Description of problem:
squidGuard utilises the CPU too much on Fedora 13. Running as a redirector for squid with 10 children on a quad-core Intel CPU with 4 gigabytes of memory, it stresses the system so much that no process is responsive anymore.

Version-Release number of selected component (if applicable):
squidGuard-1.4-8.fc13.i686
squid-3.1.4-2.fc13.i686

How reproducible:
Always.

Steps to Reproduce:
1. Install squid and squidGuard on Fedora 13.
2. Enable the redirector and 10 children in the squid.conf
3. Add some larger blacklists to squidGuard and observe in top.

Actual results:
After a while, the CPUs become 0.0 idle.

Expected results:
CPU utilization being within acceptable ranges.

Additional info:
Jon,

Can you confirm this bug? I really need help with this. I think that before the upgrade from fc12 to fc13 everything was ok. But I need to know if it is something that I have done wrong, or that it really is some issue with squid + squidGuard running in Fedora 13. This is because squidguard is used here in a production environment to protect a small group of about 50 users. They currently have no protection. SquidGuard logs are being used (sarg) to monitor their behaviour on the net. If it cannot be solved, I need to start thinking about a different alternative, perhaps dansguard.

Regards,
Eddie.
BTW: If I start squid the following is in the messages log:

Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32224): avc: denied { write } for pid=9834 comm="squidGuard" name="tmp" dev=sda2 ino=1267316 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32225): avc: denied { add_name } for pid=9834 comm="squidGuard" name="BDB09834" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32226): avc: denied { create } for pid=9834 comm="squidGuard" name="BDB09834" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32227): avc: denied { read write open } for pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32228): avc: denied { remove_name } for pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32229): avc: denied { unlink } for pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
I think I have found something. If I remove the "adult" section from squidGuard.conf, the problem is gone.
Sorry for the silence, my hair's pretty much been on fire. I can't imagine what would have changed between F-12 and F-13, the version's the same. Is the removal of the adult section still helping?
Yes, it is. Maybe something has changed in the adult list which gives problems when it needs to be processed by squidGuard. I encountered something similar when I tried to use the list from Adblock in squidGuard without converting it first. But I don't know what to look for. The script I use to convert the adblock's easylist is a script I picked up somewhere from the world wide web. It would make things easier if I could use some shell script to check blocking lists on their contents. Is there some sort of script available or do you know how to make it?

Regards,
Eddie.
Is there some documentation available which describes how entries should be made in a blocking list in squidGuard?
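
A shell check of the kind asked for in the thread, added here as an example and not taken from the reporter, the maintainer or the squidGuard project. It assumes a squidGuard domain list holds one bare domain or IP address per line, and flags lines that still carry Adblock filter syntax, URL schemes or paths; the function name check_domainlist and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# check_domainlist FILE: report entries that are not bare host names.
# Assumption (not stated in the thread): a squidGuard domain list holds one
# bare domain or IP address per line, with no scheme, path or filter syntax.
# Prints "line N: reason: text" per finding; returns 1 if anything was found.
check_domainlist() {
    awk '
    function bad(why) { printf "line %d: %s: %s\n", NR, why, $0; n++ }
    { sub(/\r$/, "") }                                   # tolerate CRLF files
    /^$/                         { next }                # blank lines are skipped
    /^!/ || /^\[Adblock/         { bad("adblock comment or header"); next }
    /##|#@#/                     { bad("adblock element-hiding rule"); next }
    /^@@/ || /^[|]/ || /[*$^]/   { bad("adblock filter syntax"); next }
    index($0, "://")             { bad("URL scheme present"); next }
    index($0, "/")               { bad("path present"); next }
    $0 !~ /^[A-Za-z0-9._-]+$/    { bad("character not valid in a host name"); next }
    /^[.]/ || /[.]$/ || /[.][.]/ { bad("empty label"); next }
    END { exit (n > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed sample: valid entries mixed with unconverted Adblock lines.
demo_list=$(mktemp)
cat > "$demo_list" <<'EOF'
[Adblock Plus 2.0]
! Title: constructed sample
good.example.com
||ads.example.net^
example.org##.banner
http://example.com/ads/
example.net/banner
192.0.2.10
bad..example.com
EOF
check_domainlist "$demo_list" || echo "entries listed above need converting or removing"
rm -f "$demo_list"
```

The function only checks domain lists; URL lists and expression lists have different entry forms and would need their own rules.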