Dansguardian 2.12.0.3 Signal 11
-
Well, so far a child process hasn't dropped out, however I now have a load of ntlm failed auth's?
Do you have ntlm auth set? I'ts working and logging some failures or it's not working?
This version is compiled for high load, do you think it's running faster?
-
A link with ? https://bugzilla.mozilla.org/show_bug.cgi?id=828236
-
Well, so far a child process hasn't dropped out, however I now have a load of ntlm failed auth's?
Do you have ntlm auth set? I'ts working and logging some failures or it's not working?
This version is compiled for high load, do you think it's running faster?
I do have ntlm auth set, did have it in conjunction with basic, but it doesnt seem to matter if thats enabled or not.
NTLM auth is working, I am getting usernames in the logs, nobody has complained they cant get on yet… I wonder if its a piece of software attempting to auth..Well, it seems marginally faster. Still getting the occasional redirect not being followed. I have all the tunables in the dansguardian.conf set for "suggested for large site" settings.
I wonder if I should upgrade squid.
-
well, that worked yesterday (despite the ntlm auth errors), but today we are back to the same signal 11's.
I have gone back to 2.12.0.2 for now.
-
I also have some of these errors - although it sounds like you're seeing it more often. I did a little googling and it seems that this issue with DG under freeBSD has existed for a long time. I didn't find any definitive answers, but most suggestions for fixing it centered around changing the DG settings - such as max children, max spare children, and max age of children. I bumped some of these settings up yesterday and will let you know the results…
well, that worked yesterday (despite the ntlm auth errors), but today we are back to the same signal 11's.
I have gone back to 2.12.0.2 for now.
-
With the latest version you can adjust maxchildren (maximun value) with your system
For example on linux :ulimit -n 8192 -> new ./configure option = with-filedescriptors=8192 = dansguardian.conf maxchildren=8192
Maybe this is a clue ? Perhaps this version was compiled with too much high value for the system ? Can you play with ulimit ?
How many process are running when the crash appear ? ps -edf | grep dansguard | wc -l -
With the latest version you can adjust maxchildren (maximun value) with your system
For example on linux :ulimit -n 8192 -> new ./configure option = with-filedescriptors=8192 = dansguardian.conf maxchildren=8192
Maybe this is a clue ? Perhaps this version was compiled with too much high value for the system ? Can you play with ulimit ?
How many process are running when the crash appear ? ps -edf | grep dansguard | wc -lWell you can adjust the max/min children in the conf file, but it didn't seem to make much difference, same config file with the previous version (minus the bits added for that particular version) works. I'm afraid I cant count the processes, rolled back to 2.12.0.2 and don't currently have a dev box running only production.
If I get a chance I will run up a vm for it "later" -
Well you can adjust the max/min children in the conf file, but it didn't seem to make much difference, same config file with the previous version (minus the bits added for that particular version) works. I'm afraid I cant count the processes, rolled back to 2.12.0.2 and don't currently have a dev box running only production.
If I get a chance I will run up a vm for it "later"Yea, I'm still having he problem. About ever other day I get a half dozen or so DG processes ending with signal 11. Are you saying one of the versions doesn't do this? If so, which one?
-
Signal 11 means that the program accessed a memory location that was not assigned to it, the strange thing that there is no problem in Linux (with dansguardian 2.12.0.5)
Please, Can you post your maxchildren value ? More than 1024 ?
And if someone know the value of FD_SETSIZE in types.h (or posix_types.h) and typesizes.h with FreeBSD ?
Also can you post the compilation option (dansguardian -v)No problem at all with 2.12.0.2 ?
Thanks
-
Signal 11 means that the program accessed a memory location that was not assigned to it, the strange thing that there is no problem in Linux (with dansguardian 2.12.0.5)
Please, Can you post your maxchildren value ? More than 1024 ?
And if someone know the value of FD_SETSIZE in types.h (or posix_types.h) and typesizes.h with FreeBSD ?
Also can you post the compilation option (dansguardian -v)No problem at all with 2.12.0.2 ?
Thanks
Based on some notes here http://contentfilter.futuragts.com/wiki/doku.php?id=faq (see FAQ 26b)
I have bumped the following sysctl values (in loader.conf.local):
kern.ipc.shmseg=512
kern.ipc.shmmni=512
kern.ipc.semmni=512
kern.ipc.msgssz=64
kern.ipc.shm_use_phys=1at the moment, I have maxchildren set to 120 and maxsparechildren at 48
-
I am running 2.12.0.3 pkg v.0.1.7_3 and have not seen this issue at all.
All of the setting I am using are the default.
-
I am running 2.12.0.3 pkg v.0.1.7_3 and have not seen this issue at all.
mschiek01 told me some time ago an issue with a specific perl version.
