Re: Tests timeout on my ARM64 test VM

[Илья Шипицин]

once in a while I saw "reg-tests/compression/lua_validation.vtc" failed.
say 1 times out of 20.

it is slow and racy by nature.

also, seems 3 weeks of Linaro cloud are passed, 1 week is left.
I'll do more tries

ср, 11 мар. 2020 г. в 19:14, Martin Grigorov :

>
>
> On Wed, Mar 11, 2020 at 3:06 PM Илья Шипицин  wrote:
>
>> I will a look during next weekend
>>
>
> Thank you, Илья!
>
>
>>
>> BTW, I've managed to get Linaro VM :)
>>
>
> Congrats! :-)
>
>
>>
>> On Wed, Mar 11, 2020, 5:40 PM Martin Grigorov 
>> wrote:
>>
>>> Hi,
>>>
>>> On Mon, Mar 9, 2020 at 10:22 PM Martin Grigorov <
>>> martin.grigo...@gmail.com> wrote:
>>>
 Hi,

 I am not sure what have changed on my test ARM64 VM but the reg tests
 started timing out.
 Everything is fine on my dev machine (x86_64) and at Travis (
 https://travis-ci.com/haproxy/haproxy).
 I don't think it is ARM64 related. Most probably some OS setting or
 something.
 I've rebooted the system just to make sure it is not some busy port or
 opened file descriptor but
 it still fails the same way.

 Does someone see in the attached logs what could be the problem?

>>>
>>> Anyone can help me here ?
>>>
>>> Martin
>>>
>>>
 Thank you!

 Martin

>>>

Re: [PATCH[ special purpose weekly CI (spellcheck)

[Илья Шипицин]

сб, 14 мар. 2020 г. в 01:06, Willy Tarreau :

> On Fri, Mar 13, 2020 at 03:24:15PM +0100, William Lallemand wrote:
> > If you grep on BUILD: in the git log, this keyword does not mean
> > anything anymore. And this is confusing in my opinion. We could
> > introduce "CI: " instead.
>
> Good idea. I can adjust it.
>
> Ilya, just a question, what will be the impact of this ? Will we
> all be spammed or anything or are you the one volunteering to stand
> in front of the cannon ? :-)
>


yes, I will take care of it.



>
> Willy
>

Re: s390x and HAProxy?

[Willy Tarreau]

On Fri, Mar 13, 2020 at 04:50:12PM +0500,  ??? wrote:
> ??, 13 ???. 2020 ?. ? 16:48, Aleksandar Lazic :
> 
> > Mar 13, 2020 12:11:16 PM  ??? :
> >
> > > initial motivation was that article
> > >
> > > https://docs.travis-ci.com/user/multi-cpu-architectures
> >
> > Thanks for the link.
> >
> > > travis allows to run builds on various archs, why not to test ?
> >
> > Full Agreeing. ;-)
> >
> > Would be interesting if anyone use it on Host or power.
> >
> 
> there were issues related to haproxy on openwrt.
> I am not surprised if somebody runs on s390x

It's very possible. You often find annoyingly rigit applications in
such environments, for various legacy reasons (i.e. old application
ported to linux on the same machine but rewritten in Java for example).
And given that a lot of haproxy users use it as a Swiss Army Knife, it's
quite understandable that some place it there to adapt the application
to its legacy environment.

Regarding other archs like PPC64, I've been aware of some clouds running
on Power8 and using it several years ago. There was even a live deployment
demo of Ubuntu on Power8 run by Mark Shuttleworth during an IBM conference
showing how fast they could deploy an application on Ubuntu on this
setup and they installed haproxy with the application. So it might not
be as rare as one can think.

Anyway the main reason for testing other archs is to stress unusual code
parts (e.g. missing double-CAS but having threads etc), and detecting if
we did crap on an alignment issue for example.

Willy

Re: "warning" on reg-tests

[Willy Tarreau]

On Fri, Mar 13, 2020 at 11:18:42PM +0500,  ??? wrote:
> Hello,
> 
> there's always noise like that
> 
> 
> ***  h1   debug|[WARNING] 072/163523 (6090) : config : log format
> ignored for proxy 'testme' since it has no log address.
> ***  h1   debug|[WARNING] 072/163523 (6090) : config : log format
> ignored for frontend 'test_abns' since it has no log address.
> 
> 
> any special meaning to have logs misconfigured for reg-tests ? or we
> can reduce that noise ?

I observed a few of these that quite bothered me as well, but it's
difficult to spot the ones emitting errors. I remember we noted for
the todo list to add an option to turn warnings into errors, and we
still hadn't done it. It could be an excellent reason for doing it
now, we'd always start the tests with the option set and we'd
instantly know if there are warnings in the config.

Probably that a temporary solution could be to run a test with
--keep-logs and grep for WARNING in each of them :-/

Willy

Re: [PATCH[ special purpose weekly CI (spellcheck)

[Willy Tarreau]

On Fri, Mar 13, 2020 at 03:24:15PM +0100, William Lallemand wrote:
> If you grep on BUILD: in the git log, this keyword does not mean
> anything anymore. And this is confusing in my opinion. We could
> introduce "CI: " instead.

Good idea. I can adjust it.

Ilya, just a question, what will be the impact of this ? Will we
all be spammed or anything or are you the one volunteering to stand
in front of the cannon ? :-)

Willy

Re: Tests timeout on my ARM64 test VM

[Willy Tarreau]

Hi Martin,

On Fri, Mar 13, 2020 at 12:35:12PM +0200, Martin Grigorov wrote:
> Hi ,
> 
> Suddenly today the build is again green here!
> I didn't make any changes to my testing setup.
> It must be something on the OS level but I wasn't able to figure out what
> makes the HAProxy tests timeout in the last several days.

