Skip to content

HAProxy 2.1.3

Compare
Choose a tag to compare
@DBezemer DBezemer released this 16 Mar 18:59
· 6 commits to 2.1 since this release

HAProxy 2.1.3 was released on 2020/02/12. It added 86 new commits
after version 2.1.2.

It's clear that 2.1 has been one of the calmest releases in a while, to
the point of making us forget that it still had a few fixes pending that
would be pleasant to have in a released version! So after accumulating
fixes for 7 weeks, it's about time to have another one!

Here are the most relevant fixes:

  • pools: there is an ABA race condition in pool_flush() (which is called
    when stopping as well as under memory pressure) which can lead to a
    crash. It's been there since 1.9 and is very hard to trigger, but if
    you run with many threads and reload very often you may occasionally
    hit it, seeing a trace of the old process crashing in your system
    logs.

  • there was a bug in the way our various hashes were calculated, some
    of them were considering the inputs as signed chars instead of
    unsigned ones, so some non-ASCII characters would hash differently
    across different architectures and wouldn't match another component's
    calculation (e.g. a CRC32 inserted in a header would differ when given
    values with the 8th bit set, or applied to the PROXY protocol header).
    The bug has been there since 1.5-dev20 but became visible since it
    affected Postfix's validation of the PROXY protocol's CRC32. It's
    unlikely that anyone will ever witness it if it didn't happen already,
    but I tagged it "major" to make sure it is properly backported to
    distro packages, since not having it on certain nodes may sometimes
    result in hash inconsistencies which can be very hard to diagnose.

  • the addition of the Early-Data header when using 0rtt could wrongly
    be emitted during SSL handshake as well.

  • health checks could crash if using handshakes (e.g. SSL) mixed with
    DNS that takes time to retrieve an address, causing an attempt to
    use an incompletely initialized connection.

  • the peers listening socket was missing from the seamless reload,
    possibly causing some failed bindings when not using reuseport,
    resulting in the new process giving up.

  • splicing could often end up on a timeout because after the last block
    we did not switch back to HTX to complete the message.

  • fixed a small race affecting idle connections, allowing one thread to
    pick a connection at the same moment another one would decide to free
    it because there are too many idle.

  • response redirects were appended to the actual response instead of
    replacing it. This could cause various errors, including data
    corruption on the client if the entire response didn't fit into the
    buffer at once.

  • when stopping or when releasing a few connections after a listener's
    maxconn was reached, we could distribute some work to inexistent
    threads if the listener had "1/odd" or "1/even" while the process
    had less than 64 threads. An easy workaround for this is to explicitly
    reference the thread numbers instead.

  • when proxying an HTTP/1 client to an HTTP/2 server, make sure to clean
    up the "TE" header from anything but "trailers", otherwise the server
    may reject a request if it came from a browser placing "gzip" there.

  • the H2 mux had an incorrect buffer full detection causing the send
    phase to stop on a fragment boundary then to immediately wake up all
    waiting threads to go on, resulting in an excessive CPU usage in some
    tricky situations. It is possible that those using H2 with many streams
    per connection and moderately large objects, like Luke's maps servers,
    could observe a CPU usage drop (maybe Luke on his map servers).

  • it was possible to lose the master-worker status after a failed reload
    when it was only mentioned in the config and not on the command line.

  • when decoding the Netscaler's CIP protocol we forgot to allocate the
    storage for the src/dst addresses, crashing the process.

  • upon pipe creation failure due to shortage of file descriptors, the
    struct pipe was still returned after having been released, quickly
    crashing the process. Fortunately the automatic maxconn/maxpipe
    settings do not allow this situation to happen but very old configs
    still having "ulimit-n" could have been affected.

  • the "tcp-request session" rules would report an error upon a "reject"
    action, making the listener throttle itself to protect resources,
    which could actually amplify the problem.

  • the "commit ssl cert" command on the CLI used the old SSL_CTX instead
    of the new one, which caused some certs not to work anymore (found on
    openssl-1.0.2 with ECDSA+ECDHE). There is quite a number of other SSL
    SSL fixes for small bugs that were found while troubleshooting this
    issue, mainly in relation with dynamic cert updates.

  • the H1 mux could attempt to perform a sendto() when facing new data
    after having already failed, resulting in excess calls to sendto().

The rest has less impact or is less likely to be noticed, but feel free
to dig into the appended changelog.

I'm hearing 2.0 jealously complain that it's always his youngest brother
that's served first and that it would like to get a release as well, so
maybe I'll please the rest of the family this week, as the other stable
co-maintainers look busy right now (or they play it well :-)).

Speaking of this, for those currently testing 2.2-dev2, please make sure
to be up to date, as I was hit by two dirty crashes after deploying it on
haproxy.org this week-end, that were both addressed in the master branch.

[RELEASE] Released version 2.1.0

Released version 2.1.0 with the following main changes :
- BUG/MINOR: init: fix set-dumpable when using uid/gid
- MINOR: init: avoid code duplication while setting identify
- BUG/MINOR: ssl: ssl_pkey_info_index ex_data can store a dereferenced pointer
- BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1
- MINOR: peers: Alway show the table info for disconnected peers.
- MINOR: peers: Add TX/RX heartbeat counters.
- MINOR: peers: Add debugging information to "show peers".
- BUG/MINOR: peers: Wrong null "server_name" data field handling.
- MINOR: ssl/cli: 'abort ssl cert' deletes an on-going transaction
- BUG/MEDIUM: mworker: don't fill the -sf argument with -1 during the reexec
- BUG/MINOR: peers: "peer alive" flag not reset when deconnecting.
- BUILD/MINOR: ssl: fix compiler warning about useless statement
- BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is reported
- MINOR: contrib/prometheus-exporter: filter exported metrics by scope
- MINOR: contrib/prometheus-exporter: Add a param to ignore servers in maintenance
- BUILD: debug: Avoid warnings in dev mode with -02 because of some BUG_ON tests
- BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path
- BUG/MINOR: http-ana: Properly catch aborts during the payload forwarding
- DOC: Update http-buffer-request description to remove the part about chunks
- BUG/MINOR: stream-int: Fix si_cs_recv() return value
- DOC: internal: document the init calls
- MEDIUM: dns: Add resolve-opts "ignore-weight"
- MINOR: ssl: ssl_sock_prepare_ctx() return an error code
- MEDIUM: ssl/cli: apply SSL configuration on SSL_CTX during commit
- MINOR: ssl/cli: display warning during 'commit ssl cert'
- MINOR: version: report the version status in "haproxy -v"
- MINOR: version: emit the link to the known bugs in output of "haproxy -v"
- DOC: Add documentation about the use-service action
- MINOR: ssl: fix possible null dereference in error handling
- BUG/MINOR: ssl: fix curve setup with LibreSSL
- BUG/MINOR: ssl: Stop passing dynamic strings as format arguments
- CLEANUP: ssl: check if a transaction exists once before setting it
- BUG/MINOR: cli: fix out of bounds in -S parser
- MINOR: ist: add ist_find_ctl()
- BUG/MAJOR: h2: reject header values containing invalid chars
- BUG/MAJOR: h2: make header field name filtering stronger
- BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle state
- MINOR: h2: add a function to report H2 error codes as strings
- MINOR: mux-h2/trace: report the connection and/or stream error code
- SCRIPTS: create-release: show the correct origin name in suggested commands
- SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands
- BUG/MEDIUM: trace: fix a typo causing an incorrect startup error
- BUILD: reorder the objects in the makefile
- DOC: mention in INSTALL haproxy 2.1 is a stable stable version
- MINOR: version: indicate that this version is stable