Hi, HAProxy 2.1.0 was released on 2019/11/25. It added 45 new commits after version 2.1-dev5.
As some might have noticed, the last week was quite calm except the last few days with a few unexpected bugs to deal with. But that's better than having bugs immediately after the release forcing a new version to be emitted, so I'm not complaining :-) For those not following development closely, 2.1 is a stable branch that will be maintained till around Q1 2021, and is mostly aimed at experienced users, just like 1.9 was. The most sensitive changes since 2.0 that may possibly burn you include : - improvements to multi-threading: it's now possible to wake up a tasklet scheduled on another thread. The multi-queue connection listener now exploits these multi-threaded tasklets to further increase its performance and decrease latency (it used to rely on the heavier tasks in 2.0). - fd-cache removal: I/O handlers are now updated directly from the pollers, and I/O completion enable/disable the pollers. It could theorically result in more calls to epoll_ctl() if we missed something but practically speaking we've seen a boost of ~20% of connection rate thanks to this. Any report of regression on a corner case workload is welcome. - legacy HTTP mode removal, HTX is now mandatory. That's it. As planned, only HTX remains implemented, and with the drop of the 18-years old HTTP engine that had become extremely difficult to maintain and adapt to new features, we also got rid of a large number of tricky corner cases and pending bugs. Still we know that HTX remains young but given that it's already required for H2 backends, L7 retries, fastcgi, prometheus and I don't remember what else, it didn't make sense to keep an old mechanism conflicting with existing features and preventing from cleaning them up. By the way, this also implied the removal of the old deprecated "http-tunnel" mode. And for the user-visible stuff, we can enumerate this : - support of FastCGI servers (FastCGI is basically a different encoding of HTTP, it was an obvious next step with HTX always on). For some simple setups, it can simplify deployments by avoiding the need for multiple layers. - merging of same certificates: this will boot much faster on configs with insane amounts of certificates (10k-100k) and will save a lot of memory when multiple bind lines use the same certificate. - support of runtime certificate updates. It's now possible to change existing certs without reloading. Creation is yet another challenge and I understood that there are also some limitations to certain situations where updates are still not possible (though an error message will indicate it). - logging to CLI: it's now possible to log to a ring buffer that can be consulted from the CLI. This can help when logs are exported far away and there's no local storage to keep a recent history. - tracing of H1/H2/FCGI: the 3 HTTP-based protocols received lots of trace points which can dynamically enabled at run time at various verbosity levels and triggers in order to observe what is happening, entering/leaving haproxy. At a low verbosity level this can simply be used as a live request logger from the CLI. - the prometheus-exporter now supports filtering exported metrics by scope. The principle is to avoid dumping everything when only servers or frontends are required for example. - all stats metrics include a human readable description of what the metric is and what it relates to. This is visible using "show info desc" or "show stat typed desc". - new directives to work around bogus web applications which incorrectly expect that some HTTP header fields match a certain case. This feature was backported to 2.0.10 to ease transition to HTX. - some long-obsolete keywords were now removed. These include the reqadd, reqdel, reqrep, etc that were designed in version 1.1 to match a full line from the incoming stream using regexes. They were totally emulated for a while and since 1.9 with HTX it became a total mess as the request had to be reformatted on the fly just for the purpose of matching a regex. Not to mention the mess of these "(^[^\ ]\+)" rules to match a method before a path. The config parser will suggest what to use instead when facing such a rule. - strict-limits: we've all been used to see haproxy warn on startup that it didn't have enough FDs to allocate the required number of connections but startup nevertheless. A number of people got caught in production with this, especially more recently with systemd where warnings do not appear on the console by default anymore. The new "strict-limits" directive makes haproxy refuse to start when conditions are not met. It is not enabled by default but the default will change in 2.3 to be turned on in order to avoid surprises. You have one more year to check your configs :-) - peers can now log! And they can be observed using "show peers". Thus if you experience loss of stick-table synchronization you'll have more ways to observe what is happening. - the gpt0 value stored in stick-tables can now be set from an expression. In short this allows you to store any arbitrary 32-bit value into a stick-table and see it replicated to all peers. This might be exploited to share useful information (thresholds, server counts, etc), or even do very ugly things by using multiple static keys. - the DNS resolvers can now ignore the weights advertised in SRV records. The reason is that some users use the DNS to define the perimeter of the farm and an agent to define the weight. - new sample fetch functions and converters, such as sha2, srv_name, srv_queue, uuid, fc_pp_authority, http_auth_{pass,type,user}. The pattern lookup cache is now thread-local so that there's no more lock contention in setups involving many regex/case insensitive lookups from ACLs or maps. - it's now possible to specify the uid/gid of external programs. - "haproxy -v" will not indicate the support status of the version you're running (development, stable, LTS), an