Re: Runaway process

2019-07-11 Thread Sander Klein

On 2019-07-12 04:27, Willy Tarreau wrote:

> If you can at least show the backtrace, this could be useful and we
> can see if the core would be needed or not. Maybe this will match
> another known bug.

This is the BT of yesterday:

---
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 27066
[New LWP 27067]
[New LWP 27068]
[New LWP 27069]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x7f08655ef303 in epoll_wait () at ../sysdeps/unix/syscall-template.S:84
84  ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) thread apply all bt

Thread 4 (Thread 0x7f084d058700 (LWP 27069)):
#0  0x7f08655ef303 in epoll_wait () at ../sysdeps/unix/syscall-template.S:84
#1  0x562cea640f95 in ?? ()
#2  0x562cea6e6792 in ?? ()
#3  0x7f08c4a4 in start_thread (arg=0x7f084d058700) at pthread_create.c:456
#4  0x7f08655eed0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Thread 3 (Thread 0x7f084d859700 (LWP 27068)):
#0  0x562cea6af336 in ?? ()
#1  0x562cea73cd1d in si_cs_send ()
#2  0x562cea73d90a in si_update_both ()
#3  0x562cea6a1976 in process_stream ()
#4  0x562cea770728 in process_runnable_tasks ()
#5  0x562cea6e67c1 in ?? ()
#6  0x7f08c4a4 in start_thread (arg=0x7f084d859700) at pthread_create.c:456
#7  0x7f08655eed0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Thread 2 (Thread 0x7f084e05a700 (LWP 27067)):
#0  0x7f08655ef303 in epoll_wait () at ../sysdeps/unix/syscall-template.S:84
#1  0x562cea640f95 in ?? ()
#2  0x562cea6e6792 in ?? ()
#3  0x7f08c4a4 in start_thread (arg=0x7f084e05a700) at pthread_create.c:456
#4  0x7f08655eed0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Thread 1 (Thread 0x7f0866e5c180 (LWP 27066)):
#0  0x7f08655ef303 in epoll_wait () at ../sysdeps/unix/syscall-template.S:84
#1  0x562cea640f95 in ?? ()
#2  0x562cea6e6792 in ?? ()
#3  0x562cea63e96c in main ()
---

And today I had another one:

---
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 6982
[New LWP 6983]
[New LWP 6984]
[New LWP 6985]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x7fbdf0713303 in epoll_wait () at ../sysdeps/unix/syscall-template.S:84
84  ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) thread apply all bt

Thread 4 (Thread 0x7fbdd817c700 (LWP 6985)):
#0  0x5606dd570457 in ?? ()
#1  0x5606dd5fdd1d in si_cs_send ()
#2  0x5606dd5ff45d in si_cs_io_cb ()
#3  0x5606dd6319a6 in process_runnable_tasks ()
#4  0x5606dd5a77c1 in ?? ()
#5  0x7fbdf17904a4 in start_thread (arg=0x7fbdd817c700) at pthread_create.c:456
#6  0x7fbdf0712d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Thread 3 (Thread 0x7fbdd897d700 (LWP 6984)):
#0  0x7fbdf0713303 in epoll_wait () at ../sysdeps/unix/syscall-template.S:84
#1  0x5606dd501f95 in ?? ()
#2  0x5606dd5a7792 in ?? ()
#3  0x7fbdf17904a4 in start_thread (arg=0x7fbdd897d700) at pthread_create.c:456
#4  0x7fbdf0712d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Thread 2 (Thread 0x7fbdd917e700 (LWP 6983)):
#0  0x7fbdf0713303 in epoll_wait () at ../sysdeps/unix/syscall-template.S:84
#1  0x5606dd501f95 in ?? ()
#2  0x5606dd5a7792 in ?? ()
#3  0x7fbdf17904a4 in start_thread (arg=0x7fbdd917e700) at pthread_create.c:456
#4  0x7fbdf0712d0f in clone () at 
..

Re: [PATCH] MEDIUM: config: Add user/group options to program section

2019-07-11 Thread Willy Tarreau
On Fri, Jul 12, 2019 at 11:50:25AM +0800, Andrew Heberle wrote:
> Hi Willy,
> 
> It looks like my mailer was mangling the tabs so I'm hoping
> my (first) attempt at using git send-patch is more
> successful.
> 
> I have also updated the commit message.

Looks much better indeed :-) I'll let William check this, he can
merge it if he's OK with this update.

Thank you!
Willy



[PATCH] MEDIUM: config: Add user/group options to program section

2019-07-11 Thread Andrew Heberle
This patch adds "user" and "group" config options to the "program"
section so the configured command can be run as a different user.
---
 doc/configuration.txt  |  8 ++
 include/types/global.h |  2 ++
 src/mworker-prog.c | 70 ++
 3 files changed, 80 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index a46384bf..98940a0e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2232,6 +2232,14 @@ command  [arguments*]
   mandatory option of the program section. Arguments containing spaces must
   be enclosed in quotes or double quotes or be prefixed by a backslash.
 
+user 
+  Changes the executed command user ID to the  from /etc/passwd.
+  See also "group".
+
+group 
+  Changes the executed command group ID to the  from /etc/group.
+  See also "user".
+
 option start-on-reload
 no option start-on-reload
   Start (or not) a new instance of the program upon a reload of the master.
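
Review bot: the new "user" and "group" entries do not say what happens when the switch cannot be made or when only one of the two keywords is given. Going by the mworker-prog.c hunks of this patch, the value is looked up as a name with getpwnam(), a failed setgid()/setuid() makes the child exit(1) before execvp(), and "user" on its own leaves the group as it was; a sentence for each of these belongs in the two entries.
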
diff --git a/include/types/global.h b/include/types/global.h
index df0111c7..b6ba6737 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -215,6 +215,8 @@ struct mworker_proc {
int timestamp;
struct server *srv; /* the server entry in the master proxy */
struct list list;
+   int uid;
+   int gid;
 };
 
 extern struct global global;
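
Review bot: uid and gid are added to struct mworker_proc as plain int and without a comment, unlike srv two lines above. The parser stores (int)ext_child_user->pw_uid and uses -1 for "not set", so an ID that does not fit in an int is changed by the cast and can collide with the sentinel; consider uid_t/gid_t with a separate "set" flag, or at least document the -1 convention on these two fields.
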
diff --git a/src/mworker-prog.c b/src/mworker-prog.c
index ba52406e..1d401a3c 100644
--- a/src/mworker-prog.c
+++ b/src/mworker-prog.c
@@ -15,6 +15,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -91,6 +92,23 @@ int mworker_ext_launch_all()
mworker_cleanlisteners();
mworker_cleantasks();
 
+   /* setgid / setuid */
+   if (child->gid != -1) {
+   if (getgroups(0, NULL) > 0 && 
setgroups(0, NULL) == -1)
+   ha_warning("[%s.main()] Failed 
to drop supplementary groups. Using 'gid'/'group'"
+   " without 'uid'/'user' 
is generally useless.\n", child->command[0]);
+
+   if (setgid(child->gid) == -1) {
+   ha_alert("[%s.main()] Cannot 
set gid %d.\n", child->command[0], child->gid);
+   exit(1);
+   }
+   }
+
+   if (child->uid != -1 && setuid(child->uid) == 
-1) {
+   ha_alert("[%s.main()] Cannot set uid 
%d.\n", child->command[0], child->gid);
+   exit(1);
+   }
+
execvp(child->command[0], child->command);
 
ha_alert("Cannot execute %s: %s\n", 
child->command[0], strerror(errno));
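
Review bot: when only "user" is configured (child->gid == -1) the whole setgroups()/setgid() block is skipped, so the program runs under the new uid but keeps the master's gid and supplementary groups. Consider dropping the supplementary groups whenever either value is set, and defaulting the gid to the primary group of the passwd entry when no "group" is given. Separately, the "Cannot set uid %d" alert is passed child->gid; it should print child->uid.
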
@@ -143,6 +161,8 @@ int cfg_parse_program(const char *file, int linenum, char 
**args, int kwm)
ext_child->ipc_fd[0] = -1;
ext_child->ipc_fd[1] = -1;
ext_child->options |= PROC_O_START_RELOAD; /* restart the 
programs by default */
+   ext_child->uid = -1;
+   ext_child->gid = -1;
LIST_INIT(&ext_child->list);
 
list_for_each_entry(child, &proc_list, list) {
@@ -219,6 +239,56 @@ int cfg_parse_program(const char *file, int linenum, char 
**args, int kwm)
err_code |= ERR_ALERT | ERR_FATAL;
goto error;
}
+   } else if (!strcmp(args[0], "user")) {
+   struct passwd *ext_child_user;
+   if (*(args[1]) == '\0') {
+   ha_alert("parsing [%s:%d]: '%s' expects a user name.\n",
+file, linenum, args[0]);
+   err_code |= ERR_ALERT | ERR_FATAL;
+   goto error;
+   }
+
+   if (alertif_too_many_args(1, file, linenum, args, &err_code))
+   goto error;
+
+   if (ext_child->uid != -1) {
+   ha_alert("parsing [%s:%d] : user/uid already specified. 
Continuing.\n", file, linenum);
+   err_code |= ERR_ALERT;
+   goto out;
+   }
+
+   ext_child_user = getpwnam(args[1]);
+   if (ext_child_user != NULL) {
+   ext_child->uid = (int)ext_child_user->pw_uid;
+   } else {
+   ha_alert("parsing [%s:%d] : cannot find user id for 
'%s' (%d:%s)\n", file, linenum, args[1], errno, strerror(errno));
+   err_code |= ERR_ALERT | ERR_FATAL;
+   }
+   } else if (!strcmp(args[0], "group")) {
+   struct group *ext_child_group;
+   if (*(a
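
Review bot: in the "user" branch the getpwnam() failure message prints errno and strerror(errno), but errno is not cleared before the call, so for a name that simply has no entry the alert can show a stale or unrelated error. Set errno = 0 right before getpwnam(args[1]) and append the error text only when it is non-zero afterwards.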

Re: [PATCH] MEDIUM: config: Add user/group options to program section

2019-07-11 Thread Andrew Heberle
Hi Willy,

It looks like my mailer was mangling the tabs so I'm hoping
my (first) attempt at using git send-patch is more
successful.

I have also updated the commit message.

Thanks.

Regards,

Andrew Heberle



Re: [PATCH] MEDIUM: config: Add user/group options to program section

2019-07-11 Thread Willy Tarreau
Hi Andrew,

On Fri, Jul 12, 2019 at 09:12:42AM +0800, Andrew Heberle wrote:
> This patch adds "user" and "group" config options to the "program"
> section so the configured command can be run as a different user.
> 
> I re-used the setuid/setgid code from "haproxy.c" for this so I'm
> hoping there are not terrible bugs I've introduced :)

Thanks for this. However the description above is exactly what should
have been placed into the commit message which currently is empty.

Also, you have indentation issues below :

> --- a/include/types/global.h
> +++ b/include/types/global.h
> @@ -215,6 +215,8 @@ struct mworker_proc {
>int timestamp;
>struct server *srv; /* the server entry in the master proxy */
>struct list list;
> +   int uid;
> +   int gid;
> };

See above, the patch is mangled, tabs were replaced with spaces.
Same below :

> --- a/src/mworker-prog.c
> +++ b/src/mworker-prog.c
> @@ -15,6 +15,7 @@
> #include 
> #include 
> #include 
> +#include 
> #include 
> #include 
> #include 
> @@ -91,6 +92,23 @@ int mworker_ext_launch_all()
>mworker_cleanlisteners();
>mworker_cleantasks();
> +   /* setgid / setuid */
> +   if (child->gid != -1) {
> +   if (getgroups(0, NULL) > 0 && setgroups(0, NULL) == -1)
> +   ha_warning("[%s.main()] Failed to drop
> supplementary groups. Using 'gid'/'group'"
> +   " without 'uid'/'user' is generally
> useless.\n", child->command[0]);

It might be your mailer, but it could also be your editor. It looks like
each tab was replaced with series of 4 spaces.

Thanks,
Willy



Re: Runaway process

2019-07-11 Thread Willy Tarreau
Hi Sander,

On Thu, Jul 11, 2019 at 01:28:50PM +0200, Sander Klein wrote:
> On 2019-07-11 12:27, Tim Düsterhus wrote:
> > Try attaching to the process with `gdb -p 12345` with 12345 being the
> > process ID. Then:
> > 
> > 1. Get a backtrace for all threads: thread apply all bt
> > 2. Generate a core file: generate-core-file
> > 
> > If you are also able to connect to the stats socket of that process then
> > the following might be helpful as well:
> > 
> > 1. show info
> > 2. show fd
> > 3. show activity
> > 4. show sess all
> 
> I've created the backtrace and the core file. I couldn't connect to the
> stats socket anymore so no info on that.
> 
> If a dev is interested I can send it.

If you can at least show the backtrace, this could be useful and we
can see if the core would be needed or not. Maybe this will match
another known bug.

Thanks!
Willy



[PATCH] MEDIUM: config: Add user/group options to program section

2019-07-11 Thread Andrew Heberle
This patch adds "user" and "group" config options to the "program"
section so the configured command can be run as a different user.

I re-used the setuid/setgid code from "haproxy.c" for this so I'm
hoping there are not terrible bugs I've introduced :)

Regards,

Andrew Heberle

>From 571715863738524e3f01fa842f8816f181777b89 Mon Sep 17 00:00:00 2001
From: Andrew Heberle 
Date: Thu, 11 Jul 2019 10:57:19 +0800
Subject: [PATCH] MEDIUM: config: Add user/group options to program section

---
doc/configuration.txt | 8 ++
include/types/global.h | 2 ++
src/mworker-prog.c | 70 ++
3 files changed, 80 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index a46384bf..98940a0e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2232,6 +2232,14 @@ command  [arguments*]
mandatory option of the program section. Arguments containing spaces must
be enclosed in quotes or double quotes or be prefixed by a backslash.
+user 
+ Changes the executed command user ID to the  from /etc/passwd.
+ See also "group".
+
+group 
+ Changes the executed command group ID to the  from /etc/group.
+ See also "user".
+
option start-on-reload
no option start-on-reload
Start (or not) a new instance of the program upon a reload of the master.
diff --git a/include/types/global.h b/include/types/global.h
index df0111c7..b6ba6737 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -215,6 +215,8 @@ struct mworker_proc {
   int timestamp;
   struct server *srv; /* the server entry in the master proxy */
   struct list list;
+   int uid;
+   int gid;
};
extern struct global global;
diff --git a/src/mworker-prog.c b/src/mworker-prog.c
index ba52406e..1d401a3c 100644
--- a/src/mworker-prog.c
+++ b/src/mworker-prog.c
@@ -15,6 +15,7 @@
#include 
#include 
#include 
+#include 
#include 
#include 
#include 
@@ -91,6 +92,23 @@ int mworker_ext_launch_all()
   mworker_cleanlisteners();
   mworker_cleantasks();
+   /* setgid / setuid */
+   if (child->gid != -1) {
+   if (getgroups(0, NULL) > 0 && setgroups(0, NULL) == -1)
+   ha_warning("[%s.main()] Failed to drop
supplementary groups. Using 'gid'/'group'"
+   " without 'uid'/'user' is generally
useless.\n", child->command[0]);
+
+   if (setgid(child->gid) == -1) {
+   ha_alert("[%s.main()] Cannot set gid %d.\n",
child->command[0], child->gid);
+   exit(1);
+   }
+   }
+
+   if (child->uid != -1 && setuid(child->uid) == -1) {
+   ha_alert("[%s.main()] Cannot set uid %d.\n",
child->command[0], child->gid);
+   exit(1);
+   }
+
   execvp(child->command[0], child->command);
   ha_alert("Cannot execute %s: %s\n", child->command[0],
strerror(errno));
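
Review bot: a failing setgroups(0, NULL) at the top of the gid block is only reported through ha_warning() and the code carries on to setgid() and execvp(), while the setgid() and setuid() failures right below it are fatal. A program that starts with the master's supplementary groups still attached has not been dropped to the requested identity, so this case should use ha_alert() and exit(1) as well. The warning text also refers to 'gid' and 'uid', while the documentation hunk of this patch only adds "user" and "group".
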
@@ -143,6 +161,8 @@ int cfg_parse_program(const char *file, int
linenum, char **args, int kwm)
   ext_child->ipc_fd[0] = -1;
   ext_child->ipc_fd[1] = -1;
   ext_child->options |= PROC_O_START_RELOAD; /* restart the
programs by default */
+   ext_child->uid = -1;
+   ext_child->gid = -1;
   LIST_INIT(&ext_child->list);
   list_for_each_entry(child, &proc_list, list) {
@@ -219,6 +239,56 @@ int cfg_parse_program(const char *file, int
linenum, char **args, int kwm)
   err_code |= ERR_ALERT | ERR_FATAL;
   goto error;
   }
+   } else if (!strcmp(args[0], "user")) {
+   struct passwd *ext_child_user;
+   if (*(args[1]) == '\0') {
+   ha_alert("parsing [%s:%d]: '%s' expects a user name.\n",
+file, linenum, args[0]);
+   err_code |= ERR_ALERT | ERR_FATAL;
+   goto error;
+   }
+
+   if (alertif_too_many_args(1, file, linenum, args, &err_code))
+   goto error;
+
+   if (ext_child->uid != -1) {
+   ha_alert("parsing [%s:%d] : user/uid already specified.
Continuing.\n", file, linenum);
+   err_code |= ERR_ALERT;
+   goto out;
+   }
+
+   ext_child_user = getpwnam(args[1]);
+   if (ext_child_user != NULL) {
+   ext_child->uid = (int)ext_child_user->pw_uid;
+   } else {
+   ha_alert("parsing [%s:%d] : cannot find user id for '%s'
(%d:%s)\n", file, linenum, args[1], errno, strerror(errno));
+   err_code |= ERR_ALERT | ERR_FATAL;
+   }
+   } else if (!strcmp(args[0], "group")) {
+   struct group *ext_child_group;
+   if (*(args[1]) == '\0') {
+   ha_alert("parsing [%s:%d]: '%s' expects a group name.\n",
+file, linenum, args[0]);
+   err_code |= ERR_ALERT | ERR_FATAL;
+   goto error;
+   }
+
+   if (alertif_too_many_args(1, file, linenum, args, &err_code))
+   goto error;
+
+   if (ext_child->gid != -1) {
+   ha_alert("parsing [%s:%d] : group/gid already spe
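
Review bot: the "user/uid already specified" check calls ha_alert() but sets only ERR_ALERT and jumps to out, so a section with two "user" lines still loads and keeps the first value while logging at alert level. Either make the duplicate fatal like the other errors in this hunk (ERR_ALERT | ERR_FATAL, goto error) or report it with ha_warning() and ERR_WARN so the log level matches the outcome; the same applies to the group branch that starts the same way.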

Re: Unify equal acl between backends

2019-07-11 Thread Lukas Tribus
Hello Ricardo,


On Thu, 11 Jul 2019 at 10:01, Ricardo Fraile  wrote:
> I tried to set the list under single and double quotes, the error
> disappears but it didn't work. Using () and {} still had the error.
> Setting only one extension works, two, only with the first on the list.
>
> What is the right assignment to use in setenv?

setenv pxstatic ".gif .jpg .png"
setenv pxstatic '.gif .jpg .png'
setenv pxstatic .gif\ .jpg\ .png

all works fine (meaning the env is correctly set).

This is not a env var issue, but it looks like the config/acl
subsystem does not handle multiple patterns correctly when env vars
are used.

I have filed issue #165 for this:

https://github.com/haproxy/haproxy/issues/165


Let's see if we can fix it.


cheers,
lukas



Re: Upgrade from 1.7 to 2.0 = increased CPU usage

2019-07-11 Thread Lukas Tribus
Hello Elias,

On Thu, 11 Jul 2019 at 17:05, Elias Abacioglu
 wrote:
>
> I just reverted back to haproxy 1.7 now.
> To be more accurate, CPU idle is around ~48% for core 2-3.

I suggest to wait for 2.0.2 or pull the current 2.0 git tree.

2.0.1 just contains too many bugs at this point.


Lukas



Re: Server IP address not being preserved from server state file

2019-07-11 Thread Jerome Magnin
Hi

On Thu, Jul 11, 2019 at 12:15:19PM -0400, Shaun Tarves wrote:
> Hi -
> 
> I am trying to determine why my servers' IP address is not being preserved
> through a reload when written to the server state file. I'm using version
> 1.9.8 on alpine linux.
> 
> CONFIGURATION:
> global
>   server-state-file /usr/local/etc/haproxy/haproxy.state
> 
> defaults
>   load-server-state-from-file global
> 
> backend rdp-proxy
>   mode tcp
> 
> 
>   server-template rdp 1-5 0.0.0.0:443 disabled init-addr last
> 
> During some time, the servers' IP addresses and/or ports are configured
> through the stats socket.
> 
> Right before restarting, I dump the server state using show servers state
> and it correctly shows me the configured server information:
> 11 rdp-proxy 1 rdp1 172.18.0.2 2 4 1 1 778186 1 0 0 8 0 0 0 - 80 -
> 11 rdp-proxy 2 rdp2 172.18.0.3 2 4 1 1 778186 1 0 0 8 0 0 0 - 80 -
> 11 rdp-proxy 3 rdp3 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -
> 11 rdp-proxy 4 rdp4 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -
> 11 rdp-proxy 5 rdp5 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -
> 
> 
> When I reload via the HUP or USR2 signals, all server information (admin
> state, port, etc.) is correctly restored EXCEPT the IP address, as seen
> below:
> 11 rdp-proxy 1 rdp1 0.0.0.0 2 4 1 1 778186 1 0 4 8 0 0 0 - 80 -
> 11 rdp-proxy 2 rdp2 0.0.0.0 2 4 1 1 778186 1 0 4 8 0 0 0 - 80 -
> 11 rdp-proxy 3 rdp3 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -
> 11 rdp-proxy 4 rdp4 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -
> 11 rdp-proxy 5 rdp5 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -

if you declare the server address with an IP on the server line, the IP from
server state file will never be used. If you want to use it you need to declare
the server address with a name and not an address, like this:

server-template rdp 1-5 foo.bar disabled init-addr last,1.2.3.4

this will set the IP to 1.2.3.4 by default, and you can change it with the stats
socket. when you reload, you will use the IP from the server state file.

cheers,
Jérôme



Server IP address not being preserved from server state file

2019-07-11 Thread Shaun Tarves
Hi -

I am trying to determine why my servers' IP address is not being preserved
through a reload when written to the server state file. I'm using version
1.9.8 on alpine linux.

CONFIGURATION:
global
  server-state-file /usr/local/etc/haproxy/haproxy.state

defaults
  load-server-state-from-file global

backend rdp-proxy
  mode tcp


  server-template rdp 1-5 0.0.0.0:443 disabled init-addr last

During some time, the servers' IP addresses and/or ports are configured
through the stats socket.

Right before restarting, I dump the server state using show servers state
and it correctly shows me the configured server information:
11 rdp-proxy 1 rdp1 172.18.0.2 2 4 1 1 778186 1 0 0 8 0 0 0 - 80 -
11 rdp-proxy 2 rdp2 172.18.0.3 2 4 1 1 778186 1 0 0 8 0 0 0 - 80 -
11 rdp-proxy 3 rdp3 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -
11 rdp-proxy 4 rdp4 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -
11 rdp-proxy 5 rdp5 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -


When I reload via the HUP or USR2 signals, all server information (admin
state, port, etc.) is correctly restored EXCEPT the IP address, as seen
below:
11 rdp-proxy 1 rdp1 0.0.0.0 2 4 1 1 778186 1 0 4 8 0 0 0 - 80 -
11 rdp-proxy 2 rdp2 0.0.0.0 2 4 1 1 778186 1 0 4 8 0 0 0 - 80 -
11 rdp-proxy 3 rdp3 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -
11 rdp-proxy 4 rdp4 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -
11 rdp-proxy 5 rdp5 0.0.0.0 0 5 1 1 778186 1 0 0 8 0 0 0 - 443 -


Re: Upgrade from 1.7 to 2.0 = increased CPU usage

2019-07-11 Thread Elias Abacioglu
I just reverted back to haproxy 1.7 now.
To be more accurate, CPU idle is around ~48% for core 2-3.

On Thu, Jul 11, 2019 at 4:38 PM Elias Abacioglu <
elias.abacio...@deltaprojects.com> wrote:

> Hi,
>
> I just upgraded HAproxy from 1.7.11 to 2.0.1.
>
> After the upgrade with the same configuration as in 1.7 CPU went from
> 35-40% idle for core 2-3 to ~0% using a setup like this:
>   #   (P#0) - process 1 - NIC/IRQ
>   #   (P#1) - process 2 - NIC/IRQ
>   #   (P#2) - process 3 - HAP
>   #   (P#3) - process 4 - HAP
>
> i.e.
>   nbproc 4
>   cpu-map 1 0
>   cpu-map 2 1
>   cpu-map 3 2
>   cpu-map 4 3
> and having all the bind lines like this:
>   bind *:80 process 3
>   bind *:80 process 4
> (yes, I know having 4 processes instead of 2 is unnecessary, but this is
> because it was easier to do via Chef)
>
> So then I tried tweaking the configuration.
>   nbproc 2
>   nbthread 1
> with cpu-map like:
>   cpu-map auto:1-2 2-3
> or like this:
>   cpu-map 1 2
>   cpu-map 2 3
> and having all the bind lines like this:
>   bind *:80 process 1
>   bind *:80 process 2
>
> Still CPU idle at ~0% for core 2 and 3.
>
> I also tried multithreaded mode.
>   nbproc 1
>   nbthread 2
> with cpu-map:
>   cpu-map auto:1/1-2 2-3
> and also:
>   cpu-map 1/1 2
>   cpu-map 1/2 3
> and in multithreaded mode bind lines like this:
> bind *:80
>
> CPU idle at ~0%
>
> Is haproxy 2.x less efficient than 1.7 when it comes to performance or am
> I doing something wrong?
> Hopefully I'm doing something wrong.
> Any advice?
>
> /Elias
>


Upgrade from 1.7 to 2.0 = increased CPU usage

2019-07-11 Thread Elias Abacioglu
Hi,

I just upgraded HAproxy from 1.7.11 to 2.0.1.

After the upgrade with the same configuration as in 1.7 CPU went from
35-40% idle for core 2-3 to ~0% using a setup like this:
  #   (P#0) - process 1 - NIC/IRQ
  #   (P#1) - process 2 - NIC/IRQ
  #   (P#2) - process 3 - HAP
  #   (P#3) - process 4 - HAP

i.e.
  nbproc 4
  cpu-map 1 0
  cpu-map 2 1
  cpu-map 3 2
  cpu-map 4 3
and having all the bind lines like this:
  bind *:80 process 3
  bind *:80 process 4
(yes, I know having 4 processes instead of 2 is unnecessary, but this is
because it was easier to do via Chef)

So then I tried tweaking the configuration.
  nbproc 2
  nbthread 1
with cpu-map like:
  cpu-map auto:1-2 2-3
or like this:
  cpu-map 1 2
  cpu-map 2 3
and having all the bind lines like this:
  bind *:80 process 1
  bind *:80 process 2

Still CPU idle at ~0% for core 2 and 3.

I also tried multithreaded mode.
  nbproc 1
  nbthread 2
with cpu-map:
  cpu-map auto:1/1-2 2-3
and also:
  cpu-map 1/1 2
  cpu-map 1/2 3
and in multithreaded mode bind lines like this:
bind *:80

CPU idle at ~0%

Is haproxy 2.x less efficient than 1.7 when it comes to performance or am I
doing something wrong?
Hopefully I'm doing something wrong.
Any advice?

/Elias


Re: FW: HAProxy??

2019-07-11 Thread Bruno Henc
Hello Austin, for any sales inquiries regarding HAProxy Enterprise
Edition please contact sales @ haproxy . com or use
the webform at https://www.haproxy.com/contact-us/ .

The mailing list is for the discussion of HAProxy Community Edition.

I have forwarded your email to the sales team which will reach out to you
with further information.

Regards,

On 7/11/19 3:15 PM, Austin Getz wrote:

> Hello Team,
>
> Can you please provide two quotes for the below for ETS?

--
Bruno Henc
Support Engineer
HAProxy Technologies - Powering your uptime!
375 Totten Pond Road, Suite 302 | Waltham, MA 02451, US
+1 (844) 222-4340 | www.haproxy.com 


Re: FW: HAProxy??

2019-07-11 Thread Aleksandar Lazic
Dear Austin Getz.

Am 11.07.2019 um 15:15 schrieb Austin Getz:
> Hello Team,
> 
> Can you please provide two quotes for the below for ETS?
> 
> ETS Needs to purchase the Enterprise Edition of HA Proxy
> (https://www.haproxy.com/products/haproxy-enterprise-edition/) so that we have
> support from the vendor and can maintain high availability in AWS. We will
> require two licenses: one for PROD and one for non-PROD – quantities subject
> to change.

I strongly suggest to contact cont...@haproxy.com for the enterprise edition.

Fyi: this is the public mailing list for the OSS project.

Current Archive: https://www.mail-archive.com/haproxy@formilux.org/

> Thank you.

Best regards
Aleks

> *Austin Getz *| SHI International Corp |Inside Account Manager |
> austin_g...@shi.com | _www.shi.com_
> 
> Office:732-868-8910 | Fax: 732-868-8911
> 
> */Innovative Solutions. World Class Support./**/ /* 
> 
> This message has originated from an *External Source*. Please use proper
> judgment and caution when opening attachments, clicking links, or responding
> to this email.
>
> Tom,
>
> ETS Needs to purchase the Enterprise Edition of HA Proxy
> (https://www.haproxy.com/products/haproxy-enterprise-edition/) so that we have
> support from the vendor and can maintain high availability in AWS. We will
> require two licenses: one for PROD and one for non-PROD – quantities subject
> to change.
>
> Do you work with HAProxy?
>
> Regards,
>
> Glenn
>
> This e-mail and any files transmitted with it may contain privileged or
> confidential information. It is solely for use by the individual for whom it
> is intended, even if addressed incorrectly. If you received this e-mail in error,
> please notify the sender; do not disclose, copy, distribute, or take any
> action in reliance on the contents of this information; and delete it from your
> system. Any other use of this e-mail is prohibited.
>
> Thank you for your compliance.




FW: HAProxy??

2019-07-11 Thread Austin Getz
Hello Team,

Can you please provide two quotes for the below for ETS?

ETS Needs to purchase the Enterprise Edition of HA Proxy 
(https://www.haproxy.com/products/haproxy-enterprise-edition/) so that we have 
support from the vendor and can maintain high availability in AWS. We will 
require two licenses: one for PROD and one for non-PROD – quantities subject to 
change.

Thank you.

Austin Getz | SHI International Corp |Inside Account Manager | 
austin_g...@shi.com | www.shi.com
Office:732-868-8910 | Fax: 732-868-8911
Innovative Solutions. World Class Support.

This message has originated from an External Source. Please use proper judgment 
and caution when opening attachments, clicking links, or responding to this 
email.



Tom,

ETS Needs to purchase the Enterprise Edition of HA Proxy 
(https://www.haproxy.com/products/haproxy-enterprise-edition/) so that we have 
support from the vendor and can maintain high availability in AWS. We will 
require two licenses: one for PROD and one for non-PROD – quantities subject to 
change.

Do you work with HAProxy?

Regards,

Glenn




This e-mail and any files transmitted with it may contain privileged or 
confidential information. It is solely for use by the individual for whom it is 
intended, even if addressed incorrectly. If you received this e-mail in error, 
please notify the sender; do not disclose, copy, distribute, or take any action 
in reliance on the contents of this information; and delete it from your 
system. Any other use of this e-mail is prohibited.


Thank you for your compliance.




Re: Runaway process

2019-07-11 Thread Sander Klein

On 2019-07-11 12:27, Tim Düsterhus wrote:

> Try attaching to the process with `gdb -p 12345` with 12345 being the
> process ID. Then:
>
> 1. Get a backtrace for all threads: thread apply all bt
> 2. Generate a core file: generate-core-file
>
> If you are also able to connect to the stats socket of that process then
> the following might be helpful as well:
>
> 1. show info
> 2. show fd
> 3. show activity
> 4. show sess all

I've created the backtrace and the core file. I couldn't connect to the
stats socket anymore so no info on that.

If a dev is interested I can send it.

Regards,

Sander



Re: Runaway process

2019-07-11 Thread Tim Düsterhus
Sander,

Am 11.07.19 um 08:48 schrieb Sander Klein:
> I seem to have runaway HAProxy process since yesterday evening around
> 20:50. This process is eating up 100% CPU continuously. (HAProxy 1.9.8)
> 
> Of course I can just kill it and go on with my life, but I was wondering
> if there was any interest to see if we can uncover a bug here. If so,
> please let me know what you need from me.
> 

Try attaching to the process with `gdb -p 12345` with 12345 being the
process ID. Then:

1. Get a backtrace for all threads: thread apply all bt
2. Generate a core file: generate-core-file

If you are also able to connect to the stats socket of that process then
the following might be helpful as well:

1. show info
2. show fd
3. show activity
4. show sess all

Afterwards you should be able to kill the process, because you extracted
all relevant information. Keep the core file somewhere safe, do not send
it to the list, it contains very private information such as TLS private
keys. It might be helpful in case a developer needs additional
information, though.

Best regards
Tim Düsterhus
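
The collection steps from the message above, written as a script that keeps every artifact in a directory only the invoking user can read, since the core file can hold TLS private keys. This is an added example, not part of the original post; it assumes gdb, socat and coreutils `timeout` are installed, and the function names, file names and directory layout are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): collect a backtrace, a core file and
# stats-socket output from a spinning haproxy process into a private directory.
# Run it as root or as the user that owns the process so gdb may attach.

# Create a fresh directory readable only by the current user and print its path.
# Plain mkdir (no -p) fails if the name already exists, so a directory that
# somebody else created beforehand is never reused.
make_private_dir() {
    base=$1
    dir="$base/haproxy-diag.$$"
    ( umask 077 && mkdir "$dir" ) || return 1
    printf '%s\n' "$dir"
}

# Print the permission string of a path, e.g. "drwx------".
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Attach gdb in batch mode: backtrace of all threads, then a core file.
# gdb detaches when the batch ends, so the process keeps running until
# the operator decides to kill it.
gdb_collect() {
    pid=$1 dir=$2
    ( umask 077
      gdb -p "$pid" -batch \
          -ex 'thread apply all bt' \
          -ex "generate-core-file $dir/core.$pid" \
          > "$dir/backtrace.txt" 2>&1 )
}

# Send the four CLI commands from the message to the stats socket, one
# connection per command, with a timeout because a spinning process may
# no longer answer on its socket.
stats_collect() {
    sock=$1 dir=$2
    ( umask 077
      for cmd in 'show info' 'show fd' 'show activity' 'show sess all'; do
          out="$dir/$(printf '%s' "$cmd" | tr ' ' '_').txt"
          printf '%s\n' "$cmd" \
              | timeout 5 socat - "UNIX-CONNECT:$sock" > "$out" 2>&1 \
              || echo "stats socket did not answer '$cmd'" >> "$out"
      done )
}

# Run the whole procedure for one PID and an optional stats socket path.
collect() {
    pid=$1 sock=${2:-}
    dir=$(make_private_dir "${TMPDIR:-/tmp}") || {
        echo "cannot create private output directory" >&2
        return 1
    }
    gdb_collect "$pid" "$dir" || echo "gdb failed, see $dir/backtrace.txt" >&2
    if [ -n "$sock" ]; then
        stats_collect "$sock" "$dir"
    fi
    echo "backtrace:  $dir/backtrace.txt"
    echo "core file:  $dir/core.$pid  (keep private, do not post to the list)"
}

# Usage: sh collect.sh PID [STATS_SOCKET]
if [ "$#" -ge 1 ]; then
    collect "$@"
fi
```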



Re: 1.9 external health checks fail suddenly

2019-07-11 Thread Willy Tarreau
Hi Veiko,

On Wed, Jul 10, 2019 at 09:10:35AM +, Veiko Kukk wrote:
> On 2019-07-09 14:29, Willy Tarreau wrote:
> > I didn't have a patch but just did it. It was only compile-tested,
> > please verify that it works as expected on a non-sensitive machine
> > first!
> 
> Hi, Willy
> 
> Against what version should I run this patch?

against your version. Normally it should work for 1.9 to 2.1.

Willy



Re: [PATCH] DOC: Fix typos and grammer in configuration.txt

2019-07-11 Thread Willy Tarreau
Hello John,

On Wed, Jul 10, 2019 at 03:54:12PM -0500, John Roesler wrote:
> Hello,
> 
> I have attached a patch containing typo and minor grammar corrections in
> the configuration.txt file.
> 
> I appreciate all the work the HAProxy team does and I hope my small
> contribution will be well received.

Of course it is! Many thanks for this, now merged.

Willy



Re: [PATCH] BUG/MEDIUM da fetch mode

2019-07-11 Thread Willy Tarreau
Hi David,

On Wed, Jul 10, 2019 at 09:22:44PM +0100, David Carlier wrote:
> here a little fix spotted with the fetch mode, thus explicitly set the
> output to string type.

Now applied, thank you.

Willy



Re: Unify equal acl between backends

2019-07-11 Thread Ricardo Fraile
Hello,

On Wed, 2019-07-10 at 16:09 +0200, Lukas Tribus wrote:
> Hello Ricardo,
> 
> 
> On Wed, 10 Jul 2019 at 15:38, Ricardo Fraile wrote:
> > Hello,
> >
> >
> > I have multiple backends and some of them share the same acl for the
> > static content, as example:
> >
> >
> > backend back-1
> > acl no-cookie path_end .gif .jpg .png (+15 more)
> > ignore-persist if no-cookie
> > ...
> >
> > backend back-2
> > acl no-cookie path_end .gif .jpg .png (+15 more)
> > ignore-persist if no-cookie
> > ...
> >
> >
> > I try to look for a solution to define once the "acl no-cookie" but I
> > can't find a workaround because it only works if I define it under the
> > same backend.
> >
> > As middle step, I tried with env vars but it didn't work:
> > 
> > global
> > setenv px-static .gif .jpg .png
> > 
> > backend back-1
> > acl no-cookie path_end ${px-static}
> > ignore-persist if no-cookie
> 
> Two issues with your use of env vars:
> 
> - must be in double quotes
> - must contain only alphanumerical characters and underscore
> 
> So I suggest
> setenv pxstatic .gif .jpg .png
> 
> and
> acl no-cookie path_end "$pxstatic"
> 
> Also read:
> https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#2.3
> 
> 
> If you want to do more, you can set a txn variable in the frontend
> (http-request set-var(txn.nocookie) 1 if no-cookie), based on your ACL
> and use that variable in the backend (ignore-persist if {
> var(txn.nocookie) 1 }).
> 
> 
> cheers,
> lukas


Setting the suggested configuration doesn't work in v1.8, it looks like
setenv has a limit in the number of arguments:


global
setenv pxstatic .gif .jpg .png

backend xx
acl no-cookie path_end "$pxstatic"
ignore-persist if no-cookie


# haproxy -c -f haproxy.cfg 
[ALERT] 191/092843 (85340) : parsing [haproxy.cfg:18] : 'setenv' cannot handle unexpected argument '.png'.
[WARNING] 191/092843 (85340) : parsing acl keyword 'path_end' :
  no pattern to match against were provided, so this ACL will never match.
  If this is what you intended, please add '--' to get rid of this warning.
  If you intended to match only for existence, please use '-m found'.
  If you wanted to force an int to match as a bool, please use '-m bool'.

[ALERT] 191/092843 (85340) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 191/092843 (85340) : Fatal errors found in configuration.

I tried to set the list under single and double quotes, the error
disappears but it didn't work. Using () and {} still had the error.
Setting only one extension works, two, only with the first on the list.

What is the right assignment to use in setenv?


The alternative configuration that Aleksandar pointed out works, but I
prefer to have this small list under the main file.



Thanks for the info,