HTX mode causes problems with VMWare Horizon View Zero Clients

[Andrew Heberle]

Hi All,

We have a virtual desktop deployment under VMWare Horizon View that
uses PCoIP Zero clients that stopped working after upgrading the load
balancers in front of the internal Connection Servers (the virtual
desktop broker) from 1.8.12 to 2.0.7.

After putting in "no option http-use-htx" these clients work fine.

This is not a problem overall with HAProxy as other devices using a
different client (mobile, PC etc) are fine, so it is obviously an edge
case that affects this particular device, but I thought it important
to report as it is still a regression between 1.8 and 2.0.

Ive got logs, version info and config in this email, but understand
that more info is likely to be required in order to get to the bottom
of this...and fully understand this may be a client/device specific
bug, rather than a HAProxy one.

More logs and traces can be gathered as required.

This is running on Alpine Linux 3.10, so its a musl based build:

HA-Proxy version 2.0.7 2019/09/27 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU = generic
  CC  = gcc
  CFLAGS  = -Os -fomit-frame-pointer
  OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_NS=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE
-PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD
-PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY
+LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO
+OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY
+TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD
-OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1d  10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1d  10 Sep 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.43 2019-02-23
Running on PCRE version : 8.43 2019-02-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as  cannot be specified using 'proto' keyword)
  h2 : mode=HTXside=FE|BE mux=H2
  h2 : mode=HTTP   side=FEmux=H2
: mode=HTXside=FE|BE mux=H1
: mode=TCP|HTTP   side=FE|BE mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

Here is the config in question (with the option to disable HTX still in place):

# VMware View Connection Server Defaults
defaults
# Default to HTTP mode
mode http
no option http-use-htx

# Retry another server on connection failure
option redispatch

# Timeouts
timeout connect5s
timeout http-keep-alive1s
timeout http-request   15s
timeout queue  30s
timeout tarpit 1m
timeout client 300s
timeout server 300s

# Logging options
option httplog
option dontlognull
log global

# Set default balancing algorithm
balance leastconn

# Default server check options
default-server inter 5s rise 2 fall 3

# Maximum connections
maxconn 2

# VMware View Connection Server Front-End
frontend fe_viewcs
# Listen on HTTP (80) and HTTPS (443)
bind 172.16.0.134:80
bind 172.16.0.134:443 ssl crt viewcs.pem

# Redirect HTTP -> HTTPS
redirect scheme https code 301 if !{ ssl_fc }

# Remove Origin header to resolve
https://kb.vmware.com/kb/2144768 as per
https://support.f5.com/csp/article/K65620682
http-request del-header Origin

# Use View Connection Server Back-End
use_backend be_viewcs

# View Connection Server Back-End
backend be_viewcs
# Maintain affinity based on JSESSIONID cookie
stick match req.cook(JSESSIONID)
stick store-response res.cook(JSESSIONID)
stick-table type string size 2k expire 1h peers peers_global

# Health check
option httpchk GET /broker/xml/ HTTP/1.1\r\nHost:\
viewfqdn\r\nConnection:\ Close\r\n\r\n
option log-health-checks
   

HAProxy 1.8.21: One CPU core stuck at 100%

[Amin Shayan]

Hello,

I've several installations with different config and usage on 1.8.21 and no
problem so far. I found one installation on a cluster of 6 servers, which
all of them had one cpu core stuck at 100% and Idle_pct lower than 10.
I've played with nproc and nbthread and other values with no luck so
upgraded from 1.8.21 to 1.8.21-ba3abe-12 and it was the same.
After comparing other installations with this one found that this is the
only cluster with allow-0rtt enabled. removed allow-0rtt from bind options
and it didn't happen in last 10 days!

Hope it helps to have more stable 1.8.22 :)

Sincerely,
Amin Shayan

freebsd builds are broken for few days

[Илья Шипицин]

https://cirrus-ci.com/github/haproxy/haproxy

I'll bisect if noone else knows what's going on