Hi,
HAProxy 2.7-dev4 was released on 2022/08/20. It added 80 new commits
after version 2.7-dev3.
Well, it's clearly visible that it's still the vacation period, as there
is very little new stuff, almost only bug fixes! The build and bug fixes
spread about everywhere and correspond to those that landed into 2.6.3,
plus a number of QUIC-related stability issues.
Now, what's left aside from bug fixes:
- a new CLI command "add ssl ca-file" allows appending new certificates
to an existing ca-file instead of replacing them all at once. This can
be used as a workaround for the limited size of what may be uploaded
via "set ssl ca-file" (one tune.bufsize max).
- the table_expire() and table_idle() converters can return the remaining
time before a key will expire in a table, as well as how long ago a
given key was last seen. That's useful for rate limiting in order to
send a retry-after header, and may also be used to revalidate credentials,
present a captcha, or just kick a user session during a version rollover
for example.
- for debugging purposes, rings can now be backed by a file. Technically
speaking, the storage area may now be allocated from an mmapped file
instead of using malloc(). This is convenient for post-mortem analysis
where traces of last events are sometimes needed, but the traffic makes
them problematic to retrieve (and chaining socat to tail just for this
eats a lot of resources). Thus in this mode there's nothing to tail nor
read, just let the ring accumulate traces, and once the process dies,
pass it through a new tool ("haring") that will dump all the events.
This *may* be used by experienced admins for advanced debugging, but
please do not complain if you back it on an on-disk file and it slows
down your traffic due to swapping or disk I/Os.
- multiple HTTP/3 cookie headers are now merged, as required by the
spec. This was first reported by Gabriel Tzagkarakis in issue #1818.
- QUIC traces were significantly reworked to be much more precise (hence
more verbose) but they make analysis much more efficient and accurate.
- more debugging facilities: now the pool allocations are also tracked
by the memory profiler, so that it is easier to spot a leak or some
code parts using too much memory. The CPU overhead is not big, roughly
3-5% compared to the profiler before this change, which is nothing
compared to the improved observability. The memstats advanced debugger
now also reports function names and pool usage as well.
- better handling of stream closures and errors in QUIC, QPACK and H3
- some early QUIC code that relies on expensive openssl calls was made
more efficient by keeping the crypto context to avoid repeated memory
allocations. As much as possible some parts using pool_zalloc() were
turned to the less expensive pool_alloc(). The application send()
path was simplified. Finally some locks in the Rx code that were no
longer needed could be removed. So overall the QUIC code should eat a
little bit less CPU.
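And an added configuration example for the table_expire() and table_idle()
converters described above; it is not taken from the announcement or from the
HAProxy project. The table and frontend names, the cookie name, the 100
requests per 10 seconds threshold and the 15 minute idle limit are made-up
values for illustration, and the converters are assumed to return their
durations in milliseconds, which is why div(1000) is applied before putting
the value in a header.

```haproxy
# Added example, not from the announcement or the HAProxy project.
# Names and thresholds are assumptions chosen for illustration.

backend st_src_rate
    # per-source request rate; the entry lives 10s after its last hit
    stick-table type ip size 100k expire 10s store http_req_rate(10s)

backend st_sessions
    # last-seen tracking per session token (assumed cookie "SESS")
    stick-table type string len 64 size 100k expire 1h

frontend fe_web
    bind :80

    # Revalidate a session that has been idle too long. table_idle() gives
    # the time since the key was last touched (assumed: in milliseconds);
    # the check runs before track-sc1 so that the lookup itself does not
    # refresh the entry. A token not yet in the table makes the converter
    # fail, so a first-seen session simply falls through.
    http-request redirect location /login code 302 \
        if { req.cook(SESS) -m found } \
           { req.cook(SESS),table_idle(st_sessions) gt 900000 }
    http-request track-sc1 req.cook(SESS) table st_sessions \
        if { req.cook(SESS) -m found }

    # Rate limiting with a Retry-After hint. table_expire() returns the time
    # left before the source's entry expires (assumed: in milliseconds);
    # div(1000) turns it into the whole seconds Retry-After expects.
    http-request track-sc0 src table st_src_rate
    http-request return status 429 content-type text/plain \
        string "Too many requests\n" \
        hdr Retry-After "%[src,table_expire(st_src_rate),div(1000)]" \
        if { sc_http_req_rate(0) gt 100 }
```

The Retry-After value reflects when the whole entry disappears, not when the
rate window has room again, so treat it as an upper bound on the wait; a
client honouring it will never retry too early, which is the property a rate
limiter wants.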
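Here is an added example for the "add ssl ca-file" command above, a small
shell script that is not part of HAProxy nor of this announcement. It loads a
CA bundle into a running process one certificate at a time, so that no single
CLI payload has to carry the whole bundle (a "set ssl ca-file" payload is
capped at tune.bufsize, and a bundle cut short there silently loses trust
anchors). The socket path, the use of socat, and the ca-file name being
already known to the process (from the configuration or a prior "new ssl
ca-file") are assumptions.

```shell
#!/bin/sh
# Added example, not part of HAProxy: reload a CA bundle one certificate at a
# time through the CLI using "set ssl ca-file" + "add ssl ca-file" + "commit".
# Assumptions: stats socket path below, a plain PEM bundle as input, and a
# ca-file name that the running process already knows.

HAPROXY_SOCKET="${HAPROXY_SOCKET:-/var/run/haproxy.sock}"   # assumed path

# Number of certificates in a PEM bundle, used to sanity-check the input.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the CLI transaction that loads bundle $2 into ca-file $1:
#   - the first certificate goes through "set ssl ca-file" (replaces contents),
#   - every following certificate is appended with "add ssl ca-file",
#   - "commit ssl ca-file" makes the new contents live.
# Payload commands use the CLI payload syntax: the command line ends with
# "<<", the PEM block follows, and an empty line terminates the payload.
build_ca_transaction() {
    awk -v cafile="$1" '
        /-----BEGIN CERTIFICATE-----/ {
            inblk = 1
            n++
            printf "%s ssl ca-file %s <<\n", (n == 1 ? "set" : "add"), cafile
        }
        inblk { print }
        /-----END CERTIFICATE-----/ { inblk = 0; print "" }
        END { printf "commit ssl ca-file %s\n", cafile }
    ' "$2"
}

# Send the transaction, one command (with its payload) per CLI connection.
# A payload is flushed at its terminating empty line; the final commit has
# no payload and is flushed at end of input.
apply_ca_transaction() {
    build_ca_transaction "$1" "$2" | {
        cmd=""
        while IFS= read -r line; do
            cmd="${cmd}${line}
"
            if [ -z "$line" ]; then
                printf '%s' "$cmd" | socat -t 5 "$HAPROXY_SOCKET" -
                cmd=""
            fi
        done
        if [ -n "$cmd" ]; then
            printf '%s' "$cmd" | socat -t 5 "$HAPROXY_SOCKET" -
        fi
    }
}

# Write a constructed two-certificate bundle (dummy bodies, not real
# certificates) to $1, to try the builder without touching a real file.
write_sample_bundle() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'MIIBsampleRootCA==' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIBsampleIntermediate==' '-----END CERTIFICATE-----' \
        > "$1"
}

# Usage: sh load-cafile.sh --demo                    (print the transaction)
#        sh load-cafile.sh bundle.pem /etc/ssl/ca.pem (send it to the socket)
case "${1:-}" in
    --demo)
        tmp=$(mktemp); write_sample_bundle "$tmp"
        echo "certificates in bundle: $(count_certs "$tmp")"
        build_ca_transaction bundle.pem "$tmp"; rm -f "$tmp" ;;
    "") ;;
    *)  apply_ca_transaction "$1" "$2" ;;
esac
```

After the commit, "show ssl ca-file <name>" on the same socket lists the
certificates now held by the ca-file, which is the check worth running to
confirm the count matches the bundle you intended to load.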
Those running development versions on their servers may want to upgrade
to this one, because the low amount of changes compared to the high number
of fixes should give it a stability level that is above average.
Oh, and as a reminder, there are only 2 weeks left to submit a proposal
for a talk to the haproxyconf (https://www.haproxyconf.com/). If you think
you're having an unusual use case, or if some friends or coworkers said
"oh that's smart" when you explained your setup, you should really consider
putting your shyness aside and proposing a presentation ;-)
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Documentation : http://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : http://www.haproxy.org/download/2.7/src/
Git repository : http://git.haproxy.org/git/haproxy.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy.git
Changelog : http://www.haproxy.org/download/2.7/src/CHANGELOG
Pending bugs : http://www.haproxy.org/l/pending-bugs
Reviewed bugs : http://www.haproxy.org/l/reviewed-bugs
Code reports : http://www.haproxy.org/l/code-reports
Latest builds : http://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (26):
CLEANUP: mux-quic: remove loop on sending frames
MINOR: quic: replace custom buf on Tx by default struct buffer
MINOR: quic: release Tx buffer on each send
MINOR: quic: refactor datagram commit in Tx buffer
MINOR: quic: skip sending if no frame to send in io-cb
BUG/MINOR: mux-quic: open stream on STOP_SENDING
BUG/MINOR: quic: fix crash on handshake io-cb for null next enc level
MINOR: mux-quic: adjust enter/leave traces
MINOR: mux-quic: define protocol error traces
CLEANUP: mux-quic: adjust traces level
MINOR: mux-quic: define new traces
BUG/MEDIUM: mux-quic: fix crash due to invalid trace arg
BUG/MINOR: mux-quic: fix crash with traces in qc_detach()
CLEANUP: exclude haring with .gitignore
MINOR: quic: adjust quic_frame flag manipulation
MINOR: h3: report error on control stream close
MINOR: qpack: report error on enc/dec stream close
BUG/MEDIUM: mux-quic: reject uni stream ID exceeding flow control
MINOR: mux-quic: adjust traces on stream init
MINOR: mux-quic: add missing args on some traces
MINOR: quic: refactor application send
BUG/MINOR: quic: do not notify MUX on frame retransmit
BUG/MEDIUM: quic: fix crash on MUX send notification
REORG: h2: extract cookies concat function in http_htx
REGTESTS: add test for HTTP/2 cookies concatenation
MEDIUM: h3: concatenate multiple cookie headers
Emeric Brun (2):
BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized
BUG/MAJOR: log-forward: Fix ssl layer not initialized on bind even if configured
Frédéric Lécaille (21):
BUG/MEDIUM: quic: Wrong packet length check in qc_do_rm_hp()
MINOR: quic: Too much useless traces in qc_build_frms()
BUG/MEDIUM: quic: Missing AEAD TAG check after removing header protection
MINOR: quic: Replace pool_zalloc() by pool_malloc() for fake datagrams
MEDIUM: quic: xprt traces rework
MINOR: quic: Remove useless lock for RX packets
BUG/MINOR: quic: Possible infinite loop in quic_build_post_handshake_frames()
CLEANUP: quic: Remove trailing spaces
BUG/MEDIUM: quic: Possible use of uninitialized <odcid> variable in qc_lstnr_params_init()
BUG/MEDIUM: quic: Wrong use of <token_odcid> in qc_lsntr_pkt_rcv()
BUG/MINOR: quic: memleak on wrong datagram receipt
BUG/MINOR: quic: MIssing check when building TX packets
BUG/MINOR: quic: Wrong status returned by qc_pkt_decrypt()
MINOR: stick-table: Add table_expire() and table_idle() new converters
BUG/MINOR: quic: Missing initializations for ducplicated frames.
BUG/MINOR: quic: Possible crashes when dereferencing ->pkt quic_frame struct member
MINOR: quic: Add frame addresses to QUIC_EV_CONN_PRSAFRM event traces
BUG/MINOR: quic: Wrong splitted duplicated frames handling
MINOR: quic: Add the QUIC connection to mux traces
MINOR: quic: Trace fix in qc_release_frm()
MINOR: quic: Add reusable cipher contexts for header protection
Mateusz Malek (1):
BUG/MEDIUM: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names
William Lallemand (3):
BUG/MINOR: ssl/cli: error when the ca-file is empty
MINOR: ssl: handle ca-file appending in cafile_entry
MINOR: ssl/cli: implement "add ssl ca-file"
Willy Tarreau (27):
MINOR: debug: make the mem_stats section aligned to void*
MINOR: debug: store and report the pool's name in struct mem_stats
MINOR: debug: also store the function name in struct mem_stats
MINOR: debug/memstats: automatically determine first column size
MINOR: debug/memstats: permit to pass the size to free()
BUG/MEDIUM: quic: always remove the connection from the accept list on close
BUG/MEDIUM: poller: use fd_delete() to release the poller pipes
BUG/MEDIUM: task: relax one thread consistency check in task_unlink_wq()
BUILD: stconn: fix build warning at -O3 about possible null sc
BUG/MEDIUM: ring: fix too lax 'size' parser
BUILD: ring: forward-declare struct appctx to avoid a build warning
MINOR: ring: support creating a ring from a linear area
MINOR: ring: add support for a backing-file
DEV: haring: add a simple utility to read file-backed rings
DEV: haring: support remapping LF in contents with CR VT
BUILD: sink: replace S_IRUSR, S_IWUSR with their octal value
MINOR: ring: archive a previous file-backed ring on startup
MINOR: memprof: export the minimum definitions for memory profiling
MINOR: pool/memprof: report pool alloc/free in memory profiling
MINOR: pools/memprof: store and report the pool's name in each bin
MINOR: chunk: inline alloc_trash_chunk()
MINOR: applet: add a function to reset the svcctx of an applet
BUG/MEDIUM: cli: always reset the service context between commands
BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
MINOR: mux-h2/traces: report transition to SETTINGS1 before not after
MINOR: mux-h2: make streams know if they need to send more data
BUG/MINOR: mux-h2: send a CANCEL instead of ES on truncated writes
---