Re[2]: [ANNOUNCE] haproxy-1.8.0

2017-11-27 Thread Aleksandar Lazic

Hi Willy.

-- Original message --
From: "Willy Tarreau"
To: "Aleksandar Lazic"
Cc: haproxy@formilux.org
Sent: 27.11.2017 23:54:31
Subject: Re: [ANNOUNCE] haproxy-1.8.0

> Hi Aleks,
>
> On Mon, Nov 27, 2017 at 09:18:35PM +, Aleksandar Lazic wrote:
> > > I'm pleased to announce that haproxy 1.8.0 is now officially released!
> > Amazing ;-)
>
> So after 15 years working on this project you still manage to be amazed,
> I'm impressed ;-)

You are right I wanted to say "great".

Note to myself: I should not write mails when I'm in passing mood.

Hm time flies, 15 years and still happy to be part of this great project.

Thanks to all of us community members and the company behind the project ;-)

I hope I'm not too sentimental.

> > As usual the docker image is also updated.
> >
> > https://hub.docker.com/r/me2digital/haproxy18/
>
> Thank you for maintaining this!
> Willy

Regards
Aleks




Re: [ANNOUNCE] haproxy-1.8.0

2017-11-27 Thread Willy Tarreau
Hi Aleks,

On Mon, Nov 27, 2017 at 09:18:35PM +, Aleksandar Lazic wrote:
> > I'm pleased to announce that haproxy 1.8.0 is now officially released!
> Amazing ;-)

So after 15 years working on this project you still manage to be amazed,
I'm impressed ;-)

> As usual the docker image is also updated.
> 
> https://hub.docker.com/r/me2digital/haproxy18/

Thank you for maintaining this!
Willy



Re: [ANNOUNCE] haproxy-1.8.0

2017-11-27 Thread Aleksandar Lazic

Hi.

-- Original message --
From: "Willy Tarreau"
To: haproxy@formilux.org
Sent: 26.11.2017 19:57:35
Subject: [ANNOUNCE] haproxy-1.8.0

Hi all,

After one year of intense development and almost one month of debugging,
polishing, and cross-review work trying to prevent our respective coworkers
from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
is now officially released!

Amazing ;-)

As usual the docker image is also updated.

https://hub.docker.com/r/me2digital/haproxy18/

Best regards
Aleks



Since -rc4, a few last user-visible changes were brought :
 - by default the master worker exits if any of its processes dies. This
   is done so that when certain processes are dedicated to certain tasks,
   we're not left with some features not working anymore. Imagine having
   7 SSL offloaders chaining to 1 HTTP frontend, and the last one dying,
   you don't want to keep the 7 useless frontends. By quitting, we give
   a chance to a service manager to detect the problem and alert/restart
   the service. The behaviour is configurable though.

 - we were not happy with "thread-map" vs "cpu-map", making these difficult
   to configure. Now "thread-map" was removed and the feature was merged
   into "cpu-map" which also supports process ranges and cpu ranges for
   easier configuration.

 - haproxy can now be built with native systemd support using USE_SYSTEMD=1
   and starting it with -Ws (systemd-aware master-worker mode).

 - HTTP/2 will not schedule a graceful connection shutdown anymore when
   seeing a "Connection: close" header in a response. Instead a new HTTP
   action "reject" has been implemented to work like its TCP counterpart.

 - the HTTP/2 gateway code now properly reassembles split Cookie headers,
   as mandated by the specification. Not doing it was causing some issues
   with certain application servers, and absolutely needed to be addressed
   before claiming that it works.

And here is a high level overview of the new features contributed to 1.8
(warning, the list is huge) :

 - JSON stats (Simon Horman) : the stats socket's "show stat" and "show info"
   output can now be emitted in a structured JSON format which is more
   convenient than CSV for some modern data processing frameworks.

 - server templates (Frédéric Lécaille) : servers can be pre-provisioned
   in backends using a simple directive ("server-template"). It is then
   possible to configure them at runtime over the CLI or DNS, making it
   trivial to add/remove servers at run time without restarting. As a side
   effect of implementing this, all "server" keywords are now supported on
   the "default-server" line and it's possible to disable any of them using
   "no-". All settings changed at runtime are present in the state
   file so that upon reload no information is lost.

 - dynamic cookies (Olivier Houchard) : a dynamic cookie can be generated
   on the fly based on the transport address of a newly added server. This
   is important to be able to use server templates in stateful environments.

 - per-certificate "bind" configuration (Emmanuel Hocdet) : all the SSL
   specific settings of the "bind" line may now be set per-certificate in
   the crtlist file. A common example involves requiring a client cert for
   certain domains only and not for others, all of them running on the same
   address:port.

 - pipelined and asynchronous SPOE (Christopher Faulet) : it's an important
   improvement to the Stream Processing Offload Engine that allows requests
   to be streamed over existing connections without having to wait for a
   previous response. It significantly increases the message rate and reduces
   the need for parallel connections. Two example WAFs were introduced as
   contributions to make use of this improvement (mod_security and
   mod_defender).

 - seamless reloads (Olivier Houchard) : in order to work around some issues
   faced on Linux causing a few RST to be emitted for incoming connections
   during a reload operation despite SO_REUSEPORT being used, it is now
   possible for the new haproxy process to connect to the previous one and
   to retrieve existing listening sockets so that they are never closed. Now
   no connection breakage will be observed during a reload operation anymore.

 - PCRE2 support (David Carlier) : this new version of PCRE seems to be
   making its way in some distros, so now we are compatible with it.

 - hard-stop-after (Cyril Bonté) : this new global setting forces old
   processes to quit after a delay consecutive to a soft reload operation.
   This is mostly used to avoid an accumulation of old processes in some
   environments where idle connections are kept with large timeouts.

 - support for OpenSS

Re: [ANNOUNCE] haproxy-1.8.0

2017-11-27 Thread Alex Evonosky
Congratulations!

On Mon, Nov 27, 2017 at 8:41 AM, Arnall  wrote:

> On 26/11/2017 at 19:57, Willy Tarreau wrote:
>
>> Hi all,
>>
>> After one year of intense development and almost one month of debugging,
>> polishing, and cross-review work trying to prevent our respective coworkers
>> from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
>> is now officially released!
>>
>
> Congratulations to everyone involved!
>
> Haproxy is truly a great product.


Re: [ANNOUNCE] haproxy-1.8.0

2017-11-27 Thread Arnall

On 26/11/2017 at 19:57, Willy Tarreau wrote:

Hi all,

After one year of intense development and almost one month of debugging,
polishing, and cross-review work trying to prevent our respective coworkers
from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
is now officially released!


Congratulations to everyone involved!

Haproxy is truly a great product.




Re: [ANNOUNCE] haproxy-1.8.0

2017-11-27 Thread Pavlos Parissis
On 26/11/2017 07:57 PM, Willy Tarreau wrote:
> Hi all,
> 
> After one year of intense development and almost one month of debugging,
> polishing, and cross-review work trying to prevent our respective coworkers
> from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
> is now officially released!
> 

Congratulations to everyone involved in releasing HAProxy 1.8 version.

Well done and keep up the hard and good work.

Cheers,
Pavlos





Re: [ANNOUNCE] haproxy-1.8.0

2017-11-26 Thread Sander Klein

On 2017-11-26 19:57, Willy Tarreau wrote:

Hi all,

After one year of intense development and almost one month of debugging,
polishing, and cross-review work trying to prevent our respective coworkers
from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
is now officially released!


Woohoo! Thanks for the work.

Greets,

Sander Klein



Re: [ANNOUNCE] haproxy-1.8.0

2017-11-26 Thread Igor Cicimov
On 27 Nov 2017 5:59 am, "Willy Tarreau"  wrote:

Hi all,

After one year of intense development and almost one month of debugging,
polishing, and cross-review work trying to prevent our respective coworkers
from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
is now officially released!

Since -rc4, a few last user-visible changes were brought :
  - by default the master worker exits if any of its processes dies. This
is done so that when certain processes are dedicated to certain tasks,
we're not left with some features not working anymore. Imagine having
7 SSL offloaders chaining to 1 HTTP frontend, and the last one dying,
you don't want to keep the 7 useless frontends. By quitting, we give
a chance to a service manager to detect the problem and alert/restart
the service. The behaviour is configurable though.

  - we were not happy with "thread-map" vs "cpu-map", making these difficult
to configure. Now "thread-map" was removed and the feature was merged
into "cpu-map" which also supports process ranges and cpu ranges for
easier configuration.

  - haproxy can now be built with native systemd support using USE_SYSTEMD=1
and starting it with -Ws (systemd-aware master-worker mode).

  - HTTP/2 will not schedule a graceful connection shutdown anymore when
seeing a "Connection: close" header in a response. Instead a new HTTP
action "reject" has been implemented to work like its TCP counterpart.

  - the HTTP/2 gateway code now properly reassembles split Cookie headers,
as mandated by the specification. Not doing it was causing some issues
with certain application servers, and absolutely needed to be addressed
before claiming that it works.

And here is a high level overview of the new features contributed to 1.8
(warning, the list is huge) :

  - JSON stats (Simon Horman) : the stats socket's "show stat" and "show info"
output can now be emitted in a structured JSON format which is more
convenient than CSV for some modern data processing frameworks.

  - server templates (Frédéric Lécaille) : servers can be pre-provisioned
in backends using a simple directive ("server-template"). It is then
possible to configure them at runtime over the CLI or DNS, making it
trivial to add/remove servers at run time without restarting. As a side
effect of implementing this, all "server" keywords are now supported on
the "default-server" line and it's possible to disable any of them using
"no-". All settings changed at runtime are present in the state
file so that upon reload no information is lost.

  - dynamic cookies (Olivier Houchard) : a dynamic cookie can be generated
on the fly based on the transport address of a newly added server. This
is important to be able to use server templates in stateful environments.

  - per-certificate "bind" configuration (Emmanuel Hocdet) : all the SSL
specific settings of the "bind" line may now be set per-certificate in
the crtlist file. A common example involves requiring a client cert for
certain domains only and not for others, all of them running on the same
address:port.

  - pipelined and asynchronous SPOE (Christopher Faulet) : it's an important
improvement to the Stream Processing Offload Engine that allows requests
to be streamed over existing connections without having to wait for a
previous response. It significantly increases the message rate and reduces
the need for parallel connections. Two example WAFs were introduced as
contributions to make use of this improvement (mod_security and
mod_defender).

  - seamless reloads (Olivier Houchard) : in order to work around some issues
faced on Linux causing a few RST to be emitted for incoming connections
during a reload operation despite SO_REUSEPORT being used, it is now
possible for the new haproxy process to connect to the previous one and
to retrieve existing listening sockets so that they are never closed. Now
no connection breakage will be observed during a reload operation anymore.

  - PCRE2 support (David Carlier) : this new version of PCRE seems to be
making its way in some distros, so now we are compatible with it.

  - hard-stop-after (Cyril Bonté) : this new global setting forces old
processes to quit after a delay consecutive to a soft reload operation.
This is mostly used to avoid an accumulation of old processes in some
environments where idle connections are kept with large timeouts.

  - support for OpenSSL asynchronous crypto engines (Grant Zhang) : this
allows haproxy to defer the expensive crypto operations to external
hardware engines. Not only can it significantly improve the performance,
but it can also reduce the latency impact of slow crypto operations on
all other operations since haproxy switches to other tasks while the
engine is busy. This was successfully tested with Intel's Q

[ANNOUNCE] haproxy-1.8.0

2017-11-26 Thread Willy Tarreau
Hi all,

After one year of intense development and almost one month of debugging,
polishing, and cross-review work trying to prevent our respective coworkers
from winning the first bug award, I'm pleased to announce that haproxy 1.8.0
is now officially released!

Since -rc4, a few last user-visible changes were brought :
  - by default the master worker exits if any of its processes dies. This
is done so that when certain processes are dedicated to certain tasks,
we're not left with some features not working anymore. Imagine having
7 SSL offloaders chaining to 1 HTTP frontend, and the last one dying,
you don't want to keep the 7 useless frontends. By quitting, we give
a chance to a service manager to detect the problem and alert/restart
the service. The behaviour is configurable though.

  - we were not happy with "thread-map" vs "cpu-map", making these difficult
to configure. Now "thread-map" was removed and the feature was merged
into "cpu-map" which also supports process ranges and cpu ranges for
easier configuration.

  - haproxy can now be built with native systemd support using USE_SYSTEMD=1
and starting it with -Ws (systemd-aware master-worker mode).

  - HTTP/2 will not schedule a graceful connection shutdown anymore when
seeing a "Connection: close" header in a response. Instead a new HTTP
action "reject" has been implemented to work like its TCP counterpart.

  - the HTTP/2 gateway code now properly reassembles split Cookie headers,
as mandated by the specification. Not doing it was causing some issues
with certain application servers, and absolutely needed to be addressed
before claiming that it works.

And here is a high level overview of the new features contributed to 1.8
(warning, the list is huge) :

  - JSON stats (Simon Horman) : the stats socket's "show stat" and "show info"
output can now be emitted in a structured JSON format which is more
convenient than CSV for some modern data processing frameworks.

  - server templates (Frédéric Lécaille) : servers can be pre-provisioned
in backends using a simple directive ("server-template"). It is then
possible to configure them at runtime over the CLI or DNS, making it
trivial to add/remove servers at run time without restarting. As a side
effect of implementing this, all "server" keywords are now supported on
the "default-server" line and it's possible to disable any of them using
"no-". All settings changed at runtime are present in the state
file so that upon reload no information is lost.

  - dynamic cookies (Olivier Houchard) : a dynamic cookie can be generated
on the fly based on the transport address of a newly added server. This
is important to be able to use server templates in stateful environments.

  - per-certificate "bind" configuration (Emmanuel Hocdet) : all the SSL
specific settings of the "bind" line may now be set per-certificate in
the crtlist file. A common example involves requiring a client cert for
certain domains only and not for others, all of them running on the same
address:port.

  - pipelined and asynchronous SPOE (Christopher Faulet) : it's an important
improvement to the Stream Processing Offload Engine that allows requests
to be streamed over existing connections without having to wait for a
previous response. It significantly increases the message rate and reduces
the need for parallel connections. Two example WAFs were introduced as
contributions to make use of this improvement (mod_security and
mod_defender).

  - seamless reloads (Olivier Houchard) : in order to work around some issues
faced on Linux causing a few RST to be emitted for incoming connections
during a reload operation despite SO_REUSEPORT being used, it is now
possible for the new haproxy process to connect to the previous one and
to retrieve existing listening sockets so that they are never closed. Now
no connection breakage will be observed during a reload operation anymore.

  - PCRE2 support (David Carlier) : this new version of PCRE seems to be
making its way in some distros, so now we are compatible with it.

  - hard-stop-after (Cyril Bonté) : this new global setting forces old
processes to quit after a delay consecutive to a soft reload operation.
This is mostly used to avoid an accumulation of old processes in some
environments where idle connections are kept with large timeouts.

  - support for OpenSSL asynchronous crypto engines (Grant Zhang) : this
allows haproxy to defer the expensive crypto operations to external
hardware engines. Not only can it significantly improve the performance,
but it can also reduce the latency impact of slow crypto operations on
all other operations since haproxy switches to other tasks while the
engine is busy. This was successfully tested with Intel's QAT and with
a home-made software engine. This
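
The split Cookie header reassembly listed among the post-rc4 changes in the announcement, shown as an added example that is not part of the original message and is not HAProxy's code: RFC 7540 section 8.1.2.5 requires multiple "cookie" fields to be joined with "; " before a request is passed to a non-HTTP/2 context. The type `struct hdr`, the function `merge_cookie_fields` and the sample request are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* One decoded header field, as produced by HPACK decoding (hypothetical type). */
struct hdr {
    const char *name;   /* HTTP/2 field names are always lowercase */
    const char *value;
};

/*
 * Join the values of every "cookie" field in hdrs[0..n) into out, separated
 * by "; " (RFC 7540 section 8.1.2.5). Returns the number of fields merged,
 * or -1 if the result does not fit in outsz bytes, so that the caller can
 * reject the request instead of forwarding a truncated Cookie header.
 */
int merge_cookie_fields(const struct hdr *hdrs, size_t n, char *out, size_t outsz)
{
    size_t used = 0;
    int merged = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (strcmp(hdrs[i].name, "cookie") != 0)
            continue;
        size_t sep = merged ? 2 : 0;
        size_t len = strlen(hdrs[i].value);
        if (len + sep >= outsz - used)   /* keep room for the final NUL */
            return -1;
        if (sep) {
            memcpy(out + used, "; ", 2);
            used += 2;
        }
        memcpy(out + used, hdrs[i].value, len);
        used += len;
        out[used] = '\0';
        merged++;
    }
    return merged;
}

int main(void)
{
    /* Constructed sample: one request whose cookies arrive as three fields. */
    const struct hdr req[] = {
        { ":method", "GET" }, { ":path", "/account" },
        { "cookie", "session=abc123" }, { "accept", "*/*" },
        { "cookie", "theme=dark" }, { "cookie", "lang=en" },
    };
    char cookie[128];
    int n = merge_cookie_fields(req, sizeof(req) / sizeof(req[0]), cookie, sizeof(cookie));
    printf("merged %d fields -> Cookie: %s\n", n, cookie);
    return 0;
}
```

A server that reads only the first Cookie header would see just `session=abc123` here if the three fields were forwarded unmerged, which is the kind of issue with application servers the announcement refers to.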