Hi,

HAProxy 2.6.13 was released on 2023/05/02. It added 97 new commits
after version 2.6.12.

This update is essentially equivalent to the update from 2.7.6 to 2.7.8
so I'm mostly copy-pasting and adjusting the relevant descriptions from
Christopher's 2.7.7 announce (he did all the backports, we just wanted
to grant a few more days to catch possible regressions).

On the QUIC front, which represents ~25 commits, there were essentially
three issues that could lead to visible problems:

  * The Congestion algorithms state was shared between connections
    instead of being private. This could trigger BUG_ON() and cause
    crashes.

  * Some contradictions in code could lead to very long loops sending
    empty packets (PADDING only packets). One visible effect was a very
    low throughput performance when the client serialized its requests.

  * The control window in congestion algorithms could be zero because
    of a wrong calculation and could lead to a SIGFPE crash.

On soft-stop or reload, idle DNS sessions are now killed. Since 2.6.11,
these sessions were no longer killed, preventing the process from
finishing. In addition, we now force the connect timeout for the DNS
resolution. The "resolve" timeout is used to set its value. Having no
connect timeout was an issue for resolution over TCP. Connection
failures might take quite long to report, leading to an excess of
unusable DNS sessions in connecting state. It was especially visible on
soft-stop because this prevented the process from exiting quickly.

Still on the DNS, errors are now properly handled when a response is
consumed. This was an issue for truncated responses followed by an
abort. The applet could ignore the abort and loop waiting for more data
until a timeout is triggered. A similar issue was fixed in the syslog
applet.

Several bugs in the lua part were fixed. First, except for lua tasks, it
is no longer possible to register functions at runtime. It was clearly
stated in the documentation, but nothing forbade it in the code. An
error is now triggered if this happens, preventing potential segfaults.
Memory leaks on references were fixed and the lua locking was simplified
to be re-entrant to prevent deadlocks.

Aurélien fixed several issues on the servers management. The "visible"
server list consistency was fixed. It was possible, at least in theory,
to access an invalid server if several dynamic server deletions were
performed while the list was accessed. For instance it might happen when
the server list was dumped in the stats. He also fixed a wrong report
for tracking servers leaving drain state. Finally, he centralized proxy
and server stats updates on server state transition to be sure to not
miss an update on some transitions.

The pool_gc() calls that were made a bit too often on stopping proxies
were relaxed. Sometimes they were causing excess memory contention and
were even competing against malloc_trim().

Aurélien has extended the internal listener API to better handle the
resume operation. One noticeable effect is that listeners that have an
ABNS abstract namespace socket can now support reload without crashing
haproxy. (Note: this was already merged in 2.7 prior to 2.7.7, and left
under observation for two versions before backporting to 2.6).

The remaining are the usual bunch of bug fixes:

  * It was possible to trigger the watchdog purging stick-tables on
    soft-stop. To not spend too much time purging expired entries, we
    now enforce a budget limitation and the purge is performed in
    several steps. In addition, memory is reclaimed only when entries
    are released. Indeed, this operation involves a call to
    malloc_trim() on glibc, which is rather expensive.

  * It was possible for a thread to wait forever (well, till the
    watchdog notices) to become the exclusive owner of a file descriptor
    after it had lost it; this could happen with synchronous errors met
    in the DNS for example.

  * NUMA topology detection on FreeBSD was fixed.

  * It was not possible to use the lua filter API if used in conjunction
    with a "wait-for-body" action. Switching the HTTP message to DATA
    state prevented the call to most of the lua filter functions. It was
    fixed by keeping the HTTP message in BODY state at this stage.

  * The read expiration date is now updated on synchronous sends for all
    streams except independent ones. This fixed an old bug when a filter
    is configured. Write activities on synchronous sends were lost. With
    slow clients uploading large objects, it was possible to reach the
    server timeout.

  * ssl-min-ver and ssl-max-ver parameters are now duplicated for
    bundles in crt-list.

  * An error is reported during configuration parsing if the "len"
    argument of a stick table type contains incorrect characters.

  * DeviceAtlas compile options were updated to support the API v3 from
    3.1.7 and onwards.

  * The strict-sni documentation was updated to state it is possible to
    start without certificate on a bind line.

Thanks to all those who helped with these fixes and to Christopher for
dealing with the backports.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.6/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.6.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.6.git
   Changelog        : https://www.haproxy.org/download/2.6/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (6):
      BUG/MINOR: task: allow to use tasklet_wakeup_after with tid -1
      BUG/MINOR: quic: transform qc_set_timer() as a reentrant function
      BUG/MINOR: mux-quic: properly handle STREAM frame alloc failure
      BUG/MINOR: quic: prevent buggy memcpy for empty STREAM
      MINOR: mux-quic: do not set buffer for empty STREAM frame
      MINOR: mux-quic: do not allocate Tx buf for empty STREAM frame

Aurelien DARRAGON (33):
      MINOR: proxy/pool: prevent unnecessary calls to pool_gc()
      BUG/MINOR: backend: make be_usable_srv() consistent when stopping
      MINOR: server: add SRV_F_DELETED flag
      BUG/MINOR: server/del: fix srv->next pointer consistency
      BUG/MINOR: stats: properly handle server stats dumping resumption
      BUG/MINOR: sink: free forward_px on deinit()
      BUG/MINOR: log: free log forward proxies on deinit()
      BUG/MINOR: hlua: enforce proper running context for register_x functions
      CLEANUP: hlua: fix conflicting comment in hlua_ctx_destroy()
      MINOR: proto_uxst: add resume method
      MINOR: listener/api: add lli hint to listener functions
      MINOR: listener: add relax_listener() function
      MINOR: listener: workaround for closing a tiny race between resume_listener() and stopping
      MINOR: listener: make sure we don't pause/resume bypassed listeners
      BUG/MEDIUM: listener: fix pause_listener() suspend return value handling
      BUG/MINOR: listener: fix resume_listener() resume return value handling
      BUG/MEDIUM: resume from LI_ASSIGNED in default_resume_listener()
      MINOR: listener: pause_listener() becomes suspend_listener()
      BUG/MEDIUM: listener/proxy: fix listeners notify for proxy resume
      MEDIUM: proto_ux: properly suspend named UNIX listeners
      MINOR: proto_ux: ability to dump ABNS names in error messages
      MINOR: hlua: add simple hlua reference handling API
      BUG/MINOR: hlua: fix reference leak in core.register_task()
      BUG/MINOR: hlua: fix reference leak in hlua_post_init_state()
      BUG/MINOR: hlua: prevent function and table reference leaks on errors
      MINOR: hlua: simplify lua locking
      BUG/MEDIUM: hlua: prevent deadlocks with main lua lock
      BUG/MEDIUM: proxy/sktable: prevent watchdog trigger on soft-stop
      BUG/MINOR: server: incorrect report for tracking servers leaving drain
      MINOR: server: explicitly commit state change in srv_update_status()
      BUG/MINOR: server: don't miss proxy stats update on server state transitions
      BUG/MINOR: server: don't miss server stats update on server state transitions
      BUG/MINOR: server: don't use date when restoring last_change from state file

Christopher Faulet (13):
      Revert "BUG/MEDIUM: stconn: Don't rearm the read expiration date if EOI was reached"
      BUG/MEDIUM: channel: Improve reports for shut in co_getblk()
      BUG/MEDIUM: dns: Properly handle error when a response consumed
      MINOR: http-ana: Add a HTTP_MSGF flag to state the Expect header was checked
      BUG/MINOR: http-ana: Don't switch message to DATA when waiting for payload
      BUG/MEDIUM: dns: Kill idle DNS sessions during stopping stage
      BUG/MINOR: resolvers: Wakeup DNS idle task on stopping
      BUG/MEDIUM: resolvers: Force the connect timeout for DNS resolutions
      BUG/MINOR: stream: Fix test on SE_FL_ERROR on the wrong entity
      REGTESTS: fix the race conditions in log_uri.vtc
      BUG/MEDIUM: log: Properly handle client aborts in syslog applet
      CLEANUP: backend: Remove useless debug message in assign_server()
      BUG/MEDIUM: Update read expiration date on synchronous send

David Carlier (1):
      BUILD: da: extends CFLAGS to support API v3 from 3.1.7 and onwards.

