Hi,

HAProxy 2.0.27 was released on 2022/01/26. It added 49 new commits
after version 2.0.26.

This addresses a small regression in 2.0.26 in legacy mode on the
authorization header field parser, and a bunch of other fixes:

 - possible crash on master CLI when trying to enter an old pid when
   in prompt mode

 - there was a risk of frozen stream or spinning loop when combining
   layer-7 retries with some filters because an analyser responsible
   for releasing the filter was dropped. This was fixed.

 - on reload we used to transfer listening sockets by packs of 253 between
   the old and the new process but it looks like for whatever reason on
   musl 253 doesn't work and the limit is 252. It might be caused by a
   slightly different layout for the message. So the limit was lowered by
   one as this will definitely not affect reload time!

 - a previous fix for a risk of crash on shutdown in the resolvers code
   was reverted as it used to cause an endless loop on this version.

 - Daniel Jakots fixed the build with LibreSSL 3.5 and newer (some macros
   didn't work anymore).

 - the build warning with clang on i386 was addressed, as well as with
   clang on Solaris.

 - the problem where the SNI could be set again on a reused server
   connection was fixed

 - fixed some usual "maybe unused" warnings on old compilers for
   unusual platform (gcc-4.7 on MIPS with threads disabled).

 - William fixed a bug in the master-worker when the master is executed in
   wait mode (only after a reload failure in 2.4 and older). In this case,
   the master must never try to get the listeners FD from the previous
   process using _getsocks on the stats socket. Otherwise, if a reload
   fails, the master exits with an EXIT_FAILURE status, killing all the
   workers.

 - some processing issues on the CLI that could arise with pipelining
   clients were fixed.

 - the CLI's "show version" was backported to help with diagnostics and
   to uniformize APIs between versions.

 - various minor doc updates and typo fixes

 - some regtest and CI backports to ease stable maintainers' job

In addition, I'm taking this opportunity to mention that we're currently
facing a small bunch of very strange and non-reproducible bugs (which is
why we've been postponing this release, to make sure it was not affected
by a possible regression). Among the current issues under investigation,
the following ones immediately come to my mind:
  - a rare crash in the libc's allocator when called from openssl's
    SSL_Free() function in some 2.4 and/or 2.5 versions, which very likely
    indicates a use-after-free. It was reported by Christian in issue
    #1494 a month ago and we're still digging. Since then we got one,
    maybe two other reports. Some tooling was developed to try to nail
    it down, so if some of you would like to check for the presence of
    recent segfaults in their system logs and share info here or in that
    issue, you're welcome.
    
  - in issue #1522, it appears that some connections may not always be
    closed in pure TCP mode between haproxy and the servers. It was
    confirmed that the behavior changed between 2.2 and 2.4 but for now
    we don't even know if it's a side effect of some more important change
    (that needs to be better documented or that requires different default
    settings) or a connection leak bug.

  - strange blocking of the master CLI between 2.5-dev2 and 2.5.0 in issue
    #1512. This helped figure (and fix) some related bugs but not this one
    yet. Similar experience welcome here as well.

  - something looking like an FD leak during reloads and maybe startup as
    well, reported in private, between 2.5.0 and 2.5.1, to the point that
    some listeners fail to rebind after a few reloads. No clue yet either.

Given that these issues take a lot of time to reproduce in field, look a
bit random, and are never observed in other environments, they consume a
huge amount of time to analyse and to try to emit hypotheses and patches
to dig further. For this reason if you've observed similar trouble, don't
be shy and please share your info so that we can get back to doing more
useful stuff ASAP. Thanks!

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.0/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.0.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
   Changelog        : http://www.haproxy.org/download/2.0/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (2):
      BUG/MINOR: backend: do not set sni on connection reuse
      BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose

Christopher Faulet (6):
      BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
      DOC: spoe: Clarify use of the event directive in spoe-message section
      DOC: config: Specify %Ta is only available in HTTP mode
      BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry
      BUG/MEDIUM: cli: Never wait for more data on client shutdown
      BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer

Daniel Jakots (1):
      BUILD: ssl: unbreak the build with newer libressl

David Carlier (1):
      BUILD/MINOR: fix solaris build with clang.

Ilya Shipitsin (12):
      CI: Github Actions: enable prometheus exporter
      CI: Github Actions: remove LibreSSL-3.0.2 builds
      CI: Github Actions: enable BoringSSL builds
      CI: Github Action: run "apt-get update" before packages restore
      CI: github actions: update LibreSSL to 3.3.0
      CI: github actions: enable 51degrees feature
      CI: GitHub Actions: enable daily Coverity scan
      CI: github actions: build several popular "contrib" tools
      CI: github actions: switch to stable LibreSSL release
      CI: github actions: update LibreSSL to 3.2.5
      CI: Github Actions: switch to LibreSSL-3.3.3
      BUILD: scripts/build-ssl.sh: use "uname" instead of ${TRAVIS_OS_NAME}

Thierry Fournier (1):
      DOC: fix misspelled keyword "resolve_retries" in resolvers

Tim Duesterhus (12):
      CI: Expand use of GitHub Actions for CI
      CI: Stop hijacking the hosts file
      CI: Pass the github.event_name to matrix.py
      CI: Clean up Windows CI
      CI: Pin VTest to a known good commit
      CI: Fix DEBUG_STRICT definition for Coverity
      CI: Fix the coverity builds
      Revert "CI: Pin VTest to a known good commit"
      CLEANUP: peers: Remove unused static function `free_dcache`
      CLEANUP: peers: Remove unused static function `free_dcache_tx`
      CLEANUP: ssl: Remove useless loop in tlskeys_list_get_next()
      CLEANUP: ssl: Remove useless local variable in tlskeys_list_get_next()

William Lallemand (4):
      MINOR: cli: "show version" displays the current process version
      BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode
      BUG/MINOR: cli: fix _getsocks with musl libc
      BUG/MEDIUM: mworker: don't use _getsocks in wait mode

Willy Tarreau (10):
      CI: Github Actions: temporarily disable BoringSSL builds
      BUILD: makefile: add entries to build common debugging tools
      REGTESTS: mark the abns test as broken again
      BUILD: general: always pass unsigned chars to is* functions
      MINOR: ssl: make tlskeys_list_get_next() take a list element
      Revert "BUG/MEDIUM: resolvers: always check a valid item in query_list"
      BUG/MINOR: http: fix recent regression on authorization in legacy mode
      BUILD: cli: clear a maybe-unused  warning on some older compilers
      BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning
      CLEANUP: ssl: make ssl_sock_free_srv_ctx() zero the pointers after free
