Hi,

HAProxy 2.1.0 was released on 2019/11/25. It added 45 new commits
after version 2.1-dev5.

As some might have noticed, the last week was quite calm except the last
few days with a few unexpected bugs to deal with. But that's better than
having bugs immediately after the release forcing a new version to be
emitted, so I'm not complaining :-)

For those not following development closely, 2.1 is a stable branch that
will be maintained till around Q1 2021, and is mostly aimed at experienced
users, just like 1.9 was.

The most sensitive changes since 2.0 that may possibly burn you include :
  - improvements to multi-threading: it's now possible to wake up a
    tasklet scheduled on another thread. The multi-queue connection
    listener now exploits these multi-threaded tasklets to further
    increase its performance and decrease latency (it used to rely on
    the heavier tasks in 2.0).

  - fd-cache removal: I/O handlers are now updated directly from the
    pollers, and I/O completion enable/disable the pollers. It could
    theoretically result in more calls to epoll_ctl() if we missed
    something but practically speaking we've seen a boost of ~20% of
    connection rate thanks to this. Any report of regression on a
    corner case workload is welcome.

  - legacy HTTP mode removal, HTX is now mandatory. That's it. As
    planned, only HTX remains implemented, and with the drop of the
    18-year-old HTTP engine that had become extremely difficult to
    maintain and adapt to new features, we also got rid of a large
    number of tricky corner cases and pending bugs. Still we know
    that HTX remains young but given that it's already required for
    H2 backends, L7 retries, fastcgi, prometheus and I don't remember
    what else, it didn't make sense to keep an old mechanism conflicting
    with existing features and preventing from cleaning them up. By the
    way, this also implied the removal of the old deprecated "http-tunnel"
    mode.

And for the user-visible stuff, we can enumerate this :
  - support of FastCGI servers (FastCGI is basically a different encoding
    of HTTP, it was an obvious next step with HTX always on). For some
    simple setups, it can simplify deployments by avoiding the need for
    multiple layers.

  - merging of same certificates: this will boot much faster on configs
    with insane amounts of certificates (10k-100k) and will save a lot of
    memory when multiple bind lines use the same certificate.

  - support of runtime certificate updates. It's now possible to change
    existing certs without reloading. Creation is yet another challenge
    and I understood that there are also some limitations to certain
    situations where updates are still not possible (though an error
    message will indicate it).

  - logging to CLI: it's now possible to log to a ring buffer that can
    be consulted from the CLI. This can help when logs are exported far
    away and there's no local storage to keep a recent history.

  - tracing of H1/H2/FCGI: the 3 HTTP-based protocols received lots of
    trace points which can be dynamically enabled at run time at various
    verbosity levels and triggers in order to observe what is happening,
    entering/leaving haproxy. At a low verbosity level this can simply
    be used as a live request logger from the CLI.

  - the prometheus-exporter now supports filtering exported metrics by
    scope. The principle is to avoid dumping everything when only servers
    or frontends are required for example.

  - all stats metrics include a human readable description of what the
    metric is and what it relates to. This is visible using "show info desc"
    or "show stat typed desc".

  - new directives to work around bogus web applications which incorrectly
    expect that some HTTP header fields match a certain case. This feature
    was backported to 2.0.10 to ease transition to HTX.

  - some long-obsolete keywords were now removed. These include the reqadd,
    reqdel, reqrep, etc that were designed in version 1.1 to match a full
    line from the incoming stream using regexes. They were totally emulated
    for a while and since 1.9 with HTX it became a total mess as the request
    had to be reformatted on the fly just for the purpose of matching a regex.
    Not to mention the mess of these "(^[^\ ]\+)" rules to match a method
    before a path. The config parser will suggest what to use instead when
    facing such a rule.

  - strict-limits: we've all been used to seeing haproxy warn on startup that
    it didn't have enough FDs to allocate the required number of connections
    but start up nevertheless. A number of people got caught in production
    with this, especially more recently with systemd where warnings do not
    appear on the console by default anymore. The new "strict-limits"
    directive makes haproxy refuse to start when conditions are not met. It
    is not enabled by default but the default will change in 2.3 to be turned
    on in order to avoid surprises. You have one more year to check your
    configs :-)

  - peers can now log! And they can be observed using "show peers". Thus
    if you experience loss of stick-table synchronization you'll have more
    ways to observe what is happening.

  - the gpt0 value stored in stick-tables can now be set from an expression.
    In short this allows you to store any arbitrary 32-bit value into a
    stick-table and see it replicated to all peers. This might be exploited
    to share useful information (thresholds, server counts, etc), or even
    do very ugly things by using multiple static keys.

  - the DNS resolvers can now ignore the weights advertised in SRV records.
    The reason is that some users use the DNS to define the perimeter of the
    farm and an agent to define the weight.

  - new sample fetch functions and converters, such as sha2, srv_name,
    srv_queue, uuid, fc_pp_authority, http_auth_{pass,type,user}. The pattern
    lookup cache is now thread-local so that there's no more lock contention
    in setups involving many regex/case insensitive lookups from ACLs or maps.

  - it's now possible to specify the uid/gid of external programs.

