Hi,

HAProxy 2.6-dev2 was released on 2022/02/25. It added 212 new commits after version 2.6-dev1.

First, there was the usual bag of bug fixes for such a dev release (~35), as well as a few build fixes. As usual there are ~50 updates to QUIC; certain small but annoying internal architecture limitations are currently being addressed, so I wouldn't be surprised to see a steady flow of patches in that area in the next releases.

The main focus for this version is:

  - end of the migration to OpenSSL 3.0's native API, except for the engines, which will continue to work with the old API for now, and will need to be architected differently for the new one (probably long and tedious work, not even sure if any engine adopted that yet).

  - first pass of conn_stream rework. The addition of the muxes in 1.8 forced us to insert new layers in order not to break existing stuff but these ones need to be progressively remerged with other adjacent layers to reduce the risks of bugs, improve performance and maintainability. The goal is to pass through fewer layers between muxes and streams so that we can get back to a more linear architecture like we had in 1.6 with more direct communications between layers. Easier said than done, but at least that first series now looked stable enough to be merged instead of being continually rebased. More work is expected there in the forthcoming weeks, so that we have a solid base that will help backport fixes from 2.7-dev to 2.6 later without taking risks.

  - the master CLI now supports a debug mode via "mcli-debug-mode on" that allows all regular CLI commands to be visible and accessible for the master process, in order to debug it (e.g. see connections to workers etc). Expert-mode is also available and a set of flags indicating the current mode are now displayed in the prompt.

  - httpclient updates, to support forcing a destination and setting a transfer timeout.

  - improved debugging of the memory pools: now instead of fiddling with build-time options to enable/disable certain debugging features, it becomes possible to enable/disable them from the command line by passing some memory debugging keywords after "-dM". The build-time options still exist and only fix the default settings.

  - small improvements to the BUG_ON() macro and its cousins. More are expected to come soon so that we can start to stuff them at plenty of other places in the code and allow the level of validation to be adjusted at build time, and more importantly that the reasonable checks remain active by default.

  - basic pool debugging and first-level BUG_ON() are now enabled by default in the makefile.

  - the CI now runs with full debugging turned on, and Coverity now also covers QUIC

  - a few new regtests, mainly for SSL stuff.

I sincerely hope that the long series of painful bugs that kept us away from coding is far behind and that we'll soon be able to add more entries above.

Stable branches 2.3 and older should see a release next week I think.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (30):
      MINOR: h3: hardcode the stream id of control stream
      MINOR: mux-quic: remove quic_transport_params_update
      MINOR: quic: rename local tid variable
      MINOR: quic: remove unused xprt rcv_buf operation
      MINOR: quic: take out xprt snd_buf operation
      MINOR: quic: use a global dghlrs for each thread
      BUG/MEDIUM: quic: fix crash on CC if mux not present
      MINOR: qpack: fix typo in trace
      BUG/MINOR: quic: fix FIN stream signaling
      BUG/MINOR: h3: fix the header length for QPACK decoding
      MINOR: h3: remove transfer-encoding header
      MINOR: h3: add documentation on h3_decode_qcs
      MINOR: h3: set properly HTX EOM/BODYLESS on HEADERS parsing
      MINOR: mux-quic: implement rcv_buf
      MINOR: mux-quic: set EOS on rcv_buf
      MINOR: h3: set CS_FL_NOT_FIRST
      MINOR: h3: report frames bigger than rx buffer
      MINOR: h3: extract HEADERS parsing in a dedicated function
      MINOR: h3: implement DATA parsing
      MINOR: h3: report error on HEADERS/DATA parsing
      MINOR: h3: remove unused return value on decode_qcs
      MINOR: mux-quic: fix a possible null dereference in qc_timeout_task
      MINOR: quic: do not modify offset node if quic_rx_strm_frm in tree
      MINOR: h3: fix compiler warning variable set but not used
      MINOR: mux-quic: fix uninitialized return on qc_send
      MINOR: quic: fix handling of out-of-order received STREAM frames
      BUG/MEDIUM: quic: fix received ACK stream calculation
      MINOR: quic: adjust buffer handling for STREAM transmission
      MINOR: quic: liberate the TX stream buffer after ACK processing
      MINOR: quic: add a TODO for a memleak frame on ACK consume

Andrew McDermott (1):
      BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies

