Re: Squid configuration

2014-12-07 Thread sven falempin
On Sat, Dec 6, 2014 at 9:20 AM, Stuart Henderson s...@spacehopper.org wrote:
 On 2014-12-02, sven falempin sven.falem...@gmail.com wrote:
 Hello,

 I am more or less forced to test Squid.
 OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64

 I have two problems:


 WARNING! Your cache is running out of filedescriptors


 And probably have to read more about ICAP

 suspending ICAP service for too many failures



 My question is about the fds,
 I tried to add

 squid:\
 :openfiles-cur=4096:\
 :tc=daemon:

 Follow the instructions in the pkg-readme exactly and let me know if you
 still have problems. If you want to make adjustments to limits etc then
 do that after trying the suggested configuration.

 In your case you most likely have an invalid config, the openfiles-max
 limit will probably be *lower* than your openfiles-cur. OpenBSD used to
 accept this and use the higher limit, but a couple of releases ago this
 was changed for posix compatibility. The example in the pkg-readme just
 sets openfiles, overriding both -cur and -max.

 into login.conf and did not forget to 'push' it

 # cap_mkdb /etc/login.conf
 # echo $?
 0

 You only have to run cap_mkdb if you already have a login.conf.db file.
 Most people do not use these and just use the plaintext file instead.


And it checks the non space friendly syntax :-)

with openfile

squid:\
:openfiles-cur=4096:\
:openfiles=4096:\
:tc=daemon:

I do not have to do ulimit manually beforehand, but it stops at 1025; I didn't
call setrlimit


root@unicornD # su -l -c squid -s /bin/sh root -c perl /root/fds.pl
perl /rooperl /root/fds.pl 

uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)

ksh: ulimit: Permission denied

Error in tempfile() using template /tmp/XX: Could not create
temp file /tmp/4vncHRQHUt: No locks available at /root/fds.pl line 20.

Count:1025


setrlimit changes nothing:


# cat /root/fds.pl

#!/usr/bin/perl
use warnings;
use strict;
use v5.10;
use POSIX;
use BSD::Resource;
use File::Temp qw/tempfile/;

# drop privileges to the uid given on the command line, or to _squid (515)
if (defined $ARGV[0] and $ARGV[0] =~ /^\d+$/) {
    setuid($ARGV[0]) or die "setuid: $!";
} else {
    setuid(515) or die "setuid: $!";
}
system('id');

# try to raise the descriptor limit after dropping privileges
my $rc = setrlimit(RLIMIT_OPEN_MAX, 4096, 4096);
say 'ok' if ($rc);

# open temp files until it fails, then report how many were open
my @fds = ();
while (0xBAD) {
    my ($fh, $filename) = tempfile();
    last unless $fh;    # tempfile() croaks rather than returning undef
    push @fds, { fd => $fh, n => $filename };
}

# runs even when tempfile() dies, so the count and the cleanup still happen
END {
    say 'Count:' . ($#fds + 1);
    foreach my $fd (@fds) {
        close $fd->{fd};
        unlink $fd->{n};
    }
}



 It looks like it has no effect. Is this the way to go? Do I have to change a
 limit somewhere else?

 Best regards,
 Sven




-- 
-
() ascii ribbon campaign - against html e-mail
/\



Re: Squid configuration

2014-12-07 Thread Stuart Henderson
On 2014/12/07 15:57, sven falempin wrote:
 I do not have to do ulimit manually beforehand, but it stops at 1025; I didn't
 call setrlimit
 
 
 root@unicornD # su -l -c squid -s /bin/sh root -c perl /root/fds.pl
 perl /rooperl /root/fds.pl 
 
 uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
 5(operator), 20(staff), 31(guest)
 
 ksh: ulimit: Permission denied
 
 Error in tempfile() using template /tmp/XX: Could not create
 temp file /tmp/4vncHRQHUt: No locks available at /root/fds.pl line 20.
 
 Count:1025
 
 
 setrlimit change nothing :
 
 

I have no idea what you're trying to do here.

sthen@wc2-pl7:~:669$ tail -5 /etc/login.conf
squid:\
:datasize=infinity:\
:openfiles-max=1:\
:openfiles-cur=6000:\
:tc=default:
sthen@wc2-pl7:~:670$ sudo -c squid sh -c "ulimit -a"
time(cpu-seconds)     unlimited
file(blocks)          unlimited
coredump(blocks)      unlimited
data(kbytes)          33554432
stack(kbytes)         4096
lockedmem(kbytes)     2029690
memory(kbytes)        6087328
nofiles(descriptors)  6000
processes             128



Re: Squid configuration

2014-12-07 Thread sven falempin
On Sun, Dec 7, 2014 at 5:12 PM, Stuart Henderson s...@spacehopper.org wrote:

 I have no idea what you're trying to do here.

opening (tempfile) files to the failure point. then cleaning the mess
END{}, I got 1025 temp file opened then it fails.

Since I run squid after a ulimit or with the class, I didn't get the
fd warnings in the log, but I didn't check how many files were open;
the test with fds.pl probably fails for another reason (No locks available).

Years of using other open source kernels taught me to trust nothing; the
result is the one expected when using

my($fh, $filename) = tempfile('/tmp/X', EXLOCK => 0);

to open files.

Clearly out of the squid subject.

I am on my sslBump issue now.

Thank you for the support :-)






Re: Squid configuration

2014-12-06 Thread Stuart Henderson
On 2014-12-02, sven falempin sven.falem...@gmail.com wrote:
 Hello,

 I am more or less forced to test Squid.
 OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64

 I have two problems:


 WARNING! Your cache is running out of filedescriptors


 And probably have to read more about ICAP

 suspending ICAP service for too many failures



 My question is about the fds,
 I tried to add

 squid:\
 :openfiles-cur=4096:\
 :tc=daemon:

Follow the instructions in the pkg-readme exactly and let me know if you
still have problems. If you want to make adjustments to limits etc then
do that after trying the suggested configuration.

In your case you most likely have an invalid config, the openfiles-max
limit will probably be *lower* than your openfiles-cur. OpenBSD used to
accept this and use the higher limit, but a couple of releases ago this
was changed for posix compatibility. The example in the pkg-readme just
sets openfiles, overriding both -cur and -max.

 into login.conf and did not forget to 'push' it

 # cap_mkdb /etc/login.conf
 # echo $?
 0

You only have to run cap_mkdb if you already have a login.conf.db file.
Most people do not use these and just use the plaintext file instead.

 It looks like it has no effect. Is this the way to go? Do I have to change a
 limit somewhere else?

 Best regards,
 Sven

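An added example, not code from the thread, the squid port or OpenBSD: this POSIX sh script models the two mechanisms discussed in Stuart's message above and in rru's 12-03 reply further down, rc.subr's choice of daemon_class (the class named after the rc script if login.conf has one, else daemon) and login_cap's resolution of a class's openfiles limits through the tc= chain, and it flags the openfiles-cur above openfiles-max case that makes setrlimit fail. The login.conf text, the default/daemon values and the inherited 512/1024 limits are constructed, and the precedence of plain openfiles over -cur/-max follows Stuart's description rather than a reading of the libc source.

```shell
# Added example, not from the thread or the squid port. Assumptions: the
# login.conf text below is constructed (default/daemon values are guesses,
# the two squid stanzas are the ones from the thread; "squid_readme" is a name
# used only so both fit in one file), the inherited limits are made up, plain
# "openfiles" overrides -cur/-max as Stuart states, and tc= is the last
# capability of a record, as in the stock file.
LOGIN_CONF='
default:\
    :openfiles-max=1024:\
    :openfiles-cur=512:
daemon:\
    :openfiles-max=1024:\
    :openfiles-cur=128:\
    :tc=default:
squid:\
    :openfiles-cur=4096:\
    :tc=daemon:
squid_readme:\
    :datasize=1500M:\
    :openfiles=4096:\
    :tc=daemon:
'

# Join continuation lines: one "name:cap:cap:..." record per output line.
lc_records() {
    printf '%s\n' "$LOGIN_CONF" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)
          cont = sub(/\\[ \t]*$/, "", line); rec = rec line
          if (!cont) { print rec; rec = "" } }
        END { if (rec != "") print rec }'
}

# Record of class $1; the exit status mirrors getcap(1) when it is absent.
lc_record() {
    lc_records | awk -F: -v n="$1" '$1 == n { print; found = 1; exit }
                                    END { exit found ? 0 : 1 }'
}

# Capability $2 of class $1: own record first, then each tc= parent in order
# (what cgetcap(3) sees after expansion). $3 is the depth, guarding tc= loops.
lc_get() {
    set -- "$1" "$2" "${3:-0}"
    [ "$3" -lt 16 ] || { echo "tc= loop at class $1" >&2; return 1; }
    rec=$(lc_record "$1") || return 1
    val=$(printf '%s\n' "$rec" | awk -F: -v c="$2" '{
        for (i = 2; i <= NF; i++) {
            if ($i == c) { print "true"; exit }
            if (index($i, c "=") == 1) { print substr($i, length(c) + 2); exit }
        } }')
    [ -n "$val" ] && { printf '%s\n' "$val"; return 0; }
    for parent in $(printf '%s\n' "$rec" | awk -F: '{
            for (i = 2; i <= NF; i++) if (index($i, "tc=") == 1) print substr($i, 4) }'); do
        lc_get "$parent" "$2" $(($3 + 1)) && return 0
    done
    return 1
}

# "soft hard" openfiles limits for class $1, starting from the inherited pair
# $2/$3 (what getrlimit(2) returns before login_cap applies the class).
lc_openfiles() {
    cur=$2; max=$3
    v=$(lc_get "$1" openfiles-cur) && cur=$v
    v=$(lc_get "$1" openfiles-max) && max=$v
    v=$(lc_get "$1" openfiles) && { cur=$v; max=$v; }   # plain form wins
    printf '%s %s\n' "$cur" "$max"
}

# rc.subr's daemon_class: the class named after the rc script, else daemon.
rc_daemon_class() {
    if lc_record "$1" >/dev/null; then printf '%s\n' "$1"; else echo daemon; fi
}

num() { if [ "$1" = infinity ]; then echo 9223372036854775807; else echo "$1"; fi; }

# Fails when soft > hard: setrlimit(2) rejects the pair with EINVAL, login_cap
# logs an error and the process keeps the limits it inherited.
check_openfiles() {
    set -- $(lc_openfiles "$@")
    if [ "$(num "$1")" -gt "$(num "$2")" ]; then
        echo "INVALID: openfiles-cur $1 > openfiles-max $2 (setrlimit EINVAL, limits unchanged)"
        return 1
    fi
    echo "ok: soft $1 hard $2"
}

for s in squid unbound; do echo "rc.d/$s runs under class: $(rc_daemon_class "$s")"; done
for c in squid squid_readme daemon; do check_openfiles "$c" 512 1024 || :; done
```

Run it as is; the first squid stanza reports INVALID (soft 4096 over the hard 1024 inherited through tc=daemon), the pkg-readme stanza reports 4096/4096.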


Re: Squid configuration

2014-12-03 Thread mxb
echo "max_filedescriptors 4096" >> /etc/squid/squid.conf

 On 3 dec 2014, at 04:07, Einfach Jemand rru@gmail.com wrote:
 
 On 03.12.2014 03:55, Steve Shockley wrote:
 On 12/2/2014 8:49 PM, Einfach Jemand wrote:
 
 Hmm, I checked on one of my boxen and there /etc/passwd has
 
 _squid
 ^! Note the underline.
 
 as account for this package, so you probably want
 
 According to the package README:
 
 When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
 ${RCDIR}/squid start) the appropriately-named login class is used
 automatically.
 
 So, the underline shouldn't be necessary.
 
 Yes, I have rechecked and that is correct, no underline/underscore needed.
 
 Directing someone looking for a solution into the wrong direction is no
 good, please accept my apologies.
 
 Bye,
 rru



Re: Squid configuration

2014-12-03 Thread sven falempin
On Tue, Dec 2, 2014 at 8:49 PM, Einfach Jemand rru@gmail.com wrote:

 Hi,

 On 02.12.2014 22:46, sven falempin wrote:
  Hello,
 
  I am more or less forced to test Squid.
  OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
 
  I have two problems:
 
  
  WARNING! Your cache is running out of filedescriptors
 
 
  And probably have to read more about ICAP
  
  suspending ICAP service for too many failures
 
 
 
  My question is about the fds,
  I tried to add
 
  squid:\
  :openfiles-cur=4096:\
  :tc=daemon:
 
  into login.conf and did not forget to 'push' it
 
  # cap_mkdb /etc/login.conf
  # echo $?
  0

 Hmm, I checked on one of my boxen and there /etc/passwd has

 _squid
 ^! Note the underline.

 as account for this package, so you probably want

 _squid:\
 :openfiles-cur=4096:\
 :tc=daemon:

 in /etc/login.conf

  It looks like it has no effect. Is this the way to go? Do I have to change a
  limit somewhere else?
 
  Best regards,
  Sven
 

 HTH
 rru


about _ :

$ grep bgpd /etc/passwd /etc/login.conf

/etc/passwd:_bgpd:*:75:75:BGP Daemon:/var/empty:/sbin/nologin

/etc/login.conf:bgpd:\

Other test:

 Using ulimit -n 4096
my perl script opens 1025 files


# cat /root/fds.pl

#!/usr/bin/perl
use warnings;
use strict;
use v5.10;
use POSIX;
use File::Temp qw/tempfile/;

# drop privileges to the uid given on the command line, or to _squid (515)
if (defined $ARGV[0] and $ARGV[0] =~ /^\d+$/) {
    setuid($ARGV[0]) or die "setuid: $!";
} else {
    setuid(515) or die "setuid: $!";
}
system('id');

# open temp files until it fails, then report how many were open
my @fds = ();
while (0xBAD) {
    my ($fh, $filename) = tempfile();
    last unless $fh;    # but tempfile croaks instead of returning undef
    push @fds, { fd => $fh, n => $filename };
}

# runs even when tempfile() dies, so the count and the cleanup still happen
END {
    say 'Count:' . ($#fds + 1);
    foreach my $fd (@fds) {
        close $fd->{fd};
        unlink $fd->{n};
    }
}



Re: Squid configuration

2014-12-03 Thread sven falempin
On Wed, Dec 3, 2014 at 4:56 AM, mxb m...@alumni.chalmers.se wrote:
 echo "max_filedescriptors 4096" >> /etc/squid/squid.conf

Thanks mxb, but squid has that by default; squidclient mgr:cache
answers 4096 to me





Re: Squid configuration

2014-12-03 Thread sven falempin
On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley
steve.shock...@shockley.net wrote:
 On 12/2/2014 8:49 PM, Einfach Jemand wrote:

 Hmm, I checked on one of my boxen and there /etc/passwd has

 _squid
 ^! Note the underline.

 as account for this package, so you probably want


 According to the package README:

 When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
 ${RCDIR}/squid start) the appropriately-named login class is used
 automatically.

 So, the underline shouldn't be necessary.


The login class would be applied in an rc script? I looked into that:

Is that why the _ goes away?

_name=$(basename $0)
[.. so the name of the rc script is used to get the compiled login.conf info..]
getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
[ but this only prints stuff according to the man page ]

There is an rcexec that forces the usage of the login class

grep rcexec /etc/rc.d/*
unbound uses it, but not squid.

I guess my perl script would have to do a setrlimit after dropping
privilege to open 4096 files.


On the other hand, the class is supposed to be in master.passwd or be the
default:


name User's login name.
password User's encrypted password.
uid User's login user ID.
gid User's login group ID.
class User's general classification (see login.conf(5)).
change Password change time.
expire Account expiration time.
gecos General information about the user.
home_dir User's home directory.
shell User's login shell.


_squid:*:515:515:daemon:0:0:Squid Account:
_bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin


bgpd class is blank, squid is set to daemon.

Is bgpd correctly configured? Is squid using the daemon class? Am I
forced to use BSD::Resource to setrlimit in the perl script to
validate this? Is getcap doing something else than printing?






Re: Squid configuration

2014-12-03 Thread Einfach Jemand
On 03.12.2014 12:59, sven falempin wrote:
 On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley
 steve.shock...@shockley.net wrote:
 On 12/2/2014 8:49 PM, Einfach Jemand wrote:

 Hmm, I checked on one of my boxen and there /etc/passwd has

 _squid
 ^! Note the underline.

 as account for this package, so you probably want


 According to the package README:

 When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
 ${RCDIR}/squid start) the appropriately-named login class is used
 automatically.

 So, the underline shouldn't be necessary.

 
  The login class would be applied in an rc script? I looked into that:
 
 Is that why the _ goes away?
 
 _name=$(basename $0)
 [.. so the name of the rc script is used to get the compiled login.conf info..]
 getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
 [ but this only prints stuff according to the man page ]
 
  There is an rcexec that forces the usage of the login class
 
 grep rcexec /etc/rc.d/*
 unbound uses it, but not squid.
 
 I guess my perl script would have to do a setrlimit after dropping
 privilege to open 4096 files.
 
 
 On the other hand, the class is supposed to be in master.passwd or be the
 default:
 
 
 name User's login name.
 password User's encrypted password.
 uid User's login user ID.
 gid User's login group ID.
 class User's general classification (see login.conf(5)).
 change Password change time.
 expire Account expiration time.
 gecos General information about the user.
 home_dir User's home directory.
 shell User's login shell.
 
 
 _squid:*:515:515:daemon:0:0:Squid Account:
 _bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin
 
 
 bgpd class is blank, squid is set to daemon.
 
 Is bgpd correctly configured ? 

Yes. It has an entry in /etc/login.conf

man rc.subr explains it:

-- quote --
daemon_class  Login class to run the daemon with, using su(1).  This is
  a read only variable that gets set by rc.subr itself.  It
  searches login.conf(5) for a login class that has the
  same name as the rc.d script itself and uses that.  If no
  such login class exists then ``daemon'' will be used.
-- end quote --

 is squid using the daemon class ?

Yes unless you have a stanza for squid in /etc/login.conf .
(And the README for the package advises you to create one)

A test _without_ a stanza for squid in /etc/login.conf and the first
line of /etc/rc.d/squid set to

#!/bin/sh -x

results in

root:/etc/rc.d:28# /etc/rc.d/squid start
+ daemon=/usr/local/sbin/squid
+ daemon_timeout=35
+ . /etc/rc.d/rc.subr
+ [ -n  ]
+ [ -n /usr/local/sbin/squid ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename /etc/rc.d/squid
+ _name=squid
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/squid
+ _rc_do _rc_parse_conf
+ eval _rcflags=${squid_flags}
+ _rcflags=
+ eval _rcuser=${squid_user}
+ _rcuser=
+ eval _rctimeout=${squid_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf squid
+ > /dev/null
+ 2>&1
+ [ -z  ]
+ daemon_class=daemon
+ [ -z  ]
+ daemon_user=root
+ [ -z 35 ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ readonly daemon_class
+ unset _rcflags _rcuser _rctimeout
+ pexp=/usr/local/sbin/squid
+ rcexec=su -l -c daemon -s /bin/sh root -c
+ rc_cmd start
squid(ok)

The same _with_ a stanza for squid in /etc/login.conf gives

root:/etc/rc.d:34# /etc/rc.d/squid start

+ daemon=/usr/local/sbin/squid
+ daemon_timeout=35
+ . /etc/rc.d/rc.subr
+ [ -n  ]
+ [ -n /usr/local/sbin/squid ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename /etc/rc.d/squid
+ _name=squid
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/squid
+ _rc_do _rc_parse_conf
+ eval _rcflags=${squid_flags}
+ _rcflags=
+ eval _rcuser=${squid_user}
+ _rcuser=
+ eval _rctimeout=${squid_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf squid
+ > /dev/null
+ 2>&1
+ daemon_class=squid
+ [ -z squid ]
+ [ -z  ]
+ daemon_user=root
+ [ -z 35 ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ readonly daemon_class
+ unset _rcflags _rcuser _rctimeout
+ pexp=/usr/local/sbin/squid
+ rcexec=su -l -c squid -s /bin/sh root -c
+ rc_cmd start
squid(ok)

 am I forced to use BSD::Resource to setrlimit in the perl script to
 validate this ?
 is getcap doing something else than printing ?

Yes, it returns $? which is used in rc.subr to set the login-class to
daemon when there is no service-specific stanza in /etc/login.conf

HTH
rru



Re: Squid configuration

2014-12-03 Thread sven falempin
On Wed, Dec 3, 2014 at 4:11 PM, Einfach Jemand rru@gmail.com wrote:
 am I forced to use BSD::Resource to setrlimit in the perl script to
 validate this ?
 is getcap doing something else than printing ?

 Yes, it returns $? which is used in rc.subr to set the login-class to
 daemon when there is no service-specific stanza in /etc/login.conf

 HTH
 rru


I understand now

The answer to the BSD::Resource question is apparently yes

# su -l -c squid -s  /bin/sh root -c perl /root/fds.pl
uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)
ksh: ulimit: Permission denied
Error in tempfile() using template /tmp/XX: Could not create
temp file /tmp/f7PQGePzoX: Too many open files at /root/fds.pl line
20.
Count:125



Re: Squid configuration

2014-12-02 Thread Einfach Jemand
Hi,

On 02.12.2014 22:46, sven falempin wrote:
 Hello,
 
 I am more or less forced to test Squid.
 OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
 
 I have two problems:
 
 
 WARNING! Your cache is running out of filedescriptors

 
 And probably have to read more about ICAP
 
 suspending ICAP service for too many failures

 
 
 My question is about the fds,
 I tried to add
 
 squid:\
 :openfiles-cur=4096:\
 :tc=daemon:
 
 into login.conf and did not forget to 'push' it
 
 # cap_mkdb /etc/login.conf
 # echo $?
 0

Hmm, I checked on one of my boxen and there /etc/passwd has

_squid
^! Note the underline.

as account for this package, so you probably want

_squid:\
:openfiles-cur=4096:\
:tc=daemon:

in /etc/login.conf

 It looks like it has no effect. Is this the way to go? Do I have to change a
 limit somewhere else?
 
 Best regards,
 Sven
 

HTH
rru



Re: Squid configuration

2014-12-02 Thread Libertas

On 12/02/2014 08:49 PM, Einfach Jemand wrote:
 Hmm, I checked on one of my boxen and there /etc/passwd has
 
 _squid ^! Note the underline.
 
 as account for this package, so you probably want
 
 _squid:\

I'm pretty sure it's supposed to be 'squid', as the daemon name is
supposed to be used. The example given in 5.6's default
/etc/login.conf uses 'bgpd', despite the fact that bgpd runs as the
user '_bgpd'.

Sven, make sure the syntax is identical to that of the bgpd example.
It'd probably be easiest just to duplicate it and replace what you
need to. Things like using spaces rather than tabs can easily cause
silent errors.



Re: Squid configuration

2014-12-02 Thread Steve Shockley

On 12/2/2014 4:46 PM, sven falempin wrote:


WARNING! Your cache is running out of filedescriptors




I have Squid on 5.4 amd64, which may or may not be the same.


And probably have to read more about ICAP

suspending ICAP service for too many failures




Do you need ICAP?  I think it's primarily for web filtering or virus/DLP 
scans.




My question is about the fds,
I tried to add

squid:\
 :openfiles-cur=4096:\
 :tc=daemon:

into login.conf


Is there a reason you chose a different config than suggested in the 
port README?


squid:\
:datasize=1500M:\
:openfiles=4096:\
:tc=daemon:

Does setting openfiles-cur also increase openfiles-max if it's not 
specified?  Based on http://marc.info/?l=openbsd-misc&m=140698839413081, 
it appears not.




Re: Squid configuration

2014-12-02 Thread Steve Shockley

On 12/2/2014 8:49 PM, Einfach Jemand wrote:


Hmm, I checked on one of my boxen and there /etc/passwd has

_squid
^! Note the underline.

as account for this package, so you probably want


According to the package README:

When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
${RCDIR}/squid start) the appropriately-named login class is used
automatically.

So, the underline shouldn't be necessary.



Re: Squid configuration

2014-12-02 Thread Einfach Jemand
On 03.12.2014 03:55, Steve Shockley wrote:
 On 12/2/2014 8:49 PM, Einfach Jemand wrote:
 
 Hmm, I checked on one of my boxen and there /etc/passwd has

 _squid
 ^! Note the underline.

 as account for this package, so you probably want
 
 According to the package README:
 
 When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
 ${RCDIR}/squid start) the appropriately-named login class is used
 automatically.
 
 So, the underline shouldn't be necessary.

Yes, I have rechecked and that is correct, no underline/underscore needed.

Directing someone looking for a solution into the wrong direction is no
good, please accept my apologies.

Bye,
rru