* Wed Aug 31 2016 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-27.1
- Upgrade to frontier-squid-2.7.STABLE9-27 tarball which has the
following release notes:
- When using compressed logs and SQUID_CLEAN_CACHE_ON_START is true
(both of which are default), then truncate the swap.state file
in ufs cache directories each time logs are rotated. Otherwise the
file grows without bounds.
- When using the 'restart' function, clean ufs cache directories the
same way as when doing 'start'.
- Change the default cache_dir size in squid.conf.proto to 10000 MB in
case someone deletes the default 10000 MB line in customize.sh.
* Fri Jun 17 2016 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-26.1
- Upgrade to frontier-squid-2.7.STABLE9-26 tarball which has the
following release note:
- Change default minimum_expiry_time to 0 seconds. Without this
change, squid will not cache any objects that are loaded for the
first time during the last minute of their lifetime; instead, all
requests for that object during that minute are sent upstream. It
only affects squids that are fed by other squids.
* Thu May 12 2016 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-25.1
- Upgrade to frontier-squid-2.7.STABLE9-25 tarball which has the
following release notes:
- Apply fix for reported security vulnerability CVE-2016-4554. It
is only for transparent proxies which is not the way frontier-squid
is normally used, but the patch is applied just in case. Also
discussed in http://bugs.squid-cache.org/show_bug.cgi?id=4501
and http://bugs.squid-cache.org/show_bug.cgi?id=4515.
- Add hepvm.cern.ch to the MAJOR_CVMFS acl.
* Wed Sep 02 2015 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-24.2
- Add creation of config file in /usr/lib/tmpfiles.d to create /run/squid
directory on reboot of EL7-based systems.
* Thu Jun 04 2015 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-24.1
- Upgrade to frontier-squid-2.7.STABLE9-24 tarball which has the
following release note:
- Fix the disabling of log compression with the SQUID_COMPRESS_LOGS=false
setting. The variable was not being honored in the nightly log rotate
cron, so log compression still happened at night. It was being
honored in the every 15 minute check, so if the maximum log size
was reached during the day it removed all the compressed files
that were rotated overnight, losing log history.
* Thu Apr 23 2015 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-23.1
- Upgrade to frontier-squid-2.7.STABLE9-23 tarball which has the
following release notes:
- Back out the dividing up of file descriptors between multiple squids
that was added in frontier-squid-2.7.STABLE9-20. It was based on a
confusion over how the limit worked; the file descriptor limit works
per process and not per user.
- Support new configuration option SQUID_MULTI_PEERING=false to not
insert cache_peer parent settings when there are multiple squids.
By default when there are multiple squids, any squid other than the
first one reads from the first one like it always used to.
- Support using multiple squids for a reverse proxy. Formerly it
clobbered the http_port and cache_peer parent settings when using
multiple squids. Now it preserves any extra parameters on
http_port and sets SQUID_MULTI_PEERING=false if a cache_peer parent
setting already exists.
- Support awstats with multiple squids: invoke run_awstats.sh if it
exists (installed by frontier-awstats rpm) for the logs of all of
the squids and not just the first one. Requires frontier-awstats
rpm version 6.9-3.2 or newer to work properly.
- Don't invoke awstats if SQUID_SUFFIX is set (that is, in the
frontier-squid2 rpm) so it won't get invoked twice when it
is installed simultaneously with frontier-squid.
- Support a "daemon:" prefix on access_log and cache_log, a poorly
documented squid feature that uses a separate process to handle
writing to log files so the main squid process doesn't have to
wait for disk I/O. This was added because log compression was
observed on one machine to interfere with squid I/O accesses.
Make this the default for access_log.
- Run log rotation with ionice -n7.
* Sat Jan 31 2015 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-22.1
- Upgrade to frontier-squid-2.7.STABLE9-22 tarball which has the
following release notes:
- Apply patch from Debian that was backported from a denial of
service vulnerability reported for squid3 in CVE-2014-3609,
having to do with an invalid "Range" header request.
- Make slight correction to MAJOR_CVMFS acl regular expression.
- Expand the server names allowed at RAL in the ATLAS_FRONTIER acl.
- On final un-install, remove the generated configuration files used
for running multiple squids at /etc/squid/.squid-*.conf
* Thu Dec 04 2014 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-21.1
- Upgrade to frontier-squid-2.7.STABLE9-21 tarball which has the
following release notes:
- Fix redirection of stderr in the hourly and daily crons so error
messages properly go to squidcron.log.
