Hi,

HAProxy 2.4-dev8 was released on 2021/02/13. It added 105 new commits
after version 2.4-dev7.

Quite a lot of new and interesting stuff got merged lately, and given
all the recent activity in various areas and some late merging conflicts
I expect that we'll still have some busy time smoothing every corner :-)

Here are the latest main changes since 2.4-dev7:

  - dns: the DNS code was split into two parts, DNS itself (the protocol
    support) and the resolvers (used by servers and do-resolve). The DNS
    was extended to support TCP to speak with the servers. For the moment
    TCP servers are declared using the "server" keyword but I'd rather
    use the same "nameserver" and only play with the address than reuse
    "server" with all the unrelated keywords, since it's not doing anything
    related to the way we're using it in proxies. But this is a detail. A
    number of settings are still not configurable (communication timeouts,
    the 4 pipelined requests, etc). The goal was to perform all the
    difficult changes to the core code, the rest is mostly cosmetic ;

  - idle connections: while until now a number of outgoing connection
    parameters would automatically mark a connection private (proxy-proto,
    SNI, transparent mode, etc), now these parameters are saved with the
    connection and compared when trying to reuse a connection. This means
    for example that those using "sni req.hdr(host)" on their servers will
    finally be able to benefit from http-reuse. All tests pass successfully
    but we know by experience that this code area is very sensitive, which
    is also why I wanted it to get merged early. One of the new regtests
    triggers an issue with libressl, though we don't know yet if this is
    related to the new code or anything else. Some internal cleanups are
    still left to be done, such as dynamically allocating the structure
    holding that data so that it doesn't take RAM in front connections.
    But that's a detail compared to the rest of the change.

  - the work to make server settings more dynamic continues, and on the
    CLI it's now possible to change a server's check and agent's addresses
    and ports at run time.

  - the server-state parser was extended to start to take a v2 into
    account instead of risking to break compatibility between haproxy
    2.3 and 2.4. But this also means that now we'll have to put down all
    the stuff we need to store there to avoid introducing a v3 in 2.5.

  - the prometheus exporter now exports some stick-tables stats, and
    continues its diet cure by sharing some fields description with the
    core stats.

  - the "defer-accept" bind keyword is now supported on FreeBSD via the
    accept filters.

  - a new "baseq" sample fetch function, similar to "pathq" but which
    concatenates the host name with the path, was added to be used in
    redirects or for statistics.

  - named defaults section: the optional name that can be placed on a
    "defaults" section may now be reused by other sections to indicate
    which one to load defaults from instead of the last one. The other
    sections must use "from ..." on the section's declaration line to
    do this. Note that even defaults sections support restarting from
    another one. This can be handy to centralize log-format, log servers
    and default timeouts for example. The other long-requested use case
    is to declare one common defaults section for TCP and another one
    for HTTP and derive everything from there.

  - very basic preprocessor-like .if/.elif/.else/.endif to ignore some
    config blocks. I've been wanting this for quite some time, and the
    expectation grew further with regtests and threads. So the goal is
    to be able to choose one config block or another based on a condition
    that is evaluated at boot time by the config parser. For now this
    is very limited, only the core logic is in place and it only supports
    the integer value of some text (or environment variables). What I'd
    like to do is to add a number of functions such as "defined(var)",
    "version_atleast(ver)", "supported(keyword)", "configured(option)"
    etc to allow enabling/disabling some config blocks based on the build
    options or even some boot-time features detection. Features as
    simple as enabling/disabling "bind" lines depending on SSL support,
    or playing with "cpu-map" only when threads are set would be useful.
    And this could help several of us deal with rolling updates in
    production (e.g. the early days of HTX were a bit tricky on
    haproxy.org). We can add all such functions as needed with no rush.

  - two new data types stored in stick-tables, http_fail_cnt and
    http_fail_rate. These are equivalent to their http_err_* counterparts
    except that they count server-side failures (connection errors as well
    as relevant 5xx statuses). The goal is to considerably simplify some
    setups which used to implement URL-based circuit breaking by hand.

  - and the rest is the usual lot of doc fixes, regtests, CI updates, and
    cleanups.

Now, regarding the next steps, I don't want to get new features anymore
for 2.4. Share your code for reviews and tests if you want, but keep it
in your branch or ask for it to be merged into -next for 2.5. The efforts
must go on testing, fixing bugs, cleaning up all that remains, polishing
the doc (or even writing some, especially for the internal stuff for
developers), and improving the tooling.

Even though I'm particularly stubborn, I'm not stupidly rigid either.
First, some stuff is not yet fully decided as mentioned above (e.g.
DNS server syntax, server-state v2 fields, functions needed to form
conditions for ".if" etc). Second, experimental stuff is still welcome
provided that it's clearly marked as such and doesn't take any risk
with what we're trying to stabilize. I'm thinking about the ongoing
work being done by Fred on QUIC for example, maybe others, I don't
know. In general I'm still fine with taking all the small stuff that
extends what's already there provided that it doesn't represent the
slightest risk of regression. The rule is simple: we'll merge what we
would happily backport if 2.4 had already been released, plus maybe a
little bit more depending on the mood and how busy we are with what
remains.

I really want 2.4.0 to work fine, because I'm fed up with spending 100%
of my time switching between browser tabs containing issues and in gdb
just because something was merged too quickly or not reverted in time
for a release. Now at least we have ~3 months to polish everything and
even to revert if we can't fix in time. I'd rather revert breakage
before the release than hack around it for 5 years in stable branches!

I'm aware of a number of things in the code which still need to be
cleaned up before 2.4:
  - "struct connection" contains some QUIC stuff that I want to move,
    and the idle conn indexing stuff that needs to be made dynamic ;

  - "struct receiver" also contains some QUIC stuff that needs to move ;

  - more configuration work on the DNS part ;

  - I've faced a few monstrosities in the internal keyword parser API
    that I want to address (basically add "const" in front of the
    default proxy pointer for no less than 124 functions and their
    prototypes) ;

A few other fixes/cleanups would be welcome if cleanly isolated. I'm
thinking about the ugly locking in peers/stick-tables for example. But
given that it's been there for a while this will not delay 2.4 anyway.

So far all of this looks totally within reach if 2.3 and 2.2 let us work
a bit. At least 2.4-dev8 swallowed 5k requests on haproxy.org over the
last hour without a glitch so that's a nice starting point :-)

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.4/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.4/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (22):
      BUG/MINOR: backend: hold correctly lock when killing idle conn
      MEDIUM: connection: protect idle conn lists with locks
      MEDIUM: connection: replace idle conn lists by eb trees
      MINOR: backend: search conn in idle/safe trees after available
      MINOR: backend: search conn in idle tree after safe on always reuse
      MINOR: connection: prepare hash calculation for server conns
      MINOR: connection: use the srv pointer for the srv conn hash
      MINOR: backend: compare conn hash for session conn reuse
      MINOR: connection: use sni as parameter for srv conn hash
      MINOR: reg-tests: test http-reuse with sni
      MINOR: backend: rewrite alloc of stream target address
      MINOR: connection: use dst addr as parameter for srv conn hash
      MINOR: reg-test: test http-reuse with specific dst addr
      MINOR: backend: rewrite alloc of connection src address
      MINOR: connection: use src addr as parameter for srv conn hash
      MINOR: connection: use proxy protocol as parameter for srv conn hash
      MINOR: reg-tests: test http-reuse with proxy protocol
      MINOR: doc: update http reuse for new eligible connections
      BUG/MINOR: backend: fix compilation without ssl
      REGTESTS: adjust http_reuse_conn_hash requirements
      REGTESTS: deactivate a failed test on CI in http_reuse_conn_hash
      REGTESTS: fix sni used in http_reuse_conn_hash for libressl 3.3.0

Christopher Faulet (17):
      BUG/MINOR: mux-h1: Don't emit extra CRLF for empty chunked messages
      BUG/MINOR: mux-h1: Don't increment HTTP error counter for 408/500/501 errors
      BUG/MINOR: http-ana: Don't increment HTTP error counter on internal errors
      BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state
      BUG/MINOR: mux-h1: Fix data skipping for bodyless responses
      BUG/MINOR: mux-h1: Don't blindly skip EOT block for non-chunked messages
      BUG/MEDIUM: mux-h2: Add EOT block when EOM flag is set on an empty HTX message
      MINOR: mux-h1: Be sure EOM flag is set when processing end of outgoing message
      REGTESTS: Add a script to test payload skipping for bodyless HTTP responses
      CLEANUP: muxes: Remove useless calls to b_realign_if_empty()
      BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()
      CLEANUP: queue: Remove useless tests on p or pp in pendconn_process_next_strm()
      BUG/MINOR: server: Fix server-state-file-name directive
      CLEANUP: deinit: release global and per-proxy server-state variables on deinit
      CLEANUP: tcpcheck: Remove a useless test on port variable
      BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL
      CLEANUP: server: Remove useless "filepath" variable in apply_server_state()

David Carlier (1):
      MINOR: tcp: add support for defer-accept on FreeBSD.

Emeric Brun (18):
      MINOR: ring: adds new ring_init function.
      CLEANUP: channel: fix comment in ci_putblk.
      BUG/MINOR: dns: add missing sent counter and parent id to dns counters.
      BUG/MINOR: resolvers: fix attribute packed struct for dns
      MINOR: resolvers: renames some resolvers internal types and removes dns prefix
      MINOR: resolvers: renames type dns_resolvers to resolvers.
      MINOR: resolvers: renames some resolvers specific types to not use dns prefix
      MINOR: resolvers: renames some dns prefixed types using resolv prefix.
      MINOR: resolvers: renames resolvers DNS_RESP_* errcodes RSLV_RESP_*
      MINOR: resolvers: renames resolvers DNS_UPD_* returncodes to RSLV_UPD_*
      MINOR: resolvers: rework prototype suffixes to split resolving and dns.
      MEDIUM: resolvers: move resolvers section parsing from cfgparse.c to dns.c
      MINOR: resolvers: replace nameserver's resolver ref by generic parent pointer
      MINOR: resolvers: rework dns stats prototype because specific to resolvers
      MEDIUM: resolvers: split resolving and dns message exchange layers.
      MEDIUM: resolvers/dns: split dns.c into dns.c and resolvers.c
      MEDIUM: dns: adds code to support pipelined DNS requests over TCP.
      MEDIUM: resolvers: add supports of TCP nameservers in resolvers.

Ilya Shipitsin (6):
      BUILD: ssl: fix typo in HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT macro
      BUILD: ssl: guard SSL_CTX_add_server_custom_ext with special macro
      CLEANUP: assorted typo fixes in the code and comments
      BUILD: ssl: guard SSL_CTX_set_msg_callback with SSL_CTRL_SET_MSG_CALLBACK macro
      CLEANUP: remove unused variable assigned found by Coverity
      CI: cirrus: update FreeBSD image to 12.2

William Dauchy (11):
      MINOR: contrib/prometheus-exporter: use stats desc when possible followup
      MEDIUM: contrib/prometheus-exporter: export base stick table stats
      CLEANUP: check: fix some typo in comments
      CLEANUP: tools: typo in `strl2irc` mention
      BUG/MINOR: server: re-align state file fields number
      MEDIUM: cli: add check-addr command
      MEDIUM: cli: add agent-port command
      MEDIUM: server: add server-states version 2
      MEDIUM: server: support {check,agent}_addr, agent_port in server state
      MINOR: server: enhance error precision when applying server state
      DOC: tune: explain the origin of block size for ssl.cachesize

William Lallemand (2):
      MEDIUM: ssl: add a rwlock for SSL server session cache
      MINOR: ssl: add SSL_SERVER_LOCK label in threads.h

Willy Tarreau (27):
      BUG/MINOR: intops: fix mul32hi()'s off-by-one
      BUG/MINOR: freq_ctr: fix a wrong delay calculation in next_event_delay()
      MINOR: stick-tables/counters: add http_fail_cnt and http_fail_rate data types
      BUG/MEDIUM: config: don't pick unset values from last defaults section
      BUG/MINOR: stats: revert the change on ST_CONVDONE
      BUG/MINOR: cfgparse: do not mention "addr:port" as supported on proxy lines
      BUG/MINOR: http-htx: defpx must be a const in proxy_dup_default_conf_errors()
      BUG/MINOR: tcpcheck: the source list must be a const in dup_tcpcheck_var()
      BUILD: proxy: add missing compression-t.h to proxy-t.h
      REORG: move init_default_instance() to proxy.c and pass it the defproxy pointer
      REORG: proxy: centralize the proxy allocation code into alloc_new_proxy()
      MEDIUM: proxy: only take defaults when a default proxy is passed.
      MINOR: proxy: move the defproxy freeing code to proxy.c
      MINOR: proxy: always properly reset the just freed default instance pointers
      BUG/MINOR: extcheck: proxy_parse_extcheck() must take a const for the defproxy
      BUG/MINOR: tcpcheck: proxy_parse_*check*() must take a const for the defproxy
      BUG/MINOR: server: parse_server() must take a const for the defproxy
      MINOR: cfgparse: move defproxy to cfgparse-listen as a static
      MINOR: proxy: add a new capability PR_CAP_DEF
      MINOR: cfgparse: check PR_CAP_DEF instead of comparing pointer against defproxy
      MINOR: cfgparse: use a pointer to the current default proxy
      MINOR: proxy: also store the name for a defaults section
      MINOR: proxy: support storing defaults sections into their own tree
      MEDIUM: proxy: store the default proxies in a tree by name
      MEDIUM: cfgparse: allow a proxy to designate the defaults section to use
      MINOR: peers/cli: do not dump the peers dictionaries by default on "show peers"
      MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler

Yves Lafon (1):
      MINOR: http: add baseq sample fetch
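
The configuration below is an added example, not part of Willy's message nor
of HAProxy's own documentation. It puts together several of the features
listed in the announcement in one 2.4-dev8 style file: named defaults
sections chained with "from", a ".if/.endif" block driven by an environment
variable, a string-keyed stick-table storing the new http_fail_cnt and
http_fail_rate counters to open a circuit per URL, and the "baseq" fetch in a
redirect. Host names, ports, server addresses, the certificate path and the
HAPROXY_STATS variable are made up for the example; it also assumes, as the
text above says, that the condition of ".if" is evaluated after environment
variable expansion, so that an unset or "0" variable yields false.

```haproxy
# Added example, not from the announcement. Addresses, ports, the cert path
# and the HAPROXY_STATS variable are made-up values.

global
    log stdout format raw local0

# Base defaults. Only sections that say "from base" inherit from it; a
# section without "from" falls back to the last defaults section seen.
defaults base
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# A defaults section may itself derive from another one.
defaults tcp-defaults from base
    mode tcp
    option tcplog

defaults http-defaults from base
    mode http
    option httplog
    timeout http-request 10s

# Conditional block. At dev8 the condition is only the integer value of
# some text, so HAPROXY_STATS=1 keeps the listener and an unset or "0"
# value makes the parser drop the whole block (assumption: the variable is
# expanded before the condition is evaluated).
.if "$HAPROXY_STATS"
listen stats from http-defaults
    bind :8404
    stats enable
    stats uri /
.endif

# Per-URL circuit breaker: the key is host+path ("base"), the table stores
# server-side failures (connection errors and relevant 5xx) and their rate
# over a 10s window, so no per-URL ACL bookkeeping is needed any more.
backend urls
    stick-table type string len 128 size 10k expire 60s store http_fail_cnt,http_fail_rate(10s)

frontend www from http-defaults
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/www.pem    # made-up path
    # baseq = host + path + query string, so the redirect keeps the full URL
    http-request redirect location https://%[baseq] code 301 if !{ ssl_fc }
    http-request track-sc0 base table urls
    # open the circuit for a URL whose server-side failures exceed 20 per 10s
    http-request return status 503 content-type text/plain string "circuit open" if { sc0_http_fail_rate gt 20 }
    default_backend app

backend app from http-defaults
    server app1 192.0.2.10:8080 check
    server app2 192.0.2.11:8080 check

listen db from tcp-defaults
    bind :3306
    server db1 192.0.2.20:3306 check
```

The table lives in its own server-less backend so that the frontend can
reference it by name; a request whose URL has just tripped the threshold
gets a 503 from haproxy itself instead of being sent to a server that is
already failing, and the entry expires on its own once the URL stops
failing.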