We've had issues with the abns test on other platforms in the past,
namely s390x and ppc64le. It used to occasionally break on x86_64 as
well but far less frequently. It was affected by two bugs that were
solved yesterday after a few days of investigation and testing. We've
seen yet another failure again on ppc64 while it was expected not to
fail, so I'd be careful before claiming victory. However the abns
test is extremely time sensitive and uses short delays around 15ms to
try to trigger the issue, and in a VM it is possible to see this
happen from time to time due to noisy neighbors. That's why I'm
staying extremely prudent on the verdict. The PPC64 machine I tested
on is provided by Minicloud and is a VM running on a real CPU, so it's
much less affected by timing issues. I've run the test several hundreds
of times in a row and couldn't make it fail anymore.

So don't worry too much if it appeared and disappeared. The change
that emphasized it was the increase in default maxconn (304e17eb8),
apparently just due to a slightly longer startup time! And the ones
expected to have fixed it are between bdb00c5d and 4b3f27b included.

Note that I didn't manage to make it fail on arm64 (real machine,
SolidRun's Macchiatobin).

Hoping this clarifies the situation.

Regards,
Willy

"warning" on reg-tests

[Илья Шипицин]

Hello,

there's always noise like that


***  h1   debug|[WARNING] 072/163523 (6090) : config : log format
ignored for proxy 'testme' since it has no log address.
***  h1   debug|[WARNING] 072/163523 (6090) : config : log format
ignored for frontend 'test_abns' since it has no log address.


any special meaning to have logs misconfigured for reg-tests ? or we
can reduce that noise ?

Cheers,

Ilya Shipitcin

Re: [PATCH] BUILD: Avoid warning about ignoring write()'s return value in BUG_ON()

[Willy Tarreau]

On Fri, Mar 13, 2020 at 05:41:14PM +0100, Tim Düsterhus wrote:
> Willy,
> 
> Am 13.03.20 um 17:34 schrieb Willy Tarreau:
> > Indeed, just found it in my queue. However we usually use it
> > differently, with the function instead of the variable. Do you
> > mind if I adapt it ?
> > 
> 
> I attempted to use the function, but it didn't compile. I guess because
> of a circular dependency. If it's a small obvious change feel free to
> adapt the patch. If it requires larger changes please fix it yourself
> and ignore my patch.

OK, I'll check when I have a few minutes. I think that since we now
have this ALREADY_CHECKED() macro that's used to prevent gcc from
seeing null-derefs where they can't happen, we can use it as well
to pretend we've consumed the result from such occasional syscalls
and even remove the shut_* macro.

Cheers,
Willy

Re: [PATCH] BUILD: Avoid warning about ignoring write()'s return value in BUG_ON()

[Tim Düsterhus]

Willy,

Am 13.03.20 um 17:34 schrieb Willy Tarreau:
> Indeed, just found it in my queue. However we usually use it
> differently, with the function instead of the variable. Do you
> mind if I adapt it ?
> 

I attempted to use the function, but it didn't compile. I guess because
of a circular dependency. If it's a small obvious change feel free to
adapt the patch. If it requires larger changes please fix it yourself
and ignore my patch.

Best regards
Tim Düsterhus

Re: [PATCH] BUILD: Avoid warning about ignoring write()'s return value in BUG_ON()

[Willy Tarreau]

On Fri, Mar 13, 2020 at 12:23:26PM +0100, Tim Düsterhus wrote:
> Willy,
> 
> Am 09.03.20 um 17:05 schrieb Tim Duesterhus:
> > gcc complains (non-rightfully):
> > 
> >> include/common/buf.h: In function 'br_head_pick':
> >> include/common/debug.h:62:4: warning: ignoring return value of 'write', 
> >> declared with attribute warn_unused_result [-Wunused-result]
> >> (void)write(2, msg, strlen(msg));  \
> >> ^
> >> include/common/debug.h:57:35: note: in expansion of macro '__BUG_ON'
> >>  #define _BUG_ON(cond, file, line) __BUG_ON(cond, file, line)
> >>^
> >> include/common/debug.h:56:22: note: in expansion of macro '_BUG_ON'
> >>  #define BUG_ON(cond) _BUG_ON(cond, __FILE__, __LINE__)
> >>   ^
> >> include/common/buf.h:1011:2: note: in expansion of macro 'BUG_ON'
> >>   BUG_ON(r->area != BUF_RING.area);
> >>   ^
> 
> While checking my list of outgoing patches I noticed that this one
> wasn't acknowledged yet. It will become important with:
> https://github.com/haproxy/haproxy/issues/546

Indeed, just found it in my queue. However we usually use it
differently, with the function instead of the variable. Do you
mind if I adapt it ?

Willy

Re: [PATCH 2/3] MINOR: proxy_protocol: Ingest PP2_TYPE_UNIQUE_ID on incoming connections

[Tim Düsterhus]

Willy,

Am 13.03.20 um 14:18 schrieb Willy Tarreau:
> I was willing to take it as is but since I had a comment for the last
> one and I know that many times when reworking a patch we spot things
> we wish has been done differently in the previous ones, I let you
> decide what suits you best :-) If you want me to take it now I can.

In fact I added a blank line in that patch.

The v2-series is good from my side. I don't plan any more changes. If
you are happy as well then please take it.

Best regards
Tim Düsterhus

Re: [PATCH[ special purpose weekly CI (spellcheck)

[William Lallemand]

On Fri, Mar 13, 2020 at 07:05:15PM +0500, Илья Шипицин wrote:
> Willy, can we apply this?
> 
> I scheduled it on tuesday every week.
> 
> вт, 10 мар. 2020 г. в 12:12, Илья Шипицин :
> 
> > Hello,
> >
> > I implemented spell check CI.
> > it is a bit noisy, however, I hope we will polish it soon.
> >
> > Cheers,
> > Ilya Shipitcin
> >

Can we introduce a new prefix in the commit subject? Because I keep seeing
"BUILD:" for things that are specific to the CI, sometimes its BUILD: :
sometimes it's only "BUILD:". 