Christian Ruppert (1):
      DOC: Fix usage/examples of deprecated ACLs

Christopher Faulet (53):
      BUG/MINOR: httpclient: Revisit HC request and response buffers allocation
      BUG/MEDIUM: httpclient: Xfer the request when the stream is created
      MINOR: httpclient: Don't limit data transfer to 1024 bytes
      BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message
      BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
      BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
      DEBUG: stream-int: Check CS_FL_WANT_ROOM is not set with an empty input buffer
      BUG/MEDIUM: stream: Abort processing if response buffer allocation fails
      MINOR: stream-int: Handle appctx case first when releasing the endpoint
      MINOR: connection: Be prepared to handle conn-stream with no connection
      MINOR: stream: Handle appctx case first when creating a new stream
      MINOR: connection: Add a function to detach a conn-stream from the connection
      MINOR: stream-int: Add function to reset a SI endpoint
      MINOR: stream-int: Add function to attach a connection to a SI
      MINOR: stream-int: Be able to allocate a CS without connection
      MEDIUM: stream: No longer release backend conn-stream on connection retry
      MEDIUM: stream: Allocate backend CS when the stream is created
      REORG: conn_stream: move conn-stream stuff in dedicated files
      MEDIUM: conn-stream: No longer access connection field directly
      MEDIUM: conn-stream: Be prepared to use an appctx as conn-stream endpoint
      MAJOR: conn_stream/stream-int: move the appctx to the conn-stream
      MEDIUM: applet: Set the conn-stream as appctx owner instead of the stream-int
      MEDIUM: conn_stream: Add a pointer to the app object into the conn-stream
      MINOR: stream: Add pointer to front/back conn-streams into stream struct
      MINOR: stream: Slightly rework stream_new to separate CS/SI initialization
      MINOR: stream-int: Always access the stream-int via the conn-stream
      MINOR: backend: Always access the stream-int via the conn-stream
      MINOR: stream: Always access the stream-int via the conn-stream
      MINOR: http-ana: Always access the stream-int via the conn-stream
      MINOR: cli: Always access the stream-int via the conn-stream
      MINOR: log: Always access the stream-int via the conn-stream
      MINOR: frontend: Always access the stream-int via the conn-stream
      MINOR: proxy: Always access the stream-int via the conn-stream
      MINOR: peers: Always access the stream-int via the conn-stream
      MINOR: debug: Always access the stream-int via the conn-stream
      MINOR: hlua: Always access the stream-int via the conn-stream
      MINOR: cache: Always access the stream-int via the conn-stream
      MINOR: dns: Always access the stream-int via the conn-stream
      MINOR: http-act: Always access the stream-int via the conn-stream
      MINOR: httpclient: Always access the stream-int via the conn-stream
      MINOR: tcp-act: Always access the stream-int via the conn-stream
      MINOR: sink: Always access the stream-int via the conn-stream
      MINOR: conn-stream: Rename cs_detach() to cs_detach_endp()
      CLEANUP: conn-stream: Don't export conn-stream pool
      MAJOR: stream/conn_stream: Move the stream-interface into the conn-stream
      CLEANUP: stream-int: rename si_reset() to si_init()
      MINOR: conn-stream: Release a CS when both app and endp are detached
      MINOR: stream: Don't destroy conn-streams but detach app and endp
      MAJOR: check: Use a persistent conn-stream for health-checks
      CLEANUP: conn-stream: Remove cs_destroy()
      CLEANUP: backend: Don't export connect_server anymore
      BUG/MINOR: h3/hq_interop: Fix CS and stream creation
      BUILD: tree-wide: Avoid warnings about undefined entities retrieved from a CS

