Re: Squid configuration
On Sat, Dec 6, 2014 at 9:20 AM, Stuart Henderson s...@spacehopper.org wrote:
> On 2014-12-02, sven falempin sven.falem...@gmail.com wrote:
>> Hello, I am more or less forced to test Squid.
>> OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
>> I have two problems:
>> WARNING! Your cache is running out of filedescriptors
>> And probably have to read more about ICAP
>> suspending ICAP service for too many failures
>> My question is about the fds, i tried to add
>> squid:\
>>     :openfiles-cur=4096:\
>>     :tc=daemon:
>
> Follow the instructions in the pkg-readme exactly and let me know if you still have problems. If you want to make adjustments to limits etc then do that after trying the suggested configuration.
>
> In your case you most likely have an invalid config, the openfiles-max limit will probably be *lower* than your openfiles-cur. OpenBSD used to accept this and use the higher limit, but a couple of releases ago this was changed for posix compatibility. The example in the pkg-readme just sets openfiles, overriding both -cur and -max.
>
>> into login.conf and did not forget to 'push' it
>> # cap_mkdb /etc/login.conf
>> # echo $?
>> 0
>
> You only have to run cap_mkdb if you already have a login.conf.db file. Most people do not use these and just use the plaintext file instead.

And it checks the non space friendly syntax :-)

with openfile

squid:\
    :openfiles-cur=4096:\
    :openfiles=4096:\
    :tc=daemon:

I do not have to do ulimit manually before but stop at 1025, I didn't call setrlimit

root@unicornD # su -l -c squid -s /bin/sh root -c perl /root/fds.pl
perl /rooperl /root/fds.pl
uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
ksh: ulimit: Permission denied
Error in tempfile() using template /tmp/XX: Could not create temp file /tmp/4vncHRQHUt: No locks available at /root/fds.pl line 20.
Count:1025

setrlimit change nothing :

# cat /root/fds.pl
#!/usr/bin/perl
use warnings;
use strict;
use v5.10;
use POSIX;
use BSD::Resource;
use File::Temp qw/tempfile/;
if (defined $ARGV[0] and $ARGV[0] =~ /^\d+$/) {
    setuid($ARGV[0]);
} else {
    setuid(515);
}
system('id');
my $rc = setrlimit(RLIMIT_OPEN_MAX, 4096, 4096);
say 'ok' if ($rc);
my @fds = ();
while (0xBAD) {
    my ($fh, $filename) = tempfile();
    last unless $fh;
    push @fds, { fd => $fh, n => $filename };
}
END {
    say 'Count:' . ($#fds + 1);
    foreach my $fd (@fds) {
        close $fd->{fd};
        unlink $fd->{n};
    }
}

>> It looks like it has no effect.
>> Is this the way to go ? have I to change a limit somewhere else ?
>> Best regards,
>> Sven

--
() ascii ribbon campaign - against html e-mail
/\
Re: Squid configuration
On 2014/12/07 15:57, sven falempin wrote:
> On Sat, Dec 6, 2014 at 9:20 AM, Stuart Henderson s...@spacehopper.org wrote:
>> On 2014-12-02, sven falempin sven.falem...@gmail.com wrote:
>>> Hello, I am more or less forced to test Squid.
>>> OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
>>> I have two problems:
>>> WARNING! Your cache is running out of filedescriptors
>>> And probably have to read more about ICAP
>>> suspending ICAP service for too many failures
>>> My question is about the fds, i tried to add
>>> squid:\
>>>     :openfiles-cur=4096:\
>>>     :tc=daemon:
>>
>> Follow the instructions in the pkg-readme exactly and let me know if you still have problems. If you want to make adjustments to limits etc then do that after trying the suggested configuration.
>>
>> In your case you most likely have an invalid config, the openfiles-max limit will probably be *lower* than your openfiles-cur. OpenBSD used to accept this and use the higher limit, but a couple of releases ago this was changed for posix compatibility. The example in the pkg-readme just sets openfiles, overriding both -cur and -max.
>>
>>> into login.conf and did not forget to 'push' it
>>> # cap_mkdb /etc/login.conf
>>> # echo $?
>>> 0
>>
>> You only have to run cap_mkdb if you already have a login.conf.db file. Most people do not use these and just use the plaintext file instead.
>
> And it checks the non space friendly syntax :-)
>
> with openfile
>
> squid:\
>     :openfiles-cur=4096:\
>     :openfiles=4096:\
>     :tc=daemon:
>
> I do not have to do ulimit manually before but stop at 1025, I didn't call setrlimit
>
> root@unicornD # su -l -c squid -s /bin/sh root -c perl /root/fds.pl
> perl /rooperl /root/fds.pl
> uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
> ksh: ulimit: Permission denied
> Error in tempfile() using template /tmp/XX: Could not create temp file /tmp/4vncHRQHUt: No locks available at /root/fds.pl line 20.
> Count:1025
>
> setrlimit change nothing :
>
> # cat /root/fds.pl
> #!/usr/bin/perl
> use warnings;
> use strict;
> use v5.10;
> use POSIX;
> use BSD::Resource;
> use File::Temp qw/tempfile/;
> if (defined $ARGV[0] and $ARGV[0] =~ /^\d+$/) {
>     setuid($ARGV[0]);
> } else {
>     setuid(515);
> }
> system('id');
> my $rc = setrlimit(RLIMIT_OPEN_MAX, 4096, 4096);
> say 'ok' if ($rc);
> my @fds = ();
> while (0xBAD) {
>     my ($fh, $filename) = tempfile();
>     last unless $fh;
>     push @fds, { fd => $fh, n => $filename };
> }
> END {
>     say 'Count:' . ($#fds + 1);
>     foreach my $fd (@fds) {
>         close $fd->{fd};
>         unlink $fd->{n};
>     }
> }
>
>>> It looks like it has no effect.
>>> Is this the way to go ? have I to change a limit somewhere else ?
>>> Best regards,
>>> Sven
>
> --
> () ascii ribbon campaign - against html e-mail
> /\

I have no idea what you're trying to do here.

sthen@wc2-pl7:~:669$ tail -5 /etc/login.conf
squid:\
    :datasize=infinity:\
    :openfiles-max=1:\
    :openfiles-cur=6000:\
    :tc=default:
sthen@wc2-pl7:~:670$ sudo -c squid sh -c ulimit -a
time(cpu-seconds)    unlimited
file(blocks)         unlimited
coredump(blocks)     unlimited
data(kbytes)         33554432
stack(kbytes)        4096
lockedmem(kbytes)    2029690
memory(kbytes)       6087328
nofiles(descriptors) 6000
processes            128
Re: Squid configuration
On Sun, Dec 7, 2014 at 5:12 PM, Stuart Henderson s...@spacehopper.org wrote:
> On 2014/12/07 15:57, sven falempin wrote:
>> On Sat, Dec 6, 2014 at 9:20 AM, Stuart Henderson s...@spacehopper.org wrote:
>>> On 2014-12-02, sven falempin sven.falem...@gmail.com wrote:
>>>> Hello, I am more or less forced to test Squid.
>>>> OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
>>>> I have two problems:
>>>> WARNING! Your cache is running out of filedescriptors
>>>> And probably have to read more about ICAP
>>>> suspending ICAP service for too many failures
>>>> My question is about the fds, i tried to add
>>>> squid:\
>>>>     :openfiles-cur=4096:\
>>>>     :tc=daemon:
>>>
>>> Follow the instructions in the pkg-readme exactly and let me know if you still have problems. If you want to make adjustments to limits etc then do that after trying the suggested configuration.
>>>
>>> In your case you most likely have an invalid config, the openfiles-max limit will probably be *lower* than your openfiles-cur. OpenBSD used to accept this and use the higher limit, but a couple of releases ago this was changed for posix compatibility. The example in the pkg-readme just sets openfiles, overriding both -cur and -max.
>>>
>>>> into login.conf and did not forget to 'push' it
>>>> # cap_mkdb /etc/login.conf
>>>> # echo $?
>>>> 0
>>>
>>> You only have to run cap_mkdb if you already have a login.conf.db file. Most people do not use these and just use the plaintext file instead.
>>
>> And it checks the non space friendly syntax :-)
>>
>> with openfile
>>
>> squid:\
>>     :openfiles-cur=4096:\
>>     :openfiles=4096:\
>>     :tc=daemon:
>>
>> I do not have to do ulimit manually before but stop at 1025, I didn't call setrlimit
>>
>> root@unicornD # su -l -c squid -s /bin/sh root -c perl /root/fds.pl
>> perl /rooperl /root/fds.pl
>> uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
>> ksh: ulimit: Permission denied
>> Error in tempfile() using template /tmp/XX: Could not create temp file /tmp/4vncHRQHUt: No locks available at /root/fds.pl line 20.
>> Count:1025
>>
>> setrlimit change nothing :
>>
>> # cat /root/fds.pl
>> #!/usr/bin/perl
>> use warnings;
>> use strict;
>> use v5.10;
>> use POSIX;
>> use BSD::Resource;
>> use File::Temp qw/tempfile/;
>> if (defined $ARGV[0] and $ARGV[0] =~ /^\d+$/) {
>>     setuid($ARGV[0]);
>> } else {
>>     setuid(515);
>> }
>> system('id');
>> my $rc = setrlimit(RLIMIT_OPEN_MAX, 4096, 4096);
>> say 'ok' if ($rc);
>> my @fds = ();
>> while (0xBAD) {
>>     my ($fh, $filename) = tempfile();
>>     last unless $fh;
>>     push @fds, { fd => $fh, n => $filename };
>> }
>> END {
>>     say 'Count:' . ($#fds + 1);
>>     foreach my $fd (@fds) {
>>         close $fd->{fd};
>>         unlink $fd->{n};
>>     }
>> }
>>
>>>> It looks like it has no effect.
>>>> Is this the way to go ? have I to change a limit somewhere else ?
>>>> Best regards,
>>>> Sven
>>
>> --
>> () ascii ribbon campaign - against html e-mail
>> /\
>
> I have no idea what you're trying to do here.

opening (tempfile) files to the failure point. then cleaning the mess END{}, I got 1025 temp file opened then it fails.

Since I run squid after a ulimit or with the class, I didn't get the fd warnings in log, but I didn't check how many files were open, the test with fds.pl probably fails for another reason (No locks available).

Years using other opensource kernel learn me to trust nothing , the result is the one expected when using

my($fh, $filename) = tempfile('/tmp/X',EXLOCK => 0);

to open files.

Clearly out of the squid subject. I am on my sslBump issue now.

Thank you for the support :-)

> sthen@wc2-pl7:~:669$ tail -5 /etc/login.conf
> squid:\
>     :datasize=infinity:\
>     :openfiles-max=1:\
>     :openfiles-cur=6000:\
>     :tc=default:
> sthen@wc2-pl7:~:670$ sudo -c squid sh -c ulimit -a
> time(cpu-seconds)    unlimited
> file(blocks)         unlimited
> coredump(blocks)     unlimited
> data(kbytes)         33554432
> stack(kbytes)        4096
> lockedmem(kbytes)    2029690
> memory(kbytes)       6087328
> nofiles(descriptors) 6000
> processes            128

--
() ascii ribbon campaign - against html e-mail
/\
Re: Squid configuration
On 2014-12-02, sven falempin sven.falem...@gmail.com wrote:
> Hello, I am more or less forced to test Squid.
> OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
> I have two problems:
> WARNING! Your cache is running out of filedescriptors
> And probably have to read more about ICAP
> suspending ICAP service for too many failures
> My question is about the fds, i tried to add
> squid:\
>     :openfiles-cur=4096:\
>     :tc=daemon:

Follow the instructions in the pkg-readme exactly and let me know if you still have problems. If you want to make adjustments to limits etc then do that after trying the suggested configuration.

In your case you most likely have an invalid config, the openfiles-max limit will probably be *lower* than your openfiles-cur. OpenBSD used to accept this and use the higher limit, but a couple of releases ago this was changed for posix compatibility. The example in the pkg-readme just sets openfiles, overriding both -cur and -max.

> into login.conf and did not forget to 'push' it
> # cap_mkdb /etc/login.conf
> # echo $?
> 0

You only have to run cap_mkdb if you already have a login.conf.db file. Most people do not use these and just use the plaintext file instead.

> It looks like it has no effect.
> Is this the way to go ? have I to change a limit somewhere else ?
> Best regards,
> Sven
Re: Squid configuration
echo "max_filedescriptors 4096" >> /etc/squid/squid.conf

On 3 dec 2014, at 04:07, Einfach Jemand rru@gmail.com wrote:
> On 03.12.2014 03:55, Steve Shockley wrote:
>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>> _squid
>>> ^! Note the underline.
>>> as account for this package, so you probably want
>>
>> According to the package README:
>>
>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from ${RCDIR}/squid start) the appropriately-named login class is used automatically.
>>
>> So, the underline shouldn't be necessary.
>
> Yes, I have rechecked and that is correct, no underline/underscore needed.
> Directing someone looking for a solution into the wrong direction is no good, please accept my apologies.
>
> Bye,
> rru
Re: Squid configuration
On Tue, Dec 2, 2014 at 8:49 PM, Einfach Jemand rru@gmail.com wrote:
> Hi,
>
> On 02.12.2014 22:46, sven falempin wrote:
>> Hello, I am more or less forced to test Squid.
>> OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
>> I have two problems:
>> WARNING! Your cache is running out of filedescriptors
>> And probably have to read more about ICAP
>> suspending ICAP service for too many failures
>> My question is about the fds, i tried to add
>> squid:\
>>     :openfiles-cur=4096:\
>>     :tc=daemon:
>> into login.conf and did not forget to 'push' it
>> # cap_mkdb /etc/login.conf
>> # echo $?
>> 0
>
> Hmm, I checked on one of my boxen and there /etc/passwd has
> _squid
> ^! Note the underline.
> as account for this package, so you probably want
>
> _squid:\
>     :openfiles-cur=4096:\
>     :tc=daemon:
>
> in /etc/login.conf
>
>> It looks like it has no effect.
>> Is this the way to go ? have I to change a limit somewhere else ?
>> Best regards,
>> Sven
>
> HTH
> rru

about _ :

$ grep bgpd /etc/passwd /etc/login.conf
/etc/passwd:_bgpd:*:75:75:BGP Daemon:/var/empty:/sbin/nologin
/etc/login.conf:bgpd:\

Other test:
Using ulimit -n 4096 my perl script open 1025 file

# cat /root/fds.pl
#!/usr/bin/perl
use warnings;
use strict;
use v5.10;
use POSIX;
use File::Temp qw/tempfile/;
if (defined $ARGV[0] and $ARGV[0] =~ /^\d+$/) {
    setuid($ARGV[0]);
} else {
    setuid(515);
}
system('id');
my @fds = ();
while (0xBAD) {
    my ($fh, $filename) = tempfile();
    last unless $fh; #but tempfile croak
    push @fds, { fd => $fh, n => $filename };
}
END {
    say 'Count:' . ($#fds + 1);
    foreach my $fd (@fds) {
        close $fd->{fd};
        unlink $fd->{n};
    }
}
Re: Squid configuration
On Wed, Dec 3, 2014 at 4:56 AM, mxb m...@alumni.chalmers.se wrote:
> echo "max_filedescriptors 4096" >> /etc/squid/squid.conf

Thanks mxb, but squid got that by default , squidclient mgr:cache answer 4096 to me

> On 3 dec 2014, at 04:07, Einfach Jemand rru@gmail.com wrote:
>> On 03.12.2014 03:55, Steve Shockley wrote:
>>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>> _squid
>>>> ^! Note the underline.
>>>> as account for this package, so you probably want
>>>
>>> According to the package README:
>>>
>>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from ${RCDIR}/squid start) the appropriately-named login class is used automatically.
>>>
>>> So, the underline shouldn't be necessary.
>>
>> Yes, I have rechecked and that is correct, no underline/underscore needed.
>> Directing someone looking for a solution into the wrong direction is no good, please accept my apologies.
>>
>> Bye,
>> rru

--
() ascii ribbon campaign - against html e-mail
/\
Re: Squid configuration
On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley steve.shock...@shockley.net wrote:
> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>> Hmm, I checked on one of my boxen and there /etc/passwd has
>> _squid
>> ^! Note the underline.
>> as account for this package, so you probably want
>
> According to the package README:
>
> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from ${RCDIR}/squid start) the appropriately-named login class is used automatically.
>
> So, the underline shouldn't be necessary.

The login would be apply in a rc script ?

I looked into that : is that why the _ goes away ?

_name=$(basename $0)
[.. so name of the rc script is sed to get compiled login.conf info..]
getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
[ but this only print stuff according to man page ]

There is a rcexec that force the usage of the login class

grep rcexec /etc/rc.d/*

unbound use it, but not squid.

I guess my perl script would have to do a strlimit after dropping privilege to open 4096 files.

On the other hand, the class is supposed to be in master.passwd or be to default:

name      User's login name.
password  User's encrypted password.
uid       User's login user ID.
gid       User's login group ID.
class     User's general classification (see login.conf(5)).
change    Password change time.
expire    Account expiration time.
gecos     General information about the user.
home_dir  User's home directory.
shell     User's login shell.

_squid:*:515:515:daemon:0:0:Squid Account:
_bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin

bgpd class is blank, squid is set to daemon.

Is bgpd correctly configured ?
is squid using the daemon class ?
am I forced to use BSD::resources to strlimit in the perl script to validate this ?
is getcap doing something else than printing ?

--
() ascii ribbon campaign - against html e-mail
/\
Re: Squid configuration
On 03.12.2014 12:59, sven falempin wrote:
> On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley steve.shock...@shockley.net wrote:
>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>> _squid
>>> ^! Note the underline.
>>> as account for this package, so you probably want
>>
>> According to the package README:
>>
>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from ${RCDIR}/squid start) the appropriately-named login class is used automatically.
>>
>> So, the underline shouldn't be necessary.
>
> The login would be apply in a rc script ?
>
> I looked into that : is that why the _ goes away ?
>
> _name=$(basename $0)
> [.. so name of the rc script is sed to get compiled login.conf info..]
> getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
> [ but this only print stuff according to man page ]
>
> There is a rcexec that force the usage of the login class
>
> grep rcexec /etc/rc.d/*
>
> unbound use it, but not squid.
>
> I guess my perl script would have to do a strlimit after dropping privilege to open 4096 files.
>
> On the other hand, the class is supposed to be in master.passwd or be to default:
>
> name      User's login name.
> password  User's encrypted password.
> uid       User's login user ID.
> gid       User's login group ID.
> class     User's general classification (see login.conf(5)).
> change    Password change time.
> expire    Account expiration time.
> gecos     General information about the user.
> home_dir  User's home directory.
> shell     User's login shell.
>
> _squid:*:515:515:daemon:0:0:Squid Account:
> _bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin
>
> bgpd class is blank, squid is set to daemon.
>
> Is bgpd correctly configured ?

Yes. It has an entry in /etc/login.conf

man rc.subr explains it:

-- quote --
daemon_class
    Login class to run the daemon with, using su(1). This is a read only variable that gets set by rc.subr itself. It searches login.conf(5) for a login class that has the same name as the rc.d script itself and uses that. If no such login class exists then ``daemon'' will be used.
-- end quote --

> is squid using the daemon class ?

Yes unless you have a stanza for squid in /etc/login.conf . (And the README for the package advises you to create one)

A test _without_ a stanza for squid in /etc/login.conf and the first line of /etc/rc.d/squid set to

#!/bin/sh -x

results in

root:/etc/rc.d:28# /etc/rc.d/squid start
+ daemon=/usr/local/sbin/squid
+ daemon_timeout=35
+ . /etc/rc.d/rc.subr
+ [ -n ]
+ [ -n /usr/local/sbin/squid ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename /etc/rc.d/squid
+ _name=squid
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/squid
+ _rc_do _rc_parse_conf
+ eval _rcflags=${squid_flags}
+ _rcflags=
+ eval _rcuser=${squid_user}
+ _rcuser=
+ eval _rctimeout=${squid_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf squid
+ > /dev/null
+ 2>&1
+ [ -z ]
+ daemon_class=daemon
+ [ -z ]
+ daemon_user=root
+ [ -z 35 ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ readonly daemon_class
+ unset _rcflags _rcuser _rctimeout
+ pexp=/usr/local/sbin/squid
+ rcexec=su -l -c daemon -s /bin/sh root -c
+ rc_cmd start
squid(ok)

The same _with_ a stanza for squid in /etc/login.conf gives

root:/etc/rc.d:34# /etc/rc.d/squid start
+ daemon=/usr/local/sbin/squid
+ daemon_timeout=35
+ . /etc/rc.d/rc.subr
+ [ -n ]
+ [ -n /usr/local/sbin/squid ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename /etc/rc.d/squid
+ _name=squid
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/squid
+ _rc_do _rc_parse_conf
+ eval _rcflags=${squid_flags}
+ _rcflags=
+ eval _rcuser=${squid_user}
+ _rcuser=
+ eval _rctimeout=${squid_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf squid
+ > /dev/null
+ 2>&1
+ daemon_class=squid
+ [ -z squid ]
+ [ -z ]
+ daemon_user=root
+ [ -z 35 ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ readonly daemon_class
+ unset _rcflags _rcuser _rctimeout
+ pexp=/usr/local/sbin/squid
+ rcexec=su -l -c squid -s /bin/sh root -c
+ rc_cmd start
squid(ok)

> am I forced to use BSD::resources to strlimit in the perl script to validate this ?
> is getcap doing something else than printing ?

Yes, it returns $? which is used in rc.subr to set the login-class to daemon when there is no service-specific stanza in /etc/login.conf

HTH
rru
Re: Squid configuration
On Wed, Dec 3, 2014 at 4:11 PM, Einfach Jemand rru@gmail.com wrote:
> On 03.12.2014 12:59, sven falempin wrote:
>> On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley steve.shock...@shockley.net wrote:
>>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>> _squid
>>>> ^! Note the underline.
>>>> as account for this package, so you probably want
>>>
>>> According to the package README:
>>>
>>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from ${RCDIR}/squid start) the appropriately-named login class is used automatically.
>>>
>>> So, the underline shouldn't be necessary.
>>
>> The login would be apply in a rc script ?
>>
>> I looked into that : is that why the _ goes away ?
>>
>> _name=$(basename $0)
>> [.. so name of the rc script is sed to get compiled login.conf info..]
>> getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
>> [ but this only print stuff according to man page ]
>>
>> There is a rcexec that force the usage of the login class
>>
>> grep rcexec /etc/rc.d/*
>>
>> unbound use it, but not squid.
>>
>> I guess my perl script would have to do a strlimit after dropping privilege to open 4096 files.
>>
>> On the other hand, the class is supposed to be in master.passwd or be to default:
>>
>> name      User's login name.
>> password  User's encrypted password.
>> uid       User's login user ID.
>> gid       User's login group ID.
>> class     User's general classification (see login.conf(5)).
>> change    Password change time.
>> expire    Account expiration time.
>> gecos     General information about the user.
>> home_dir  User's home directory.
>> shell     User's login shell.
>>
>> _squid:*:515:515:daemon:0:0:Squid Account:
>> _bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin
>>
>> bgpd class is blank, squid is set to daemon.
>>
>> Is bgpd correctly configured ?
>
> Yes. It has an entry in /etc/login.conf
>
> man rc.subr explains it:
>
> -- quote --
> daemon_class
>     Login class to run the daemon with, using su(1). This is a read only variable that gets set by rc.subr itself. It searches login.conf(5) for a login class that has the same name as the rc.d script itself and uses that. If no such login class exists then ``daemon'' will be used.
> -- end quote --
>
>> is squid using the daemon class ?
>
> Yes unless you have a stanza for squid in /etc/login.conf . (And the README for the package advises you to create one)
>
> A test _without_ a stanza for squid in /etc/login.conf and the first line of /etc/rc.d/squid set to
>
> #!/bin/sh -x
>
> results in
>
> root:/etc/rc.d:28# /etc/rc.d/squid start
> + daemon=/usr/local/sbin/squid
> + daemon_timeout=35
> + . /etc/rc.d/rc.subr
> + [ -n ]
> + [ -n /usr/local/sbin/squid ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + basename /etc/rc.d/squid
> + _name=squid
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/squid
> + _rc_do _rc_parse_conf
> + eval _rcflags=${squid_flags}
> + _rcflags=
> + eval _rcuser=${squid_user}
> + _rcuser=
> + eval _rctimeout=${squid_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf squid
> + > /dev/null
> + 2>&1
> + [ -z ]
> + daemon_class=daemon
> + [ -z ]
> + daemon_user=root
> + [ -z 35 ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + readonly daemon_class
> + unset _rcflags _rcuser _rctimeout
> + pexp=/usr/local/sbin/squid
> + rcexec=su -l -c daemon -s /bin/sh root -c
> + rc_cmd start
> squid(ok)
>
> The same _with_ a stanza for squid in /etc/login.conf gives
>
> root:/etc/rc.d:34# /etc/rc.d/squid start
> + daemon=/usr/local/sbin/squid
> + daemon_timeout=35
> + . /etc/rc.d/rc.subr
> + [ -n ]
> + [ -n /usr/local/sbin/squid ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + basename /etc/rc.d/squid
> + _name=squid
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/squid
> + _rc_do _rc_parse_conf
> + eval _rcflags=${squid_flags}
> + _rcflags=
> + eval _rcuser=${squid_user}
> + _rcuser=
> + eval _rctimeout=${squid_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf squid
> + > /dev/null
> + 2>&1
> + daemon_class=squid
> + [ -z squid ]
> + [ -z ]
> + daemon_user=root
> + [ -z 35 ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + readonly daemon_class
> + unset _rcflags _rcuser _rctimeout
> + pexp=/usr/local/sbin/squid
> + rcexec=su -l -c squid -s /bin/sh root -c
> + rc_cmd start
> squid(ok)
>
>> am I forced to use BSD::resources to strlimit in the perl script to validate this ?
>> is getcap doing something else than printing ?
>
> Yes, it returns $? which is used in rc.subr to set the login-class to daemon when there is no service-specific stanza in /etc/login.conf
>
> HTH
> rru

I understand now

the answer to the BSD::resources is yes apparently

# su -l -c squid -s /bin/sh root -c perl /root/fds.pl
uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
ksh: ulimit: Permission denied
Error in tempfile() using template /tmp/XX: Could not create temp file /tmp/f7PQGePzoX: Too many open files at /root/fds.pl line 20.
Count:125

--
Re: Squid configuration
Hi,

On 02.12.2014 22:46, sven falempin wrote:
> Hello, I am more or less forced to test Squid.
> OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
> I have two problems:
> WARNING! Your cache is running out of filedescriptors
> And probably have to read more about ICAP
> suspending ICAP service for too many failures
> My question is about the fds, i tried to add
> squid:\
>     :openfiles-cur=4096:\
>     :tc=daemon:
> into login.conf and did not forget to 'push' it
> # cap_mkdb /etc/login.conf
> # echo $?
> 0

Hmm, I checked on one of my boxen and there /etc/passwd has
_squid
^! Note the underline.
as account for this package, so you probably want

_squid:\
    :openfiles-cur=4096:\
    :tc=daemon:

in /etc/login.conf

> It looks like it has no effect.
> Is this the way to go ? have I to change a limit somewhere else ?
> Best regards,
> Sven

HTH
rru
Re: Squid configuration
On 12/02/2014 08:49 PM, Einfach Jemand wrote:
> Hmm, I checked on one of my boxen and there /etc/passwd has
> _squid
> ^! Note the underline.
> as account for this package, so you probably want
> _squid:\

I'm pretty sure it's supposed to be 'squid', as the daemon name is supposed to be used. The example given in 5.6's default /etc/login.conf uses 'bgpd', despite the fact that bgpd runs as the user '_bgpd'.

Sven, make sure the syntax is identical to that of the bgpd example. It'd probably be easiest just to duplicate it and replace what you need to. Things like using spaces rather than tabs can easily cause silent errors.
Re: Squid configuration
On 12/2/2014 4:46 PM, sven falempin wrote:
> WARNING! Your cache is running out of filedescriptors

I have Squid on 5.4 amd64, which may or may not be the same.

> And probably have to read more about ICAP
> suspending ICAP service for too many failures

Do you need ICAP? I think it's primarily for web filtering or virus/DLP scans.

> My question is about the fds, i tried to add
> squid:\
>     :openfiles-cur=4096:\
>     :tc=daemon:
> into login.conf

Is there a reason you chose a different config than suggested in the port README?

squid:\
    :datasize=1500M:\
    :openfiles=4096:\
    :tc=daemon:

Does setting openfiles-cur also increase openfiles-max if it's not specified? Based on http://marc.info/?l=openbsd-misc&m=140698839413081, it appears not.
Re: Squid configuration
On 12/2/2014 8:49 PM, Einfach Jemand wrote:
> Hmm, I checked on one of my boxen and there /etc/passwd has
> _squid
> ^! Note the underline.
> as account for this package, so you probably want

According to the package README:

When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from ${RCDIR}/squid start) the appropriately-named login class is used automatically.

So, the underline shouldn't be necessary.
Re: Squid configuration
On 03.12.2014 03:55, Steve Shockley wrote:
> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>> Hmm, I checked on one of my boxen and there /etc/passwd has
>> _squid
>> ^! Note the underline.
>> as account for this package, so you probably want
>
> According to the package README:
>
> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from ${RCDIR}/squid start) the appropriately-named login class is used automatically.
>
> So, the underline shouldn't be necessary.

Yes, I have rechecked and that is correct, no underline/underscore needed.
Directing someone looking for a solution into the wrong direction is no good, please accept my apologies.

Bye,
rru
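
Added example, not part of the thread and not OpenBSD's own code: a small model of the two rules discussed above, the rc.subr choice of login class (class named after the rc.d script, else `daemon`) and how `openfiles`, `openfiles-cur` and `openfiles-max` combine into a soft/hard limit pair. The stanza values for `default` and `daemon`, the inherited limits `(128, 1024)`, and the rule that a bare `openfiles` listed first overrides later `-cur`/`-max` entries are assumptions made for the illustration.

```python
import re

# Constructed login.conf fragments, modelled on the stanzas quoted in the thread.
# Indentation is shown with spaces here; this parser ignores leading whitespace.
BASE = r"""
default:\
    :openfiles-cur=512:

daemon:\
    :openfiles-cur=128:\
    :tc=default:
"""
CUR_ONLY = r"""
squid:\
    :openfiles-cur=4096:\
    :tc=daemon:
"""
README_STYLE = r"""
squid:\
    :datasize=1500M:\
    :openfiles=4096:\
    :tc=daemon:
"""


def parse(text):
    """Return {class_name: [(capability, value), ...]} in file order."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, *fields = line.split(":")
        caps = [tuple(f.strip().partition("=")[::2]) for f in fields if f.strip()]
        for name in names.split("|"):
            classes[name] = caps
    return classes


def resolve(classes, name, seen=()):
    """Flatten a class; the first occurrence of a capability wins, tc= fills the rest."""
    if name in seen:
        raise ValueError("tc= loop at " + name)
    merged = {}
    for cap, value in classes[name]:
        if cap == "tc":
            if value in classes:
                for k, v in resolve(classes, value, seen + (name,)).items():
                    merged.setdefault(k, v)
        else:
            merged.setdefault(cap, value)
    return merged


def open_file_limits(caps, inherited=(128, 1024)):
    """(soft, hard) descriptor limits; inherited = assumed limits of the caller."""
    soft, hard = inherited
    order = list(caps)
    bare = order.index("openfiles") if "openfiles" in caps else len(order)
    if "openfiles" in caps:              # bare name sets both limits
        soft = hard = int(caps["openfiles"])
    if "openfiles-cur" in caps and order.index("openfiles-cur") < bare:
        soft = int(caps["openfiles-cur"])
    if "openfiles-max" in caps and order.index("openfiles-max") < bare:
        hard = int(caps["openfiles-max"])
    return soft, hard


def daemon_class(classes, script_name):
    """rc.subr rule quoted in the thread: class named after the script, else daemon."""
    return script_name if script_name in classes else "daemon"


def audit(text, script_name, inherited=(128, 1024)):
    """Return (class used, soft, hard, valid); valid is False when soft > hard."""
    classes = parse(text)
    cls = daemon_class(classes, script_name)
    soft, hard = open_file_limits(resolve(classes, cls), inherited)
    return cls, soft, hard, soft <= hard


if __name__ == "__main__":
    for label, text in (("no stanza", BASE), ("-cur only", BASE + CUR_ONLY),
                        ("README style", BASE + README_STYLE)):
        print(label, audit(text, "squid"))
```

In this model the `-cur`-only stanza leaves the hard limit at the inherited value, which is the invalid soft-above-hard combination described in the thread, while the README-style `openfiles=4096` raises both.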