[PATCH] BUILD: makefile: Update feature flags for OpenBSD
Update the OpenBSD target features being enabled. I updated the list of features after noticing "BUILD: makefile: disable threads by default on OpenBSD". The Makefile utilizing gcc(1) by default resulted in utilizing our legacy and obsolete compiler (GCC 4.2.1) instead of the proper system compiler (Clang), which does support TLS. With "BUILD: makefile: change default value of CC from gcc to cc" that is resolved. diff --git a/Makefile b/Makefile index 934ca1666..197126db5 100644 --- a/Makefile +++ b/Makefile @@ -377,10 +377,11 @@ ifeq ($(TARGET),osx) EXPORT_SYMBOL = -export_dynamic endif -# OpenBSD 5.7 and above +# OpenBSD 6.3 and above ifeq ($(TARGET),openbsd) set_target_defaults = $(call default_opts, \ -USE_POLL USE_TPROXY USE_KQUEUE USE_ACCEPT4) +USE_POLL USE_TPROXY USE_THREAD USE_KQUEUE USE_ACCEPT4 USE_CLOSEFROM \ +USE_GETADDRINFO) endif # NetBSD
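Review bot: the updated comment "# OpenBSD 6.3 and above" raises the minimum release from 5.7, but neither the comment nor the commit message says which of the newly enabled options (USE_THREAD, USE_CLOSEFROM, USE_GETADDRINFO) sets that floor; name it in the commit message so the version is not lowered by mistake later. Per the message, USE_THREAD is only safe once "BUILD: makefile: change default value of CC from gcc to cc" is in place, so state that this patch must be applied after that one.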
[PATCH 1/2] DOC: agent-check: fix typo in "fail" word expected reply
`tcpcheck_agent_expect_reply` expects "fail" not "failed" This should fix github issue #876 This can be backported to all maintained versions (i.e >= 1.6) as of today. Signed-off-by: William Dauchy --- doc/configuration.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 309d076aa..97ff2e499 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -13073,7 +13073,7 @@ agent-check MAINT mode, thus it will not accept any new connections at all, and health checks will be stopped. - - The words "down", "failed", or "stopped", optionally followed by a + - The words "down", "fail", or "stopped", optionally followed by a description string after a sharp ('#'). All of these mark the server's operating state as DOWN, but since the word itself is reported on the stats page, the difference allows an administrator to know if the situation was -- 2.28.0
[PATCH 2/2] DOC: crt: advise to move away from cert bundle
especially when starting to use `new ssl cert` runtime API, it might become a bit confusing for users to mix bundle and single cert, especially when it comes to use the commit command: e.g.: - start the process with `crt` loading a bundle - use `set ssl cert my_cert.pem.ecdsa`: API detects it as a replacement of a bundle. - `commit` has to be done on the bundle: `commit ssl cert my_cert.pem` however: - add a new cert: `new ssl cert my_cert.pem.rsa`: added as a single certificate - `commit` has to be done on the certificate: `commit ssl cert my_cert.pem.rsa` this should resolve github issue #872 this should probably be backported in >= v2.2 in order to encourage people to move away from bundle certificates loading. Signed-off-by: William Dauchy --- doc/configuration.txt | 7 ++- doc/management.txt| 4 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 97ff2e499..87f35e984 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -12560,10 +12560,15 @@ crt connecting with "ecdsa.example.com" will only be able to use ECDSA cipher suites. With BoringSSL and Openssl >= 1.1.1 multi-cert is natively supported, no need to bundle certificates. ECDSA certificate will be preferred if client - support it. + supports it. If a directory name is given as the argument, haproxy will automatically search and load bundled files in that directory. + It is however recommended to move away from bundle loading, especially if you + want to use the runtime API to load new certificate which does not support + bundle. A recommended way to migrate is to set `ssl-load-extra-file` + parameter to `none` in global config so that each certificate is loaded as a + single one. OSCP files (.ocsp) and issuer files (.issuer) are supported with multi-cert bundling. Each certificate can have its own .ocsp and .issuer file. At this diff --git a/doc/management.txt b/doc/management.txt index adbad95d3..42e8ddbca 100644 
--- a/doc/management.txt +++ b/doc/management.txt @@ -1725,6 +1725,10 @@ new ssl cert Create a new empty SSL certificate store to be filled with a certificate and added to a directory or a crt-list. This command should be used in combination with "set ssl cert" and "add ssl crt-list". + Note that bundle certificates are not supported; it is recommended to use + `ssl-load-extra-file none` in global config to avoid loading certificates as + bundle and then mixing with single certificates in the runtime API. This will + avoid confusion, especailly when it comes to the `commit` command. prompt Toggle the prompt at the beginning of the line and enter or leave interactive -- 2.28.0
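Review bot: in the paragraph added to the "crt" section of doc/configuration.txt, "to load new certificate which does not support bundle" reads as if the certificate, not the runtime API, lacks bundle support; suggest "to load new certificates, since the runtime API does not support bundles". The trailing context line spells OCSP as "OSCP files (.ocsp)", which is worth fixing while this paragraph is being touched.

Review bot: the note added under "new ssl cert" in doc/management.txt misspells "especially" as "especailly". The sentence "avoid loading certificates as bundle and then mixing with single certificates" would also read better as "as bundles and then mixing them with single certificates".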
Re: [PATCH] REGTESTS: replace "which" with POSIX "command"
On Sat, Sep 26, 2020, 1:39 PM Willy Tarreau wrote:

> On Sat, Sep 26, 2020 at 01:21:22PM +0500, ??? wrote:
> > Fedora docker also comes without "find" utility
> >
> > ## Gathering tests to run ##
> > ./scripts/run-regtests.sh: line 131: find: command not found
> > ## Starting vtest ##
>
> Isn't it worth filing a bug report to whoever maintains that image ?
> Because quite frankly, a UNIX-like system without the ubiquitous
> "find" command is kind of pointless. It cannot even be a matter of
> place at this point, since even busybox provides a working one if
> they need.

I'll try to rewrite "find" usage to fail if it's missing

> Willy
Re: [PATCH] REGTESTS: replace "which" with POSIX "command"
On Sat, Sep 26, 2020 at 01:21:22PM +0500, ??? wrote:
> Fedora docker also comes without "find" utility
>
> ## Gathering tests to run ##
> ./scripts/run-regtests.sh: line 131: find: command not found
> ## Starting vtest ##

Isn't it worth filing a bug report to whoever maintains that image ? Because quite frankly, a UNIX-like system without the ubiquitous "find" command is kind of pointless. It cannot even be a matter of place at this point, since even busybox provides a working one if they need.

Willy
Re: [ANNOUNCE] haproxy-2.3-dev5
On Fri, Sep 25, 2020 at 09:55:46PM +0200, Christopher Faulet wrote:
> Hi,
>
> HAProxy 2.3-dev5 was released on 2020/09/25. It added 104 new commits
> after version 2.3-dev4.

Thanks for doing this one, Christopher, you definitely saved me quite some time, allowing me to progress further on the listeners :-)

(...)

> All this description is probably a bit cryptic and it does not do Willy's
> work justice. It was amazingly hard and painful to unmangle. But, it was a
> mandatory step to add the QUIC support. The next changes to come in this
> area are about the way listeners, receivers and proxies are started,
> stopped, paused or resumed.

I'm starting to see the end of the tunnel there (well just a little bit of light), as well as some stuff that will still cause some trouble but overall we're soon about to be able to declare a QUIC listener, with a stream protocol for the upper layers with datagram for the lower ones. This will also remove a lot of the ugly tricks that were needed for the log forwarder (such as the fake "bind" lines that silently ignore unknown keywords).

Among the upcoming changes that I mentioned a while ago that I'd still like to see done before 2.3, there was:
- setting log-send-hostname by default
- enabling tune.fd.edge-triggered by default
- changing the way "http-reuse safe" works for backend H2 connections to avoid mixing two clients over the same connection and avoid head of line blocking

We're already at end of September, we must really finish quickly what's still in progress and think about stabilizing. I know we've been late on 2.2 but that didn't remove development time on 2.3 since all that was done before 2.2 was released is still there :-) So let's say that what is not merged in two weeks by 9th October will go to -next so that we still have a few weeks left to fix bugs, test and document.

In addition I'd like that for 2.4 we further shorten the merge window, that's still far too long, as we spend most of the bug-fixing time after the release instead of before, which is counter-productive. So we'll need to have pending stuff in -next anyway.

Cheers,
Willy
Re: [PATCH] REGTESTS: replace "which" with POSIX "command"
On Sat, Sep 26, 2020 at 13:14, Willy Tarreau wrote:

> Hi Ilya,
>
> On Sat, Sep 26, 2020 at 11:58:48AM +0500, ??? wrote:
> > Hello,
> >
> > I've found that "socat" was not properly detected under Fedora docker image.
>
> Thanks, now applied.
>
> > (maybe we should introduce "set -e" as well)
>
> This could be an idea, indeed. But overall any error will be spotted one
> way or another.

Fedora docker also comes without "find" utility

## Gathering tests to run ##
./scripts/run-regtests.sh: line 131: find: command not found
## Starting vtest ##
Testing with haproxy version: 2.3-dev5
No tests found that meet the required criteria
[root@fbf7e85bfd94 haproxy]# echo $?
0
[root@fbf7e85bfd94 haproxy]#

> Willy
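The run above ends with exit status 0 although "find" was missing and no test ran, which a CI job would record as a pass. The sketch below is an added example, not code from this thread or from scripts/run-regtests.sh: it checks prerequisites with "command -v" and gives an empty test run its own non-zero status. The names require_tools and gather_tests, the exit codes and the *.vtc pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; require_tools and gather_tests are hypothetical helper names.

# Return 0 only if every named tool resolves via the POSIX "command -v".
# All missing tools are reported, not just the first one.
require_tools() {
    missing=""
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            missing="$missing $tool"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing required tools:$missing" >&2
        return 1
    fi
    return 0
}

# Print the number of *.vtc files under $1 (the pattern is an assumption).
# Status: 0 = tests found, 2 = prerequisite missing or find failed,
#         3 = nothing matched.
gather_tests() {
    dir=$1
    require_tools find || return 2
    # Assign directly so find's own exit status is not hidden by a pipeline.
    list=$(find "$dir" -type f -name '*.vtc') || return 2
    if [ -z "$list" ]; then
        echo "no tests found under $dir" >&2
        return 3
    fi
    count=$(printf '%s\n' "$list" | wc -l | tr -d ' ')
    echo "$count"
}

# Constructed demo: an empty temporary directory must count as a failure.
demo_dir=$(mktemp -d)
if gather_tests "$demo_dir" >/dev/null 2>&1; then
    echo "unexpected: empty run reported success"
else
    echo "empty run rejected with status $?"
fi
rm -rf "$demo_dir"
```

A caller that propagates the status of gather_tests lets the CI job fail when the image lacks a tool, instead of reporting a green run with zero tests.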
Re: [PATCH] REGTESTS: replace "which" with POSIX "command"
Hi Ilya,

On Sat, Sep 26, 2020 at 11:58:48AM +0500, ??? wrote:
> Hello,
>
> I've found that "socat" was not properly detected under Fedora docker image.

Thanks, now applied.

> (maybe we should introduce "set -e" as well)

This could be an idea, indeed. But overall any error will be spotted one way or another.

Willy
[PATCH] REGTESTS: replace "which" with POSIX "command"
Hello, I've found that "socat" was not properly detected under Fedora docker image. (maybe we should introduce "set -e" as well) Cheers, Ilya Shipitcin From 0063a45f37c18f305ea3e1155c87e071ccce7600 Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin Date: Sat, 26 Sep 2020 11:54:27 +0500 Subject: [PATCH] REGTESTS: use "command" instead of "which" for better POSIX compatibility for example, "which" is not installed by default in Fedora docker image. --- scripts/run-regtests.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/run-regtests.sh b/scripts/run-regtests.sh index af25a6075..7bcc394cf 100755 --- a/scripts/run-regtests.sh +++ b/scripts/run-regtests.sh @@ -191,8 +191,8 @@ _findtests() { done for requiredbin in $require_binaries; do - which $requiredbin >/dev/null 2>&1 - if [ "$?" -eq "1" ]; then + if ! command -v $requiredbin >/dev/null 2>&1 + then echo " Skip $i because '"$requiredbin"' is not installed" skiptest=1 fi -- 2.26.2
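Review bot: $requiredbin is left unquoted in the added line "if ! command -v $requiredbin >/dev/null 2>&1", so the word undergoes another round of splitting and globbing before the lookup; write command -v "$requiredbin". The added lines also put "then" on its own line where the removed line used "; then", so keeping "if ! command -v "$requiredbin" >/dev/null 2>&1; then" on one line would match the style of the code being replaced.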