Hi.

On 27.09.19 at 16:29, Christopher Faulet wrote:
> Hi,
>
> HAProxy 2.0.7 was released on 2019/09/27. It added 20 new commits
> after version 2.0.6.

Image is updated.

https://hub.docker.com/r/me2digital/haproxy20-centos

```
HA-Proxy version 2.0.7 2019/09/27 - https://haproxy.org/
Build options :
  TARGET = linux-glibc
  CPU = generic
  CC = gcc
  CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
  OPTIONS = USE_PCRE=1 USE_PCRE_JIT=1 USE_PTHREAD_PSHARED=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE +PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD +PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 -ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
  epoll : pref=300, test result OK
  poll : pref=200, test result OK
  select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
  h2 : mode=HTX side=FE|BE mux=H2
  h2 : mode=HTTP side=FE mux=H2
  <default> : mode=HTX side=FE|BE mux=H1
  <default> : mode=TCP|HTTP side=FE|BE mux=PASS

Available services :
  prometheus-exporter

Available filters :
  [SPOE] spoe
  [COMP] compression
  [CACHE] cache
  [TRACE] trace
```

> This release fixes several issues in the H2 multiplexer, among which 2 major
> bugs about the way received frames are handled on the error path. The first
> one comes from the first age of the H2 multiplexer. During frames
> demultiplexing, when an error is reported on a stream, payload of the current
> frame must be drained to allow parsing of the following frames. This part was
> buggy. All the announced frame length was systematically drained and not only
> the available part of it. For frames partially received, too much data was
> drained from the demux buffer, leaving it in a buggy state and thus
> corrupting the memory on the next receives. This old bug is certainly
> responsible for many hardly reproducible and unresolved issues and also
> crashes. The second major bug is about a desync of the HPACK decoder. HEADERS
> frames received for an unknown or already closed stream were simply ignored.
> As stated in RFC7540#5.1, those frames must be skipped. But because they
> carry a compression state they must still be processed before being dropped
> to keep the HPACK decoder synchronized. Because those HEADERS frames were not
> decoded, the HPACK decoder was able to be out of sync. It is a major bug
> because it led to a mix-up of headers for the following streams.
>
> A regression on the checks was fixed. In the 2.0.6, when default checks were
> enabled (not "option *-check"), some failures on connect were erroneously
> reported, making checks fail. What was valid for the 2.1 proved wrong for the
> 2.0 because of the FD cache, still here in 2.0 and earlier. Other checks are
> not concerned. And an issue about the thread-safety of external checks was
> also fixed.
>
> A bug in the SPOE was fixed by Kevin Zhu. The same engine-id was used when
> nbproc was more than 1. So, in async mode, an agent receiving a NOTIFY frame
> from a process was able to send the ACK to another process. So thanks to
> Kevin, now a different engine-id is generated for each process. In addition,
> a similar change was made when several threads are started, making the SPOE
> async mode compatible with multithreaded configuration.
>
> Krisztián Kovács fixed 2 issues about the namespaces. First, he fixed a FD
> leak in master-worker mode. The FDs opened during namespaces configuration
> parsing were not closed when the master process was re-executing itself,
> effectively leaking the fds and preventing destruction of namespaces no
> longer present in the configuration. Then, he fixed a bug during the soft
> shutdown, introducing a cleanup function that closes all namespace file
> descriptors by iterating over the namespace ebtree.
>
> Finally, the usual bunch of bug fixes here and there. The CLI command "show
> table" was fixed to properly handle the data type argument. The implicit h2
> upgrade from an h1 connection is now really performed on the first request
> only. The H2 multiplexer was slightly improved, avoiding the wake up of
> streams before the mux is ready. In the Prometheus exporter, average times
> (QTIME, CTIME, RTIME and TTIME) are now returned in seconds using a float
> representation instead of in milliseconds, making those metrics consistent
> with their announced type.
>
> As usual, all users of the 2.0 are encouraged to upgrade. But if you are
> using HTTP/2, you must upgrade as soon as possible.
>
> ---
> Complete changelog :

[snip]
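
The partial-frame drain problem described in the quoted announcement, as an added example that is not part of the original mail and is not HAProxy's code: it contrasts dropping the whole announced frame length with dropping only the bytes that have arrived. `struct demux`, `feed`, `drain_announced` and `drain_available` are hypothetical names, and the frame sizes are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical demux state for illustration; not HAProxy's structures. */
struct demux {
    unsigned char buf[64]; /* receive buffer */
    size_t data;           /* bytes currently held in buf */
    size_t dfl;            /* payload bytes of the current frame left to skip */
};

/* Append newly received bytes; returns 0 on success, -1 if they do not fit. */
int feed(struct demux *d, const unsigned char *p, size_t n)
{
    if (n > sizeof(d->buf) - d->data)
        return -1;
    memcpy(d->buf + d->data, p, n);
    d->data += n;
    return 0;
}

/* Pre-fix accounting as the announcement describes it: the whole announced
 * length is dropped even when only part of it was received. Only the
 * counter is updated here, so the example shows the bad state without
 * touching memory out of bounds. Returns the resulting byte count. */
size_t drain_announced(struct demux *d)
{
    d->data -= d->dfl; /* wraps around when dfl > data */
    d->dfl = 0;
    return d->data;
}

/* Corrected accounting: drop only what is available and remember how much
 * of the frame is still to be skipped on the next receive. */
size_t drain_available(struct demux *d)
{
    size_t n = d->dfl < d->data ? d->dfl : d->data;
    memmove(d->buf, d->buf + n, d->data - n);
    d->data -= n;
    d->dfl -= n;
    return n;
}

int main(void)
{
    struct demux d = { {0}, 0, 20 }; /* constructed: 20-byte payload announced */
    unsigned char part[8] = {0};     /* constructed: only 8 bytes arrived */
    feed(&d, part, sizeof(part));
    return drain_available(&d) == 8 && d.dfl == 12 ? 0 : 1;
}
```

With the corrected accounting, the remaining 12 bytes are skipped when they arrive and the next frame header ends up at the head of the buffer.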