This repository has been archived by the owner on Dec 1, 2022. It is now read-only.

Normalize squid configuration against OSG upstream #435

Closed
LincolnBryant opened this issue Feb 17, 2021 · 8 comments

@LincolnBryant
Contributor

Today we have a script that customizes squid.conf to do the following:
https://github.com/slateci/slate-catalog/blob/master/stable/osg-frontier-squid/osg-frontier-squid/templates/configmap.yaml#L11-L56

Customizing Squid.conf

What we do today

It first sets the IP range here:

    acl NET_LOCAL src {{ .Values.SquidConf.IPRange }}

Then it sets the monitoring IP range:

    acl HOST_MONITOR src {{ .Values.SquidConf.MonitoringIPRange }}

Then it sets the Cache memory:

    cache_mem {{ .Values.SquidConf.CacheMem }} MB

Then we configure the squid as appropriate depending on whether or not there is 1 worker or N workers:

    {{ if .Values.SquidConf.Workers }}
    workers {{ .Values.SquidConf.Workers }} # multiple worker case
    cache_dir ufs /var/cache/squid/squid${process_number} {{ .Values.SquidConf.CacheSize }} 16 256
    logformat awstats %>a kid${process_number} %un [%{%d/%b/%Y:%H:%M:%S}tl.%03tu %{%z}tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %tr "%{X-Frontier-Id}>h %{cvmfs-info}>h" "%{Referer}>h" "%{User-Agent}>h"
    visible_hostname '`uname -n`'/${process_number}
    {{ else }} # single worker case
    cache_dir ufs /var/cache/squid {{ .Values.SquidConf.CacheSize }} 16 256
    {{ end }}

Then we use some cpu affinity business to pin the squid processes to particular cores:

    {{ if .Values.SquidConf.Cpu_Affinity_Map }}
    cpu_affinity_map {{ .Values.SquidConf.Cpu_Affinity_Map }}
    {{ end }}

Set the logfile rotation:

    {{ if .Values.SquidConf.Logfile_Rotate }}
    logfile_rotate {{ .Values.SquidConf.Logfile_Rotate }}
    {{ end }}

What we need to do

We need to change how we customize squid.conf to follow OSG's upstream image. They have made 3 configuration parameters first class citizens:

  1. squid.conf's acl NET_LOCAL src is set by the environment variable SQUID_IPRANGE. We should remove this customization, and instead populate the environment variable SQUID_IPRANGE in deployment.yaml
  2. Likewise, cache_mem should be set by populating the environment variable SQUID_CACHE_MEM
  3. Finally, cache_dir is set by an environment variable as well: SQUID_CACHE_DISK. This gets more complicated because we have two possible values for it depending on the mode in which squid is running (single worker or multiple workers)

For the configuration parameters that are not exposed as environment variables, we need to write some scripts as per https://github.com/opensciencegrid/docker-frontier-squid/blob/master/squid-customize.sh#L8-L19 that suggest making scripts that live in /etc/squid/customize.d.

We need to write a script that populates the following configuration parameters:

  1. Monitoring IP range, i.e., injects the following config: acl HOST_MONITOR src {{ .Values.SquidConf.MonitoringIPRange }}
  2. CPU affinity map, i.e.,
    {{ if .Values.SquidConf.Cpu_Affinity_Map }}
    cpu_affinity_map {{ .Values.SquidConf.Cpu_Affinity_Map }}
    {{ end }}
  3. Logfile rotation
    {{ if .Values.SquidConf.Logfile_Rotate }}
    logfile_rotate {{ .Values.SquidConf.Logfile_Rotate }}
    {{ end }}
  4. Modify cache dir and workers when we have a user request more than 1 squid worker, i.e., the configuration from here:
    {{ if .Values.SquidConf.Workers }}
    workers {{ .Values.SquidConf.Workers }} # multiple worker case
    cache_dir ufs /var/cache/squid/squid${process_number} {{ .Values.SquidConf.CacheSize }} 16 256
    logformat awstats %>a kid${process_number} %un [%{%d/%b/%Y:%H:%M:%S}tl.%03tu %{%z}tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %tr "%{X-Frontier-Id}>h %{cvmfs-info}>h" "%{Referer}>h" "%{User-Agent}>h"
    visible_hostname '`uname -n`'/${process_number}
    {{ else }} # single worker case
    cache_dir ufs /var/cache/squid {{ .Values.SquidConf.CacheSize }} 16 256
    {{ end }}

I am not sure if this needs to be a pre-awk shell script (i.e., needs to be named customize.d/[0-4]*.sh) or post-awk (customize.d/[5-9]*.sh)

@DrDaveD

DrDaveD commented Feb 17, 2021

I think you've got the basic idea right. However I would think it would be better for you to generate a .awk script and bindmount that in, rather than making it a pre-awk shell script inside the container. The container doesn't have a mechanism for a shell script to generate awk code. (It is possible for the awk script to escape to shell and do any awk code generation wanted there but I don't think that makes things any easier for you.)

@DrDaveD

DrDaveD commented Feb 17, 2021

For example, for number 2 you'd do something like

    {{ if .Values.SquidConf.Cpu_Affinity_Map }}
    setoption("cpu_affinity_map", "{{ .Values.SquidConf.Cpu_Affinity_Map }}")
    {{ end }}

@LincolnBryant
Contributor Author

Thanks @DrDaveD !

@muali14
Contributor

muali14 commented Feb 22, 2021

Hi @DrDaveD,

I am having some difficulty getting the setoption function to work. I added a file "20-slate.awk" under customized.d for testing and its content was:

[root@e9bd680b2c5c squid]# cat customize.d/20-slate.awk 
setoption("cpu_affinity_map", "process_numbers=1,2,3,4 cores=2,3,4,5")
[root@e9bd680b2c5c squid]# 

But it didn't seem to make a difference. I am not sure if I am supposed to add some additional quotes to the above or not?

I tried to run the customize.sh script manually without adding any custom .awk files. The script doesn't return! When I run it in debug mode I get:

$ podman run  -it  opensciencegrid/frontier-squid:fresh bash
[root@104fa09ecbf7 /]# cd /etc/squid/
[root@104fa09ecbf7 squid]# /bin/bash -x ./customize.sh 
++ dirname ./customize.sh
+ cd ./customize.d
+ for f in [0-4]*.sh
+ '[' -f 10-checkvars.sh ']'
+ . 10-checkvars.sh
++ '[' -z '10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 fe80::/10' ']'
++ '[' -z '128 MB' ']'
++ '[' -z 10000 ']'
++ '[' -z /var/cache/squid ']'
++ for f in *.awk
+++ cat 10-stdvars.awk
++ eval 'echo '\''setoption("acl NET_LOCAL src", "'\''$SQUID_IPRANGE'\''")
setoption("cache_mem", "'\''$SQUID_CACHE_MEM'\''")
setoptionparameter("cache_dir", 3, "'\''$SQUID_CACHE_DISK'\''")
setoptionparameter("cache_dir", 2, "'\''$SQUID_CACHE_DISK_LOCATION'\''")'\'''
+++ echo 'setoption("acl NET_LOCAL src", "10.0.0.0/8' 172.16.0.0/12 192.168.0.0/16 fc00::/7 'fe80::/10")
setoption("cache_mem", "128' 'MB")
setoptionparameter("cache_dir", 3, "10000")
setoptionparameter("cache_dir", 2, "/var/cache/squid")'
++ for f in *.awk
+++ cat 90-print.awk
++ eval 'echo '\''print'\'''
+++ echo print
+ awk --file ../customhelps.awk --source '{
setoption("acl NET_LOCAL src", "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 fe80::/10")
setoption("cache_mem", "128 MB")
setoptionparameter("cache_dir", 3, "10000")
setoptionparameter("cache_dir", 2, "/var/cache/squid")
print
}'

Is the above behavior of the script expected? Isn't it supposed to process pre and post awk scripts and any custom .awk files and then return\exit?

@DrDaveD

DrDaveD commented Feb 22, 2021

customize.sh is run by systemctl start frontier-squid with /etc/squid/squid.conf.frontierdefault as stdin and squid.conf there as stdout. So yes if you give it no stdin it is expected to hang. It should execute the custom awk files, yes, but I do not see that you bind-mounted in 20-slate.awk into the podman container example.

@DrDaveD

DrDaveD commented Feb 22, 2021

I don't have podman working but here's what I did with docker:

$ cat 20-slate.awk
setoption("cpu_affinity_map", "process_numbers=1,2,3,4 cores=2,3,4,5")
$ docker run --privileged  -v $PWD/20-slate.awk:/etc/squid/customize.d/20-slate.awk opensciencegrid/frontier-squid:fresh bash
[root@dwdosgdev /]# cd /etc/squid
[root@dwdosgdev squid]# ls -l customize.d
total 44
-rw-r--r--. 1 root root 540 Feb 21 01:04 10-checkvars.sh
-rw-r--r--. 1 root root 221 Feb 21 01:04 10-stdvars.awk
-rw-r--r--. 1 3382 9996  71 Feb 22 19:50 20-slate.awk
-rw-r--r--. 1 root root   6 Feb 21 01:04 90-print.awk
[root@dwdosgdev squid]# ./customize.sh <squid.conf.frontierdefault >squid.conf
[root@dwdosgdev squid]# grep ^cpu_affinity squid.conf
cpu_affinity_map process_numbers=1,2,3,4 cores=2,3,4,5
[root@dwdosgdev squid]#

@muali14
Contributor

muali14 commented Feb 23, 2021

Thanks a lot @DrDaveD
That was very helpful! I did initially mount the .awk file when I was testing on a K8s cluster but I didn't have the file name start with a numeric character. Since that didn't work I started looking into running the customize.sh script manually and testing outside K8s. I thought only pre and post awk script names need to start with a digit but I was wrong. Adding numeric characters to the .awk file name resolved the issue.

Thanks again!
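A simplified model of the fragment assembly visible in the `bash -x` trace above, added here as an illustration and not taken from the thread or from the upstream image. It concatenates `*.awk` fragments in glob order into one awk action, so a fragment whose name sorts after `90-print.awk` runs only after the line has been printed. The `setoption` body, the `build_conf` and `demo` names, and the two-line input config are assumptions made for the example; the real helper lives in `customhelps.awk`.

```shell
#!/bin/sh
# Hypothetical stand-in for the setoption() helper in customhelps.awk:
# rewrite the current line if it sets (or comments out) option `name`.
HELPERS='
function setoption(name, value) {
    if ($0 ~ "^#? *" name "( |$)") $0 = name " " value
}'

# build_conf DIR: join DIR/*.awk in glob (sorted) order into a single awk
# action, as the "for f in *.awk" loop in the trace does, then filter a
# constructed two-line default config through it.
build_conf() {
    body=$(cd "$1" && for f in *.awk; do cat "$f"; echo; done)
    printf '%s\n' '# cpu_affinity_map none' 'cache_mem 128 MB' |
        awk "$HELPERS
{
$body
}"
}

# demo NAME: place the custom fragment under NAME next to 90-print.awk
# and return the resulting config on stdout.
demo() {
    d=$(mktemp -d)
    echo 'print' > "$d/90-print.awk"
    echo 'setoption("cpu_affinity_map", "process_numbers=1,2,3,4 cores=2,3,4,5")' \
        > "$d/$1"
    build_conf "$d"
    rm -rf "$d"
}

# Sorts before 90-print.awk: the option is set, then the line is printed.
demo 20-slate.awk
# Sorts after 90-print.awk: the line is printed first, so the edit is lost.
demo slate.awk
```

Checking the generated `squid.conf` with `grep`, as in the docker session above, is the quickest way to confirm that a mounted fragment actually took effect.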

Mansalu added a commit that referenced this issue Feb 23, 2021
Normalizing squid config against OSG upstream - issue #435
@muali14
Contributor

muali14 commented Apr 19, 2021

This has been addressed, and the chart configurations have been normalized against OSG upstream.

@muali14 muali14 closed this as completed Apr 19, 2021