Hi,
HAProxy 2.2-dev5 was released on 2020/03/23. It added 99 new commits
after version 2.2-dev4.
During these last two weeks a lot of time was spent cleaning up code,
doc and reg-tests. Fortunately in addition there are still some more
visible features:
- a unique ID may now be sent and received in the PROXY protocol
for connection tracing purposes along a chain. This is mostly useful
for TCP-based protocols since in HTTP it may already be done with
HTTP headers.
- the default maxconn appeared lower than before for a number of users,
because before 2.0 it was hard-coded to 2000 (even if FD limits were
too low), and since 2.0 we relied on the soft FD limit instead of the
hard limit, so haproxy used the smallest possible number of FDs as the
upper bound. Now we rely on the hard limit instead, which makes more
sense since the goal is to allow what is permitted. This will increase
the default maxconn for users who don't set it and who don't change
their FD limit using "ulimit -n" on the command line.
- it's possible to dump the crt-lists from the command line using
"show crt-list" or "dump crt-list".
- there's now the possibility to create an SSL certificate directly
from the command line ("new ssl cert") though the commit message
suggests some parts are still missing for it to be completely usable
with crt-lists, which also hints at why it doesn't appear yet in the
doc so I don't know if I ought to speak about it or not :-)
- idle server connections may now be reused between threads. This
should significantly reduce the number of file descriptors for
setups using a large number of threads, and significantly increase
the reuse rate. Please note that this applies to *idle* connections
(i.e. not used at all). Multiplexed connections like H2 or FCGI
may still be used by a single thread at once, even though any thread
can pick them first (but there are theoretical plans to try to share
them in 2.3).
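To illustrate the unique ID TLV from the first bullet above, here is an added example (not HAProxy's own code) that builds a PROXY protocol v2 header carrying PP2_TYPE_UNIQUE_ID (0x05) and parses it back with the bounds checks a receiver needs, since the header is network input. The 128-byte upper bound on the ID is taken from the PROXY protocol specification; the address and port values are constructed sample data.

```python
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_UNIQUE_ID = 0x05       # TLV type reserved for the unique ID
PP2_UNIQUE_ID_MAX_LEN = 128     # upper bound given by the PROXY protocol spec
PP2_ADDR_LEN = {0: 0, 1: 12, 2: 36, 3: 216}  # address block size per family


def build_ppv2_header(src, dst, unique_id):
    """Build a v2 PROXY header (TCP over IPv4) carrying unique_id as TLV 0x05."""
    if len(unique_id) > PP2_UNIQUE_ID_MAX_LEN:
        raise ValueError("unique ID too long")
    addr = (socket.inet_aton(src[0]) + socket.inet_aton(dst[0])
            + struct.pack("!HH", src[1], dst[1]))
    tlv = struct.pack("!BH", PP2_TYPE_UNIQUE_ID, len(unique_id)) + unique_id
    body = addr + tlv
    # 0x21 = version 2 + PROXY command, 0x11 = AF_INET + SOCK_STREAM
    return PP2_SIGNATURE + b"\x21\x11" + struct.pack("!H", len(body)) + body


def parse_ppv2_unique_id(data):
    """Return (unique_id or None, payload offset); ValueError means drop the
    connection. Lengths are bounds-checked because the bytes are untrusted
    network input; only accept PROXY headers from configured upstream proxies."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    end = 16 + length
    if len(data) < end:
        raise ValueError("truncated header")
    pos = 16 + PP2_ADDR_LEN.get(fam >> 4, 0)    # skip the address block
    if pos > end:
        raise ValueError("address block overruns header")
    unique_id = None
    while pos + 3 <= end:
        tlv_type, tlv_len = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        if pos + tlv_len > end:
            raise ValueError("TLV overruns header")
        if tlv_type == PP2_TYPE_UNIQUE_ID:
            if tlv_len > PP2_UNIQUE_ID_MAX_LEN:
                raise ValueError("unique ID too long")
            unique_id = data[pos:pos + tlv_len]
        pos += tlv_len
    if pos != end:
        raise ValueError("trailing bytes in TLV area")
    return unique_id, end
```

The returned offset is where the proxied stream (e.g. the TLS or HTTP bytes) begins, so the ID can be logged alongside the connection before any application data is read.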
We're approaching the end of unplanned changes, so the goal will now be
to mostly focus on finishing what's already started. Regarding the
pending stuff I currently have in mind, I think there are still changes
coming on the SSL side regarding runtime certificate management, there
are pending changes on health checks to clean the horrible mess we have
accumulated since 1.1, and I made one quick attempt at implementing TCP
logs but I figured that it required one hour of work and probably one
week of code refactoring bringing no value except avoiding code
duplication, and I must confess I lost my motivation. We need to find
the sweet spot between reworking the logs at the last minute and making
sure we do something quick but forward-compatible from a configuration
perspective. A few more improvements on FD management and idle connections
are expected as well. If you have pending stuff on your side that you'd
like to see merged in 2.2, please at least speak about it now, because
code review takes a huge amount of time and those currently finishing
their work cannot always be available to review some late changes.
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : http://www.haproxy.org/download/2.2/src/
Git repository : http://git.haproxy.org/git/haproxy.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy.git
Changelog : http://www.haproxy.org/download/2.2/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
Willy
---
Complete changelog :
Balvinder Singh Rawat (1):
DOC: correct typo in alert message about rspirep
David Carlier (1):
BUILD: on ARM, must be linked to libatomic.
Emeric Brun (1):
BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
Ilya Shipitsin (7):
CLEANUP: assorted typo fixes in the code and comments
CI: add spellcheck github action
CI: travis: switch linux builds to clang-9
CI: travis: proper group output redirection together with travis_wait
DOC: assorted typo fixes in the documentation
CI: run travis-ci builds on push only, skip pull requests
CI: temporarily disable unstable travis arm64 builds
Kevin Zhu (1):
BUG/MEDIUM: spoe: dup agent's engine_id string from trash.area
Lukas Tribus (1):
DOC: ssl: clarify security implications of TLS tickets
Olivier Houchard (33):
BUG/MINOR: buffers: MT_LIST_DEL_SAFE() expects the temporary pointer.
BUG/MEDIUM: mt_lists: Make sure we set the deleted element to NULL;
MINOR: mt_lists: Appease gcc.
MINOR: lists: Implement function to convert list => mt_list and mt_list => list
MINOR: servers: Kill priv_conns.
MINOR: lists: fix indentation.
BUG/MEDIUM: connections: Don't assume the connection has a valid session.
BUG/MEDIUM: pools: Always update free_list in pool_gc().
MINOR: fd: Use a separate lock for logs instead of abusing the fd lock.
MINOR: mux_pt: Don't try to remove the connection from the idle list.
MEDIUM: fd: Introduce a running mask, and use it instead of the spinlock.
MINOR: tasks: Provide the tasklet to the callback.
MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue().
MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc.
MEDIUM: sessions: Don't be responsible for connections anymore.
MEDIUM: servers: Split the connections into idle, safe, and available.
MINOR: fd: Implement fd_takeover().
MINOR: connections: Add a new mux method, "takeover".
MINOR: connections: Make the "list" element a struct mt_list instead of list.
MINOR: connections: Add a flag to know if we're in the safe or idle list.
MEDIUM: connections: Attempt to get idle connections from other threads.
MEDIUM: mux_h1: Implement the takeover() method.
MEDIUM: mux_h2: Implement the takeover() method.
MEDIUM: mux_fcgi: Implement the takeover() method.
MEDIUM: connections: Kill connections even if we are reusing one.
BUG/MEDIUM: connections: Don't forget to decrement idle connection counters.
BUG/MEDIUM: build: Fix compilation by spelling decl correctly.
BUILD/MEDIUM: fd: Declare fd_mig_lock as extern.
BUG/MINOR: connections: Make sure we free the connection on failure.
BUG/MEDIUM: h1: Make sure we subscribe before going into idle list.
BUG/MINOR: connections: Set idle_time before adding to idle list.
MINOR: muxes: Note that we can't usee a connection when added to the srv idle.
Tim Duesterhus (8):
DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
MINOR: proxy_protocol: Ingest PP2_TYPE_UNIQUE_ID on incoming connections
MEDIUM: proxy_protocol: Support sending unique IDs using PPv2
CLEANUP: connection: Add blank line after declarations in PP handling
CLEANUP: connection: Stop directly setting an ist's .ptr
BUG/MINOR: pattern: Do not pass len = 0 to calloc()
BUG/MINOR: ssl: Do not free garbage pointers on memory allocation failure
BUG/MINOR: ssl: Correctly add the 1 for the sentinel to the number of elements
William Lallemand (17):
CLEANUP: ssl: is_default is a bit in ckch_inst
BUG/MINOR: ssl/cli: sni_ctx' mustn't always be used as filters
CLEANUP: ssl: separate the directory loading in a new function
REORG: ssl: move ssl_sock_load_cert()
MINOR: ssl: pass ckch_inst to ssl_sock_load_ckchs()
MEDIUM: ssl: allow crt-list caching
MINOR: ssl: directories are loaded like crt-list
BUG/MINOR: ssl: can't open directories anymore
MINOR: ssl/cli: show/dump ssl crt-list
BUG/MINOR: ssl/cli: free the trash chunk in dump_crtlist
BUG/MINOR: ssl: memory leak in crtlist_parse_file()
BUG/MINOR: ssl: memleak of struct crtlist_entry
MINOR: ssl/cli: 'new ssl cert' command
MINOR: ssl/cli: show certificate status in 'show ssl cert'
BUG/MINOR: ssl: crtlist_dup_filters() must return NULL with fcount == 0
BUG/MINOR: ssl/cli: free BIO upon error in 'show ssl cert'
BUG/MINOR: ssl/cli: fix a potential NULL dereference
Willy Tarreau (29):
CLEANUP: remove support for Linux i686 vsyscalls
CLEANUP: drop support for USE_MY_ACCEPT4
CLEANUP: remove support for USE_MY_EPOLL
CLEANUP: remove support for USE_MY_SPLICE
CLEANUP: remove the now unused common/syscall.h
BUILD: make dladdr1 depend on glibc version and not __USE_GNU
BUILD: wdt: only test for SI_TKILL when compiled with thread support
BUILD: Makefile: the compiler-specific flags should all be in SPEC_CFLAGS
MINOR: init: move the maxsock calculation code to compute_ideal_maxsock()
MEDIUM: init: always try to push the FD limit when maxconn is set from -m
BUG/MAJOR: list: fix invalid element address calculation
BUILD: stream-int: fix a few includes dependencies
BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
BUG/MINOR: haproxy: always initialize sleeping_thread_mask
BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
BUG/MINOR: haproxy/threads: try to make all threads leave together
Revert "BUILD: travis-ci: enable s390x builds"
BUILD: travis-ci: enable regular s390x builds
MINOR: debug: add a new DISGUISE() macro to pass a value as identity
MINOR: debug: consume the write() result in BUG_ON() to silence a warning
MINOR: use DISGUISE() everywhere we deliberately want to ignore a result
BUILD: pools: silence build warnings with DEBUG_MEMORY_POOLS and DEBUG_UAF
CI: travis: revert to clang-7 for BoringSSL tests
BUILD: makefile: fix regex syntax in ARM platform detection
BUILD: makefile: fix expression again to detect ARM platform
CI: travis: re-enable ASAN on clang
REGTEST: increase timeouts on the seamless-reload test
BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
CLEANUP: haproxy/threads: don't check global_tasks_mask twice
---