Re[2]: [ANNOUNCE] haproxy-1.8.0
Hi Willy.

-- Original message --
From: "Willy Tarreau"
To: "Aleksandar Lazic"
Cc: haproxy@formilux.org
Sent: 27.11.2017 23:54:31
Subject: Re: [ANNOUNCE] haproxy-1.8.0

Hi Aleks,

On Mon, Nov 27, 2017 at 09:18:35PM +, Aleksandar Lazic wrote:
> I'm pleased to announce that haproxy 1.8.0 is now officially released!

Amazing ;-)

So after 15 years working on this project you still manage to be amazed,
I'm impressed ;-)

You are right I wanted to say "great".
Note to myself: I should not write mails when I'm in passing mood.

Hm time flies, 15 years and still happy to be part of this great project.
Thanks to all of us community members and the company behind the project ;-)

I hope I'm not too sentimental.

As usual the docker image is also updated.

https://hub.docker.com/r/me2digital/haproxy18/

Thank you for maintaining this!

Willy

Regards
Aleks
Re: [ANNOUNCE] haproxy-1.8.0
Hi Aleks,

On Mon, Nov 27, 2017 at 09:18:35PM +, Aleksandar Lazic wrote:
> > I'm pleased to announce that haproxy 1.8.0 is now officially released!
> Amazing ;-)

So after 15 years working on this project you still manage to be amazed,
I'm impressed ;-)

> As usual the docker image is also updated.
>
> https://hub.docker.com/r/me2digital/haproxy18/

Thank you for maintaining this!

Willy
Re: [ANNOUNCE] haproxy-1.8.0
Hi.

-- Original message --
From: "Willy Tarreau"
To: haproxy@formilux.org
Sent: 26.11.2017 19:57:35
Subject: [ANNOUNCE] haproxy-1.8.0

Hi all,

After one year of intense development and almost one month of debugging,
polishing, and cross-review work trying to prevent our respective coworkers
from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
is now officially released!

Amazing ;-)

As usual the docker image is also updated.

https://hub.docker.com/r/me2digital/haproxy18/

Best regards
Aleks

Since -rc4, a few last user-visible changes were brought :

- by default the master worker exits if any of its processes dies. This is
  done so that when certain processes are dedicated to certain tasks, we're
  not left with some features not working anymore. Imagine having 7 SSL
  offloaders chaining to 1 HTTP frontend, and the last one dying, you don't
  want to keep the 7 useless frontends. By quitting, we give a chance to a
  service manager to detect the problem and alert/restart the service. The
  behaviour is configurable though.

- we were not happy with "thread-map" vs "cpu-map", making these difficult
  to configure. Now "thread-map" was removed and the feature was merged into
  "cpu-map" which also supports process ranges and cpu ranges for easier
  configuration.

- haproxy can now be built with native systemd support using USE_SYSTEMD=1
  and starting it with -Ws (systemd-aware master-worker mode).

- HTTP/2 will not schedule a graceful connection shutdown anymore when
  seeing a "Connection: close" header in a response. Instead a new HTTP
  action "reject" has been implemented to work like its TCP counter-part.

- the HTTP/2 gateway code now properly reassembles split Cookie headers, as
  mandated by the specification. Not doing it was causing some issues with
  certain application servers, and absolutely needed to be addressed before
  claiming that it works.
Re: [ANNOUNCE] haproxy-1.8.0
Congratulations!

On Mon, Nov 27, 2017 at 8:41 AM, Arnall wrote:
> On 26/11/2017 at 19:57, Willy Tarreau wrote:
>
>> Hi all,
>>
>> After one year of intense development and almost one month of debugging,
>> polishing, and cross-review work trying to prevent our respective
>> coworkers from winning the first bug award, I'm pleased to announce that
>> haproxy 1.8.0 is now officially released!
>>
>
> Congratulations to everyone involved!
>
> Haproxy is truly a great product.
Re: [ANNOUNCE] haproxy-1.8.0
On 26/11/2017 at 19:57, Willy Tarreau wrote:
> Hi all,
>
> After one year of intense development and almost one month of debugging,
> polishing, and cross-review work trying to prevent our respective coworkers
> from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
> is now officially released!

Congratulations to everyone involved!

Haproxy is truly a great product.
Re: [ANNOUNCE] haproxy-1.8.0
On 26/11/2017 07:57 PM, Willy Tarreau wrote:
> Hi all,
>
> After one year of intense development and almost one month of debugging,
> polishing, and cross-review work trying to prevent our respective coworkers
> from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
> is now officially released!
>

Congratulations to everyone involved in releasing HAProxy 1.8 version.
Well done and keep up the hard and good work.

