Re: [ANNOUNCE] haproxy-2.4-dev1

2020-11-26 Thread Baptiste
Hi,

Cool release and another +1 for the backport of the "del-header -m".

Baptiste


[ANNOUNCE] haproxy-2.4-dev1

2020-11-21 Thread Willy Tarreau
Hi,

HAProxy 2.4-dev1 was released on 2020/11/21. It added 107 new commits
after version 2.4-dev0.

Let me say that despite having spent quite some time recently on a few
really irritating bugs, I'm quite happy to see that the new development
cycle starts to pay off. It's probably the first ever new branch that
gets 107 patches 2 weeks after having been opened, and the majority are
updates and not bug fixes.

First, let's have a quick round on the bugs fixed since last release
(2.3.2 should be issued shortly). The latest SSL changes in 2.3 had a
little bit of crt-list breakage that was quickly addressed. A bug in
the http-after-response rules could possibly cause random crashes. An
old bug in the SPOE with a dangling pointer could cause random crashes
(Many thanks to Maciej Zdeb for working hard for two months to isolate
this one). Checks could crash if a "proto" directive was set on the
server lines. And finally the last one, a dangling session pointer in
the idle connections was sometimes used after the session had been
detached, causing random crashes. These were detected on 2.3 which
amplifies the issue. While it's possible to crash 2.2 on the same issue
by applying a minor patch, it's impossible to say if a similar code path
is used without that patch. And a few crash reports there look suspiciously
related, so given that backporting this one requires extreme care, I'd
appreciate it if the rare ones who occasionally experience a crash in 2.2
could run an instance on 2.4-dev1 and report if they think their issue is
gone.

Now the new stuff. First there was a nice liftup of the CI to migrate to
GitHub actions (thanks Tim and Ilya for the work). We now have a larger
test matrix which seems more reliable and is more controllable than the
one we previously used on Travis. It was also an opportunity to start to
make the SSL build process more resistant to the non-linear evolutions of
the various OpenSSL forks.

Some changes were made to the pattern code to stop freezing the whole
process each time a del-acl or del-map action is performed. While it used
to be OK when dealing with only a few hundred thousand entries,
it's not fun anymore with maps containing 20 million IP addresses where it
used to cause long pauses that sometimes managed to trigger the watchdog!
With this change, the ACL/map entries are now versioned and atomically
updated, so that it is possible to perform a delete in the background in
small batches, and even if it requires a full scan for certain types, it
will be done in small batches.

The cache used not to fully comply with the standards, as it would cache
an object that didn't have an explicit expiration time nor validator. Rémi
fixed this. Normally nobody should notice anything because such objects are
almost non-existent nowadays. However maybe some broken applications will
not be cached anymore, but for good, in that it was not really possible to
check for validity there.

It used to be possible to change a server's IP address at run time from the
CLI but it was not possible to enable SSL at run time because it required
to allocate an SSL context. William Dauchy worked on this so that this
limitation doesn't exist anymore.

The memory usage of the old process during reloads should drop significantly
on systems supporting malloc_trim() (i.e. glibc for now). While working
on optimizing the patterns I was annoyed by the huge memory usage after
replacing a whole map and have been looking for a way to compact unused
memory. I discovered this malloc_trim() that does exactly what one would
expect, i.e. unmap all unused pages from the allocator's caches. My old
process went down from 1.7 GB to 260 MB! Those doing frequent reloads
might be interested in giving it a try.

Amaury added some SSL stats so that it will now be possible to count
handshakes and errors on the two sides. More detailed info will likely
come over time but for me this will be related to the ability to report
better SSL logs as well.

Christopher and Baptiste finally finished their work on the MQTT and FIX
parsers. These can be used to extract information from initial messages
and steer the traffic to one server or another (or to drop it).

Fred added some traces to the peers so that exchanges can now be observed.
This is essentially useful for debugging, but always interesting to see
what flows between nodes during tables synchronization. This should be
improved over time.

Maciej implemented the "-m" argument to the "del-header" action, which was
initially planned for 2.2 and that everyone forgot about. This one allows
one to specify whether the argument to del-header designates a full header name,
a substring, a prefix, a suffix, or even a regex. This is something a lot
of users have been missing after "rspdel" was removed. I suspect that his
work is safe for backporting, so if anyone currently uses 2.2 or 2.3 and
is using ugly tricks (or Lua) just to remove header names by prefix for
example, just raise your hand to ask for
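As an added example (not from the announcement or the HAProxy project), one HAProxy 2.4 configuration exercising the "del-header -m" matching methods and the MQTT parser used for steering, both described in the announcement above; the frontend, backend and header names are assumptions.

```haproxy
# Added example, not part of the original message. Section names, server
# addresses and the header names being stripped are all assumptions.
global
    log stdout format raw local0

defaults
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# del-header with -m: remove response headers that leak implementation
# details, without Lua or per-header rules. Without -m (or with "-m str")
# the argument is still matched as a full header name, as before 2.4.
frontend www
    mode http
    bind :8080
    http-response del-header Server                 # exact name (default, "-m str")
    http-response del-header X-Powered -m beg       # prefix: X-Powered-By, X-Powered-Foo, ...
    http-response del-header -Version -m end        # suffix: anything ending in "-Version"
    http-response del-header Debug -m sub           # substring anywhere in the name
    http-response del-header ^X-(Internal|Trace)- -m reg   # regular expression
    default_backend app

backend app
    mode http
    server s1 127.0.0.1:8000

# MQTT steering: buffer the initial CONNECT packet, reject anything that is
# not valid MQTT, then pick a backend from the protocol version in CONNECT.
frontend mqtt
    mode tcp
    bind :1883
    tcp-request inspect-delay 5s
    tcp-request content reject unless { req.payload(0,0),mqtt_is_valid }
    use_backend mqtt_v5 if { req.payload(0,0),mqtt_field_value(connect,protocol_version) 5 }
    default_backend mqtt_v3

backend mqtt_v5
    mode tcp
    server broker5 127.0.0.1:18835

backend mqtt_v3
    mode tcp
    server broker3 127.0.0.1:18833
```

Check the file with `haproxy -c -f <file>` on a 2.4 build before deploying; the `-m` argument and the MQTT converters are rejected by older releases unless the del-header backport mentioned above has been applied.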