Hi, HAProxy 2.2.30 was released on 2023/06/12. It added 53 new commits after version 2.2.29.
In this release, we flush the pipe of the pending fixes : * The SPOE was fixed to limit the number of idle applets on edge cases. On sporadic bursts, it was possible to systematically start new applets because the SPOE processing frequency was lower than the messages rate, and this independently on the number of idle applets. The idle applets tracking was improved to be able to properly reuse them. This fix revealed a flaw in the way synchronous frames were handled, leading to a raise of the message processing latency. To fix this issue, in synchronous mode, a SPOE applet will now systematically try to send a frame when it is woken up, except if it is still waiting for a ACK frame after a receive attempt. Finally, a crash for engines configured on disabled proxies was fixed. SPOE engines must not be released for such proxies during the startup because some resources may be shared with other engines, for instance the ACLs. * The total boot time is now measured. It is used to postpone the startup of health checks. It is pretty useful for very large configurations taking up few seconds to start, to not schedule some servers' checks in past. This also helps to have a better distribution of health-checks when "spread-checks" option is used. In addition, the spread-checks is also used at boot time, making the load much smoother from the start. * The pool_gc() calls that were made a bit too often on stopping proxies were relaxed. Sometimes they were causing excess memory contention and were even competing against malloc_trim(). * It was possible to trigger the watchdog purging stick-tables on soft-stop. To not spend too much time purging expired entries, we now enforce a budget limitation and the purge is performed in several steps. In addition, memory is reclaimed only when entries are released. Indeed, this operation involves a call to malloc_trim() on glibc, which is rather expensive. * The read expiration date is now updated on synchronous sends for all streams except independent ones. This fixed an old bug when a filter is configured. Write activities on synchronous sends were lost. With slow clients uploading large object, it was possible to reach the server timeout. * An error is now reported during configuration parsing when the "len" argument of a stick table type contains incorrect characters. * The strict-sni documentation was updated to state it is possible to start without certificate on a bind line. * Aurélien fixed wrong report for tracking servers leaving drain state. He also centralized proxy and server stats updates on server state transition to be sure to not miss an update on some transitions. * An issue affecting the H1 multiplexer was fixed. If the response was fully transferred before the whole request is read, there was a risk that the channel is left open without any further processing. In the end, this caused the stream to enter a spinning loop which triggered an assertion failure crash. * Aborting pipelined HTTP/1.1 transfers could sometimes result in a high CPU usage until the timeout stroke. At first glance, we thought it was not possible to hit this bug on the 2.2 and 2.0. But, we were wrong. It could happen when the splicing is in-use on the response. The fix was thus backported * In the H2 multiplexer, we now take care to produce log messages on invalid requests. Many other minor fixes were fixed of course and this list is not exhaustive. Take a look at the following changelog if necessary. If it is ok for everyone, as it was suggested by Tim, the 2.2 could enter in its final stage by marking it as "Critical fixes only", thus 2 years before its EOL planned for Q2 2025. Any objection ? Thanks everyone for your help and your contributions. Please find the usual URLs below : Site index : https://www.haproxy.org/ Documentation : https://docs.haproxy.org/ Wiki : https://github.com/haproxy/wiki/wiki Discourse : https://discourse.haproxy.org/ Slack channel : https://slack.haproxy.org/ Issue tracker : https://github.com/haproxy/haproxy/issues Sources : https://www.haproxy.org/download/2.2/src/ Git