Hi,
HAProxy 2.1.0 was released on 2019/11/25. It added 45 new commits
after version 2.1-dev5.
As some might have noticed, the last week was quite calm except the last
few days with a few unexpected bugs to deal with. But that's better than
having bugs immediately after the release forcing a new version to be
emitted, so I'm not complaining :-)
For those not following development closely, 2.1 is a stable branch that
will be maintained till around Q1 2021, and is mostly aimed at experienced
users, just like 1.9 was.
The most sensitive changes since 2.0 that may possibly burn you include:
- improvements to multi-threading: it's now possible to wake up a
tasklet scheduled on another thread. The multi-queue connection
listener now exploits these multi-threaded tasklets to further
increase its performance and decrease latency (it used to rely on
the heavier tasks in 2.0).
- fd-cache removal: I/O handlers are now updated directly from the
pollers, and I/O completions enable/disable the pollers. It could
theoretically result in more calls to epoll_ctl() if we missed
something, but practically speaking we've seen a boost of ~20% in
connection rate thanks to this. Any report of a regression on a
corner-case workload is welcome.
- legacy HTTP mode removal, HTX is now mandatory. That's it. As
planned, only HTX remains implemented, and with the drop of the
18-year-old HTTP engine that had become extremely difficult to
maintain and adapt to new features, we also got rid of a large
number of tricky corner cases and pending bugs. Still, we know
that HTX remains young, but given that it's already required for
H2 backends, L7 retries, FastCGI, Prometheus and I don't remember
what else, it didn't make sense to keep an old mechanism conflicting
with existing features and preventing us from cleaning them up. By the
way, this also implied the removal of the old deprecated "http-tunnel"
mode.
And for the user-visible stuff, we can enumerate these:
- support of FastCGI servers (FastCGI is basically a different encoding
of HTTP, it was an obvious next step with HTX always on). For some
simple setups, it can simplify deployments by avoiding the need for
multiple layers.
- merging of same certificates: this will boot much faster on configs
with insane amounts of certificates (10k-100k) and will save a lot of
memory when multiple bind lines use the same certificate.
- support of runtime certificate updates. It's now possible to change
existing certs without reloading. Creation is yet another challenge,
and I understood that there are also some limitations in certain
situations where updates are still not possible (though an error
message will indicate it).
- logging to CLI: it's now possible to log to a ring buffer that can
be consulted from the CLI. This can help when logs are exported far
away and there's no local storage to keep a recent history.
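As an added example (not taken from the announcement), here is a minimal configuration that declares a ring buffer and sends a frontend's logs to it; the "ring" section is placed before the log line that references it, and the socket path and server address are constructed values.

```haproxy
global
    # admin-level socket so the ring can be read with "show events recent"
    stats socket /var/run/haproxy.sock mode 600 level admin   # assumed path

# in-memory log sink: old entries are overwritten once the buffer is full
ring recent
    description "last log lines of frontend web"
    format timed        # prefix each entry with a timestamp
    maxlen 1200         # longest log line kept
    size 32768          # total buffer size in bytes

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend web
    bind :80
    # log to the ring instead of (or in addition to) a remote syslog server
    log ring@recent local0 info
    default_backend app

backend app
    server s1 192.0.2.10:8080    # constructed address
```

On the CLI, "show events recent" dumps the buffer contents, which is what gives you a recent history when no syslog is reachable locally.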
- tracing of H1/H2/FCGI: the 3 HTTP-based protocols received lots of
trace points which can be dynamically enabled at run time at various
verbosity levels and with various triggers, in order to observe what
enters and leaves haproxy. At a low verbosity level this can simply
be used as a live request logger from the CLI.
- the prometheus-exporter now supports filtering exported metrics by
scope. The principle is to avoid dumping everything when only servers
or frontends are required for example.
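As an added example (not part of the announcement), a dedicated metrics listener for the exporter, with the scope filtering shown as query strings in comments; it assumes haproxy was built with the prometheus-exporter service and the bind address is a constructed value.

```haproxy
frontend metrics
    # constructed: listen on the management interface only, never on the
    # application frontends
    bind 127.0.0.1:8405
    mode http
    # the exporter is a service, so it answers directly without a backend
    http-request use-service prometheus-exporter if { path /metrics }
    # anything that is not the metrics path is refused on this listener
    http-request deny

    # Scope filtering (2.1): only the requested sections are dumped, e.g.
    #   GET /metrics?scope=frontend&scope=backend   -> no global/server lines
    #   GET /metrics?scope=server&no-maint          -> servers, minus those
    #                                                  in maintenance
```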
- all stats metrics include a human readable description of what the
metric is and what it relates to. This is visible using "show info desc"
or "show stat typed desc".
- new directives to work around bogus web applications which incorrectly
expect that some HTTP header fields match a certain case. This feature
was backported to 2.0.10 to ease transition to HTX.
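An added example (not from the announcement) of the case-adjustment directives for a broken application; the header names, backend and addresses are constructed. The "from" name must be lowercase and the same length as the "to" name.

```haproxy
global
    # map the lowercase names haproxy normalizes to (HTX) back to the exact
    # spelling the legacy application insists on
    h1-case-adjust content-length   Content-Length
    h1-case-adjust content-type     Content-Type
    h1-case-adjust x-requested-with X-Requested-With

frontend old_clients
    bind :80
    mode http
    # same fix for buggy clients that expect cased names in responses
    option h1-case-adjust-bogus-client
    default_backend legacy_app

backend legacy_app
    mode http
    # re-apply the casing above on the H1 requests sent to these servers
    option h1-case-adjust-bogus-server
    server app1 192.0.2.10:8080   # constructed address
```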
- some long-obsolete keywords have now been removed. These include
reqadd, reqdel, reqrep, etc. that were designed in version 1.1 to match a
full line from the incoming stream using regexes. They were totally
emulated for a while, and since 1.9 with HTX it became a total mess as the
request had to be reformatted on the fly just for the purpose of matching
a regex. Not to mention the mess of these "(^[^\ ]\+)" rules to match a
method before a path. The config parser will suggest what to use instead
when facing such a rule.
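As an added example (not from the announcement), a few typical 2.0 req* rules and their http-request equivalents operating on parsed fields; the paths and header names are constructed. The optional first group in the replace-uri regex keeps an absolute URI (as seen on H2 requests) intact.

```haproxy
frontend web
    bind :80
    mode http

    # 2.0 rules, rejected by the 2.1 parser (it suggests the replacement):
    #   reqrep  ^([^\ :]*)\ /old/(.*)     \1\ /new/\2
    #   reqdel  ^X-Internal-Token:
    #   reqadd  X-Forwarded-Proto:\ http
    #   reqdeny ^(GET|HEAD)\ /admin/

    # 2.1 equivalents: no raw request line, each field is addressed directly
    http-request replace-uri ^([^/:]*://[^/]*)?/old/(.*) \1/new/\2
    http-request del-header X-Internal-Token
    http-request set-header X-Forwarded-Proto http
    http-request deny if { method GET HEAD } { path_beg /admin/ }
    default_backend app

backend app
    server s1 192.0.2.10:8080    # constructed address
```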
- strict-limits: we've all been used to seeing haproxy warn on startup that
it didn't have enough FDs to allocate the required number of connections,
but start nevertheless. A number of people got caught in production
with this, especially more recently with systemd where warnings do not
appear on the console by default anymore. The new "strict-limits"
directive makes haproxy refuse to start when conditions are not met. It
is not enabled by default, but the default will change in 2.3 to be turned
on in order to avoid surprises. You have one more year to check your
configs :-)
- peers can now log! And they can be observed using "show peers". Thus
if you experience loss of stick-table synchronization you'll have more
ways to observe what is happening.
- the gpt0 value stored in stick-tables can now be set from an expression.
In short this allows you to store any arbitrary 32-bit value into a
stick-table and see it replicated to all peers. This might be exploited
to share useful information (thresholds, server counts, etc), or even
do very ugly things by using multiple static keys.
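As an added example (not from the announcement) of setting gpt0 from an expression: the timestamp at which a client first exceeded a request rate is stored in its stick-table entry and replicated to the other peer, so both nodes deny that client. The peer names and addresses are constructed.

```haproxy
peers mypeers
    peer hap1 192.0.2.1:1024     # constructed; one line per node
    peer hap2 192.0.2.2:1024

frontend web
    bind :80
    mode http
    # per-client entry: 10s request rate plus one 32-bit general-purpose tag,
    # replicated to every peer
    stick-table type ip size 100k expire 30m store gpt0,http_req_rate(10s) peers mypeers
    http-request track-sc0 src
    # the first time a client exceeds 100 req/10s, store *when* it happened
    # (unix time from the "date" fetch fits in the 32-bit gpt0)
    http-request sc-set-gpt0(0) date if { sc0_http_req_rate gt 100 } { sc0_get_gpt0 eq 0 }
    # a non-zero tag means "flagged", on this node or on the peer that set it
    http-request deny deny_status 429 if { sc0_get_gpt0 gt 0 }
    default_backend app

backend app
    server s1 192.0.2.10:8080    # constructed address
```

The flag lives as long as the entry (30m after the client's last request here); to lift it earlier, clear the key from the CLI with "clear table web key <ip>".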
- the DNS resolvers can now ignore the weights advertised in SRV records.
The reason is that some users use the DNS to define the perimeter of the
farm and an agent to define the weight.
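An added example (not from the announcement) of that split: SRV records decide which servers exist while an agent check sets the weight; the resolver address, SRV name and agent port are constructed.

```haproxy
resolvers dns
    nameserver ns1 192.0.2.53:53     # constructed
    accepted_payload_size 8192       # room for SRV answers listing many servers

backend app
    mode http
    balance roundrobin
    # the SRV answer defines the perimeter of the farm (which slots are filled);
    # its weight field is ignored, so only the agent reply drives the weight
    server-template app 10 _http._tcp.app.example.com resolvers dns resolve-opts ignore-weight check agent-check agent-port 9999 agent-inter 5s
```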
- new sample fetch functions and converters, such as sha2, srv_name,
srv_queue, uuid, fc_pp_authority, http_auth_{pass,type,user}. The pattern
lookup cache is now thread-local so that there's no more lock contention
in setups involving many regex/case insensitive lookups from ACLs or maps.
- it's now possible to specify the uid/gid of external programs.
- "haproxy -v" will now indicate the support status of the version you're
running (development, stable, LTS), an EOL date when known (for stable
releases), and a link to the bugs page so that it's easier for anyone
to figure out whether the version is up to date and what known bugs affect it.
For developers, some internal documentation was added (HTX API and initcalls).
As usual it's not as much as I'd like to have but we're making progress on
this front.
I'd also like to address special thanks to the people who help with QA and
bug reports, as overall we've improved the quality of our releases. And
more specifically I'm thinking about the developers who still feel quite
concerned by any bug in their code and who jump on reports. I'm thinking
about Lukas Tribus who's helping everyone on the Discourse forum, helping
with GitHub issues and running tests, and who very likely is the person
on this planet who knows haproxy the best by now for having dealt with
several thousand reports. I'm thinking about Ilya Shipitsin who maintains
the Travis and Cirrus CI and sorts out Coverity reports. Even if we still
have a number of false positives on the latter, at least they
remain at a manageable level and it managed to find real bugs, so I consider
that the overall balance is positive. And this will force us to improve
our comments in the code so that false positives are not turned into
issues. And I'd also like to thank Tim Düsterhus who is co-maintaining
the issue tracker with Lukas. For now bug reports remain quite manageable
and constitute a significant improvement over the previous situation,
helping us save time and head scratching. We have the usual very active
participants on the list responding a lot to those asking for help, with
Aleksandar, Jarno and Patrick being the most active ones. And of course,
a big thanks to all the testers and users taking the time to report issues,
collect traces, and to test the proposed fixes, as most of the time the
bugs can only be reproduced in the reporter's environment. This help is
invaluable and must continue. All of this pays off: we started to run
development versions in production on haproxy.org since 2.0-dev without
ever meeting any single issue. The server is currently running 2.1-dev5
and will be updated to 2.1.0. This is not something we could reasonably
do in the past so we're making progress.
Enough talking. I've pushed everything to the public places and created
2.2-dev0. I think that this time I got everything right for the release
(and I took notes). Please do not hesitate to report broken links or
anything that does not work.
Please find the usual URLs below:
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : http://www.haproxy.org/download/2.1/src/
Git repository : http://git.haproxy.org/git/haproxy-2.1.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
Changelog : http://www.haproxy.org/download/2.1/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
Willy
---
Complete changelog since 2.1-dev5:
Christopher Faulet (9):
BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is reported
MINOR: contrib/prometheus-exporter: filter exported metrics by scope
MINOR: contrib/prometheus-exporter: Add a param to ignore servers in maintenance
BUILD: debug: Avoid warnings in dev mode with -02 because of some BUG_ON tests
BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path
BUG/MINOR: http-ana: Properly catch aborts during the payload forwarding
DOC: Update http-buffer-request description to remove the part about chunks
BUG/MINOR: stream-int: Fix si_cs_recv() return value
DOC: Add documentation about the use-service action
Daniel Corbett (1):
MEDIUM: dns: Add resolve-opts "ignore-weight"
Emmanuel Hocdet (2):
BUG/MINOR: ssl: ssl_pkey_info_index ex_data can store a dereferenced pointer
BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1
Eric Salama (1):
BUILD/MINOR: ssl: fix compiler warning about useless statement
Frédéric Lécaille (5):
MINOR: peers: Alway show the table info for disconnected peers.
MINOR: peers: Add TX/RX heartbeat counters.
MINOR: peers: Add debugging information to "show peers".
BUG/MINOR: peers: Wrong null "server_name" data field handling.
BUG/MINOR: peers: "peer alive" flag not reset when deconnecting.
Lukas Tribus (1):
BUG/MINOR: ssl: fix curve setup with LibreSSL
Tim Duesterhus (1):
BUG/MINOR: ssl: Stop passing dynamic strings as format arguments
William Dauchy (4):
BUG/MINOR: init: fix set-dumpable when using uid/gid
MINOR: init: avoid code duplication while setting identify
MINOR: ssl: fix possible null dereference in error handling
CLEANUP: ssl: check if a transaction exists once before setting it
William Lallemand (6):
MINOR: ssl/cli: 'abort ssl cert' deletes an on-going transaction
BUG/MEDIUM: mworker: don't fill the -sf argument with -1 during the reexec
MINOR: ssl: ssl_sock_prepare_ctx() return an error code
MEDIUM: ssl/cli: apply SSL configuration on SSL_CTX during commit
MINOR: ssl/cli: display warning during 'commit ssl cert'
BUG/MINOR: cli: fix out of bounds in -S parser
Willy Tarreau (15):
DOC: internal: document the init calls
MINOR: version: report the version status in "haproxy -v"
MINOR: version: emit the link to the known bugs in output of "haproxy -v"
MINOR: ist: add ist_find_ctl()
BUG/MAJOR: h2: reject header values containing invalid chars
BUG/MAJOR: h2: make header field name filtering stronger
BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle state
MINOR: h2: add a function to report H2 error codes as strings
MINOR: mux-h2/trace: report the connection and/or stream error code
SCRIPTS: create-release: show the correct origin name in suggested commands
SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands
BUG/MEDIUM: trace: fix a typo causing an incorrect startup error
BUILD: reorder the objects in the makefile
DOC: mention in INSTALL haproxy 2.1 is a stable stable version
MINOR: version: indicate that this version is stable
---