lp://staging/~cprov/squid/snap
- Get this branch:
- bzr branch lp://staging/~cprov/squid/snap
Branch merges
- Alex Rousskov: Needs Fixing
- Diff: 204 lines (+188/-0), 3 files modified
  - parts/plugins/x-squid.py (+81/-0)
  - snapcraft.yaml (+24/-0)
  - squid.conf (+83/-0)
Related bugs
Bug #1585056: snapd not give privileges to squid3 | Undecided | Confirmed |
Recent revisions
- 14714. By Alex Rousskov
Do not make bogus recvmsg(2) calls when closing UDS sockets.

comm_empty_os_read_buffers() assumes that all non-blocking
FD_READ_METHODs can read into an opaque buffer filled with random
characters. That assumption is wrong for UDS sockets that require an
initialized msghdr structure. Feeding random data to recvmsg(2) leads to
confusing errors, at best. Squid does not log those errors, but they
are visible in, for example, strace:

    recvmsg(17, 0x7fffbb, MSG_DONTWAIT) = -1 EMSGSIZE (Message too long)

comm_empty_os_read_buffers() is meant to prevent TCP RST packets. The
function now ignores UDS sockets that are not used for TCP.

TODO: Useless reads may also exist for UDP and some TCP sockets.
- 14710. By Alex Rousskov
Fixed Server::maybeMakeSpaceAvailable() logic.

This change fixes logic bugs that mostly affect performance: In micro-tests,
this change gives 10% performance improvement for intercepted
"fast peek at SNI and splice" SslBump configurations. Similar
improvement is expected for future plain HTTP/2 parsers.

maybeMakeSpaceAvailable() is called with an essentially random inBuf.
The method must prepare inBuf for the next network read. The old code
was not doing that [well enough], leading to performance problems.

In some environments, inBuf often ends up having tiny space exceeding 2
bytes (e.g., 6 bytes). This happens, for example, when Squid creates and
parses a fake CONNECT request. The old code often left such tiny inBufs
"as is" because we tried to ensure that we have at least 2 bytes to read
instead of trying to provide a reasonable number of buffer space for the
next network read. Tiny buffers naturally result in tiny network reads,
which are very inefficient, especially for non-incremental parsers.

I have removed the explicit "2 byte" space checks: Both the new and the
old code do not _guarantee_ that at least 2 bytes of buffer space are
always available, and the caller does not check that condition either.
If some other code relies on it, more fixes will be needed (but this
change is not breaking that guarantee -- either it was broken earlier or
was never fully enforced). In practice, only buffers approaching
Config.maxRequestBufferSize limit may violate this guarantee AFAICT, and
those buffers ought to be rare, so the bug, if any, remains unnoticed.

Another subtle maybeMakeSpaceAvailable() problem was that the code
contained its own buffer capacity increase algorithm (n^2 growth).
However, increasing buffer capacity exponentially does not make much
sense because network read sizes are not going to increase
exponentially. Also, memAllocStringmemAllocate() overwrites n^2 growth
with its own logic. Besides, it is buffer _space_, not the total
capacity that should be increased. More work is needed to better match
Squid buffer size for from-user network reads with the TCP stack buffers
and traffic patterns.

Both the old and the new code reallocate inBuf MemBlobs. However, the
new code leaves "reallocate or memmove" decision to the new
SBuf::reserve(), opening the possibility for future memmove
optimizations that SBuf/MemBlob do not currently support.

It is probably wrong that inBuf points to an essentially random MemBlob
outside Server control but this change does not attempt to fix that.
- 14709. By Christos Tsantilas
TLS Authority Key Identifier certificate extension

This patch adds support for mimicking TLS Authority Key Identifier certificate
extension in Squid generated TLS certificates: If the origin server certificate
has that extension, the generated certificate (via the ssl_crtd daemon or
internally) should have the same extension, with the same set of fields if
possible.

This is a Measurement Factory project
- 14707. By Amos Jeffries
Cleanup cppunit detection and use

The cppunit-config tool has apparently been replaced by pkg-config .pc
file years ago and is now in the process of being removed from some OS.
Notably Fedora.

Which means our present way of detecting it for use by "make check" will
increasingly fail.

This converts configure.ac to using the pkg-config method of detection
and updates the --with-cppunit-basedir parameter to --without-cppunit
matching our naming and usage scheme for other similar options. If a
=PATH is explicitly provided cppunit is assumed to exist at that
location without configure-time checking.
- 14706. By Alex Rousskov
Destructed objects that were never born are not alive.

Such objects are typical in partial logs that are missing some
construction events.
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp://staging/~squid/squid/trunk