- Only require the minimum 4096 file descriptors when doing one
of the commands that contain "start" (that is, "start", "restart",
or "condrestart") with multiple squids.
- Add the script that generates squid.conf to the list of files that
trigger regenerating squid.conf if they're newer than squid.conf.
- Only generate the per-squid configuration files used with multiple
squids when squid.conf is newer than them.
* Fri Nov 07 2014 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-20.1
- Upgrade to frontier-squid-2.7.STABLE9-20 tarball which has the
following release notes:
- Increase the maximum number of squids that may be started from 4
to 16
- When running N > 1 squids, limit each squid to the hard limit on
file descriptors divided by N. This limiting greatly reduces or
eliminates the number of failed accesses to cache files indicated
by TCP_SWAPFAIL_MISS entries in access.log. Require a minimum of
4096 file descriptors for each squid, unless customize.sh sets a
value below the calculated limit.
- Support use of SQUID_SUFFIX to add a suffix to all the files.
This is not supported for use in the standalone tarball, just
for use within an rpm.
- Add logrotate as a dependency
* Wed Sep 17 2014 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-19.1
- Upgrade to frontier-squid-2.7.STABLE9-19 tarball, which has the
following release notes:
- Make the default SQUID_MAX_ACCESS_LOG be 5G instead of 1G unless
log compression is disabled. This should take about the same
maximum space (~11Gbytes) as uncompressed log files did with a
max size of 1G.
- Add the TRIUMF CVMFS stratum 1 to the list in MAJOR_CVMFS.
* Thu Sep 04 2014 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-18.1
- Upgrade to frontier-squid-2.7.STABLE9-18 tarball, which has the
following release notes:
- Protect rotate operations with a lock, because now that they
compress files they can take a long time. This is especially
important for the one minute between the daily cron and the
first hourly cron.
- Fix bug introduced in last release where if access_log is set to
"none", the cache log is rotated every 15 minutes.
* Sat Aug 23 2014 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-17.1
- Remove the cache when doing a full uninstall
- When $FRONTIER_USER is not the default value 'squid', automatically
manage the /etc/cron.d/frontier-squid.cron.rpmnew file that is always
created
- Upgrade to frontier-squid-2.7.STABLE9-17 tarball, which has the
following release notes:
- Update the CERN Hungary Data Center's LHCOPN IP address range in
the HOST_MONITOR access control list from the incorrect
188.185.0.0/17 to the correct 188.184.128.0/17 and 188.185.128.0/17.
- Add commented-out acls CMS_FRONTIER, ATLAS_FRONTIER, and MAJOR_CVMFS
that can be uncommented and used in place of RESTRICT_DEST to
restrict outgoing connections to the corresponding servers. This
allows updating the lists via frontier-squid package upgrades
rather than requiring individual administrators to know how to keep
the lists up to date.
- Include the real time zone in the access.log timestamp instead of
always +0000, and include milliseconds after the seconds.
- Add the "cvmfs-info" header to the same double-quoted log entry that
now has "X-Frontier-Id". Since no client sends both headers, only
one will show at a time; frontier entries will end with " -" and
cvmfs entries will start with "- ". Cvmfs clients currently only
send cvmfs-info if configured with CVMFS_SEND_INFO_HEADER=yes so
if that's not the case their log entries will show "- -".
- Accept SQUID_MAX_ACCESS_LOG as the variable setting the maximum
access log file size in place of LARGE_ACCESS_LOG (which is still
accepted for backward compatibility). Also if the value ends in
'M' it indicates megabytes and if it ends in 'G' it indicates
gigabytes; the default is bytes.
- Run the "hourly" cron 4 times an hour, to catch faster when a log
file has gone over the max size limit.
- Compress log files by default, using logrotate. If environment
variable SQUID_COMPRESS_LOGS is exported and set to 'false', fall
back to the previous method of telling squid to rotate the log
files without compression. In either case the logfile_rotate
configuration parameter is used to define the maximum number of
rotated files. If frontier-awstats is also installed, the first
file is left uncompressed. When switching either way between
compressed and uncompressed, removes all log files of the old type.
- Rotate cache.log even if the access_log configuration parameter is
"none".
- Add a new "removecache" option to the init script to simply remove
all of the cache, for use when removing the package.
