make sure that local DNS servers are configured on the workstations.
If a DNS server is running on the firewall or proxy server (which is a
good idea, IMHO), have the workstations use it.
5 Operation
5.1 How do I view system statistics for Squid?
The Squid distribution includes a CGI utility, cachemgr.cgi, for
viewing squid statistics through a browser. For more information, see
the section devoted to cachemgr.cgi.
5.2 What can I learn from the log files?
The files contain various information about Squid's load and performance.
Besides access information, the logs also record system errors and information
about resource consumption, such as memory or disk space.
The format of the Squid log files is described below:
access.log, common format:
    Host Ident - [D/M/Yr:H:M:S TZ] "Method URL" Status Size
access.log, Squid 1.0 native format:
    Time Elapsed Host Status/HTTP/Hier_Status Size Method URL
access.log, Squid 1.1 native format:
    Time Elapsed Host Status/HTTP Size Method URL Ident Hier_Status/Hier_Host
hierarchy.log, Squid 1.0 only:
    [D/M/Yr:H:M:S TZ] URL Hier_Status Hier_Host
Here is a description of the individual log components:
- Host: IP address of the requesting host (in v1.1 it can be an FQDN, if configured).
- Ident: Usually '-'. In version 1.1, the Ident (RFC 931) reply, if configured.
- Method: GET, HEAD, POST for TCP requests, or ICP_QUERY for UDP requests.
- URL: The requested object.
- Status: Result of the request (TCP_HIT for objects that were already cached,
  TCP_MISS if the requested object was not taken from the local cache, UDP_HIT
  and UDP_MISS likewise for sibling requests).
- HTTP: The HTTP code returned: 200 for successful requests, 000 for UDP
  requests, 403 for redirects, 500 for errors, etc.
- Size: Number of bytes transferred to the client.
- Hier_Status: Result of the requests to sibling/parent caches. Can be
  PARENT_MISS, SIBLING_HIT, etc.
- Hier_Host: The host the object was fetched from.
- Time: Time since Jan 1, 1970, in milliseconds.
- Elapsed: Elapsed time in milliseconds.
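The following is an added example, not part of the original FAQ: a parser for the Squid 1.1 native access.log format listed above that also flags cache manager (cache_object://) requests coming from clients outside an allow list. The sample log is constructed, and the TCP_DENIED status and the DIRECT/NONE hierarchy codes in it are assumptions about what this Squid version logs.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    # Field order of the Squid 1.1 native format described above:
    # Time Elapsed Host Status/HTTP Size Method URL Ident Hier_Status/Hier_Host
    time: str         # raw timestamp token, kept exactly as logged
    elapsed_ms: int
    host: str         # requesting client: IP address, or FQDN if configured
    status: str       # TCP_HIT, TCP_MISS, UDP_HIT, UDP_MISS, ...
    http: str         # HTTP code; "000" for UDP (ICP) requests
    size: int
    method: str
    url: str
    ident: str
    hier_status: str
    hier_host: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one line; return None if it is not in the 1.1 native format."""
    parts = line.split()
    if len(parts) != 9:
        return None
    time, elapsed, host, status_http, size, method, url, ident, hier = parts
    status, slash1, http = status_http.partition("/")
    hier_status, slash2, hier_host = hier.partition("/")
    if not (slash1 and slash2 and elapsed.isdigit() and size.isdigit()):
        return None
    return Entry(time, int(elapsed), host, status, http, int(size),
                 method, url, ident, hier_status, hier_host)


def parse_log(text: str) -> Tuple[List[Entry], int]:
    """Return (entries, number of non-empty lines that failed to parse)."""
    entries, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            rejected += 1
        else:
            entries.append(entry)
    return entries, rejected


def unexpected_manager_clients(entries, allowed=("127.0.0.1/32",)):
    """Entries for cache_object:// URLs whose client is outside `allowed`."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    flagged = []
    for e in entries:
        if not e.url.lower().startswith("cache_object://"):
            continue
        try:
            ok = any(ipaddress.ip_address(e.host) in n for n in nets)
        except ValueError:
            ok = False  # Host logged as an FQDN: cannot be tied to a network
        if not ok:
            flagged.append(e)
    return flagged


def tcp_hit_ratio(entries) -> float:
    """Share of TCP requests answered from the local cache (TCP_HIT)."""
    tcp = [e for e in entries if e.status.startswith("TCP_")]
    return sum(e.status == "TCP_HIT" for e in tcp) / len(tcp) if tcp else 0.0


# Constructed sample log (not taken from a real cache).
SAMPLE_LOG = """\
853889570.123 95 192.0.2.10 TCP_MISS/200 4120 GET http://www.example.com/ - DIRECT/www.example.com
853889571.004 3 192.0.2.10 TCP_HIT/200 4120 GET http://www.example.com/ - NONE/-
853889572.650 1 192.0.2.77 UDP_MISS/000 62 ICP_QUERY http://www.example.com/a.gif - NONE/-
853889580.310 12 127.0.0.1 TCP_MISS/200 2300 GET cache_object://localhost/info - NONE/-
853889590.902 2 198.51.100.23 TCP_DENIED/403 1050 GET cache_object://mycache.example.com/info - NONE/-
this line is truncated
"""

if __name__ == "__main__":
    entries, rejected = parse_log(SAMPLE_LOG)
    print("parsed:", len(entries), "rejected:", rejected)
    print("TCP hit ratio:", tcp_hit_ratio(entries))
    for e in unexpected_manager_clients(entries):
        print("cache manager request from", e.host, "->", e.status, e.http)
```

Pass the addresses of the hosts that run cachemgr.cgi in the allowed argument, so that only requests from other sources are reported.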
5.3 Which log files can I delete?
To preserve the log files, it is best to send the squid process a USR1 signal.
This causes the current log files to be closed and renamed.
After that the old log files can be deleted. For example, if your squid.pid
file is located in /usr/local/squid/logs/squid.pid (as set in squid.conf),
do the following:
    kill -USR1 `cat /usr/local/squid/logs/squid.pid`
Note: The logfile_rotate line in squid.conf
makes manual deletion of old log files unnecessary. Simply set
logfile_rotate to the desired value. As soon as the
logfile_rotate value is reached, the old log is removed automatically.
Set the logfile_rotate value you need and add a crontab entry
that sends squid the SIGUSR1 signal, for example at midnight every
day:
    0 0 * * * /bin/kill -USR1 `cat /usr/local/squid/logs/squid.pid`
The only file that must not be deleted is the file named log,
which is usually located in the first cache_dir directory. This file
contains the data needed to rebuild the cache when Squid starts.
Deleting this file will result in the loss of the cache.
5.4 How do I find the largest object in the cache?
    sort -r -n -k 5,5 access.log | awk '{print $5, $7}' | head -25
5.5 I want to restart Squid with a clean cache
The first way is to add -z on the command line.
Another, possibly simpler, way is to delete the file named log from the
cache_dir directory.
6 The cache manager
[Contributed by Jonathan Larmour <JLarmour@origin-at.co.uk>]
6.1 What is the cache manager?
The cache manager (cachemgr.cgi) is a CGI utility for viewing statistics
of a running squid process. The cache manager is a simple way to manage
the cache and view statistics without logging in to the server.
6.2 How do I install it?
First of all, that depends on the web server you use. Below you will
find instructions for configuring the CERN and Apache servers to use
cachemgr.cgi.
After you have changed the server's configuration files, you need to either
restart the web server or send it a SIGHUP so that it rereads its
configuration files.
When you have finished configuring the web server, you can connect
to the cache manager with a browser at the URL:
    http://www.example.com/Squid/cgi-bin/cachemgr.cgi
6.3 Configuring CERN httpd 3.0 for the cache manager
First, make sure that only the specified workstations have
access to the cache manager. They must be set in the CERN httpd.conf, not in
squid.conf.
    Protection MGR-PROT {
        Mask @(workstation.example.com)
    }
You can use wildcards and IP addresses, including comma-separated lists. Other
protection methods are also possible. Consult the server documentation.
You should also add:
    Protect /Squid/* MGR-PROT
    Exec /Squid/cgi-bin/*.cgi /usr/local/squid/bin/*.cgi
to mark the script as executable for MGR-PROT.
6.4 Configuring Apache for the cache manager
First make sure that the cgi-bin directory is listed in a ScriptAlias
in your Apache srm.conf file, something like this:
    ScriptAlias /Squid/cgi-bin/ /usr/local/squid/cgi-bin/
We do not recommend making a ScriptAlias for the whole /usr/local/squid/bin
directory, where the Squid binaries live.
Next, specify the workstations that have access to the cache manager. This
is set in Apache's access.conf file, not in squid.conf. At the
end of access.conf, insert:
    <Location /Squid/cgi-bin/cachemgr.cgi>
    order deny,allow
    deny from all
    allow from workstation.example.com
    </Location>
You can enter several lines, and you can add domains or networks.
Also, cachemgr.cgi can be password-protected. Add the
following lines to access.conf:
    <Location /Squid/cgi-bin/cachemgr.cgi>
    AuthUserFile /path/to/password/file
    AuthGroupFile /dev/null
    AuthName User/Password Required
    AuthType Basic
    <Limit GET>
    require user cachemanager
    </Limit>
    </Location>
The Apache documentation has information on using htpasswd
to set the password.
6.5 Setting the cache manager ACL (user list) in squid.conf
By default, access to the cache manager is set in squid.conf like this:
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl all src 0.0.0.0/0.0.0.0
With the following rules:
    http_access deny manager !localhost
    http_access allow all
The first ACL entry is needed for the cache manager, because it uses the
special cache_object protocol to query squid. You can try it yourself:
    telnet mycache.example.com 3128
    GET cache_object://mycache.example.com/info HTTP/1.0
By default, if a request is for cache_object and the request does not come
from the local machine, access is denied; otherwise it is allowed.
In practice, since access is allowed only from the local machine, you can
enter localhost as the cache host in the cachemgr.cgi field.
We recommend the following:
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl example src 123.123.123.123/255.255.255.255
    acl all src 0.0.0.0/0.0.0.0
where 123.123.123.123 is the IP address of your web server. Then change
the rules to:
    http_access deny manager !localhost !example
    http_access allow all
The default assumes that the web server is on the same machine
as squid. Keep in mind that the cache manager's connection to squid comes
from the web server, not from the browser. So if your web server is located
somewhere else, the IP address of the web server on which cachemgr.cgi is installed
must be given for the example ACL in the configuration above.
Do not forget to send squid a SIGHUP every time you change
squid.conf.
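The following is an added example, not part of the original FAQ and not Squid's own code: a small evaluator for the acl and http_access lines quoted above, showing that the ACLs on one http_access line are ANDed and that the first matching line decides. The SPLIT variant is a hypothetical misconfiguration, and only the src and proto ACL types used in this section are handled.

```python
import ipaddress

# The two configurations quoted in this section, plus a hypothetical variant
# (SPLIT) in which the two negated ACLs are put on separate deny lines.
DEFAULT = """
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access deny manager !localhost
http_access allow all
"""

RECOMMENDED = """
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl example src 123.123.123.123/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access deny manager !localhost !example
http_access allow all
"""

SPLIT = RECOMMENDED.replace(
    "http_access deny manager !localhost !example",
    "http_access deny manager !localhost\nhttp_access deny manager !example",
)


def parse_conf(text):
    """Collect acl definitions and http_access rules, in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            acls[words[1]] = (words[2], words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acl, src, proto):
    """Evaluate one ACL of type src or proto (the only types used here)."""
    kind, values = acl
    if kind == "src":
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "proto":
        return proto in values
    raise ValueError("ACL type not covered by this example: " + kind)


def http_access(conf, src, proto):
    """Return 'allow' or 'deny' for a request from `src` using `proto`."""
    acls, rules = parse_conf(conf)
    for action, names in rules:
        # All ACLs on one line must match (logical AND); "!" negates one ACL.
        if all(acl_matches(acls[n.lstrip("!")], src, proto) != n.startswith("!")
               for n in names):
            return action          # the first matching line decides
    if not rules:
        return "deny"              # choice made by this example
    # No line matched: Squid applies the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT), ("recommended", RECOMMENDED),
                       ("split", SPLIT)):
        for src in ("127.0.0.1", "123.123.123.123", "10.1.2.3"):
            print(name, src, http_access(conf, src, "cache_object"))
```

With SPLIT, every cache manager request is denied, including those from localhost and from the web server, which is why both negated ACLs belong on the same deny line.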
6.6 Why does it ask me for a password and a URL?
If you look at the drop-down list, you will see that the password is needed only
to shut down the cache, and the URL is needed to refresh an object (that is, to
retrieve it again from the origin server). No password is required to get
information from cachemgr.cgi.
6.7 I want to shut down the cache remotely. What is the password?
squid.conf has a cachemgr_passwd directive.
6.8 How do I make the cache host field default to the name of my cache?
Find the following line in Makefile.in:
    HOST_OPT = # -DCACHEMGR_HOSTNAME="getfullhostname()"
If the web server with cachemgr.cgi runs on the same machine as Squid,
just remove the #. If the web server is some other machine, then use:
    HOST_OPT = -DCACHEMGR_HOSTNAME=\"mycache.example.com\"
After these changes, recompile and reinstall cachemgr.cgi.
6.9 What is the difference between Squid's TCP and UDP connections?
Browsers and caches use TCP connections to retrieve objects from web
servers or caches. UDP connections are used when another cache, using
yours as a sibling or parent, asks whether it holds a wanted object.
The UDP connections are ICP queries.
6.10 It says the cache will expire in 1970!
Don't worry. The normal (and generally sensible) behaviour of squid is
to overwrite objects whose lifetime has expired.
6.11 What do the meta-data entries mean?
- StoreEntry: An entry describing a cache object.
- IPCacheEntry: An entry in the DNS cache.
- Hash link: A link in the hash table structure.
- URL strings: The URL strings themselves, which point to the object number
  in the cache and allow access to the StoreEntry.
Mostly similar to the log file in the cache directory:
- PoolMemObject structures: Information about objects currently in memory
  (for example, in the process of being transferred).
- Pool for Request structures: Information about each request.
- Pool for in-memory object: Space for received objects.
6.12 The Pool for in-memory object is huge and never gets smaller!
Is this a memory leak?
No. This pool only grows. It equals the largest object ever
cached by squid. If you don't want it to be that
size, reduce the value of cache_mem and the object sizes for gopher,
http and ftp in squid.conf.
6.13 The "Total accounted" value does not match the size
of my squid process!
If the value is close to that size, don't worry. If squid
takes up much more, it may be a memory leak, and all you can do
is wait for new patches and restart squid from time to time.
If squid takes up much less than this field says, be careful!
Something is wrong and squid should be restarted.
6.14 In the utilization section, what is Other?
Other is the category for objects that do not fall into
any other category.
6.15 In the utilization section, why is the Transfer KB/sec column
always zero?
This column contains a rough approximation of the ratio of data transferred to the
total running time of the cache. These figures are unreliable and practically useless.
6.16 In the utilization section, what does Object Count mean?
The number of objects of this type currently in the cache.
6.17 In the utilization section, what does Max/Current/Min KB mean?
This refers to the size that all objects of this type have grown to,
currently have, and have shrunk to.
6.18 What is the I/O section about?
These are histograms of the number of bytes read from the network per read(2)
call. They are quite useful for determining maximum buffer sizes.
6.19 What is in the Objects section?
Warning: in this section your browser will receive a list
of every URL in the cache, with statistics about each. It can be very, very large.
Sometimes it can be larger than the memory available to your client! You will
probably never need this information.
6.20 What is the VM Objects section for?
VM Objects are the objects held in virtual memory. These objects
have already been downloaded and are kept in memory for fast access.
6.21 What does AVG RTT mean?
Average Round Trip Time. It shows the average time from sending
an ICP ping to the arrival of the reply.
6.22 In the IP cache section, what is the difference between hit, negative
hit and miss?
HIT means the document was found in the cache. MISS means it was not found.
A negative hit means that it was found in the cache, but it does not exist.
6.23 What do the contents of the IP cache section mean?
Hostname is the name to be resolved.
For the Flags column:
- C: Cached.
- N: Not cached.
- P: Request is pending dispatch.
- D: Request has been dispatched and a reply is awaited.
- L: The entry is locked because it acts as a parent or sibling.
The TTL column shows the "Time To Live" (that is, how long
the cache entry remains valid). (It may be negative if the document
has expired.)
The N column is the number of IP addresses the hostname has.
The rest of the line lists the remaining IP addresses belonging to this
IP cache entry.
6.24 How do I analyze memory usage from the cachemgr.cgi data?
Look at the Cache Information page of your cachemgr.cgi.
For example:
    Memory usage for squid via mallinfo():
    Total space in arena: 94687 KB
    Ordinary blocks: 32019 KB 210034 blks
    Small blocks: 44364 KB 569500 blks
    Holding blocks: 0 KB 5695 blks
    Free Small blocks: 6650 KB
    Free Ordinary blocks: 11652 KB
    Total in use: 76384 KB 81%
    Total free: 18302 KB 19%
    Meta Data:
    StoreEntry 246043 x 64 bytes = 15377 KB
    IPCacheEntry 971 x 88 bytes = 83 KB
    Hash link 2 x 24 bytes = 0 KB
    URL strings = 11422 KB
    Pool MemObject structures 514 x 144 bytes = 72 KB ( 70 free)
    Pool for Request structur 516 x 4380 bytes = 2207 KB ( 2121 free)
    Pool for in-memory object 6200 x 4096 bytes = 24800 KB ( 22888 free)
    Pool for disk I/O 242 x 8192 bytes = 1936 KB ( 1888 free)
    Miscellaneous = 2600 KB
    total Accounted = 58499 KB
In the first line, mallinfo() reports that 94M is in use. This
value is close to what top shows (97M).
Of that 94M, 81% (76M) is actually in use at the moment. The rest
has been freed, or has been reserved by malloc(3) and is not yet in use.
Of the 76M in use, 58.5M (76%) can be accounted for. The rest is taken up
by malloc(3) calls.
The Meta Data list shows where the available memory
has gone. 45% went to StoreEntry and storing URL strings.
Another 42% is spent on holding objects in virtual memory while they
are being delivered to clients (Pool for in-memory object).
The pool sizes are set in squid.conf. In version 1.0 they are rather
dumb: a stack of unused pages is kept instead of
freeing the block. For the Pool for in-memory object, the size of this
stack is 1/2 of cache_mem. The size of the Pool for disk I/O
is hard-coded at 200. For MemObject and Request it is 1/8 of
FD_SETSIZE.
If you need to reduce the memory used by the process, we recommend lowering
the maximum object sizes on the 'http', 'ftp' and 'gopher' configuration lines.
You can also reduce cache_mem. But if cache_mem is made
too small, some objects may not get saved to disk under
heavy load. Newer versions of Squid let you set memory_pools
off, which disables the free memory pool.
6.25 What is the fqdncache and how does it differ from the ipcache?
The IPCache holds data for resolving Hostname to IP-Number, and the FQDNCache
holds the reverse data.
For example:
    ==============================================================================
    IP Cache Contents:
    Hostname Flags lstref TTL N [IP-Number]
    gorn.cc.fh-lippe.de C 0 21581 1 193.16.112.73
    lagrange.uni-paderborn.de C 6 21594 1 131.234.128.245
    www.altavista.digital.com C 10 21299 4 204.123.2.75 204.74.103.37 204.123.2.66 204.123.2.69
    2/ftp.symantec.com DL 1583 -772855 0
    Flags:  C --> Cached
            D --> Dispatched
            N --> Not cached
            L --> Locked
    lstref: Time since last use
    TTL:    Time-To-Live until the information expires
    N:      Number of addresses
    ==============================================================================
    FQDN Cache Contents:
    IP-Number Flags TTL(?) N Hostname]
    130.149.17.15 C -45570 1 andele.cs.tu-berlin.de
    194.77.122.18 C -58133 1 komet.teuto.de
    206.155.117.51 N -73747 0
    Flags:  C --> Cached
            D --> Dispatched
            N --> Not cached
            L --> Locked
    TTL:    Time-To-Live
    N:      Number of names
7 Troubleshooting
7.1 Why can't I access the proxy: "Proxy Access Denied"?
If squid is running in httpd-accelerator mode, it forwards all HTTP requests
to the HTTP server but does not act as a proxy. If you want
your cache to handle proxy HTTP requests as well, set the following:
    http_accel_with_proxy on
It is also possible that your ACLs are set incorrectly. Check the access.log
and squid.conf files.
7.2 local_domain does not work.
Squid caches objects from the local domain.
The local_domain directive does not prevent local objects from being cached.
It prevents sibling caches from being used for local objects.
If you do need that, use the cache_stoplist
or http_stop options (depending on the version).
7.3 When my cache tries to fetch an object from a sibling cache,
it gets Connection Refused, even though that cache believes the object
was delivered successfully.
If the ICP port is right but the HTTP port is not, ICP queries will be sent
normally and the ICP replies will make the cache think everything is fine, but
the objects themselves will fail to arrive. If a sibling cache changes its http_port,
you will have the same problem for some time, until you are notified.
7.4 Running out of file descriptors
This happens when the message Too many open files appears. It may be
caused by an operating system with a low number of file descriptors. The
limit can usually be set in the kernel or by other means. There are
two ways to exhaust the file descriptor limit: the first is the per-process
limit, the second is the limit on the total number of descriptors for all processes.
For Linux, there is a patch, filehandle.patch.linux,
by Michael O'Reilly <michael@metal.iinet.net.au>.
For Solaris, add the following to the /etc/system file:
    set rlim_fd_max = 4096
    set rlim_fd_cur = 1024
You should also set #define SQUID_FD_SETSIZE in include/config.h
to the same value as rlim_fd_max. It should not be set lower than
4096.
Solaris select(2) allows only 1024 descriptors;
if you need more, edit src/Makefile and enable $(USE_POLL_OPT).
Then rebuild squid.
For FreeBSD (from Torsten Sturm <torsten.sturm@axis.de>):
- How do I find the maximum number of file descriptors?
  Run sysctl -a and look at the value of kern.maxfilesperproc.
- How do I increase it?
    sysctl -w kern.maxfiles=XXXX
    sysctl -w kern.maxfilesperproc=XXXX
  Warning: when increasing the values, keep the relationship
  maxfiles > maxfilesperproc.
- What is the upper limit?
  I don't think there is a formal limit inside the kernel. After all, the data
  structures are allocated dynamically. In practice, though, odd effects may
  appear (for example, the kernel may spend too much time searching its
  tables).
For most BSD systems (SunOS, 4.4BSD, OpenBSD, FreeBSD, NetBSD, BSD/OS,
386BSD, Ultrix) the problem can be solved by brute force (requires a kernel rebuild):
- How do I find the maximum number of file descriptors?
  Run pstat -T and look at the files value, usually shown
  as the ratio current/maximum.
- How do I increase this value?
  The first method is to increase the maxusers variable in the kernel
  configuration and rebuild the kernel. This is a very quick and easy method, but
  it also increases a number of other variables that you may not need to change.
- Is there a more precise way?
  Find the param.c file in the kernel sources and change the relationship between
  maxusers and the maximum number of open files according to the
  expressions below.
Here are a few examples:
- SunOS:
  Change the value of nfile in /usr/kvm/sys/conf.common/param.c
  by altering the values in this expression:
    int nfile = 16 * (NPROC + 16 + MAXUSERS) / 10 + 64;
  where NPROC is defined as:
    #define NPROC (10 + 16 * MAXUSERS)
- FreeBSD (from kernel 2.1.6 onwards):
  Very similar to SunOS: edit /usr/src/sys/conf/param.c,
  working out the relationship between the maxusers, maxfiles
  and maxfilesperproc variables:
    int maxfiles = NPROC*2;
    int maxfilesperproc = NPROC*2;
  where NPROC is defined as:
    #define NPROC (20 + 16 * MAXUSERS)
  The per-process descriptor limit can also be set in the
  kernel configuration with this directive:
    options OPEN_MAX=128
- BSD/OS (from kernel 2.1 onwards):
  Edit /usr/src/sys/conf/param.c and set maxfiles
  according to:
    int maxfiles = 3 * (NPROC + MAXUSERS) + 80;
  where NPROC is defined as:
    #define NPROC (20 + 16 * MAXUSERS)
  You should also set the OPEN_MAX value to change the
  per-process descriptor limit.
Note: After rebuilding the kernel, you must recompile
Squid. Squid's configure script determines how many file descriptors
are available, so the script has to be run again. For example:
    cd squid-1.1.x
    make realclean
    ./configure --prefix=/usr/local/squid
    make
7.5 My squid periodically dies with an error that it cannot
malloc(3) any more memory, but I have plenty of RAM!
Besides the limit on the number of file descriptors, many systems have
a limit on the amount of memory allocated to a process, especially non-root
processes. BSD/OS has a rather low limit, which you can raise.
Edit the kernel configuration file, adding these lines:
    options DFLDSIZ=67108864 # 64 meg default max data size (was 16)
    options MAXDSIZ=134217728 # 128 meg max data size (was 64)
Rebuild the kernel and reboot the machine.
On Digital UNIX, edit the /etc/sysconfigtab file and add
the lines...
    proc:
        per-proc-data-size=1073741824
Or, in csh, use the limit command...
    zpoprp.zpo.dec.com> limit datasize 1024M
Editing /etc/sysconfigtab requires a reboot, but the
limit command does not.
7.6 What are these strange lines about removing objects?
For example:
    97/01/23 22:31:10| Removed 1 of 9 objects from bucket 3913
    97/01/23 22:33:10| Removed 1 of 5 objects from bucket 4315
    97/01/23 22:35:40| Removed 1 of 14 objects from bucket 6391
These are normal log lines, but they do not mean that squid has reached cache_swap_high.
On the cache information page in cachemgr.cgi, find a line like
this:
    Storage LRU Expiration Age: 364.01 days
Objects that have not been used for that amount of time are removed
as part of regular maintenance. You can set your own LRU
Expiration Age value with reference_age in the configuration
file.
7.7 Why can't I set cache_effective_user
to nobody on Linux?
Several users have reported that they cannot set cache_effective_user
to nobody on Linux, and the server reports:
    FATAL: Don't run Squid as root, set 'cache_effective_user'!
However, if cache_effective_user is set to something other than nobody,
everything is OK. The first solution is to create a user for Squid and set
cache_effective_user to it.
Alternatively, you can change the UID of nobody from 65535 to 65534.
7.8 Can I make a Windows NT FTP server list directories
in Unix format?
Why not! Select the following menu items:
- Start
- Programs
- Microsoft Internet Server (Common)
- Internet Service Manager
Double-click on ftp.
Then select the server (there should be only one), choose
"Properties" from the menu, then the "directories" tab; there will be a "Directory listing
style" option. Choose the "Unix" type, not the "MS-DOS" type.
--Oskar Pearson <oskar@is.co.za>
7.9 Why do ERR_NO_CLIENTS_BIG_OBJ messages appear so often?
This means that the requested object was in "Delete Behind" mode
and the user aborted the transfer. An object goes into "Delete Behind" mode
if it:
- is larger than maximum_object_size
- was fetched from a neighbour cache that has the proxy-only option set.
7.10 Why does Squid need so much memory!?
Squid is so fast, and can handle several requests simultaneously,
because it uses a lot of memory. To begin with, look at these sections of the
FAQ:
You can also improve performance by linking Squid with an external malloc library.
We recommend:
7.11 Why do I get "Ignoring MISS from non-peer x.x.x.x"?
You are receiving ICP MISSes (over UDP) from a parent or sibling cache whose
IP address your cache does not know. This can happen in two cases.
(1) If the other end has several interfaces and the packets come from one that
is not registered in DNS. Strictly speaking, that is their problem. You can tell them either
to register the interface's IP address in DNS, or to use the Squid option 'udp_outgoing_address'.
For example:
    # (the parent cache's squid.conf)
    #
    udp_outgoing_address proxy.parent.com
    # (your squid.conf)
    #
    cache_host proxy.parent.com parent 3128 3130
(2) This message also appears when ICP queries are sent to multicast
addresses. For security, Squid requires the configuration to list
the other caches listening on the multicast group address. If an unknown cache is listening
on that address and sending replies, your cache will log these messages. To
fix this, either tell that cache to stop listening on the address or,
if it is legitimate, add it to your configuration file.
8 How does Squid work?
8.1 What objects are cached?
Internet objects such as a file, a document, or a response to a query from the following
services: FTP, HTTP, or gopher. A client requests an Internet object from the caching
proxy; the proxy server obtains the object (either from the host named in the URL,
or from a parent or sibling cache) and passes it on to the client.
8.2 What is the ICP protocol?
ICP is the protocol used for communication between squid caches. The ICP protocol is described
in the second draft of the Internet Cache Protocol document, located at http://www.nlanr.net/Cache/ICP/ICP-id.txt.
ICP is used primarily within a cache hierarchy to locate specific
objects in sibling caches. If squid does not find the wanted document, it
sends an ICP query to its sibling caches, which in turn respond with ICP
replies of "HIT" or "MISS". The cache then uses
the replies to choose which cache to use to resolve its own MISSes.
ICP also supports multiplexed transmission of multiple objects over a single
TCP connection. ICP currently runs over UDP. Current versions of Squid also
support multicast ICP queries.
8.3 What is the dnsserver?
The dnsserver is a process started by squid to resolve
domain names to IP addresses. It is needed because the
gethostbyname(3) function blocks the calling process until the DNS
query is resolved.
Squid's I/O must not block, so DNS lookups
are carried out in a process external to the main one. The dnsserver processes do not
cache DNS lookups; that is done by squid itself.
8.4 What is the ftpget program for?
The ftpget program is an FTP client used to download files
from FTP servers. Because the FTP protocol is not simple, it is easier to implement
it separately from the main squid code.
8.5 FTP PUT does not work
It looks like FTP put does not work through squid. Can this be fixed
somehow, and/or is any work being done in this direction?
Not at the moment; supporting it would require an ftpput program.
8.6 What is a cache hierarchy? What are parent
and sibling caches?
A cache hierarchy is a structure of caching proxy servers arranged logically
as parent/child and sibling nodes, such that the caches closest
to the Internet link are parents to those further from
the Internet entry point. Parent caches handle the "misses" of their children.
In other words, when a cache requests an object from a parent and the parent does not have
it in its cache, the parent cache fetches the object, caches it, and
passes it to the child. In this way the hierarchy achieves maximum
offloading of the link, reduces the use of external Internet servers, and gives
child caches a higher number of "hits" than the parents,
owing to the larger cache of the latter.
Besides parent/child relationships, squid supports the notion of sibling
caches, that is, caches at the same level of the hierarchy, intended to share
the load. Each cache in the hierarchy decides independently where to fetch
an object from, whether from the server on the Internet or from a parent or sibling cache,
using a simple resolution mechanism. Sibling caches will not fetch
an object on behalf of another cache at the same level to resolve its "miss".
8.7 What is Squid's cache resolution algorithm?
- Send ICP queries to all appropriate sibling caches
- Wait for all replies that arrive within the configured time (two seconds
  by default).
- On receiving the first HIT reply, begin fetching the object, or
- Fetch the object from the first parent cache that replied MISS (subject to
  weighting), or
- Fetch the object from the Internet
The algorithm becomes somewhat more complicated when a firewall is part of the setup.
The single_parent_bypass directive prevents ICP queries from being sent
when the only appropriate sibling cache is a parent (that is,
if there is nowhere else to get the object from, why bother querying?)
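The following is an added example, not part of the original FAQ and not Squid's own code: a simplified model of the resolution steps listed in 8.7, combined with the rule from 7.11 that replies from addresses not configured as peers are ignored. The names, the sample addresses, dropping every reply (HIT as well as MISS) from a non-peer, and ranking parents by arrival time divided by weight are assumptions made for this example.

```python
from typing import List, NamedTuple, Optional, Tuple


class Peer(NamedTuple):
    addr: str         # source address this peer's ICP replies come from
    kind: str         # "parent" or "sibling"
    weight: int = 1   # larger weight = preferred parent (assumed semantics)


class Reply(NamedTuple):
    src: str          # UDP source address of the reply
    opcode: str       # "HIT" or "MISS"
    at_ms: int        # arrival time, measured from when the query was sent


def select_source(peers: List[Peer], replies: List[Reply],
                  timeout_ms: int = 2000, single_parent_bypass: bool = False
                  ) -> Tuple[str, Optional[str], List[str]]:
    """Return (decision, chosen peer address or None, ignored reply sources)."""
    if single_parent_bypass and len(peers) == 1 and peers[0].kind == "parent":
        return "single_parent", peers[0].addr, []   # no ICP query is sent
    by_addr = {p.addr: p for p in peers}
    ignored: List[str] = []
    best_parent: Optional[Tuple[float, str]] = None
    for r in sorted(replies, key=lambda r: r.at_ms):
        if r.at_ms > timeout_ms:
            break                       # replies after the timeout are not used
        peer = by_addr.get(r.src)
        if peer is None:
            ignored.append(r.src)       # the "Ignoring ... from non-peer" case
            continue
        if r.opcode == "HIT":
            return "peer_hit", peer.addr, ignored   # first HIT wins
        if r.opcode == "MISS" and peer.kind == "parent":
            score = r.at_ms / peer.weight           # assumed weighting rule
            if best_parent is None or score < best_parent[0]:
                best_parent = (score, peer.addr)
    if best_parent is not None:
        return "parent_miss", best_parent[1], ignored
    return "direct", None, ignored      # fetch from the Internet


# Constructed sample data (documentation address ranges).
PEERS = [Peer("192.0.2.1", "parent"), Peer("192.0.2.3", "parent", 2),
         Peer("192.0.2.2", "sibling")]
REPLIES = [Reply("203.0.113.9", "HIT", 5),    # not a configured peer
           Reply("192.0.2.2", "MISS", 30),
           Reply("192.0.2.1", "MISS", 40),
           Reply("192.0.2.3", "MISS", 60)]

if __name__ == "__main__":
    print(select_source(PEERS, REPLIES))
```

In the sample, the HIT from 203.0.113.9 arrives first but is dropped because that address is not a configured peer, so the object is fetched from a parent instead.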
8.8 What features are the Squid developers currently
working on?
There are several open projects concerning better automatic load
balancing, (dynamic and static) selection of parent caches,
routing, multicast cache-to-cache communication, and better recognition of URLs
that should not be cached.
The current list of planned features is available at http://squid.nlanr.net/Squid/Devel/todo.html.
Developers of future versions should go to http://squid.nlanr.net/Squid/Devel/.
8.9 Where can I find information about Internet traffic workloads?
Workload can be characterized as the burden a user or
group of users places on a system. Understanding the nature of the workload is very important
in managing system performance. If you are interested in Internet traffic
workloads, start at http://www.nlanr.net/NA/.
8.10 What are the advantages of caching together with the NLANR caching
system?
The advantages of hierarchical caching are reduced link load,
lower access times, and better fault tolerance. Upper-level
caches serve the requests of those below them. If the average hit rate
of a leaf cache is 50%, half of all references from leaf caches have to be handled
through a second-level cache rather than directly from the origin host. If that
second-level cache holds most of the requested documents, there is
a gain; but if the upper-level cache usually does not have the wanted document,
or is overloaded, access time increases instead of decreasing.
8.11 Where can I find information about firewalls?
See the mailing list and FAQ at http://www.greatcircle.com/firewalls/
$Id: footer,v 1.3 1997/03/13 16:19:52 wessels Exp $