If you grep on BUILD: in the git log, this keyword does not mean
anything anymore. And this is confusing in my opinion. We could
introduce "CI: " instead.

-- 
William Lallemand

Re: [PATCH[ special purpose weekly CI (spellcheck)

[Илья Шипицин]

Willy, can we apply this?

I scheduled it on tuesday every week.

вт, 10 мар. 2020 г. в 12:12, Илья Шипицин :

> Hello,
>
> I implemented spell check CI.
> it is a bit noisy, however, I hope we will polish it soon.
>
> Cheers,
> Ilya Shipitcin
>

Re: [PATCH 2/3] MINOR: proxy_protocol: Ingest PP2_TYPE_UNIQUE_ID on incoming connections

[Willy Tarreau]

On Fri, Mar 13, 2020 at 11:57:14AM +0100, Tim Düsterhus wrote:
> Willy,
> 
> Am 13.03.20 um 08:44 schrieb Willy Tarreau:
> >> I've added the new `struct connection` member at the end. Please check
> >> whether you think that is the appropriate place for it or if it should
> >> be moved somewhere else because of holes or caches.
> > 
> > I'm seeing that the struct connection has become huge (160 bytes now)
> 
> I suspected something like that, that's why I specifically mentioned
> that piece.
> 
> > But for now I'm OK with taking your patch above.
> > 
> 
> I'm not seeing anything in git, yet.
> 
> Is the patch okay as-is and you are just looking into the `struct
> connection` refactoring before actually taking it or would you like me
> to make any changes to it?

I was willing to take it as is but since I had a comment for the last
one and I know that many times when reworking a patch we spot things
we wish has been done differently in the previous ones, I let you
decide what suits you best :-) If you want me to take it now I can.

Willy

Re: s390x and HAProxy?

[Илья Шипицин]

пт, 13 мар. 2020 г. в 16:48, Aleksandar Lazic :

> Mar 13, 2020 12:11:16 PM Илья Шипицин :
>
> > initial motivation was that article
> >
> > https://docs.travis-ci.com/user/multi-cpu-architectures
>
> Thanks for the link.
>
> > travis allows to run builds on various archs, why not to test ?
>
> Full Agreeing. ;-)
>
> Would be interesting if anyone use it on Host or power.
>

there were issues related to haproxy on openwrt.
I am not surprised if somebody runs on s390x



>
> > пт, 13 мар. 2020 г. в 16:07, Aleksandar Lazic < al-hapr...@none.at >:
> >
> >
> > > Hi.
> > >
> > > I'm wondering that this target is tested.
> > >
> http://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=d726386421dcd184ca2518d17332f82e9cd79f2d
> > >
> > > Are there really user which runs HAProxy on Host? 8-O
> > > How perform HAProxy on that platform?
> > >
> > > Regards
> > > Aleks
>
>
>

Re: s390x and HAProxy?

[Aleksandar Lazic]

Mar 13, 2020 12:11:16 PM Илья Шипицин :

> initial motivation was that article
>
> https://docs.travis-ci.com/user/multi-cpu-architectures

Thanks for the link.

> travis allows to run builds on various archs, why not to test ?

Full Agreeing. ;-)

Would be interesting if anyone use it on Host or power.

> пт, 13 мар. 2020 г. в 16:07, Aleksandar Lazic < al-hapr...@none.at >:
>
>
> > Hi.
> >
> > I'm wondering that this target is tested.
> > http://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=d726386421dcd184ca2518d17332f82e9cd79f2d
> >
> > Are there really user which runs HAProxy on Host? 8-O
> > How perform HAProxy on that platform?
> >
> > Regards
> > Aleks

[PATCH v2 4/4] CLEANUP: connection: Add blank line after declarations in PP handling

[Tim Duesterhus]

Willy,

squash this one if you like.

Best regards
Tim Düsterhus

Apply with `git am --scissors` to automatically cut the commit message.

-- >8 --
This adds the missing blank lines in `make_proxy_line_v2` and
`conn_recv_proxy`. It also adjusts the type of the temporary variable
used for the return value of `recv` to be `ssize_t` instead of `int`.
---
 src/connection.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/connection.c b/src/connection.c
index ba0e0fcd1..dd20cdcfd 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -802,7 +802,8 @@ int conn_recv_proxy(struct connection *conn, int flag)
 * fail.
 */
while (1) {
-   int len2 = recv(conn->handle.fd, trash.area, trash.data, 0);
+   ssize_t len2 = recv(conn->handle.fd, trash.area, trash.data, 0);
+
if (len2 < 0 && errno == EINTR)
continue;
if (len2 != trash.data)
@@ -1437,6 +1438,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct 
server *srv, struct connec
 
if (srv->pp_opts & SRV_PP_V2_CRC32C) {
uint32_t zero_crc32c = 0;
+
if ((buf_len - ret) < sizeof(struct tlv))
return 0;
tlv_crc32c_p = (void *)((struct tlv *)[ret])->value;
@@ -1486,6 +1488,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct 
server *srv, struct connec
if (srv->pp_opts & SRV_PP_V2_SSL) {
struct tlv_ssl *tlv;
int ssl_tlv_len = 0;
+
if ((buf_len - ret) < sizeof(struct tlv_ssl))
return 0;
tlv = (struct tlv_ssl *)[ret];
-- 
2.25.1

[PATCH v2 3/4] MEDIUM: proxy_protocol: Support sending unique IDs using PPv2

[Tim Duesterhus]

Willy,

here I removed the BUG_ON() and added the blank lines you requested.