* Sat May 11 2013 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-16.1
- Fix /etc/init.d/frontier-squid so if an alternate $FRONTIER_USER is
set in /etc/squid/squidconf, then it will verify the existence of
that user's home directory rather than the squid user's home directory.
- Update to frontier-squid-2.7.STABLE9-16 tarball which rearranged the
/etc/init.d script to be easier to modify at post-install time by
the rpm, and which changed the delay after starting squid from 3 to
10 seconds before checking to see if it is running. That was the
previous delay before the changes in the last release, and a system
with 2 squids and slow disk access while cleaning cache in the
background apparently didn't get started within 3 seconds.
* Fri May 10 2013 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-15.1
- Create the squid user's home directory if it doesn't exist at install
time, because on RHEL6-derived systems a missing home directory prevents
cron from running the squid log rotation.
- Update to frontier-squid-2.7.STABLE9-15 tarball which has the following
release notes:
- Put squidcron.log in the same directory as cache.log rather than
access.log, in case the access_log option is set to "none". In
the previous version it would put squidcron.log in the squid
user's home directory if access_log was "none".
- Change the init.d startup script to abort with an error message if
the squid user's home directory does not exist, because on
RHEL6-derived systems if a user's home directory doesn't exist then
cron won't run the user's jobs.
- Run squid without the -S option so it will never run an audit of
the cache files. During a normal start the cache is deleted so
it doesn't matter, and the audit operation can take a very long
time on a large cache during a restart. Also an analysis showed
that the typical types of errors the audit catches (missing files)
are survivable.
- Allow multiple background cache cleans to be happening at the same
time, in case the cache is very large and someone does multiple
stop/start operations.
- Add environment variable SQUID_CLEAN_CACHE_ON_START which defaults
to true and when set to false prevents clearing the cache on start.
It can be set and exported in the package's /etc/sysconfig file.
* Thu Feb 07 2013 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-13.5
- Change /var/cache/squid and /var/log/squid to be %ghost and created in
the post install step in case someone had relocated them with a symlink.
A symlink in one of those places with the previous version caused the
target of the symlink to get changed to root ownership.
* Tue Feb 05 2013 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-13.4
- Add /var/cache/squid, /var/log/squid, and /var/run/squid to the list
of directories installed; they had been accidentally left out
* Tue Feb 05 2013 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-13.3
- Change the chkconfig behavior to more precisely match Redhat squid's
package; an administrator will now have to do "chkconfig frontier-squid on"
instead of "chkconfig --add frontier-squid"
- Do a few other internal cleanup things to frontier-squid.spec
* Sat Feb 02 2013 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-13.2
- Make /etc/squid/squid.conf a %ghost file so if someone is upgrading
from a non-frontier squid it won't be overwritten
* Sat Feb 02 2013 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-13.1
- Update to frontier-squid-2.7.STABLE9-13 tarball which moves the
output of cron jobs from daily.log in the directory the cron scripts
are in (/etc/squid/cron) to the directory of the other squid
logs (default /var/log/squid).
- Remove the ability to use --prefix at rpm install time to
relocate, because this greatly simplifies the rpm code including
no longer needing to install .proto files with the package.
- Change the cron jobs from being run from the squid user's
/var/spool/cron (crontab) file to instead being run from
/etc/cron.d/frontier-squid.cron.
- When a user id (default "squid") needs to be created, create it
as a system account (that is, with a UID lower than the value of
UID_MIN in /etc/login.defs).
- If the requested group (default "squid") is missing, create it
just like a missing user id.
- Set the ownership of all files under /etc/squid to be the squid
user instead of leaving some as root.
- Remove execute permission from files in /etc/squid that don't
need it.
- Remove bogus squid doc files from /usr/share/doc.
- Move the restart of a running process from the post-uninstall to the
post-install actions. Note: this has a side effect of causing it to
restart twice the first time a package is upgraded from the previous
style to this style.
- Move the release notes to the rpm changelog.
* Sat Jan 26 2013 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-12.1
- Update to frontier-squid-2.7.STABLE9-12 tarball which only
changes a comment in customize.sh so it can make more sense for
the rpm
- Change initial install to not start squid or do chkconfig -add
to match what the standard Redhat squid rpm does
- Change upgrades so squid will only be restarted if it was
running at the time of the upgrade
- Fix bug that prevented stopping squid when removing the rpm
while squid is running
* Tue Jan 15 2013 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-11.1
- Update to frontier-squid-2.7.STABLE9-11 tarball, which adds the
Referer and User-Agent headers to the default logformat, and
includes the upstream squid source so it self-contained.
