
14. System-Dependent Weirdnesses

14.1 Solaris

select()

select(2) won't handle more than 1024 file descriptors. Compile with -DUSE_POLL if you need more than 1024 descriptors.

malloc

libmalloc.a is leaky. Squid's configure does not use -lmalloc on Solaris.

DNS lookups and nscd

by David J N Begley.

DNS lookups can be slow because of some mysterious thing called nscd. You should edit /etc/nscd.conf and make it say:

        enable-cache            hosts           no

Apparently nscd serialises DNS queries thus slowing everything down when an application (such as Squid) hits the resolver hard. You may notice something similar if you run a log processor executing many DNS resolver queries - the resolver starts to slow.. right.. down.. . . .

DNS lookups and /etc/nsswitch.conf

by Jason Armistead.

The /etc/nsswitch.conf file determines the order of searches for lookups (amongst other things). You might only have it set up to allow NIS and HOSTS files to work. You definitely want the "hosts:" line to include the word dns, e.g.:

        hosts:      nis dns [NOTFOUND=return] files 

DNS lookups and NIS

by Chris Tilbury.

Our site cache is running on a Solaris 2.6 machine. We use NIS to distribute authentication and local hosts information around and in common with our multiuser systems, we run a slave NIS server on it to help the response of NIS queries.

We were seeing very high name-ip lookup times (avg ~2sec) and ip->name lookup times (avg ~8 sec), although there didn't seem to be that much of a problem with response times for valid sites until the cache was being placed under high load. Then, performance went down the toilet.

After some time, and a bit of detective work, we found the problem. On Solaris 2.6, if you have a local NIS server running (ypserv) and you have NIS in your /etc/nsswitch.conf hosts entry, then check the flags it is being started with. The 2.6 ypstart script checks to see if there is a resolv.conf file present when it starts ypserv. If there is, then it starts it with the -d option.

This has the same effect as putting the YP_INTERDOMAIN key in the hosts table -- namely, that failed NIS host lookups are tried against the DNS by the NIS server.

This is a bad thing(tm)! If NIS itself tries to resolve names using the DNS, then the requests are serialised through the NIS server, creating a bottleneck (This is the same basic problem that is seen with nscd). Thus, one failing or slow lookup can, if you have NIS before DNS in the service switch file (which is the most common setup), hold up every other lookup taking place.

If you're running in this kind of setup, then you will want to make sure that

  1. ypserv doesn't start with the -d flag.
  2. you don't have the YP_INTERDOMAIN key in the hosts table (find the B=-b line in the yp Makefile and change it to B=)

We changed these here, and saw our average lookup times drop by up to an order of magnitude (~150msec for name-ip queries and ~1.5sec for ip-name queries, the latter still so high, I suspect, because more of these fail and timeout since they are not made so often and the entries are frequently non-existent anyway).

Tuning

Solaris 2.x - tuning your TCP/IP stack and more by Jens-S. Vöckler

14.2 FreeBSD

T/TCP bugs

We have found that with FreeBSD-2.2.2-RELEASE, there are some bugs with T/TCP. FreeBSD will try to use T/TCP if you've enabled the "TCP Extensions." To disable T/TCP, use sysinstall to disable TCP Extensions, or edit /etc/rc.conf and set

        tcp_extensions="NO"             # Allow RFC1323 & RFC1644 extensions (or NO).

or add this to your /etc/rc files:

        sysctl -w net.inet.tcp.rfc1644=0

mbuf size

We noticed an odd thing with some of Squid's interprocess communication. Often, output from the dnsserver processes would NOT be read in one chunk. With full debugging, it looks like this:

1998/04/02 15:18:48| comm_select: FD 46 ready for reading
1998/04/02 15:18:48| ipcache_dnsHandleRead: Result from DNS ID 2 (100 bytes)
1998/04/02 15:18:48| ipcache_dnsHandleRead: Incomplete reply
....other processing occurs...
1998/04/02 15:18:48| comm_select: FD 46 ready for reading
1998/04/02 15:18:48| ipcache_dnsHandleRead: Result from DNS ID 2 (9 bytes)
1998/04/02 15:18:48| ipcache_parsebuffer: parsing:
$name www.karup.com
$h_name www.karup.inter.net
$h_len 4
$ipcount 2
38.15.68.128
38.15.67.128
$ttl 2348
$end

Interestingly, it is very common to get only 100 bytes on the first read. When two read() calls are required, this adds additional latency to the overall request. On our caches running Digital Unix, the median dnsserver response time was measured at 0.01 seconds. On our FreeBSD cache, however, the median latency was 0.10 seconds.
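
The "Incomplete reply" case in the log above, as an added example (not Squid's own code): a reader that accumulates each read() and only parses once the $end line has arrived. The names reply_buf, reply_feed and reply_field are hypothetical, and the input is the 109-byte reply from the log, split as 100 + 9 bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define REPLY_MAX 1024

/* Hypothetical accumulator for one dnsserver reply (not Squid's own type). */
struct reply_buf { char data[REPLY_MAX]; size_t used; };

/* Append the bytes from one read(). Returns 1 once a "$end" line has
 * arrived, 0 while the reply is incomplete, -1 if it would overflow. */
int reply_feed(struct reply_buf *rb, const char *chunk, size_t len)
{
    if (len >= REPLY_MAX - rb->used)
        return -1;                  /* keep room for the trailing NUL */
    memcpy(rb->data + rb->used, chunk, len);
    rb->used += len;
    rb->data[rb->used] = '\0';
    for (const char *p = strstr(rb->data, "$end\n"); p;
         p = strstr(p + 1, "$end\n"))
        if (p == rb->data || p[-1] == '\n')
            return 1;               /* terminator at the start of a line */
    return 0;
}

/* Integer value of a "$key value" line, or -1 if the key is absent. */
long reply_field(const struct reply_buf *rb, const char *key)
{
    size_t klen = strlen(key);
    const char *p = rb->data;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ' ')
            return strtol(p + klen + 1, NULL, 10);
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Constructed input: the 109-byte reply from the log above. */
static const char SAMPLE[] =
    "$name www.karup.com\n$h_name www.karup.inter.net\n$h_len 4\n"
    "$ipcount 2\n38.15.68.128\n38.15.67.128\n$ttl 2348\n$end\n";

int main(void)
{
    struct reply_buf rb = { .used = 0 };
    int first = reply_feed(&rb, SAMPLE, 100);       /* first read() */
    int second = reply_feed(&rb, SAMPLE + 100, 9);  /* second read() */
    printf("%d %d ttl=%ld\n", first, second, reply_field(&rb, "$ttl"));
    return 0;
}
```

Parsing before reply_feed() returns 1 would give wrong data here: after the first 100 bytes the buffer ends in "$ttl 2", which reads as a TTL of 2 rather than 2348.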

Here is a simple patch to fix the bug:

===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_socket.c,v
retrieving revision 1.40
retrieving revision 1.41
diff -p -u -r1.40 -r1.41
--- src/sys/kern/uipc_socket.c  1998/05/15 20:11:30     1.40
+++ /home/ncvs/src/sys/kern/uipc_socket.c       1998/07/06 19:27:14     1.41
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *     @(#)uipc_socket.c       8.3 (Berkeley) 4/15/94
- *     $Id: FAQ.sgml,v 1.40 1998/08/11 22:34:23 wessels Exp $
+ *     $Id: FAQ.sgml,v 1.40 1998/08/11 22:34:23 wessels Exp $
  */
 
 #include <sys/param.h>
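Review bot: The `$Id` lines in this first hunk are identical on the `-` and `+` sides and name FAQ.sgml rather than uipc_socket.c, so the RCS keyword appears to have been re-expanded when the patch was checked into the FAQ. As shown, the hunk changes nothing and its `-` line will not match the kernel source; drop this hunk and apply only the second one, or regenerate the diff with keyword expansion suppressed.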
@@ -491,6 +491,7 @@ restart:
                                mlen = MCLBYTES;
                                len = min(min(mlen, resid), space);
                        } else {
+                               atomic = 1;
 nopages:
                                len = min(min(mlen, resid), space);
                                /*
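Review bot: The added `atomic = 1;` in the `else` branch has no comment explaining why sends on this path should be treated as atomic, and it sits directly above the `nopages:` label, so any jump to that label reaches `len = min(min(mlen, resid), space);` without the assignment. Add a short comment stating the intent and confirm that leaving `atomic` unchanged on the label path is deliberate.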

Another technique which may help, but does not fix the bug, is to increase the kernel's mbuf size. The default is 128 bytes. The MSIZE symbol is defined in /usr/include/machine/param.h. However, to change it we added this line to our kernel configuration file:

        options         MSIZE="256"

Dealing with NIS

/var/yp/Makefile has the following section:

        # The following line encodes the YP_INTERDOMAIN key into the hosts.byname
        # and hosts.byaddr maps so that ypserv(8) will do DNS lookups to resolve
        # hosts not in the current domain. Commenting this line out will disable
        # the DNS lookups.
        B=-b

You will want to comment out the B=-b line so that ypserv does not do DNS lookups.

14.3 OSF1/3.2

If you compile both libgnumalloc.a and Squid with cc, the mstats() function returns bogus values. However, if you compile libgnumalloc.a with gcc, and Squid with cc, the values are correct.

14.4 BSD/OS

gcc/yacc

Some people report difficulties compiling Squid on BSD/OS.

14.5 Linux

Cannot bind socket FD 5 to 127.0.0.1:0: (49) Can't assign requested address

Try a different version of Linux. We have received many reports of this "bug" from people running Linux 2.0.30. The bind(2) system call should NEVER give this error when binding to port 0.

FATAL: Don't run Squid as root, set 'cache_effective_user'!

Some users have reported that setting cache_effective_user to nobody under Linux does not work. However, it appears that using any cache_effective_user other than nobody will succeed. One solution is to create a user account for Squid and set cache_effective_user to that. Alternately you can change the UID for the nobody account from 65535 to 65534.

Another problem is that RedHat 5.0 Linux seems to have a broken setresuid() function. There are two ways to fix this. Before running configure:

        % setenv ac_cv_func_setresuid no
        % ./configure ...
        % make clean
        % make install

Or after running configure, manually edit include/autoconf.h.in and change the HAVE_SETRESUID line to:

        #define HAVE_SETRESUID 0

