[squid-dev] Build failed in Jenkins: trunk-x64-openbsd-54 #303

[noc]

See 

Changes:

[Amos Jeffries] ext_kerberos_ldap_group_acl: Heimdal support improvements

* fix build errors on FreeBSD with Heimdal library

* remove PAC support from being built when not needed

* update man(8) page documentation po4a syntax

--
[...truncated 2956 lines...]
ccache g++ -DHAVE_CONFIG_H-I../../../.. -I../../../../include  
-I../../../../lib -I../../../../src  -I../../../include -I/usr/local/include 
-I/usr/include/kerberosV  -I/usr/include/kerberosV   -I../../../../libltdl 
-I../../../../helpers/external_acl/kerberos_ldap_group  -Wall -Wpointer-arith 
-Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT -g -O2 
-march=native -MT support_log.o -MD -MP -MF .deps/support_log.Tpo -c -o 
support_log.o 
../../../../helpers/external_acl/kerberos_ldap_group/support_log.cc
mv -f .deps/support_log.Tpo .deps/support_log.Po
/usr/local/bin/bash ../../../libtool  --tag=CXX--mode=link ccache g++  
-Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -g -O2 -march=native   -g -lpthread -o ext_kerberos_ldap_group_acl 
kerberos_ldap_group.o support_group.o  support_netbios.o support_member.o  
support_krb5.o support_ldap.o  support_sasl.o support_resolv.o  
support_lserver.o support_log.o ../../../lib/libmiscencoding.la  
../../../compat/libcompat-squid.la -L/usr/lib -lgssapi -lkrb5 -lasn1 
-lcrypto -lwind -lroken -lcom_err -lheimbase -L/usr/lib -lkrb5 -lasn1 -lcrypto 
-lwind -lroken -lcom_err -lheimbase   -lm 
libtool: link: ccache g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments 
-Wshadow -Werror -pipe -D_REENTRANT -g -O2 -march=native -g -o 
ext_kerberos_ldap_group_acl kerberos_ldap_group.o support_group.o 
support_netbios.o support_member.o support_krb5.o support_ldap.o support_sasl.o 
support_resolv.o support_lserver.o support_log.o  
../../../lib/.libs/libmiscencoding.a ../../../compat/.libs/libcompat-squid.a 
-lpthread -L/usr/lib -lgssapi -lkrb5 -lasn1 -lcrypto -lwind -lroken -lcom_err 
-lheimbase -lm
Making all in time_quota
ccache g++ -DHAVE_CONFIG_H  
-DDEFAULT_QUOTA_DB=\"
-I../../../.. -I../../../../include  -I../../../../lib -I../../../../src  
-I../../../include -I/usr/local/include -I/usr/include/kerberosV  
-I/usr/include/kerberosV   -I../../../../libltdl  -Wall -Wpointer-arith 
-Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT -g -O2 
-march=native -MT ext_time_quota_acl.o -MD -MP -MF .deps/ext_time_quota_acl.Tpo 
-c -o ext_time_quota_acl.o 
../../../../helpers/external_acl/time_quota/ext_time_quota_acl.cc
mv -f .deps/ext_time_quota_acl.Tpo .deps/ext_time_quota_acl.Po
/usr/local/bin/bash ../../../libtool  --tag=CXX--mode=link ccache g++ -Wall 
-Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT  
-g -O2 -march=native  -g -lpthread -o ext_time_quota_acl ext_time_quota_acl.o 
../../../compat/libcompat-squid.la
libtool: link: ccache g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments 
-Wshadow -Werror -pipe -D_REENTRANT -g -O2 -march=native -g -o 
ext_time_quota_acl ext_time_quota_acl.o  
../../../compat/.libs/libcompat-squid.a -lpthread
Making all in unix_group
ccache g++ -DHAVE_CONFIG_H-I../../../.. -I../../../../include  
-I../../../../lib -I../../../../src  -I../../../include -I/usr/local/include 
-I/usr/include/kerberosV  -I/usr/include/kerberosV   -I../../../../libltdl  
-Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -g -O2 -march=native -MT check_group.o -MD -MP -MF 
.deps/check_group.Tpo -c -o check_group.o 
../../../../helpers/external_acl/unix_group/check_group.cc
mv -f .deps/check_group.Tpo .deps/check_group.Po
/usr/local/bin/bash ../../../libtool  --tag=CXX--mode=link ccache g++ -Wall 
-Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT  
-g -O2 -march=native  -g -lpthread -o ext_unix_group_acl check_group.o 
../../../lib/libmiscencoding.la  ../../../compat/libcompat-squid.la   -lm 
libtool: link: ccache g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments 
-Wshadow -Werror -pipe -D_REENTRANT -g -O2 -march=native -g -o 
ext_unix_group_acl check_group.o  ../../../lib/.libs/libmiscencoding.a 
../../../compat/.libs/libcompat-squid.a -lpthread -lm
Making all in wbinfo_group
sed -e 's,[@]PERL[@],/usr/bin/perl,g' 
<../../../../helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.pl.in 
>ext_wbinfo_group_acl || (/bin/rm -f -f ext_wbinfo_group_acl ; exit 1)
pod2man ext_wbinfo_group_acl ext_wbinfo_group_acl.8
Making all in log_daemon
Making all in DB
sed -e 's,[@]PERL[@],/usr/bin/perl,g' 
<../../../../helpers/log_daemon/DB/log_db_daemon.pl.in >log_db_daemon || 
(/bin/rm -f -f log_db_daemon ; exit 1)
pod2man log_db_daemon log_db_daemon.8
Making all in file
ccache g++ -DHAVE_CO