  - "haproxy -v" will now indicate the support status of the version you're
    running (development, stable, LTS), an EOL when known (for stable
    releases), and a link to the bugs page so that it's easier for anyone
    to figure if the version is up to date and what known bugs affect it.

For developers, some internal documentation was added (HTX API and initcalls).
As usual it's not as much as I'd like to have but we're making progress on
this front.

I'd also like to address special thanks to the people who help with QA and
bug reports, as overall we've improved the quality of our releases. And
more specifically I'm thinking about the developers who still feel quite
concerned by any bug in their code and who jump on reports. I'm thinking
about Lukas Tribus who's helping everyone on the Discourse forum, helping
with GitHub issues and running tests, and who very likely is the person
on this planet who knows haproxy the best by now for having dealt with
several thousand reports. I'm thinking about Ilya Shipitsin who maintains
the Travis and Cirrus CI and sorts out Coverity reports. Even if we still
have a number of false positives on this last one, at least these ones
remain at a manageable level and managed to find real bugs, so I consider
that the overall balance is positive. And this will force us to improve
our comments in the code so that false positives are not turned into
issues. And I'd also like to thank Tim Düsterhus who is co-maintaining
the issue tracker with Lukas. For now bug reports remain quite manageable
and constitute a significant improvement over the previous situation,
helping us save time and head scratching. We have the usual very active
participants on the list responding a lot to those asking for help, with
Aleksandar, Jarno and Patrick being the most active ones. And of course,
a big thanks to all the testers and users taking the time to report issues,
collect traces, and to test the proposed fixes, as most of the time the
bugs can only be reproduced in the reporter's environment. This help is
invaluable and must continue. All of this pays off : we started to run
development versions in production on haproxy.org since 2.0-dev without
ever meeting any single issue. The server is currently running 2.1-dev5
and will be updated to 2.1.0. This is not something we could reasonably
do in the past so we're making progress.

Enough talking. I've pushed everything to the public places and created
2.2-dev0. I think that this time I got everything right for the release
(and I took notes). Please do not hesitate to report broken links or
anything that does not work.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.1/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
   Changelog        : http://www.haproxy.org/download/2.1/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog since 2.1-dev5:
Christopher Faulet (9):
      BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is reported
      MINOR: contrib/prometheus-exporter: filter exported metrics by scope
      MINOR: contrib/prometheus-exporter: Add a param to ignore servers in maintenance
      BUILD: debug: Avoid warnings in dev mode with -02 because of some BUG_ON tests
      BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path
      BUG/MINOR: http-ana: Properly catch aborts during the payload forwarding
      DOC: Update http-buffer-request description to remove the part about chunks
      BUG/MINOR: stream-int: Fix si_cs_recv() return value
      DOC: Add documentation about the use-service action

Daniel Corbett (1):
      MEDIUM: dns: Add resolve-opts "ignore-weight"

Emmanuel Hocdet (2):
      BUG/MINOR: ssl: ssl_pkey_info_index ex_data can store a dereferenced pointer
      BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1

Eric Salama (1):
      BUILD/MINOR: ssl: fix compiler warning about useless statement

Frédéric Lécaille (5):
      MINOR: peers: Alway show the table info for disconnected peers.
      MINOR: peers: Add TX/RX heartbeat counters.
      MINOR: peers: Add debugging information to "show peers".
      BUG/MINOR: peers: Wrong null "server_name" data field handling.
      BUG/MINOR: peers: "peer alive" flag not reset when deconnecting.

Lukas Tribus (1):
      BUG/MINOR: ssl: fix curve setup with LibreSSL

Tim Duesterhus (1):
      BUG/MINOR: ssl: Stop passing dynamic strings as format arguments

William Dauchy (4):
      BUG/MINOR: init: fix set-dumpable when using uid/gid
      MINOR: init: avoid code duplication while setting identify
      MINOR: ssl: fix possible null dereference in error handling
      CLEANUP: ssl: check if a transaction exists once before setting it

William Lallemand (6):
      MINOR: ssl/cli: 'abort ssl cert' deletes an on-going transaction
      BUG/MEDIUM: mworker: don't fill the -sf argument with -1 during the reexec
      MINOR: ssl: ssl_sock_prepare_ctx() return an error code
      MEDIUM: ssl/cli: apply SSL configuration on SSL_CTX during commit
      MINOR: ssl/cli: display warning during 'commit ssl cert'
      BUG/MINOR: cli: fix out of bounds in -S parser

Willy Tarreau (15):
      DOC: internal: document the init calls
      MINOR: version: report the version status in "haproxy -v"
      MINOR: version: emit the link to the known bugs in output of "haproxy -v"
      MINOR: ist: add ist_find_ctl()
      BUG/MAJOR: h2: reject header values containing invalid chars
      BUG/MAJOR: h2: make header field name filtering stronger
      BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle state
      MINOR: h2: add a function to report H2 error codes as strings
      MINOR: mux-h2/trace: report the connection and/or stream error code
      SCRIPTS: create-release: show the correct origin name in suggested commands
      SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands
      BUG/MEDIUM: trace: fix a typo causing an incorrect startup error
      BUILD: reorder the objects in the makefile
      DOC: mention in INSTALL haproxy 2.1 is a stable stable version
      MINOR: version: indicate that this version is stable