Try to unistall package, remove all perl versions using pkg_delete on console and then try a dansguardian package reinstall.
-
I'm also suffering this issue.
Lots of Signal 11 messages show up when the system is under load - about 40 office users with normal daily activities such as web browsing, email,…
I am using 2.0.2-RELEASE (i386) with patched Dans for web uploads
-
Based on some notes here http://contentfilter.futuragts.com/wiki/doku.php?id=faq (see FAQ 26b)
I have bumped the following sysctl values (in loader.conf.local):
kern.ipc.shmseg=512
kern.ipc.shmmni=512
kern.ipc.semmni=512
kern.ipc.msgssz=64
kern.ipc.shm_use_phys=1at the moment, I have maxchildren set to 120 and maxsparechildren at 48
Still getting them…
I'm not really wanting to try a "reinstall" though... This is a fresh install of pfSense 2.0.3 64 bit and the only packages that I've added are:
-
Cron
-
File Manager
-
vHosts
-
Dansguardian
-
Squid 3
I'm currently using the patched dansguardian 2.12.0.3 (just copied over the executable).
-
-
Please, can you try this latest version and let me know if it works (better) for you ? http://numsys.eu/search.php?search=Squid
-
Please, can you try this latest version and let me know if it works (better) for you ? http://numsys.eu/search.php?search=Squid
I'll compile it and push to my repo.
Fredb, nice to see you on pfsense forum :)
Most work I did on dansguardian 2.12 was for this package on pfsense.
-
Hi,
Your work is included in "my" dansguardian versionI hope, if I can …, rewrite the engine with kqueue for *BSD and epool for Linux and remove the old select() call, maybe this point is a part of problem signal 11
-
2.12.0.6 compiled and pushed to my repo.
amd64
http://e-sac.siteseguro.ws/packages/amd64/8/All/dansguardian-2.12.0.6.tbzi386
http://e-sac.siteseguro.ws/packages//8/All/dansguardian-2.12.0.6.tbzboth complied with maxfiles=8192
Also, I've removed squid ports compile depend. It will not force any squid version anymore.
-
Configuration files http://numsys.eu/dansguardian/
Requires
Proxy timeout
Set tcp timeout between the Proxy and DansGuardian
Min 5 - Max 100
proxytimeout = 20
Proxy header exchange
Set timeout between the Proxy and DansGuardian
Min 20 - Max 300
proxyexchange = 20
Pconn timeout
how long a persistent connection will wait for other requests
squid apparently defaults to 1 minute (persistent_request_timeout),
so wait slightly less than this to avoid duff pconns.
Min 5 - Max 300
pcontimeout = 55
Now you can can disabled some (if) unused values, like maxcontentramcachescansize, I think It should be interesting about signal 11 and a potential memory leak.
-
Configuration files http://numsys.eu/dansguardian/
Requires
Proxy timeout
Set tcp timeout between the Proxy and DansGuardian
Min 5 - Max 100
proxytimeout = 20
Proxy header exchange
Set timeout between the Proxy and DansGuardian
Min 20 - Max 300
proxyexchange = 20
Pconn timeout
how long a persistent connection will wait for other requests
squid apparently defaults to 1 minute (persistent_request_timeout),
so wait slightly less than this to avoid duff pconns.
Min 5 - Max 300
pcontimeout = 55
Now you can can disabled some (if) unused values, like maxcontentramcachescansize, I think It should be interesting about signal 11 and a potential memory leak.
Marcello… are you going to add these config settings to the UI? If I manually add them to the config files, will they be dropped when I save via the UI?
-
Marcello… are you going to add these config settings to the UI?
yes. you can force it on dansguardian.inc near
$proxytimeout=($dansguardian['proxytimeout']?$dansguardian['proxytimeout']:"30");
If I manually add them to the config files, will they be dropped when I save via the UI?
Yes.
-
yes. you can force it on dansguardian.inc near
$proxytimeout=($dansguardian['proxytimeout']?$dansguardian['proxytimeout']:"30");
Thanks - No problem… I'll add them on my setup.
-
yes. you can force it on dansguardian.inc near
The easiest thing to do was to just add them into dansguardian.conf.template - so that's what I did for now.
Up and running with 2.12.0.6 - I'll keep you posted…!!!
Thanks!
-
If You See Something, please try to reduce your unused values to 0
-
If You See Something, please try to reduce your unused values to 0
Besides "maxcontentramcachescansize", which ones are no longer used?
-
Yes, options with maxsomething, for example those for AV scan, but not now please
EDIT: Only those you don't use of courseMax content filter size
Sometimes web servers label binary files as text which can be very
large which causes a huge drain on memory and cpu resources.
To counter this, you can limit the size of the document to be
filtered and get it to just pass it straight through.
This setting also applies to content regular expression modification.