> > +   BUG_ON(sess != conn->owner); /* XXX is this correct? */
> 
> I'm pretty sure this one will break from time to time, maybe during
> retries or when reusing an idle connection or something. Better drop
> it. You don't really care who's the owner of the connection you're
> using anyway. In case of multiplexing it could be anyone because
> the connection will plugged onto by several streams before it's
> finally connected and once it's OK and the sending code starts, you
> have no way to tell whether the selected stream is the one that asked
> for the connection first.
> 

Then it served the purpose well, you've taken a look at my assumptions to check
whether `strm_sess()` is the correct thing to use :-)

> So modulo the very few minor stuff above I'm overall OK without your
> patch, just let me know if you have any question.

No, the review was crystal clear.

Best regards
Tim Düsterhus

Apply with `git am --scissors` to automatically cut the commit message.

-- >8 --
This patch adds the `unique-id` option to `proxy-v2-options`. If this
option is set a unique ID will be generated based on the `unique-id-format`
while sending the proxy protocol v2 header and stored as the unique id for
the first stream of the connection.

This feature is meant to be used in `tcp` mode. It works on HTTP mode, but
might result in inconsistent unique IDs for the first request on a keep-alive
connection, because the unique ID for the first stream is generated earlier
than the others.

Now that we can send unique IDs in `tcp` mode the `%ID` log variable is made
available in TCP mode.
---
 doc/configuration.txt | 24 +++
 include/proto/connection.h|  4 +-
 include/types/server.h|  1 +
 .../proxy_protocol_send_unique_id.vtc | 42 +++
 src/connection.c  | 20 +++--
 src/log.c |  2 +-
 src/server.c  |  2 +
 src/stream_interface.c| 11 +++--
 8 files changed, 90 insertions(+), 16 deletions(-)
 create mode 100644 reg-tests/connection/proxy_protocol_send_unique_id.vtc

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 57f777a78..cc5fbf2d0 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -12657,13 +12657,23 @@ send-proxy-v2
   this section and send-proxy" option of the "bind" keyword.
 
 proxy-v2-options [,]*
-  The "proxy-v2-options" parameter add option to send in PROXY protocol version
-  2 when "send-proxy-v2" is used. Options available are "ssl" (see also
-  send-proxy-v2-ssl), "cert-cn" (see also "send-proxy-v2-ssl-cn"), 
"ssl-cipher":
-  name of the used cipher, "cert-sig": signature algorithm of the used
-  certificate, "cert-key": key algorithm of the used certificate), "authority":
-  host name value passed by the client (only sni from a tls connection is
-  supported), "crc32c": checksum of the proxy protocol v2 header.
+  The "proxy-v2-options" parameter add options to send in PROXY protocol
+  version 2 when "send-proxy-v2" is used. Options available are:
+
+  - ssl   : See also "send-proxy-v2-ssl".
+  - cert-cn   : See also "send-proxy-v2-ssl-cn".
+  - ssl-cipher: Name of the used cipher.
+  - cert-sig  : Signature algorithm of the used certificate.
+  - cert-key  : Key algorithm of the used certificate
+  - authority : Host name value passed by the client (only SNI from a TLS
+connection is supported).
+  - crc32c: Checksum of the PROXYv2 header.
+  - unique-id : Send a unique ID generated using the frontend's
+"unique-id-format" within the PROXYv2 header.
+This unique-id is primarily meant for "mode tcp". It can
+lead to unexpected results in "mode http", because the
+generated unique ID is also used for the first HTTP request
+within a Keep-Alive connection.
 
 send-proxy-v2-ssl
   The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
diff --git a/include/proto/connection.h b/include/proto/connection.h
index 9b8eb8ad3..ecc03de8a 100644
--- a/include/proto/connection.h
+++ b/include/proto/connection.h
@@ -47,9 +47,9 @@ int conn_fd_check(struct connection *conn);
 
 /* receive a PROXY protocol header over a connection */
 int conn_recv_proxy(struct connection *conn, int flag);
-int make_proxy_line(char *buf, int buf_len, struct server *srv, struct 
connection *remote);
+int make_proxy_line(char *buf, int buf_len, struct server *srv, struct 
connection *remote, struct stream *strm);
 int make_proxy_line_v1(char *buf, int buf_len, struct sockaddr_storage *src, 
struct sockaddr_storage *dst);
-int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct 
connection *remote);
+int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct 

[PATCH v2 1/4] DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID

[Tim Duesterhus]

Willy,

this one has not been modified compared to v1.

Best regards
Tim Düsterhus

Apply with `git am --scissors` to automatically cut the commit message.

-- >8 --
This reserves and defines TLV type 0x05.
---
 doc/proxy-protocol.txt | 20 
 include/types/connection.h |  1 +
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt
index 26f86a345..fc1ca4a04 100644
--- a/doc/proxy-protocol.txt
+++ b/doc/proxy-protocol.txt
@@ -1,4 +1,4 @@
-2017/03/10Willy Tarreau
+2020/03/05Willy Tarreau
HAProxy Technologies
The PROXY protocol
  Versions 1 & 2
@@ -27,6 +27,7 @@ Revision history
 reserved TLV type ranges, added TLV documentation, clarified
 string encoding. With contributions from Andriy Palamarchuk
 (Amazon.com).
+   2020/03/05 - added the unique ID TLV type (Tim Düsterhus)
 
 
 1. Background
@@ -538,6 +539,7 @@ The following types have already been registered for the 
 field :
 #define PP2_TYPE_AUTHORITY  0x02
 #define PP2_TYPE_CRC32C 0x03
 #define PP2_TYPE_NOOP   0x04
+#define PP2_TYPE_UNIQUE_ID  0x05
 #define PP2_TYPE_SSL0x20
 #define PP2_SUBTYPE_SSL_VERSION 0x21
 #define PP2_SUBTYPE_SSL_CN  0x22
@@ -602,7 +604,17 @@ bytes. Can be used for data padding or alignment. Note 
that it can be used
 to align only by 3 or more bytes because a TLV can not be smaller than that.
 
