Re: [ANNOUNCE] haproxy-2.0.7
Hi.

On 27.09.19 at 16:29, Christopher Faulet wrote:
> Hi,
>
> HAProxy 2.0.7 was released on 2019/09/27. It added 20 new commits
> after version 2.0.6.

Image is updated.

https://hub.docker.com/r/me2digital/haproxy20-centos

```
HA-Proxy version 2.0.7 2019/09/27 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
  OPTIONS = USE_PCRE=1 USE_PCRE_JIT=1 USE_PTHREAD_PSHARED=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE +PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD +PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 -ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.1.1d  10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1d  10 Sep 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services :
	prometheus-exporter

Available filters :
	[SPOE] spoe
	[COMP] compression
	[CACHE] cache
	[TRACE] trace
```

> This release fixes several issues in the H2 multiplexer, among which 2 major
> bugs about the way received frames are handled on the error path. The first
> one comes from the first age of the H2 multiplexer. During frames
> demultiplexing, when an error is reported on a stream, the payload of the
> current frame must be drained to allow parsing of the following frames. This
> part was buggy. All the announced frame length was systematically drained and
> not only the available part of it. For partially received frames, too much
> data was drained from the demux buffer, leaving it in a buggy state and thus
> corrupting the memory on the next receives. This old bug is certainly
> responsible for many hardly reproducible and unresolved issues and also
> crashes. The second major bug is about a desync of the HPACK decoder. HEADERS
> frames received for an unknown or already closed stream were simply ignored.
> As stated in RFC7540#5.1, those frames must be skipped. But because they
> carry a compression state they must still be processed before being dropped
> to keep the HPACK decoder synchronized. Because those HEADERS frames were
> not decoded, the HPACK decoder could get out of sync. It is a major bug
> because it led to a mix-up of headers for the following streams.
>
> A regression on the checks was fixed. In 2.0.6, when default checks were
> enabled (not "option *-check"), some failures on connect were erroneously
> reported, making checks fail. What was valid for 2.1 proved wrong for 2.0
> because of the FD cache, still here in 2.0 and earlier. Other checks are not
> concerned. And an issue about the thread-safety of external checks was also
> fixed.
>
> A bug in the SPOE was fixed by Kevin Zhu. The same engine-id was used when
> nbproc was more than 1. So, in async mode, an agent receiving a NOTIFY frame
> from a process was able to send the ACK to another process. So thanks to
> Kevin, now a different engine-id is generated for each process. In addition,
> a similar change was made when several threads are started, making the SPOE
> async mode compatible with multithreaded configuration.
>
> Krisztián Kovács fixed 2 issues about the namespaces. First, he fixed an FD
> leak
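A constructed model of the HPACK desynchronisation quoted above, added here as an example and not taken from the thread or from HAProxy's source. It shows why a HEADERS frame for a closed stream has to be run through the decoder before it is dropped: the peer's encoder adds every literal to its dynamic table regardless of what the receiver does with the stream, so a decoder that skips the block ends up with a shorter table and resolves later indices to the wrong entries. Header blocks are lists of operations rather than RFC 7541's byte encoding, the three-entry static table is a stand-in for Appendix A, and all names (`HpackTable`, `encode_block`, `decode_block`, `run_connection`) and sample headers are invented for this illustration.

```python
"""Toy model of HPACK dynamic-table synchronisation (constructed example, not
HAProxy code).  Header blocks are operation lists, not the RFC 7541 wire
format; only the table-indexing behaviour is modelled."""

# Stand-in for the RFC 7541 Appendix A static table (constructed, 3 entries).
STATIC_TABLE = [(":method", "GET"), (":path", "/"), (":scheme", "https")]


class HpackTable:
    """Static entries first, then dynamic entries with the newest at the lowest index."""

    def __init__(self):
        self.dynamic = []

    def add(self, name, value):
        self.dynamic.insert(0, (name, value))

    def lookup(self, index):
        if index <= len(STATIC_TABLE):
            return STATIC_TABLE[index - 1]
        return self.dynamic[index - len(STATIC_TABLE) - 1]

    def index_of(self, name, value):
        return (STATIC_TABLE + self.dynamic).index((name, value)) + 1


def encode_block(table, headers):
    """Encoder: emit an index when the pair is known, else a literal that is also
    added to the dynamic table (literal with incremental indexing)."""
    ops = []
    for name, value in headers:
        try:
            ops.append(("indexed", table.index_of(name, value)))
        except ValueError:
            ops.append(("literal", name, value))
            table.add(name, value)
    return ops


def decode_block(table, ops):
    """Decoder: every literal must update the table, even if the headers are discarded."""
    headers = []
    for op in ops:
        if op[0] == "indexed":
            headers.append(table.lookup(op[1]))
        else:
            _, name, value = op
            table.add(name, value)
            headers.append((name, value))
    return headers


def run_connection(decode_closed_stream):
    """Three HEADERS frames from one peer on one connection.  Stream 1 is closed
    by us right after its first HEADERS, so its second HEADERS arrives for a
    closed stream.  Returns the headers the decoder attributes to stream 5."""
    enc, dec = HpackTable(), HpackTable()
    frames = [  # constructed input: (stream id, header list)
        (1, [(":method", "GET"), (":path", "/"), ("cookie", "session=alice")]),
        (1, [("cookie", "session=alice"), ("x-trace", "t-1")]),   # arrives after close
        (5, [(":method", "GET"), ("cookie", "session=bob"), ("x-trace", "t-1")]),
    ]
    closed, delivered = set(), {}
    for sid, headers in frames:
        block = encode_block(enc, headers)   # the peer's table advances no matter what we do
        if sid in closed:
            if decode_closed_stream:
                decode_block(dec, block)     # fixed: decode to stay in sync, then drop
            continue                          # buggy: skipped without touching our table
        delivered[sid] = decode_block(dec, block)
        if sid == 1:
            closed.add(1)                     # we reset stream 1 after its first HEADERS
    return delivered[5]


if __name__ == "__main__":
    print("in sync :", run_connection(decode_closed_stream=True))
    print("desynced:", run_connection(decode_closed_stream=False))
```

With the closed-stream block decoded, stream 5 decodes to its own `cookie: session=bob` and `x-trace: t-1`. With the block skipped, the decoder's table is one entry short and the index meant for `x-trace` resolves to `cookie: session=alice`, so a header belonging to stream 1 is attributed to stream 5, which is the cross-stream header mix-up the announcement describes.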
[ANNOUNCE] haproxy-2.0.7
Hi,

HAProxy 2.0.7 was released on 2019/09/27. It added 20 new commits after version 2.0.6.

This release fixes several issues in the H2 multiplexer, among which 2 major bugs about the way received frames are handled on the error path. The first one comes from the first age of the H2 multiplexer. During frames demultiplexing, when an error is reported on a stream, the payload of the current frame must be drained to allow parsing of the following frames. This part was buggy. All the announced frame length was systematically drained and not only the available part of it. For partially received frames, too much data was drained from the demux buffer, leaving it in a buggy state and thus corrupting the memory on the next receives. This old bug is certainly responsible for many hardly reproducible and unresolved issues and also crashes. The second major bug is about a desync of the HPACK decoder. HEADERS frames received for an unknown or already closed stream were simply ignored. As stated in RFC7540#5.1, those frames must be skipped. But because they carry a compression state they must still be processed before being dropped to keep the HPACK decoder synchronized. Because those HEADERS frames were not decoded, the HPACK decoder could get out of sync. It is a major bug because it led to a mix-up of headers for the following streams.

A regression on the checks was fixed. In 2.0.6, when default checks were enabled (not "option *-check"), some failures on connect were erroneously reported, making checks fail. What was valid for 2.1 proved wrong for 2.0 because of the FD cache, still here in 2.0 and earlier. Other checks are not concerned. And an issue about the thread-safety of external checks was also fixed.

A bug in the SPOE was fixed by Kevin Zhu. The same engine-id was used when nbproc was more than 1. So, in async mode, an agent receiving a NOTIFY frame from a process was able to send the ACK to another process. So thanks to Kevin, now a different engine-id is generated for each process. In addition, a similar change was made when several threads are started, making the SPOE async mode compatible with multithreaded configuration.

Krisztián Kovács fixed 2 issues about the namespaces. First, he fixed an FD leak in master-worker mode. The FDs opened during namespaces configuration parsing were not closed when the master process was re-executing itself, effectively leaking the fds and preventing destruction of namespaces no longer present in the configuration. Then, he fixed a bug during the soft shutdown, introducing a cleanup function that closes all namespace file descriptors by iterating over the namespace ebtree.

Finally, the usual bunch of bug fixes here and there. The CLI command "show table" was fixed to properly handle the data type argument. The implicit h2 upgrade from an h1 connection is now really performed on the first request only. The H2 multiplexer was slightly improved, avoiding the wake up of streams before the mux is ready. In the Prometheus exporter, average times (QTIME, CTIME, RTIME and TTIME) are now returned in seconds using a float representation instead of in milliseconds, making those metrics consistent with their announced type.

As usual, all users of 2.0 are encouraged to upgrade. But if you are using HTTP/2, you must upgrade as soon as possible.

---
Complete changelog :
Christopher Faulet (13):
      BUG/MEDIUM: stick-table: Properly handle "show table" with a data type argument
      BUG/MINOR: mux-h2: Be sure to have a connection to unsubcribe
      BUG/MAJOR: mux-h2: Handle HEADERS frames received after a RST_STREAM frame
      BUG/MINOR: stream-int: Process connection/CS errors first in si_cs_send()
      BUG/MEDIUM: stream-int: Process connection/CS errors during synchronous sends
      BUG/MINOR: mux-h2: Use the dummy error when decoding headers for a closed stream
      BUG/MAJOR: mux_h2: Don't consume more payload than received for skipped frames
      BUG/MINOR: mux-h1: Do h2 upgrade only on the first request
      MINOR: spoe: Improve generation of the engine-id
      MINOR: spoe: Support the async mode with several threads
      MINOR: stats: Add the support of float fields in stats
      BUG/MINOR: contrib/prometheus-exporter: Return the time averages in seconds
      DOC: Fix documentation about the cli command to get resolver stats

Kevin Zhu (1):
      BUG/MEDIUM: spoe: Use a different engine-id per process

Krisztian Kovacs (1):
      BUG/MEDIUM: namespace: close open namespaces during soft shutdown

Krisztián Kovács (kkovacs) (1):
      BUG/MEDIUM: namespace: fix fd leak in master-worker mode

Willy Tarreau (4):
      BUG/MEDIUM: check/threads: make external checks run exclusively on thread 1
      BUG/MEDIUM: checks: make sure the connection is ready before trying to recv
      BUG/MINOR: mux-h2: do not wake up blocked streams before the mux is ready
      BUG/MEDIUM: mux-h2: don't reject valid frames on closed streams

--
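An added illustration of the frame-draining bug the announcement describes first (the "Don't consume more payload than received for skipped frames" fix). This is a constructed toy demultiplexer, not HAProxy's code; only the 9-byte frame header layout from RFC 7540 section 4.1 is real, and the class and function names (`Demuxer`, `BuggyDemuxer`, `run_scenario`) and the sample frames are invented for the example. It feeds a skipped frame on an errored stream in two receives and shows that draining the full announced length at once, rather than only the bytes that have arrived, leaves the buffer misaligned so the next valid frame is never parsed.

```python
"""Toy HTTP/2 frame demultiplexer (constructed example, not HAProxy code).
Illustrates the error-path draining rule from the 2.0.7 announcement:
a skipped frame's payload must be drained only as far as it has been received."""
import struct

FRAME_HEADER_LEN = 9   # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
TYPE_DATA = 0x0


def build_frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame with the RFC 7540 section 4.1 header."""
    length = struct.pack(">I", len(payload))[1:]                  # low 3 bytes only
    head = bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF)
    return length + head + payload


class Demuxer:
    """Parses frames out of a receive buffer fed one chunk at a time.
    Frames on streams that already reported an error are skipped, but their
    payload still has to be consumed so the following frames stay aligned."""

    def __init__(self, errored_streams):
        self.buf = bytearray()
        self.errored = set(errored_streams)
        self.to_drain = 0        # payload bytes of a skipped frame not yet received
        self.delivered = []      # (stream_id, type, payload) handed to the upper layer

    def feed(self, chunk):
        self.buf += chunk
        self._demux()

    def _skip_frame(self, length):
        """Fixed behaviour: drop the header now, drain the payload as it arrives."""
        del self.buf[:FRAME_HEADER_LEN]
        self.to_drain = length

    def _demux(self):
        while True:
            if self.to_drain:
                n = min(self.to_drain, len(self.buf))   # only what has actually arrived
                del self.buf[:n]
                self.to_drain -= n
                if self.to_drain:
                    return                              # rest of the payload still in flight
            if len(self.buf) < FRAME_HEADER_LEN:
                return
            length = int.from_bytes(self.buf[0:3], "big")
            ftype = self.buf[3]
            sid = int.from_bytes(self.buf[5:9], "big") & 0x7FFFFFFF
            if sid in self.errored:
                self._skip_frame(length)
                continue
            end = FRAME_HEADER_LEN + length
            if len(self.buf) < end:
                return                                  # wait for the whole frame
            self.delivered.append((sid, ftype, bytes(self.buf[FRAME_HEADER_LEN:end])))
            del self.buf[:end]


class BuggyDemuxer(Demuxer):
    """Models the pre-2.0.7 behaviour: the whole announced length is consumed at
    once whether or not it was received.  Python clamps the slice; in C the
    buffer pointer runs past the received data, which is the memory corruption
    the announcement describes."""

    def _skip_frame(self, length):
        del self.buf[:FRAME_HEADER_LEN + length]


def run_scenario(buggy):
    """Stream 1 has errored.  A 20-byte DATA frame on it is split across two
    receives and is followed by a valid DATA frame on stream 3.  Returns the
    frames delivered upstream and the bytes left stranded in the buffer."""
    skipped = build_frame(TYPE_DATA, 0, 1, b"A" * 20)      # constructed input
    wanted = build_frame(TYPE_DATA, 0, 3, b"hello")
    wire = skipped + wanted
    split = FRAME_HEADER_LEN + 10                           # half the skipped payload arrives first
    d = (BuggyDemuxer if buggy else Demuxer)(errored_streams={1})
    d.feed(wire[:split])
    d.feed(wire[split:])
    return d.delivered, len(d.buf)


if __name__ == "__main__":
    print("fixed:", run_scenario(buggy=False))   # ([(3, 0, b'hello')], 0)
    print("buggy:", run_scenario(buggy=True))    # ([], 24): stuck on a garbage header
```

The fixed demuxer delivers the stream 3 frame with an empty buffer afterwards. The buggy one "consumes" ten bytes it never received, so when the rest of the skipped payload arrives it is parsed as a frame header (length 0x414141, stream 0x41414141) and the demuxer waits forever for a frame that does not exist, with the real frame stranded behind it; in the C implementation the same over-consumption moved the buffer state past the received data, which is the corruption the announcement attributes to this bug.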