Re: [ANNOUNCE] haproxy-1.9.7
Hi Christopher.

On 26.04.2019 at 10:40, Christopher Faulet wrote:
> On 26/04/2019 at 10:29, Aleksandar Lazic wrote:
>>
>> The new images are also available on docker hub.
>>
>> https://hub.docker.com/r/me2digital/haproxy19
>> https://hub.docker.com/r/me2digital/haproxy-19-boringssl
>>
>> With openssl 1.1.1b / Boringssl and prometheus-exporter.
>>
>> I don't see the exporter in the output of -vv as mentioned in the blog post
>> https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
>>
>> The make line is this
>>
>> ###
>> + make -C /usr/src/haproxy TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1
>> SSL_INC=/usr/local/openssl/include SSL_LIB=/usr/local/openssl/lib USE_ZLIB=1
>> USE_LINUX_SPLICE=1 USE_TFO=1 USE_PCRE_JIT=1 USE_LUA=1 USE_PTHREAD_PSHARED=1
>> USE_REGPARM=1 USE_GETADDRINFO=1 USE_THREAD=1
>> EXTRA_OBJS=contrib/prometheus-exporter/service-prometheus.o all install-bin
>> make: Entering directory `/usr/src/haproxy'
>> ...
>> ###
>
> Hi Aleks,
>
> The Prometheus exporter was not backported in 1.9. The compilation doesn't
> fail because the EXTRA_OBJS variable only exists since the version 2.0-dev1 :)

Oh yes, I have forgotten, living on the edge is sometimes confusing ;-)

Time for haproxy-2 image ;-)

Regards
Aleks
Re: [ANNOUNCE] haproxy-1.9.7
On 26/04/2019 at 10:29, Aleksandar Lazic wrote:
> The new images are also available on docker hub.
>
> https://hub.docker.com/r/me2digital/haproxy19
> https://hub.docker.com/r/me2digital/haproxy-19-boringssl
>
> With openssl 1.1.1b / Boringssl and prometheus-exporter.
>
> I don't see the exporter in the output of -vv as mentioned in the blog post
> https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
>
> The make line is this
>
> ###
> + make -C /usr/src/haproxy TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1
> SSL_INC=/usr/local/openssl/include SSL_LIB=/usr/local/openssl/lib USE_ZLIB=1
> USE_LINUX_SPLICE=1 USE_TFO=1 USE_PCRE_JIT=1 USE_LUA=1 USE_PTHREAD_PSHARED=1
> USE_REGPARM=1 USE_GETADDRINFO=1 USE_THREAD=1
> EXTRA_OBJS=contrib/prometheus-exporter/service-prometheus.o all install-bin
> make: Entering directory `/usr/src/haproxy'
> ...
> ###

Hi Aleks,

The Prometheus exporter was not backported in 1.9. The compilation doesn't fail
because the EXTRA_OBJS variable only exists since the version 2.0-dev1 :)

--
Christopher Faulet
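The exchange above shows a build that succeeds even though a requested component was never compiled in. A post-build gate for an image pipeline can catch that; this is an added example, not part of the thread or of HAProxy. The sample report is constructed, and the token "prometheus-exporter" is an assumption about how the feature would be named in the -vv output.

```shell
#!/bin/sh
# Post-build gate: fail when a feature requested on the make line is
# absent from the binary's `haproxy -vv` report.

# Constructed, abbreviated stand-in for `haproxy -vv` output of a 1.9
# build (not captured from a real binary).
sample_vv() {
cat <<'EOF'
HA-Proxy version 1.9.7 2019/04/25
Build options :
  TARGET  = linux2628
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_TFO=1
EOF
}

# missing_features REPORT TOKEN...
# Prints every TOKEN that does not occur as a fixed string in REPORT.
# Returns 0 when all tokens are present, 1 otherwise.
missing_features() {
    report=$1
    shift
    rc=0
    for token in "$@"; do
        if ! printf '%s\n' "$report" | grep -qF -- "$token"; then
            printf '%s\n' "$token"
            rc=1
        fi
    done
    return "$rc"
}

# Usage in an image build:  sh check.sh --check USE_OPENSSL=1 prometheus-exporter
if [ "${1:-}" = "--check" ]; then
    shift
    missing=$(missing_features "$(haproxy -vv 2>&1)" "$@") || {
        echo "build is missing: $missing" >&2
        exit 1
    }
fi
```

Run against the constructed 1.9 report, the check reports prometheus-exporter as missing while the USE_* flags pass, which is the situation described in the reply above.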
Re: [ANNOUNCE] haproxy-1.9.7
On 25.04.2019 at 23:18, Christopher Faulet wrote:
> Hi,
>
> HAProxy 1.9.7 was released on 2019/04/25. It added 100 new commits after
> version 1.9.6.
>
> After a month since the last release, a huge number of bugs were addressed
> in this release. The most significant are fixes of 100% CPU usage issues.
> Olivier and Willy worked hard on it. They fixed several bugs in the task
> scheduler and improved it. Another issue concerned the streams and the way
> aborts were handled. The flag reporting the abort on the stream-interface was
> cleared too early. So the stream was not properly released, looping
> infinitely on itself. Thanks to Maciej for helping Olivier investigate this
> issue. Finally, two bugs leading to a loop were fixed in the H2 multiplexer.
> The first one occurred when an incomplete frame was received and no more data
> was available. The second one when the subscription to the send events was
> made twice, which should never happen. This last issue was also able to lead
> to random crashes.
>
> Willy, with the help of Maksim, fixed a locking problem in the round-robin LB
> causing occasional crashes of HAProxy because of a divide by zero when the
> next server's position was computed. Willy also fixed an AB/BA locking issue
> in the listener's accept code thanks to Olivier and his self-locked list. At
> the end, all this part was reworked. The lock on the listener queue
> disappeared and the accept code was significantly improved. As mentioned,
> Olivier implemented self-locked lists. It is now safe to manipulate such
> lists with multiple threads without having to worry about concurrency issues.
>
> A very old bug on how HTTP sample fetches work was fixed. All HTTP sample
> fetches were buggy because the channel used was chosen depending on the
> sample direction and not on the keyword really used. The request channel was
> used when called during the request analysis and the response one was used
> when called during the response analysis, regardless of the sample really
> called. It could cause a whole bunch of bugs, from undefined behavior because
> the data were extracted from the wrong buffer to a crash of HAProxy.
>
> Many bugs in the HTX part were fixed. The most significant was a problem of
> data corruption when a header was added while some data were already
> received. It was addressed by defragmenting the HTX message. It is a quick
> and dirty fix, waiting for a better solution. The TCP splicing was fixed in
> the H1 multiplexer. The handling of the CONNECT method was refactored to work
> when h1 and h2 are mixed (an h1 client sending requests to an h2 server or
> the opposite). And finally, the option "http-tunnel" was deprecated in HTX.
> It is still supported in legacy HTTP, but in HTX, this option is now ignored.
>
> Otherwise, as always, there was a bunch of bugfixes and changes here and
> there. The most noticeable are:
>
>   - A memory leak was fixed in the map converter. And now when a map file is
>     loaded, the default value is parsed only when it is present. This fixes
>     segfaults at parsing time when no default value is provided.
>
>   - Pattern IDs are now assigned after checking the config validity. It
>     fixes a bug where some map identifiers were not assigned (appearing as
>     -1 in show map). Thanks to Pavlos for reporting this bug.
>
>   - Several bugs were fixed on the SPOE, mainly on the way fragmented frames
>     were handled internally.
>
>   - A bug was fixed in the peers. Peer sessions were not always cleanly reset
>     on release, resulting in a bad state for new sessions. In addition, the
>     CLI command "show peers" was added. It dumps info about the peers
>     configured in "peers" sections.
>
>   - Nenad fixed a security issue in the TLS ticket key rotation. Whenever
>     HAProxy was reloaded with rotated keys, the resumption would be broken
>     for the previous encryption key. CVE-2019-11323 was assigned to this bug.
>
>   - Build of HAProxy on AIX 5.1 was fixed.
>
>   - Some small improvements were brought to the master-worker mode. The busy
>     polling was disabled on the master process to not waste a dedicated
>     processor on it. And an unambiguous status is now set on exit.
>
>   - The global directive "set-dumpable" was added to enable core dumps. It's
>     always a pain to get a core dump when enabling user/group setting (which
>     disables the dumpable flag on Linux), when using a chroot and/or when
>     HAProxy is started by a service management tool which requires complex
>     operations to just raise the core dump limit. It becomes much easier to
>     retrieve a core file by using this new directive. Temporarily moving the
>     chroot to a user-writable place is generally enough.
>
>   - Missing locks were added in set-map and add-acl HTTP rules.
>
>   - The multithreading mode is now enabled on Wurfl. And it is now compatible
>     with
[ANNOUNCE] haproxy-1.9.7
Hi,

HAProxy 1.9.7 was released on 2019/04/25. It added 100 new commits after
version 1.9.6.

After a month since the last release, a huge number of bugs were addressed in
this release. The most significant are fixes of 100% CPU usage issues. Olivier
and Willy worked hard on it. They fixed several bugs in the task scheduler and
improved it. Another issue concerned the streams and the way aborts were
handled. The flag reporting the abort on the stream-interface was cleared too
early. So the stream was not properly released, looping infinitely on
itself. Thanks to Maciej for helping Olivier investigate this issue. Finally,
two bugs leading to a loop were fixed in the H2 multiplexer. The first one
occurred when an incomplete frame was received and no more data was
available. The second one when the subscription to the send events was made
twice, which should never happen. This last issue was also able to lead to
random crashes.

Willy, with the help of Maksim, fixed a locking problem in the round-robin LB
causing occasional crashes of HAProxy because of a divide by zero when the next
server's position was computed. Willy also fixed an AB/BA locking issue in the
listener's accept code thanks to Olivier and his self-locked list. At the end,
all this part was reworked. The lock on the listener queue disappeared and the
accept code was significantly improved. As mentioned, Olivier implemented
self-locked lists. It is now safe to manipulate such lists with multiple
threads without having to worry about concurrency issues.

A very old bug on how HTTP sample fetches work was fixed. All HTTP sample
fetches were buggy because the channel used was chosen depending on the sample
direction and not on the keyword really used. The request channel was used when
called during the request analysis and the response one was used when called
during the response analysis, regardless of the sample really called. It could
cause a whole bunch of bugs, from undefined behavior because the data were
extracted from the wrong buffer to a crash of HAProxy.

Many bugs in the HTX part were fixed. The most significant was a problem of
data corruption when a header was added while some data were already
received. It was addressed by defragmenting the HTX message. It is a quick and
dirty fix, waiting for a better solution. The TCP splicing was fixed in the H1
multiplexer. The handling of the CONNECT method was refactored to work when h1
and h2 are mixed (an h1 client sending requests to an h2 server or the
opposite). And finally, the option "http-tunnel" was deprecated in HTX. It is
still supported in legacy HTTP, but in HTX, this option is now ignored.

Otherwise, as always, there was a bunch of bugfixes and changes here and
there. The most noticeable are:

  - A memory leak was fixed in the map converter. And now when a map file is
    loaded, the default value is parsed only when it is present. This fixes
    segfaults at parsing time when no default value is provided.

  - Pattern IDs are now assigned after checking the config validity. It fixes
    a bug where some map identifiers were not assigned (appearing as -1 in
    show map). Thanks to Pavlos for reporting this bug.

  - Several bugs were fixed on the SPOE, mainly on the way fragmented frames
    were handled internally.

  - A bug was fixed in the peers. Peer sessions were not always cleanly reset
    on release, resulting in a bad state for new sessions. In addition, the
    CLI command "show peers" was added. It dumps info about the peers
    configured in "peers" sections.

  - Nenad fixed a security issue in the TLS ticket key rotation. Whenever
    HAProxy was reloaded with rotated keys, the resumption would be broken for
    the previous encryption key. CVE-2019-11323 was assigned to this bug.

  - Build of HAProxy on AIX 5.1 was fixed.

  - Some small improvements were brought to the master-worker mode. The busy
    polling was disabled on the master process to not waste a dedicated
    processor on it. And an unambiguous status is now set on exit.

  - The global directive "set-dumpable" was added to enable core dumps. It's
    always a pain to get a core dump when enabling user/group setting (which
    disables the dumpable flag on Linux), when using a chroot and/or when
    HAProxy is started by a service management tool which requires complex
    operations to just raise the core dump limit. It becomes much easier to
    retrieve a core file by using this new directive. Temporarily moving the
    chroot to a user-writable place is generally enough.

  - Missing locks were added in set-map and add-acl HTTP rules.

  - The multithreading mode is now enabled on Wurfl. And it is now compatible
    with the new buffer API, so it builds again on 1.9.

WARNING: Device detection modules (51Degrees, DeviceAtlas and Wurfl) are not
compatible with the HTX mode. Respective maintainers work on it. But for this
release, don't enable the HTX if you need to use one