 
-2.2.5. The PP2_TYPE_SSL type and subtypes
+2.2.5. PP2_TYPE_UNIQUE_ID
+
+The value of the type PP2_TYPE_UNIQUE_ID is an opaque byte sequence of up to
+128 bytes generated by the upstream proxy that uniquely identifies the
+connection.
+
+The unique ID can be used to easily correlate connections across multiple
+layers of proxies, without needing to look up IP addresses and port numbers.
+
+
+2.2.6. The PP2_TYPE_SSL type and subtypes
 
 For the type PP2_TYPE_SSL, the value is itself a defined like this :
 
@@ -654,13 +666,13 @@ In all cases, the string representation (in UTF8) of the 
Common Name field
 using the TLV format and the type PP2_SUBTYPE_SSL_CN. E.g. "example.com".
 
 
-2.2.6. The PP2_TYPE_NETNS type
+2.2.7. The PP2_TYPE_NETNS type
 
 The type PP2_TYPE_NETNS defines the value as the US-ASCII string representation
 of the namespace's name.
 
 
-2.2.7. Reserved type ranges
+2.2.8. Reserved type ranges
 
 The following range of 16 type values is reserved for application-specific
 data and will be never used by the PROXY Protocol. If you need more values
diff --git a/include/types/connection.h b/include/types/connection.h
index bfd6547ee..0c2d960b9 100644
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -558,6 +558,7 @@ struct proxy_hdr_v2 {
 #define PP2_TYPE_AUTHORITY  0x02
 #define PP2_TYPE_CRC32C 0x03
 #define PP2_TYPE_NOOP   0x04
+#define PP2_TYPE_UNIQUE_ID  0x05
 #define PP2_TYPE_SSL0x20
 #define PP2_SUBTYPE_SSL_VERSION 0x21
 #define PP2_SUBTYPE_SSL_CN  0x22
-- 
2.25.1

[PATCH v2 2/4] MINOR: proxy_protocol: Ingest PP2_TYPE_UNIQUE_ID on incoming connections

[Tim Duesterhus]

Willy,

In this one I added a blank line after declaration that you missed during
review.

Best regards
Tim Düsterhus

Apply with `git am --scissors` to automatically cut the commit message.

-- >8 --
This patch reads a proxy protocol v2 provided unique ID and makes it
available using the `fc_pp_unique_id` fetch.
---
 doc/configuration.txt |  4 +++
 include/proto/connection.h|  5 +++
 include/types/connection.h|  1 +
 reg-tests/stream/unique-id-from-proxy.vtc | 38 
 src/connection.c  | 42 +++
 5 files changed, 90 insertions(+)
 create mode 100644 reg-tests/stream/unique-id-from-proxy.vtc

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 33425a6c6..57f777a78 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -15131,6 +15131,10 @@ fc_pp_authority : string
   Returns the authority TLV sent by the client in the PROXY protocol header,
   if any.
 
+fc_pp_unique_id : string
+  Returns the unique ID TLV sent by the client in the PROXY protocol header,
+  if any.
+
 fc_rcvd_proxy : boolean
   Returns true if the client initiated the connection with a PROXY protocol
   header.
diff --git a/include/proto/connection.h b/include/proto/connection.h
index fb264d2b5..9b8eb8ad3 100644
--- a/include/proto/connection.h
+++ b/include/proto/connection.h
@@ -325,6 +325,7 @@ static inline void conn_init(struct connection *conn)
conn->src = NULL;
conn->dst = NULL;
conn->proxy_authority = NULL;
+   conn->proxy_unique_id = IST_NULL;
 }
 
 /* sets  as the connection's owner */
@@ -458,6 +459,10 @@ static inline void conn_free(struct connection *conn)
pool_free(pool_head_authority, conn->proxy_authority);
conn->proxy_authority = NULL;
}
+   if (isttest(conn->proxy_unique_id)) {
+   pool_free(pool_head_uniqueid, conn->proxy_unique_id.ptr);
+   conn->proxy_unique_id = IST_NULL;
+   }
 
/* By convention we always place a NULL where the ctx points to if the
 * mux is null. It may have been used to store the connection as a
diff --git a/include/types/connection.h b/include/types/connection.h
index 0c2d960b9..30cb895ff 100644
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -469,6 +469,7 @@ struct connection {
char *proxy_authority;/* Value of authority TLV received via 
PROXYv2 */
unsigned int idle_time; /* Time the connection was 
added to the idle list, or 0 if not in the idle list */
uint8_t proxy_authority_len;  /* Length of authority TLV received via 
PROXYv2 */
+   struct ist proxy_unique_id;  /* Value of the unique ID TLV received via 
PROXYv2 */
 };
 
 /* PROTO token registration */
diff --git a/reg-tests/stream/unique-id-from-proxy.vtc 
b/reg-tests/stream/unique-id-from-proxy.vtc
new file mode 100644
index 0..81ee3dea9
--- /dev/null
+++ b/reg-tests/stream/unique-id-from-proxy.vtc
@@ -0,0 +1,38 @@
+varnishtest "Check that we are able to read a unique-id from PROXYv2"
+
+#REQUIRE_VERSION=2.2
+
+feature ignore_unknown_macro
+
+haproxy h1 -conf {
+defaults
+mode http
+timeout connect 1s
+timeout client  1s
+timeout server  1s
+
+frontend echo
+bind "fd@${fe1}" accept-proxy
+http-after-response set-header echo %[fc_pp_unique_id,hex]
+http-request return status 200
+} -start
+
+client c1 -connect ${h1_fe1_sock} {
+# PROXY v2 signature
+sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
+# version + PROXY
+sendhex "21"
+# TCP4
+sendhex "11"
+# length of the address (12) + length of the TLV (8)
+sendhex "00 14"
+# 127.0.0.1 42 127.0.0.1 1337
+sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
+# PP2_TYPE_UNIQUE_ID + length of the value + "12345"
+sendhex "05 00 05 31 32 33 34 35"
+
+txreq -url "/"
+rxresp
+expect resp.status == 200
+expect resp.http.echo == "3132333435"
+} -run
diff --git a/src/connection.c b/src/connection.c
index 4e3a92f0c..728c0ec39 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -755,6 +755,22 @@ int conn_recv_proxy(struct connection *conn, int flag)
conn->proxy_authority_len = tlv_len;
break;
}
+   case PP2_TYPE_UNIQUE_ID: {
+   const struct ist tlv = ist2((const char 
*)tlv_packet->value, tlv_len);
+
+   if (tlv.len > UNIQUEID_LEN)
+   goto bad_header;
+   conn->proxy_unique_id.ptr = 
pool_alloc(pool_head_uniqueid);
+   if (!isttest(conn->proxy_unique_id))
+   goto fail;
+   if (istcpy(>proxy_unique_id, tlv, 
UNIQUEID_LEN) < 0) {
+ 

