Hi, HAProxy 2.2-dev5 was released on 2020/03/23. It added 99 new commits after version 2.2-dev4.
During these last two weeks a lot of time was spent cleaning up code, doc and reg-tests. Fortunately in addition there are still some more visible features:

  - a unique ID may now be sent and received in the PROXY protocol for connection tracing purposes along a chain. This is mostly useful for TCP-based protocols since in HTTP it may already be done with HTTP headers.

  - the default maxconn used to appear as lower than before for a number of users, because before 2.0 it used to be hard-coded to 2000 (even if FD limits were too low), and since 2.0 we relied on the soft limit instead of the hard limit. This made haproxy use the least possible FDs as the upper bound. Now instead we rely on the hard limit, which makes more sense since the goal is to allow what's permitted. This will increase the default maxconn for users who don't set it and who don't touch their FD limit using "ulimit -n" on the command line.

  - it's possible to dump the crt-lists from the command line using "show crt-list" or "dump crt-list".

  - there's now the possibility to create an SSL certificate directly from the command line ("new ssl cert"), though the commit message suggests some parts are still missing for it to be completely usable with crt-lists, which also hints why it doesn't appear yet in the doc, so I don't know if I ought to speak about it or not :-)

  - idle server connections may now be reused between threads. This should significantly reduce the number of file descriptors for setups using a large number of threads, and significantly increase the reuse rate. Please note that this applies to *idle* connections (i.e. not used at all). Multiplexed connections like H2 or FCGI may still be used by a single thread at once, even though any thread can pick them first (but there are theoretical plans to try to share them in 2.3).

We're approaching the end of unplanned changes, so the goal will now be to mostly focus on finishing what's already started.
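To make the PROXY protocol unique-ID feature concrete, here is an added example (not haproxy code, and not part of this announcement) that builds a PROXY v2 header carrying the unique ID in the TLV type 0x05 reserved as PP2_TYPE_UNIQUE_ID, and parses it back with the length checks a receiver needs, since the TLV block arrives from the peer on any listener accepting the PROXY protocol. The wire layout and the 128-byte limit on the unique-ID value are taken from the PROXY protocol specification; the function names and the sample addresses are constructed for this example.

```python
import socket
import struct

# PROXY protocol v2 constants from the spec; TLV type 0x05 is the
# PP2_TYPE_UNIQUE_ID value that 2.2-dev5 reserves for the unique ID.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VER_CMD_PROXY = 0x21    # version 2, command PROXY
PP2_FAM_TCP4 = 0x11         # AF_INET, SOCK_STREAM
PP2_TYPE_UNIQUE_ID = 0x05
PP2_UNIQUE_ID_MAX = 128     # maximum unique-id value length in the spec

def build_ppv2_header(src, dst, unique_id):
    """Build a PPv2 header (TCP over IPv4) carrying one unique-id TLV."""
    if len(unique_id) > PP2_UNIQUE_ID_MAX:
        raise ValueError("unique id too long")
    body = (socket.inet_aton(src[0]) + socket.inet_aton(dst[0])
            + struct.pack("!HH", src[1], dst[1])
            + struct.pack("!BH", PP2_TYPE_UNIQUE_ID, len(unique_id)) + unique_id)
    return (PP2_SIGNATURE + bytes([PP2_VER_CMD_PROXY, PP2_FAM_TCP4])
            + struct.pack("!H", len(body)) + body)

def parse_ppv2_unique_id(data):
    """Return (src, dst, unique_id, header_len); raise ValueError on bad input.
    Only PROXY/TCP-over-IPv4 is handled.  The length checks matter: the TLV
    block is peer-supplied input on every listener that accepts PROXY.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != PP2_VER_CMD_PROXY or fam != PP2_FAM_TCP4:
        raise ValueError("unsupported PROXY v2 variant")
    end = 16 + length
    if length < 12 or len(data) < end:
        raise ValueError("truncated PROXY v2 header")
    sip, dip, sport, dport = struct.unpack("!4s4sHH", data[16:28])
    pos, unique_id = 28, None
    while pos < end:                       # walk the TLV block
        if pos + 3 > end:
            raise ValueError("truncated TLV")
        tlv_type, tlv_len = struct.unpack("!BH", data[pos:pos + 3])
        if pos + 3 + tlv_len > end:
            raise ValueError("TLV length exceeds header")
        if tlv_type == PP2_TYPE_UNIQUE_ID:
            if tlv_len > PP2_UNIQUE_ID_MAX:
                raise ValueError("unique-id TLV too long")
            unique_id = data[pos + 3:pos + 3 + tlv_len]
        pos += 3 + tlv_len
    return ((socket.inet_ntoa(sip), sport), (socket.inet_ntoa(dip), dport),
            unique_id, end)
```

The bytes following the returned header length are the first bytes of the real connection payload, which is why a receiver must trust the declared length only after bounding it against what it has actually read.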
Regarding the pending stuff I currently have in mind, I think there are still changes coming on the SSL side regarding runtime certificate management, there are pending changes on health checks to clean the horrible mess we have accumulated since 1.1, and I made one quick attempt at implementing TCP logs but I figured that it required one hour of work and probably one week of code refactoring bringing no value except avoiding code duplication, and I must confess I lost my motivation. We need to find the sweet spot between reworking the logs at the last minute and making sure we do something quick but forward-compatible from a configuration perspective. A few more improvements on FD management and idle connections are expected as well.

If you have pending stuff on your side that you'd like to see merged in 2.2, please at least speak about it now, because code review takes a huge amount of time and those currently finishing their work cannot always be available to review some late changes.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.2/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.2/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Balvinder Singh Rawat (1):
      DOC: correct typo in alert message about rspirep

David Carlier (1):
      BUILD: on ARM, must be linked to libatomic.

Emeric Brun (1):
      BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
Ilya Shipitsin (7):
      CLEANUP: assorted typo fixes in the code and comments
      CI: add spellcheck github action
      CI: travis: switch linux builds to clang-9
      CI: travis: proper group output redirection together with travis_wait
      DOC: assorted typo fixes in the documentation
      CI: run travis-ci builds on push only, skip pull requests
      CI: temporarily disable unstable travis arm64 builds

Kevin Zhu (1):
      BUG/MEDIUM: spoe: dup agent's engine_id string from trash.area

Lukas Tribus (1):
      DOC: ssl: clarify security implications of TLS tickets

Olivier Houchard (33):
      BUG/MINOR: buffers: MT_LIST_DEL_SAFE() expects the temporary pointer.
      BUG/MEDIUM: mt_lists: Make sure we set the deleted element to NULL;
      MINOR: mt_lists: Appease gcc.
      MINOR: lists: Implement function to convert list => mt_list and mt_list => list
      MINOR: servers: Kill priv_conns.
      MINOR: lists: fix indentation.
      BUG/MEDIUM: connections: Don't assume the connection has a valid session.
      BUG/MEDIUM: pools: Always update free_list in pool_gc().
      MINOR: fd: Use a separate lock for logs instead of abusing the fd lock.
      MINOR: mux_pt: Don't try to remove the connection from the idle list.
      MEDIUM: fd: Introduce a running mask, and use it instead of the spinlock.
      MINOR: tasks: Provide the tasklet to the callback.
      MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
      BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue().
      MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc.
      MEDIUM: sessions: Don't be responsible for connections anymore.
      MEDIUM: servers: Split the connections into idle, safe, and available.
      MINOR: fd: Implement fd_takeover().
      MINOR: connections: Add a new mux method, "takeover".
      MINOR: connections: Make the "list" element a struct mt_list instead of list.
      MINOR: connections: Add a flag to know if we're in the safe or idle list.
      MEDIUM: connections: Attempt to get idle connections from other threads.
      MEDIUM: mux_h1: Implement the takeover() method.
      MEDIUM: mux_h2: Implement the takeover() method.
      MEDIUM: mux_fcgi: Implement the takeover() method.
      MEDIUM: connections: Kill connections even if we are reusing one.
      BUG/MEDIUM: connections: Don't forget to decrement idle connection counters.
      BUG/MEDIUM: build: Fix compilation by spelling decl correctly.
      BUILD/MEDIUM: fd: Declare fd_mig_lock as extern.
      BUG/MINOR: connections: Make sure we free the connection on failure.
      BUG/MEDIUM: h1: Make sure we subscribe before going into idle list.
      BUG/MINOR: connections: Set idle_time before adding to idle list.
      MINOR: muxes: Note that we can't usee a connection when added to the srv idle.

Tim Duesterhus (8):
      DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
      MINOR: proxy_protocol: Ingest PP2_TYPE_UNIQUE_ID on incoming connections
      MEDIUM: proxy_protocol: Support sending unique IDs using PPv2
      CLEANUP: connection: Add blank line after declarations in PP handling
      CLEANUP: connection: Stop directly setting an ist's .ptr
      BUG/MINOR: pattern: Do not pass len = 0 to calloc()
      BUG/MINOR: ssl: Do not free garbage pointers on memory allocation failure
      BUG/MINOR: ssl: Correctly add the 1 for the sentinel to the number of elements

William Lallemand (17):
      CLEANUP: ssl: is_default is a bit in ckch_inst
      BUG/MINOR: ssl/cli: sni_ctx' mustn't always be used as filters
      CLEANUP: ssl: separate the directory loading in a new function
      REORG: ssl: move ssl_sock_load_cert()
      MINOR: ssl: pass ckch_inst to ssl_sock_load_ckchs()
      MEDIUM: ssl: allow crt-list caching
      MINOR: ssl: directories are loaded like crt-list
      BUG/MINOR: ssl: can't open directories anymore
      MINOR: ssl/cli: show/dump ssl crt-list
      BUG/MINOR: ssl/cli: free the trash chunk in dump_crtlist
      BUG/MINOR: ssl: memory leak in crtlist_parse_file()
      BUG/MINOR: ssl: memleak of struct crtlist_entry
      MINOR: ssl/cli: 'new ssl cert' command
      MINOR: ssl/cli: show certificate status in 'show ssl cert'
      BUG/MINOR: ssl: crtlist_dup_filters() must return NULL with fcount == 0
      BUG/MINOR: ssl/cli: free BIO upon error in 'show ssl cert'
      BUG/MINOR: ssl/cli: fix a potential NULL dereference

Willy Tarreau (29):
      CLEANUP: remove support for Linux i686 vsyscalls
      CLEANUP: drop support for USE_MY_ACCEPT4
      CLEANUP: remove support for USE_MY_EPOLL
      CLEANUP: remove support for USE_MY_SPLICE
      CLEANUP: remove the now unused common/syscall.h
      BUILD: make dladdr1 depend on glibc version and not __USE_GNU
      BUILD: wdt: only test for SI_TKILL when compiled with thread support
      BUILD: Makefile: the compiler-specific flags should all be in SPEC_CFLAGS
      MINOR: init: move the maxsock calculation code to compute_ideal_maxsock()
      MEDIUM: init: always try to push the FD limit when maxconn is set from -m
      BUG/MAJOR: list: fix invalid element address calculation
      BUILD: stream-int: fix a few includes dependencies
      BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
      BUG/MINOR: haproxy: always initialize sleeping_thread_mask
      BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
      BUG/MINOR: haproxy/threads: try to make all threads leave together
      Revert "BUILD: travis-ci: enable s390x builds"
      BUILD: travis-ci: enable regular s390x builds
      MINOR: debug: add a new DISGUISE() macro to pass a value as identity
      MINOR: debug: consume the write() result in BUG_ON() to silence a warning
      MINOR: use DISGUISE() everywhere we deliberately want to ignore a result
      BUILD: pools: silence build warnings with DEBUG_MEMORY_POOLS and DEBUG_UAF
      CI: travis: revert to clang-7 for BoringSSL tests
      BUILD: makefile: fix regex syntax in ARM platform detection
      BUILD: makefile: fix expression again to detect ARM platform
      CI: travis: re-enable ASAN on clang
      REGTEST: increase timeouts on the seamless-reload test
      BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
      CLEANUP: haproxy/threads: don't check global_tasks_mask twice

---