Hi,

HAProxy 2.8.3 was released on 2023/09/07. It added 49 new commits after version 2.8.2.
Some bugs were fixed on the QUIC side. Malformed ACK frames are now properly ignored. A possible wakeup loop on client connection closure was also fixed. RTT sampling could be skipped in some rare cases, when now_ms wraps; this is now fixed, and the RTT computation was also corrected to be more accurate.

Basic support for Linux capabilities was added. For a while there has been the constraint of having to run as root for transparent proxying, and we're starting to see some cases where QUIC is not running in socket-per-connection mode because of the missing capability that would be needed to bind a privileged port. So the following Linux capabilities are now supported: cap_net_raw, cap_net_admin and cap_net_bind_service. The mechanism was made OS-specific and can easily be refined later for other OSes if needed. A new keyword, "setcap", is added to the global section to enumerate the capabilities that must be kept when switching from root to non-root; it is ignored in other situations. HAProxy has to be built with USE_LINUX_CAP=1 for this to be supported, which is enabled by default for the linux-glibc, linux-glibc-legacy and linux-musl targets.

Changes performed in 2.8 on the stream-connector layer introduced several bugs, which were fixed. Many were related to timeout detection and the computation of the stream's expiration date, leading to session freezes, most of the time with the stats applet or the CLI. To avoid any trouble in the future with applets, if an applet is waiting for more room while an abort was reported, an error is now triggered. This way, even if an applet does not handle the error by itself, the session will be shut down anyway. Specifically on the CLI applet, it is now possible to inhibit the client timeout for blocking commands; this is the case for the "show events" command, for instance.

An issue in the H1 chunked payload parsing was fixed by Chris Staite. H1 message parsing could be blocked on the chunk size parsing because the output buffer was full.
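As an added illustration of the capabilities support described above (this is example configuration written for this note, not configuration shipped with HAProxy), the global section below drops privileges to a dedicated user while keeping only the two capabilities needed by the listeners and backends that follow: a QUIC listener on port 443 in socket-per-connection mode, and a transparent-proxy backend. It also uses the new "httpclient.timeout.connect" / "httpclient.retries" globals and a "tcp-request connection sc-add-gpc" rule, both from the changes listed further down. The user name, paths, addresses, table name and the trusted-networks ACL file are assumptions for this example.

```haproxy
global
    # Started as root by the init system, then switches to this user/group.
    # "setcap" only applies to that root -> non-root switch.
    user  haproxy
    group haproxy
    # Keep only what the sections below actually need:
    #   cap_net_bind_service : bind a port < 1024 after the uid switch. With
    #                          socket-per-connection QUIC, every new connection
    #                          gets a fresh socket bound to :443, as non-root.
    #   cap_net_admin        : IP_TRANSPARENT for "source ... usesrc clientip".
    # cap_net_raw (SO_BINDTODEVICE for "source ... interface <if>") is not
    # needed here, so it is deliberately not kept.
    setcap cap_net_bind_service,cap_net_admin
    # One UDP socket per QUIC connection, the case the announcement refers to.
    tune.quic.socket-owner connection
    # New in 2.8.3: bound the httpclient's connect phase and its retries.
    httpclient.timeout.connect 5s
    httpclient.retries 2
    stats socket /run/haproxy/admin.sock mode 660 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Per-source counters, usable from the connection layer (table name assumed).
backend st_src
    stick-table type ip size 100k expire 10m store gpc(1),gpc_rate(1,10s)

frontend fe_public
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/certs/ alpn h3
    http-response set-header alt-svc 'h3=":443"; ma=3600'
    tcp-request connection track-sc0 src table st_src
    # Accepted from "tcp-request connection" since 2.8.3: count connections from
    # sources outside the trusted ranges before any TLS work is done ...
    tcp-request connection sc-add-gpc(0,0) 1 unless { src -f /etc/haproxy/trusted-nets.acl }
    # ... and refuse them once they exceed 20 such connections per 10 seconds.
    tcp-request connection reject if { sc_gpc_rate(0,0) gt 20 }
    default_backend be_app

backend be_app
    # Transparent proxying: connect to the servers with the client's own source
    # address. This needs cap_net_admin; before 2.8.3 it meant staying root.
    source 0.0.0.0 usesrc clientip
    server app1 10.0.0.11:8080 check
```

To check that a build supports this, look for "+LINUX_CAP" in the feature list printed by "haproxy -vv". After startup, the effective set of the running process can be read from the CapEff line of /proc/<pid>/status and decoded with "capsh --decode=<value>" from libcap: with the configuration above only cap_net_bind_service and cap_net_admin should remain, and the process should be running as the haproxy user. The routing and netfilter rules that transparent proxying also needs are outside this example.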
Once the output buffer was emptied, H1 chunk parsing was never restarted. This was fixed by parsing the chunk size anyway and blocking on the chunk payload instead, which is enough to restart the parsing when the output buffer is emptied.

The sc-add-gpc and sc-set-gpt(0) actions are now allowed from "tcp-request connection" rules. According to the documentation, this was supposed to be supported.

SSL certificate replacement was broken in 2.6 when the ".crt" extension was handled as a default extension for a certificate. Without the "ssl-load-extra-del-ext" option, the lookup for certificates with a ".crt" extension failed. This was fixed by removing ".crt" from the default extensions.

It is now possible to configure the connect timeout and the number of retries for httpclients. To do so, two new global options were added: "httpclient.timeout.connect" and "httpclient.retries".

Finally, xxhash was updated to version 0.8.2 and some updates were also performed on plock.

Thanks everyone for your help and your contributions!

Please find the usual URLs below :

Site index       : https://www.haproxy.org/
Documentation    : https://docs.haproxy.org/
Wiki             : https://github.com/haproxy/wiki/wiki
Discourse        : https://discourse.haproxy.org/
Slack channel    : https://slack.haproxy.org/
Issue tracker    : https://github.com/haproxy/haproxy/issues
Sources          : https://www.haproxy.org/download/2.8/src/
Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs     : https://www.haproxy.org/l/pending-bugs
Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
Code reports     : https://www.haproxy.org/l/code-reports
Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :

Amaury Denoyelle (1):
      BUG/MEDIUM: quic: fix tasklet_wakeup loop on connection closing

Aurelien DARRAGON (6):
      BUG/MINOR: hlua: fix invalid use of lua_pop on error paths
      BUG/MINOR: stktable: allow sc-set-gpt(0) from tcp-request connection
      BUG/MINOR: stktable: allow sc-add-gpc from tcp-request connection
      BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage
      DOC: lua: fix core.register_action typo
      BUG/MINOR: hlua/action: incorrect message on E_YIELD error

Chris Staite (1):
      BUG/MEDIUM: h1-htx: Ensure chunked parsing with full output buffer

Christopher Faulet (12):
      DEBUG: applet: Properly report opposite SC expiration dates in traces
      BUG/MEDIUM: stconn: Update stream expiration date on blocked sends
      BUG/MINOR: stconn: Don't report blocked sends during connection establishment
      BUG/MEDIUM: stconn: Wake applets on sending path if there is a pending shutdown
      BUG/MEDIUM: stconn: Don't block sends if there is a pending shutdown
      BUG/MEDIUM: applet: Fix API for function to push new data in channels buffer
      BUG/MEDIUM: stconn: Report read activity when a stream is attached to front SC
      BUG/MEDIUM: applet: Report an error if applet request more room on aborted SC
      BUG/MEDIUM: stconn/stream: Forward shutdown on write timeout
      NUG/MEDIUM: stconn: Always update stream's expiration date after I/O
      BUG/MINOR: applet: Always expect data when CLI is waiting for a new command
      BUG/MINOR: ring/cli: Don't expect input data when showing events

Frédéric Lécaille (4):
      BUG/MINOR: quic: Possible skipped RTT sampling
      BUG/MAJOR: quic: Really ignore malformed ACK frames.
      BUG/MINOR: quic: Wrong RTT adjusments
      BUG/MINOR: quic: Wrong RTT computation (srtt and rrt_var)

Ilya Shipitsin (3):
      CI: do not use "groupinstall" for Fedora Rawhide builds
      CI: get rid of travis-ci wrapper for Coverity scan
      CI: fedora: fix "dnf" invocation syntax

Johannes Naab (1):
      DOC: typo: fix sc-set-gpt references

Remi Tricot-Le Breton (1):
      DOC: jwt: Add explicit list of supported algorithms

Tim Duesterhus (2):
      REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (3)
      CI: Update to actions/checkout@v4

William Lallemand (5):
      BUILD: Makefile: add the USE_QUIC option to make help
      BUG/MINOR: ssl/cli: can't find ".crt" files when replacing a certificate
      DOC: configuration: update examples for req.ver
      MINOR: httpclient: allow to configure the retries
      MINOR: httpclient: allow to configure the timeout.connect

Willy Tarreau (13):
      DEV: flags/show-sess-to-flags: properly decode fd.state
      SCRIPTS: git-show-backports: automatic ref and base detection with -m
      IMPORT: plock: also support inlining the int code
      MINOR: threads: inline the wait function for pthread_rwlock emulation
      MINOR: atomic: make sure to always relax after a failed CAS
      IMPORT: xxhash: update xxHash to version 0.8.2
      BUG/MINOR: ssl_sock: fix possible memory leak on OOM
      BUILD: import: guard plock.h against multiple inclusion
      BUG/MINOR: stream: protect stream_dump() against incomplete streams
      DOC: config: mention uid dependency on the tune.quic.socket-owner option
      BUG/MINOR: checks: do not queue/wake a bounced check
      BUG/MINOR: stream: further protect stream_dump() against incomplete sessions
      MEDIUM: capabilities: enable support for Linux capabilities

-- 
Christopher Faulet