repository : https://git.haproxy.org/git/haproxy-2.2.git/ Git Web browsing : https://git.haproxy.org/?p=haproxy-2.2.git Changelog : https://www.haproxy.org/download/2.2/src/CHANGELOG Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest Pending bugs : https://www.haproxy.org/l/pending-bugs Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs Code reports : https://www.haproxy.org/l/code-reports Latest builds : https://www.haproxy.org/l/dev-packages --- Complete changelog : Aurelien DARRAGON (12): MINOR: proxy/pool: prevent unnecessary calls to pool_gc() BUG/MEDIUM: proxy/sktable: prevent watchdog trigger on soft-stop BUG/MINOR: hlua: unsafe hlua_lua2smp() usage BUG/MINOR: log: fix memory error handling in parse_logsrv() BUG/MINOR: proxy: missing free in free_proxy for redirect rules BUG/MINOR: server: incorrect report for tracking servers leaving drain MINOR: server: explicitly commit state change in srv_update_status() BUG/MINOR: server: don't miss proxy stats update on server state transitions BUG/MINOR: server: don't miss server stats update on server state transitions BUG/MINOR: server: don't use date when restoring last_change from state file BUG/MINOR: cfgparse-tcp: leak when re-declaring interface from bind line BUG/MINOR: proxy: add missing interface bind free in free_proxy Christopher Faulet (15): DOC: config: Fix description of options about HTTP connection modes DOC: config: Add the missing tune.fail-alloc option from global listing DOC: config: Clarify the meaning of 'hold' in the 'resolvers' section BUG/MINOR: http-check: Don't set HTX_SL_F_BODYLESS flag with a log-format body BUG/MINOR: http-check: Skip C-L header for empty body when it's not mandatory BUG/MEDIUM: spoe: Don't set the default traget for the SPOE agent frontend BUG/MEDIUM: mux-h1: Wakeup H1C on shutw if there is no I/O subscription BUG/MEDIUM: Update read expiration date on synchronous send BUG/MINOR: tcp-rules: Don't shortened the inspect-delay when EOI is set DOC: config: Clarify conditions to shorten the inspect-delay for TCP rules MINOR: spoe: Don't stop disabled proxies BUG/MEDIUM: filters: Don't deinit filters for disabled proxies during startup BUG/MEDIUM: spoe: Don't start new applet if there are enough idle ones DOC: config: Fix bind/server/peer documentation in the peers section BUG/MINOR: spoe: Only skip sending new frame after a receive attempt David Carlier (1): BUILD: da: extends CFLAGS to support API v3 from 3.1.7 and onwards. Frédéric Lécaille (1): CONTRIB: Add vi file extensions to .gitignore Ilia Shipitsin (2): CI: switch to Fastly CDN to download LibreSSL BUILD: ssl: switch LibreSSL to Fastly CDN Ilya Shipitsin (2): CI: bump "actions/checkout" to v3 for cross zoo matrix CI: cirrus-ci: bump FreeBSD image to 13-1 Marcos de Oliveira (1): DOC/MINOR: reformat configuration.txt's "quoting and escaping" table Mariam John (1): DOC/MINOR: config: Fix typo in description for `ssl_bc` in configuration.txt Remi Tricot-Le Breton (1): BUG/MINOR: ssl: Use 'date' instead of 'now' in ocsp stapling callback William Lallemand (5): BUG/MINOR: mworker: stop doing strtok directly from the env BUG/MEDIUM: mworker: don't register mworker_accept_wrapper() when master FD is wrong BUG/MINOR: mworker: prevent incorrect values in uptime DOC: config: strict-sni allows to start without certificate BUG/MINOR: stick_table: alert when type len has incorrect characters Willy Tarreau (12): BUG/MINOR: ring: do not realign ring contents on resize BUG/MINOR: mux-h2: make sure the h2c task exists before refreshing it BUG/MEDIUM: mux-h2: erase h2c->wait_event.tasklet on error path BUG/MINOR: cfgparse: make sure to include openssl-compat BUG/MINOR: mux-h2: make sure to produce a log on invalid requests MINOR: checks: make sure spread-checks is used also at boot time MINOR: clock: measure the total boot time BUG/MINOR: checks: postpone the startup of health checks by the boot time BUILD: checks: fix build failure on macos after last fix BUG/MEDIUM: mux-h1: do not refrain from signaling errors after end of input SCRIPTS: publish-release: update the umask to keep group write access BUG/MINOR: debug: do not emit empty lines in thread dumps -- Christopher Faulet