Hi,

HAProxy 2.1.8 was released on 2020/07/31. It added 82 new commits
after version 2.1.7.

It's been more than a month since the previous version, so fixes have started
to accumulate, for sure.

I'll try to summarize since most of these were already mentioned over
the last 2.2 releases:
  - various DNS fixes (do-resolve was not thread-safe, would spin if
    called as a final action, and there were memory leaks).

  - missing memory barriers on certain threaded operations that
    essentially affect non-x86 platforms (x86 is "forgiving")

  - risk of looping (and abort) on channels that's triggered at least by
    Lua cosockets attempting to read a complete line from truncated contents.

  - spliced transfers could occasionally stall on certain sizes due to 
    an FD not always being re-enabled.

  - the memcmp() in ebtree was dangerous as it could read past the end on
    implementations that read multiple bytes at a time.

  - FastCGI received a few fixes (small memory leak, risk of blocking on
    empty stderr records, logs occasionally sent to the wrong stream, query
    string being unexpectedly url-decoded).

  - the hdr_ip() sample fetch could fail to properly parse an IPv4 address
    due to a missing NUL character delimiter.

  - loggers will not wait long on the writev() lock anymore, instead they'll
    drop the log after a few hundred attempts. This will prevent the
    process from stalling, then the watchdog killing it, when the FD is
    mapped to an on-disk file that stalls writes.

  - upgraded HTTP requests (e.g. websocket) were experiencing a pause at
    the beginning of the transfer.

  - some spliced transfers of an exact buffer size could terminate on a
    timeout because there was no more attempt to read input past the end,
    hence detect the pending shutdown.

  - there was a case of high CPU usage on splicing over HTTP/1 because
    the connection and the stream were waking each other up on absence of
    data.

  - string comparisons with patterns (ACLs, ...) were performed by adding
    a trailing nul character but didn't check if it would fit, occasionally
    causing crashes (e.g. comparison with ALPN). Now short patterns are
    duplicated first.

  - pattern matching was still not thread-safe against parallel modifications
    (set-map, del-map etc).

  - "server" directives in peers and rings wouldn't resolve if an FQDN was
    used, because they used to call str2sa_range() with resolve=0 like the
    regular servers. Sadly, no error was spotted there so that would only
    result in failed connection attempts.

  - in case of parsing errors, the state file would not be properly closed,
    and could even remain uninitialized.

  - the crt-list parser could abort and fail in error after the first warning

  - the "clear map" CLI operation could sometimes take so long on extremely
    large maps that the watchdog could trigger. Now it proceeds in small
    batches and lets the traffic flow normally.

  - the "show sess" CLI operation could endlessly dump new streams if they
    arrive fast enough (just like the pretty old "netstat -a"). Now instead
    it will dump up to the last known stream at the moment it is entered,
    which means that instead of dumping more streams than reality, it may
    dump a bit less if some died in between. But it's now safe for use in
    scripts and automated reports.

In addition, compatibility support for Lua 5.4 was backported so that those
who prefer to use 2.1 on their latest distros do not experience issues. The
"http-request deny" rules now support status codes 404, 410 and 413. Yves'
patch to allow spaces to be escaped on the CLI was finally backported so
that if you need to update user-agent strings via the CLI you will at last
be able to (just prepend a backslash in front of them).

A few other minor issues were addressed, and that's about all! It was long
but not that scary.

Usual stuff, nobody loves to deploy on Friday, but those still experiencing
issues on 2.1.7 might prefer to upgrade. Most of those who reported the
issues above are already running fine on a fixed snapshot and given that
there's little overlap between bugs and nothing really dramatic, if you're
on 2.1.7 and are not experiencing any of the issues above, it can wait until
next week or your return from vacation.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.1/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
   Changelog        : http://www.haproxy.org/download/2.1/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Anthonin Bonnefoy (1):
      MINOR: http: Add support for http 413 status

