Hi,
HAProxy 2.9-dev6 was released on 2023/09/22. It added 51 new commits
after version 2.9-dev5.
It looks like this version was mostly focused on bug fixes all around the
code and debugging improvements. I think we'll soon have to work on a new
series of stable versions.
Among the noticeable bugs fixed are:
- a possible crash in H2 when processing a response containing a DATA
frame after a 1xx response (or more generally before the final headers).
- fixes for subtle Lua API changes between 5.3 and 5.4 related to
yielding operations.
- some fixes for http reverse-connect regarding server name resolution
and an incorrectly set default maxconn.
- a case where deleting a server from the CLI was wrongly possible when
the server no longer had any streams but one stream was still retrying
on it, i.e. that stream still held a reference to it and could end up
on it again after the retry.
- make sure not to interrupt responses that are delivered before the end
of the request when the server terminates with a reset. That's
particularly visible in H2 with gRPC.
- master-worker mode failed to work with thread-groups > 1 due to the CLI
not being pinned to group 1 only.
- a possible crash in fcgi with stderr records due to a zero-copy operation
that should not be allowed in this case.
- a possible crash in QUIC since the recent updates to release memory
earlier.
Some reliability and bug detection improvements were made to the pools:
- the size rounding intended to merge similarly sized pools was done a bit
too early and affected the visible size of the pool. For buffers this
would usually result in slightly larger buffers than requested. That's
usually not a problem for most structs, but for buffers it can be
annoying because certain sizes may not be as optimal as desired. It also
affected the location of the canary placed at the end of the allocated
area, which is used to detect overflows: because of this, a single-byte
overflow was sometimes not detected. This is no longer the case; writing
even one extra byte past the allocated size will now be detected.
- we figured that simply aborting when a pool corruption was detected was
not very helpful, because finding the cause then required non-trivial
interactive memory inspection: either the developers had to blindly
dictate lots of complicated gdb commands to a bug reporter, or they had
to ask for the core, neither of which is great. Now, when a pool
corruption is detected, haproxy provides as much information as possible
about the detected issue: the pool name(s), the call places, and even
some of the contents near the end of the area in case of an overflow, so
that most of the time the developers don't need to request anything from
the reporter. We may further improve this depending on how it goes,
we'll see.
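To illustrate the canary placement issue described above, here is an added C example (not HAProxy's pool code): a 64-bit tag is written right after the bytes the caller may use and re-checked on release. `round_first=1` mimics the old behaviour where the size was rounded up before the tag was placed, so a one-byte overflow of a 100-byte object lands in the padding and goes unnoticed, while placing the tag at the exact requested size catches it. The 64-byte rounding granularity and the tag value are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not HAProxy's pool code. A 64-bit tag (the canary)
 * is written right after the bytes the caller may use; when the object is
 * released, the tag is re-read and any change means the caller overflowed. */
#define TAG   0xC0FFEEEEDEADBEEFULL
#define ALIGN 64   /* assumed rounding granularity used to merge similar pools */

static size_t round_up(size_t sz)
{
    return (sz + ALIGN - 1) & ~(size_t)(ALIGN - 1);
}

/* Allocates an object whose tag sits at offset 'tag_off' from its start. */
static unsigned char *alloc_tagged(size_t tag_off)
{
    unsigned char *p = calloc(1, tag_off + sizeof(uint64_t));
    uint64_t tag = TAG;
    if (!p)
        return NULL;
    memcpy(p + tag_off, &tag, sizeof(tag));
    return p;
}

/* Releases the object; returns 1 if the tag was clobbered, 0 if intact. */
static int check_and_free(unsigned char *obj, size_t tag_off)
{
    uint64_t tag;
    memcpy(&tag, obj + tag_off, sizeof(tag));
    free(obj);
    return tag != TAG;
}

/* Simulates a one-byte overflow of a 'req'-byte object. With round_first=1 the
 * size is rounded up before the tag is placed (old behaviour): the tag sits in
 * the padding and a small overflow is missed unless 'req' is already a
 * multiple of ALIGN. With round_first=0 the tag sits exactly at 'req', so even
 * a single extra byte is detected. Returns -1 on allocation failure. */
int overflow_detected(size_t req, int round_first)
{
    size_t tag_off = round_first ? round_up(req) : req;
    unsigned char *obj = alloc_tagged(tag_off);
    if (!obj)
        return -1;
    memset(obj, 'A', req + 1);       /* the bug: one byte too many */
    return check_and_free(obj, tag_off);
}
```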
Finally, the new stuff:
- the "bytes()" converter can now take its offset and length from
variables as well as constants. This makes it possible to extract
contents from more complex protocols (e.g. by skipping or parsing TLV
fields).
- Lua can now register actions for the http-after-response rule sets.
- the IPv4/IPv6 address parsers used in the config and pattern matching
were unified so that the various forms are properly usable everywhere.
Previously, certain (obsolete) encodings of IPv4 in IPv6 were not
always converted to IPv4 when needed.
- the lock used to consistently update the log servers' index when
using the sampling mechanism caused some bottlenecks and was replaced
with atomic ops, resulting in ~4x faster log production.
- a few new sample fetch functions "bytes_in" and "bytes_out" to match
their siblings in log-format tags.
- some build fixes for CentOS 8 and USE_QUIC_OPENSSL_COMPAT, some CI
updates (provide a gdb backtrace when possible), a few doc updates and
some regtest improvements.
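The IPv4-in-IPv6 point above is easy to get wrong in ACLs: a rule written for 10.0.0.0/8 silently misses a client that shows up as "::ffff:10.1.2.3". The following C helper is an added example, not HAProxy's v4tov6()/v6tov4() code, that normalises plain IPv4, IPv4-mapped (::ffff:a.b.c.d) and the obsolete IPv4-compatible (::a.b.c.d) forms before matching; treating :: and ::1 as non-IPv4 is an assumption of this example.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* Constructed helper, not HAProxy's v6tov4(). Returns 1 and fills *out when
 * 'text' is a plain IPv4 address, an IPv4-mapped IPv6 address (::ffff:a.b.c.d)
 * or the obsolete IPv4-compatible form (::a.b.c.d); returns 0 for any other
 * IPv6 address and -1 when the text does not parse at all. As an assumption,
 * :: and ::1 are not treated as embedded IPv4 addresses. */
int to_ipv4(const char *text, struct in_addr *out)
{
    static const unsigned char mapped_pfx[12] =
        { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };
    static const unsigned char compat_pfx[12] = { 0 };
    struct in6_addr a6;

    if (inet_pton(AF_INET, text, out) == 1)
        return 1;
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;
    if (memcmp(a6.s6_addr, mapped_pfx, 12) == 0 ||
        (memcmp(a6.s6_addr, compat_pfx, 12) == 0 &&
         (a6.s6_addr[12] | a6.s6_addr[13] | a6.s6_addr[14]) != 0)) {
        memcpy(&out->s_addr, a6.s6_addr + 12, 4);   /* last 4 bytes hold the IPv4 */
        return 1;
    }
    return 0;
}

/* Host-order IPv4 value of 'text', or 0 (0.0.0.0) when it has no IPv4 form. */
uint32_t ipv4_of(const char *text)
{
    struct in_addr a;
    return to_ipv4(text, &a) == 1 ? ntohl(a.s_addr) : 0;
}

/* ACL-style check: is the address inside 10.0.0.0/8, whichever textual form a
 * client, a header or a log line supplied it in? Without the normalisation
 * above, "::ffff:10.1.2.3" would not match a rule written for 10.0.0.0/8. */
int in_10_slash_8(const char *text)
{
    return (ipv4_of(text) >> 24) == 10;
}
```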
On a side note, some might have noticed that OpenSSL now dropped support
for their last decent branch 1.1.1 after releasing 1.1.1w on 09-11,
ignoring the requests for extending it while they're trying to fix their
3.x mess. This means that aside from LTS distros, users are now left with only
the 3.x versions that are a total disaster in terms of performance. There's
not a single week without new questions about what alternative to choose
depending on the use cases (frontend, backend, QUIC, threads, CPU
architecture, distro support etc). Thus I've started a Wiki page about
what I know of the current situation (i.e. neither authoritative nor
perfectly accurate) and that we'll update as progress is being made with
alternatives:
https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status
The goal is to save everyone precious time by exposing the currently known
limitations affecting the available alternatives. It may also help distros
identify acceptable mid-term solutions depending on how well they'll cover
other software as well (curl, nginx and apache are important SSL users as
well).
Feedback from testers and from the libs maintainers is obviously welcome,
because the situation with OpenSSL has gotten worse than in 2014 after
Heartbleed since now nobody knows where to go. So the earlier we know what
works well, the better!
Please find the usual URLs below:
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.9/src/
Git repository : https://git.haproxy.org/git/haproxy.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy.git
Changelog : https://www.haproxy.org/download/2.9/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (6):
BUG/MINOR: proto_reverse_connect: fix preconnect with startup name resolution
MINOR: proto_reverse_connect: prevent transparent server for pre-connect
BUG/MINOR: proto_reverse_connect: set default maxconn
MINOR: proto_reverse_connect: refactor preconnect failure
MINOR: proto_reverse_connect: remove unneeded wakeup
MINOR: proto_reverse_connect: emit log for preconnect
Aurelien DARRAGON (8):
BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume()
BUG/MINOR: hlua/init: coroutine may not resume itself
BUG/MINOR: server: add missing free for server->rdr_pfx
MEDIUM: tools/ip: v4tov6() and v6tov4() rework
MINOR: pattern/ip: offload ip conversion logic to helper functions
MINOR: pattern: fix pat_{parse,match}_ip() function comments
MINOR: pattern/ip: simplify pat_match_ip() function
BUG/MEDIUM: server/cli: don't delete a dynamic server that has streams
Cedric Paillet (1):
BUG/MINOR: promex: fix backend_agg_check_status
Christopher Faulet (4):
BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records
BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1
BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers
BUG/MEDIUM: http-ana: Try to handle response before handling server abort
Emeric Brun (1):
MINOR: quic: handle external extra CIDs generator.
Frédéric Lécaille (3):
BUG/MINOR: quic: fdtab array underflow access
BUG/MEDIUM: quic: quic_cc_conn ->cntrs counters unreachable
BUG/MINOR: quic: Leak of frames to send.
Ilya Shipitsin (1):
CI: cirrus-ci: display gdb bt if any
Lokesh Jindal (2):
MEDIUM: sample: Enhances converter "bytes" to take variable names as arguments
MEDIUM: sample: Small fix in function check_operator for error reporting
Sébastien Gross (1):
MINOR: hlua: Add support for the "http-after-res" action
William Lallemand (6):
MINOR: samples: implement bytes_in and bytes_out samples
DOC: configuration: add %[req.ver] sample to %HV
DOC: configuration: add %[query] to %HQ
BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT
REGTESTS: ssl: skip OCSP test w/ WolfSSL
REGTESTS: ssl: skip generate-certificates test w/ wolfSSL
Willy Tarreau (18):
DEBUG: pools: always record the caller for uncached allocs as well
DEBUG: pools: pass the caller pointer to the check functions and macros
DEBUG: pools: make pool_check_pattern() take a pointer to the pool
DEBUG: pools: inspect pools on fatal error and dump information found
DEBUG: pools: also print the item's pointer when crashing
DEBUG: pools: also print the value of the tag when it doesn't match
DEBUG: pools: print the contents surrounding the expected tag location
MEDIUM: pools: refine pool size rounding
MAJOR: import: update mt_list to support exponential back-off
CLEANUP: pools: simplify the pool expression when no pool was matched in dump
BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API
Revert "MAJOR: import: update mt_list to support exponential back-off"
MINOR: logs: clarify the check of the log range
MINOR: log: remove the unused curr_idx in struct smp_log_range
CLEANUP: logs: rename a confusing local variable "curr_rg" to "smp_rg"
MINOR: logs: use a single index to store the current range and index
MEDIUM: logs: atomically check and update the log sample index
CLEANUP: ring: rename the ring lock "RING_LOCK" instead of "LOGSRV_LOCK"
---