Hi,

HAProxy 2.9.5 was released on 2024/02/15. It added 48 new commits
after version 2.9.4.

In the two weeks since 2.9.4, not much new stuff was fixed, but enough to
warrant a new version in order to flush the pipe:

- an issue discovered in 3.0-dev3 where applets using the new zero-copy
  mechanism could sometimes stay stuck (I found the stats page frozen
  during a rendering while it was using compression). Zero-copy from
  applets was not implemented in 2.9, but after analysis, it turns out
  that nothing guarantees this issue cannot happen as well with regular
  connections, it's just less likely, hence the fix in 2.9.

- a rare deadlock was found on the pools code, it can be triggered at
  stopping time and crash the old process. It's been there since 2.5,
  and is difficult to trigger, but a user faced it and that's how we
  learned about it (GH issue #2427, thanks to user @JB0925).

- we finished our round of analysis, documentation and fixes for the
  QUIC congestion control code and figured a few causes of corner cases
  that can occasionally cause more performance degradation than expected,
  especially on the loss detection and reordering part. For this, a new
  global setting "tune.quic.reorder-ratio" makes it possible to indicate what portion
  of the in flight window can appear to be reordered before declaring a
  loss. There's now a separate counter per connection for the reordered
  packets that will help us figure what's happening. Tests on degraded
  networks showed a x10 performance increase with the new default setting.

- some more CLI commands were found to occasionally miss the trailing
  line feed, possibly confusing scripts and APIs. These were corrected,
  and a more general fix was applied to the command line processor to
  make sure each command always finishes with exactly one LF.

- an issue fixed two months ago affecting how H2 detects errors was
  finally backported. It sometimes reports server errors in the logs
  ("SD--") while the entire response was already delivered to the client.
  That's the eternal issue of how long it takes to flush the last bytes
  while there's a close pending, and who notices the close condition
  first. The fix has been doing well on haproxy.org for 2 months and
  doesn't indicate that any additional one would be needed, it was about
  time to backport it.

- an OCSP update reference counting issue was fixed, which was apparently
  causing some certificates to reference a just freed OCSP response. Also
  on errors, the reported message from the OCSP updater was confusing
  (this one is in issue #2432, thanks to Frank Wall for the report).

- when deleting a crt-list line from the CLI, a dangling pointer reference
  could be left, with the possible effect of causing a crash. Apparently
  it has been the case since 2.4 so it seems that not that many people
  use "del ssl crt-list" or that the occurrence is quite rare.

- in some cases some applets (namely the CLI) would ignore their timeout
  if the incoming communication channel was already half-closed, leaving the
  connection hanging forever. It seems to be the same issue as the one
  @brenc reported in issue #2429.

- the diag warnings (enabled using -dD) were not all run when checking
  a config with "-c"! One would have to explicitly try to start the config
  to run the last ones. The only missing ones were the duplicate server
  cookie check.

- Abhijeet Rastogi found that we still didn't recommend PCRE2 over
  PCRE, which is no longer maintained. It was just an oversight and the doc
  was updated.

- and the usual CI updates (support for cache API v4, thanks to Tim), doc
  cleanups and updates. 

And that's all. Quite honestly, despite some of them looking scary at
first glance, there's no emergency to update from 2.9.4 if you're not
facing exactly these issues, as the vast majority of them are either
very isolated in certain parts, or just unlikely to trigger. But if you
haven't yet upgraded to 2.9.4, just skip it for 2.9.5. The main point
here was first and foremost to make sure that those wishing to upgrade
from 2.8 to 2.9 have the same level of fixes.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.9/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.9.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.9.git
   Changelog        : https://www.haproxy.org/download/2.9/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Abhijeet Rastogi (1):
      DOC: install: recommend pcre2

Aurelien DARRAGON (4):
      BUILD: debug: remove leftover parentheses in ABORT_NOW()
      DOC: config: fix misplaced "txn.conn_retries"
      DOC: config: fix typos for "bytes_{in,out}"
      DOC: config: fix misplaced "bytes_{in,out}"

Christopher Faulet (12):
      BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending
      BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up
      CLEANUP: stconn: Move SE flags set by app layer at the end of the bitfield
      MINOR: stconn: Rename SE_FL_MAY_FASTFWD and reorder bitfield
      MINOR: stconn: Add SE flag to announce zero-copy forwarding on consumer side
      MINOR: muxes: Announce support for zero-copy forwarding on consumer side
      BUG/MAJOR: stconn: Check support for zero-copy forwarding on both sides
      MINOR: muxes/applet: Simplify checks on options to disable zero-copy forwarding
      BUG/MEDIUM: mux-h2: Switch pending error to error if demux buffer is empty
      BUG/MEDIUM: mux-h2: Only Report H2C error on read error if demux buffer is empty
      BUG/MEDIUM: mux-h2: Don't report error on SE if error is only pending on H2C
      BUG/MEDIUM: mux-h2: Don't report error on SE for closed H2 streams

Frederic Lecaille (9):
      BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.
      BUILD: quic: Variable name typo inside a BUG_ON().
      CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)
      BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation
      MINOR: quic: Stop using 1024th of a second.
      BUG/MEDIUM: quic: Wrong K CUBIC calculation.
      MINOR: quic: Update K CUBIC calculation (RFC 9438)
      MINOR: quic: Dynamic packet reordering threshold
      MINOR: quic: Add a counter for reordered packets

Remi Tricot-Le Breton (10):
      BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call
      BUG/MINOR: ssl: Duplicate ocsp update mode when dup'ing ckch
      BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line
      MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
      BUG/MEDIUM: ocsp: Separate refcount per instance and per store
      BUG/MINOR: ssl: Destroy ckch instances before the store during deinit
      BUG/MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list"
      REGTESTS: ssl: Fix empty line in cli command input
      REGTESTS: ssl: Add OCSP related tests
      BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing

Tim Duesterhus (1):
      CI: Update to actions/cache@v4

Willy Tarreau (11):
      BUG/MINOR: diag: always show the version before dumping a diag warning
      BUG/MINOR: diag: run the final diags before quitting when using -c
      MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding
      MINOR: debug: make sure calls to ha_crash_now() are never merged
      MINOR: debug: make ABORT_NOW() store the caller's line number when using abort
      MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT
      DOC: internal: update missing data types in peers-v2.0.txt
      BUG/MINOR: vars/cli: fix missing LF after "get var" output
      BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
      BUILD: address a few remaining calloc(size, n) cases
      BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()