Re: [PATCH] BUILD: Avoid warning about ignoring write()'s return value in BUG_ON()

[Tim Düsterhus]

Willy,

Am 09.03.20 um 17:05 schrieb Tim Duesterhus:
> gcc complains (non-rightfully):
> 
>> include/common/buf.h: In function ‘br_head_pick’:
>> include/common/debug.h:62:4: warning: ignoring return value of ‘write’, 
>> declared with attribute warn_unused_result [-Wunused-result]
>> (void)write(2, msg, strlen(msg));  \
>> ^
>> include/common/debug.h:57:35: note: in expansion of macro ‘__BUG_ON’
>>  #define _BUG_ON(cond, file, line) __BUG_ON(cond, file, line)
>>^
>> include/common/debug.h:56:22: note: in expansion of macro ‘_BUG_ON’
>>  #define BUG_ON(cond) _BUG_ON(cond, __FILE__, __LINE__)
>>   ^
>> include/common/buf.h:1011:2: note: in expansion of macro ‘BUG_ON’
>>   BUG_ON(r->area != BUF_RING.area);
>>   ^

While checking my list of outgoing patches I noticed that this one
wasn't acknowledged yet. It will become important with:
https://github.com/haproxy/haproxy/issues/546

Best regards
Tim Düsterhus

Re: [PATCH 3/3] MEDIUM: proxy_protocol: Support sending unique IDs using PPv2

[Tim Düsterhus]

Willy,
Ilya,

Am 13.03.20 um 12:06 schrieb Willy Tarreau:
>> I just realized that BUG_ON is not active by default (should we add
>> DEBUG_STRICT=1 to CI?). The check in there does not even compile (facepalm).
> 
> Yes, definitely a good idea.

I've filed an issue for the CI expert Ilya to look into that:
https://github.com/haproxy/haproxy/issues/546

Best regards
Tim Düsterhus

Re: s390x and HAProxy?

[Илья Шипицин]

initial motivation was that article
https://docs.travis-ci.com/user/multi-cpu-architectures

travis allows to run builds on various archs, why not to test ?

пт, 13 мар. 2020 г. в 16:07, Aleksandar Lazic :

> Hi.
>
> I'm wondering that this target is tested.
>
> http://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=d726386421dcd184ca2518d17332f82e9cd79f2d
>
> Are there really user which runs HAProxy on Host? 8-O
> How perform HAProxy on that platform?
>
> Regards
> Aleks
>
>
>
>

Re: [PATCH 3/3] MEDIUM: proxy_protocol: Support sending unique IDs using PPv2

[Willy Tarreau]

On Fri, Mar 06, 2020 at 01:15:40PM +0100, Tim Duesterhus wrote:
> @@ -1466,6 +1466,20 @@ int make_proxy_line_v2(char *buf, int buf_len, struct 
> server *srv, struct connec
>   ret += make_tlv([ret], (buf_len - ret), 
> PP2_TYPE_AUTHORITY, value_len, value);
>   }
>   }
> + 
> + if (srv->pp_opts & SRV_PP_V2_UNIQUE_ID) {
> + struct session* sess = strm_sess(strm);
> + BUG_ON(sess != conn->owner); /* XXX is this correct? */

I'm pretty sure this one will break from time to time, maybe during
retries or when reusing an idle connection or something. Better drop
it. You don't really care who's the owner of the connection you're
using anyway. In case of multiplexing it could be anyone because
the connection will plugged onto by several streams before it's
finally connected and once it's OK and the sending code starts, you
have no way to tell whether the selected stream is the one that asked
for the connection first.

> + struct ist unique_id = stream_generate_unique_id(strm, 
> >fe->format_unique_id);
> + value = unique_id.ptr;
> + value_len = unique_id.len;

Also above, please do two things:
  - always leave a blank line between declarations and statements, that
allow to quickly spot where variables are declared
  - and as such please don't place BUG_ON() in the declarations since
it's code :-)

