Hi,

HAProxy 2.2.26 was released on 2022/12/09. It added 80 new commits
after version 2.2.25.

There hasn't been a new 2.2 version since this summer. This one is thus quite
huge and flushes the pipe. Here are issues fixed in this release:

 * A major issue on stick-tables was fixed about a possible crash if server
   name indexing is used to perform stickiness when the server is an applet.
   This is typically what happens when a "stick-store" rule is present in a
   backend featuring a "stats" directive. And at the end, to fix the bug,
   such rules must simply be ignored when the server is an applet.

 * A race condition on some global tasks was fixed. The stick-table
   expiration task and the listeners management task were concerned. These
   tasks may run on any thread. Both set their expiration date to
   TICK_ETERNITY. On the other hand, these tasks may be queued or scheduled
   from anywhere. The race was when both happened at the same time. Indeed
   it is forbidden to queue a task with no expiration date. To prevent any
   issue, a locking mechanism is now used.

 * There was an issue with the init sequence of tcp sink from a ring. The
   sink initialization was performed too early and some parts were not
   properly initialized, especially for SSL, causing crashes at runtime.

 * It was possible to trigger the watchdog because of an extreme contention
   on the proxy's lock while the libc was in malloc()/free(). It was mainly
   due to the errors capture. A call to free() was under the lock with no
   special reason. The object is now released outside of the proxy's lock.

 * The HTTP compression filter was fixed to properly handle rewrite errors.
   Indeed, on rewrite error, the compression is not performed. But in this
   case, we must be sure to remove the "Content-Encoding" header.

 * A crash during ring section parsing was fixed. If a "ring" section
   initialization failed (e.g. due to a duplicate name, invalid chars, or
   missing memory), any subsequent "server" statement found in the same
   section crashed the config parser by dereferencing the currently NULL
   cfg_sink.

 * A bug in resolvers was fixed. It was possible to experience a crash
   because of a use-after-free when a resolution was released. When a
   resolution was aborted, it was not removed from the tree referencing all
   pending requests. Thus it was still possible to get a reference on a
   resolution at the same time it was released.

 * There was a logic bug in processing of option http-restrict-req-hdr-names
   that could cause deletion of a wrong header or a crash when facing
   multiple forbidden chars. This was reported in issue #1822, analyzed and
   fixed by Mateusz Malek.

 * An old bug in the H2 mux may cause spurious stream resets when uploading
   and downloading at the same time from the same stream, due to the window
   update frames having to be delayed when the output is full, and sent
   later after the stream ID was reset. Those using POST to servers might
   have experienced such occasional issues and might want to check for any
   improvement there. This was reported in issue #1830 and diagnosed by
   David le Blanc.

 * Tim reported in issue #1799 that upon reload, an old process that failed
   to synchronize its tables with the new one could loop for a while without
   any pause and waste a lot of CPU doing this.

 * Reloading peers could compete on the local one and slow down or block the
   replication.

 * Reloading peers could interrupt a resync in progress if the retry timer
   triggered before the end.

 * In peers, messages about unknown tables were not properly ignored. Those
   messages are now silently ignored and the upper layer continues the
   processing as it is done for any valid message.

 * Pausing or resuming a proxy from lua code could lead to some race because
   these operations were performed outside the proxy's lock. To fix the
   issue and prevent any trouble, the proxy's API was slightly refactored to
   be sure the proxy's lock is always acquired by low-level functions.

 * There was an undesired sharing of data between default-servers that could
   lead to double-frees concretized by crashes when checking the
   config. This was reported in issue #1804 by Fabiano Nunes.

 * There was a bug in the SPOE. In sync or pipelining modes, an unhealthy
   SPOA could lead HAProxy to create a huge number of applets to process
   queued messages, slowing down all processing.

 * Character escaping in log messages was not correctly processing
   strings coming from sample fetches, truncating the output string.

 * Agent-check could be delayed by ~200ms due to TCP QUICKACK being disabled
   by default.

 * Reading from the rings could also occasionally freeze at high rate if the
   reader had to stop due to a buffer full while the writer had already
   stopped due to a ring full.

 * A 60s delay could be experienced after stopping HAProxy. This was
   happening when a signal was received before entering the poller and
   without any activity on the process. In mworker mode, if a worker exited
   and the SIGCHLD signal was delivered at the right time to the master,
   this one could be stuck for 60s. The timeout is now set to 0 in this
   specific case.

 * An issue during the argument parsing when sample fetches or converters
   are called from lua was fixed to avoid crashes on failure and to properly
   handle implicit stick-table.

 * The pgsql healthcheck was updated to support new authentication methods.
   Now AUTH_REQ_GSS, AUTH_REQ_GSS and AUTH_REQ_SASL are supported.

 * A memory leak was fixed when some TXN variables were defined from a
   tcp-request ruleset for an HTTP session. Indeed, in this case, these
   variables were lost because of an extra list initialization during the
   HTTP transaction creation.

 * smtpchk healthcheck now gracefully closes SMTP transaction by sending a
   QUIT message.

 * Error handling during http replies parsing was fixed to prevent any crash
   during arguments parsing while a log-format body was expected but not
   evaluated yet.

 * Headers case adjustment in H1 is now available for TCP proxies. It was
   an issue for HTTP health-checks on backend side or for TCP connections
   upgraded to HTTP on frontend side.

Thanks everyone for your help and your contributions.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.2.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.2.git
   Changelog        : https://www.haproxy.org/download/2.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages


---
Complete changelog :
Aurelien DARRAGON (4):
      BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK
      BUG/MINOR: log: improper behavior when escaping log data
      DOC: configuration: missing 'if' in tcp-request content example
      BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists

Christopher Faulet (30):
      MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer
      BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload
      BUG/MINOR: peers: Use right channel flag to consider the peer as connected
      MINOR: server: Constify source server to copy its settings
      REORG: server: Export srv_settings_cpy() function
      BUG/MEDIUM: proxy: Perform a custom copy for default server settings
      BUG/MINOR: tcpcheck: Disable QUICKACK only if data should be sent after connect
      BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode
      BUG/MEDIUM: peers: Add connect and server timeut to peers proxy
      BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress
      BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date
      BUG/MINOR: tcpcheck: Disable QUICKACK for default tcp-check (with no rule)
      REGTESTS: http_request_buffer: Add a barrier to not mix up log messages
      BUG/MINOR: h1: Support headers case adjustment for TCP proxies
      REGTESTS: healthcheckmail: Relax matching on the healthcheck log message
      BUILD: ssl-ckch: Fix GCC warning about a if statement always true
      REGTESTS: 4be_1srv_smtpchk_httpchk_layer47errors: Return valid SMTP replies
      BUG/MEDIUM: resolvers: Remove aborted resolutions from query_ids tree
      DOC: config: Fix pgsql-check documentation to make user param mandatory
      BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()
      BUG/MINOR: mux-h1: Account consumed output data on synchronous connection error
      MINOR: smtpchk: Update expect rule to fully match replies to EHLO commands
      BUG/MEDIUM: compression: handle rewrite errors when updating response headers
      BUG/MAJOR: stick-table: don't process store-response rules for applets
      BUG/MINOR: http-htx: Fix error handling during parsing http replies
      BUG/MINOR: resolvers: Set port before IP address when processing SRV records
      BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task
      BUILD: peers: Remove unused variables
      Revert "CI: switch to the "latest" LibreSSL"
      Revert "CI: determine actual OpenSSL version dynamically"

Emeric Brun (2):
      BUG/MEDIUM: sink: bad init sequence on tcp sink from a ring.
      BUG/MEDIUM: peers: messages about unkown tables not correctly ignored

Fatih Acar (1):
      BUG/MINOR: checks: update pgsql regex on auth packet

Ilya Shipitsin (5):
      CI: cirrus-ci: bump FreeBSD image to 13-1
      CI: SSL: use proper version generating when "latest" semantic is used
      CI: SSL: temporarily stick to LibreSSL=3.5.3
      CI: add monthly gcc cross compile jobs
      CI: switch to the "latest" LibreSSL

Mateusz Malek (1):
      BUG/MEDIUM: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names

Matthias Wirth (1):
      BUG/MINOR: signals/poller: ensure wakeup from signals

Olivier Houchard (2):
      BUG/MEDIUM: lua: Don't crash in hlua_lua2arg_check on failure
      BUG/MEDIUM: lua: handle stick table implicit arguments right.

Remi Tricot-Le Breton (2):
      BUG/MINOR: ssl: Memory leak of AUTHORITY_KEYID struct when loading issuer
      BUG/MINOR: ssl: ocsp structure not freed properly in case of error

Tim Duesterhus (2):
      CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py
      CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition

William Lallemand (5):
      BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()
      DOC: configuration: do-resolve doesn't work with a port in the string
      BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals
      DOC: management: add forgotten "show startup-logs"
      BUG/MINOR: ssl: don't initialize the keylog callback when not required

Willy Tarreau (24):
      BUG/MINOR: ring/cli: fix a race condition between the writer and the reader
      BUG/MINOR: sink: fix a race condition between the writer and the reader
      BUILD: http: silence an uninitialized warning affecting gcc-5
      BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
      BUG/MEDIUM: captures: free() an error capture out of the proxy lock
      BUILD: fd: fix a build warning on the DWCAS
      SCRIPTS: announce-release: update some URLs to https
      BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os
      BUG/MAJOR: stick-tables: do not try to index a server name for applets
      BUG/MINOR: server: make sure "show servers state" hides private bits
      BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task
      CI: emit the compiler's version in the build reports
      DOC: config: fix alphabetical ordering of global section
      BUG/MEDIUM: ring: fix creation of server in uninitialized ring
      BUG/MINOR: pool/cli: use ullong to report total pool usage in bytes
      BUG/MINOR: server/idle: at least use atomic stores when updating max_used_conns
      BUILD: listener: fix build warning on global_listener_rwlock without threads
      DOC: config: provide some configuration hints for "http-reuse"
      DOC: config: clarify the fact that SNI should not be used in HTTP scenarios
      DOC: config: mention that a single monitor-uri rule is supported
      DOC: config: explain how default matching method for ACL works
      DOC: config: clarify the fact that "retries" is not just for connections
      DOC: config: clarify the -m dir and -m dom pattern matching methods
      SCRIPTS: announce-release: add a link to the data plane API

wrightlaw (1):
      BUG/MINOR: smtpchk: SMTP Service check should gracefully close SMTP transaction

--
Christopher Faulet
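
The resolvers use-after-free described in the notes above (an aborted resolution left in the tree of pending requests) comes down to release ordering. The following is an added example, not HAProxy code and not part of the original announcement: a simplified model in which a fixed-size array stands in for the tree, and all names (res_send, res_abort, res_lookup, pending) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PENDING 64                 /* constructed size for this model */

struct resolution {
    uint16_t query_id;                 /* id echoed back in the response */
    int      in_index;                 /* 1 while referenced by the index */
};

/* Hypothetical stand-in for the tree referencing all pending requests. */
static struct resolution *pending[MAX_PENDING];

/* Create a resolution and reference it from the index. */
struct resolution *res_send(uint16_t id)
{
    struct resolution *r = calloc(1, sizeof(*r));
    if (!r || pending[id % MAX_PENDING]) { free(r); return NULL; }
    r->query_id = id;
    r->in_index = 1;
    pending[id % MAX_PENDING] = r;
    return r;
}

/* Drop the index reference; calling it twice is harmless. */
static void res_unlink(struct resolution *r)
{
    if (r->in_index) {
        pending[r->query_id % MAX_PENDING] = NULL;
        r->in_index = 0;
    }
}

/* Abort path: unlink BEFORE releasing. Skipping the unlink is the bug
 * class from the notes: the index keeps a pointer to freed memory. */
void res_abort(struct resolution *r)
{
    res_unlink(r);
    free(r);
}

/* Response path: NULL means unknown or stale id, so the reply is dropped. */
struct resolution *res_lookup(uint16_t id)
{
    struct resolution *r = pending[id % MAX_PENDING];
    return (r && r->query_id == id) ? r : NULL;
}

int main(void)
{
    struct resolution *r = res_send(0x1a2b);   /* constructed query id */
    res_abort(r);
    printf("late response finds: %p\n", (void *)res_lookup(0x1a2b));
    return 0;
}
```
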
