On 25.04.2019 at 23:18, Christopher Faulet wrote:
> Hi,
>
> HAProxy 1.9.7 was released on 2019/04/25. It added 100 new commits after
> version 1.9.6.
>
> After a month since the last release, a huge number of bugs were addressed
> in this release. The most significant are fixes of 100% CPU usage issues.
> Olivier and Willy worked hard on it. They fixed several bugs in the task
> scheduler and improved it. Another issue concerned the streams and the way
> aborts were handled. The flag reporting the abort on the stream-interface
> was cleared too early. So the stream was not properly released, looping
> infinitely on itself. Thanks to Maciej for helping Olivier investigate this
> issue. Finally, two bugs leading to a loop were fixed in the H2 multiplexer.
> The first one occurred when an incomplete frame was received and no more
> data was available. The second one when the subscription to the send events
> was made twice, which should never happen. This last issue was also able to
> lead to random crashes.
>
> Willy, with the help of Maksim, fixed a locking problem in the round-robin
> LB causing occasional crashes of HAProxy because of a divide by zero when
> the next server's position was computed. Willy also fixed an AB/BA locking
> issue in the listener's accept code thanks to Olivier and his self-locked
> list. At the end, all this part was reworked. The lock on the listener queue
> disappeared and the accept code was significantly improved. As mentioned,
> Olivier implemented self-locked lists. It is now safe to manipulate such
> lists with multiple threads without having to worry about concurrency
> issues.
>
> A very old bug on how HTTP sample fetches work was fixed. All HTTP sample
> fetches were buggy because the channel used was chosen depending on the
> sample direction and not on the keyword really used. The request channel was
> used when called during the request analysis and the response one was used
> when called during the response analysis, regardless of the sample really
> called. It could cause a whole bunch of bugs, from undefined behavior
> because the data were extracted from the wrong buffer to a crash of HAProxy.
>
> Many bugs in the HTX part were fixed. The most significant was a problem of
> data corruption when a header was added while some data were already
> received. It was addressed by defragmenting the HTX message. It is a quick
> and dirty fix, waiting for a better solution. The TCP splicing was fixed in
> the H1 multiplexer. The handling of the CONNECT method was refactored to
> work when h1 and h2 are mixed (an h1 client sending requests to an h2 server
> or the opposite). And finally, the option "http-tunnel" was deprecated in
> HTX. It is still supported in legacy HTTP, but in HTX, this option is now
> ignored.
>
> Otherwise, as always, there was a bunch of bugfixes and changes here and
> there. The most noticeable are:
>
>   - A memory leak was fixed in the map converter. And now when a map file is
>     loaded, the default value is parsed only when it is present. This fixes
>     segfaults at parsing time when no default value is provided.
>
>   - Pattern IDs are now assigned after checking the config validity. It
>     fixes a bug where some map identifiers were not assigned (appearing as
>     -1 in show map). Thanks to Pavlos for reporting this bug.
>
>   - Several bugs were fixed on the SPOE, mainly on the way fragmented frames
>     were handled internally.
>
>   - A bug was fixed in the peers. Peer sessions were not always cleanly
>     reset on release, resulting in a bad state for new sessions. In
>     addition, the CLI command "show peers" was added. It dumps info about
>     the peers configured in "peers" sections.
>
>   - Nenad fixed a security issue in the TLS ticket key rotation. Whenever
>     HAProxy was reloaded with rotated keys, the resumption would be broken
>     for previous encryption key. CVE-2019-11323 was assigned to this bug.
>
>   - Build of HAProxy on AIX 5.1 was fixed.
>
>   - Some small improvements were brought to the master-worker mode. The busy
>     polling was disabled on the master process to not waste a dedicated
>     processor on it. And an unambiguous status is now set on exit.
>
>   - The global directive "set-dumpable" was added to enable core dumps. It's
>     always a pain to get a core dump when enabling user/group setting (which
>     disables the dumpable flag on Linux), when using a chroot and/or when
>     HAProxy is started by a service management tool which requires complex
>     operations to just raise the core dump limit. It becomes much easier to
>     retrieve a core file by using this new directive. Temporarily moving the
>     chroot to a user-writable place is generally enough.
>
>   - Missing locks were added in set-map and add-acl HTTP rules.
>
>   - The multithreading mode is now enabled on Wurfl. And it is now
>     compatible with the new buffer API, so it builds again on 1.9.
>
> WARNING: Device detection modules (51Degrees, DeviceAtlas and Wurfl) are not
> compatible with the HTX mode. Respective maintainers work on it. But for
> this release, don't enable the HTX if you need to use one of them.
>
> There is still an unresolved issue when the SSL is heavily used with
> multiple threads. It is unclear for now what the problem is, but an extra
> latency has been observed by a user. After digging, we suspect a problem
> with OpenSSL. You can have more details on this issue on Github (issue #67).
>
>
> Please find the usual URLs below :
>    Site index       : http://www.haproxy.org/
>    Discourse        : http://discourse.haproxy.org/
>    Slack channel    : https://slack.haproxy.org/
>    Issue tracker    : https://github.com/haproxy/haproxy/issues
>    Sources          : http://www.haproxy.org/download/1.9/src/
>    Git repository   : http://git.haproxy.org/git/haproxy-1.9.git/
>    Git Web browsing : http://git.haproxy.org/?p=haproxy-1.9.git
>    Changelog        : http://www.haproxy.org/download/1.9/src/CHANGELOG
>    Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
>
The new images are also available on docker hub.

https://hub.docker.com/r/me2digital/haproxy19
https://hub.docker.com/r/me2digital/haproxy-19-boringssl

With openssl 1.1.1b / Boringssl and prometheus-exporter.

I don't see the exporter in the output of -vv as mentioned in the blog post
https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/

The make line is this

###
+ make -C /usr/src/haproxy TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 SSL_INC=/usr/local/openssl/include SSL_LIB=/usr/local/openssl/lib USE_ZLIB=1 USE_LINUX_SPLICE=1 USE_TFO=1 USE_PCRE_JIT=1 USE_LUA=1 USE_PTHREAD_PSHARED=1 USE_REGPARM=1 USE_GETADDRINFO=1 USE_THREAD=1 EXTRA_OBJS=contrib/prometheus-exporter/service-prometheus.o all install-bin
make: Entering directory `/usr/src/haproxy'
...
###

###
HA-Proxy version 1.9.7 2019/04/25 - https://haproxy.org/
Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
  OPTIONS = USE_LINUX_SPLICE=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_THREAD=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1b 26 Feb 2019
Running on OpenSSL version : OpenSSL 1.1.1b 26 Feb 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
      epoll : pref=300, test result OK
       poll : pref=200, test result OK
     select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX side=FE|BE
              h2 : mode=HTTP side=FE
       <default> : mode=HTX side=FE|BE
       <default> : mode=TCP|HTTP side=FE|BE

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace
###

The full build logs are here

https://gitlab.com/aleks001/haproxy19-centos/-/jobs/202879752
https://gitlab.com/aleks001/haproxy-19-boringssl/-/jobs/202897599

Regards
Aleks

> ---
> Complete changelog :
[snipp]