Hi,

HAProxy 2.1.8 was released on 2020/07/31. It added 82 new commits after version 2.1.7.
It's been more than a month since the previous version, so fixes have started to accumulate, for sure. I'll try to summarize since most of these were already mentioned over the last 2.2 releases:

- various DNS fixes (do-resolve was not thread-safe, would spin if called as a final action, and there were memory leaks).
- missing memory barriers on certain threaded operations that essentially affect non-x86 platforms (x86 is "forgiving").
- risk of looping (and abort) on channels, triggered at least by Lua cosockets attempting to read a complete line from truncated contents.
- spliced transfers could occasionally stall on certain sizes due to an FD not always being re-enabled.
- the memcmp() in ebtree was dangerous as it could read past the end on implementations that read multiple bytes at a time.
- FastCGI received a few fixes (small memory leak, risk of blocking on empty stderr records, logs occasionally sent to the wrong stream, query string being unexpectedly url-decoded).
- the hdr_ip() sample fetch could fail to properly parse an IPv4 address due to a missing NUL character delimiter.
- loggers will not wait long on the writev() lock anymore; instead they'll drop the log after a few hundred attempts. This prevents the process from stalling, and the watchdog then killing it, when the FD is mapped to an on-disk file that stalls writes.
- upgraded HTTP requests (e.g. websocket) were experiencing a pause at the beginning of the transfer.
- some spliced transfers of an exact buffer size could terminate on a timeout because there was no further attempt to read input past the end, and hence detect the pending shutdown.
- there was a case of high CPU usage on splicing over HTTP/1 because the connection and the stream were waking each other up in the absence of data.
- string comparisons with patterns (ACLs, ...) were performed by adding a trailing NUL character but didn't check if it would fit, occasionally causing crashes (e.g. comparison with ALPN). Now short patterns are duplicated first.
- pattern matching was still not thread-safe against parallel modifications (set-map, del-map etc).
- "server" directives in peers and rings wouldn't resolve if an FQDN was used, because they used to call str2sa_range() with resolve=0 like the regular servers. Sadly, no error was spotted there, so that would only result in failed connection attempts.
- in case of parsing errors, the state file would not be properly closed, and could even remain uninitialized.
- the crt-list parser could abort and fail in error after the first warning.
- the "clear map" CLI operation could sometimes take so long on extremely large maps that the watchdog could trigger. Now it proceeds in small batches and lets the traffic flow normally.
- the "show sess" CLI operation could endlessly dump new streams if they arrive fast enough (just like the pretty old "netstat -a"). Now instead it will dump up to the last known stream at the moment it is entered, which means that instead of dumping more streams than reality, it may dump a bit less if some died in between. But it's now safe for use in scripts and automated reports.

In addition, compatibility support for Lua 5.4 was backported so that those who prefer to use 2.1 on their latest distros do not experience issues. The "http-request deny" rules now support status codes 404, 410 and 413. Yves' patch to allow spaces to be escaped on the CLI was finally backported, so that if you need to update user-agent strings via the CLI you will at last be able to (just prepend a backslash in front of them). A few other minor issues were addressed, and that's about all!

It was long but not that scary. Usual stuff, nobody loves to deploy on Friday, but those still experiencing issues on 2.1.7 might prefer to upgrade.
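The trailing-NUL pattern comparison fix listed above, as an added C illustration that is not HAProxy's own code: a sample that exactly fills its buffer has no spare byte for a terminator, so the hardened version only writes one when `len < size` and otherwise compares a bounded copy. `struct sample_buf`, `match_str_exact()` and `match_sample()` are constructed names for this example, not HAProxy identifiers.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a fetched sample (not HAProxy's struct sample):
 * 'len' bytes of data in a buffer of 'size' bytes, no NUL terminator. */
struct sample_buf { char *area; size_t len; size_t size; };

/* Exact-match a non-terminated sample against a NUL-terminated pattern.
 * The pre-2.1.8 behaviour this illustrates wrote '\0' at area[len] without
 * checking len < size, overflowing by one byte whenever the sample filled
 * its buffer (e.g. an ALPN value). Returns 1 match, 0 mismatch, -1 OOM. */
int match_str_exact(struct sample_buf *smp, const char *pattern)
{
    if (smp->len < smp->size) {
        /* Terminate in place, compare, then restore the clobbered byte. */
        char saved = smp->area[smp->len];
        smp->area[smp->len] = '\0';
        int ret = strcmp(smp->area, pattern) == 0;
        smp->area[smp->len] = saved;
        return ret;
    }
    /* No room for the terminator: use a bounded temporary copy. */
    char *dup = malloc(smp->len + 1);
    if (!dup)
        return -1;
    memcpy(dup, smp->area, smp->len);
    dup[smp->len] = '\0';
    int ret = strcmp(dup, pattern) == 0;
    free(dup);
    return ret;
}

/* Constructed driver: puts 'data' in a buffer with 'slack' spare bytes.
 * slack == 0 is the exactly-full case that used to overflow; with slack > 0
 * the 'X' sentinel in the spare byte must come back untouched. */
int match_sample(const char *data, size_t slack, const char *pattern)
{
    size_t n = strlen(data);
    char *buf = malloc(n + slack);
    if (!buf)
        return -1;
    memcpy(buf, data, n);
    memset(buf + n, 'X', slack);
    struct sample_buf smp = { buf, n, n + slack };
    int ret = match_str_exact(&smp, pattern);
    if (slack && buf[n] != 'X')
        ret = -2;
    free(buf);
    return ret;
}
```

Running the full-buffer case under AddressSanitizer is the quickest way to see why the unconditional write was a crash rather than a silent mismatch.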
Most of those who reported the issues above are already running fine on a fixed snapshot, and given that there's little overlap between bugs and nothing really dramatic, if you're on 2.1.7 and are not experiencing any of the issues above, it can wait until next week or your return from vacation.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.1/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
   Changelog        : http://www.haproxy.org/download/2.1/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Anthonin Bonnefoy (1):
      MINOR: http: Add support for http 413 status

Baruch Siach (1):
      BUILD: tools: fix build with static only toolchains

Christopher Faulet (29):
      REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for compression/lua_validation
      REGTEST: Add a simple script to tests errorfile directives in proxy sections
      MINOR: spoe: Don't systematically create new applets if processing rate is low
      BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible
      BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode
      BUG/MINOR: mux-h1: Don't read data from a pipe if the mux is unable to receive
      BUG/MINOR: mux-h1: Disable splicing only if input data was processed
      BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received
      MINOR: mux-h1: Improve traces about the splicing
      BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf()
      BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready
      BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server
      BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode
      BUG/MINOR: mux-fcgi: Handle empty STDERR record
      BUG/MINOR: mux-fcgi: Set conn state to RECORD_P when skipping the record padding
      BUG/MINOR: mux-fcgi: Set flags on the right stream field for empty FCGI_STDOUT
      BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
      REGEST: Add reg tests about error files
      BUG/MAJOR: dns: Make the do-resolve action thread-safe
      BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
      BUG/MINOR: mux-fcgi: Don't url-decode the QUERY_STRING parameter anymore
      BUG/MEDIUM: mux-h1: Wakeup the H1C in h1_rcv_buf() if more data are expected
      BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received
      BUG/MINOR: debug: Don't dump the lua stack if it is not initialized
      MEDIUM: lua: Add support for the Lua 5.4
      BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation
      BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields
      MINOR: connection: Preinstall the mux for non-ssl connect
      MINOR: stream-int: Be sure to have a mux to do sends and receives

Emeric Brun (2):
      BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.
      BUG/MEDIUM: resolve: fix init resolving for ring and peers section.

Florian Tham (2):
      MINOR: http: Add 410 to http-request deny
      MINOR: http: Add 404 to http-request deny

Harris Kaufmann (1):
      BUG/MEDIUM: fcgi-app: fix memory leak in fcgi_flt_http_headers

Ilya Shipitsin (1):
      BUG/MEDIUM: server: resolve state file handle leak on reload

Miroslav Zagorac (1):
      BUG/MINOR: spoe: correction of setting bits for analyzer

Olivier Houchard (1):
      BUG/MINOR: threads: Don't forget to init each thread toremove_lock.

Ryan O'Hara (1):
      BUG/MINOR: systemd: Wait for network to be online

Tim Duesterhus (5):
      REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for lua/txn_get_priv
      BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL
      BUG/MINOR: http_act: don't check capture id in backend (2)
      BUG/MINOR: sample: Free str.area in smp_check_const_bool
      BUG/MINOR: sample: Free str.area in smp_check_const_meth

William Lallemand (9):
      BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0
      BUG/MEDIUM: ssl: crt-list must continue parsing on ERR_WARN
      BUG/MINOR: mworker/cli: fix the escaping in the master CLI
      BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI
      REGTEST: http-rules: test spaces in ACLs
      REGTEST: http-rules: test spaces in ACLs with master CLI
      REGTEST: ssl: tests the ssl_f_* sample fetches
      REGTEST: ssl: add some ssl_c_* sample fetches test
      DOC: ssl: add "allow-0rtt" and "ciphersuites" in crt-list

Willy Tarreau (27):
      BUG/MEDIUM: log: don't hold the log lock during writev() on a file descriptor
      BUG/MEDIUM: pattern: fix thread safety of pattern matching
      BUILD: make dladdr1 depend on glibc version and not __USE_GNU
      BUG/MINOR: http: make smp_fetch_body() report that the contents may change
      BUG/MINOR: tcp-rules: tcp-response must check the buffer's fullness
      BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks
      BUG/MINOR: spoe: add missing key length check before checking key names
      MEDIUM: map: make the "clear map" operation yield
      BUG/MINOR: http_ana: clarify connection pointer check on L7 retry
      MINOR: cli: make "show sess" stop at the last known session
      BUG/MINOR: proxy: fix dump_server_state()'s misuse of the trash
      BUG/MINOR: proxy: always initialize the trash in show servers state
      DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio
      DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio
      BUILD: haproxy: fix build error when RLIMIT_AS is not set
      MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only
      DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x
      BUG/MEDIUM: lists: add missing store barrier on MT_LIST_BEHEAD()
      BUG/MEDIUM: lists: add missing store barrier in MT_LIST_ADD/MT_LIST_ADDQ
      CONTRIB: da: fix memory leak in dummy function da_atlas_open()
      BUG/MEDIUM: server: fix possibly uninitialized state file on close
      BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp()
      MINOR: pools: increase MAX_BASE_POOLS to 64
      BUILD: thread: add parenthesis around values of locking macros
      BUG/MINOR: cfgparse: don't increment linenum on incomplete lines
      SCRIPTS: announce-release: add the link to the wiki in the announce messages
      BUG/MEDIUM: backend: always attach the transport before installing the mux

Yves Lafon (1):
      BUG/MINOR: cli: allow space escaping on the CLI

---