Hello community,

here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2014-06-25 15:24:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haproxy (Old)
 and      /work/SRC/openSUSE:Factory/.haproxy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy" Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2014-05-23 07:27:53.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2014-06-25 15:24:39.000000000 +0200 
@@ -1,0 +2,123 @@ +Tue Jun 24 15:55:48 UTC 2014 - [email protected] + +- install the vim file into the versioned directory and dont cover + the current symlink with a directory + +------------------------------------------------------------------- +Tue Jun 24 13:00:39 UTC 2014 - [email protected] + +- add Requires to vim to make the ownership of the vim directory + clear and not break any symlink handling the vim package might + use. + +------------------------------------------------------------------- +Tue Jun 24 12:23:55 UTC 2014 - [email protected] + +- update to 1.5.1 + - BUG/MINOR: config: http-request replace-header arg typo + - BUG/MINOR: ssl: rejects OCSP response without nextupdate. + - BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses. + - BUG/MINOR: ssl: Fix OCSP resp update fails with the same + certificate configured twice. (cherry picked from commit + 1d3865b096b43b9a6d6a564ffb424ffa6f1ef79f) + - BUG/MEDIUM: Consistently use 'check' in process_chk + - BUG/MAJOR: session: revert all the crappy client-side timeout + changes + - BUG/MINOR: logs: properly initialize and count log sockets +- drop haproxy-1.5.0_consistently_use_check.patch: + included upstream + +------------------------------------------------------------------- +Tue Jun 24 09:51:25 UTC 2014 - [email protected] + +- Install vim file to a more appropriate location + +------------------------------------------------------------------- +Mon Jun 23 09:19:04 UTC 2014 - [email protected] + +- added pre macro for systemd service file + +------------------------------------------------------------------- +Mon Jun 23 08:28:06 UTC 2014 - [email protected] + +- Use better systemd detection consistently + +------------------------------------------------------------------- +Sun Jun 22 19:48:11 UTC 2014 - [email protected] + +- pull commit 9ac7cabaf9945fb92c96cb92f5ea85235f54f7d6: + Consistently use 'check' in process_chk + I am not entirely sure that this is a bug, but it seems + to me that it 
may cause a problem if there agent-check is + configured and there is some kind of error making a connection + for it. + adds patch haproxy-1.5.0_consistently_use_check.patch + +------------------------------------------------------------------- +Fri Jun 20 14:37:21 UTC 2014 - [email protected] + +- update to 1.5.0 + For people who don't follow the development versions, 1.5 expands + 1.4 with many new features and performance improvements, + including native SSL support on both sides with SNI/NPN/ALPN and + OCSP stapling, IPv6 and UNIX sockets are supported everywhere, + full HTTP keep-alive for better support of NTLM and improved + efficiency in static farms, HTTP/1.1 compression (deflate, gzip) + to save bandwidth, PROXY protocol versions 1 and 2 on both sides, + data sampling on everything in request or response, including + payload, ACLs can use any matching method with any input sample + maps and dynamic ACLs updatable from the CLI stick-tables support + counters to track activity on any input sample custom format for + logs, unique-id, header rewriting, and redirects, improved health + checks (SSL, scripted TCP, check agent, ...), much more scalable + configuration supports hundreds of thousands of backends and + certificates without sweating. + + For all the details see /usr/share/doc/packages/haproxy/CHANGELOG + +- enable tcp fast open if the kernel is recent enough +- enable PCRE JIT if PCRE is recent enough +- enable openssl support! + - haproxy can finally terminate ssl itself and also talk SSL to + the backend servers. + - including SNI/NPN/ALPN support. + new buildrequires openssl and pkgconfig +- enable deflate support + new buildrequires zlib-devel +- enable transparent proxy support +- enable usage of accept4. reduces the syscall amount. 
+- enable building and installing of halog +- install vim file into the correct place +- dropped patches: + 0001-MEDIUM-add-systemd-service.patch + 0002-MEDIUM-add-haproxy-systemd-wrapper.patch + 0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch + 0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch + 0005-BUILD-stdbool-is-not-portable-again.patch + 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch + 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch + 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch + 0009-openSUSE-Configure-haproxy-user.patch + 0010-openSUSE-Fix-path-to-PCRE-library.patch + 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch + 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch + 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch + 0014-MINOR-systemd-wrapper-improve-logging.patch + 0015-MINOR-systemd-wrapper-propagate-exit-status.patch +- added haproxy-1.2.16_config_haproxy_user.patch: + (replaces 0009-openSUSE-Configure-haproxy-user.patch) +- added haproxy-1.5_check_config_before_start.patch: + systemd allows us to run other things before we start the final + daemon. use this to check the configuration before launching. +- added haproxy-makefile_lib.patch + (replaces 0010-openSUSE-Fix-path-to-PCRE-library.patch) +- added sec-options.patch: + allow it more easily to build haproxy with PIE, stackprotector + and relro. all those options are enabled on our build. +- added apparmor profile + usr.sbin.haproxy.apparmor + local.usr.sbin.haproxy.apparmor +- change the conditionals for systemd to use bcond_with to make it + more obvious what we are guarding. 
+ +------------------------------------------------------------------- Old: ---- 0001-MEDIUM-add-systemd-service.patch 0002-MEDIUM-add-haproxy-systemd-wrapper.patch 0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch 0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch 0005-BUILD-stdbool-is-not-portable-again.patch 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch 0009-openSUSE-Configure-haproxy-user.patch 0010-openSUSE-Fix-path-to-PCRE-library.patch 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch 0014-MINOR-systemd-wrapper-improve-logging.patch 0015-MINOR-systemd-wrapper-propagate-exit-status.patch haproxy-1.4.25.tar.gz New: ---- haproxy-1.2.16_config_haproxy_user.patch haproxy-1.5.1.tar.gz haproxy-1.5_check_config_before_start.patch haproxy-makefile_lib.patch local.usr.sbin.haproxy.apparmor sec-options.patch usr.sbin.haproxy.apparmor ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++ --- /var/tmp/diff_new_pack.zG62nH/_old 2014-06-25 15:24:40.000000000 +0200 +++ /var/tmp/diff_new_pack.zG62nH/_new 2014-06-25 15:24:40.000000000 +0200 
@@ -13,59 +13,54 @@ # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ -# +%if 0%{?suse_version} >= 1230 +%bcond_without tcp_fast_open +%else +%bcond_with tcp_fast_open +%endif +%if 0%{?suse_version} >= 1310 +%bcond_without systemd +%else +%bcond_with systemd +%endif + +%if 0%{?suse_version} > 1140 +%bcond_without pcre_jit +%else +%bcond_with pcre_jit +%endif +%bcond_without apparmor Name: haproxy -Version: 1.4.25 +Version: 1.5.1 Release: 0 # # -%if 0%{?suse_version} >= 1230 -BuildRequires: pkgconfig(systemd) -%endif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libgcrypt-devel BuildRequires: pcre-devel +BuildRequires: zlib-devel +BuildRequires: openssl-devel +BuildRequires: pkg-config BuildRequires: udev +%if %{with systemd} +BuildRequires: pkgconfig(systemd) +%endif +BuildRequires: vim %define pkg_name haproxy %define pkg_home /var/lib/%{pkg_name} # Url: http://haproxy.1wt.eu/ -Source: http://haproxy.1wt.eu/download/1.4/src/haproxy-%{version}.tar.gz +Source: http://haproxy.1wt.eu/download/1.5/src/haproxy-%{version}.tar.gz Source1: %{pkg_name}.init Source2: http://haproxy.1wt.eu/download/contrib/haproxy.vim -# PATCH-FEATURE-UPSTREAM -Patch1: 0001-MEDIUM-add-systemd-service.patch -# PATCH-FEATURE-UPSTREAM -Patch2: 0002-MEDIUM-add-haproxy-systemd-wrapper.patch -# PATCH-FIX-UPSTREAM -Patch3: 0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch -# PATCH-FIX-UPSTREAM -Patch4: 0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch -# PATCH-FIX-UPSTREAM -Patch5: 0005-BUILD-stdbool-is-not-portable-again.patch -# PATCH-FIX-UPSTREAM -Patch6: 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch -# PATCH-FIX-UPSTREAM -Patch7: 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch -# PATCH-FIX-UPSTREAM -Patch8: 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch -# PATCH-FIX-OPENSUSE -Patch9: 0009-openSUSE-Configure-haproxy-user.patch -# 
PATCH-FIX-OPENSUSE -Patch10: 0010-openSUSE-Fix-path-to-PCRE-library.patch -# PATCH-FIX-UPSTREAM -Patch11: 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch -# PATCH-FIX-UPSTREAM -Patch12: 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch -# PATCH-FIX-UPSTREAM -Patch13: 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch -# PATCH-FIX-UPSTREAM -Patch14: 0014-MINOR-systemd-wrapper-improve-logging.patch -# PATCH-FIX-UPSTREAM -Patch15: 0015-MINOR-systemd-wrapper-propagate-exit-status.patch - +Source3: usr.sbin.haproxy.apparmor +Source4: local.usr.sbin.haproxy.apparmor +Patch1: haproxy-1.2.16_config_haproxy_user.patch +Patch2: haproxy-makefile_lib.patch +Patch3: sec-options.patch +Patch4: haproxy-1.5_check_config_before_start.patch Source99: haproxy-rpmlintrc # Summary: The Reliable, High Performance TCP/HTTP Load Balancer @@ -73,10 +68,14 @@ Group: Productivity/Networking/Web/Proxy Provides: %{name}-doc = %{version} Obsoletes: %{name}-doc < %{version} - -%if 0%{?suse_version} >= 1230 +Provides: haproxy-1.5 = %{version} +Obsoletes: haproxy-1.5 < %{version} +# this requires is not strictly needed. we only need it for the ownership of the vim data dir +Requires: vim +%if %{with systemd} %{?systemd_requires} %endif +%{!?vim_data_dir:%global vim_data_dir /usr/share/vim/%(readlink /usr/share/vim/current)} %description HAProxy implements an event-driven, mono-process model which enables support 
@@ -91,40 +90,54 @@ %prep %setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 +%patch1 +%patch2 +%patch3 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 %build %{__make} \ TARGET=linux26 \ CPU="%{_target_cpu}" \ USE_PCRE=1 \ + %if %{with pcre_jit} + USE_PCRE_JIT=1 \ + %endif USE_LIBCRYPT=1 \ + USE_OPENSSL=1 \ + USE_ZLIB=1 \ + USE_NETFILTER=1 \ + %ifarch %ix86 + USE_REGPARM=1 \ + %endif + USE_TPROXY=1 \ + USE_LINUX_TPROXY=1 \ + USE_LINUX_SPLICE=1 \ + USE_ACCEPT4=1 \ + USE_CPU_AFFINITY=1 \ + USE_GETADDRINFO=1 \ + USE_GETSOCKNAME=1 \ + USE_PIE=1 \ + USE_STACKPROTECTOR=1 \ + USE_RELRO_NOW=1 \ +%if %{with tcp_fast_open} + USE_TFO=1 \ +%endif LIB="%{_lib}" \ - DEBUG="%{optflags} -fno-strict-aliasing" - -%{__make} PREFIX="%{_prefix}" -C contrib/systemd + PREFIX="%{_prefix}" \ + DEBUG_CFLAGS="%{optflags}" +make -C contrib/systemd PREFIX="%{_prefix}" +make -C contrib/halog PREFIX="%{_prefix}" \ + DEFINE="%{optflags} -pie -fpie -fstack-protector -Wl,-z,relro,-z,now" %install %{__install} -D -m 0755 %{pkg_name} %{buildroot}%{_sbindir}/%{pkg_name} %{__install} -D -m 0644 examples/%{pkg_name}.cfg %{buildroot}%{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg -%if 0%{?suse_version} >= 1230 +%{__install} -D -m 0755 contrib/halog/halog %{buildroot}%{_sbindir}/haproxy-halog +%if %{with systemd} %{__install} -D -m 0755 haproxy-systemd-wrapper %{buildroot}%{_sbindir}/haproxy-systemd-wrapper -%{__install} -D -m 0755 contrib/systemd/%{pkg_name}.service %{buildroot}%{_unitdir}/%{pkg_name}.service +%{__install} -D -m 0644 contrib/systemd/%{pkg_name}.service %{buildroot}%{_unitdir}/%{pkg_name}.service ln -sf /sbin/service %{buildroot}%{_sbindir}/rc%{pkg_name} %else %{__install} -D -m 0755 %{S:1} %{buildroot}%{_sysconfdir}/init.d/%{pkg_name} 
@@ -132,9 +145,14 @@ %endif %{__install} -d -m 0755 %{buildroot}%{pkg_home} -%{__install} -D -m 0644 %{S:2} %{buildroot}%{_datadir}/%{pkg_name}/%{pkg_name}.vim +%{__install} -D -m 0644 %{S:2} %{buildroot}%{vim_data_dir}/syntax/%{pkg_name}.vim %{__install} -D -m 0644 doc/%{pkg_name}.1 %{buildroot}%{_mandir}/man1/%{pkg_name}.1 -gzip %{buildroot}%{_mandir}/man1/%{pkg_name}.1 +%if %{with apparmor} +%{__install} -D -m 0644 %{S:3} %{buildroot}/etc/apparmor.d/usr.sbin.haproxy +%{__install} -D -m 0644 %{S:4} %{buildroot}/etc/apparmor.d/local/usr.sbin.haproxy +%endif + +%{__rm} examples/haproxy.spec %if 0%{?suse_version} < 1230 %clean @@ -144,11 +162,9 @@ %pre /usr/sbin/groupadd -r %{pkg_name} &>/dev/null ||: /usr/sbin/useradd -g %{pkg_name} -s /bin/false -r -c "user for %{pkg_name}" -d %{pkg_home} %{pkg_name} &>/dev/null ||: -%if 0%{?suse_version} >= 1230 - %service_add_pre %{pkg_name}.service -%endif -%if 0%{?suse_version} >= 1230 +%if %{with systemd} +%service_add_pre %{pkg_name}.service %post %service_add_post %{pkg_name}.service @@ -176,12 +192,11 @@ %files %defattr(-,root,root,-) %doc CHANGELOG README LICENSE -%doc ROADMAP TODO doc/* examples +%doc ROADMAP doc/* examples/ +%doc contrib/netsnmp-perl/ contrib/selinux/ %dir %{_sysconfdir}/%{pkg_name} %config(noreplace) %{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg - -%if 0%{?suse_version} >= 1230 - +%if %{with systemd} %{_unitdir}/%{pkg_name}.service %{_sbindir}/haproxy-systemd-wrapper 
@@ -192,9 +207,16 @@ %endif %{_sbindir}/haproxy +%{_sbindir}/haproxy-halog %{_sbindir}/rchaproxy %{pkg_home} -%doc %{_mandir}/man1/%{pkg_name}.1.gz -%{_datadir}/%{pkg_name} +%{_mandir}/man1/%{pkg_name}.1.gz +%{vim_data_dir}/syntax/%{pkg_name}.vim +%if %{with apparmor} +%dir /etc/apparmor.d/ +%dir /etc/apparmor.d/local/ +%config(noreplace) /etc/apparmor.d/usr.sbin.haproxy +%config(noreplace) /etc/apparmor.d/local/usr.sbin.haproxy +%endif %changelog ++++++ haproxy-1.2.16_config_haproxy_user.patch ++++++ Index: examples/examples.cfg =================================================================== --- examples/examples.cfg.orig +++ examples/examples.cfg @@ -3,8 +3,8 @@ # log 127.0.0.1 local1 maxconn 4000 ulimit-n 8000 - uid 0 - gid 0 + user haproxy + group haproxy # chroot /tmp # nbproc 2 # daemon Index: examples/haproxy.cfg =================================================================== --- examples/haproxy.cfg.orig +++ examples/haproxy.cfg @@ -5,9 +5,9 @@ log 127.0.0.1 local1 notice #log loghost local0 info maxconn 4096 - chroot /usr/share/haproxy - uid 99 - gid 99 + chroot /var/lib/haproxy + user haproxy + group haproxy daemon #debug #quiet ++++++ haproxy-1.4.25.tar.gz -> haproxy-1.5.1.tar.gz ++++++ ++++ 111784 lines of diff (skipped) ++++++ haproxy-1.5_check_config_before_start.patch ++++++ diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in index 1a3d2c0..9b3b72a 100644 --- a/contrib/systemd/haproxy.service.in +++ b/contrib/systemd/haproxy.service.in @@ -3,6 +3,7 @@ Description=HAProxy Load Balancer After=network.target [Service] +ExecStartPre=@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid ExecReload=/bin/kill -USR2 $MAINPID Restart=always ++++++ haproxy-makefile_lib.patch ++++++ Index: Makefile =================================================================== --- Makefile.orig +++ Makefile 
@@ -567,7 +567,7 @@ ifneq ($(USE_PCRE)$(USE_STATIC_PCRE)$(US PCREDIR := $(shell pcre-config --prefix 2>/dev/null || echo /usr/local) ifneq ($(PCREDIR),) PCRE_INC := $(PCREDIR)/include -PCRE_LIB := $(PCREDIR)/lib +PCRE_LIB := $(PCREDIR)/$(LIB) endif ifeq ($(USE_STATIC_PCRE),) ++++++ local.usr.sbin.haproxy.apparmor ++++++ # Site-specific additions and overrides for usr.sbin.haproxy.apparmor ++++++ sec-options.patch ++++++ Index: Makefile =================================================================== --- Makefile.orig 2014-06-05 19:23:53.559663353 +0200 +++ Makefile 2014-06-05 19:29:01.679662808 +0200 
@@ -594,6 +594,35 @@ OPTIONS_CFLAGS += -DUSE_TFO BUILD_OPTIONS += $(call ignore_implicit,USE_TFO) endif +# PIE +ifneq ($(USE_PIE),) +OPTIONS_CFLAGS += -DUSE_PIE +BUILD_OPTIONS += $(call ignore_implicit,USE_PIE) +OPTIONS_LDFLAGS += -pie +# still need to figure out how to express this conditional in the makefile +# %ifarch s390 s390x %sparc +# PIEFLAGS="-fPIE" +# %else +# PIEFLAGS="-fpie" +# %endif +# PIE_FLAGS.s390 = -fPIE +# PIE_FLAGS.i386 = -fpie +# SEC_FLAGS += $(PIE_FLAGS.$(ARCH)) +OPTIONS_CFLAGS += -fpie +endif + +ifneq ($(USE_STACKPROTECTOR),) +OPTIONS_CFLAGS += -DUSE_STACKPROTECTOR +BUILD_OPTIONS += $(call ignore_implicit,USE_STACKPROTECTOR) +OPTIONS_CFLAGS += -fstack-protector +endif + +ifneq ($(USE_RELRO_NOW),) +OPTIONS_CFLAGS += -DUSE_RELRO_NOW +BUILD_OPTIONS += $(call ignore_implicit,USE_RELRO_NOW) +OPTIONS_LDFLAGS += -Wl,-z,relro,-z,now +endif + # This one can be changed to look for ebtree files in an external directory EBTREE_DIR := ebtree ++++++ usr.sbin.haproxy.apparmor ++++++ #include <tunables/global> /usr/sbin/haproxy { #include <abstractions/base> #include <abstractions/nameservice> capability net_bind_service, capability setgid, capability setuid, capability kill, capability sys_resource, capability sys_chroot, # those are needed for the stats socket creation capability chown, capability fowner, capability fsetid, network tcp, /etc/haproxy/* r, /var/lib/haproxy/stats rwl, /var/lib/haproxy/stats.*.bak rwl, /var/lib/haproxy/stats.*.tmp rwl, /{,var/}run/haproxy.pid rw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.haproxy> } -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
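
Review bot: in haproxy.spec, hunk "@@ -13,59 +13,54 @@", the new systemd bcond is enabled only for "suse_version >= 1310", while the "BuildRequires: pkgconfig(systemd)" block it replaces was guarded by ">= 1230", so a 12.3 build moves from the systemd unit back to the init script without haproxy.changes saying so. Either keep the threshold at 1230 or state the change in the changelog entry. The "%clean" guard further down still uses the raw "%if 0%{?suse_version} < 1230" form, which is worth aligning while the conditionals are being reworked.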
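
Review bot: in haproxy.spec, hunk "@@ -73,10 +68,14 @@", "vim_data_dir" is resolved at build time through "%(readlink /usr/share/vim/current)", but the runtime dependency is an unversioned "Requires: vim", so the syntax file stays in the directory of whichever vim version the build root had. The same line also pulls a full editor onto every load balancer just to settle directory ownership, as the spec comment itself admits. Consider a version-independent install location for the syntax file, or moving it to a subpackage so the hard Requires can be dropped from the main package.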
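
Review bot: in haproxy.spec, hunk "@@ -91,40 +90,54 @@", the hardening flags for contrib/halog are copied by hand into "DEFINE=" ("-pie -fpie -fstack-protector -Wl,-z,relro,-z,now") instead of coming from the USE_PIE / USE_STACKPROTECTOR / USE_RELRO_NOW switches that sec-options.patch adds, so the two sets can drift apart. Linker options placed in a variable named DEFINE only take effect if the halog Makefile passes DEFINE to the link step, which this diff does not show. A check on the built haproxy and haproxy-halog binaries for PIE and full RELRO would confirm that both really are hardened. The old "DEBUG=" line also carried "-fno-strict-aliasing", which the new "DEBUG_CFLAGS=" line no longer passes; please confirm that is intentional.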
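
Review bot: in haproxy.spec, hunk "@@ -192,9 +207,16 @@", the package claims "%dir /etc/apparmor.d/" and "%dir /etc/apparmor.d/local/" for itself, although the vim directory in the same commit was handled the opposite way, by adding a Requires so that the owning package stays the owner. Pick one approach for both. If haproxy keeps listing the AppArmor directories, they end up owned by two packages whenever the AppArmor profiles package is installed. The scriptlets visible in this diff also do nothing to load the new profile after installation, so it is worth stating in haproxy.changes when the profile becomes active.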
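
Review bot: in haproxy-1.2.16_config_haproxy_user.patch, the examples/examples.cfg hunk replaces "uid 0" / "gid 0" but leaves the commented "# chroot /tmp" line untouched, so an admin who uncomments it gets a world-writable jail, while examples/haproxy.cfg now points at "/var/lib/haproxy". Change the commented line to "# chroot /var/lib/haproxy" so both examples suggest the same, package-owned directory.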
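
Review bot: in haproxy-1.5_check_config_before_start.patch, the configuration check is added only as "ExecStartPre", while "ExecReload=/bin/kill -USR2 $MAINPID" still signals the wrapper without validating anything, so a reload with a broken haproxy.cfg is not caught by this change. Add the same "@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q" call as an additional ExecReload line ahead of the kill; systemd runs the lines in order and stops at the first failure. With "Restart=always" in the unit, it is also worth checking how a failing ExecStartPre behaves across repeated restart attempts.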
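
Review bot: in haproxy-makefile_lib.patch, "PCRE_LIB := $(PCREDIR)/$(LIB)" relies on LIB being passed on the make command line, and the hunk adds no default, so a build without "LIB=" gets "$(PCREDIR)/" as the library path. The spec does pass LIB="%{_lib}", but the patch should stand on its own: add a "LIB ?= lib" default near the top of the Makefile, which also keeps the previous behaviour for anyone building outside the spec.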
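
Review bot: in sec-options.patch, the USE_PIE block hard-codes "OPTIONS_CFLAGS += -fpie" and leaves the s390/s390x/sparc case as commented-out spec syntax ("%ifarch ...") inside a Makefile. Using "-fPIE" unconditionally removes the need for the architecture conditional, since it is the variant without the GOT size limit, and the dead comment block can then go. The "-DUSE_PIE", "-DUSE_STACKPROTECTOR" and "-DUSE_RELRO_NOW" defines are also added to OPTIONS_CFLAGS although nothing in this diff reads them; "BUILD_OPTIONS" already records the switches, so the defines can be dropped. "-fstack-protector" instruments only functions with character buffers, so consider a stronger variant where the compiler offers one.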
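
Review bot: in usr.sbin.haproxy.apparmor, "/etc/haproxy/* r," matches only files directly inside /etc/haproxy, because "*" in AppArmor globs does not cross a "/", so certificates or maps kept in a subdirectory are unreadable under the profile now that the same commit enables USE_OPENSSL=1. Either use "/etc/haproxy/** r," or note in local.usr.sbin.haproxy.apparmor that TLS material outside the top-level directory needs a local rule. The capability list is also fairly wide (chown, fowner, fsetid, kill, sys_resource on top of the privilege-drop set), and only the three stats-socket ones carry a comment; a short justification for "kill" and "sys_resource" would help later reviewers decide whether they can be removed.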