Frédéric Lécaille (23):
      MINOR: quic: Do not modify a marked as consumed datagram
      MINOR: quic: Wrong datagram buffer passed to quic_lstnr_dgram_dispatch()
      MINOR: quic: Remove a useless test in quic_get_dgram_dcid()
      MINOR: quic: Remove an RX buffer useless lock
      MINOR: quic: Variable used before being checked in ha_quic_add_handshake_data()
      MINOR: quic: EINTR error ignored
      MINOR: quic: Potential overflow expression in qc_parse_frm()
      MINOR: quic: Possible overflow in qpack_get_varint()
      CLEANUP: h3: Unreachable target in h3_uqs_init()
      MINOR: quic: Possible memleak in qc_new_conn()
      MINOR: quic: Useless statement in quic_crypto_data_cpy()
      MINOR: quic: Wrong smoothed rtt initialization
      MINOR: quic: Wrong loss delay computation
      MINOR: quic: Code never reached in qc_ssl_sess_init()
      MINOR: quic: ha_quic_set_encryption_secrets without server specific code
      MINOR: quic: Avoid warning about NULL pointer dereferences
      MINOR: quic: Useless test in quic_lstnr_dghdlr()
      MINOR: quic: Non checked returned value for cs_new() in hq_interop_decode_qcs()
      MINOR: h3: Dead code in h3_uqs_init()
      MINOR: quic: Non checked returned value for cs_new() in h3_decode_qcs()
      MINOR: quic: Possible frame parsers array overrun
      MINOR: quic: Do not retransmit too much packets.
      MINOR: quic: Move quic_rxbuf_pool pool out of xprt part

Ilya Shipitsin (3):
      BUILD: ssl: adjust guard for X509_get_X509_PUBKEY(x)
      REGTESTS: ssl: skip show_ssl_ocspresponse.vtc when BoringSSL is used
      CI: enable QUIC for Coverity scan

Lukas Tribus (1):
      BUG/MINOR: mailers: negotiate SMTP, not ESMTP

Remi Tricot-Le Breton (28):
      BUG/MINOR: ssl: Remove empty lines from "show ssl ocsp-response <id>" output
      CLEANUP: ssl: Remove unused ssl_sock_create_cert function
      MINOR: ssl: Use high level OpenSSL APIs in sha2 converter
      MINOR: ssl: Remove EC_KEY related calls when preparing SSL context
      REGTESTS: ssl: Add test for "curves" and "ecdhe" SSL options
      MINOR: ssl: Remove EC_KEY related calls when creating a certificate
      REGTESTS: ssl: Add test for "generate-certificates" SSL option
      MINOR: ssl: Remove call to SSL_CTX_set_tlsext_ticket_key_cb with OpenSSLv3
      MINOR: ssl: Remove call to HMAC_Init_ex with OpenSSLv3
      MINOR: ssl: Remove call to ERR_func_error_string with OpenSSLv3
      MINOR: ssl: Remove call to ERR_load_SSL_strings with OpenSSLv3
      REGTESTS: ssl: Add tests for DH related options
      MINOR: ssl: Create HASSL_DH wrapper structure
      MINOR: ssl: Add ssl_sock_get_dh_from_bio helper function
      MINOR: ssl: Factorize ssl_get_tmp_dh and append a cbk to its name
      MINOR: ssl: Add ssl_sock_set_tmp_dh helper function
      MINOR: ssl: Add ssl_sock_set_tmp_dh_from_pkey helper function
      MINOR: ssl: Add ssl_new_dh_fromdata helper function
      MINOR: ssl: Build local DH of right size when needed
      MINOR: ssl: Set default dh size to 2048
      MEDIUM: ssl: Replace all DH objects by EVP_PKEY on OpenSSLv3 (via HASSL_DH type)
      MINOR: ssl: Remove calls to SSL_CTX_set_tmp_dh_callback on OpenSSLv3
      BUG/MINOR: jwt: Double free in deinit function
      BUG/MINOR: jwt: Missing pkey free during cleanup
      BUG/MINOR: jwt: Memory leak if same key is used in multiple jwt_verify calls
      BUG/MINOR: ssl: Add missing return value check in ssl_ocsp_response_print
      BUG/MINOR: ssl: Fix leak in "show ssl ocsp-response" CLI command
      BUG/MINOR: ssl: Missing return value check in ssl_ocsp_response_print

William Lallemand (15):
      DOC: management: rework the Master CLI section
      DOC: management: add expert and experimental mode in 9.4.1
      CLEANUP: cleanup a commentary in pcli_parse_request()
      BUG/MINOR: mworker/cli: don't display help on master applet
      MINOR: mworker/cli: mcli-debug-mode enables every command
      MINOR: mworker/cli: add flags in the prompt
      BUG/MINOR: mworker: does not erase the pidfile upon reload
      BUG/MINOR: httpclient/cli: display junk characters in vsn
      BUG/MINOR: httpclient: reinit flags in httpclient_start()
      MINOR: httpclient: sets an alternative destination
      MINOR: httpclient/lua: add 'dst' optionnal field
      BUG/MINOR: tools: url2sa reads ipv4 too far
      MINOR: httpclient/lua: ability to set a server timeout
      BUG/MINOR: httpclient/lua: missing pop for new timeout parameter
      DOC: httpclient/lua: fix the type of the dst parameter

