Hi,
HAProxy 2.7.5 was released on 2023/03/17. It added 26 new commits
after version 2.7.4.
This version primarily focuses on fixes:
- Christopher fixed the issue mentioned last week affecting the CLI on UNIX
sockets that was causing some connections not to close properly, so the
workaround consisting in increasing "stats maxconn" is no longer needed.
- The security researchers team "CertiK Skyfall Team" found a possible
crash in the QPACK decoder used by HTTP/3, due to an insufficiently
checked index into the static table causing an out-of-bounds read (the
BUG/MAJOR qpack entry in the changelog below). Since QPACK is only used
by HTTP/3, only deployments with QUIC listeners are exposed to it.
- Some SSL-only errors were reported at the connection level, and that
error prevented the H1 mux from reading and flushing the last pending
data together with the error, possibly causing loops involving mux-h1
until the stream timed out and closed.
- A recent fix for the idle connections was insufficient and/or incorrect,
because it could result in a connection removal being counted twice, so
the idle connection counter could either grow a lot or underflow. The
effect could be an excess of idle connections to a server, possibly
preventing new connections from being established.
- Upon reload (soft-stop), health checks were not properly stopped in pure
backends; this was only done in listen sections because only proxies
having listeners were stopped. This had been the case since 2.4, contrary
to what the doc says, and resolvers had the same problem since 2.6.
- In HTTP/1, the 408 Request Timeout response could fail to be delivered
to the client because the timeout was promoted to an error, preventing
any further write from being done.
- Aurélien found that fc_dst_port() and fc_dst_is_local() could
occasionally fail because their condition tested the ability to
retrieve the source instead of the destination, so they worked if the
destination had already been retrieved and failed otherwise.
- Fred addressed a few possible QUIC crashes related to invalid stream frame
lengths triggering assertions.
- The H2 mux supports chaining multiple buffers at the connection level in
order to store the data from many streams. However if a connection was
severely congested, we could go back to the initial single-buffer situation
where releasing a few kB of data would cause all waiting streams to be
woken up, with only one of them succeeding in sending something. The
symptoms are a lower H2 bit rate, a high CPU usage, a large share of
sc_conn_io_cb() in the run queue in "show tasks" (typically 90% of the
entries) and 5-20 times more calls to sc_conn_io_cb() from
h2_resume_each_sending_h2s() than from anywhere else in "show profiling
tasks". The correct way of proceeding consists in only restarting streams
once the ring of connection buffers goes down to a single buffer. This
also reduces memory usage under congestion.
- The recent fix for multiple "bind fd@0" that could crash on start was
finally backported.
- The H2 mux was always sending its data using short SSL records, which
explains why the performance was not as good as with HTTP/1. The reason
is that dynamic SSL records predate the muxes, and that the mechanism
involved to use them was moved to the mux-H1 during the transition,
without the mux-H2 being aware that there was something to be done. Now
we continue to use small records when sending single buffers, but we use
large records when sending more than one buffer, which indicates that
large objects are being downloaded in parallel or that the link is
congested.
- The H2 mux could sometimes crash when detaching a stream on a congested
connection with no client timeout.
- Some rare bind errors on UNIX sockets were not correctly reported on
startup.
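The QPACK fix above is the one item in this release with a direct security impact, so here is an added example (written for this page, not HAProxy's QPACK decoder) of the check such a decoder needs: every index taken from the wire must be validated against the static table size before it is used to address the table. The table below is a constructed five-entry subset of RFC 9204 Appendix A (the real table has 99 entries), so the size constant, the error codes and the two decoders are assumptions of this example; dynamic-table references and Huffman-coded values are simply reported as unsupported.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of the QPACK static table (RFC 9204, Appendix A).
 * Only the first five entries are reproduced, so QPACK_STATIC_SIZE is
 * this subset's size; any index at or beyond it is out of range here. */
struct qpack_sthdr { const char *name; const char *value; };

static const struct qpack_sthdr qpack_static[] = {
    { ":authority",          ""  },   /* 0 */
    { ":path",               "/" },   /* 1 */
    { "age",                 "0" },   /* 2 */
    { "content-disposition", ""  },   /* 3 */
    { "content-length",      "0" },   /* 4 */
};
#define QPACK_STATIC_SIZE (sizeof(qpack_static) / sizeof(qpack_static[0]))

enum { QPACK_ERR_TRUNCATED = -1, QPACK_ERR_INDEX = -2, QPACK_ERR_UNSUPPORTED = -3 };

/* Single bounds-checked accessor: no decoder path may index the array
 * with a raw value taken from the wire. */
static const struct qpack_sthdr *qpack_static_get(uint64_t idx)
{
    return idx < QPACK_STATIC_SIZE ? &qpack_static[idx] : NULL;
}

/* Prefix integer (RFC 7541 section 5.1, reused by QPACK). Returns bytes
 * consumed, or 0 if the input is truncated or would overflow 64 bits. */
static size_t qpack_decode_int(const uint8_t *buf, size_t len,
                               unsigned prefix_bits, uint64_t *out)
{
    uint64_t max = ((uint64_t)1 << prefix_bits) - 1, v;
    unsigned shift = 0;
    size_t pos = 0;

    if (len == 0)
        return 0;
    v = buf[pos++] & max;
    if (v < max) {
        *out = v;
        return pos;
    }
    while (pos < len) {
        uint8_t b = buf[pos++];
        if (shift > 56)
            return 0;
        v += (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if (!(b & 0x80)) {
            *out = v;
            return pos;
        }
    }
    return 0;
}

struct qpack_field { const char *name; const char *value; size_t value_len; };

/* Decode one field line referencing the static table: Indexed Field Line
 * (1 T idx(6+), RFC 9204 4.5.2) or Literal Field Line With Name Reference
 * (01 N T idx(4+) + value, RFC 9204 4.5.4). Returns bytes consumed or a
 * negative QPACK_ERR_* code. */
static int qpack_decode_field_line(const uint8_t *buf, size_t len,
                                   struct qpack_field *f)
{
    const struct qpack_sthdr *h;
    uint64_t idx, vlen;
    size_t n, pos;

    if (len == 0)
        return QPACK_ERR_TRUNCATED;
    if (buf[0] & 0x80) {                        /* Indexed Field Line */
        if (!(buf[0] & 0x40))
            return QPACK_ERR_UNSUPPORTED;       /* T=0: dynamic table */
        if (!(n = qpack_decode_int(buf, len, 6, &idx)))
            return QPACK_ERR_TRUNCATED;
        if (!(h = qpack_static_get(idx)))       /* the check that matters */
            return QPACK_ERR_INDEX;
        f->name = h->name; f->value = h->value; f->value_len = strlen(h->value);
        return (int)n;
    }
    if ((buf[0] & 0xc0) == 0x40) {              /* Literal With Name Reference */
        if (!(buf[0] & 0x10))
            return QPACK_ERR_UNSUPPORTED;       /* T=0: dynamic table */
        if (!(n = qpack_decode_int(buf, len, 4, &idx)))
            return QPACK_ERR_TRUNCATED;
        if (!(h = qpack_static_get(idx)))
            return QPACK_ERR_INDEX;
        pos = n;
        if (pos >= len)
            return QPACK_ERR_TRUNCATED;
        if (buf[pos] & 0x80)
            return QPACK_ERR_UNSUPPORTED;       /* H=1: Huffman-coded value */
        if (!(n = qpack_decode_int(buf + pos, len - pos, 7, &vlen)))
            return QPACK_ERR_TRUNCATED;
        pos += n;
        if (vlen > len - pos)                   /* second bound: string length */
            return QPACK_ERR_TRUNCATED;
        f->name = h->name; f->value = (const char *)buf + pos; f->value_len = (size_t)vlen;
        return (int)(pos + vlen);
    }
    return QPACK_ERR_UNSUPPORTED;
}

int main(void)
{
    /* Constructed inputs: a valid reference to index 1, then a hostile
     * index (63 + 1 = 64) pointing well past the table. */
    static const uint8_t ok[] = { 0xc1 }, bad[] = { 0xff, 0x01 };
    struct qpack_field f;
    int rc = qpack_decode_field_line(ok, sizeof(ok), &f);
    printf("ok:  rc=%d name=%s value=%.*s\n", rc, f.name, (int)f.value_len, f.value);
    rc = qpack_decode_field_line(bad, sizeof(bad), &f);
    printf("bad: rc=%d (%s)\n", rc, rc == QPACK_ERR_INDEX ? "index rejected" : "?");
    return 0;
}
```

The point of routing both encodings through qpack_static_get() is that the bound is enforced once, in one place, rather than re-implemented (or forgotten) in each decoder branch; the string-length check after the name reference is the second bound an attacker-controlled frame can violate.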
And there were a few tiny improvements as well:
- the support for constant limits in the bandwidth limiter was backported
as planned 2 months ago
- the H2 traces can now dump H2 headers (useful for debugging)
- a few more fields are printed in "show fd"
- a suboptimal recv() sequence in the HTTP/1 mux resulted in a short
16-byte recv() call for objects larger than bufsize-maxrewrite. This
was addressed.
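To make the H2 mux congestion fix described above concrete, here is an added simulation (example code written for this page, not HAProxy's mux-h2) of the two wake-up policies: waking every waiting stream as soon as any room is released versus waiting until the connection's buffer ring is back to a single buffer. The ring is modelled as a byte count over RING_BUFS buffers of BUF_SIZE bytes, br_single() is a stand-in named after the helper in the changelog, and the stream count, per-stream payload and drain rate are constructed parameters.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16384   /* one connection buffer (assumed size) */
#define RING_BUFS  8       /* max buffers chained on the connection (assumed) */
#define NSTREAMS   100     /* streams with data pending on the congested conn */

struct stream { size_t pending; };

struct conn {
    size_t queued;                 /* bytes sitting in the buffer ring */
    struct stream s[NSTREAMS];
};

struct stats {
    unsigned long wakeups;         /* stream tasklets woken */
    unsigned long useless;         /* woken but could not send a byte */
    unsigned long ticks;           /* transport write rounds */
    size_t sent;                   /* bytes that reached the ring */
};

/* Buffers the queued data occupies; the ring never drops below one. */
static size_t br_count(const struct conn *c)
{
    size_t n = (c->queued + BUF_SIZE - 1) / BUF_SIZE;
    return n ? n : 1;
}

/* Stand-in for the br_single() check named in the changelog: true once
 * the ring is back to a single buffer. */
static int br_single(const struct conn *c) { return br_count(c) <= 1; }

static size_t ring_room(const struct conn *c) { return RING_BUFS * BUF_SIZE - c->queued; }

static int any_waiting(const struct conn *c)
{
    for (int i = 0; i < NSTREAMS; i++)
        if (c->s[i].pending)
            return 1;
    return 0;
}

/* Wake every stream that still has data and let it push what fits, the
 * way a resume-all loop does. Streams woken with no room are counted. */
static void resume_each_sending(struct conn *c, struct stats *st)
{
    for (int i = 0; i < NSTREAMS; i++) {
        struct stream *s = &c->s[i];
        size_t room, n;
        if (!s->pending)
            continue;
        st->wakeups++;
        room = ring_room(c);
        n = s->pending < room ? s->pending : room;
        if (!n) {
            st->useless++;             /* woken for nothing, stays waiting */
            continue;
        }
        c->queued += n;
        s->pending -= n;
        st->sent += n;
    }
}

/* Simulate a congested connection: the transport drains drain_per_tick
 * bytes per round. policy 0 wakes waiters whenever any room appears (old
 * behaviour); policy 1 waits until br_single() (the 2.7.5 behaviour). */
static struct stats simulate(int policy, size_t per_stream, size_t drain_per_tick)
{
    struct conn c;
    struct stats st = { 0, 0, 0, 0 };

    memset(&c, 0, sizeof(c));
    for (int i = 0; i < NSTREAMS; i++)
        c.s[i].pending = per_stream;

    resume_each_sending(&c, &st);             /* initial burst fills the ring */
    while (any_waiting(&c) || c.queued) {
        size_t d = c.queued < drain_per_tick ? c.queued : drain_per_tick;
        st.ticks++;
        c.queued -= d;                        /* transport wrote d bytes out */
        if (!any_waiting(&c))
            continue;
        if (policy ? br_single(&c) : ring_room(&c) > 0)
            resume_each_sending(&c, &st);
    }
    return st;
}

int main(void)
{
    for (int policy = 0; policy < 2; policy++) {
        struct stats st = simulate(policy, 65536, 4096);
        printf("%s: ticks=%lu wakeups=%lu useless=%lu sent=%zu\n",
               policy ? "wake on br_single" : "wake on any room",
               st.ticks, st.wakeups, st.useless, st.sent);
    }
    return 0;
}
```

With 100 streams of 64 kB each and 4 kB drained per round, the old policy wakes every waiting stream on every round and all but one of them find no room, which is the sc_conn_io_cb() flood visible in "show tasks"; the single-buffer policy wakes them only when a whole buffer's worth of room has been freed, so the same bytes go out with an order of magnitude fewer wake-ups and far fewer useless ones. The exact ratio depends on the constructed parameters, not on the 5-20x figure quoted in the announcement.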
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.7/src/
Git repository : https://git.haproxy.org/git/haproxy-2.7.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.7.git
Changelog : https://www.haproxy.org/download/2.7/src/CHANGELOG
Dataplane API :
https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Aurelien DARRAGON (4):
BUG/MINOR: tcp_sample: fix a bug in fc_dst_port and fc_dst_is_local
sample fetches
BUG/MINOR: proto_ux: report correct error when bind_listener fails
BUG/MINOR: protocol: fix minor memory leak in protocol_bind_all()
BUG/MINOR: sock_unix: match finalname with tempname in sock_unix_addrcmp()
Christopher Faulet (11):
BUG/MEDIUM: mux-pt: Set EOS on error on sending path if read0 was received
BUG/MINOR: mux-h1: Don't report an H1C error on client timeout
BUG/MEDIUM: proxy: properly stop backends on soft-stop
BUG/MEDIUM: resolvers: Properly stop server resolutions on soft-stop
DEBUG: cli/show_fd: Display connection error code
DEBUG: ssl-sock/show_fd: Display SSL error code
BUG/MEDIUM: mux-h1: Don't block SE_FL_ERROR if EOS is not reported on H1C
BUG/MEDIUM: connection: Preserve flags when a conn is removed from an
idle list
MEDIUM: bwlim: Support constants limit or period on set-bandwidth-limit
actions
BUG/MINOR: mux-h2: Fix possible null pointer deref on h2c in
_h2_trace_header()
BUG/MEDIUM: spoe: Don't set the default traget for the SPOE agent frontend
Frédéric Lécaille (2):
BUG/MINOR: quic: Missing STREAM frame length updates
BUG/MINOR: quic: Missing STREAM frame data pointer updates
Willy Tarreau (9):
BUG/MINOR: mux-h2: make sure the h2c task exists before refreshing it
MINOR: buffer: add br_single() to check if a buffer ring has more than
one buf
BUG/MEDIUM: mux-h2: only restart sending when mux buffer is decongested
BUG/MINOR: mux-h2: set CO_SFL_STREAMER when sending lots of data
BUG/MEDIUM: listener: duplicate inherited FDs if needed
MINOR: h2: add h2_phdr_to_ist() to make ISTs from pseudo headers
MEDIUM: mux-h2/trace: add tracing support for headers
BUG/MAJOR: qpack: fix possible read out of bounds in static table
OPTIM: mux-h1: limit first read size to avoid wrapping
---