On Wed, Jun 17, 2015 at 5:08 PM, Willy Tarreau <wi...@haproxy.com> wrote:
> Hi all,
>
> the impatient readers among you will have noticed that it's been almost 3
> weeks since I sent the e-mail announcing the imminent release of 1.6-dev2.
> That end of merge window has been a nightmare and is not finished, but I
> thought it would be wise to issue dev2 anyway so that people can test the
> stuff that has been merged anyway. Lesson learned, for 1.7 we'll have a
> much shorter merge window so that people don't have enough time to push
> that much stuff at the last minute :-)
>
> To be honest, I'm far from being satisfied with this version. It's as huge
> as dev1 (344 commits) despite some things still being pending. Also noticed
> quite a number of areas that need to be fixed / cleaned up etc. So at least
> the feature freeze is a good thing.
>
> Reading the changelog since 1.6-dev1, in no particular order, I've found :
>
>   - DNS-based server name resolution : haproxy is now able to periodically
>     ask a set of resolvers for the IP address of some servers and to update
>     them without restarting. This will make life much easier for people
>     running in AWS where IP addresses change randomly. Some more stuff was
>     planned for this such as marking the server as unresolvable if resolving
>     fails, but we found that people would probably like to have a configurable
>     behaviour. Feedback on this is desired and will drive the next steps.
>
>   - peers protocol v2 : haproxy 1.6 and 1.5 will not be able to synchronize
>     their stick tables but on the other hand the new protocol is much better
>     and more extensible. First it uses a single connection regardless of the
>     number of tables to synchronize. Second it will support synchronizing
>     much more than just stick tables. For now it replicates all stick-tables
>     contents (including gpc, etc...). This allows reloads to keep entries,
>     rates, etc... as well as to pass them to a backup node in case of a
>     switchover. It's very likely that during 1.7 development we'll further
>     extend the amount of information that can be exchanged.
>
>   - peers support nbproc > 1 as long as they're referenced by a single
>     process, and peers sections can be disabled (useful for debugging).
>
>   - config : removed a few deprecated keywords (eg: "reqsetbe"). I wanted to
>     remove "block" as well, and appsession. On the first one I'm not sure,
>     on the second one only Aleks (the author of the feature) provided some
>     feedback and agreed it was probably time for it to go. Expect that we'd
>     get rid of them soon if nobody objects.
>
>   - pattern cache : a small lru cache applies to pattern matching when it
>     runs from a list (eg: case insensitive string match, regex, etc). This
>     can significantly speed up host header matching or regex matching
>     against a huge list.
>
>   - support for stateless zip compression with libslz : this doesn't waste
>     memory anymore and compresses about 3 times faster than zlib, at a lower
>     compression ratio.
>
>   - support for session/transaction/request/response variables : using the
>     "set-var" action in {tcp,http}-{request-response} rulesets, it's possible
>     to assign the result of a sample expression to a variable allocated on the
>     fly and which lasts for all the session, the transaction or just the
>     ephemeral processing being done on the request or response. This makes
>     it possible to keep copies of certain request information and reuse them
>     in the response for example. Some work is still pending on this part,
>     in particular the ability to use variables within all arithmetic
>     converters which currently only take a constant.
>
>   - support for declared captures : sometimes it's desired to capture in
>     the backend or response path but that was not possible since only the
>     frontend can assign a capture slot. The solution consists in making
>     it possible to declare a capture slot in the frontend for later use.
>
>   - servers: in addition to DNS, it's possible to change a server's IP address
>     from the CLI.
>
>   - ssl: it's now possible to forge SSL certs on the fly. That's convenient
>     when haproxy has to be deployed in front of proxies which already work
>     like this.
>
>   - device identification : two companies, 51Degrees and DeviceAtlas,
>     provided patches to add support for their respective libs. We're
>     starting to see some demand for such features due to the abundance
>     of smartphones, tablets and I don't-know-what, and both libs come
>     with a free device database, so it seems to be the right timing.
>     The README was updated for both, there you'll find how to build with
>     either solution (or both, I checked and they don't break each other).
>     It would be interesting to get feedback on these features, especially
>     from people who already have access to the full databases and who see
>     a benefit in moving this processing to haproxy instead of having one
>     different implementation per application server. More information is
>     available below for each of them respectively :
>
>         https://deviceatlas.com/deviceatlas-haproxy-module
>         https://github.com/51Degreesmobi/51Degrees-C
>
>   - ssl: default DH param groups were replaced with custom ones in order
>     to limit the exposure in case of a targeted attack.
>
>   - config: support for quotes (no more backslashes needed before spaces),
>     and stricter control of argument counts so that people who write invalid
>     configs where words were silently ignored don't get trapped anymore. The
>     long-deprecated syntax consisting in putting the ip:port on the "listen"
>     line has now been removed as well since it didn't support any bind option
>     and used to regularly confuse users.
>
>   - config: environment variables can be used everywhere inside double-quotes,
>     not just in listening addresses.
>
>   - stats: the CSV dump now knows how to properly quote strings containing
>     commas or quotes. This will make it possible to start adding many counters
>     there (those who are only present in the HTML dump for now).
>
>   - http-response now supports "redirect" rules. That's sometimes useful to
>     replace a 500 server error with a nice page.
>
>   - config: duplicated backend names or server names are now completely
>     detected and better reported so that it's easy to know what needs to be
>     fixed.
>
>   - multiple redispatches are now possible on configurable retry intervals
>     when connection fails to a server.
>
>   - url_param() and body_param() can check for multiple (or any) parameter.
>     That can be used as a preliminary cleanup for certain invalid requests.
>
>   - TLS key loading from file and update on the CLI : this will save some
>     reloads for some users and provide better security to SSL users.
>
>   - "option http-buffer-request" allows request processing to be deferred
>     until the request body is received, thus it's possible to look up a
>     routing key in a POST body (eg: user id).
>
>   - "option http-ignore-probes" to silence 400/408 on preconnect, and to
>     avoid counting errors in this case.
>
>   - support for HTTP/0.9 is now disabled by default. It's totally useless
>     and can lead to some security issues by making it easier to forge
>     requests from foreign protocols. In addition, some extra cleanups to
>     comply with RFC7230 were applied. "RTSP" is now allowed as a protocol
>     name for those who want to load-balance RTSP farms (parses like HTTP
>     for basic needs).
>
>   - lua: implemented a simple memory allocator which makes it possible to
>     limit memory usage.
>
>   - lots of internal changes (applets now run independently from streams,
>     sample fetch API changed, etc...).
>
> I couldn't complete the response processing changes that I had to interrupt
> 3 weeks ago to review patches. So most likely this will be postponed to 1.7.
> We still have a huge amount of work to do to clean what we have. For example
> session variables are still attached to the stream while they need to move
> to the session (and the internal variables API must already change for this).
> The stick-tables still use old types and we could simplify their code by
> moving that to the common sample types (and remove a conversion stage).
>
> We still have pending the patch to retrieve/restore server states across
> reloads. It needs more work to improve lookups to better resist to config
> changes (otherwise why would people restart?). We realized that the notion
> of "state" differs depending on the use case. Some will want to keep only
> the up/down status. Others might want to keep the dynamic weights and
> anything that was updated on the CLI, while others would probably prefer
> to ensure the CLI is dropped upon reloads since the CLI is here to adjust
> what can be done without restarting, etc. I hope to be able to merge that
> soon so that we can get some feedback about it. It definitely is useful
> but we don't know clearly where we want to go with this.
>
> As indicated 3 weeks ago, future changes should have a limited impact
> on code stability (unless they fix bugs of course), and on configuration
> so that early adopters can quickly update when they face a bug that is
> fixed. If you're developing something great and intrusive, please keep
> it for when 1.7 opens.
>
> I was told that current version could fail to build on OpenBSD, but there's
> a patch floating around for this so hopefully this will be resolved soon.
>
> Last point, very recently I got a request from someone who desired a bit
> more signatures in the release process. I don't want to make the whole
> workflow a pain, but at least now I've switched to signed tags, which is
> easy to do and happens only once in a while.
>
> I'm not appending the changelog, it's too large and boring, really.
>
> Usual URLs below :
>     Site index       : http://www.haproxy.org/
>     Sources          : http://www.haproxy.org/download/1.6/src/devel/
>     Git repository   : http://git.haproxy.org/git/haproxy.git/
>     Git Web browsing : http://git.haproxy.org/?p=haproxy.git
>     Changelog        : http://www.haproxy.org/download/1.6/src/CHANGELOG
>     Cyril's HTML doc : http://cbonte.github.com/haproxy-dconv/configuration-1.6.html
>
> Regards,
> Willy
>
>

It's a great release!!!!
Looking forward to playing with it!

Note that in my lab, 1.6-dev performs slightly better than 1.5.

Baptiste
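
The announcement's item on HTTP/0.9 being disabled by default, sketched as a strict request-line check. This is an added example, not HAProxy's code or anything posted in this thread; the function names and the `accept_http09` opt-in flag are hypothetical, and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

enum rl_result { RL_OK, RL_HTTP09, RL_BAD };

/* RFC 7230 version token: name "/" DIGIT "." DIGIT. "RTSP" is accepted as a
 * name too, as the announcement describes. */
static int is_version(const char *s)
{
    if (strncmp(s, "HTTP/", 5) != 0 && strncmp(s, "RTSP/", 5) != 0)
        return 0;
    s += 5;
    return s[0] >= '0' && s[0] <= '9' && s[1] == '.' &&
           s[2] >= '0' && s[2] <= '9' && s[3] == '\0';
}

/* Classify one request line, CRLF already stripped (hypothetical helper). */
enum rl_result classify_request_line(const char *line)
{
    const char *sp1 = strchr(line, ' ');
    const char *sp2;

    if (!sp1 || sp1 == line || sp1[1] == '\0' || sp1[1] == ' ')
        return RL_BAD;                      /* missing method or target */
    sp2 = strchr(sp1 + 1, ' ');
    if (!sp2)                               /* no version: HTTP/0.9 form, GET only */
        return strncmp(line, "GET ", 4) == 0 ? RL_HTTP09 : RL_BAD;
    return is_version(sp2 + 1) ? RL_OK : RL_BAD;
}

/* accept_http09 = 0 models the new default; 1 models an explicit opt-in. */
int request_line_allowed(const char *line, int accept_http09)
{
    enum rl_result r = classify_request_line(line);
    return r == RL_OK || (r == RL_HTTP09 && accept_http09);
}

int main(void)
{
    /* Constructed sample lines, not taken from real traffic. */
    const char *samples[] = { "GET /index.html HTTP/1.1", "GET /index.html",
                              "DESCRIBE rtsp://cam.example/a RTSP/1.0",
                              "GET /index.html HTTP/1", "GET  /x HTTP/1.1" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-40s default=%d opt-in=%d\n", samples[i],
               request_line_allowed(samples[i], 0),
               request_line_allowed(samples[i], 1));
    return 0;
}
```

With the default setting only lines carrying a well-formed version token pass; the version-less `GET /index.html` form is accepted only when the opt-in is set.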
