing; the
result is the one expected when using

my($fh, $filename) = tempfile('/tmp/XXXXXXXXX',EXLOCK => 0);

to open files.

Clearly out of the squid subject.

I am on my sslBump issue now.

Thank you for the support :-)


>
> <sthen@wc2-pl7:~:669>$ tail -5 /etc/login.conf
> squid:\
>         :datasize=infinity:\
>         :openfiles-max=10000:\
>         :openfiles-cur=6000:\
>         :tc=default:
> <sthen@wc2-pl7:~:670>$ sudo -c squid sh -c "ulimit -a"
> time(cpu-seconds)    unlimited
> file(blocks)         unlimited
> coredump(blocks)     unlimited
> data(kbytes)         33554432
> stack(kbytes)        4096
> lockedmem(kbytes)    2029690
> memory(kbytes)       6087328
> nofiles(descriptors) 6000
> processes            128
>



--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\