tac_plus forks multiple perl childs #87
-
|
Hello Marc. root 7262 1 0 14:34 ? 00:00:00 tac_plus: 0 connections, accepting up to 600 more
root 7263 7262 0 14:34 ? 00:00:00 tac_plus: 0 connections
root 7264 7263 0 14:34 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 7265 7263 0 14:34 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 7266 7263 0 14:34 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 7267 7263 0 14:34 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.plIs this a feature or something I have configured incorrectly? If it is a feature, what is its role and how can it be used and managed? |
Beta Was this translation helpful? Give feedback.
Replies: 8 comments
-
|
Hi Olexander, these Perl processes form a helper process pool that handles authentication/authorization via an external database. Generally, the number of those processes can be controlled via a "child (min|max) = ..." directive, and the default for minimum is indeed 4, so your process listing looks fine to me. I don't remember whether the 2017 defaults were different. Also, mavis_tacplus_mysql_ldap.pl isn't part of my code base. I think that's from TACACSGUI (by Aleksey Mochalin). Cheers, Marc |
Beta Was this translation helpful? Give feedback.
-
|
Hi Marc. |
Beta Was this translation helpful? Give feedback.
-
|
Hi Olexander, the Perl processes are single-threaded and blocking, so running more than one will allow for concurrent backend queries (authentication, authorization). Depending on the speed of the backend (mySQL/LDAP) this may or may not be noticeable. If your older installation did get along with just one Perl process running, then the more recent version will, too. There's been no change in behavior. tac_plus by default (this can be disabled) uses in-memory caching, so typically only a small fraction of TACACS+ requests will need the help of the Perl scripts. Cheers, Marc |
Beta Was this translation helpful? Give feedback.
-
|
Yes, I am aware of the cache, and in the old version I even had difficulties - when one user could have different rights to different devices, although Perl defined a group for the user, the cache stubbornly returned the last known entry of the user group for all devices. I had to either disable the cache (which is not rational) or distribute different services across different entities of the tac_plus daemon. In the new version, at first glance, this has been eliminated, perhaps several perl processes played a role in this. Thanks for this again. |
Beta Was this translation helpful? Give feedback.
-
|
Hi Marc One more question - I also noticed that when the service is restarted (systemctl restart tac_plus), the child processes are not interrupted immediately, but only after 1-2 minutes. ps -ef | grep tac
root 72101 1 0 Feb20 ? 00:00:02 tac_plus: 0 connections, accepting up to 600 more
root 72102 72101 0 Feb20 ? 00:00:01 tac_plus: 0 connections
root 72103 72102 0 Feb20 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 72104 72102 0 Feb20 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 72105 72102 0 Feb20 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 72106 72102 0 Feb20 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
systemctl restart tac_plus
ps -ef | grep tac
root 72102 1 0 Feb20 ? 00:00:01 tac_plus: 0 connections
root 72103 72102 0 Feb20 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 72104 72102 0 Feb20 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 72105 72102 0 Feb20 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 72106 72102 0 Feb20 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 92011 1 0 09:27 ? 00:00:00 tac_plus: 0 connections, accepting up to 600 more
root 92012 92011 0 09:27 ? 00:00:00 tac_plus: 0 connections
root 92013 92012 7 09:27 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 92014 92012 7 09:27 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 92015 92012 7 09:27 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.pl
root 92016 92012 7 09:27 ? 00:00:00 perl /usr/local/lib/mavis/mavis_tacplus_mysql_ldap.plFor myself (I only have one daemon on host), I eliminated this by editing function stop in /etc/init.d/tac_plus changing 'kill -9 $PID' to 'kill -9 $(pidof tac_plus)'
stop () {
PID=`cat $PIDFILE 2>/dev/null`
/bin/echo -n "Stopping $NAME: "
if [ "x$PID" = "x" ]
then
echo "failed ($NAME is not running)"
else
kill -9 $(pidof tac_plus) 2>/dev/null
#kill -9 $PID 2>/dev/null
rm -f $PIDFILE
echo "done."
fi
} |
Beta Was this translation helpful? Give feedback.
-
|
Hi Olexander, having the child daemons terminate when the master reloads is currently not an option as the individual worker processes don't remember connections, they just add them to the event processing logic. I might change that behavior, eventually, but that will take some time. Cheers, Marc |
Beta Was this translation helpful? Give feedback.
-
|
Hi Olexander, adfe834 reduces wait time to 2 seconds, I think that's fine for now. Cheers, Marc |
Beta Was this translation helpful? Give feedback.
-
|
Hi Marc Have a good day :) |
Beta Was this translation helpful? Give feedback.
Hi Olexander,
adfe834 reduces wait time to 2 seconds, I think that's fine for now.
Cheers,
Marc