[squid-dev] Build failed in Jenkins: trunk-x64-centos-6-clang #475

[noc]

See 

Changes:

[Amos Jeffries] ext_kerberos_ldap_group_acl: Heimdal support improvements

* fix build errors on FreeBSD with Heimdal library

* remove PAC support from being built when not needed

* update man(8) page documentation po4a syntax

--
[...truncated 3765 lines...]
sed -e 's,[@]PERL[@],/usr/bin/perl,g' 
<../../../../helpers/basic_auth/DB/basic_db_auth.pl.in >basic_db_auth || 
(/bin/rm -f -f basic_db_auth ; exit 1)
pod2man basic_db_auth basic_db_auth.8
make[4]: Leaving directory 
`
Making all in LDAP
make[4]: Entering directory 
`
ccache clang++ -DHAVE_CONFIG_H   -I../../../.. -I../../../../include 
-I../../../../lib -I../../../../src -I../../../include -Werror 
-Qunused-arguments -Wno-deprecated-register  -D_REENTRANT -g -O2 -std=c++11 -MT 
basic_ldap_auth.o -MD -MP -MF .deps/basic_ldap_auth.Tpo -c -o basic_ldap_auth.o 
../../../../helpers/basic_auth/LDAP/basic_ldap_auth.cc
mv -f .deps/basic_ldap_auth.Tpo .deps/basic_ldap_auth.Po
/bin/sh ../../../libtool --tag=CXX   --mode=link ccache clang++ -Werror 
-Qunused-arguments -Wno-deprecated-register  -D_REENTRANT -g -O2 -std=c++11  -g 
-o basic_ldap_auth basic_ldap_auth.o ../../../lib/libmiscencoding.la 
../../../compat/libcompat-squid.la  -lldap -llber 
libtool: link: ccache clang++ -Werror -Qunused-arguments 
-Wno-deprecated-register -D_REENTRANT -g -O2 -std=c++11 -g -o basic_ldap_auth 
basic_ldap_auth.o  ../../../lib/.libs/libmiscencoding.a 
../../../compat/.libs/libcompat-squid.a -lldap -llber
make[4]: Leaving directory 
`
Making all in NCSA
make[4]: Entering directory 
`
ccache clang++ -DHAVE_CONFIG_H   -I../../../.. -I../../../../include 
-I../../../../lib -I../../../../src -I../../../include
-I../../../../helpers/basic_auth/NCSA  -Werror -Qunused-arguments 
-Wno-deprecated-register  -D_REENTRANT -g -O2 -std=c++11 -MT basic_ncsa_auth.o 
-MD -MP -MF .deps/basic_ncsa_auth.Tpo -c -o basic_ncsa_auth.o 
../../../../helpers/basic_auth/NCSA/basic_ncsa_auth.cc
ccache clang++ -DHAVE_CONFIG_H   -I../../../.. -I../../../../include 
-I../../../../lib -I../../../../src -I../../../include
-I../../../../helpers/basic_auth/NCSA  -Werror -Qunused-arguments 
-Wno-deprecated-register  -D_REENTRANT -g -O2 -std=c++11 -MT crypt_md5.o -MD 
-MP -MF .deps/crypt_md5.Tpo -c -o crypt_md5.o 
../../../../helpers/basic_auth/NCSA/crypt_md5.cc
mv -f .deps/crypt_md5.Tpo .deps/crypt_md5.Po
mv -f .deps/basic_ncsa_auth.Tpo .deps/basic_ncsa_auth.Po
/bin/sh ../../../libtool --tag=CXX   --mode=link ccache clang++ -Werror 
-Qunused-arguments -Wno-deprecated-register  -D_REENTRANT -g -O2 -std=c++11  -g 
-o basic_ncsa_auth basic_ncsa_auth.o crypt_md5.o 
../../../lib/libmisccontainers.la ../../../lib/libmiscencoding.la 
../../../compat/libcompat-squid.la  -lnettle -lcrypt  -lm -lnsl -lresolv -lcap 
-lrt -ldl -ldl 
libtool: link: ccache clang++ -Werror -Qunused-arguments 
-Wno-deprecated-register -D_REENTRANT -g -O2 -std=c++11 -g -o basic_ncsa_auth 
basic_ncsa_auth.o crypt_md5.o  ../../../lib/.libs/libmisccontainers.a 
../../../lib/.libs/libmiscencoding.a ../../../compat/.libs/libcompat-squid.a 
-lnettle -lcrypt -lm -lnsl -lresolv -lcap -lrt -ldl
make[4]: Leaving directory 
`
Making all in NIS
make[4]: Entering directory 
`
ccache clang++ -DHAVE_CONFIG_H   -I../../../.. -I../../../../include 
-I../../../../lib -I../../../../src -I../../../include
-I../../../../helpers/basic_auth/NIS  -Werror -Qunused-arguments 
-Wno-deprecated-register  -D_REENTRANT -g -O2 -std=c++11 -MT basic_nis_auth.o 
-MD -MP -MF .deps/basic_nis_auth.Tpo -c -o basic_nis_auth.o 
../../../../helpers/basic_auth/NIS/basic_nis_auth.cc
ccache clang++ -DHAVE_CONFIG_H   -I../../../.. -I../../../../include 
-I../../../../lib -I../../../../src -I../../../include
-I../../../../helpers/basic_auth/NIS  -Werror -Qunused-arguments 
-Wno-deprecated-register  -D_REENTRANT -g -O2 -std=c++11 -MT nis_support.o -MD 
-MP -MF .deps/nis_support.Tpo -c -o nis_support.o 
../../../../helpers/basic_auth/NIS/nis_support.cc
mv -f .deps/basic_nis_auth.Tpo .deps/basic_nis_auth.Po
mv -f .deps/nis_support.Tpo .deps/nis_support.Po
/bin/sh ../../../libtool --tag