- Fix a rpm spec bug that kept rpmbuild -ba from working
* Sat Dec 22 2012 Dave Dykstra <dwd@fnal.gov> 2.7.STABLE9-10.1
- Update to frontier-squid-2.7.STABLE9-10 tarball, which changes
the default SNMP monitoring addresses accepted to be all of the
WLCG addresses at the main CERN center and the backup CERN
Hungary data center, and disables the ICP port by default
- Remove sl5 from the rpm name, as the rpm works for both sl5 & sl6
* Thu Sep 06 2012 David Front <dfront@gmail.com> 2.7.STABLE9-8.1
- Change the init.d 'rotate' command to first remove the oldest log
files, rather than asking squid to do it, because it can take a long
time to delete large access logs and squid stops servicing requests
during the rotate process.
* Fri Aug 03 2012 David Front <dfront@gmail.com> 2.7.STABLE9-7.1
- Use a fix of Dave Dykstra: fixed a small bug in the frontier-squid tarball
that prevented the hourly cron from reading /etc/sysconfig/frontier-squid
for the setting of the LARGE_ACCESS_LOG variable, so it was impossible for
the user to be able to control the size of the log files kept.
* Wed Jun 27 2012 David Front <dfront@gmail.com> 2.7.STABLE9-6.1
- Use new release of frontier-squid tarball. The most significant
new feature is that multiple squids can be started on the same
port. For details of that feature and other tarball changes, see
http://frontier.cern.ch/dist/frontier-squid-releasenotes.txt
- Use more of the tarball directly, especially the proto files
- Use the full version of the rpm to identify the squid process in
SNMP monitoring
- A small technical change at the spec file to support source rpms for
frontier rpms
- Use symbolic link to unproto.sh to simplify source tar ball creation
* Thu Jun 14 2012 David Front <dfront@gmail.com> 2.7.STABLE9-5.24
- Following the recommendation of Dave Dykstra, change /etc/squid/squid.conf
to be %ghost at the spec file, and hence not installed by the rpm
but yes removed at rpm uninstall. As a result, the one line place
holder of this file is no more needed, and also no need to check for
small file when testing if this config file should be regenerated,
at fn-local-squid.sh.proto.
* Thu Apr 19 2012 David Front <dfront@gmail.com> 2.7.STABLE9-5.23
- Change the default NET_LOCAL at /etc/squid/customize.sh to be
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 rather than 0.0.0.0/32
Related: At release notes for frontier-squid-2.7.STABLE9-5:
at http://frontier.cern.ch/dist/frontier-squid-releasenotes.txt:
Remove the hidden default of always allowing incoming access to
private network addresses 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16.
Instead, make that default explicit in the first customize.sh that
is generated so if the administrator doesn't want that it can be
easily changed.
* Thu Dec 22 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.22
- Change $AWSTATS_SCRIPT at fn-local-squid.sh.proto
from /etc/awstats/squid_rotate_run_awstats.sh
to /etc/awstats/run_awstats.sh
* Wed Dec 21 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.21
- Undo the following, from frontier-squid-2.7.STABLE9-5.15, because
not accepted by Dave Dykstra:
'Create squid.conf only if it does not exist or at start, not at
stop or status.'
Hence, once squid.conf has to be recreated, it will be created at
each call to fn-local-squid.sh.
A (unpleasent) consequence of this:
If fontier-squid is running,
and any of the following variables is going to be changed at the new
configuration:
1 CACHE_DIR
2 CACHE_LOG
3 ACCESS_LOG
4 PID_FILENAME
the new configuration that will be created at
service frontier-squid stop
will not be aware of the previou related value,
and as a result may cause various failures.
This rare situation should be handled manually by the administrator.