The value must not be higher than maxcontentramcachescansize
The size is in Kibibytes - eg 2048 = 2Mb
use 0 to set it to maxcontentramcachescansize
maxcontentfiltersize = 0 -> If weightedphrasemode = 0
Max content ram cache scan size
This is only used if you use a content scanner plugin such as AV
This is the max size of file that DG will download and cache
in RAM. After this limit is reached it will cache to disk
This value must be less than or equal to maxcontentfilecachescansize.
The size is in Kibibytes - eg 10240 = 10Mb
use 0 to set it to maxcontentfilecachescansize
This option may be ignored by the configured download manager.
maxcontentramcachescansize = 0 if no AV
Max content file cache scan size
This is only used if you use a content scanner plugin such as AV
This is the max size file that DG will download
so that it can be scanned or virus checked.
This value must be greater or equal to maxcontentramcachescansize.
The size is in Kibibytes - eg 10240 = 10Mb
maxcontentfilecachescansize = 0 if no AV
-
OK… good info, but I can't change any of them anyway. I'm using weightedphrasemode=1 and I'm also doing virus scanning...
Thanks
-
kernel: pid 53406 (dansguardian), uid 106: exited on signal 11
Just got another one… :-[
-
Just got another one… :-[
[/quote]How many on older version.
this latest version suports max clients=8192
-
If you play with maxagechildren it change something ?
I mean maxagechildren = 10 more signal 11 than maxagechildren = 15000 ? -
Just got another one… :-[
[/quote]How many on older version.
this latest version suports max clients=8192
So far it doesn't seem like I'm getting as many. I've only had one in the last 24 hours and I was getting a half dozen or so. I'll try playing with MaxAgeChildren as well…
-
Traffic as usual ? more or less ?
-
Traffic as usual ? more or less ?
Haven't been monitoring total traffic well enough to know. I dropped MaxAgeChildren from 4000 down to 1000 after my last post and I got 5 more signal 11's last night…
I'll bump it up to about 8000 and see what happens.
-
Traffic as usual ? more or less ?
Haven't been monitoring total traffic well enough to know. I dropped MaxAgeChildren from 4000 down to 1000 after my last post and I got 5 more signal 11's last night…
I'll bump it up to about 8000 and see what happens.
So If I understand right
With 4000 -> 1
With 1000 -> 4Interresting …
Another question, did you restart DG each day ?
-
Another question, did you restart DG each day ?
I didn't manually restart it… but I believe saving the setting (in the UI) would have at least done a soft restart... and it was 5 of them at 1000.
BTW... Bumped it up to 8000 and had 3 more last night.
-
Ok thank, can you try with 300 ?
There is nothing in the log just before signal 11 , and no complaint from users ?
Are you agree to test a special version which should help us ? I hope without problem … -
BTW… Bumped it up to 8000 and had 3 more last night.
Last night ? Without activity ?
Please restart the process, and take a look for signal 11 (also with soft restart if you can) -
http://numsys.eu/dansguardian/pfsense/ This test package contains two changes
- Fixed dansguardian -N was broken with recent 2.12.0.3
- Change behaviour when a child die (just a test for Freebsd) also add some informations in syslog
I'm focused about child die because DG seem works good although signal 11 is a critical message, so maybe there is a problem only when it exit.
But perhaps I'm wrong and the user just refresh and take an another process, very hard to test without having a working Freebsd …If someone can try, I need
- Just run this version and post here the syslog part with signal 11 , if the problem still present also try to run with dansguardian -N (no background)
But the best way is to make a debug version --with-dgdebug=on and run dg with dansguardian -N /tmp/debug and post the file somewhere (after one signal 11 of course)
Be careful dansguardian -N reduce performance
-
http://numsys.eu/dansguardian/pfsense/ This test package contains two changes
- Fixed dansguardian -N was broken with recent 2.12.0.3
- Change behaviour when a child die (just a test for Freebsd) also add some informations in syslog
I'm focused about child die because DG seem works good although signal 11 is a critical message, so maybe there is a problem only when it exit.
But perhaps I'm wrong and the user just refresh and take an another process, very hard to test without having a working Freebsd …If someone can try, I need
- Just run this version and post here the syslog part with signal 11 , if the problem still present also try to run with dansguardian -N (no background)
But the best way is to make a debug version --with-dgdebug=on and run dg with dansguardian -N /tmp/debug and post the file somewhere (after one signal 11 of course)
Be careful dansguardian -N reduce performance
Is this version compiled to run under freebsd 64 bit?
-
Is this version compiled to run under freebsd 64 bit?
I'ts only the source code.
I've compiled it for amd64. Check on my repo.
http://e-sac.siteseguro.ws/packages/amd64/8/All/dansguardian-2.12.0.6.sig11.tbz