Hi, HAProxy 2.8-dev10 was released on 2023/05/07. It added 77 new commits after version 2.8-dev9.
It took me a while to release this one because I was concerned by a persistent nonsensical warning reported in the CI under fedora+gcc-13 (https://github.com/haproxy/haproxy/actions/runs/4792247381/jobs/8523545589) and I wanted to tackle it before tagging. In the end I should have built it from sources instead of trying to find it packaged in a distro I had running on a machine, because that didn't save me any time at all! Anyway, the conclusion is that the test in the CI was run with a very early development gcc version (13.0.1), but the released version (13.1) doesn't emit this warning anymore, so most likely the next batch of updates to the fedora image in the CI will get rid of it.

The bug that we observed a few times on haproxy.org, which was causing some sessions not to expire or some transfers to add a long pause at the end, was finally explained and fixed. Christopher found that one part of it, the one that was disabling expirations, was caused by an insufficient update in the H2 mux related to the recent internal API updates. The second part, causing some pauses at the end of transfers, was caused by the fact that a filter (here the compression filter) can consume data without waking up the producing side that might be waiting for more room. This is a direct consequence of the cleaner internal API where components no longer step on each others' toes: it can reveal some long-buried design mistakes. Instead of deploying a new unmaintainable hack it was decided to get ahead on some of the initially planned changes that we had considered as optimisations and not strictly required ones, but the result is much cleaner (in detail, now when a producer cannot write data into a channel, it indicates how much room it needs before trying again). This has simplified the code and revealed a few other fragile areas that were potentially at risk of contributing to a bug in the future, and that were addressed as well.
Aurélien finished writing his example Lua-based reimplementation of the mailers mechanism (examples/lua/mailers.lua). This made it possible to assess what was still missing in the event handlers API and in the Lua bindings to do that. A new "Queue" class was added and a few new bindings were added to "Proxy" and "Server". The result is a fully customizable alternative to the mailers, which relies on the existing mailers section and just disables the existing mailers code. Given the long-standing complaints that mailers were not very customizable, and the architectural and functional limitations caused by the fact that they were only scripted tcp checks under the hood, the new solution should satisfy anyone who needs to pass extra information, perform complementary checks, format the output differently, send to multiple addresses, etc. For this, one only needs to load the mailers.lua file using a regular "lua-load" call. On this specific point, I think it would be reasonable to deprecate the current mailers code for 2.9 and 3.0 and to completely remove it in 3.1. This may require that we decide how such Lua extensions should be packaged by default to ease the users' life. We could even go as far as thinking about automatically loading some of them from a well-defined location (e.g. loading mailers.lua when no other one is specified). There's no emergency on this, but I would like the various existing users to start thinking about it.

I addressed the thread dump single-buffer limitation that was affecting both "show thread" and the panic code. Interestingly, changing the way threads are dumped to permit them to be dumped one at a time made it possible to get rid of the previous complicated mechanism, which had only seen incremental improvements over something that was no longer fit for purpose. The new approach is much simpler, more reliable and will even use less CPU since it does not require all threads to gather at the same time anymore.
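The Lua mailers setup mentioned above, as an added configuration example that is not part of the original announcement: the script is loaded with a regular "lua-load" line in the global section, and the proxy keeps its usual "mailers" section and "email-alert" directives, which the script reads in place of the built-in tcpcheck-based mailers. The installed path of mailers.lua, the server addresses and the mail addresses are constructed placeholders.

```haproxy
global
    # Load the Lua reimplementation shipped as examples/lua/mailers.lua in the
    # source tree. The installed path is an assumption; adjust it to where the
    # file is deployed.
    lua-load /etc/haproxy/mailers.lua

# The mailers section is declared exactly as before. Once mailers.lua is loaded,
# the script takes over the sending and the built-in mailers code is disabled.
mailers mymailers
    mailer smtp1 192.0.2.10:587
    mailer smtp2 192.0.2.11:587
    timeout mail 20s

backend app
    # Addresses and hostname below are constructed placeholders.
    email-alert mailers mymailers
    email-alert from haproxy@example.invalid
    email-alert to ops@example.invalid
    email-alert level notice
    email-alert myhostname lb1
    server s1 192.0.2.20:8080 check
```

As the announcement suggests for any config change between 2.7 and 2.8, validate the file with "haproxy -c -f /etc/haproxy/haproxy.cfg" before reloading and confirm no new warning appears; if the Lua file cannot be found, the check fails at the "lua-load" line rather than at runtime.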
Something like 200-300 lines of complex synchronization code were removed by improving this ;-) Likewise, "show activity" is now interruptible and can dump its contents into multiple buffers, so it won't return truncated outputs anymore when dealing with more than a few tens of threads. Finally the cpu-map parser limitation that prevented it from supporting commas was lifted. In the end it was trivial, all the code was there, there was just a flag to remove!

Tim's fix for the "TotalSplicedBytesOut" name in "show info" was merged. If your monitoring or stats rely on the previously incorrect name "TotalSplicdedBytesOut" you may possibly see a change (though that's extremely unlikely).

Amaury reworked the "show quic" command so that it works more like a "netstat" for QUIC by default and dumps one formatted entry per line. It now takes an argument to show the full dump. A few minor updates to the QUIC error handling and reporting were also merged.

William implemented new options to allow HAProxy and a TLS client to choose which server signature algorithm they can negotiate during the handshake. I'm not skilled enough in SSL to know exactly what it provides but it was apparently necessary in the case described in this issue: https://github.com/haproxy/haproxy/issues/2081

A fix for CRL checks under wolfSSL was merged as well, because some tests were failing due to wolfSSL enabling CRL checks by default even when there is no CRL. On this point, we've made great progress with the wolfSSL team, with whom haproxy's SSL developers are in regular contact, and who is very engaged in providing full coverage with their stack. We're now at a point where there remain a few minor glitches and differences with OpenSSL, which are mostly identified and should all be addressed in forthcoming versions of the lib, but overall I'm confident that by the time 2.8 is released, wolfSSL will be usable as a default lib for the vast majority of users.
This would mean QUIC for the masses, and a much lower locking overhead than OpenSSL 3, which is shipped with recent distros and is roughly 5-10 times slower on server usage, and just not usable at all as a client. We'll try to establish a list of differences and limitations before the release, but maybe this will give the future LTS distros an option to finally enable QUIC for a few core components, while keeping openssl for what it's good at: generating certificates on the command line. Time will tell.

And the rest is minor cleanups and fixes as usual.

I consider that this version is free of known issues. If you have not yet started to test it, please give it a try. I would hate to get reports of "this stopped working between 2.7 and 2.8" after the release. At the very least use it to check your configs (with -c) and confirm you're not seeing new warnings that you disagree with.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Abhijeet Rastogi (1):
      REGTESTS: add success test, "set server" via fqdn

Amaury Denoyelle (8):
      BUG/MINOR: mux-quic: prevent quic_conn error code to be overwritten
      MINOR: mux-quic: add trace event for local error
      MINOR: mux-quic: wake up after recv only if avail data
      MINOR: mux-quic: adjust local error API
      MINOR: mux-quic: report local error on stream endpoint asap
      MINOR: mux-quic: close connection asap on local error
      MINOR: quic: add format argument for "show quic"
      MINOR: quic: implement oneline format for "show quic"

Aurelien DARRAGON (30):
      BUG/MINOR: time: fix NS_TO_TV macro
      MINOR: hlua_fcn: fix Server.is_draining() return type
      MINOR: hlua_fcn: add Server.is_backup()
      MINOR: hlua_fcn: add Server.is_dynamic()
      MINOR: hlua_fcn: add Server.tracking()
      MINOR: hlua_fcn: add Server.get_trackers()
      MINOR: hlua_fcn: add Server.get_proxy()
      MINOR: hlua_fcn: add Server.get_pend_conn() and Server.get_cur_sess()
      MINOR: hlua_fcn: add Proxy.get_srv_act() and Proxy.get_srv_bck()
      DOC: lua/event: add ServerEvent class header
      MINOR: server/event_hdl: publish macro helper
      MINOR: server/event_hdl: add SERVER_STATE event
      OPTIM: server: publish UP/DOWN events from STATE change
      MINOR: hlua: expose SERVER_STATE event
      MINOR: server/event_hdl: add SERVER_ADMIN event
      MINOR: hlua: expose SERVER_ADMIN event
      MINOR: checks/event_hdl: SERVER_CHECK event
      MINOR: hlua/event_hdl: expose SERVER_CHECK event
      MINOR: mailers/hlua: disable email sending from lua
      MINOR: hlua: expose proxy mailers
      EXAMPLES: add lua mailers script to replace tcpcheck mailers
      BUG/MINOR: hlua: spinning loop in hlua_socket_handler()
      MINOR: server: fix message report when IDRAIN is set and MAINT is cleared
      CLEANUP: hlua: hlua_register_task() may longjmp
      REGTESTS: use lua mailer script for mailers tests
      MINOR: hlua: declare hlua_{ref,pushref,unref} functions
      MINOR: hlua: declare hlua_gethlua() function
      MINOR: hlua: declare hlua_yieldk() function
      MINOR: hlua_fcn: add Queue class
      EXAMPLES: mailqueue for lua mailers script

Christopher Faulet (11):
      BUG/MEDIUM: mux-h2: Properly handle end of request to expect data from server
      BUG/MINOR: mux-h2: Also expect data when waiting for a tunnel establishment
      MINOR: cli: Use applet API to write output message
      MINOR: stats: Use the applet API to write data
      MINOR: peers: Use the applet API to send message
      MINOR: stconn: Add a field to specify the room needed by the SC to progress
      MEDIUM: tree-wide: Change sc API to specify required free space to progress
      BUG/MEDIUM: stconn: Unblock SC from stream if there is enough room to progrees
      MEDIUM: applet: Check room needed to unblock opposite SC when data was consumed
      MEDIUM: stconn: Check room needed to unblock SC on fast-forward
      MEDIUM: stconn: Check room needed to unblock opposite SC when data was sent

Tim Duesterhus (1):
      BUG/MINOR: stats: fix typo in `TotalSplicedBytesOut` field name

William Lallemand (5):
      MINOR: ssl: disable CRL checks with WolfSSL when no CRL file
      BUG/MINOR: ssl/sample: x509_v_err_str converter output when not found
      REGTESTS: ssl: simplify X509_V code check in ssl_client_auth.vtc
      MINOR: ssl: allow to change the server signature algorithm
      MINOR: ssl: allow to change the signature algorithm for client authentication

Willy Tarreau (21):
      BUG/MINOR: stream/cli: fix stream age calculation in "show sess"
      MINOR: debug: clarify "debug dev stream" help message
      DEBUG: cli: add "debug dev task" to show/wake/expire/kill tasks and tasklets
      BUILD: cli: fix build on Windows due to isalnum() implemented as a macro
      MINOR: activity: use a single macro to iterate over all fields
      MINOR: activity: show the line header inside the SHOW_VAL macro
      MINOR: activity: iterate over all fields in a main loop for dumping
      MINOR: activity: allow "show activity" to restart dumping on any line
      MINOR: activity: allow "show activity" to restart in the middle of a line
      DEV: haring: automatically disable DEBUG_STRICT
      DEV: haring: update readme to suggest using the same build options for haring
      BUG/MINOR: debug: fix incorrect profiling status reporting in show threads
      MINOR: debug: permit the "debug dev loop" to run under isolation
      BUG/MINOR: debug: do not emit empty lines in thread dumps
      MEDIUM: debug: simplify the thread dump mechanism
      MINOR: debug: write panic dump to stderr one thread at a time
      MINOR: debug: make "show threads" properly iterate over all threads
      CLEANUP: debug: remove the now unused ha_thread_dump_all_to_trash()
      MINOR: config: allow cpu-map to take commas in lists of ranges
      CLEANUP: fix a few reported typos in code comments
      DOC: fix a few reported typos in the config and install doc

---

