Hi,

HAProxy 2.4-dev8 was released on 2021/02/13. It added 105 new commits after version 2.4-dev7.

Quite a lot of new and interesting stuff got merged lately, and given all the recent activity in various areas and some late merging conflicts I expect that we'll still have some busy time smoothing every corner :-)

Here are the latest main changes since 2.4-dev7:

  - dns: the DNS code was split into two parts, DNS itself (the protocol support) and the resolvers (used by servers and do-resolve). The DNS was extended to support TCP to speak with the servers. For the moment TCP servers are declared using the "server" keyword but I'd rather use the same "nameserver" and only play with the address than reuse "server" with all the unrelated keywords, since it's not doing anything related to the way we're using it in proxies. But this is a detail. A number of settings are still not configurable (communication timeouts, the 4 pipelined requests, etc). The goal was to perform all the difficult changes to the core code, the rest is mostly cosmetic ;

  - idle connections: while till now a number of outgoing connection parameters would automatically mark a connection private (proxy-proto, SNI, transparent mode, etc), now these parameters are saved with the connection and compared when trying to reuse a connection. This means for example that those using "sni req.hdr(host)" on their servers will finally be able to benefit from http-reuse. All tests pass successfully but we know by experience that this code area is very sensitive, which is also why I wanted it to get merged early. One of the new regtests triggers an issue with libressl, though we don't know yet if this is related to the new code or anything else. Some internal cleanups are still left to be done, such as dynamically allocating the structure holding that data so that it doesn't take RAM in front connections. But that's a detail compared to the rest of the change.

  - the work to make server settings more dynamic continues, and on the CLI it's now possible to change a server's check and agent's addresses and ports at run time.

  - the server-state parser was extended to start to take a v2 into account instead of risking to break compatibility between haproxy 2.3 and 2.4. But this also means that now we'll have to put down all the stuff we need to store there to avoid introducing a v3 in 2.5.

  - the prometheus exporter now exports some stick-tables stats, and continues its diet cure by sharing some fields description with the core stats.

  - the "defer-accept" bind keyword is now supported on FreeBSD via the accept filters.

  - a new "baseq" sample fetch function, similar to "pathq" but which concatenates the host name with the path, was added to be used in redirects or for statistics.

  - named defaults section: the optional name that can be placed on a "defaults" section may now be reused by other sections to indicate which one to load defaults from instead of the last one. The other sections must use "from ..." on the section's declaration line to do this. Note that even defaults sections support restarting from another one. This can be handy to centralize log-format, log servers and default timeouts for example. The other long-requested use case is to declare one common defaults section for TCP and another one for HTTP and derive everything from there.

  - very basic preprocessor-like .if/.elif/.else/.endif to ignore some config blocks. I've been wanting this for quite some time, and the expectation grew further with regtests and threads. So the goal is to be able to choose one config block or another based on a condition that is evaluated at boot time by the config parser. For now this is very limited, only the core logic is in place and it only supports the integer value of some text (or environment variables).

    What I'd like to do is to add a number of functions such as "defined(var)", "version_atleast(ver)", "supported(keyword)", "configured(option)" etc to allow enabling/disabling some config blocks based on the build options or even some boot-time features detection. Features as simple as enabling/disabling "bind" lines depending on SSL support, or playing with "cpu-map" only when threads are set would be useful. And this could help several of us deal with rolling updates in production (e.g. the early days of HTX were a bit tricky on haproxy.org). We can add all such functions as needed with no rush.

  - two new data types stored in stick-tables, http_fail_cnt and http_fail_rate. These are equivalent to their http_err_* counterparts except that they count server-side failures (connection errors as well as relevant 5xx statuses). The goal is to considerably simplify some setups which used to implement URL-based circuit breaking by hand.

  - and the rest is the usual lot of doc fixes, regtests, CI updates, and cleanups.

Now, regarding the next steps, I don't want to get new features anymore for 2.4. Share your code for reviews and tests if you want, but keep it in your branch or ask for it to be merged into -next for 2.5. The efforts must go on testing, fixing bugs, cleaning up all that remains, polishing the doc (or even writing some, especially for the internal stuff for developers), and improving the tooling.

Even though I'm particularly stubborn, I'm not stupidly rigid either. First, some stuff is not yet fully decided as mentioned above (e.g. DNS server syntax, server-state v2 fields, functions needed to form conditions for ".if" etc). Second, experimental stuff is still welcome provided that it's clearly marked as such and doesn't take any risk with what we're trying to stabilize. I'm thinking about the ongoing work being done by Fred on QUIC for example, maybe others, I don't know.

In general I'm still fine with taking all the small stuff that extends what's already there provided that it doesn't represent the slightest risk of regression. The rule is simple: we'll merge what we would happily backport if 2.4 had already been released, plus maybe a little bit more depending on the mood and how busy we are with what remains.

I really want 2.4.0 to work fine, because I'm fed up with spending 100% of my time switching between browser tabs containing issues and in gdb just because something was merged too quickly or not reverted in time for a release. Now at least we have ~3 months to polish everything and even to revert if we can't fix in time. I'd rather revert breakage before the release than hack around it for 5 years in stable branches!

I'm aware of a number of things in the code which still need to be cleaned up before 2.4:
  - "struct connection" contains some QUIC stuff that I want to move, and the idle conn indexing stuff that needs to be made dynamic ;
  - "struct receiver" also contains some QUIC stuff that needs to move ;
  - more configuration work on the DNS part ;
  - I've faced a few monstrosities in the internal keyword parser API that I want to address (basically add "const" in front of the default proxy pointer for no less than 124 functions and their prototypes) ;

A few other fixes/cleanups would be welcome if cleanly isolated. I'm thinking about the ugly locking in peers/stick-tables for example. But given that it's been there for a while this will not delay 2.4 anyway.

So far all of this looks totally within reach if 2.3 and 2.2 let us work a bit.
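As an added example (not from this announcement nor from the HAProxy sources), the following configuration shows how the named defaults sections with "from ..." and the new http_fail_cnt/http_fail_rate stick-table types described above combine into a per-URL circuit breaker that no longer has to be built by hand; the sc_http_fail_rate fetch name is assumed to be the fetch exposing http_fail_rate, and the addresses are made up.

```haproxy
global
    log stdout format raw local0

# Shared settings that every other section derives from.
defaults common
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One defaults section per mode, both restarting from "common".
defaults tcp from common
    mode tcp

defaults http from common
    mode http
    option httplog

# A proxy picks its defaults by name instead of taking the last one.
frontend fe_web from http
    bind :80                  # constructed listener
    default_backend be_app

backend be_app from http
    # Track failures per "base" (host + path). http_fail_* counts
    # server-side failures: connection errors and relevant 5xx statuses,
    # unlike http_err_* which counts client-side 4xx errors.
    stick-table type string len 128 size 10k expire 2m store http_fail_cnt,http_fail_rate(10s)
    http-request track-sc0 base
    # Trip the breaker: refuse further requests for a base whose servers
    # failed more than 10 times in the last 10 seconds.
    # ASSUMPTION: sc_http_fail_rate(0) reads http_fail_rate from sc0.
    http-request deny deny_status 503 if { sc_http_fail_rate(0) gt 10 }
    server app1 192.0.2.10:8080 check   # constructed address
```

Run "haproxy -c -f <file>" to validate the syntax against the build in use; the expected breaker behaviour can be confirmed by watching the table with "show table be_app" on the CLI.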
At least 2.4-dev8 swallowed 5k requests on haproxy.org over the last hour without a glitch so that's a nice starting point :-)

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.4/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.4/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (22):
      BUG/MINOR: backend: hold correctly lock when killing idle conn
      MEDIUM: connection: protect idle conn lists with locks
      MEDIUM: connection: replace idle conn lists by eb trees
      MINOR: backend: search conn in idle/safe trees after available
      MINOR: backend: search conn in idle tree after safe on always reuse
      MINOR: connection: prepare hash calcul for server conns
      MINOR: connection: use the srv pointer for the srv conn hash
      MINOR: backend: compare conn hash for session conn reuse
      MINOR: connection: use sni as parameter for srv conn hash
      MINOR: reg-tests: test http-reuse with sni
      MINOR: backend: rewrite alloc of stream target address
      MINOR: connection: use dst addr as parameter for srv conn hash
      MINOR: reg-test: test http-reuse with specific dst addr
      MINOR: backend: rewrite alloc of connection src address
      MINOR: connection: use src addr as parameter for srv conn hash
      MINOR: connection: use proxy protocol as parameter for srv conn hash
      MINOR: reg-tests: test http-reuse with proxy protocol
      MINOR: doc: update http reuse for new eligilible connections
      BUG/MINOR: backend: fix compilation without ssl
      REGTESTS: adjust http_reuse_conn_hash requirements
      REGTESTS: deactivate a failed test on CI in http_reuse_conn_hash
      REGTESTS: fix sni used in http_reuse_conn_hash for libressl 3.3.0

Christopher Faulet (17):
      BUG/MINOR: mux-h1: Don't emit extra CRLF for empty chunked messages
      BUG/MINOR: mux-h1: Don't increment HTTP error counter for 408/500/501 errors
      BUG/MINOR: http-ana: Don't increment HTTP error counter on internal errors
      BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state
      BUG/MINOR: mux-h1: Fix data skipping for bodyless responses
      BUG/MINOR: mux-h1: Don't blindly skip EOT block for non-chunked messages
      BUG/MEDIUM: mux-h2: Add EOT block when EOM flag is set on an empty HTX message
      MINOR: mux-h1: Be sure EOM flag is set when processing end of outgoing message
      REGTESTS: Add a script to test payload skipping for bodyless HTTP responses
      CLEANUP: muxes: Remove useless calls to b_realign_if_empty()
      BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()
      CLEANUP: queue: Remove useless tests on p or pp in pendconn_process_next_strm()
      BUG/MINOR: server: Fix server-state-file-name directive
      CLEANUP: deinit: release global and per-proxy server-state variables on deinit
      CLEANUP: tcpcheck: Remove a useless test on port variable
      BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL
      CLEANUP: server: Remove useless "filepath" variable in apply_server_state()

David Carlier (1):
      MINOR: tcp: add support for defer-accept on FreeBSD.

Emeric Brun (18):
      MINOR: ring: adds new ring_init function.
      CLEANUP: channel: fix comment in ci_putblk.
      BUG/MINOR: dns: add missing sent counter and parent id to dns counters.
      BUG/MINOR: resolvers: fix attribute packed struct for dns
      MINOR: resolvers: renames some resolvers internal types and removes dns prefix
      MINOR: resolvers: renames type dns_resolvers to resolvers.
      MINOR: resolvers: renames some resolvers specific types to not use dns prefix
      MINOR: resolvers: renames some dns prefixed types using resolv prefix.
      MINOR: resolvers: renames resolvers DNS_RESP_* errcodes RSLV_RESP_*
      MINOR: resolvers: renames resolvers DNS_UPD_* returncodes to RSLV_UPD_*
      MINOR: resolvers: rework prototype suffixes to split resolving and dns.
      MEDIUM: resolvers: move resolvers section parsing from cfgparse.c to dns.c
      MINOR: resolvers: replace nameserver's resolver ref by generic parent pointer
      MINOR: resolvers: rework dns stats prototype because specific to resolvers
      MEDIUM: resolvers: split resolving and dns message exchange layers.
      MEDIUM: resolvers/dns: split dns.c into dns.c and resolvers.c
      MEDIUM: dns: adds code to support pipelined DNS requests over TCP.
      MEDIUM: resolvers: add supports of TCP nameservers in resolvers.

Ilya Shipitsin (6):
      BUILD: ssl: fix typo in HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT macro
      BUILD: ssl: guard SSL_CTX_add_server_custom_ext with special macro
      CLEANUP: assorted typo fixes in the code and comments
      BUILD: ssl: guard SSL_CTX_set_msg_callback with SSL_CTRL_SET_MSG_CALLBACK macro
      CLEANUP: remove unused variable assigned found by Coverity
      CI: cirrus: update FreeBSD image to 12.2

William Dauchy (11):
      MINOR: contrib/prometheus-exporter: use stats desc when possible followup
      MEDIUM: contrib/prometheus-exporter: export base stick table stats
      CLEANUP: check: fix some typo in comments
      CLEANUP: tools: typo in `strl2irc` mention
      BUG/MINOR: server: re-align state file fields number
      MEDIUM: cli: add check-addr command
      MEDIUM: cli: add agent-port command
      MEDIUM: server: add server-states version 2
      MEDIUM: server: support {check,agent}_addr, agent_port in server state
      MINOR: server: enhance error precision when applying server state
      DOC: tune: explain the origin of block size for ssl.cachesize

William Lallemand (2):
      MEDIUM: ssl: add a rwlock for SSL server session cache
      MINOR: ssl: add SSL_SERVER_LOCK label in threads.h

Willy Tarreau (27):
      BUG/MINOR: intops: fix mul32hi()'s off-by-one
      BUG/MINOR: freq_ctr: fix a wrong delay calculation in next_event_delay()
      MINOR: stick-tables/counters: add http_fail_cnt and http_fail_rate data types
      BUG/MEDIUM: config: don't pick unset values from last defaults section
      BUG/MINOR: stats: revert the change on ST_CONVDONE
      BUG/MINOR: cfgparse: do not mention "addr:port" as supported on proxy lines
      BUG/MINOR: http-htx: defpx must be a const in proxy_dup_default_conf_errors()
      BUG/MINOR: tcpheck: the source list must be a const in dup_tcpcheck_var()
      BUILD: proxy: add missing compression-t.h to proxy-t.h
      REORG: move init_default_instance() to proxy.c and pass it the defproxy pointer
      REORG: proxy: centralize the proxy allocation code into alloc_new_proxy()
      MEDIUM: proxy: only take defaults when a default proxy is passed.
      MINOR: proxy: move the defproxy freeing code to proxy.c
      MINOR: proxy: always properly reset the just freed default instance pointers
      BUG/MINOR: extcheck: proxy_parse_extcheck() must take a const for the defproxy
      BUG/MINOR: tcpcheck: proxy_parse_*check*() must take a const for the defproxy
      BUG/MINOR: server: parse_server() must take a const for the defproxy
      MINOR: cfgparse: move defproxy to cfgparse-listen as a static
      MINOR: proxy: add a new capability PR_CAP_DEF
      MINOR: cfgparse: check PR_CAP_DEF instead of comparing poiner against defproxy
      MINOR: cfgparse: use a pointer to the current default proxy
      MINOR: proxy: also store the name for a defaults section
      MINOR: proxy: support storing defaults sections into their own tree
      MEDIUM: proxy: store the default proxies in a tree by name
      MEDIUM: cfgparse: allow a proxy to designate the defaults section to use
      MINOR: peers/cli: do not dump the peers dictionaries by default on "show peers"
      MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler

Yves Lafon (1):
      MINOR: http: add baseq sample fetch

---