Hi,

HAProxy 2.6-dev6 was released on 2022/04/16. It added 150 new commits
after version 2.6-dev5.

This release mostly focuses on integrating the second half of the merge
of the stream interface and conn_stream that I spoke about last week, and
it concludes this operation that was envisioned since the introduction of
the conn_stream in 1.8. While the change is very methodic, it touches many
places and there is a non-null risk that something was broken, hence the
reason for exposing this rework as soon as possible. There is no expected
change for users (aside from a possible bug of course), but for developers it
will change the way to access the lower layers from the upper ones (it will
be simpler but for those like me who've used that since 1.4 or so, it will
take some time to get used to it).

QUIC saw a small batch of fixes and improvements (some are still pending).
One visible part is that the SSL sample fetch functions now work on QUIC
connections (e.g. ssl_fc or ssl_f_serial etc) and that the source address
is now properly retrieved. The destination address is still inaccurate,
the listener's address is retrieved (but if it's bound to an exact address
instead of 0.0.0.0, the correct one will be reported). The reason is the
limited API to retrieve the destination address of an incoming datagram.
We've found a possibility to explore soon on Linux.

A few TCP info sample fetch methods were enabled on MacOS.

A few long-pending issues were addressed, and these fixes will be backported
to affected versions, but there's nothing exceptional on this front.

After some discussion with William and Emeric around the build trouble made
by OpenSSL engines in OpenSSL 3.0 that dumps a torrent of warnings that hide
important ones, and the fact that users of engines usually build some or all
parts themselves, it was decided that engines are not enabled by default
anymore, but that they may be enabled by passing "USE_ENGINE=1" to make.
As such we now have the two following options:

  - build with just USE_OPENSSL=1, engines are disabled, no warning should
    be emitted. The SSL maintainers think it should be the default since
    the future of engines in OpenSSL is uncertain due to the new "providers"
    API that might possibly change certain settings in the future anyway.

  - build with USE_OPENSSL=1 USE_ENGINE=1 to continue to enable engines.
    In this case an extra option is passed to disable deprecation warnings
    in OpenSSL so that the build should not emit any warning either, but
    may also hide future deprecation warnings.

My personal suspicion is that distros will build without engines since
there is none that we're aware of that works out of the box without having
at least to touch openssl a little bit, and that advanced users will
continue to build their own optimized packages with this option enabled.
Time will tell, as usual.

Another improvement which is not related to the code, with the precious
help of Tim and Cyril, we could finally set up an automatic generation of
the HTML documentation. It's performed daily and published on github pages
at http://docs.haproxy.org.

William has also set up a build system that's triggered by the CI and that
produces packages of the latest development version for various distros.
The goal is to help users deploy development versions to participate in
the testing and benefit early from new features, as we know that till now
it used to require particular efforts and that not everyone has enough
time to think about rebuilding packages often. I'll let William expand on
this point regarding what's covered and how to use this.

Finally we've added links to remaining issues affecting the development
versions below (verified bugs, unqualified ones and automated code reports).
These are just shortcuts for filters in the issue tracker, but it's pleasant
to see that there are quite few left thus we're on a good trend.

LAST MINUTE:
------------
The deployment on haproxy.org crashed during the typing of this message.
I've pushed a fix that seems to have fixed it but I'll double-check with
Christopher next week if I'm fixing the bug or just hiding it. Please do
not deploy it in production before we send the signal that it's OK (we'll
emit a new version then).

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports

Willy
---
Complete changelog :
Amaury Denoyelle (6):
      BUG/MINOR: h3: fix build with DEBUG_H3
      BUG/MINOR: mux-quic: prevent a crash in session_free on mux.destroy
      BUG/MINOR: quic-sock: do not double free session on conn init failure
      BUG/MINOR: quic: fix return value for error in start
      MINOR: quic: emit CONNECTION_CLOSE on app init error
      BUG/MEDIUM: quic: properly clean frames on stream free