Re: [squid-dev] [PATCH] remove error_message fromkerberos_ldap_group

[Amos Jeffries]

On 18/02/2015 11:35 a.m., Markus Moeller wrote:
> Hi Amos,
> 
> Apologies this based on an observation that if KRB5 checks are fine but
> GSSAPI not the PAC section would be compiled but the main part of the
> helper not which did not make sense.
> 
> in helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
> * whats this?
> 
> I hope I addressed the rest in the attached.
> 
> Markus


Applied to trunk as rev.13929

Amos


___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] [squid-users] Squid latency at ApacheCon 2014 in comparison between Squid, NGINX, Apache Traffic Server, Varnish and Apache

[Amos Jeffries]

On 18/02/2015 3:58 a.m., Anna Jonna Armannsdottir wrote:
> Hi everybody! 
> My question may be rather theoretical, but in essence I need to know if
> Squid really has a flaw regarding latency for connections where
> keepalive is on. 
> 
> At ApacheCon 2014, Bryan Call presented slides where slides nr. 40 to 49
> show where he writes on slide 46 about Squid: 
> "Worst median latency for keep-alive benchmarks" . 
> The slides are here:
> http://www.slideshare.net/bryan_call/choosing-a-proxy-server-apachecon-2014 
> The configuration for Squid is shown on slide nr. 36. To my eyes it
> looks a little over simplistic. I hope he has not configured Squid
> correctly and that somebody here can point me at better configuration
> that expressly does not have latency of many seconds and a 95 percentile
> of over 10 seconds. Those numbers were achieved by mesurement using
> CoAdvisor 
> ( see
> http://coad.measurement-factory.com/cgi-bin/coad/FaqCgi?item_id=ALL )
> 


Thank you for pointing this out. Its nice to see someone other than me
mentioning '00K RPS rates for Squid, even if it is just lab tests.

We also usually end up with some performance improvements whenever
anyone tests anything. This time could be the I/O latency :-)
[cc'ing the squid-dev mailign list in case anyone there want to also
respond or pick up the challenge of improving latency.]


> My intent, is to use Squid with CARP or VRRP as a reverse proxy and load
> balancer for a cluster of webservers. 
> 
> My main reason for using Squid rather than NGINX or ATX or Varnish is
> Squid's superior protocol compliance. Byan Call's demostrated latency 
> gives me reasons for concern. 

Its not clear on a few points that are needed for replication of the
results:

* what software versions he is using.

We had a lot of trouble with Varnish vs Squid benchmarks where the
latest Varnish was being compared to a 10-year-older Squid version. In
our tests a conteporary Squid proved to be within 20% of Varnish speed,
but the published documents showed orders of magnitude difference.