Baruch Siach (1):
      BUILD: tools: fix build with static only toolchains

Christopher Faulet (29):
      REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for compression/lua_validation
      REGTEST: Add a simple script to tests errorfile directives in proxy sections
      MINOR: spoe: Don't systematically create new applets if processing rate is low
      BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible
      BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode
      BUG/MINOR: mux-h1: Don't read data from a pipe if the mux is unable to receive
      BUG/MINOR: mux-h1: Disable splicing only if input data was processed
      BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received
      MINOR: mux-h1: Improve traces about the splicing
      BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf()
      BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready
      BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server
      BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode
      BUG/MINOR: mux-fcgi: Handle empty STDERR record
      BUG/MINOR: mux-fcgi: Set conn state to RECORD_P when skipping the record padding
      BUG/MINOR: mux-fcgi: Set flags on the right stream field for empty FCGI_STDOUT
      BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
      REGEST: Add reg tests about error files
      BUG/MAJOR: dns: Make the do-resolve action thread-safe
      BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
      BUG/MINOR: mux-fcgi: Don't url-decode the QUERY_STRING parameter anymore
      BUG/MEDIUM: mux-h1: Wakeup the H1C in h1_rcv_buf() if more data are expected
      BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received
      BUG/MINOR: debug: Don't dump the lua stack if it is not initialized
      MEDIUM: lua: Add support for the Lua 5.4
      BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation
      BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields
      MINOR: connection: Preinstall the mux for non-ssl connect
      MINOR: stream-int: Be sure to have a mux to do sends and receives

Emeric Brun (2):
      BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.
      BUG/MEDIUM: resolve: fix init resolving for ring and peers section.

Florian Tham (2):
      MINOR: http: Add 410 to http-request deny
      MINOR: http: Add 404 to http-request deny

Harris Kaufmann (1):
      BUG/MEDIUM: fcgi-app: fix memory leak in fcgi_flt_http_headers

Ilya Shipitsin (1):
      BUG/MEDIUM: server: resolve state file handle leak on reload

Miroslav Zagorac (1):
      BUG/MINOR: spoe: correction of setting bits for analyzer

Olivier Houchard (1):
      BUG/MINOR: threads: Don't forget to init each thread toremove_lock.

Ryan O'Hara (1):
      BUG/MINOR: systemd: Wait for network to be online

Tim Duesterhus (5):
      REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for lua/txn_get_priv
      BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL
      BUG/MINOR: http_act: don't check capture id in backend (2)
      BUG/MINOR: sample: Free str.area in smp_check_const_bool
      BUG/MINOR: sample: Free str.area in smp_check_const_meth

William Lallemand (9):
      BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0
      BUG/MEDIUM: ssl: crt-list must continue parsing on ERR_WARN
      BUG/MINOR: mworker/cli: fix the escaping in the master CLI
      BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI
      REGTEST: http-rules: test spaces in ACLs
      REGTEST: http-rules: test spaces in ACLs with master CLI
      REGTEST: ssl: tests the ssl_f_* sample fetches
      REGTEST: ssl: add some ssl_c_* sample fetches test
      DOC: ssl: add "allow-0rtt" and "ciphersuites" in crt-list

Willy Tarreau (27):
      BUG/MEDIUM: log: don't hold the log lock during writev() on a file descriptor
      BUG/MEDIUM: pattern: fix thread safety of pattern matching
      BUILD: make dladdr1 depend on glibc version and not __USE_GNU
      BUG/MINOR: http: make smp_fetch_body() report that the contents may change
      BUG/MINOR: tcp-rules: tcp-response must check the buffer's fullness
      BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks
      BUG/MINOR: spoe: add missing key length check before checking key names
      MEDIUM: map: make the "clear map" operation yield
      BUG/MINOR: http_ana: clarify connection pointer check on L7 retry
      MINOR: cli: make "show sess" stop at the last known session
      BUG/MINOR: proxy: fix dump_server_state()'s misuse of the trash
      BUG/MINOR: proxy: always initialize the trash in show servers state
      DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio
      DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio
      BUILD: haproxy: fix build error when RLIMIT_AS is not set
      MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only
      DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x
      BUG/MEDIUM: lists: add missing store barrier on MT_LIST_BEHEAD()
      BUG/MEDIUM: lists: add missing store barrier in MT_LIST_ADD/MT_LIST_ADDQ
      CONTRIB: da: fix memory leak in dummy function da_atlas_open()
      BUG/MEDIUM: server: fix possibly uninitialized state file on close
      BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp()
      MINOR: pools: increase MAX_BASE_POOLS to 64
      BUILD: thread: add parenthesis around values of locking macros
      BUG/MINOR: cfgparse: don't increment linenum on incomplete lines
      SCRIPTS: announce-release: add the link to the wiki in the announce messages
      BUG/MEDIUM: backend: always attach the transport before installing the mux

Yves Lafon (1):
      BUG/MINOR: cli: allow space escaping on the CLI
