[squid-users] Re: squid_kerb_auth high CPU usage

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 24 Jun 2009 20:23:38 +0100

Could you add the following to your squid startup script?

export KRB5RCACHETYPE=none

This should disable the cache and I don't think it is a big security risk.
Could you report back if this improves the CPU load?

Thank you very much
Markus

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:h1ttrg$bek$1_at_ger.gmane.org...
> Hi,
>
> TBH I haven't yet had a chance to do performance testing of my helper.
> What you are seeing is the Kerberos replay protection cache. HTTP is the
> part of the service principal and 501 is the uid of the process.
> Depending on the request/sec it can be quite a bit as each request will be
> authenticated. If I find time I will check which part of the helper is
> creating the load.
>
> Regards
> Markus
>
> "J.J." <jayjayjay_at_gmx.de> wrote in message
> news:20090624140826.52200_at_gmx.net...
>> Hi everybody!
>>
>> I have a problem with authentication helper squid_kerb_auth.
>> It's consuming too much CPU. 15 min Load average from the squid server is
>> about 5, 5 min average peaks up to 13, see top output
>>
>> top - 13:48:13 up 15:45, 5 users, load average: 8.23, 6.21, 4.85
>> Tasks: 175 total, 2 running, 173 sleeping, 0 stopped, 0 zombie
>> Cpu(s): 11.0%us, 25.6%sy, 0.0%ni, 45.6%id, 16.3%wa, 0.2%hi, 1.3%si, 0.0%st
>> Mem: 2073876k total, 2020008k used, 53868k free, 251548k buffers
>> Swap: 2031608k total, 640k used, 2030968k free, 1029856k cached
>>
>> The Cache serves about 350 Users, OS is Fedora 10.
>>
>> From stracing a helper process I saw it's opening/writing/reading from and
>> to "/var/tmp/HTTP_501", which is a 150-200k file, growing and shrinking
>> all the time, containing all the usernames a few times.
>>
>> Kerberos itself works as intended. I already changed the number of helper
>> children, did not help.
>>
>> I found no suspicious alerts in the cache log or other system logs, just
>> high CPU Usage.
>>
>> Does anybody know if this behaviour is OK, or how to debug it?
>>
>> This HTTP_501 file, which contains every Username more than redundant,
>> also makes me curious, as HTTP 501 is error code for "not implemented"
>>
>> Anybody with Kerberos Config here that can help me with this?
>>
>> Thanks!
>>
>> Regards
>>
>> jay
>>
>>
>> ---krb5.conf
>>
>> [logging]
>> default = SYSLOG:VERBOSE:USER
>>
>> [libdefaults]
>> default_realm = XXXX
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> default_keytab_name = FILE:/etc/krb5.keytab
>> clockskew = 300
>>
>> ...
>>
>> [appdefaults]
>> pam =
>> {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>
>
>
Received on Wed Jun 24 2009 - 19:23:54 MDT
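
The replay protection cache discussed in this thread, as an added example that is not part of the original messages and is not MIT Kerberos or squid_kerb_auth code. It is a simplified model (the class, function and sample principals are constructed for illustration) showing why the file holds several entries per user, why it grows and shrinks, and what a server stops detecting once KRB5RCACHETYPE=none is set.

```python
from dataclasses import dataclass, field

CLOCKSKEW = 300  # seconds, the clockskew value from the krb5.conf quoted in the thread


@dataclass
class ReplayCache:
    """Simplified model: remember each authenticator until it leaves the skew window."""
    lifespan: int = CLOCKSKEW
    enabled: bool = True                       # False models KRB5RCACHETYPE=none
    seen: dict = field(default_factory=dict)   # (client, ctime, cusec) -> expiry time

    def expire(self, now):
        # Entries past the skew window can never be accepted again, so they
        # are dropped; this is why the file shrinks as well as grows.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}

    def accept(self, client, ctime, cusec, now):
        """Return True if the authenticator is accepted, False if rejected."""
        if abs(now - ctime) > self.lifespan:
            return False          # outside clock skew: rejected with or without a cache
        if not self.enabled:
            return True           # nothing recorded, so a replay looks like a new request
        self.expire(now)
        key = (client, ctime, cusec)
        if key in self.seen:
            return False          # same authenticator presented twice: replay
        self.seen[key] = ctime + self.lifespan
        return True


def run(enabled):
    """Feed constructed requests through the cache; return (decisions, entries left)."""
    rc = ReplayCache(enabled=enabled)
    requests = [  # (client, ctime, cusec, arrival time), all constructed sample values
        ("alice@EXAMPLE", 1000, 1, 1000),
        ("alice@EXAMPLE", 1000, 2, 1000),   # new authenticator, same user
        ("bob@EXAMPLE", 1001, 7, 1001),
        ("alice@EXAMPLE", 1000, 1, 1010),   # first authenticator presented again
        ("alice@EXAMPLE", 1000, 1, 1400),   # presented again after the skew window
        ("bob@EXAMPLE", 1400, 3, 1400),     # fresh request; old entries expire here
    ]
    decisions = [rc.accept(*r) for r in requests]
    return decisions, len(rc.seen)


if __name__ == "__main__":
    print("rcache on :", run(True))
    print("rcache off:", run(False))
```

With the cache off, only the clock skew check remains, so the repeated authenticator at arrival time 1010 is accepted while the one at 1400 is still rejected.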