> + if (value_len >= 0) {
> + if ((buf_len - ret) < sizeof(struct tlv))
> + return 0;
> + ret += make_tlv([ret], (buf_len - ret), 
> PP2_TYPE_UNIQUE_ID, value_len, value);
> + }
> + }
>  
>  #ifdef USE_OPENSSL
>   if (srv->pp_opts & SRV_PP_V2_SSL) {
> diff --git a/src/log.c b/src/log.c
> index 8f502ac7e..2cac07486 100644
> --- a/src/log.c
> +++ b/src/log.c
> @@ -137,7 +137,7 @@ static const struct logformat_type logformat_keywords[] = 
> {
>   { "CC", LOG_FMT_CCLIENT, PR_MODE_HTTP, LW_REQHDR, NULL },  /* client 
> cookie */
>   { "CS", LOG_FMT_CSERVER, PR_MODE_HTTP, LW_RSPHDR, NULL },  /* server 
> cookie */
>   { "H", LOG_FMT_HOSTNAME, PR_MODE_TCP, LW_INIT, NULL }, /* Hostname */
> - { "ID", LOG_FMT_UNIQUEID, PR_MODE_HTTP, LW_BYTES, NULL }, /* Unique ID 
> */
> + { "ID", LOG_FMT_UNIQUEID, PR_MODE_TCP, LW_BYTES, NULL }, /* Unique ID */
>   { "ST", LOG_FMT_STATUS, PR_MODE_TCP, LW_RESP, NULL },   /* status code 
> */
>   { "T", LOG_FMT_DATEGMT, PR_MODE_TCP, LW_INIT, NULL },   /* date GMT */
>   { "Ta", LOG_FMT_Ta, PR_MODE_HTTP, LW_BYTES, NULL },  /* Time active 
> (tr to end) */
> diff --git a/src/server.c b/src/server.c
> index 965570222..908439d00 100644
> --- a/src/server.c
> +++ b/src/server.c
> @@ -656,6 +656,8 @@ static int srv_parse_proxy_v2_options(char **args, int 
> *cur_arg,
>   newsrv->pp_opts |= SRV_PP_V2_AUTHORITY;
>   } else if (!strcmp(p, "crc32c")) {
>   newsrv->pp_opts |= SRV_PP_V2_CRC32C;
> + } else if (!strcmp(p, "unique-id")) {
> + newsrv->pp_opts |= SRV_PP_V2_UNIQUE_ID;
>   } else
>   goto fail;
>   }
> diff --git a/src/stream_interface.c b/src/stream_interface.c
> index 47cbd9693..d4acea8bc 100644
> --- a/src/stream_interface.c
> +++ b/src/stream_interface.c
> @@ -354,9 +354,11 @@ int conn_si_send_proxy(struct connection *conn, unsigned 
> int flag)
>   if (cs && cs->data_cb == _conn_cb) {
>   struct stream_interface *si = cs->data;
>   struct conn_stream *remote_cs = 
> objt_cs(si_opposite(si)->end);
> + struct stream *strm = si_strm(si);

Same here, a blank line please, even though I know you were not the first
one to miss it.

>   ret = make_proxy_line(trash.area, trash.size,
> objt_server(conn->target),
> -   remote_cs ? remote_cs->conn : 
> NULL);
> +   remote_cs ? remote_cs->conn : 
> NULL,
> +   strm);
>   /* We may not have a conn_stream yet, if we don't
>* know which mux to use, because it will be decided
>* during the SSL handshake. In this case, there should
(...)

So modulo the very few minor stuff above I'm overall OK without your
patch, just let me know if you have any question.

Thanks!
Willy

Re: [PATCH 3/3] MEDIUM: proxy_protocol: Support sending unique IDs using PPv2

[Willy Tarreau]

On Mon, Mar 09, 2020 at 05:07:38PM +0100, Tim Düsterhus wrote:
> Willy,
> 
> Am 06.03.20 um 13:15 schrieb Tim Duesterhus:
> > is acceptable. There's also a `BUG_ON` left in the patch, because I wasn't
> > sure if I should grab the session from the stream or from the connection.
> 
> I just realized that BUG_ON is not active by default (should we add
> DEBUG_STRICT=1 to CI?). The check in there does not even compile (facepalm).

Yes, definitely a good idea.

Willy

s390x and HAProxy?

[Aleksandar Lazic]

Hi.

I'm wondering that this target is tested.
http://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=d726386421dcd184ca2518d17332f82e9cd79f2d

Are there really user which runs HAProxy on Host? 8-O
How perform HAProxy on that platform?

Regards
Aleks

Re: [PATCH 2/3] MINOR: proxy_protocol: Ingest PP2_TYPE_UNIQUE_ID on incoming connections

[Tim Düsterhus]

Willy,

Am 13.03.20 um 08:44 schrieb Willy Tarreau:
>> I've added the new `struct connection` member at the end. Please check
>> whether you think that is the appropriate place for it or if it should
>> be moved somewhere else because of holes or caches.
> 
> I'm seeing that the struct connection has become huge (160 bytes now)

I suspected something like that, that's why I specifically mentioned
that piece.

> But for now I'm OK with taking your patch above.
> 

I'm not seeing anything in git, yet.

Is the patch okay as-is and you are just looking into the `struct
connection` refactoring before actually taking it or would you like me
to make any changes to it?

Best regards
Tim Düsterhus

Re: Tests timeout on my ARM64 test VM

[Martin Grigorov]

Hi Илья,

Suddenly today the build is again green here!
I didn't make any changes to my testing setup.
It must be something on the OS level but I wasn't able to figure out what
makes the HAProxy tests timeout in the last several days.

Regards,
Martin

On Wed, Mar 11, 2020 at 4:13 PM Martin Grigorov 
wrote:

>
>
> On Wed, Mar 11, 2020 at 3:06 PM Илья Шипицин  wrote:
>
>> I will a look during next weekend
>>
>
> Thank you, Илья!
>
>
>>
>> BTW, I've managed to get Linaro VM :)
>>
>
> Congrats! :-)
>
>
>>
>> On Wed, Mar 11, 2020, 5:40 PM Martin Grigorov 
>> wrote:
>>
>>> Hi,
>>>
>>> On Mon, Mar 9, 2020 at 10:22 PM Martin Grigorov <
>>> martin.grigo...@gmail.com> wrote:
>>>
 Hi,

 I am not sure what have changed on my test ARM64 VM but the reg tests
 started timing out.
 Everything is fine on my dev machine (x86_64) and at Travis (
 https://travis-ci.com/haproxy/haproxy).
 I don't think it is ARM64 related. Most probably some OS setting or
 something.
 I've rebooted the system just to make sure it is not some busy port or
 opened file descriptor but
 it still fails the same way.

