Hi,
HAProxy 2.4.14 was released on 2022/02/25. It added 26 new commits
after version 2.4.13.
The main issues fixed in this version are:
- A major issue in the H2 multiplexer. An error during response
  processing, after the HEADERS frame parsing, led to a wakeup loop
  consuming all the CPU because the error was not properly reported to the
  upper layer. For instance, this happened if an invalid header value, an
  invalid status code or a forbidden header was found in the
  response. Note that only HAProxy versions >= 2.4 are affected by this
  issue.
- An FD leak on reload failures. When the master process is reloaded on a
  new config, it will try to connect to the previous process' socket to
  retrieve all known listening FDs to be reused by the new listeners. If
  listeners were removed, their unused FDs are simply closed. However,
  there's a catch. In case a socket fails to bind, the master will cancel
  its startup and switch to wait mode for a new operation to happen. In
  this case it didn't close the possibly remaining FDs that were left
  unused.
- An FD leak of a sockpair upon a failed reload. When starting HAProxy in
  master-worker mode, the master pre-allocates a struct mworker_proc and
  does a socketpair() before the configuration parsing. If the
  configuration loading failed, the FDs were never closed because they are
  not part of any listener and are not even in the fdtab.
- Some issues with buffer allocation errors. First, in the H1
  multiplexer. If we failed to send data because we failed to allocate the
  H1 output buffer, the H1 stream was erroneously woken up. This led to a
  wakeup loop trying to send more data, which is not possible because
  there is no output buffer. Then, in process_stream(), if we failed to
  allocate the channel response buffer while a connect or an analysis
  timeout occurred, the stream was woken up in a loop because its task was
  requeued with an expired date. Now an error is reported when this
  happens and the stream processing is interrupted.
  Note there is a mechanism to deal with buffer allocation errors.
  Unfortunately, since 1.7, this mechanism is broken. And it is even
  worse now with the multiplexers. All this part must be refactored. But
  for now, HAProxy may be partially frozen if too many entities are
  waiting for a buffer.
- Some alignment problems that were found when using gcc-11 + RHEL8,
  resulting in instant crashes on startup.
- An issue with multi-line ESMTP responses in the mailer code.
- An issue in the resolvers code with domain names with a trailing dot. The
  trailing dot was not ignored as expected and a junk character was added
  at the end of the encoded part of the domain name.
The rest is the usual bunch of fixes and improvements. As usual, people
using the 2.4 branch are encouraged to migrate to this version.
Thanks everyone for your help and your contributions!
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Wiki : https://github.com/haproxy/wiki/wiki
Sources : http://www.haproxy.org/download/2.4/src/
Git repository : http://git.haproxy.org/git/haproxy-2.4.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git
Changelog : http://www.haproxy.org/download/2.4/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
---
Complete changelog :
Christopher Faulet (6):
      BUG/MINOR: sink: Use the right field in appctx context in release callback
      BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names
      BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message
      BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
      BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
      BUG/MEDIUM: stream: Abort processing if response buffer allocation fails
Ilya Shipitsin (4):
      BUILD: adopt script/build-ssl.sh for OpenSSL-3.0.0beta2
      CI: github actions: add OpenSSL-3.0.0 builds
      CI: github actions: relax OpenSSL-3.0.0 version comparision
      CI: github actions: update OpenSSL to 3.0.1
Lukas Tribus (1):
      BUG/MINOR: mailers: negotiate SMTP, not ESMTP
William Lallemand (5):
      BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload
      BUILD: fix compilation for OpenSSL-3.0.0-alpha17
      CI: github actions: -Wno-deprecated-declarations with OpenSSL 3.0.0
      CI: github: switch to OpenSSL 3.0.0
      BUG/MINOR: tools: url2sa reads ipv4 too far
Willy Tarreau (10):
      MINOR: sock: move the unused socket cleaning code into its own function
      BUG/MEDIUM: mworker: close unused transferred FDs on load failure
      BUG/MEDIUM: fd: always align fdtab[] to 64 bytes
      BUG/MAJOR: compiler: relax alignment constraints on certain structures
      CI: ssl: enable parallel builds for OpenSSL on Linux
      CI: ssl: do not needlessly build the OpenSSL docs
      CI: ssl: keep the old method for ancient OpenSSL versions
      BUG/MINOR: proxy: preset the error message pointer to NULL in parse_new_proxy()
      REGTESTS: fix the race conditions in 40be_2srv_odd_health_checks
      CI: github: enable pool debugging by default
--
Christopher Faulet
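
The resolvers item in the announcement above concerns how a dotted domain name is turned into length-prefixed DNS labels when it ends with a dot. The following is an added example, not HAProxy's code and not part of the announcement: a stand-alone encoder that ignores one trailing dot and rejects empty labels, with the hypothetical names `dns_encode_name` and `dns_same_wire` and the RFC 1035 size limits as its only assumptions.

```c
#include <stddef.h>
#include <string.h>

#define DNS_MAX_LABEL 63   /* RFC 1035: a label is at most 63 bytes */
#define DNS_MAX_NAME  255  /* RFC 1035: an encoded name is at most 255 bytes */

/* Encode a dotted name as length-prefixed labels ending with a zero byte.
 * One trailing dot is ignored, so "example.org." and "example.org" give the
 * same bytes. Returns the encoded length, or -1 on bad input or short buffer. */
int dns_encode_name(const char *name, unsigned char *out, size_t outlen)
{
    size_t len = strlen(name);
    size_t pos = 0;    /* write offset in out */
    size_t start = 0;  /* offset of the current label in name */
    size_t i, llen;

    if (len > 0 && name[len - 1] == '.')
        len--;                        /* drop exactly one trailing dot */

    for (i = 0; len > 0 && i <= len; i++) {
        if (i < len && name[i] != '.')
            continue;                 /* still inside a label */
        llen = i - start;
        if (llen == 0 || llen > DNS_MAX_LABEL)
            return -1;                /* empty label ("a..b") or too long */
        if (pos + llen + 2 > outlen || pos + llen + 2 > DNS_MAX_NAME)
            return -1;                /* keep room for the final zero byte */
        out[pos++] = (unsigned char)llen;
        memcpy(out + pos, name + start, llen);
        pos += llen;
        start = i + 1;
    }
    if (pos + 1 > outlen)
        return -1;
    out[pos++] = 0;                   /* root label terminates the name */
    return (int)pos;
}

/* Return 1 when both spellings encode to identical wire bytes, else 0. */
int dns_same_wire(const char *a, const char *b)
{
    unsigned char wa[DNS_MAX_NAME], wb[DNS_MAX_NAME];
    int la = dns_encode_name(a, wa, sizeof(wa));
    int lb = dns_encode_name(b, wb, sizeof(wb));

    return la > 0 && la == lb && memcmp(wa, wb, (size_t)la) == 0;
}
```

Comparing the encoded form of a name with and without its trailing dot, as `dns_same_wire` does, is a compact regression check for this class of bug.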