EOL when known (for stable releases), and a link to the bugs page so that it's easier for anyone to figure if the version is up to date and what known bugs affect it. For developers, some internal documentation was added (HTX API and initcalls). As usual it's not as much as I'd like to have but we're making progress on this front. I'd also like to address special thanks the people who help with QA and bug reports, as overall we've improved the quality of our releases. And more specifically I'm thinking about the developers who still feel quite concerned by any bug in their code and who jump on reports. I'm thinking about Lukas Tribus who's helping everyone on the Discourse forum, helping with GitHub issues and running tests, and who very likely is the person on this planet who knows haproxy the best by know for having dealt with several thousands reports. I'm thinking about Ilya Shipitsin who maintains the Travis and Cirrus CI and sorts out Coverity reports. Even if we still have a number of false positives on this last one, at least these ones remain at a manageable level and managed to find real bugs, so I consider that the overall balance is positive. And this will force us to improve our comments in the code so that false positives are not turned into issues. And I'd also like to thank Tim Düsterhus who is co-maintaining the issue tracker with Lukas. For now bug reports remain quite manageable and constitute a significant improvement over the previous situation, helping us save time and head scratching. We have the usual very active participants on the list responding a lot to those asking for help, with Aleksandar, Jarno and Patrick being the most active ones. And of course, a big thanks to all the testers and users taking the time to report issues, collect traces, and to test the proposed fixes, as most of the time the bugs can only be reproduced in the reporter's environment. This help is invaluable and must continue. All of this pays off : we started to run development versions in production on haproxy.org since 2.0-dev without ever meeting any single issue. The server is currently running 2.1-dev5 and will be updated to 2.1.0. This is not something we could reasonably do in the past so we're making progress. Enough talking. I've pushed everything to the public places and created 2.2-dev0. I think that this time I got everything right for the release (and I took notes). Please do not hesitate to report broken links or anything that does not work. Please find the usual URLs below : Site index : http://www.haproxy.org/ Discourse : http://discourse.haproxy.org/ Slack channel : https://slack.haproxy.org/ Issue tracker : https://github.com/haproxy/haproxy/issues Sources : http://www.haproxy.org/download/2.1/src/ Git repository : http://git.haproxy.org/git/haproxy-2.1.git/ Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git Changelog : http://www.haproxy.org/download/2.1/src/CHANGELOG Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/ Willy --- Complete changelog since 2.1-dev5: Christopher Faulet (9): BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is reported MINOR: contrib/prometheus-exporter: filter exported metrics by scope MINOR: contrib/prometheus-exporter: Add a param to ignore servers in maintenance BUILD: debug: Avoid warnings in dev mode with -02 because of some BUG_ON tests BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path BUG/MINOR: http-ana: Properly catch aborts during the payload forwarding DOC: Update http-buffer-request description to remove the part about chunks BUG/MINOR: stream-int: Fix si_cs_recv() return value DOC: Add documentation about the use-service action Daniel Corbett (1): MEDIUM: dns: Add resolve-opts "ignore-weight" Emmanuel Hocdet (2): BUG/MINOR: ssl: ssl_pkey_info_index ex_data can store a dereferenced pointer BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1 Eric Salama (1): BUILD/MINOR: ssl: fix compiler warning about useless statement Frédéric Lécaille (5): MINOR: peers: Alway show the table info for disconnected peers. MINOR: peers: Add TX/RX heartbeat counters. MINOR: peers: Add debugging information to "show peers". BUG/MINOR: peers: Wrong null "server_name" data field handling. BUG/MINOR: peers: "peer alive" flag not reset when deconnecting. Lukas Tribus (1): BUG/MINOR: ssl: fix curve setup with LibreSSL Tim Duesterhus (1): BUG/MINOR: ssl: Stop passing dynamic strings as format arguments William Dauchy (4): BUG/MINOR: init: fix set-dumpable when using uid/gid MINOR: init: avoid code duplication while setting identify MINOR: ssl: fix possible null dereference in error handling CLEANUP: ssl: check if a transaction exists once before setting it William Lallemand (6): MINOR: ssl/cli: 'abort ssl cert' deletes an on-going transaction BUG/MEDIUM: mworker: don't fill the -sf argument with -1 during the reexec MINOR: ssl: ssl_sock_prepare_ctx() return an error code MEDIUM: ssl/cli: apply SSL configuration on SSL_CTX during commit MINOR: ssl/cli: display warning during 'commit ssl cert' BUG/MINOR: cli: fix out of bounds in -S parser Willy Tarreau (15): DOC: internal: document the init calls MINOR: version: report the version status in "haproxy -v" MINOR: version: emit the link to the known bugs in output of "haproxy -v" MINOR: ist: add ist_find_ctl() BUG/MAJOR: h2: reject header values containing invalid chars BUG/MAJOR: h2: make header field name filtering stronger BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle state MINOR: h2: add a function to report H2 error codes as strings MINOR: mux-h2/trace: report the connection and/or stream error code SCRIPTS: create-release: show the correct origin name in suggested commands SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands BUG/MEDIUM: trace: fix a typo causing an incorrect startup error BUILD: reorder the objects in the makefile DOC: mention in INSTALL haproxy 2.1 is a stable stable version MINOR: version: indicate that this version is stable ---