Willy Tarreau (57):
      BUG/MEDIUM: pools: ensure items are always large enough for the pool_cache_item
      BUG/MINOR: pools: always flush pools about to be destroyed
      CLEANUP: pools: don't needlessly set a call mark during refilling of caches
      DEBUG: pools: add extra sanity checks when picking objects from a local cache
      DEBUG: pools: let's add reverse mapping from cache heads to thread and pool
      DEBUG: pools: replace the link pointer with the caller's address on pool_free()
      BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks
      BUG/MAJOR: spoe: properly detach all agents when releasing the applet
      REGTESTS: server: close an occasional race on dynamic_server_ssl.vtc
      REGTESTS: peers: leave a bit more time to peers to synchronize
      BUG/MEDIUM: h2/hpack: fix emission of HPACK DTSU after settings change
      BUG/MINOR: mux-h2: update the session's idle delay before creating the stream
      CLEANUP: httpclient/cli: fix indentation alignment of the help message
      BUG/MEDIUM: httpclient: limit transfers to the maximum available room
      DEBUG: buffer: check in __b_put_blk() whether the buffer room is respected
      MINOR: pools: mark most static pool configuration variables as read-mostly
      CLEANUP: pools: remove the now unused pool_is_crowded()
      REGTESTS: fix the race conditions in 40be_2srv_odd_health_checks
      CLEANUP: httpclient: initialize the client in stage INIT not REGISTER
      CLEANUP: muxes: do not use a dynamic trash in list_mux_protos()
      CLEANUP: vars: move the per-process variables initialization to vars.c
      CLEANUP: init: remove the ifdef on HAPROXY_MEMMAX
      MINOR: pools: disable redundant poisonning on pool_free()
      MINOR: pools: introduce a new pool_debugging global variable
      MINOR: pools: switch the fail-alloc test to runtime only
      MINOR: pools: switch DEBUG_DONT_SHARE_POOLS to runtime
      MINOR: pools: add a new debugging flag POOL_DBG_COLD_FIRST
      MINOR: pools: add a new debugging flag POOL_DBG_INTEGRITY
      MINOR: pools: make the global pools a runtime option.
      MEDIUM: pools: replace CONFIG_HAP_POOLS with a runtime "NO_CACHE" flag.
      MINOR: pools: store the allocated size for each pool
      MINOR: pools: get rid of POOL_EXTRA
      MINOR: pools: replace DEBUG_POOL_TRACING with runtime POOL_DBG_CALLER
      MINOR: pools: replace DEBUG_MEMORY_POOLS with runtime POOL_DBG_TAG
      MINOR: pools: add a debugging flag for memory poisonning option
      MEDIUM: initcall: move STG_REGISTER earlier
      MEDIUM: init: split the early initialization in its own function
      MINOR: init: extract args parsing to their own function
      MEDIUM: init: handle arguments earlier
      MINOR: pools: delegate parsing of command line option -dM to a new function
      MINOR: pools: support setting debugging options using -dM
      BUILD: makefile: enable both DEBUG_STRICT and DEBUG_MEMORY_POOLS by default
      CI: github: enable pool debugging by default
      DOC: internal: update the pools API to mention boot-time settings
      DOC: design: add design thoughts for later simplification of the pools
      DOC: design: commit the temporary design notes on thread groups
      BUG/MINOR: proxy: preset the error message pointer to NULL in parse_new_proxy()
      BUILD: stream: fix build warning with older compilers
      BUG/MINOR: debug: fix get_tainted() to properly read an atomic value
      DEBUG: move the tainted stuff to bug.h for easier inclusion
      DEBUG: cleanup back trace generation
      DEBUG: cleanup BUG_ON() configuration
      DEBUG: mark ABORT_NOW() as unreachable
      DBEUG: add a new WARN_ON() macro
      DEBUG: make the _BUG_ON() macro return the condition
      DEBUG: add a new WARN_ON_ONCE() macro
      DEBUG: report BUG_ON() and WARN_ON() in the tainted flags

---