Hi,

HAProxy 2.9.5 was released on 2024/02/15. It added 48 new commits after version 2.9.4.

In two weeks since 2.9.4, not much new stuff was fixed, but enough to warrant a new version in order to flush the pipe:

  - an issue discovered in 3.0-dev3 where applets using the new zero-copy mechanism could sometimes stay stuck (I found the stats page frozen during a rendering while it was using compression). Zero-copy from applets was not implemented in 2.9, but after analysis, it turns out that nothing guarantees this issue cannot happen as well with regular connections, it's just less likely, hence the fix in 2.9.

  - a rare deadlock was found on the pools code, it can be triggered at stopping time and crash the old process. It's been there since 2.5, and is difficult to trigger, but a user faced it and that's how we learned about it (GH issue #2427, thanks to user @JB0925).

  - we finished our round of analysis, documentation and fixes for the QUIC congestion control code and figured a few causes of corner cases that can occasionally cause more performance degradation than expected, especially on the loss detection and reordering part. For this, a new global setting "tune.quic.reorder-ratio" allows to indicate what portion of the in flight window can appear to be reordered before declaring a loss. There's now a separate counter per connection for the reordered packets that will help us figure what's happening. Tests on degraded networks showed a x10 performance increase with the new default setting.

  - some more CLI commands were found to occasionally miss the trailing line feed, possibly confusing scripts and APIs. These were corrected, and a more general fix was applied to the command line processor to make sure each command always finishes with exactly one LF.

  - an issue fixed two months ago affecting how H2 detects errors was finally backported. It sometimes reports server errors in the logs ("SD--") while the entire response was already delivered to the client. That's the eternal issue of how long it takes to flush the last bytes while there's a close pending, and who notices the close condition first. The fix has been doing well on haproxy.org for 2 months and doesn't indicate that any additional one would be needed, it was about time to backport it.

  - an OCSP update reference counting issue was fixed, which was apparently causing some certificates to reference a just freed OCSP response. Also on errors, the reported message from the OCSP updater was confusing (this one is in issue #2432, thanks to Frank Wall for the report).

  - when deleting a crt-list line from the CLI, a dangling pointer reference could be left, with the possible effect of causing a crash. Apparently it has been the case since 2.4 so it seems that not that many people use "del ssl crt-list" or that the occurrence is quite rare.

  - in some cases some applets (namely the CLI) would ignore their timeout if the incoming communication channel was already half-closed, leaving the connection hanging forever. It seems to be the same issue as the one @brenc reported in issue #2429.

  - the diag warnings (enabled using -dD) were not all run when checking a config with "-c"! One would have to explicitly try to start the config to run the last ones. The only missing ones were the duplicate server cookie check.

  - Abhijeet Rastogi found that we still didn't recommend PCRE2 over PCRE, which is no longer maintained. It was just an oversight and the doc was updated.

  - and the usual CI updates (support for cache API v4, thanks to Tim), doc cleanups and updates.

And that's all. Quite honestly, despite some of them looking scary at first glance, there's no emergency to update from 2.9.4 if you're not facing exactly these issues, as the vast majority of them are either very isolated in certain parts, or just unlikely to trigger. But if you haven't yet upgraded to 2.9.4, just skip it for 2.9.5.
The main point here was first and foremost to make sure that those wishing to upgrade from 2.8 to 2.9 have the same level of fixes.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.9/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.9.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.9.git
   Changelog        : https://www.haproxy.org/download/2.9/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy

---
Complete changelog :

Abhijeet Rastogi (1):
      DOC: install: recommend pcre2

Aurelien DARRAGON (4):
      BUILD: debug: remove leftover parentheses in ABORT_NOW()
      DOC: config: fix misplaced "txn.conn_retries"
      DOC: config: fix typos for "bytes_{in,out}"
      DOC: config: fix misplaced "bytes_{in,out}"

Christopher Faulet (12):
      BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending
      BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up
      CLEANUP: stconn: Move SE flags set by app layer at the end of the bitfield
      MINOR: stconn: Rename SE_FL_MAY_FASTFWD and reorder bitfield
      MINOR: stconn: Add SE flag to announce zero-copy forwarding on consumer side
      MINOR: muxes: Announce support for zero-copy forwarding on consumer side
      BUG/MAJOR: stconn: Check support for zero-copy forwarding on both sides
      MINOR: muxes/applet: Simplify checks on options to disable zero-copy forwarding
      BUG/MEDIUM: mux-h2: Switch pending error to error if demux buffer is empty
      BUG/MEDIUM: mux-h2: Only Report H2C error on read error if demux buffer is empty
      BUG/MEDIUM: mux-h2: Don't report error on SE if error is only pending on H2C
      BUG/MEDIUM: mux-h2: Don't report error on SE for closed H2 streams

Frederic Lecaille (9):
      BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.
      BUILD: quic: Variable name typo inside a BUG_ON().
      CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)
      BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation
      MINOR: quic: Stop using 1024th of a second.
      BUG/MEDIUM: quic: Wrong K CUBIC calculation.
      MINOR: quic: Update K CUBIC calculation (RFC 9438)
      MINOR: quic: Dynamic packet reordering threshold
      MINOR: quic: Add a counter for reordered packets

Remi Tricot-Le Breton (10):
      BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call
      BUG/MINOR: ssl: Duplicate ocsp update mode when dup'ing ckch
      BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line
      MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
      BUG/MEDIUM: ocsp: Separate refcount per instance and per store
      BUG/MINOR: ssl: Destroy ckch instances before the store during deinit
      BUG/MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list"
      REGTESTS: ssl: Fix empty line in cli command input
      REGTESTS: ssl: Add OCSP related tests
      BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing

Tim Duesterhus (1):
      CI: Update to actions/cache@v4

Willy Tarreau (11):
      BUG/MINOR: diag: always show the version before dumping a diag warning
      BUG/MINOR: diag: run the final diags before quitting when using -c
      MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding
      MINOR: debug: make sure calls to ha_crash_now() are never merged
      MINOR: debug: make ABORT_NOW() store the caller's line number when using abort
      MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT
      DOC: internal: update missing data types in peers-v2.0.txt
      BUG/MINOR: vars/cli: fix missing LF after "get var" output
      BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
      BUILD: address a few remaining calloc(size, n) cases
      BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()

---