Hi,

HAProxy 2.7-dev1 was released on 2022/06/24. It added 131 new commits
after version 2.7-dev0.

There's not that much new stuff yet, but plenty of small issues were
addressed, and it's already been 3 weeks since the release, so I figured
it was perfect timing for a -dev1 for those who want to stay on the edge
without taking much risk.

In addition to the fixes that went into 2.6.1 already, some HTTP/3 issues
were addressed and a memory leak affecting QUIC was fixed as well (thanks
to @Tristan971 for his precious help on this one).

Aside from fixes, a few improvements have already started. First, and to
finish with QUIC, QUICv2 version negotiation was implemented. This will
allow us to follow the progress on the QUICv2 drafts more closely.

On HTTP/2, the maintainer of the Lighttpd web server reported a nasty case
that he observed between curl and lighttpd which is very similar to the so
called "Silly Window Syndrome" in TCP, where a difference of one byte between
a buffer size and a window size may progressively make the transfer
degenerate until almost all frames are 1 byte in size. It's not a bug in
any product, just a consequence of making certain standards-compliant stacks
interoperate. Some workarounds were placed in the various components that
allowed the issue to appear. We did careful testing on haproxy and couldn't
reproduce it there, in part due to our buffer management that makes it
difficult to read exactly the sizes that produce the issue. But there's
nothing either that can strictly prevent it from happening (e.g. with a
sender using smaller frames maybe). So we implemented the workaround as
well, which will also result in sending slightly fewer frames during
uploads. The goal is to backport this once it has been exposed for a
while without trouble in 2.7.
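The mechanism described above, as an added simulation that is not part of this announcement nor of HAProxy's mux-h2 code: it models the general silly-window pattern (a slow-reading receiver that credits every small read back immediately through a WINDOW_UPDATE, and a greedy sender that spends each credit the moment it arrives) next to the coalescing workaround, where the receiver withholds WINDOW_UPDATE until a meaningful amount has been consumed. It does not reproduce the exact one-byte buffer/window mismatch seen between curl and lighttpd; the 1000-byte reader, the 131070-byte transfer and the half-window threshold are constructed inputs.

```python
# Toy model of HTTP/2 DATA / WINDOW_UPDATE flow control. Constructed example,
# not HAProxy code; the constants are the RFC 9113 defaults.
MAX_FRAME = 16384        # SETTINGS_MAX_FRAME_SIZE default
INITIAL_WINDOW = 65535   # SETTINGS_INITIAL_WINDOW_SIZE default


class Sender:
    """Greedy sender: emits a DATA frame whenever the window and pending data allow."""

    def __init__(self, total):
        self.window = INITIAL_WINDOW
        self.pending = total
        self.frames = []   # payload size of every DATA frame emitted

    def pump(self):
        sent = 0
        while self.window > 0 and self.pending > 0:
            n = min(self.window, MAX_FRAME, self.pending)
            self.frames.append(n)
            self.window -= n
            self.pending -= n
            sent += n
        return sent

    def window_update(self, increment):
        """Receive a WINDOW_UPDATE and immediately use the new credit."""
        self.window += increment
        return self.pump()


def simulate(total, consume_sizes, wu_threshold):
    """Return the DATA frame sizes needed to move `total` bytes.

    consume_sizes  cycle of byte counts the receiving application reads per step
                   (a slow reader draining its buffer in small pieces)
    wu_threshold   receiver withholds WINDOW_UPDATE until this many consumed bytes
                   are unacknowledged (1 = naive: one WINDOW_UPDATE per read)
    """
    sender = Sender(total)
    inflight = sender.pump()   # bytes received but not yet read by the application
    unacked = 0                # bytes read but not yet credited back to the sender
    step = 0
    while inflight > 0:
        n = min(consume_sizes[step % len(consume_sizes)], inflight)
        step += 1
        inflight -= n
        unacked += n
        # Credit the sender when enough has been consumed, or when the receive
        # buffer ran dry (a stalled sender must never wait for a withheld update).
        if unacked >= wu_threshold or inflight == 0:
            inflight += sender.window_update(unacked)
            unacked = 0
    return sender.frames


if __name__ == "__main__":
    for label, threshold in (("naive", 1), ("coalesced", INITIAL_WINDOW // 2)):
        frames = simulate(131070, [1000], threshold)
        print(f"{label:9}: {len(frames)} frames, smallest {min(frames)} bytes")
```

With the naive receiver, every 1000-byte read turns into a 1000-byte DATA frame, so the second half of the transfer is carried by 65 small frames; with the receiver waiting for half a window before updating, the same transfer takes 9 frames. The threshold also has to be paired with the "buffer ran dry" flush, otherwise a receiver that consumed less than the threshold would leave the sender blocked at window zero.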

Another noticeable improvement is the inclusion of a feature that had
been written in the now dead ROADMAP file for 15 years: multi-criteria
bandwidth limiting. It allows combining multiple filters to enforce
bandwidth limitations on arbitrary criteria by looking at their total
rate in a stick table. Thus it's possible to have per-source, per-
destination, per-network, per-AS, per-interface bandwidth limits in
each direction. In addition there's a stream-specific pair of limits
(one per direction as well) that can even be adjusted on the fly. We
could for example imagine that a client sends a POST request to a
server, that the server responds with a 100-Continue and a header
indicating the max permitted upload bandwidth, and then the transfer
will be automatically capped. Quite frankly, I've been wanting this
for a long time to address the problem of buffer bloat on small links
(e.g. my old ADSL line), and there's now an opportunity to
maintain a good quality of service without saturating links thanks to
this. I'm pretty sure that some users will be creative and may even
come up with ideas for improvements ;-)
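A constructed model of the multi-criteria mechanism described above; this is an added example, not HAProxy's bwlim filter nor its configuration syntax. Each filter keys streams by one criterion (here the source address, or the stream itself), and all streams sharing a key are charged against one byte budget per period, standing in for the total rate a stick-table counter would hold. A stream may forward only what the tightest applicable budget allows, and a per-stream cap can be overridden individually, which is the on-the-fly adjustment. The fixed-period budget is a simplification of a real rate counter, and the addresses, limits and tick granularity are made up.

```python
from collections import defaultdict

PERIOD = 10  # time units per accounting period (think of "1s" split into 10 ticks)


class BwLimit:
    """One bandwidth-limiting filter (constructed model, not HAProxy's bwlim code).

    key_fn maps a stream to the criterion it is limited on; every stream sharing
    a key draws on the same budget per period, like a shared stick-table entry.
    limit_fn returns the bytes allowed per period for that stream.
    """

    def __init__(self, key_fn, limit_fn):
        self.key_fn = key_fn
        self.limit_fn = limit_fn
        self.used = defaultdict(int)  # (key, period number) -> bytes already forwarded

    def available(self, stream, now):
        slot = (self.key_fn(stream), now // PERIOD)
        return max(0, self.limit_fn(stream) - self.used[slot])

    def account(self, stream, now, n):
        self.used[(self.key_fn(stream), now // PERIOD)] += n


def forward(stream, filters, want, now):
    """Bytes this stream may forward at time `now`: the tightest budget among
    all filters that apply to it. Every filter is then charged for that amount."""
    allowed = min([want] + [f.available(stream, now) for f in filters])
    for f in filters:
        f.account(stream, now, allowed)
    return allowed


def simulate(streams, per_src_limit, default_stream_limit, ticks, want):
    """Total bytes each stream gets through over `ticks` time units when every
    stream offers `want` bytes per tick. A stream carrying its own "limit" key
    uses that as its per-stream cap (the value adjusted on the fly); the others
    use the default."""
    filters = [
        BwLimit(lambda s: ("src", s["src"]), lambda s: per_src_limit),
        BwLimit(lambda s: ("stream", s["id"]),
                lambda s: s.get("limit", default_stream_limit)),
    ]
    totals = defaultdict(int)
    for now in range(ticks):
        for s in streams:
            totals[s["id"]] += forward(s, filters, want, now)
    return dict(totals)


if __name__ == "__main__":
    # Constructed traffic: two streams from one client, one from another.
    streams = [{"id": "a", "src": "10.0.0.1"},
               {"id": "b", "src": "10.0.0.1"},
               {"id": "c", "src": "10.0.0.2"}]
    print(simulate(streams, 100_000, 60_000, PERIOD, 20_000))
    streams[1]["limit"] = 10_000   # tighten stream b alone, e.g. from a response header
    print(simulate(streams, 100_000, 60_000, PERIOD, 20_000))
```

In the first run the two streams from 10.0.0.1 together never exceed the 100 000-byte source budget while each stays under its own 60 000-byte cap, so the second one is squeezed to 40 000; the lone stream from 10.0.0.2 gets its full per-stream allowance. Lowering one stream's own cap only affects that stream, which is the property that makes a server-chosen upload limit usable.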

We noticed during the initial QUIC tests that some users faced problems
because they were linking external Lua libs that were built with
incompatible versions of OpenSSL, resulting in some objects being
allocated with one lib and modified with the other, etc. Sometimes the
crash happened during boot, sometimes at runtime. As this is a
nightmare to diagnose ("show libs" helped a lot there), there's now a
warning at boot when it's detected that some runtime libs bring
incompatible dependencies by changing a few critical functions such as
malloc(), free() and a few OpenSSL functions. It's not perfect, it's
not rocket science either, but it seems to do the job. I'm not totally
sold on the solution, so I'm interested in hearing about any unexpected
report so that we can see if we need to relax some checks (e.g. by
making a special case of openssl and comparing ABI versions maybe).
Such a mess reminded me why I was against adopting a module-oriented
architecture a decade ago :-)
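An added Python sketch of the boot-time check described above, not HAProxy's implementation (which lives in its C debug code): resolve a list of critical symbols through the process's own global scope first, then resolve them again through the handle of each library loaded at runtime, and report every symbol that now lands at a different address, since that means the library, or a dependency it pulled in, carries its own copy of the function. The watched-symbol list is constructed, and the libm load in the __main__ block is only there to exercise the code on a library expected to be clean.

```python
import ctypes
import ctypes.util

# Symbols whose silent replacement by a dlopen()'ed library is dangerous:
# allocator entry points plus a few OpenSSL ones, as on the page. This list is
# constructed for the example; HAProxy's own list may differ.
WATCHED_SYMBOLS = ("malloc", "free", "calloc", "realloc",
                   "OPENSSL_init_ssl", "SSL_CTX_new", "SSL_free")


def symbol_addresses(lib, names):
    """Resolve each name through `lib` (dlsym on that handle); None if absent."""
    addrs = {}
    for name in names:
        try:
            addrs[name] = ctypes.cast(getattr(lib, name), ctypes.c_void_p).value
        except AttributeError:
            addrs[name] = None
    return addrs


def process_baseline():
    """Addresses the running process resolves itself: dlopen(NULL) is the global scope."""
    return symbol_addresses(ctypes.CDLL(None), WATCHED_SYMBOLS)


def conflicting_symbols(baseline, lib):
    """Names that resolve, through `lib`, to a different address than the
    process uses. Symbols absent on either side are not conflicts."""
    resolved = symbol_addresses(lib, baseline)
    return sorted(name for name, addr in resolved.items()
                  if addr is not None and baseline[name] is not None
                  and addr != baseline[name])


def load_and_check(path, baseline):
    """dlopen `path` and return (handle, conflicts). A non-empty list is the
    condition under which the process should be flagged as tainted and a
    warning emitted at boot."""
    lib = ctypes.CDLL(path)
    return lib, conflicting_symbols(baseline, lib)


def self_check():
    """Sanity check: resolving through the process's own handle never conflicts."""
    return conflicting_symbols(process_baseline(), ctypes.CDLL(None))


if __name__ == "__main__":
    base = process_baseline()
    libm = ctypes.util.find_library("m")
    if libm:
        _, conflicts = load_and_check(libm, base)
        print("libm conflicts:", conflicts or "none")
    print("self check:", self_check() or "clean")
```

The check is deliberately address-based rather than version-based: two copies of OpenSSL with compatible ABIs would still be reported, which is the "relax some checks" case mentioned above.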

And the rest is essentially cleanups, small refactorings, etc.

At the moment, this version is the most stable 2.7 as all known bugs were
fixed, and nothing risky was merged yet, so it's the right moment to play
with it, particularly if you want to test QUIC or bandwidth limiting.

Some more sensitive updates will come soon in various areas including
threading. The work on pushing the thread limit beyond 64 continues,
we're still far from it but the scheduler was updated so that a series
will be merged soon.

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.7/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.7/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog:
Amaury Denoyelle (23):
      MINOR: connection: support HTTP/3.0 for smp_*_http_major fetch
      MINOR: h3: add h3c pointer into h3s instance
      MINOR: mux-quic: simplify decode_qcs API
      MINOR: mux-quic/h3: adjust demuxing function return values
      BUG/MINOR: h3: fix return value on decode_qcs on error
      BUG/MINOR: h3: fix incorrect BUG_ON assert on SETTINGS parsing
      BUG/MINOR: h3: fix frame type definition
      BUG/MEDIUM: h3: fix SETTINGS parsing
      BUG/MEDIUM: mux-quic: fix flow control connection Tx level
      MINOR: mux-quic: complete BUG_ON on TX flow-control enforcing
      BUG/MINOR: mux-quic: fix memleak on frames rejected by transport
      BUG/MEDIUM: mux-quic: fix segfault on flow-control frame cleanup
      MINOR: qpack: add comments and remove a useless trace
      MINOR: qpack: reduce dependencies on other modules
      BUG/MINOR: qpack: support header litteral name decoding
      MINOR: qpack: add ABORT_NOW on unimplemented decoding
      BUG/MINOR: h3/qpack: deal with too many headers
      MINOR: qpack: improve decoding function
      MINOR: qpack: implement standalone decoder tool
      BUG/BUILD: h3: fix wrong label name
      BUG/MINOR: quic: purge conn Rx packet list on release
      BUG/MINOR: quic: free rejected Rx packets
      BUG/MINOR: qpack: abort on dynamic index field line decoding

Benoit DOLEZ (1):
      BUILD: quic: fix anonymous union for gcc-4.4

Christopher Faulet (51):
      BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails
      BUG/MINOR: ssl_ckch: Free error msg if commit changes on a CA/CRL entry fails
      BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
      BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified
      BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
      BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a CA/CRL entry
      BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
      BUG/MEDIUM: ssl_ckch: Rework 'commit ssl ca-file' to handle full buffer cases
      BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases
      BUG/MEDIUM: httpclient: Don't remove HTX header blocks before duplicating them
      BUG/MEDIUM: httpclient: Rework CLI I/O handler to handle full buffer cases
      MEDIUM: httpclient: Don't close CLI applet at the end of a response
      MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs
      REGTESTS: abortonclose: Add a barrier to not mix up log messages
      REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
      CLEANUP: ssl_ckch: Use corresponding enum for commit_cacrlfile_ctx.cafile_type
      MINOR: ssl_ckch: Simplify I/O handler to commit changes on CA/CRL entry
      BUG/MINOR: ssl_ckch: Use right type for old entry in show_crlfile_ctx
      BUG/MINOR: ssl_ckch: Dump CRL transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Dump CA transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Init right field when parsing "commit ssl crl-file" cmd
      CLEANUP: ssl_ckch: Remove unused field in commit_cacrlfile_ctx structure
      MINOR: ssl_ckch: Simplify structure used to commit changes on CA/CRL entries
      MINOR: ssl_ckch: Remove service context for "set ssl cert" command
      MINOR: ssl_ckch: Remove service context for "set ssl ca-file" command
      MINOR: ssl_ckch: Remove service context for "set ssl crl-file" command
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cafile I/O handler
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_crlfile I/O handler
      BUILD: ssl_ckch: Fix build error about a possible uninitialized value
      BUG/MINOR: ssl_ckch: Fix another possible uninitialized value
      REGTESTS: http_abortonclose: Extend supported versions
      REGTESTS: restrict_req_hdr_names: Extend supported versions
      BUG/MINOR: trace: Test server existence for health-checks to get proxy
      BUG/MINOR: checks: Properly handle email alerts in trace messages
      BUG/MEDIUM: mailers: Set the object type for check attached to an email alert
      REGTESTS: healthcheckmail: Update the test to be functionnal again
      REGTESTS: healthcheckmail: Relax health-check failure condition
      BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration
      CLEANUP: check: Remove useless tests on check's stream-connector
      BUG/MEDIUM: stconn: Don't wakeup applet for send if it won't consume data
      BUG/MEDIUM: cli: Notify cli applet won't consume data during request processing
      BUG/MEDIUM: stream: Properly handle destructive client connection upgrades
      MINOR: stream: Rely on stconn flags to abort stream destructive upgrade
      CLEANUP: stconn: Don't expect to have no sedesc on detach
      BUG/MINOR: log: Properly test connection retries to fix dontlog-normal option
      BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
      BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
      MINOR: freq_ctr: Add a function to get events excess over the current period
      MEDIUM: bwlim: Add support of bandwith limitation at the stream level

Frédéric Lécaille (19):
      BUG/MINOR: quic: Stop hardcoding Retry packet Version field
      MINOR: quic: Add several nonce and key definitions for Retry tag
      BUG/MINOR: quic: Wrong PTO calculation
      MINOR: quic: Parse long packet version from qc_parse_hd_form()
      CLEANUP: quid: QUIC draft-28 no more supported
      MEDIUM: quic: Add QUIC v2 draft support
      MINOR: quic: Released QUIC TLS extension for QUIC v2 draft
      MEDIUM: quic: Compatible version negotiation implementation (draft-08)
      CLEANUP: quic: Remove any reference to boringssl
      BUILD: quic: Wrong HKDF label constant variable initializations
      BUG/MINOR: quic: Unexpected half open connection counter wrapping
      BUG/MINOR: quic_stats: Duplicate "quic_streams_data_blocked_bidi" field name
      BUG/MINOR: quic: Acknowledgement must be forced during handshake
      MINOR: quic: Dump version_information transport parameter
      BUG/MINOR: quic: Missing acknowledgments for trailing packets
      BUG/MINOR: quic: Wrong reuse of fulfilled dgram RX buffer
      BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer
      BUG/MAJOR: quic: Big RX dgrams leak with POST requests
      BUILD: quic+h3: 32-bit compilation errors fixes

Glenn Strauss (1):
      OPTIM: mux-h2: increase h2_settings_initial_window_size default to 64k

Remi Tricot-Le Breton (1):
      BUG/MINOR: ssl: Do not look for key in extra files if already in pem

Tim Duesterhus (1):
      CLEANUP: Re-apply xalloc_size.cocci (2)

William Lallemand (3):
      BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
      REGTESTS: ssl: add the same cert for client/server
      BUG/MEDIUM: mworker: use default maxconn in wait mode

Willy Tarreau (31):
      BUILD: compiler: implement unreachable for older compilers too
      DEV: tcploop: reorder options in the usage message
      DEV: tcploop: make the current address the default address
      DEV: tcploop: make it possible to change the target address of a connect()
      DEV: tcploop: factor out the socket creation
      DEV: tcploop: permit port 0 to ease handling of default options
      DEV: tcploop: add a new "bind" command to bind to ip/port.
      DEV: tcploop: add minimal UDP support
      MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
      BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
      BUG/MINOR: server: do not enable DNS resolution on disabled proxies
      BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
      DOC: design: update the notes on thread groups
      MINOR: task: move profiling bit to per-thread
      CLEANUP: quic: use task_new_on() for single-threaded tasks
      MINOR: tinfo: remove the global thread ID bit (tid_bit)
      CLEANUP: hlua: check for at least 2 threads on a task
      MINOR: thread: get rid of MAX_THREADS_MASK
      OPTIM: task: do not consult shared WQ when we're already full
      DOC: design: update the task vs thread affinity requirements
      BUG/MINOR: task: fix thread assignment in tasklet_kill()
      MINOR: hlua: don't dump empty entries in hlua_traceback()
      MINOR: hlua: add a new hlua_show_current_location() function
      MEDIUM: debug: add a tainted flag when a shared library is loaded
      MEDIUM: debug: detect redefinition of symbols upon dlopen()
      MINOR: intops: add a function to return a valid bit position from a mask
      TESTS: add a unit test for one_among_mask()
      BUILD: ssl_ckch: fix "maybe-uninitialized" build error on gcc-9.4 + ARM
      BUG/MINOR: stream: only free the req/res captures when set
      CLEANUP: pool/tree-wide: remove suffix "_pool" from certain pool names
      MEDIUM: debug: improve DEBUG_MEM_STATS to also report pool alloc/free