Cheers,
Pavlos
Re: [ANNOUNCE] haproxy-1.8.0
On 2017-11-26 19:57, Willy Tarreau wrote:
> Hi all,
>
> After one year of intense development and almost one month of debugging,
> polishing, and cross-review work trying to prevent our respective coworkers
> from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
> is now officially released!

Woohoo! Thanks for the work.

Greets,

Sander Klein
[ANNOUNCE] haproxy-1.8.0
Hi all,

After one year of intense development and almost one month of debugging,
polishing, and cross-review work trying to prevent our respective coworkers
from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
is now officially released!

Since -rc4, a few last user-visible changes were brought :

- by default the master worker exits if any of its processes dies. This is
  done so that when certain processes are dedicated to certain tasks, we're
  not left with some features not working anymore. Imagine having 7 SSL
  offloaders chaining to 1 HTTP frontend, and the last one dying, you don't
  want to keep the 7 useless frontends. By quitting, we give a chance to a
  service manager to detect the problem and alert/restart the service. The
  behaviour is configurable though.

- we were not happy with "thread-map" vs "cpu-map", making these difficult
  to configure. Now "thread-map" was removed and the feature was merged into
  "cpu-map" which also supports process ranges and cpu ranges for easier
  configuration.

- haproxy can now be built with native systemd support using USE_SYSTEMD=1
  and starting it with -Ws (systemd-aware master-worker mode).

- HTTP/2 will not schedule a graceful connection shutdown anymore when
  seeing a "Connection: close" header in a response. Instead a new HTTP
  action "reject" has been implemented to work like its TCP counter-part.

- the HTTP/2 gateway code now properly reassembles split Cookie headers, as
  mandated by the specification. Not doing it was causing some issues with
  certain application servers, and absolutely needed to be addressed before
  claiming that it works.

And here is a high level overview of the new features contributed to 1.8
(warning, the list is huge) :

- JSON stats (Simon Horman) : the stats socket's "show stat" and "show info"
  output can now be emitted in a structured JSON format which is more
  convenient than CSV for some modern data processing frameworks.

- server templates (Frédéric Lécaille) : servers can be pre-provisioned in
  backends using a simple directive ("server-template"). It is then possible
  to configure them at runtime over the CLI or DNS, making it trivial to
  add/remove servers at run time without restarting. As a side effect of
  implementing this, all "server" keywords are now supported on the
  "default-server" line and it's possible to disable any of them using
  "no-". All settings changed at runtime are present in the state file so
  that upon reload no information is lost.

- dynamic cookies (Olivier Houchard) : a dynamic cookie can be generated on
  the fly based on the transport address of a newly added server. This is
  important to be able to use server templates in stateful environments.

- per-certificate "bind" configuration (Emmanuel Hocdet) : all the SSL
  specific settings of the "bind" line may now be set per-certificate in the
  crtlist file. A common example involves requiring a client cert for
  certain domains only and not for others, all of them running on the same
  address:port.

- pipelined and asynchronous SPOE (Christopher Faulet) : it's an important
  improvement to the Stream Processing Offload Engine that allows requests
  to be streamed over existing connections without having to wait for a
  previous response. It significantly increases the message rate and reduces
  the need for parallel connections. Two example WAFs were introduced as
  contributions to make use of this improvement (mod_security and
  mod_defender).

- seamless reloads (Olivier Houchard) : in order to work around some issues
  faced on Linux causing a few RST to be emitted for incoming connections
  during a reload operation despite SO_REUSEPORT being used, it is now
  possible for the new haproxy process to connect to the previous one and to
  retrieve existing listening sockets so that they are never closed. Now no
  connection breakage will be observed during a reload operation anymore.

- PCRE2 support (David Carlier) : this new version of PCRE seems to be
  making its way in some distros, so now we are compatible with it.

- hard-stop-after (Cyril Bonté) : this new global setting forces old
  processes to quit after a delay consecutive to a soft reload operation.
  This is mostly used to avoid an accumulation of old processes in some
  environments where idle connections are kept with large timeouts.

- support for OpenSSL asynchronous crypto engines (Grant Zhang) : this
  allows haproxy to defer the expensive crypto operations to external
  hardware engines. Not only can it significantly improve the performance,
  but it can also reduce the latency impact of slow crypto operations on all
  other operations since haproxy switches to other tasks while the engine is
  busy. This was successfully tested with Intel's QAT and with a home-made
  software engine. This