Also, event driven software like Squid has a "sweet spot" for peak
performance balancing CPU between processing I/O queue or event queue.
At that spot latency is quite low, go higher and the event processing
increases it, go lower and modern CPUs decrease their power usage to
reduce available cycles. 1K clients looks suspiciously like its just
over the sweet spot for the currently most popular squid-3 versions. I
like to see what a comparison looks like with +/- 200 clients.


* How many cores the test machine had for the proxy to use.

Its not clear if his testing was on a machine with 25+ physical cores.
If not then there is worker contention for CPU time going on.

Squid was historically designed to make the most of a single-core CPU,
all that design is still present in each worker so its best to allocate
only one worker per CPU with a spare core for the OS (virtual or
hyperthreaded cores dont count). There is also threading in Squid
(contrary to slide 29), but that is mostly for disk I/O so he can be
forgiven for ignoring it.

Its not clear how many worker processes or thread httpd or Varnish are
using. Maybe their defaults which are quite high.

NginX is also stuck with 24 workers. They are more lightweight than
Squid ones, however...

ATS is configured with 3 "lightweight threads" which should work
stunningly well for anything at or above a single quad-core CPU.


* whether the test is done over a network link, or the loccalhost
machien is oping with both the leint and proxy and server


Some oddities:

* on slide 40-41 I am surprised to see that both ATS and Varnish are
supplying more responses per second than the test client was reportedly
sending. Note how its "100K rated limited", but they reach above 100K RPS.


* If you look closely there is a 5x reduction in latency by closing TCP
connections immediately after processing one request. Despite Squid
processing quite a lot more code in the close case. The CPU usage
numbers do match the extra processing though. This maybe something we
could improve.


* slide 28 mention of open()/locking - those are completely irrelevant
to properly written event processing. Though its common to see
*threading* processing model people write code like that. As if an event
was a thread that could pause.



* Not sure if its an oddity since its so common, but there is a clearly
a biased review.

Listing only how others compare to ATS features rather than how they all
stand overall. Slide 44 claim of "Best cache implementation" seems a
little rich given the lack of HTTP/1.1 features shown - fastest
responding in these tests perhapse. Claim of Apache community as a
bonus, but no mention of others having any communities. Probably other
suble things.


> 
> I spent the last weeks searching but I have not found anything that
> seems to counter Mr. Call's claim. On behalf of the Squid developers and
> users, I would be wery grateful if anybody could sho

Re: [squid-dev] [PATCH] remove error_message fromkerberos_ldap_group

[Markus Moeller]

Hi Amos,

Apologies this based on an observation that if KRB5 checks are fine but 
GSSAPI not the PAC section would be compiled but the main part of the helper 
not which did not make sense.


in helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
* whats this?

I hope I addressed the rest in the attached.

Markus

"Amos Jeffries"  wrote in message news:54e28fbb.9090...@treenet.co.nz...

On 17/02/2015 11:57 a.m., Markus Moeller wrote:


Hi Amos,

   Please find attached a patch to replace error_message with
krb5_get_error_message.




in .../ext_kerberos_ldap_group_acl.8:

* just a note that the - characters need to be \-escaped. Ican do a
followup docs patch on this since all the other options need it as well.


in .../kerberos_ldap_group/support_krb5.cc

* missing whitespace empty line after k5_error2()

* please deduplicate shared code betweenk5_error2() and k5_error() and
make them static:

+static void
+k5_error(const char* msg, krb5_error_code code)
+{
+k5_error(msg, "", code);
+}
+
+static void
+k5_error2(const char* msg, char* msg2, krb5_error_code code)
+{
+const char *errmsg;
+errmsg = krb5_get_error_message(kparam.context, code);
+error((char *) "%s| %s: ERROR: %s%s : %s\n", LogTime(), PROGRAM,
msg, msg2, errmsg);
+#if HAVE_KRB5_FREE_ERROR_MESSAGE
+krb5_free_error_message(kparam.context, errmsg);
+#elif HAVE_KRB5_FREE_ERROR_STRING
+krb5_free_error_string(kparam.context, (char *)errmsg);
+#else
+xfree(errmsg);
+#endif
+}

... and the code calling k5_error2() place the trailing SP character
inside their msg1 parameter string.


in helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
* whats this?


Amos

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev 


krb5_error_message_2.patch
Description: Binary data
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] [PATCH] sslproxy_options in peek-and-splice mode

[Tsantilas Christos]

On 02/17/2015 02:49 AM, Amos Jeffries wrote:

On 14/02/2015 8:25 a.m., Amos Jeffries wrote:

On 13/02/2015 11:52 p.m., Tsantilas Christos wrote:


A new patch, which also adds a Must clause for bumping step in
Ssl::PeerConnector::initializeSsl method.






Was applied as trunk rev.13928


yep, sorry



Amos

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev