Hi,
HAProxy 2.6.13 was released on 2023/05/02. It added 97 new commits
after version 2.6.12.
This update is essentially equivalent to the update from 2.7.6 to 2.7.8
so I'm mostly copy-pasting and adjusting the relevant descriptions from
Christopher's 2.7.7 announce (he did all the backports, we just wanted
to grant a few more days to catch possible regressions).
On the QUIC front, which represents ~25 commits, there were essentially
three issues that could lead to visible problems:
* The Congestion algorithms state was shared between connections
instead of being private. This could trigger BUG_ON() and cause
crashes.
* Some contradictions in code could lead to very long loops sending
empty packets (PADDING only packets). One visible effect was a very
low throughput performance when the client serialized its requests.
* The control window in congestion algorithms could be zero because of
a wrong calculation and could lead to a SIGFPE crash.
On soft-stop or reload, idle DNS sessions are now killed. Since 2.6.11,
these sessions were no longer killed, preventing the process from
finishing. In addition, we now force the connect timeout for the DNS
resolution. The "resolve" timeout is used to set its value. Having no
connect timeout was an issue for resolution over TCP. Connection
failures might take quite long to report, leading to an excess of
unusable DNS sessions in connecting state. It was especially visible on
soft-stop because this prevented the process from exiting quickly. Still on
the DNS, errors are now properly handled when a response is
consumed. This was an issue for truncated responses followed by an
abort. The applet could ignore the abort and loop waiting for more data
until a timeout is triggered. A similar issue was fixed in the syslog
applet.
Several bugs in the lua part were fixed. First, except for lua tasks, it is
no longer possible to register functions at runtime. It was clearly
stated in the documentation, but nothing forbade it in the code. An
error is now triggered if this happens, preventing potential
segfaults. Memory leaks on references were fixed and the lua locking was
simplified to be re-entrant to prevent deadlocks.
Aurélien fixed several issues on the servers management. The "visible"
server list consistency was fixed. It was possible, at least in theory,
to access an invalid server if several dynamic server deletions were
performed while the list was accessed. For instance it might happen when
the server list was dumped in the stats. He also fixed a wrong report for
tracking servers leaving drain state. Finally, he centralized proxy and
server stats updates on server state transition to be sure to not miss
an update on some transitions.
The pool_gc() calls that were made a bit too often on stopping proxies
were relaxed. Sometimes they were causing excess memory contention and
were even competing against malloc_trim().
Aurélien has extended the internal listener API to better handle the
resume operation. One noticeable effect is that listeners that have an
ABNS abstract namespace socket can now support reload without crashing
haproxy. (Note: this was already merged in 2.7 prior to 2.7.7, and left
under observation for two versions before backporting to 2.6).
The remaining are the usual bunch of bug fixes:
* It was possible to trigger the watchdog purging stick-tables on
soft-stop. To not spend too much time purging expired entries, we now
enforce a budget limitation and the purge is performed in several
steps. In addition, memory is reclaimed only when entries are
released. Indeed, this operation involves a call to malloc_trim() on
glibc, which is rather expensive.
* It was possible for a thread to wait forever (well, till the watchdog
notices) to become the exclusive owner of a file descriptor after it
had lost it; this could happen with synchronous errors met in the
DNS for example.
* NUMA topology detection on FreeBSD was fixed.
* It was not possible to use the lua filter API if used in conjunction
with a "wait-for-body" action. Switching the HTTP message to DATA
state prevented the call to most lua filter functions. It was
fixed by keeping the HTTP message in BODY state at this stage.
* The read expiration date is now updated on synchronous sends for all
streams except independent ones. This fixed an old bug when a filter
is configured. Write activities on synchronous sends were lost. With
slow clients uploading large objects, it was possible to reach the
server timeout.
* ssl-min-ver and ssl-max-ver parameters are now duplicated for bundles
in crt-list.
* An error is reported during configuration parsing when the "len"
argument of a stick table type contains incorrect characters.
* DeviceAtlas compile options were updated to support the API v3 from
3.1.7 and onwards.
* The strict-sni documentation was updated to state it is possible to
start without certificate on a bind line.
Thanks to all those who helped with these fixes and to Christopher for
dealing with the backports.
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.6/src/
Git repository : https://git.haproxy.org/git/haproxy-2.6.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.6.git
Changelog : https://www.haproxy.org/download/2.6/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (6):
BUG/MINOR: task: allow to use tasklet_wakeup_after with tid -1
BUG/MINOR: quic: transform qc_set_timer() as a reentrant function
BUG/MINOR: mux-quic: properly handle STREAM frame alloc failure
BUG/MINOR: quic: prevent buggy memcpy for empty STREAM
MINOR: mux-quic: do not set buffer for empty STREAM frame
MINOR: mux-quic: do not allocate Tx buf for empty STREAM frame
Aurelien DARRAGON (33):
MINOR: proxy/pool: prevent unnecessary calls to pool_gc()
BUG/MINOR: backend: make be_usable_srv() consistent when stopping
MINOR: server: add SRV_F_DELETED flag
BUG/MINOR: server/del: fix srv->next pointer consistency
BUG/MINOR: stats: properly handle server stats dumping resumption
BUG/MINOR: sink: free forward_px on deinit()
BUG/MINOR: log: free log forward proxies on deinit()
BUG/MINOR: hlua: enforce proper running context for register_x functions
CLEANUP: hlua: fix conflicting comment in hlua_ctx_destroy()
MINOR: proto_uxst: add resume method
MINOR: listener/api: add lli hint to listener functions
MINOR: listener: add relax_listener() function
MINOR: listener: workaround for closing a tiny race between resume_listener() and stopping
MINOR: listener: make sure we don't pause/resume bypassed listeners
BUG/MEDIUM: listener: fix pause_listener() suspend return value handling
BUG/MINOR: listener: fix resume_listener() resume return value handling
BUG/MEDIUM: resume from LI_ASSIGNED in default_resume_listener()
MINOR: listener: pause_listener() becomes suspend_listener()
BUG/MEDIUM: listener/proxy: fix listeners notify for proxy resume
MEDIUM: proto_ux: properly suspend named UNIX listeners
MINOR: proto_ux: ability to dump ABNS names in error messages
MINOR: hlua: add simple hlua reference handling API
BUG/MINOR: hlua: fix reference leak in core.register_task()
BUG/MINOR: hlua: fix reference leak in hlua_post_init_state()
BUG/MINOR: hlua: prevent function and table reference leaks on errors
MINOR: hlua: simplify lua locking
BUG/MEDIUM: hlua: prevent deadlocks with main lua lock
BUG/MEDIUM: proxy/sktable: prevent watchdog trigger on soft-stop
BUG/MINOR: server: incorrect report for tracking servers leaving drain
MINOR: server: explicitly commit state change in srv_update_status()
BUG/MINOR: server: don't miss proxy stats update on server state transitions
BUG/MINOR: server: don't miss server stats update on server state transitions
BUG/MINOR: server: don't use date when restoring last_change from state file
Christopher Faulet (13):
Revert "BUG/MEDIUM: stconn: Don't rearm the read expiration date if EOI was reached"
BUG/MEDIUM: channel: Improve reports for shut in co_getblk()
BUG/MEDIUM: dns: Properly handle error when a response consumed
MINOR: http-ana: Add a HTTP_MSGF flag to state the Expect header was checked
BUG/MINOR: http-ana: Don't switch message to DATA when waiting for payload
BUG/MEDIUM: dns: Kill idle DNS sessions during stopping stage
BUG/MINOR: resolvers: Wakeup DNS idle task on stopping
BUG/MEDIUM: resolvers: Force the connect timeout for DNS resolutions
BUG/MINOR: stream: Fix test on SE_FL_ERROR on the wrong entity
REGTESTS: fix the race conditions in log_uri.vtc
BUG/MEDIUM: log: Properly handle client aborts in syslog applet
CLEANUP: backend: Remove useless debug message in assign_server()
BUG/MEDIUM: Update read expiration date on synchronous send
David Carlier (1):
BUILD: da: extends CFLAGS to support API v3 from 3.1.7 and onwards.
Frédéric Lécaille (33):
BUG/MINOR: quic: Wrong use of now_ms timestamps (cubic algo)
BUG/MINOR: quic: Wrong use of now_ms timestamps (newreno algo)
BUG/MINOR: quic: Missing max_idle_timeout initialization for the connection
BUG/MINOR: quic: Wrong rtt variance computing
BUG/MINOR: quic: Cubic congestion control window may wrap
MINOR: quic: Add missing traces in cubic algorithm implementation
BUG/MINOR: quic: Remaining useless statements in cubic slow start callback
BUG/MAJOR: quic: Congestion algorithms states shared between the connection
BUG/MINOR: quic: Remove useless BUG_ON() in newreno and cubic algo implementation
BUG/MINOR: quic: Possible wrong PTO computing
MINOR: quic: Trace fix in quic_pto_pktns() (handshaske status)
BUG/MINOR: quic: Wrong packet number space probing before confirmed handshake
MINOR: quic: Modify qc_try_rm_hp() traces
MINOR: quic: Dump more information at proto level when building packets
MINOR: quic: Add a trace for packet with an ACK frame
BUG/MINOR: quic: Ignored less than 1ms RTTs
MINOR: quic: Add connection flags to traces
BUG/MINOR: quic: Possible wrapped values used as ACK tree purging limit.
BUG/MINOR: quic: SIGFPE in quic_cubic_update()
MINOR: quic: Remove a useless test about probing in qc_prep_pkts()
BUG/MINOR: quic: Wrong Application encryption level selection when probing
BUG/MINOR: quic: Stop removing ACK ranges when building packets
MINOR: quic: Do not allocate too much ack ranges
BUG/MINOR: quic: Unchecked buffer length when building the token
BUG/MINOR: quic: Wrong Retry token generation timestamp computing
MINOR: quic: Add traces to qc_kill_conn()
MINOR: quic: Add trace to debug idle timer task issues
BUG/MINOR: quic: Possible crashes in qc_idle_timer_task()
BUG/MEDIUM: quic: Code sanitization about acknowledgements requirements
MINOR: quic: Add <pto_count> to the traces
MINOR: quic: Display the packet number space flags in traces
MINOR: quic: Move traces at proto level
BUG/MINOR: quic: Useless probing retransmission in draining or killing state
Ilya Shipitsin (2):
CI: bump "actions/checkout" to v3 for cross zoo matrix
CI: cirrus-ci: bump FreeBSD image to 13-1
Marcos de Oliveira (1):
DOC/MINOR: reformat configuration.txt's "quoting and escaping" table
Olivier Houchard (1):
BUG/MEDIUM: fd: don't wait for tmask to stabilize if we're not in it.
Remi Tricot-Le Breton (1):
BUG/MINOR: ssl: ssl-(min|max)-ver parameter not duplicated for bundles in crt-list
William Lallemand (2):
DOC: config: strict-sni allows to start without certificate
BUG/MINOR: stick_table: alert when type len has incorrect characters
Willy Tarreau (4):
BUG/MINOR: cfgparse: make sure to include openssl-compat
BUG/MINOR: config: fix NUMA topology detection on FreeBSD
BUILD: sock_inet: forward-declare struct receiver
BUILD: proto_tcp: export the correct names for proto_tcpv[46]
---
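
Added example (not part of the announcement and not HAProxy project code): a Python script that maps directives found in a haproxy.cfg to the fix areas described in the announcement, so an operator on a 2.6 release older than 2.6.13 can see which fixes touch features they actually use. The sample configuration, the pattern table and the function names are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the announcement).
SAMPLE_CFG = """\
global
    lua-load /etc/haproxy/hooks.lua

resolvers internal
    nameserver ns1 tcp@10.0.0.53:53
    timeout resolve 1s

frontend web
    bind quic4@:443 ssl crt-list /etc/haproxy/certs.list alpn h3
    bind abns@admin-sock
    http-request wait-for-body time 2s

backend app
    stick-table type string len 32 size 100k expire 10m
"""

# Directive pattern -> fix area named in the 2.6.13 announcement.
CHECKS = [
    (r"^\s*bind\s.*\bquic[46]@", "QUIC congestion control / empty-packet loops"),
    (r"^\s*nameserver\s+\S+\s+tcp[46]?@", "DNS over TCP connect timeout, idle sessions"),
    (r"^\s*lua-load(-per-thread)?\s", "lua runtime registration, leaks, locking"),
    (r"^\s*bind\s.*\babns@", "ABNS listeners across reload"),
    (r"^\s*stick-table\s", "stick-table purge on soft-stop"),
    (r"^\s*http-request\s+wait-for-body\b", "wait-for-body with lua filters"),
    (r"^\s*bind\s.*\bcrt-list\s", "ssl-min-ver/ssl-max-ver on crt-list bundles"),
]

def needs_update(version):
    """True for a 2.6.x version older than 2.6.13 (other branches: False)."""
    m = re.fullmatch(r"2\.6\.(\d+)", version.strip())
    return bool(m) and int(m.group(1)) < 13

def relevant_fixes(cfg_text):
    """Return {fix area: [line numbers]} for directives present in cfg_text."""
    hits = {}
    for lineno, line in enumerate(cfg_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out directives
        for pattern, area in CHECKS:
            if re.search(pattern, line):
                hits.setdefault(area, []).append(lineno)
    return hits

if __name__ == "__main__":
    for area, lines in relevant_fixes(SAMPLE_CFG).items():
        print(f"{area}: config line(s) {lines}")
```

The patterns only indicate that a feature is configured; they do not prove an instance was hitting the corresponding bug.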