 Does someone see in the attached logs what could be the problem?

>>>
>>> Anyone can help me here ?
>>>
>>> Martin
>>>
>>>
 Thank you!

 Martin

>>>

Re: [PATCH 2/3] MINOR: proxy_protocol: Ingest PP2_TYPE_UNIQUE_ID on incoming connections

[Willy Tarreau]

On Fri, Mar 13, 2020 at 08:44:59AM +0100, Willy Tarreau wrote:
> I'm seeing that the struct connection has become huge (160 bytes now)

By the way, regarding this, I'm seeing this order of criticity in terms
of structures sizes:

 1) struct fdtab : 64 bytes, cache-line-aligned, shared between threads,
no room for negociation, the only way to add something is to replace
something else with an added benefit.
 2) struct tasklet : 48 bytes, shares the first 32 or so with struct task
(must alias), we don't want it to go beyond a cache line
 3) struct task: 160 bytes already :-(  Must be very carefully arranged
to group fields used together as close as possible to benefit from
the appear in the cache line when accessed
 4) struct connection: 160 bytes, many of which are never used. I'd love
to shrink it down to 128 by moving PPv2 away from it
 5) struct session: 184 bytes, nor optimized, 3 cache lines already,
could get a bit more love.
 6) struct conn_stream: 40 bytes, OK to grow up to a cache line
 7) struct stream (1 kB) and all others at the same level.

Willy

Re: [PATCH 2/3] MINOR: proxy_protocol: Ingest PP2_TYPE_UNIQUE_ID on incoming connections

[Willy Tarreau]

Hi Tim,

On Fri, Mar 06, 2020 at 01:15:39PM +0100, Tim Duesterhus wrote:
> For the whole unique ID processing I've used the new `ist` helpers, it
> might make sense to update the authority processing to make use of ist
> in a future CLEANUP patch.
> 
> I've added the new `struct connection` member at the end. Please check
> whether you think that is the appropriate place for it or if it should
> be moved somewhere else because of holes or caches.

I'm seeing that the struct connection has become huge (160 bytes now)
and is going to be inflated by 10% with this change. The authority used
to save a few bytes by keeping the length on a uint8_t but that's still
a detail. I think that the real problem is the proxy protocol processing
here. It's very rarely used by those where the connection size matters,
and when we look at it, we can see :
  proxy_netns (8)
  proxy_authority (8)
  proxy_authority_len (1)
  proxy_unique_id  (16)

That's a total of 33 bytes (well, 40-48 in practice due to holes around)
that are there only for the proxy proto. What could possibly be done to
improve the situation would be to create a pool of proxy-proto entries
which would contain room for netns, auth and unique_id and which would
be allocated on the fly when receiving such TLV fields. We'd only
inflate it when adding new fields and that would only eat memory in
such a case. Thinking that the change above alone is enough to go back
to 128 bytes hence two cache lines makes me really tempted to have a
look at it.

But for now I'm OK with taking your patch above.

Willy

[PATCH] BUG/MEDIUM: spoe: Use unique engine_id for all agents in all scopes

[Kevin Zhu]

Hi again
In version 2.1.3:
When config spoe engine proxys > 1, the function "srandom" will run more
than one times, it will make some engine_id duplicated, and the SPOA
is group SPOP connections by engine_id when option async is on, the
ack will reply to the wrong SPOE.

This patch should backport to 2.0 and 1.9.

My pleasure
Kevin
From 512e4aca8e3ffd57fb3f12581ede6d8e8d624319 Mon Sep 17 00:00:00 2001
From: Kevin Zhu 
Date: Fri, 13 Mar 2020 14:40:46 +0800
Subject: [PATCH] BUG/MEDIUM: spoe: Use unique engine_id for all agents in all
 scopes

When config spoe engine proxys > 1, the function "srandom" will run more
than one times, it will make some engine_id duplicated, and the SPOA
is group SPOP connections by engine_id when option async is on, the
ack will reply to the wrong SPOE.
---
 src/flt_spoe.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 930ac8d..2181138 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -3118,14 +3118,17 @@ spoe_init_per_thread(struct proxy *p, struct flt_conf *fconf)
 {
 	struct spoe_config *conf = fconf->conf;
 	struct spoe_agent *agent = conf->agent;
+	static int	init = 0;
 
-	/* Use a != seed per process */
-	if (relative_pid > 1 && tid == 0)
+	if (HA_ATOMIC_LOAD() == 0) {
+		HA_ATOMIC_STORE(, 1);
 		srandom(now_ms * pid);
+	}
 
 	agent->rt[tid].engine_id = generate_pseudo_uuid();
 	if (agent->rt[tid].engine_id == NULL)
 		return -1;
+
 	return 0;
 }
 
-- 
2.7.4

[PATCH] BUG/MEDIUM: spoe: dup agent's engine_id string from trash.area

[Kevin Zhu]

Hi
The agent's engine_id forgot to dup from trash, all engine_ids point to the
same address "", the engine_id changed at run time and will
double-free when release agents and trash.

Kevin
From 674ba1e318cb561a1650db98030e12939e604171 Mon Sep 17 00:00:00 2001
From: Kevin Zhu 
Date: Fri, 13 Mar 2020 10:39:51 +0800
Subject: [PATCH] BUG/MEDIUM: spoe: dup agent's engine_id string from
 trash.area

The agent's engine_id forgot to dup from trash, all engine_ids point to
the same address "", the engine_id changed at run time and will
double free when release agents and trash.
---
 src/flt_spoe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index df080d8..57c2246 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -258,7 +258,7 @@ static char *
 generate_pseudo_uuid()
 {
 	ha_generate_uuid();
-	return trash.area;
+	return my_strndup(trash.area, trash.data);
 }
 
 
-- 
2.7.4