Hi,

HAProxy 3.1-dev3 was released on 2024/07/10. It added 35 new commits after version 3.1-dev2.

This version mostly addresses some issues affecting dev2, a few of which could cause crashes. Some of them are marked for backporting because they also affect older versions (races between server address updates and deletion, and a few things like this).

There's a fix for the handling of the Transfer-encoding header in the H1 mux that was reported by Ben Kallus. It's believed to be harmless as the only server that was found to be confused cannot parse a second request, but we'll backport it soon.

Another change that will need to be backported after some time concerns the handling of default FD limits. For a few decades, operating systems would advertise safe limits (i.e. those they were able to deal with based on their amount of RAM). We've seen a few attempts at bumping the hard limit beyond 1 billion FDs many years ago that were reverted due to breaking many apps. Now it seems it's coming back, via systemd-256 setting the hard-limit from the kernel's nr_open variable (which in itself is not necessarily a bad thing -- proof that I'm not always bashing systemd, only when needed :-)). But with some machines showing extreme nr_open (I still don't know why) we're back to square one where it's possible for haproxy to try to start with a limit set to one billion FDs. Not only would this eat at least 64GB of RAM just for the fdtab itself, it also takes ages to start, and fortunately the watchdog quickly puts an end to this mess...

We already have an fd-hard-limit global setting that allows one to fix a hard limit to the number of FDs, but not everyone knows about it nor uses it. What we've found to be the most reasonable is to consider that fd-hard-limit now has a default value of 1048576, which matches what was almost always the default hard limit, so that when not set, it's like it used to be till now. That's sufficient for the vast majority of use cases, and trust me, the rare users who need to support more than 500k concurrent connections are pretty much aware of all related tunables and already make use of them, so it's expected that nobody should observe any change. I think that after some time we'll start to backport it, at least to the latest LTS (3.0) so as to make distro packagers' lives easier. We may have to backport it to older versions as well if they ask for it. As such, feedback on this version, especially from those with large setups such as Ricardo, Felipe and Christian, would be much appreciated so that we know if any corner cases need to be adjusted for example.

Among other changes, the mt_lists that were added and reverted from 2.9 were finally fixed and added back. This time I'm no longer observing the massive gain with QUIC because the stack has improved since then and likely puts less pressure on memory writes; the perf is now well beyond what it was with the fix a year ago. That's good news in any case.

Some doc updates (the obsolete architecture guide that I thought dropped was still lying there after 18 years, now I got rid of it), cleanups, and an attempt from Ilya at running the QUIC interop in the weekly CI, this can definitely be cool, we'll see how it goes.

Some more important changes are coming soon, so I expect that next versions will become a bit funkier. Thus if you want to give a test to 3.1-dev but don't feel like taking too many risks, this one should be the best choice for a while.

And I'm still trying to free some time for the pending reviews (I have not forgotten you but stuff that depends on multiple persons cannot always wait).

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.1/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.1/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy

---
Complete changelog :
Amaury Denoyelle (11):
      BUG/MEDIUM: server: fix race on server_atomic_sync()
      CLEANUP: quic: cleanup prototypes related to CIDs handling
      CLEANUP: quic: remove non-existing quic_cid_tree definition
      MINOR: quic: remove access to CID global tree outside of quic_cid module
      REORG: quic: remove quic_cid_trees reference from proto_quic
      MINOR: quic: add 2 BUG_ON() on datagram dispatch
      MINOR: quic: ensure quic_conn is never removed on thread affinity rebind
      MINOR: proto: extend connection thread rebind API
      BUG/MEDIUM: quic: prevent crash on accept queue full
      DEV: flags/quic: decode quic_conn flags
      MINOR: quic: rename "ssl error" trace

Christopher Faulet (7):
      BUG/MINOR: promex: Remove Help prefix repeated twice for each metric
      BUG/MEDIUM: hlua/cli: Fix lua CLI commands to work with applet's buffers
      BUG/MEDIUM: peers: Fix crash when syncing learn state of a peer without appctx
      BUG/MINOR: h1: Fail to parse empty transfer coding names
      BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value
      BUG/MEDIUM: h1: Reject empty Transfer-encoding header
      BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread

Frederic Lecaille (1):
      BUG/MINOR: quic: Wrong datagram building when probing.

Ilia Shipitsin (2):
      CI: add weekly QUIC Interop regression against LibreSSL
      CI: weekly QUIC Interop: try to fix private image

Valentine Krasnobaeva (3):
      MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD
      DOC: configuration: update maxconn description
      BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn

William Lallemand (5):
      DOC: configuration: add details about crt-store in bind "crt" keyword
      DOC: configuration: more details about the master-worker mode
      BUG/MINOR: jwt: don't try to load files with HMAC algorithm
      BUG/MINOR: jwt: fix variable initialisation
      MINOR: ssl/sample: ssl_c_san returns a comma separated list of SAN

Willy Tarreau (6):
      BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking
      OPTIM: pool: improve needed_avg cache line access pattern
      MAJOR: import: update mt_list to support exponential back-off (try #2)
      BUILD: listener: silence a build warning about unused value without threads
      DOC: architecture: remove the totally outdated architecture manual
      SCRIPTS: create-release: no more need to skip architecture.txt

---
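
Added example, not part of the original announcement nor HAProxy code: a shell pre-flight check for the FD limit problem described in the message, aimed at builds that do not yet have the new fd-hard-limit default. The function names are hypothetical, the 64 bytes per fdtab entry is inferred from the "one billion FDs, at least 64GB" figure, and the check ignores maxconn and ulimit-n, which also influence the final limit.

```shell
#!/bin/sh
DEFAULT_FD_HARD_LIMIT=1048576   # default value quoted in the announcement
FDTAB_ENTRY_BYTES=64            # assumption: 64GB / ~1 billion FDs

# Print the fd-hard-limit set in the "global" section of a config file,
# or nothing when it is absent. Only common section keywords are recognised.
configured_fd_hard_limit() {
    awk '
        $1 == "global" { in_global = 1; next }
        $1 ~ /^(defaults|frontend|backend|listen|peers|resolvers|userlist)$/ { in_global = 0 }
        in_global && $1 == "fd-hard-limit" { value = $2 }
        END { if (value != "") print value }
    ' "$1"
}

# effective_fd_limit SYSTEM_HARD_LIMIT [CONFIGURED]
# Ceiling once the cap applies: the lower of the system hard limit and
# fd-hard-limit (or its default). Expects a numeric hard limit.
effective_fd_limit() {
    sys=$1
    cap=${2:-$DEFAULT_FD_HARD_LIMIT}
    if [ "$sys" -lt "$cap" ]; then echo "$sys"; else echo "$cap"; fi
}

# Estimated fdtab size in bytes for a given number of FDs.
fdtab_bytes() {
    echo $(( $1 * $FDTAB_ENTRY_BYTES ))
}

# audit CONFIG SYSTEM_HARD_LIMIT
# WARN when no fd-hard-limit is configured and the system hard limit is
# above the historical default, which is the case that hurts uncapped builds.
audit() {
    conf=$(configured_fd_hard_limit "$1")
    if [ -z "$conf" ] && [ "$2" -gt "$DEFAULT_FD_HARD_LIMIT" ]; then
        echo "WARN uncapped=$2 fdtab_bytes=$(fdtab_bytes "$2") capped=$(effective_fd_limit "$2")"
    else
        echo "OK limit=$(effective_fd_limit "$2" "$conf")"
    fi
}

# Usage: ./fdcheck.sh /path/to/haproxy.cfg  (path supplied by the operator)
if [ "$#" -ge 1 ]; then
    audit "$1" "$(ulimit -Hn)"
fi
```

A WARN line means adding an explicit `fd-hard-limit` to the global section is the setting the announcement points to for bounding the FD count.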