Hi,
HAProxy 2.2.5 was released on 2020/11/04. It added 60 new commits
after version 2.2.4.
The previous release is now quite old and this one fixes several bugs, some
may lead to crash. Thus, if you are running on the 2.2.X, it is probably a
good idea to update. Here are the details about this release :
Some bugs was fixed on the H2 multiplexer. The first bug is a possible
infinite loop in the function responsible to send data triggering the
watchdog. It happens when the H2 connection timed out with its mbuf ring
full. In this situation, we know it is no longer possible to send anything,
thus an error is reported and the mbuf ring is released, but it is still
marked as full. Unfortunately, in the sending function, the error is not
caught. Because the mbuf ring is marked as full we loop infinitely on it to
send nonexistent data. The second bug also affects the FCGI multiplexer. The
shutdown for reads may be handled too early on streams, especially when
there are still pending unparsed input data. When that happens, streams are
aborted too early, leading to truncated responses. The last bug is about few
"SC" reported in logs during reloads when the H2 is used on the backend
side. This happens because a graceful shutdown is performed on all H2
connections, via GOAWAY frames, while it should only be done on the
frontends ones.
Some bugs was also fixed in the H1 multiplexer. The first one is a possible
crash when bad messages are captured. The session is retrieved using the
connection owner instead of the H1 stream. But this one may be undefined if
the connection was moved at some point in an idle list. Thus a null pointer
dereference may be experienced. The second bug is about the flag
CO_RFL_READ_ONCE, instructing the socket layer to only try one read
attempt. This flag is now only set on the first read on each message.
And to not make others jealous, a memory leak was fixed in the pass-through
multiplexer. The leak happens when a TCP connection is upgraded to HTTP. The
mux is released but not the tasklet used for I/O subscriptions.
A thread-safety bug on load-balancing algorithms was fixed. The server lock
must be held when a connection is assigned or dropped. In this case, for
some algorithms (leastconn and first), the server position is updated. If
the server lock is not held, the tree may be corrupted. Another way to
trigger the bug is to update the server weight, for instance using an agent.
A divide by 0 may occur, leading to a crash. Another thread-safety bug was
fixed on the queues. This one depends on the compiler optimizations. It may
lead to a crash because pendconn_cond_unlink() occasionally sees a null
leaf_p when attempting to remove an entry. Another small bug on queue was
fixed. The counter of transferred connections when a server goes down is
now really incremented, fixing the log message emitted when a server goes
down.
A design issue in the SPOE was fixed. An agent may try to set a variable
with the NULL data type. But internally, in HAProxy, it is not possible to
set a variable with no data. Trying to do so may lead to undefined
behaviors, depending on how the variable is then used. Thus, now, when it
happens, the variable is unset instead.
Willy fixed a possible contention problem on the global task locks when
there are many threads. Now, the number of tasks picked from the wait queue
at once is bound. At most global.tune.runqueue_depth tasks are picked at
once. The counter is updated for both the local and the global queues, so
threads with more local expired tasks will pick less global tasks and
conversely, keeping the load balanced between all threads. This will
guarantee a much lower latency if/when wakeup storms happen (e.g. hundreds
of thousands of synchronized health checks).
Willy also limited the time spent purging old entries in stick-tables. This
avoid triggering the watchdog during the purge of moderately sized
stick-tables.
The slowstart value loaded from a state-file may now be changed, instead of
crashing HAProxy because the state is changed for a partially initialized
server.
A bug on idle connections was fixed. When using many threads and many
servers, it's very difficult to terminate the last idle connections on each
server because of a wrong calculation of the estimate of needed connections
and because the purge task may be not woken up in case of inactivity. Now we
ensure to always wake up the purge task as long as at least one idle
connection remains. And internal calculations have been fixed.
And finally, as usual, a bunch of minor fixes and improvements :
- Filters are no longer initialized for disabled proxies. Because the
configuration validity is not performed for those proxies, the filters
initialization must be skipped too. per-proxy/server post-check
functions are also skipped.
- Fred fixed a bug causing peers sessions to be reset sometimes.
- The BoringSSL support was fixed and it should now work again.
- Rémi fixed the parsing of the cache-control header values.
- Amaury fixed the server downtime calculation and uninitialized samples
at several places in the lua.
- Eric fixed leaks during the init on global and per-proxy log_tag.
- Amaury fixed the loop iteration on the connection takeover.
- The payload of internal responses is now skipped for HEAD requests.
- During startup, A error is triggered if a 204/304 internal response
contains a body. This includes the errorfiles and the http replies. In
addition, for other errors, An extra check is now performed to ensure
the body length matches the announce content-length.
