Re: [ANNOUNCE] haproxy-1.9.4

2019-02-07 Thread Aleksandar Lazic
On 06.02.2019 at 17:19, Willy Tarreau wrote:
> Hi Aleks,
> 
> On Wed, Feb 06, 2019 at 05:16:58PM +0100, Aleksandar Lazic wrote:
>> Maybe this patch was too late for 1.9.4; please can you consider adding it
>> to 2.0 and later 1.9.5, thanks.
>>
>> https://www.mail-archive.com/haproxy@formilux.org/msg32693.html
> 
> I wanted to check it with Christopher first but I know he's busy working
> on some extremely boring stuff, and don't want to risk trading his stuff
> for a review :-)

;-)

> I'll also have to correct a number of spelling mistakes so better be sure
> before doing this.

Ah cool. thanks.

BTW:

the openssl reg-tests passed without errors

https://gitlab.com/aleks001/haproxy19-centos/-/jobs/157330203

## Starting vtest ##
Testing with haproxy version: 1.9.4
0 tests failed, 0 tests skipped, 35 tests passed

the boringssl reg-tests passed with errors.

https://gitlab.com/aleks001/haproxy-19-boringssl/-/jobs/157330626
## Starting vtest ##
Testing with haproxy version: 1.9.4
#top  TEST ./reg-tests/connection/b0.vtc FAILED (8.790) exit=2
1 tests failed, 0 tests skipped, 34 tests passed
## Gathering results ##



> Thanks!
> Willy

Regards
Aleks



Re: [ANNOUNCE] haproxy-1.9.4

2019-02-06 Thread Willy Tarreau
Hi Aleks,

On Wed, Feb 06, 2019 at 05:16:58PM +0100, Aleksandar Lazic wrote:
> Maybe this patch was too late for 1.9.4; please can you consider adding it
> to 2.0 and later 1.9.5, thanks.
> 
> https://www.mail-archive.com/haproxy@formilux.org/msg32693.html

I wanted to check it with Christopher first but I know he's busy working
on some extremely boring stuff, and don't want to risk trading his stuff
for a review :-)

I'll also have to correct a number of spelling mistakes so better be sure
before doing this.

Thanks!
Willy



Re: [ANNOUNCE] haproxy-1.9.4

2019-02-06 Thread Aleksandar Lazic
Hi Willy.

On 06.02.2019 at 15:25, Willy Tarreau wrote:
> Hi,
> 
> HAProxy 1.9.4 was released on 2019/02/06. It added 65 new commits
> after version 1.9.3.

Images are updated.

https://hub.docker.com/r/me2digital/haproxy-19-boringssl
https://hub.docker.com/r/me2digital/haproxy19

Maybe this patch was too late for 1.9.4; please can you consider adding it
to 2.0 and later 1.9.5, thanks.

https://www.mail-archive.com/haproxy@formilux.org/msg32693.html

Regards
Aleks

> The main focus in terms of time spent was clearly on end-to-end H2
> correctness, which involves both the H2 protocol itself and the idle
> connections management. It's difficult to enumerate in detail all the
> issues that were addressed, but these generally range from not failing
> a connection when failing a stream can be sufficient to counting the
> number of pre-allocated streams on an idle outgoing connection to
> make sure it still has stream IDs left. Some server-side idle timeout
> errors could occasionally lead to the whole connection being closed.
> 
> One check was added to prevent an HTX frontend from dynamically branching
> to a non-HTX backend (and conversely), as only the static branches were
> addressed till now.
> 
> There were some improvements on memory allocation failures, a number of
> places were not tested anymore (or this was new code). Ah and a memory
> leak on the unique_id was addressed (it could happen with TCP instances
> when declared in a defaults section).
> 
> Etags are now rewritten from strong to weak by the compression. I had no
> idea this concept of weak vs strong existed at all :-)
> 
> And in addition to this, yesterday two other interesting problems were
> reported and addressed :
>   - the first one is about using certain L7 features at the load balancing
>     layer (such as "balance hdr") in HTX mode which could crash haproxy.
>     It was in fact caused by the loss of one patch during the multiple
>     liftings of the code prior to the merge. That's now fixed. I'm still
>     amazed we managed to lose only one patch in this ocean of code!
>
>   - the other one is quite nasty and impacts all supported versions. Haproxy
>     currently performs very deep compatibility tests on your rules, frontends
>     and backends after parsing the configuration. But a corner case remained
>     by which it was possible to have a frontend bound on, say, processes
>     1 and 2, tracking a key stored in a table present only in process 1 that
>     would in turn rely on peers on process 1 as well. Here there is a problem,
>     when the frontend receives connections on process 2, the resolved pointers
>     for the table end up pointing to a completely different location in a
>     parallel universe, then peers are activated to push the data while the
>     section has been deallocated... So the relevant checks have been added
>     to make sure that a process doesn't try to interact with a section that
>     is not present for this process. This covers the track-sc* actions, the
>     sc_* sample keywords, and SPOE filters. I was extremely cautious to cover
>     the strict minimum so as not to impact any harmless config. It *is*
>     possible that one of your configs will refuse to load if it is already
>     bogus. Please note that if this happens, it means this config is wrong
>     and already presents the risk of random crashes. *Do not* roll back if
>     this happens, please ask for help here instead. (I in fact expect that
>     nobody will see these errors, meaning that the amount of complex and
>     bogus configs in the field is rather low).
> 
> The rest is pretty low impact and standard.
> 
> Please find the usual URLs below :
>    Site index       : http://www.haproxy.org/
>    Discourse        : http://discourse.haproxy.org/
>    Slack channel    : https://slack.haproxy.org/
>    Issue tracker    : https://github.com/haproxy/haproxy/issues
>    Sources          : http://www.haproxy.org/download/1.9/src/
>    Git repository   : http://git.haproxy.org/git/haproxy-1.9.git/
>    Git Web browsing : http://git.haproxy.org/?p=haproxy-1.9.git
>    Changelog        : http://www.haproxy.org/download/1.9/src/CHANGELOG
>    Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
> 
> Willy
> ---
> Complete changelog :
> Christopher Faulet (2):
>   BUG/MEDIUM: mux-h1: Don't add "transfer-encoding" if message-body is forbidden
>   BUG/MAJOR: htx/backend: Make all tests on HTTP messages compatible with HTX
> 
> Jérôme Magnin (1):
>   DOC: add a missing space in the documentation for bc_http_major
> 
> Kevin Zhu (1):
>   BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit
> 
> Olivier Houchard (11):
>   BUG/MEDIUM: connections: Don't forget to remove CO_FL_SESS_IDLE.
>   MINOR: xref: Add missing barriers.
>   BUG/MEDIUM: peers: Handle mux creation failure.
>   BUG/MEDIUM: checks: Check that conn_install_mux succeeded.
>   BUG/MEDIUM: servers: Only 
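
The corner case described in the announcement quoted above (a frontend bound to processes 1 and 2 tracking a key in a table present only in process 1), shown as an added example that is not part of the original thread and not HAProxy's own check: a small Python linter run over a constructed config. The config, the names `fe_main`, `st_src` and `mypeers`, and the simplified parsing (explicit `bind-process` numbers only, `track-sc*` rules with an explicit `table`, a proxy without `bind-process` treated as running in every process) are assumptions.

```python
import re

# Constructed sample (not from the thread): fe_main runs in processes 1 and 2
# but tracks a key in a table whose proxy exists only in process 1.
SAMPLE = """
global
    nbproc 2
peers mypeers
    peer lb1 192.0.2.10:10000
backend st_src
    bind-process 1
    stick-table type ip size 100k expire 30s peers mypeers
frontend fe_main
    bind-process 1 2
    bind :8080
    tcp-request connection track-sc0 src table st_src
"""

SECTION = re.compile(r"^(global|defaults|peers|frontend|backend|listen)\b\s*(\S*)")

def parse(cfg):
    """Map each proxy name to its bind-process set and the tables it tracks."""
    proxies, cur = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        m = SECTION.match(" ".join(words))
        if m:  # a new section starts; only proxy sections are recorded
            is_proxy = m.group(1) in ("frontend", "backend", "listen")
            cur = proxies.setdefault(m.group(2), {"procs": set(), "tracks": []}) if is_proxy else None
        elif cur is None:
            continue
        elif words[0] == "bind-process":
            # Simplification: explicit process numbers only (no all/odd/even/ranges)
            cur["procs"] = {int(w) for w in words[1:] if w.isdigit()}
        elif "table" in words[:-1] and any(w.startswith("track-sc") for w in words):
            cur["tracks"].append(words[words.index("table") + 1])
    return proxies

def mismatches(cfg, nbproc):
    """List (proxy, table, processes where the proxy runs but the table does not)."""
    every, proxies, found = set(range(1, nbproc + 1)), parse(cfg), []
    for name, proxy in proxies.items():
        for table in proxy["tracks"]:
            if table in proxies:
                # Assumption: an empty set (no bind-process line) means every process
                missing = (proxy["procs"] or every) - (proxies[table]["procs"] or every)
                if missing:
                    found.append((name, table, sorted(missing)))
    return found
```

Calling `mismatches(SAMPLE, 2)` reports that `fe_main` reaches `st_src` from process 2, where the table does not exist; binding the frontend to process 1 only clears the finding.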

[ANNOUNCE] haproxy-1.9.4

2019-02-06 Thread Willy Tarreau
Hi,

HAProxy 1.9.4 was released on 2019/02/06. It added 65 new commits
after version 1.9.3.

The main focus in terms of time spent was clearly on end-to-end H2
correctness, which involves both the H2 protocol itself and the idle
connections management. It's difficult to enumerate in detail all the
issues that were addressed, but these generally range from not failing
a connection when failing a stream can be sufficient to counting the
number of pre-allocated streams on an idle outgoing connection to
make sure it still has stream IDs left. Some server-side idle timeout
errors could occasionally lead to the whole connection being closed.

One check was added to prevent an HTX frontend from dynamically branching
to a non-HTX backend (and conversely), as only the static branches were
addressed till now.

There were some improvements on memory allocation failures, a number of
places were not tested anymore (or this was new code). Ah and a memory
leak on the unique_id was addressed (it could happen with TCP instances
when declared in a defaults section).

Etags are now rewritten from strong to weak by the compression. I had no
idea this concept of weak vs strong existed at all :-)

And in addition to this, yesterday two other interesting problems were
reported and addressed :
  - the first one is about using certain L7 features at the load balancing
    layer (such as "balance hdr") in HTX mode which could crash haproxy.
    It was in fact caused by the loss of one patch during the multiple
    liftings of the code prior to the merge. That's now fixed. I'm still
    amazed we managed to lose only one patch in this ocean of code!

  - the other one is quite nasty and impacts all supported versions. Haproxy
    currently performs very deep compatibility tests on your rules, frontends
    and backends after parsing the configuration. But a corner case remained
    by which it was possible to have a frontend bound on, say, processes
    1 and 2, tracking a key stored in a table present only in process 1 that
    would in turn rely on peers on process 1 as well. Here there is a problem,
    when the frontend receives connections on process 2, the resolved pointers
    for the table end up pointing to a completely different location in a
    parallel universe, then peers are activated to push the data while the
    section has been deallocated... So the relevant checks have been added
    to make sure that a process doesn't try to interact with a section that
    is not present for this process. This covers the track-sc* actions, the
    sc_* sample keywords, and SPOE filters. I was extremely cautious to cover
    the strict minimum so as not to impact any harmless config. It *is*
    possible that one of your configs will refuse to load if it is already
    bogus. Please note that if this happens, it means this config is wrong
    and already presents the risk of random crashes. *Do not* roll back if
    this happens, please ask for help here instead. (I in fact expect that
    nobody will see these errors, meaning that the amount of complex and
    bogus configs in the field is rather low).

The rest is pretty low impact and standard.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/1.9/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.9.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.9.git
   Changelog        : http://www.haproxy.org/download/1.9/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Christopher Faulet (2):
  BUG/MEDIUM: mux-h1: Don't add "transfer-encoding" if message-body is forbidden
  BUG/MAJOR: htx/backend: Make all tests on HTTP messages compatible with HTX

Jérôme Magnin (1):
  DOC: add a missing space in the documentation for bc_http_major

Kevin Zhu (1):
  BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit

Olivier Houchard (11):
  BUG/MEDIUM: connections: Don't forget to remove CO_FL_SESS_IDLE.
  MINOR: xref: Add missing barriers.
  BUG/MEDIUM: peers: Handle mux creation failure.
  BUG/MEDIUM: checks: Check that conn_install_mux succeeded.
  BUG/MEDIUM: servers: Only destroy a conn_stream we just allocated.
  BUG/MEDIUM: servers: Don't add an incomplete conn to the server idle list.
  BUG/MEDIUM: checks: Don't try to set ALPN if connection failed.
  BUG/MEDIUM: h2: In h2_send(), stop the loop if we failed to alloc a buf.
  BUG/MEDIUM: servers: Close the connection if we failed to install the mux.
  BUG/MEDIUM: buffer: Make sure b_is_null handles buffers waiting for allocation.
  BUG/MEDIUM: stream: Don't forget to free s->unique_id in stream_free().

Tim Duesterhus (2):