Christopher Faulet (90):
      BUG/MINOR: mux-h1: Don't release unallocated CS on error path
      MINOR: applet: Make .init callback more generic
      MINOR: conn-stream: Add flags to set the type of the endpoint
      MEDIUM: applet: Set the appctx owner during allocation
      MAJOR: conn-stream: Invert conn-stream endpoint and its context
      REORG: Initialize the conn-stream by hand in cs_init()
      MEDIUM: conn-stream: Add an endpoint structure in the conn-stream
      MINOR: conn-stream: Move some CS flags to the endpoint
      MEDIUM: conn-stream: Be able to pass endpoint to create a conn-stream
      MEDIUM: conn-stream: Pre-allocate endpoint to create CS from muxes and applets
      REORG: applet: Uninline appctx_new function
      MAJOR: conn-stream: Share endpoint struct between the CS and the mux/applet
      MEDIUM: conn-stream: Move remaning flags from CS to endpoint
      MINOR: mux-pt: Rely on the endpoint instead of the conn-stream when possible
      MINOR: conn-stream: Add ISBACK conn-stream flag
      MINOR: conn-stream: Add header file with util functions related to conn-streams
      MEDIUM: tree-wide: Use CS util functions instead of SI ones
      MINOR: stream-int/txn: Move buffer for L7 retries in the HTTP transaction
      CLEANUP: http-ana: Remove http_alloc_txn() function
      MINOR: stream-int/stream: Move conn_retries counter in the stream
      MINOR: stream: Simplify retries counter calculation
      MEDIUM: stream-int/conn-stream: Move src/dst addresses in the conn-stream
      MINOR: stream-int/conn-stream: Move half-close timeout in the conn-stream
      MEDIUM: stream-int/stream: Use connect expiration instead of SI expiration
      MINOR: stream-int/conn-stream: Report error to the CS instead of the SI
      MEDIUM: conn-stream: Use endpoint error instead of conn-stream error
      MINOR: channel: Use conn-streams as channel producer and consumer
      MINOR: stream-int: Remove SI_FL_KILL_CON to rely on conn-stream endpoint only
      MINOR: mux-h2/mux-fcgi: Fully rely on CS_EP_KILL_CONN
      MINOR: stream-int: Remove SI_FL_NOLINGER/NOHALF to rely on CS flags instead
      MINOR: stream-int: Remove SI_FL_DONT_WAKE to rely on CS flags instead
      MINOR: stream-int: Remove SI_FL_INDEP_STR to rely on CS flags instead
      MINOR: stream-int: Remove SI_FL_SRC_ADDR to rely on stream flags instead
      CLEANUP: stream-int: Remove unused SI_FL_CLEAN_ABRT flag
      MINOR: stream: Only save previous connection state for the server side
      MEDIUM: stream-int: Move SI err_type in the stream
      MEDIUM: stream-int/conn-stream: Move stream-interface state in the conn-stream
      MINOR: stream-int/stream: Move si_retnclose() in the stream scope
      MINOR: stream-int/backend: Move si_connect() in the backend scope
      MINOR: stream-int/conn-stream: Move si_conn_ready() in the conn-stream scope
      MINOR: conn-stream/connection: Move SHR/SHW modes in the connection scope
      MEDIUM: conn-stream: Be prepared to fail to attach a cs to a mux
      MEDIUM: stream-int/conn-stream: Handle I/O subscriptions in the conn-stream
      MINOR: conn-stream: Rename CS functions dedicated to connections
      MINOR: stream-int/conn-stream: Move si_shut* and si_chk* in conn-stream scope
      MEDIUM: stream-int/conn-stream: Move si_ops in the conn-stream scope
      MINOR: applet: Use the CS to register and release applets instead of SI
      MINOR: connection: unconst mux's get_fist_cs() callback function
      MINOR: stream-int/connection: Move conn_si_send_proxy() in the connection scope
      REORG: stream-int: Export si_cs_recv(), si_cs_send() and si_cs_process()
      REORG: stream-int: Move si_is_conn_error() in the header file
      REORG: conn-stream: Move cs_shut* and cs_chk* in cs_utils
      REORG: conn-stream: Move cs_app_ops in conn_stream.c
      MINOR: stream-int-conn-stream: Move si_update_* in conn-stream scope
      MINOR: stream-int/stream: Move si_update_both in stream scope
      MEDIUM: conn-stream/applet: Add a data callback for applets
      MINOR: stream-int/conn-stream: Move stream_int_read0() in the conn-stream scope
      MINOR: stream-int/conn-stream: Move stream_int_notify() in the conn-stream scope
      MINOR: stream-int/conn-stream: Move si_cs_io_cb() in the conn-stream scope
      MINOR: stream-int/conn-stream: Move si_sync_recv/send() in conn-stream scope
      MINOR: conn-stream: Move si_conn_cb in the conn-stream scope
      MINOR: stream-int/conn-stream Move si_is_conn_error() in the conn-stream scope
      MINOR: stream-int/conn-stream: Move si_alloc_ibuf() in the conn-stream scope
      CLEANUP: stream-int:  Remove unused SI functions
      MEDIUM: stream-int/conn-stream: Move blocking flags from SI to CS
      MEDIUM: stream-int/conn-stream: Move I/O functions to conn-stream
      REORG: stream-int/conn-stream: Move remaining functions to conn-stream
      MINOR: stream: Use conn-stream to report server error
      MINOR: http-ana: Use CS to perform L7 retries
      MEDIUM: stream: Don't use the stream-int anymore in process_stream()
      MINOR: conn-stream: Remove the stream-interface from the conn-stream
      DEV: flags: No longer dump SI flags
      CLEANUP: tree-wide: Remove any ref to stream-interfaces
      CLEANUP: conn-stream: Don't export internal functions
      DOC: conn-stream: Add comments on functions of the new CS api
      MEDIUM: check: Use a new conn-stream for each health-check run
      CLEANUP: muxes: Remove MX_FL_CLEAN_ABRT flag
      MINOR: conn-stream: Use a dedicated function to conditionally remove a CS
      CLEANUP: conn-stream: rename cs_register_applet() to cs_applet_create()
      MINOR: muxes: Improve show_fd callbacks to dump endpoint flags
      MINOR: mux-h1: Rely on the endpoint instead of the conn-stream when possible
      MINOR: muxes: Don't expect to have a mux without connection in destroy callback
      MINOR: muxes: Don't handle proto upgrade for muxes not supporting it
      MINOR: muxes: Don't expect to call release function with no mux defined
      MINOR: conn-stream: Use unsafe functions to get conn/appctx in cs_detach_endp
      BUG/MEDIUM: mux-h1: Don't request more room on partial trailers
      BUILD: http-client: Avoid dead code when compiled without SSL support
      BUG/MEDIUM: connection: Don't crush context pointer location if it is a CS
      BUG/MEDIUM: fcgi-app: Use http_msg flags to know if C-L header can be added
      BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags

David CARLIER (2):
      MINOR: tcp_sample: clarifying samples support per os, for further expansion.
      MINOR: tcp_sample: extend support for get_tcp_info to macOs.

Frédéric Lécaille (1):
      BUG/MINOR: quic: Avoid starting the mux if no ALPN sent by the client

Ilya Shipitsin (2):
      DOC: adjust QUIC instruction in INSTALL
      CI: cirrus: switch to FreeBSD-13.0

Tim Duesterhus (2):
      CI: Update to actions/checkout@v3
      CI: Update to actions/cache@v3

William Lallemand (2):
      BUILD: ssl: add USE_ENGINE and disable the openssl engine by default
      CI: github actions: disable -Wno-deprecated

Willy Tarreau (45):
      CLEANUP: connection: reduce the with of the mux dump output
      BUG/MINOR: stats: define the description' background color in dark color scheme
      BUILD: makefile: pass USE_ENGINE to cflags
      BUILD: xprt-quic: replace ERR_func_error_string() with ERR_peek_error_func()
      DOC: install: document the fact that SSL engines are not enabled by default
      BUILD: makefile: silence unbearable OpenSSL deprecation warnings
      MINOR: sock: check configured limits at the sock layer, not the listener's
      MINOR: connection: add a new flag CO_FL_FDLESS on fd-less connections
      MINOR: connection: add conn_fd() to retrieve the FD only when it exists
      MINOR: stream: only dump connections' FDs when they are valid
      MINOR: connection: use conn_fd() when displaying connection errors
      MINOR: connection: skip FD-based syscalls for FD-less connections
      MEDIUM: connection: panic when calling FD-specific functions on FD-less conns
      MINOR: mux-quic: properly set the flags and name fields
      MINOR: connection: rearrange conn_get_src/dst to be a bit more extensible
      MINOR: protocol: add get_src() and get_dst() at the protocol level
      MINOR: quic-sock: provide a pair of get_src/get_dst functions
      MEDIUM: ssl: improve retrieval of ssl_sock_ctx and SSL detection
      MEDIUM: ssl: stop using conn->xprt_ctx to access the ssl_sock_ctx
      MEDIUM: xprt-quic: implement get_ssl_sock_ctx()
      MEDIUM: quic: move conn->qc into conn->handle
      BUILD: ssl: fix build warning with previous changes to ssl_sock_ctx
      BUILD: ssl: add an unchecked version of __conn_get_ssl_sock_ctx()
      MINOR: ssl: refine the error testing for fc_err and fc_err_str
      BUG/MINOR: sock: do not double-close the accepted socket on the error path
      MINOR: log: add '~' to frontend when the transport layer provides SSL
      BUILD/DEBUG: lru: fix printf format in debug code
      BUILD: peers: adjust some printf format to silence cppcheck
      BUILD/DEBUG: hpack-tbl: fix format string in standalone debug code
      BUILD/DEBUG: hpack: use unsigned int in printf format in debug code
      BUILD: halog: fix some incorrect signs in printf formats for integers
      BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent
      BUG/MINOR: cache: do not display expired entries in "show cache"
      BUILD: debug: mark the __start_mem_stats/__stop_mem_stats symbols as weak
      BUILD: initcall: mark the __start_i_* symbols as weak, not global
      BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side
      BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive
      BUILD: sched: workaround crazy and dangerous warning in Clang 14
      BUILD: compiler: use a more portable set of asm(".weak") statements
      BUG/MEDIUM: stream: do not abort connection setup too early
      CLEANUP: extcheck: do not needlessly preset the server's address/port
      MINOR: extcheck: fill in the server's UNIX socket address when known
      SCRIPTS: announce-release: update the doc's URL
      DOC: lua: update a few doc URLs
      SCRIPTS: announce-release: add shortened links to pending issues
