Hi,
HAProxy 2.1.12 was released on 2021/03/18. It added 75 new commits
after version 2.1.11.
The 2.1 branch is planned to be EOL this quarter. There are no longer bug
reports for this specific branch. Thus, it is probably the last 2.1
release. Unless critical bugs are found in the next few weeks, no further
release should be expected. You should have no reason to deploy it anymore
in a production environment. Use the 2.2 instead. No specific support should
be expected on the 2.1 anymore.
Here is the unsorted list of main fixes for this release :
* Willy fixed a bug in the frequency counters because they were using the
thread's own time as the start of the current period leading to
non-monotonic updates in case of contention. See the commit message for
details. Now, freq counters rely on a global monotonic time.
* An issue leading to possible infinite loops because of a double locking
effect in the mt lists was fixed by Olivier. In the MT_LIST_TRY_ADDQ()
macro, it was possible to try to lock the same element twice, making the
second lock attempt fail in a loop. It happens when there is exactly
one element in the mt-list and we try to add it again into the same
list.
* The filters part was fixed to be sure the end analyzer (flt_end_analyse)
is always called for the request and the response, especially when the
request analysis is finished before the response starts.
* William fixed possible bugs about the listeners. Listeners are not
necessarily present when the client is an applet (peers, spoe, Lua) and
we need to be careful when updating counters. It was too hard to say
whether those could be triggered but there was at least one way
consisting in adding TCP rules to an SPOE backend.
* Dragan addressed a long-standing issue in the way variables are used as
arguments to converters. First they were never locked, resulting in bad
things when accessing shared variables in the "proc" scope. And the
argument was improperly checked: if it didn't parse it was implicitly a
variable, but that could die in some circumstances (such as truncated
base64 values to "base64"). Dragan had no other option but to add
boot-time config checks that may trigger errors on currently invalid
configs that silently validate. If it proves to be problematic, we could
try to replace the error with a warning and use whatever we find
reliable enough.
* Willy fixed a thread-safety issue when a stream was killed on a
hard-stop or when using "shutdown sessions" over the CLI. The streams
list was not locked. This issue might lead to a crash if an already dead
stream was shut down. Now, these operations use thread_isolate()
to guarantee no other threads are running at the same time.
* Willy also fixed a time wrapping issue in the __health_adjust() function,
a bug introduced with the feature, more than 10 years ago, preventing some
health-checks from being immediately triggered half of the time.
* Two bugs were fixed on the H1 multiplexer. The first one is a
regression. The client side might be blocked at the end of a transaction
if a "Connection: upgrade" was found in a response other than
101-Switching-Protocol, preventing the following request to be
parsed. This happened because of a missing flag on the H1 connection on
the server side, keeping it attached to the stream. The second one was
an issue with the responses to CONNECT requests other than 200-Ok. If
the requested tunnel establishment was not performed by a server, the
end of the transaction was not properly detected, closing the connection
on the client side.
* Willy fixed another very old bug (13 years !) about queue and tarpit
timeouts picked from the last defaults section during the configuration
validity check. The wrong defaults section was looked at: it should be the
one before the evaluated proxy. The worst part of it is that it might
have randomly worked by accident for some configurations when there was
a single defaults section, but has certainly caused too short queue
expirations once another defaults section was added later in the file
with these explicitly defined.
* The SPOE filter was improved in multi-threaded mode. The SPOE applets
are now killed if there are pending connections. This is important to
not let queued sessions waiting forever. SPOE connections are persistent
and sticky to a thread. Thus with a low maxconn value, for instance 1,
some threads might hold all available slots, leaving other threads with
no free slots.
* An issue was fixed on the DNS resolvers, about the loading of obsolete
server ip/port when a server-state file was used. This information was
not reset when a server resolution failed or when obsolete SRV records
were removed.
* The server-state-file-name directive was fixed. Since the beginning,
contrary to what the documentation said, this directive could not be
used with no parameter. To use the backend name as file name, the
undocumented parameter "use-backend-name" had to be used instead. Now,
both modes are supported. Another issue about the server-state file was
fixed. If the name of the local server-state file was too long, the fopen()
function was called with a NULL file name. Finally, the RMAINT admin
mode is now ignored when a server state is loaded. Before, when this
admin mode was set, an error was reported, preventing the server state
from being loaded.
* The tracked sessions counter was not atomically incremented, resulting
in occasional slightly off values.
* The smp_is_safe() function was fixed. Zero size string samples were not
systematically considered as unsafe. In some circumstances, it was
possible to consider such samples as safe by reading one byte after the
buffer.
* Address assignment for address-less servers was fixed to be able to
handle IPv4 and IPv6 by setting the right address family.
* The set-dst action was buggy. The original port was not set for IPv4
addresses. It was also a problem for UNIX sockets: the port was not set
to 0 and had an undefined value.
* The processing of the HTTP originalto action was fixed to only consider
the destination address. The address family of the source address was
tested and not the destination one.
* Jérôme fixed a bug about the "strict-limits" global option when it is
used in conjunction with master-worker. With this option, when a
setrlimit fails, HAProxy must always exit. But it was only done when the
master-worker mode wasn't used. It now works as expected.
* A memory leak was fixed by Rémi on the error path of the sample
expression parser and allocation failures are now handled when the
concat() converter is called.
* An issue in filters (compression, spoe, etc) could block response
headers in empty responses with no content-length.
* There was a risk of temporary CLOSE_WAIT on aborted H2 connections since
the recent fixes for truncated responses. Note that these ones would
vanish on timeout anyway, hence it was more annoying than dramatic.
* The CLI's "abort ssl cert" would purge the old instead of new SSL info.
* Errors on connections would not prevent SSL handshake from being
performed, leading to wasted CPU cycles that could sometimes maintain
the load artificially high during contention.
* An alignment issue in the XXHash code affecting ARMv6/v7 running in
32-bit mode on 64-bit kernels was addressed ; it could cause bus errors
and crashes in 32-bit chroots or containers when using the pattern LRU
cache.
* Lua's core.get_info() got broken in previous version due to the missing
definition of INF_BUILD_INFO in stats.
* a few other really minor issues were addressed
Thanks everyone for your help and your contributions !
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Wiki : https://github.com/haproxy/wiki/wiki
Sources : http://www.haproxy.org/download/2.1/src/
Git repository : http://git.haproxy.org/git/haproxy-2.1.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
Changelog : http://www.haproxy.org/download/2.1/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
---
Complete changelog :
Adis Nezirovic (1):
BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition
Amaury Denoyelle (2):
BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name
BUG/MINOR: backend: hold correctly lock when killing idle conn
Baptiste Assmann (1):
BUG/MINOR: resolvers: new callback to properly handle SRV record errors
Bertrand Jacquin (2):
BUG/MINOR: mworker: define _GNU_SOURCE for strsignal()
BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX
Christopher Faulet (31):
BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable
BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is
unknown
BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list
BUG/MINOR: http-ana: Don't increment HTTP error counter on internal errors
BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state
BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()
BUG/MINOR: server: Fix server-state-file-name directive
CLEANUP: deinit: release global and per-proxy server-state variables on
deinit
BUG/MINOR: server: Don't call fopen() with server-state filepath set to
NULL
BUG/MINOR: server: Remove RMAINT from admin state when loading server
state
BUG/MINOR: sample: Always consider zero size string samples as unsafe
BUG/MINOR: server: Init params before parsing a new server-state line
BUG/MINOR: server: Be sure to cut the last parsed field of a server-state
line
BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok
BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV
records
BUG/MEDIUM: resolvers: Reset address for unresolved servers
BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()
BUG/MINOR: http-ana: Only consider dst address to process originalto
option
BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4
set-dst rule
BUG/MINOR: connection: Use the client's dst family for adressless servers
BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread > 1
DOC: spoe: Add a note about fragmentation support in HAProxy
BUG/MINOR: http-ana: Don't increment HTTP error counter on read
error/timeout
BUG/MINOR: hlua: Don't strip last non-LWS char in
hlua_pushstrippedstring()
BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are
attached
BUG/MINOR: proxy/session: Be sure to have a listener to increment its
counters
BUG/MINOR: session: Add some forgotten tests on session's listener
BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution
error
BUG/MINOR: resolvers: Reset server address on DNS error only on status
change
BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS
hostnames
MINOR: version: Set the EOL of the 2.1 branch
David CARLIER (1):
BUG/MINOR: threads: Fixes the number of possible cpus report for Mac.
Dragan Dosen (2):
BUG/MINOR: sample: secure convs that accept base64 string and var name as
args
BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe
Emeric Brun (1):
CLEANUP: channel: fix comment in ci_putblk.
Frédéric Lécaille (2):
BUG/MINOR: peers: Wrong "new_conn" value for "show peers" CLI command.
MINOR: contrib: Make the wireshark peers dissector compile for more
distribs.
Jerome Magnin (1):
BUG/MINOR: init: enforce strict-limits when using master-worker
Olivier Houchard (3):
BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive
BUG/MEDIUM: lists: Lock the element while we check if it is in a list.
BUG/MEDIUM: lists: Avoid an infinite loop in MT_LIST_TRY_ADDQ().
Remi Tricot-Le Breton (1):
BUG/MINOR: sample: Memory leak of sample_expr structure in case of error
Tim Duesterhus (1):
BUG/MINOR: mux-h2: Fix typo in scheme adjustment
William Dauchy (2):
BUG/MINOR: sample: check alloc_trash_chunk return value in concat()
BUG/MINOR: server: re-align state file fields number
William Lallemand (5):
BUG/MINOR: ssl: init tmp chunk correctly in ssl_sock_load_sctl_from_file()
BUG/MEDIUM: ssl/cli: abort ssl cert is freeing the old store
BUILD: Makefile: move REGTESTST_TYPE default setting
BUG/MINOR: ssl/cli: potential null pointer dereference in "set ssl cert"
BUG/MEDIUM: session: NULL dereference possible when accessing the listener
Willy Tarreau (19):
BUG/MINOR: mux_h2: missing space between "st" and ".flg" in the "show fd"
helper
BUG/MEDIUM: mux-h2: fix read0 handling on partial frames
DOC: management: fix "show resolvers" alphabetical ordering
BUG/MEDIUM: ssl: check a connection's status before computing a handshake
BUG/MINOR: xxhash: make sure armv6 uses memcpy()
BUG/MEDIUM: mux-h2: handle remaining read0 cases
BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED
BUG/MEDIUM: config: don't pick unset values from last defaults section
BUG/MINOR: stats: revert the change on ST_CONVDONE
BUG/MINOR: cfgparse: do not mention "addr:port" as supported on proxy
lines
BUG/MINOR: session: atomically increment the tracked sessions counter
BUG/MINOR: checks: properly handle wrapping time in __health_adjust()
BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop
BUG/MEDIUM: cli/shutdown sessions: make it thread-safe
BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal
BUG/MINOR: ssl: don't truncate the file descriptor to 16 bits in debug
mode
CLEANUP: tcp-rules: add missing actions in the tcp-request error message
MINOR: time: export the global_now variable
BUG/MINOR: freq_ctr/threads: make use of the last updated global time
--
Christopher Faulet
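
Added example, not part of the original announcement and not HAProxy's code: a simplified model of the smp_is_safe() item above, showing how a zero-size string sample can be judged "safe" by a byte that lies one past its data, next to a hardened check. The struct, the function names and the reading of "safe" as "usable in place as a NUL-terminated C string" are assumptions made for illustration; the buffer is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a string sample (hypothetical names, not HAProxy's
 * structures): data = valid bytes, size = capacity, 0 when unknown. */
struct str_sample { const char *area; size_t data; size_t size; };

/* Constructed input: a 4-byte value "abcd" sitting in front of a zero
 * byte that belongs to the enclosing 8-byte buffer, not to the value. */
static const char backing[8] = { 'a', 'b', 'c', 'd', 0, 'x', 'y', 'z' };

/* Pre-fix shape: area[data] is read even when size is 0, so the verdict
 * depends on a byte outside the sample. */
static int is_safe_before(const struct str_sample *s)
{
    if (s->size && s->data >= s->size)
        return 0;
    return s->area[s->data] == '\0';
}

/* Hardened shape: zero size is always unsafe, and area[data] is read
 * only when it is known to lie inside the buffer. */
static int is_safe_after(const struct str_sample *s)
{
    if (s->size == 0 || s->data >= s->size)
        return 0;
    return s->area[s->data] == '\0';
}

/* Runs one of the two checks over the constructed buffer. */
static int verdict(size_t data, size_t size, int hardened)
{
    struct str_sample s = { backing, data, size };
    return hardened ? is_safe_after(&s) : is_safe_before(&s);
}

int main(void)
{
    printf("size=0 data=4: before=%d after=%d\n", verdict(4, 0, 0), verdict(4, 0, 1));
    printf("size=8 data=4: before=%d after=%d\n", verdict(4, 8, 0), verdict(4, 8, 1));
    printf("size=4 data=4: before=%d after=%d\n", verdict(4, 4, 0), verdict(4, 4, 1));
    return 0;
}
```

In the constructed buffer the neighbouring byte happens to be inside a larger array, so the model runs without undefined behaviour; with a sample that ends at the edge of its allocation the same read would land outside it.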