Frédéric Lécaille (33):
      BUG/MINOR: quic: Wrong use of now_ms timestamps (cubic algo)
      BUG/MINOR: quic: Wrong use of now_ms timestamps (newreno algo)
      BUG/MINOR: quic: Missing max_idle_timeout initialization for the connection
      BUG/MINOR: quic: Wrong rtt variance computing
      BUG/MINOR: quic: Cubic congestion control window may wrap
      MINOR: quic: Add missing traces in cubic algorithm implementation
      BUG/MINOR: quic: Remaining useless statements in cubic slow start callback
      BUG/MAJOR: quic: Congestion algorithms states shared between the connection
      BUG/MINOR: quic: Remove useless BUG_ON() in newreno and cubic algo implementation
      BUG/MINOR: quic: Possible wrong PTO computing
      MINOR: quic: Trace fix in quic_pto_pktns() (handshaske status)
      BUG/MINOR: quic: Wrong packet number space probing before confirmed handshake
      MINOR: quic: Modify qc_try_rm_hp() traces
      MINOR: quic: Dump more information at proto level when building packets
      MINOR: quic: Add a trace for packet with an ACK frame
      BUG/MINOR: quic: Ignored less than 1ms RTTs
      MINOR: quic: Add connection flags to traces
      BUG/MINOR: quic: Possible wrapped values used as ACK tree purging limit.
      BUG/MINOR: quic: SIGFPE in quic_cubic_update()
      MINOR: quic: Remove a useless test about probing in qc_prep_pkts()
      BUG/MINOR: quic: Wrong Application encryption level selection when probing
      BUG/MINOR: quic: Stop removing ACK ranges when building packets
      MINOR: quic: Do not allocate too much ack ranges
      BUG/MINOR: quic: Unchecked buffer length when building the token
      BUG/MINOR: quic: Wrong Retry token generation timestamp computing
      MINOR: quic: Add traces to qc_kill_conn()
      MINOR: quic: Add trace to debug idle timer task issues
      BUG/MINOR: quic: Possible crashes in qc_idle_timer_task()
      BUG/MEDIUM: quic: Code sanitization about acknowledgements requirements
      MINOR: quic: Add <pto_count> to the traces
      MINOR: quic: Display the packet number space flags in traces
      MINOR: quic: Move traces at proto level
      BUG/MINOR: quic: Useless probing retransmission in draining or killing state

Ilya Shipitsin (2):
      CI: bump "actions/checkout" to v3 for cross zoo matrix
      CI: cirrus-ci: bump FreeBSD image to 13-1

Marcos de Oliveira (1):
      DOC/MINOR: reformat configuration.txt's "quoting and escaping" table

Olivier Houchard (1):
      BUG/MEDIUM: fd: don't wait for tmask to stabilize if we're not in it.

Remi Tricot-Le Breton (1):
      BUG/MINOR: ssl: ssl-(min|max)-ver parameter not duplicated for bundles in crt-list

William Lallemand (2):
      DOC: config: strict-sni allows to start without certificate
      BUG/MINOR: stick_table: alert when type len has incorrect characters

Willy Tarreau (4):
      BUG/MINOR: cfgparse: make sure to include openssl-compat
      BUG/MINOR: config: fix NUMA topology detection on FreeBSD
      BUILD: sock_inet: forward-declare struct receiver
      BUILD: proto_tcp: export the correct names for proto_tcpv[46]

---