Re: Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

OK, got it.
The basic issue is that the helper is trying to use IP?
I am trying to understand something about the docs and about the situation.
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -P -R -K -b "dc=dot,dc=lan" -f "(&(cn=%v)(memberOf=cn=%a,cn=Users,dc=dot,dc=lan))" -D nslcd-service@xxxxxxx -w "Pa77w0rd" -h ubuntu.dot.lan

Which ext_ldap_group_acl is that, the one provided by squid?
It is a helper which is supposed to communicate with squid via STDIN/STDOUT, with errors on STDERR.

Correct me about the above if I am wrong.
This might also help me to understand the meaning of ipv4/ipv6 in the docs about external_acl:
http://wiki.squid-cache.org/Features/IPv6#How_do_I_make_squid_use_IPv6_to_its_helpers.3F

I am still unsure what it tries to do, but:
In Linux "everything is a file"; even the hardware is supposed to be a file.
It is not always in the hands of the admin to spare the replacement of very pricey devices, which should be left alone with a tested piece of internal firmware! Other than that, a Linux OS uses for example 3 channels of communication between the user terminal/screen and the user/admin. The whole communication channel is supposed to be "one" FD, and I may be wrong, but STDIN/STDOUT/STDERR is a communication channel between a user and the computer in a command-line interaction.
There are many other ways to do that, but let's leave it at that.

So an FD is a way for the kernel and other sources to communicate.
It can be a FILE on disk which has read/write channels, or a TCP socket that has a read/write channel, or a UDP socket, which is a bit more complex to understand as a communication channel since it's a "datagram" channel.

There is also the "unix" socket, which is called a *pipe*; I do not remember right now how it works, since it cannot be used as read+write channels at the same time, if I remember right.

Squid as a server emulates, for software like the external_acl helper, a communication channel as if it (squid) were a terminal user that is now interacting with the software/script. So squid has STDIN/STDOUT/STDERR on a "screen" (virtual, inside the software), and then when a client sends a request, squid, by the ACL rules, "consults" the helper using STDIN (for the software, while it is STDOUT for squid), then considers the "offer" that corresponds to the request in STDOUT (of the software, while being squid's STDIN), and any STDERR messages are logged into the cache.log.

So the external_acl helper is like an interviewer for each request's basic "looks", such as src-IP and/or request-url and/or other parameters available to squid.

So, as Amos suggested, there might be a misconfiguration in the squid ACL order that forces the mentioned symptoms.

The logs can help determine the state of each request and the status of each ACL, and while doing so you can see in the logs that the problem is still there: "2013/11/13 20:29:13.689| WARNING: Cannot run '/usr/lib/squid3/ext_ldap_group_acl' process."

The line you see in the logs:
"2013/11/13 20:29:13.689| ERROR: Failed to create helper child read FD: TCP [::1]" is a general line that you will see when the OS tries to bind some socket, whatever it is, using the TCP IPv6 protocol.

Disabling the IPv6 sockets from the Linux OS/kernel is not really possible, since once it is enabled it is there, unless on the next reboot you do not load it. (I am wrong in case there were some changes in the Linux kernel and IPv6 modules.)

There might be a chance of converting the STD channel from one channel to a TCP channel, but I am not sure that the kernel developers will apply it so soon.

Try to force squid to bind to the IPv4 address of squid in http_port, like:
http_port 127.0.0.1:3128

This might cause the comm bind error to be gone from the logs.

Here if you need me,
Eliezer
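As an added illustration of the STDIN/STDOUT exchange described above (this is example code, not part of the thread and not Squid's own ext_ldap_group_acl): a minimal external ACL helper for the `external_acl_type memberof %LOGIN` line. Squid hands it the login name plus the group names from the `acl ... external memberof` line, one request per line on STDIN; the helper answers one result line per request on STDOUT, and whatever it writes to STDERR ends up in cache.log. The directory lookup is replaced by a constructed in-memory table standing in for the LDAP query (cn=%v for the user, %a for the group); the user and group names are invented.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper speaking the stdin/stdout line protocol.

Constructed example: MEMBERSHIP stands in for the LDAP lookup that the real
ext_ldap_group_acl performs.  One request line in, one result line out.
"""
import sys

# Constructed directory: user -> set of group names (replaces the LDAP query).
MEMBERSHIP = {
    "alice": {"InternetUsers", "Admins"},
    "bob": {"InternetUsers"},
    "carol": set(),
}


def parse_request(line):
    """Split one request line into (channel_id, user, groups).

    For 'external_acl_type memberof %LOGIN ...' Squid sends the login name
    followed by the group names listed on the 'acl ... external memberof'
    line.  When concurrency=N is configured a numeric channel id comes first
    (so this parser assumes logins are never purely numeric).
    Returns None for an empty or malformed line.
    """
    tokens = line.strip().split()
    channel = None
    if tokens and tokens[0].isdigit():
        channel, tokens = tokens[0], tokens[1:]
    if len(tokens) < 2:  # need at least a user and one group
        return None
    return channel, tokens[0], tokens[1:]


def decide(user, groups, membership=MEMBERSHIP):
    """'OK' if the user belongs to any of the requested groups, else 'ERR'."""
    return "OK" if membership.get(user, set()) & set(groups) else "ERR"


def handle_line(line, membership=MEMBERSHIP):
    """Build the complete response line Squid expects for one request."""
    parsed = parse_request(line)
    if parsed is None:
        # BH (broken helper) tells Squid the request could not be processed,
        # as opposed to ERR, which means "not a member".
        return 'BH message="malformed request"'
    channel, user, groups = parsed
    result = decide(user, groups, membership)
    if channel is not None:
        result = f"{channel} {result}"  # echo the channel id back on concurrent helpers
    return result


def serve(stdin=sys.stdin, stdout=sys.stdout, stderr=sys.stderr):
    """Main loop: read a request, write the result, flush after every line.

    Without the flush the reply can sit in a buffer while Squid keeps waiting,
    which is one way a helper queue fills up.
    """
    for line in stdin:
        response = handle_line(line)
        print(response, file=stdout)
        stdout.flush()
        # STDERR goes to cache.log, so keep it to one short line per request.
        print(f"memberof helper: {line.strip()!r} -> {response}", file=stderr)


if __name__ == "__main__":
    serve()
```

Run it by hand to see the dialogue squid has with the helper: type `alice InternetUsers` and it answers `OK`; type `carol InternetUsers` and it answers `ERR`. With `concurrency=` set on the external_acl_type line, every request carries a leading channel number that the helper must echo back, which the example does.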

On 11/13/2013 09:36 PM, Andrey wrote:
I think the helper tries to access the IPv6 of the server (I'm not sure!),
but IPv6 is disabled:
/etc/sysctl.conf

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

#Enable IPv4 forward
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1

Here is the log without ipv4, well, with debug_options 82,9 84,9; I do not
know what the meaning of "FD socket" is (no info on inet):
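The "Failed to create helper child read FD: TCP [::1]" line in the thread comes from a bind on the IPv6 loopback. The following added diagnostic (example code, not from the thread or from Squid) repeats that bind from userspace, for both 127.0.0.1 and ::1, and reports the errno, so you can tell "::1 was removed from lo by disable_ipv6=1" (EADDRNOTAVAIL) from "the kernel has no IPv6 at all" (EAFNOSUPPORT). It also reads the lo disable_ipv6 sysctl from /proc when present. Port 0 asks the kernel for a free port, so the check leaves nothing listening.

```python
#!/usr/bin/env python3
"""Check whether a TCP socket can be bound to loopback per address family.

Constructed diagnostic: reproduces the bind behind Squid's
"Failed to create helper child read FD: TCP [::1]" from userspace and
classifies the failure by errno.
"""
import errno
import socket

LOOPBACK = {socket.AF_INET: "127.0.0.1", socket.AF_INET6: "::1"}


def check_loopback_bind(family):
    """Try to bind a TCP socket to the loopback address of `family`.

    Returns (ok, detail); detail names the errno and its likely cause on
    failure.  Port 0 lets the kernel pick a free port, so nothing is left open.
    """
    addr = LOOPBACK[family]
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.bind((addr, 0))
            return True, f"bind to {addr} succeeded"
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        if exc.errno == errno.EAFNOSUPPORT:
            why = "kernel has no support for this address family"
        elif exc.errno == errno.EADDRNOTAVAIL:
            why = f"{addr} is not configured on any interface (e.g. disable_ipv6=1 removed it from lo)"
        else:
            why = "unexpected error"
        return False, f"bind to {addr} failed with {name}: {why}"


def disable_ipv6_sysctl(iface="lo"):
    """Return net.ipv6.conf.<iface>.disable_ipv6 from /proc, or None if absent."""
    try:
        with open(f"/proc/sys/net/ipv6/conf/{iface}/disable_ipv6") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def report():
    """Run both bind checks plus the sysctl read and return them as one dict."""
    return {
        "ipv4_loopback": check_loopback_bind(socket.AF_INET),
        "ipv6_loopback": check_loopback_bind(socket.AF_INET6),
        "lo_disable_ipv6": disable_ipv6_sysctl("lo"),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

If `ipv6_loopback` fails with EADDRNOTAVAIL while `lo_disable_ipv6` reads 1, the sysctl in the quoted /etc/sysctl.conf is what removed ::1, which matches the helper FD error above; binding squid to an IPv4 address, as suggested earlier in the thread, avoids that bind.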
