Hi Eliezer, I don't know if 3.3.x and 3.2.x *really need* more helpers to work, I just saw here http://www.squid-cache.org/Doc/config/external_acl_type/ that now we CAN start more helper processes, and as I have resources I might start more of them just to have them up if needed at some point in time. So, "it's not a bug, it's a feature" hehehe...
But, about having more than 1 rock store, I don't know, I may have made some confusion when reading about SMP and cache_dir options different than "rock", maybe THAT is what is generating the "FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-squid-page-pool.shm): (2) No such file or directory" errors... I am not at work yet (had a long kernel's updates night) but I will test with only one rock store to check how things go... and, yes, ext_ldap_grou_helper is working like a charm, which is already half of the way for me...

regards.
--
Att...
Ricardo Felipe Klein
klein....@gmail.com

On Tue, Jun 4, 2013 at 3:55 AM, Eliezer Croitoru <elie...@ngtech.co.il> wrote:
> hey Ricardo.
>
> GOOD and Thanks!
> I have seen this issue before but didn't have much time to handle it.
> So now the ldap helper works fine??
> If I understand right there is something odd about the helpers code which
> forces the admin to use more helpers than it used to be in 2.7 and 3.1.
>
> How about testing it and making sure it's a *bug* and file a bug together
> on it?
>
> Why do you use couple rock store caches if they are all available to all
> the workers?
>
> Eliezer
>
> On 6/3/2013 8:15 PM, Ricardo Klein wrote:
>>
>> Hi Eliezer,
>>
>> I ended up making some changes on my /etc/init.d/squid to force
>> pidfiles exclusion on /var/run/squid, because when I restart squid it
>> does not always kill those files (but it ends all processes).
>>
>> My new packages now have the init.d script with those changes and I
>> have uploaded them here:
>> http://webfiles.klein.inf.br/centos/squid-3.3.5-2.el6.src.rpm
>> http://webfiles.klein.inf.br/centos/squid-3.3.5-2.el6.x86_64.rpm
>> And, my selinux policies too:
>> http://webfiles.klein.inf.br/centos/squid_selinuxpolicy.tar.bz2 if you
>> use any RHEL flavor.
>>
>> Btw, I have good performance when added some options on
>> ext_ldap_group_acl (children-max=50 children-startup=25
>> children-idle=25), and here is all the interesting part about it:
>> #### SQUID.CONF parts ####
>> cache_mem 2048 MB
>> workers 6
>> cache_dir rock /var/spool/squid/cache1 4096 max-size=31000
>> swap-timeout=1000 max-swap-rate=100
>> cache_dir rock /var/spool/squid/cache2 4096 max-size=31000
>> swap-timeout=1000 max-swap-rate=100
>> cache_dir rock /var/spool/squid/cache3 4096 max-size=31000
>> swap-timeout=1000 max-swap-rate=100
>> cache_dir rock /var/spool/squid/cache4 4096 max-size=31000
>> swap-timeout=1000 max-swap-rate=100
>> cache_dir rock /var/spool/squid/cache5 4096 max-size=31000
>> swap-timeout=1000 max-swap-rate=100
>> cache_dir rock /var/spool/squid/cache6 4096 max-size=31000
>> swap-timeout=1000 max-swap-rate=100
>>
>> cache_replacement_policy heap LFUDA
>>
>> logfile_daemon /usr/lib64/squid/log_file_daemon
>> access_log daemon:/var/log/squid/access.log squid
>>
>> auth_param basic credentialsttl 20 minutes
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 15
>> auth_param ntlm keep_alive on
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>>
>> external_acl_type ldap_group children-max=50 children-startup=25
>> children-idle=25 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -S -R
>> -b "DC=MYDOMAIN,DC=local" -D
>> "CN=squid,OU=Internet,OU=Infra-estrutura,DC=MYDOMAIN,DC=local" -w
>> MYPASSWORD -f
>> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,OU=Internet,OU=Infra-estrutura,DC=MYDOMAIN,DC=local))"
>> -h <IPADDRESS>
>>
>> authenticate_ttl 600 seconds
>> #### /SQUID.CONF parts ####
>>
>> Anyway, I still have some errors like this one when using more than 2
>> workers (but squid still working):
>>
>> Squid Cache (Version 3.3.5): Terminated abnormally.
>> CPU Usage: 0.068 seconds = 0.054 user + 0.014 sys
>> Maximum Resident Size: 76000 KB
>> Page faults with physical i/o: 0
>> FATAL: Ipc::Mem::Segment::open failed to
>> shm_open(/squid-squid-page-pool.shm): (2) No such file or directory
>>
>> I am going to test it in production to see how it performs and tell you
>> here ok?
>> --
>> Att...
>>
>> Ricardo Felipe Klein
>> klein....@gmail.com
>>
>> On Mon, Jun 3, 2013 at 9:37 AM, Ricardo Klein <klein....@gmail.com> wrote:
>>>
>>> Eliezer,
>>>
>>> you didn't compile LDAP_group external acl, see your ./configure line:
>>> '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group'
>>>
>>> My:
>>>
>>> --enable-external-acl-helpers="file_userip,LDAP_group,kerberos_ldap_group,session,unix_group,wbinfo_group"
>>>
>>> But I will try to rebuild your package with LDAP_group enabled
>>> --
>>> Att...
>>>
>>> Ricardo Felipe Klein
>>> klein....@gmail.com
>>>
>>> On Mon, Jun 3, 2013 at 8:53 AM, Ricardo Klein <klein....@gmail.com>
>>> wrote:
>>>>
>>>> Eliezer,
>>>>
>>>> You mean change permissions on /dev/shm? It is already "world writeable"
>>>> [root@theroutertwo ~]# ll /dev/shm
>>>> total 0
>>>> drwxrwxrwt. 2 root root 40 Jun 1 12:16 .
>>>>
>>>> (maybe I am doing the whole shm thing wrong)
>>>>
>>>> Btw I will test your package this morning (it is Monday morning here in
>>>> Brazil now) and tell you how it goes.
>>>>
>>>> --
>>>> Att...
>>>>
>>>> Ricardo Felipe Klein
>>>> klein....@gmail.com
>>>>
>>>> On Mon, Jun 3, 2013 at 7:58 AM, Eliezer Croitoru <elie...@ngtech.co.il>
>>>> wrote:
>>>>>
>>>>> Yes it works.
>>>>> If you need some SHM thing just change the ownership of the directory.
>>>>> it will solve most of the problems.
>>>>> If there is some SPEC expert here I will be happy to get some help to
>>>>> do this change in the SPEC file instead of doing it manually.
>>>>>
>>>>> Eliezer
>>>>>
>>>>> On 6/1/2013 11:50 PM, Ricardo Klein wrote:
>>>>>>
>>>>>> Eliezer,
>>>>>>
>>>>>> nice, you already have the package I need... Does your package work
>>>>>> with ldap_group external acl?
>>>>>> I will try it and check if your package works with my conf, this SHM
>>>>>> error is driving me crazy.
>>>>>> --
>>>>>> Att...
>>>>>>
>>>>>> Ricardo Felipe Klein
>>>>>> klein....@gmail.com
>>>>>>
>>>>>> On Sat, Jun 1, 2013 at 5:28 PM, Eliezer Croitoru
>>>>>> <elie...@ngtech.co.il> wrote:
>>>>>>>
>>>>>>> Hey Ricardo,
>>>>>>>
>>>>>>> If you can build an RPM and store it it will be helpful for many
>>>>>>> people.
>>>>>>> it will also add redundancy to my RPM and an alternative to mine.
>>>>>>> http://www1.ngtech.co.il/rpm/centos/6/x86_64/
>>>>>>> if you want the SRPM this is where mine is stored:
>>>>>>> http://www1.ngtech.co.il/rpm/centos/6/x86_64/SRPM/
>>>>>>>
>>>>>>> Eliezer
>>>>>>>
>>>>>>> On 6/1/2013 3:01 PM, Ricardo Klein wrote:
>>>>>>>>
>>>>>>>> Amos,
>>>>>>>>
>>>>>>>> great thanks, I will fix this mess I did in the ./configure and try
>>>>>>>> again. If I can build an RPM package for CentOS 6.4 (and it should
>>>>>>>> work in RHEL 6.4 too) there is any interest I put this in somewhere
>>>>>>>> people can download it?
>>>>>>>> --
>>>>>>>> Att...
>>>>>>>>
>>>>>>>> Ricardo Felipe Klein
>>>>>>>> klein....@gmail.com
>>>>>>>>
>>>>>>>> On Sat, Jun 1, 2013 at 12:39 AM, Amos Jeffries
>>>>>>>> <squ...@treenet.co.nz> wrote:
>>>>>>>>>
>>>>>>>>> On 1/06/2013 7:40 a.m., Ricardo Klein wrote:
>>>>>>>>>>
>>>>>>>>>> Hi there,
>>>>>>>>>>
>>>>>>>>>> I am trying to build squid on CentOS 6.4 64bits with
>>>>>>>>>> external_acl_helper "ldap_group", but my ./configure log says:
>>>>>>>>>> configure: external acl helper ldap_group ... found but cannot be
>>>>>>>>>> built
>>>>>>>>>> I have fired a bug in the bugtrack, but, if any of you know what
>>>>>>>>>> is wrong, please tell me so I can cancel that bugtracker.
>>>>>>>>>
>>>>>>>>> The script detecting external-acl-helpers entries has a bug
>>>>>>>>> displaying the wrong message for the error. It will report "found
>>>>>>>>> but cannot be built" for both the found and not-found error cases.
>>>>>>>>> In your situation I believe the helpers as named cannot be found at
>>>>>>>>> all due to incorrect ./configure options.
>>>>>>>>>
>>>>>>>>> Details inline with your options...
>>>>>>>>>
>>>>>>>>>> Here is my ./configure options:
>>>>>>>>>> ./configure \
>>>>>>>>>> --prefix=/usr \
>>>>>>>>>> --exec-prefix=/usr \
>>>>>>>>>> --bindir=/usr/bin \
>>>>>>>>>> --sbindir=/usr/sbin \
>>>>>>>>>> --sysconfdir=/etc \
>>>>>>>>>> --datadir=/usr/share \
>>>>>>>>>> --includedir=/usr/include \
>>>>>>>>>> --libdir=/usr/lib64 \
>>>>>>>>>> --libexecdir=/usr/libexec \
>>>>>>>>>> --sharedstatedir=/var/lib \
>>>>>>>>>> --mandir=/usr/share/man \
>>>>>>>>>> --infodir=/usr/share/info \
>>>>>>>>>> --enable-internal-dns \
>>>>>>>>>
>>>>>>>>> internal-dns is enabled by default. You can omit this.
>>>>>>>>>
>>>>>>>>>> --disable-strict-error-checking \
>>>>>>>>>> --exec_prefix=/usr \
>>>>>>>>>> --libexecdir=/usr/lib64/squid \
>>>>>>>>>> --localstatedir=/var \
>>>>>>>>>> --datadir=/usr/share/squid \
>>>>>>>>>> --sysconfdir=/etc/squid \
>>>>>>>>>
>>>>>>>>> You already specified several of the above batch of options
>>>>>>>>> (datadir, sysconfdir, libexecdir) with different values. This may
>>>>>>>>> cause unexpected results when installing.
>>>>>>>>> And "--exec_prefix" does not exist. There is a different
>>>>>>>>> "--exec-prefix" option earlier which will be used ... so more
>>>>>>>>> unexpected results when installing.
>>>>>>>>>
>>>>>>>>>> --with-logdir=$LOCALSTATEDIR/log/squid \
>>>>>>>>>> --with-pidfile=$LOCALSTATEDIR/run/squid.pid \
>>>>>>>>>
>>>>>>>>>> --disable-dependency-tracking \
>>>>>>>>>> --enable-arp-acl \
>>>>>>>>>
>>>>>>>>> "--enable-arp-acl" does not exist. The replacement --enable-eui is
>>>>>>>>> already enabled by default, so all you need do is to remove the
>>>>>>>>> above option.
>>>>>>>>>
>>>>>>>>>> --enable-follow-x-forwarded-for \
>>>>>>>>>> --enable-auth \
>>>>>>>>>
>>>>>>>>> NP: auth is enabled by default, and when omitted will be
>>>>>>>>> auto-enabled by the below helpers options anyway. You can omit
>>>>>>>>> "--enable-auth" entirely.
>>>>>>>>>
>>>>>>>>>> --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,squid_radius_auth
>>>>>>>>>> --enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth \
>>>>>>>>>> --enable-digest-auth-helpers=password,ldap,eDirectory \
>>>>>>>>>> --enable-negotiate-auth-helpers=squid_kerb_auth \
>>>>>>>>>
>>>>>>>>> The auth build options underwent a major change in the squid-3.2
>>>>>>>>> series. --enable-X-auth-helpers options no longer exist.
>>>>>>>>> Squid ./configure script is ignoring the above auth helper options
>>>>>>>>> and using the default versions of the new --enable-auth-X options.
>>>>>>>>>
>>>>>>>>> For example your basic auth helpers line should be:
>>>>>>>>>
>>>>>>>>> --enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,NIS,getpwnam,MSNT-multi-domain,SASL,DB,RADIUS"
>>>>>>>>>
>>>>>>>>>> --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group
>>>>>>>>>
>>>>>>>>> You are not getting build problems with the auth helpers because
>>>>>>>>> the entire configure --enable-* option name changed and the broken
>>>>>>>>> ones above are ignored in favour of the auto-detected helpers.
>>>>>>>>> The external-acl-helpers option however did not change, so you hit
>>>>>>>>> error messages trying to build the differently named helpers.
>>>>>>>>>
>>>>>>>>> Run "ls -1 helpers/*/" to see all the new helper names. Note that
>>>>>>>>> the list here is case sensitive.
>>>>>>>>>
>>>>>>>>>> --enable-cache-digests \
>>>>>>>>>> --enable-cachemgr-hostname=localhost \
>>>>>>>>>> --enable-delay-pools \
>>>>>>>>>> --enable-epoll \
>>>>>>>>>> --enable-icap-client \
>>>>>>>>>> --enable-ident-lookups \
>>>>>>>>>> --enable-linux-netfilter \
>>>>>>>>>> --enable-referer-log \
>>>>>>>>>
>>>>>>>>> --enable-referer-log no longer exists. It is a built-in squid.conf
>>>>>>>>> logformat type instead now.
>>>>>>>>>
>>>>>>>>>> --enable-removal-policies=heap,lru \
>>>>>>>>>> --enable-snmp \
>>>>>>>>>> --enable-ssl \
>>>>>>>>>> --enable-storeio=aufs,diskd,ufs \
>>>>>>>>>
>>>>>>>>> NP: with 3.2 and later you probably want to build "rock" cache type
>>>>>>>>> as well.
>>>>>>>>>
>>>>>>>>>> --enable-useragent-log \
>>>>>>>>>
>>>>>>>>> --enable-useragent-log no longer exists. It is a built-in
>>>>>>>>> squid.conf logformat type instead now.
>>>>>>>>>
>>>>>>>>>> --enable-wccpv2 \
>>>>>>>>>> --enable-esi \
>>>>>>>>>> --with-aio \
>>>>>>>>>> --with-default-user=squid \
>>>>>>>>>> --with-filedescriptors=30000 \
>>>>>>>>>> --with-dl \
>>>>>>>>>> --with-openssl \
>>>>>>>>>> --with-pthreads
>>>>>>>>>
>>>>>>>>> Amos
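
Added example (not part of the thread and not Squid project code): a small lint that applies the points from Amos's reply to a `./configure` argument list, namely removed or misspelled options, the old `--enable-X-auth-helpers` names, options given twice with different values, and case-sensitive external ACL helper names. The function name `lint_configure`, its `known_acl_helpers` parameter and the sample inputs are assumptions made for illustration; in practice the helper names would come from the source tree being built.

```python
import re

# Findings below restate Amos Jeffries' reply in this thread (squid 3.2/3.3).
REMOVED = {
    "--exec_prefix": "does not exist; the option is --exec-prefix",
    "--enable-arp-acl": "does not exist; --enable-eui replaces it (default on)",
    "--enable-referer-log": "no longer exists; built-in squid.conf logformat",
    "--enable-useragent-log": "no longer exists; built-in squid.conf logformat",
}
OLD_AUTH = re.compile(r"^--enable-([a-z]+)-auth-helpers$")

def lint_configure(args, known_acl_helpers):
    """Return (option, finding) pairs for a squid ./configure argument list.
    known_acl_helpers: exact helper names from the source tree (assumed input)."""
    findings, seen = [], {}
    by_lower = {h.lower(): h for h in known_acl_helpers}
    for arg in args:
        name, _, value = arg.partition("=")
        value = value.strip("\"'")
        if name in REMOVED:
            findings.append((name, REMOVED[name]))
        old = OLD_AUTH.match(name)
        if old:
            findings.append((name, "ignored since 3.2; use --enable-auth-" + old.group(1)))
        if name in seen and seen[name] != value:
            findings.append((name, "set twice: %s, then %s" % (seen[name], value)))
        seen[name] = value
        if name == "--enable-external-acl-helpers":
            for helper in value.split(","):
                if helper in known_acl_helpers:
                    continue
                hint = by_lower.get(helper.lower())  # names are case sensitive
                msg = "case differs, use " + hint if hint else "not in helper list"
                findings.append((helper, msg))
    return findings

# Constructed sample: a subset of the options quoted in the thread.
SAMPLE_ARGS = [
    "--exec-prefix=/usr", "--libexecdir=/usr/libexec", "--exec_prefix=/usr",
    "--libexecdir=/usr/lib64/squid", "--enable-arp-acl",
    "--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth",
    "--enable-external-acl-helpers=ip_user,ldap_group,session",
    "--enable-referer-log",
]
# Constructed helper list, copied from the working option line in the thread.
SAMPLE_HELPERS = {"file_userip", "LDAP_group", "kerberos_ldap_group",
                  "session", "unix_group", "wbinfo_group"}

if __name__ == "__main__":
    for option, finding in lint_configure(SAMPLE_ARGS, SAMPLE_HELPERS):
        print("%-32s %s" % (option, finding))
```
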