Hi,
HAProxy 2.9-dev9 was released on 2023/11/04. It added 42 new commits
after version 2.9-dev8.
This version was mostly focused on fixing issues introduced during
2.9-dev, which is a good indication that things are calming down and
stabilizing. A few of them could cause crashes.
Aside from bug fixes come some improvements:
- QUIC connections are now accounted for, both in terms of connections
and SSL connections. Thus the maxsslconn should now work, for
example.
- stick-tables now support pushing incoming non-aggregable data to
another table. This is useful in cluster setups where each node
tracks activity to its local table and also watches the neighbors'
tables. Some info such as server_id, gpt, etc. work differently in that
the last update overrides all values. But trying to perform
stickiness in such setups wouldn't work (or requires separate tables
which is not always convenient). Now placing "write-to table-foo" on
a stick-table line will automatically refresh the equivalent entry in
table-foo when a peer sends an update for such data, so that the
local table can be used both for counters and tags or stickiness.
- it's now possible to set arbitrary PROXY Protocol fields in outgoing
server connections with the new "set-proxy-v2-tlv-fmt()" directive.
It will no longer be required to abuse the unique-id header for this,
as I've heard in the past.
- Lua's logging can now be selectively enabled for stderr and for
loggers, and by default stderr will only be used if no loggers are
available (so as to avoid log duplication for those who collect
stderr and logs at the same place).
- a new pair of sample fetch functions "req.cook_names" and
"res.cook_names" return the list of the cookie names found in the
request and response respectively. This can be used to improve
logging or to quickly validate that a request has everything needed
to be reliably processed.
- initialization errors caused by stick-tables will now be a bit more
verbose; till now a memory allocation failure would just have reported
"failed to initialize stick-table foo" without more explanation.
- the config check performed by the systemd unit file on reloads is no
longer marked quiet, because that apparently hides errors on reloads.
Now errors and warnings will be visible in "systemctl status".
- the H2 mux uses significantly less memory and is up to 40-60% more
CPU-efficient on large transfers thanks to a faster recycling of the
buffers that significantly increases the probability of performing
zero-copy operations.
- the panic dumps are progressively getting smarter by trying to detect
some likely causes and giving some hints. For example if a call to
malloc_trim() is detected in the trace, a suggestion to disable it
will be emitted. Similarly if a thread is waiting on the Lua lock
while some "lua-load" directives are in use, an invitation to try
"lua-load-per-thread" will be emitted. And if a watchdog triggers
inside Lua, some possible causes will be proposed (including the
fact that maybe the script depends on some external unsafe library).
- wolfssl-5.6.4 was finally issued and is in a much better shape than
5.6.3 for haproxy compatibility, without requiring to clone directly
from github, so docs were updated to reflect this.
- some doc updates as usual
I'm glad to see we could finally merge in time all the pending stuff that
has been floating around for some time, it will let us focus on bug fixing
and cleanups now. Thanks to those who pinged me again in time ;-)
Some issues and limitations are still present:
- when using the reverse-http, if an SNI is needed on the server line,
please make sure to use a constant expression (e.g. sni str("foo")),
as the lack of a session during the pre-connect phase would currently
crash on non-constant expressions.
- the case where large numbers of buffers remain allocated was finally
found and I even have a tested fix for it. It "just" needs to be
committed and documented, as usual.
- with Amaury and Christopher we've identified a class of problems that
are responsible for the occasional process_stream() loops that some
like Tristan have been witnessing recently. There are essentially two
causes, one that's easy to fix, caused by a difference in the way two
layers check for available room in a buffer, and another one, more
subtle, related to the way we calculate the next activity timeout for
a given condition. Some of them are not always properly shut or may be
re-armed after certain events (e.g. end of transfer) and we'll need to
carefully review these use cases to see how to address them. It's a
bit tricky.
We're still on track for a release around the end of this month. Tests are
still really necessary, especially if you've been waiting for a feature in
this version. It would be bad to wait for the release to test it, spot a
bug, and have to wait for a next stable release! The pending issues above
do not prevent the code from working at all, as we can see on haproxy.org
and the few other places that run 2.9-dev. Running some dev "just" requires
a certain level of control of one's production (typically ease of rollback
in case anything would go wrong).
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.9/src/
Git repository : https://git.haproxy.org/git/haproxy.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy.git
Changelog : https://www.haproxy.org/download/2.9/src/CHANGELOG
Dataplane API :
https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Aleksandar Lazic (1):
DOC: internal: filters: fix reference to entities.pdf
Alexander Stephan (2):
MINOR: server: Add parser support for set-proxy-v2-tlv-fmt
MINOR: connection: Send out generic, user-defined server TLVs
Amaury Denoyelle (10):
BUG/MINOR: backend: fix wrong BUG_ON for avail conn
BUG/MAJOR: backend: fix idle conn crash under low FD
MINOR: backend: refactor insertion in avail conns tree
BUG/MINOR: quic: do not consider idle timeout on CLOSING state
MINOR: frontend: implement a dedicated actconn increment function
BUG/MINOR: ssl: use a thread-safe sslconns increment
MEDIUM: quic: count quic_conn instance for maxconn
MEDIUM: quic: count quic_conn for global sslconns
BUG/MINOR: mux-quic: fix early close if unset client timeout
BUG/MINOR: proto_reverse_connect: support SNI on active connect
Aurelien DARRAGON (10):
BUG/MEDIUM: server/log: "mode log" after server keyword causes crash
MINOR: connection: add conn_pr_mode_to_proto_mode() helper func
BUG/MEDIUM: server: "proto" not working for dynamic servers
MINOR: server: add helper function to detach server from proxy list
MINOR: proxy/stktable: add resolve_stick_rule helper function
BUG/MINOR: stktable: missing free in parse_stick_table()
BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure
MINOR: stktable: stktable_init() sets err_msg on error
MINOR: stktable: check if a type should be used as-is
MEDIUM: stktable/peers: "write-to" local table on peer updates
Christopher Faulet (1):
BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure
Ruei-Bang Chen (1):
MINOR: sample: Add fetcher for getting all cookie names
Tristan (2):
MINOR: lua: Add flags to configure logging behaviour
MINOR: lua: change tune.lua.log.stderr default from 'on' to 'auto'
William Lallemand (7):
BUG/MINOR: ssl: load correctly @system-ca when ca-base is define
BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA
REGTESTS: ssl: update the filters test for TLSv1.3 and sigalgs
BUG/MEDIUM: ssl: segfault when cipher is NULL
MEDIUM: systemd: be more verbose about the reload
CI: github: update wolfSSL to 5.6.4
DOC: install: update the wolfSSL required version
Willy Tarreau (8):
DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder
DEBUG: add a tainted flag when ha_panic() is called
DEBUG: lua: add tainted flags for stuck Lua contexts
DEBUG: pools: detect that malloc_trim() is in progress
BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range()
MINOR: mux-h2: always use h2_send() in h2_done_ff(), not h2_process()
OPTIM: mux-h2: call h2_send() directly from h2_snd_buf()
BUG/MINOR: server: remove some incorrect free() calls on null elements
---
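The fragment below is an added configuration example and is not part of Willy's announcement nor of the HAProxy sources. It wires together several of the 2.9-dev9 items described above on one node of a two-node cluster: a QUIC listener counted against maxsslconn, the new Lua logging tunables, a per-node stick-table layout where the neighbor's table carries "write-to" so peer updates refresh the local table used for stickiness, req.cook_names in the log format, and a custom PROXY protocol v2 TLV on the server lines. The peer addresses, certificate path, backend servers, table sizes, the two-node layout and the TLV id 0xE1 (in the PP2 custom range) are assumptions; the keyword spellings follow the 2.9 configuration manual as I know it, so run "haproxy -c -f" against it before relying on it.

```haproxy
# Added example, not the project's own configuration. All addresses, names
# and sizes are assumptions chosen for illustration.
global
    log stdout format raw local0
    # QUIC connections are now counted as SSL connections, so this limit
    # applies to the QUIC listener below as well as to the TCP one.
    maxsslconn 20000
    # Lua logging: send to the configured loggers, and use stderr only when
    # no logger is available (the new "auto" default) to avoid duplicates.
    tune.lua.log.loggers on
    tune.lua.log.stderr auto

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Assumed two-node cluster. Identical table names exist on both nodes; each
# node only writes to its own table and receives the other one via peers.
peers mypeers
    peer node1 10.0.0.1:10000
    peer node2 10.0.0.2:10000

# This node's own table: counters (gpc0) and stickiness (server_id is added
# implicitly by "stick on").
backend st_node1
    stick-table type ip size 100k expire 30m store gpc0,conn_rate(10s) peers mypeers

# Mirror of node2's table. "write-to st_node1" refreshes the equivalent
# entry in st_node1 whenever a peer update arrives here, so the local table
# can serve both counters and stickiness for clients first seen on node2.
backend st_node2
    stick-table type ip size 100k expire 30m store gpc0,conn_rate(10s) peers mypeers write-to st_node1

frontend web
    # Assumed certificate path; both listeners share it.
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/site.pem alpn h3
    http-request track-sc0 src table st_node1
    # New in 2.9: the list of cookie names in the request, stored in a
    # variable so the log line shows what the client actually sent.
    http-request set-var(txn.cookies) req.cook_names
    log-format "%ci:%cp [%tr] %ft %b/%s %ST cookies=%[var(txn.cookies)]"
    default_backend app

backend app
    balance roundrobin
    stick on src table st_node1
    # send-proxy-v2 plus a user-defined TLV (0xE1, in the PP2 custom range)
    # carrying the receiving frontend's name, built with a log-format string,
    # instead of smuggling it through the unique-id field.
    server s1 10.1.0.1:80 send-proxy-v2 set-proxy-v2-tlv-fmt(0xE1) %[fe_name]
    server s2 10.1.0.2:80 send-proxy-v2 set-proxy-v2-tlv-fmt(0xE1) %[fe_name]
```

On node2 the same file is used with the roles of st_node1 and st_node2 swapped (its own table is the one without "write-to"). The "write-to" target must be a table of the same key type and data set, which is why both tables declare identical type, size and store lists.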