The following help file may be consulted to do this:
http://frontier.cern.ch/dist/rpms/frontierRpmInstallationError.txt
* Mon Dec 19 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.20
- Conditionally call the awstats script, if it exists,
to prevent related bugs and simplify the code
* Mon Dec 12 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.19
- src/frontier-squid-utils/bin/fn-local-squid.sh.proto:
Fix bug, change for $PIDINODE, as suggested by Dave Dykstra, at
https://savannah.cern.ch/bugs/?89488#comment32
* Fri Dec 09 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.18
- Apply patch by Dave Dykstra on frontier-squid-utils/bin/fn-local-squid.sh.proto:
https://savannah.cern.ch/support/download.php?file_id=22825
* Wed Nov 30 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.17
- Attempt to complete supporting rpm verify, command:'rpm -V':
-- Do not remove *.unproto files (after usage).
-- Do less attribute checks to files:
/etc/squid/cachemgr.conf
/etc/squid/customize.sh
/etc/squid/squid.conf
* Mon Nov 28 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.16
- Supporting rpm verify, command:'rpm -V':
-- Add the prefix '%verify(not user group)' to each %files entry,
in order to prevent complaints from 'rpm -V', like:
.....UG. <fileName>
-- Note, however, that 'rpm -V' may still create misleading complaints like:
missing ... <fileName>.proto
* Wed Nov 23 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.15
- Change default pid_filename to be /var/run/squid/squid.pid
- Change directory and file defaults: ownership to be:
frontierUser:frontierGroup, and mode to be: 755
- Attempt to correct bug: replace squid.conf.default by
squid.conf.proto at src/frontier-squid-utils/etc
- Refuse to answer a service status query while building a configuration
file
- Create squid.conf only if it does not exist or at start, not at stop
or status
- Fix bug at postinstall.sh, previously attempted to stop non existing
service: squid
* Fri Nov 11 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.14
- Fix bugs related to frontier group and automicatic creation of
default log, run and cache dirs.
- If /etc/squid/squidconf file is missing, do not create it but rather
assume that the forntier user is squid
* Fri Oct 28 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.13
- The group of frontier user is not controlled anymore.
(Whatever group this user has, is used for chmod files from root to
frontier user.)
* Mon Oct 24 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.12
- Commenting out error if /etc/squid/squid.conf is writable
* Sat Oct 22 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.11
- %defaultsquidgroup should be 'squid' and not 'users', as it was by
mistake previously
- Change the default of logs dir to be under standard /var/log rather
than /var/logs as it used to be
- Avoid directory names that begin by //
* Fri Sep 23 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.10
- Do clean cache at initial restart
* Wed Sep 21 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.9
- Attempt to handle an installation error related to a (mysterious)
/etc/init.d/frontier-squid.sh sybmolic link by taking care to rm
such files at rpm remove
* Tue Sep 20 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.8
- Another code change attempting to avoid recursive erasal of / at rpm
upgrade
- rpm rearranged to use the files at frontier-squid tarball as much as
possible, avoid duplicating such files where not needed
- Fix failure to upgrade frontier-squid rpm while previous release is running,
by replacing the command /sbin/service frontier-squid start
by the command /sbin/service frontier-squid restart
at postinstall.sh, in this case
- In case of failure at %post, change the error messages to be more clear,
referring to 'as if' installed, as explained at
http://frontier.cern.ch/dist/rpms/frontierRpmInstallationError.txt
* Sat Aug 13 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.7
- Attempt to avoid recursive erasal of / at rpm upgrade
* Sat Jul 30 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.6
- Fix bug: Change order of post install operations, to prevent
possible attempt to refer to file /etc/squid/squid.conf before it
has been created.
- Instead of removing /etc/squid/squid.conf.old at rpm uninstall, do:
/bin/mv /etc/squid/squid.conf.old `mktemp /tmp/squid.conf.oldXXXX`
* Thu Jul 28 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.5
- Fix bug at fn-local-squid.sh.template that prevents log rotation of
squid logs if awstats rpm is not installed
* Thu Jul 21 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.4
- For #3 at https://savannah.cern.ch/bugs/?77447:
Like, squid standard rpm, do create the user with the safest
permission (nologin as shell and no password).
- Support non /data base dir (edited at /etc/squid/customize.sh)
* Sat Jun 11 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.3
* Thu Apr 21 2011 David Front <dfront@gmail.com> 2.7.STABLE9-5.2
- Initial release
Originating from http://grid-deployment.web.cern.ch/grid-deployment/flavia/frontier-squid-2.7.STABLE9-5.1.sl5.src.rpm
Changes:
- Added examples for customize.sh:
/etc/squid/customize.sh.example_launchpad_CERN
/etc/squid/customize.sh.example_non_launchpad_CERN