- Now servers without address but with dns resolver are set in RMAINT mode
on startup.
- etc.
Thanks to everyone for this release. Enjoy !
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Wiki : https://github.com/haproxy/wiki/wiki
Sources : http://www.haproxy.org/download/2.2/src/
Git repository : http://git.haproxy.org/git/haproxy-2.2.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git
Changelog : http://www.haproxy.org/download/2.2/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
---
Complete changelog :
Amaury Denoyelle (6):
MINOR: counters: fix a typo in comment
BUG/MINOR: stats: fix validity of the json schema
BUG/MINOR: connection: fix loop iter on connection takeover
BUG/MINOR: server: fix srv downtime calcul on starting
BUG/MINOR: server: fix down_time report for stats
BUG/MINOR: lua: initialize sample before using it
Brad Smith (1):
BUILD: makefile: Fix building with closefrom() support enabled
Christopher Faulet (22):
DOC: tcp-rules: Refresh details about L7 matching for tcp-request content
rules
BUG/MINOR: tcpcheck: Set socks4 and send-proxy flags before the connect
call
MINOR: hlua: Display debug messages on stderr only in debug mode
BUG/MINOR: mux-h1: Be sure to only set CO_RFL_READ_ONCE for the first read
BUG/MINOR: mux-h1: Always set the session on frontend h1 stream
BUG/MEDIUM: mux-fcgi: Don't handle pending read0 too early on streams
BUG/MEDIUM: mux-h2: Don't handle pending read0 too early on streams
BUG/MINOR: http: Fix content-length of the default 500 error
BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses
BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided
BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad
messages
BUG/MEDIUM: lb: Always lock the server when calling
server_{take,drop}_conn
BUG/MINOR: http-ana: Don't send payload for internal responses to HEAD
requests
BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer
possible
BUG/MEDIUM: filters: Don't try to init filters for disabled proxies
BUG/MINOR: proxy/server: Skip per-proxy/server post-check for disabled
proxies
BUG/MINOR: checks: Report a socket error before any connection attempt
BUG/MINOR: server: Set server without addr but with dns in RMAINT on
startup
MINOR: server: Copy configuration file and line for server templates
BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade
BUG/MINOR: filters: Skip disabled proxies during startup only
CLEANUP: mux-h2: Remove the h1 parser state from the h2 stream
Emmanuel Hocdet (1):
BUG/MEDIUM: ssl: OCSP must work with BoringSSL
Eric Salama (1):
BUG/MINOR: Fix several leaks of 'log_tag' in init().
Frédéric Lécaille (2):
BUG/MINOR: peers: Inconsistency when dumping peer status codes.
BUG/MINOR: peers: Possible unexpected peer seesion reset after collisions.
Ilya Shipitsin (2):
BUG/MINOR: disable dynamic OCSP load with BoringSSL
BUILD: ssl: make BoringSSL use its own version numbers
Matteo Contrini (1):
DOC: fix typo in MAX_SESS_STKCTR
Pierre Cheynier (1):
DOC: Add missing stats fields in the management doc
Remi Tricot-Le Breton (3):
MINOR: ist: Add a case insensitive istmatch function
BUG/MINOR: cache: Manage multiple values in cache-control header value
BUG/MINOR: cache: Inverted variables in http_calc_maxage function
Sébastien Gross (1):
DOC: Fix typos in configuration.txt
Tim Duesterhus (1):
MINOR: ssl: Add error if a crt-list might be truncated
William Lallemand (3):
MINOR: ssl: Add warning if a crt-list might be truncated
MINOR: ssl: 'ssl-load-extra-del-ext' removes the certificate extension
Revert "MINOR: ssl: 'ssl-load-extra-del-ext' removes the certificate
extension"
Willy Tarreau (15):
BUILD: ssl_crtlist: work around another bogus gcc-9.3 warning
BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe
DOC: fix a confusing typo on a regsub example
CLEANUP: tree-wide: use VAR_ARRAY instead of [0] in various definitions
BUILD: connection: fix build on clang after the VAR_ARRAY cleanup
BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited
BUG/MINOR: mux-h2: do not stop outgoing connections on stopping
MINOR: fd: report an error message when failing initial allocations
BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at
once
BUG/MINOR: queue: properly report redistributed connections
BUG/MEDIUM: server: support changing the slowstart value from state-file
BUG/MINOR: extcheck: add missing checks on extchk_setenv()
BUG/MINOR: log: fix memory leak on logsrv parse error
BUG/MINOR: log: fix risk of null deref on error path
BUG/MEDIUM: stick-table: limit the time spent purging old entries
--
Christopher Faulet
