Willy Tarreau
[ANNOUNCE] haproxy-1.8-rc3
November 11, 2017 09:40AM
Hi,

things are getting much better. We fixed a large number of remaining
issues in the multi-threaded code (mostly unmatched locks), and various
issues in the HTTP/2 code causing some streams to either time out or some
connections to be closed before the end of the response could be
transmitted. There were also some issues in the HTTP/1 response parser
used by the HTTP/2 gateway causing spinning loops on certain invalid
responses such as status codes made of more than 3 digits, or on chunked
responses filling the buffer. Also, the HTTP/1 parser now properly blocks
"PRI" requests which are in fact caused by an HTTP/2 preface sent to a
TCP frontend relaying to an HTTP backend.

There was an issue with the multi-threaded task scheduler converging
in O(N) when long series of tasks were running on the same thread, as
triggered with HTTP/2 benchmarks. This was addressed so that it now
does O(log(N)) again. So if you have run some benchmarks of H/2 with
multithreaded and were surprised with some low performance results,
you'll have to run them again :-) It's suspected that the applets
scheduler will need the same change by the way, because while it used
to endure little stress, with the cache that may change quite a bit.

The code is now expected to build fine again on Solaris since SPIN_LOCK
macros were renamed to HA_SPIN_LOCK, and the server-side 0-rtt TLS-1.3
code should now work.

In master-worker mode, the pid file now only reports the parent's pid,
which is more consistent with what is done by most other daemons and is
more friendly to many tools. Nothing changed for the legacy multi-process
mode however.

I've run a number of tests on this one and could not freeze it nor
crash it anymore. It even survived 100 million stats requests over H/2
with threads enabled without any error, something which previously
would cause a few timeouts or spinning loops.

I'm going to deploy 1.8-rc3 with threads enabled on haproxy.org now and
watch it a little bit.

We still have some cleanups to do in the code, and we have more or less
decided what to do to address the HTTP2/cache/filters incompatibilities
so hopefully cache+HTTP/2 will work fine together in rc4.

While I used to say "be extremely careful" till rc2, I'd now say that
you may want to give it a try on a single server if you're able to
quickly take it out or roll back in case of outage. Please at least try
to collect a core file if you see it crash, as there's no more known
case where this is expected to happen. And please keep in mind that the
HTTP/2 and multi-thread features are still experimental, so in case of
trouble, just disable H2 and/or threads and see if the issue persists.

Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Sources : http://www.haproxy.org/download/1.8/src/
Git repository : http://git.haproxy.org/git/haproxy-1.8.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
Changelog : http://www.haproxy.org/download/1.8/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

PS: I messed up during the first upload and force-pushed it again after
checking in the logs that nobody tried to pull it. In case you have
an automated mirror that reports an error, it's my fault and you'll
have to fix it by hand. The code doesn't differ at all, it's just
that the last commit with the changelog used to happen twice.

Willy
---
Complete changelog :
Christopher Faulet (4):
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix
BUILD: enable USE_THREAD for Solaris build.
BUG/MEDIUM: stream-int: Don't loss write's notifs when a stream is woken up
BUG/MINOR: pattern: Rely on the sample type to copy it in pattern_exec_match

Daniel Schneller (1):
DOC: Add note about encrypted password CPU usage

Emeric Brun (2):
BUG/MEDIUM: splice/threads: pipe reuse list was not protected.
BUG/MINOR: comp: fix compilation warning compiling without compression.

Olivier Houchard (7):
BUILD: use MAXPATHLEN instead of NAME_MAX.
BUG/MINOR: dns: Don't try to get the server lock if it's already held.
BUG/MINOR: dns: Don't lock the server lock in snr_check_ip_callback().
BUG/MINOR; ssl: Don't assume we have a ssl_bind_conf because a SNI is matched.
MINOR: ssl: Handle session resumption with TLS 1.3
MINOR: ssl: Spell 0x10101000L correctly.
MINOR: ssl: Handle sending early data to server.

William Lallemand (4):
MINOR: add master-worker in the warning about nbproc
MINOR: mworker: allow pidfile in mworker + foreground
MINOR: mworker: write parent pid in the pidfile
MINOR: mworker: do not store child pid anymore in the pidfile

Willy Tarreau (56):
BUG/MAJOR: threads/checks: add 4 missing spin_unlock() in various functions
BUG/MAJOR: threads/server: missing unlock in CLI fqdn parser
BUG/MINOR: cli: do not perform an invalid action on "set server check-port"
BUG/MAJOR: threads/checks: wrong use of SPIN_LOCK instead of SPIN_UNLOCK
CLEANUP: checks: remove return statements in locked functions
BUG/MINOR: cli: add severity in "set server addr" parser
CLEANUP: server: get rid of return statements in the CLI parser
BUG/MAJOR: cli/streams: missing unlock on exit "show sess"
BUG/MAJOR: threads/dns: add missing unlock on allocation failure path
BUG/MAJOR: threads/lb: fix missing unlock on consistent hash LB
BUG/MAJOR: threads/lb: fix missing unlock on map-based hash LB
BUG/MEDIUM: threads/stick-tables: close a race condition on stktable_trash_expired()
BUG/MAJOR: h2: set the connection's task to NULL when no client timeout is set
BUG/MAJOR: thread/listeners: enable_listener must not call unbind_listener()
BUG/MEDIUM: threads: don't try to free build option message on exit
MINOR: applets: no need to check for runqueue's emptiness in appctx_res_wakeup()
MINOR: ebtree: implement the scope-aware functions for eb32
MEDIUM: ebtree: specify the scope of every node inserted via eb32sc
MINOR: ebtree: update the eb32sc parent node's scope on delete
MEDIUM: ebtree: only consider the branches matching the scope in lookups
MINOR: ebtree: implement eb32sc_lookup_ge_or_first()
MAJOR: task: make use of the scope-aware ebtree functions
MINOR: task: simplify wake_expired_tasks() to avoid unlocking in the loop
MEDIUM: task: change the construction of the loop in process_runnable_tasks()
MINOR: threads: use faster locks for the spin locks
MINOR: tasks: only visit filled task slots after processing them
MEDIUM: tasks: implement a lockless scheduler for single-thread usage
BUG/MINOR: h2: set the "HEADERS_SENT" flag on stream, not connection
BUG/MEDIUM: h2: properly send an RST_STREAM on mux stream error
BUG/MEDIUM: h2: properly send the GOAWAY frame in the mux
BUG/MEDIUM: h2: don't try (and fail) to send non-existing data in the mux
MEDIUM: h2: remove the H2_SS_RESET intermediate state
BUG/MEDIUM: h2: fix some wrong error codes on connections
BUG/MEDIUM: h2: don't close the connection is there are data left
MINOR: h2: don't re-enable the connection's task when we're closing
BUG/MEDIUM: h2: properly set H2_SF_ES_SENT when sending the final frame
BUG/MINOR: h2: correctly check for H2_SF_ES_SENT before closing
MINOR: h2: add new stream flag H2_SF_OUTGOING_DATA
BUG/MINOR: h2: don't send GOAWAY on failed response
BUG/MINOR: stream-int: don't set MSG_MORE on closed request path
BUG/MAJOR: threads/tasks: fix the scheduler again
BUILD: ssl: fix build of backend without ssl
BUILD: shctx: do not depend on openssl anymore
BUG/MINOR: h1: the HTTP/1 make status code parser check for digits
BUG/MEDIUM: h2: reject non-3-digit status codes
BUG/MEDIUM: h2: split the function to send RST_STREAM
BUG/MEDIUM: h1: ensure the chunk size parser can deal with full buffers
MINOR: tools: don't use unlikely() in hex2i()
BUG/MEDIUM: h2: support orphaned streams
BUG/MEDIUM: threads/cli: fix "show sess" locking on release
CLEANUP: mux: remove the unused "release()" function
MINOR: cli: make "show fd" report the fd's thread mask
BUG/MEDIUM: stream: don't ignore res.analyse_exp anymore
CLEANUP: global: introduce variable pid_bit to avoid shifts with relative_pid
MEDIUM: http: always reject the "PRI" method
[RELEASE] Released version 1.8-rc3
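
Two of the HTTP/1 parser behaviours named in the announcement above (refusing status codes that are not exactly 3 digits, and refusing the "PRI" method that an HTTP/2 preface produces), sketched as an added example. This is not HAProxy's code; the function names and result codes are hypothetical, and the point is that malformed input gets a hard error instead of an endless "need more data".

```c
#include <stdio.h>
#include <string.h>

enum { H1_INVALID = -1, H1_NEED_MORE = -2 };  /* hypothetical result codes */

static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* Status code of the HTTP/1 status line in buf[0..len): 100..999 on success,
 * H1_NEED_MORE if buf is a valid but incomplete prefix, H1_INVALID otherwise.
 * Every byte is examined at most once, so the call always terminates. */
static int h1_status_code(const char *buf, size_t len)
{
    static const char ver[] = "HTTP/1.";
    size_t i = 0, end;
    int code = 0;

    for (; i < sizeof(ver) - 1; i++) {
        if (i == len) return H1_NEED_MORE;
        if (buf[i] != ver[i]) return H1_INVALID;
    }
    if (i == len) return H1_NEED_MORE;
    if (!is_digit(buf[i++])) return H1_INVALID;      /* minor version */
    if (i == len) return H1_NEED_MORE;
    if (buf[i++] != ' ') return H1_INVALID;
    for (end = i + 3; i < end; i++) {                 /* exactly 3 digits */
        if (i == len) return H1_NEED_MORE;
        if (!is_digit(buf[i])) return H1_INVALID;
        code = code * 10 + (buf[i] - '0');
    }
    if (i == len) return H1_NEED_MORE;
    /* A 4th digit (or anything but SP/CR) is a hard error, never "wait". */
    if (buf[i] != ' ' && buf[i] != '\r') return H1_INVALID;
    return code >= 100 ? code : H1_INVALID;           /* this example's choice */
}

/* 1 if the request starts with the "PRI" method, which is how an HTTP/1
 * parser sees the HTTP/2 preface "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n". */
static int h1_method_is_pri(const char *buf, size_t len)
{
    return len >= 4 && memcmp(buf, "PRI ", 4) == 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *ok = "HTTP/1.1 200 OK\r\n", *bad = "HTTP/1.1 2000 OK\r\n";
    const char *h2 = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";

    printf("%d %d %d\n", h1_status_code(ok, strlen(ok)),
           h1_status_code(bad, strlen(bad)), h1_method_is_pri(h2, strlen(h2)));
    return 0;
}
```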

---
Aleksandar Lazic
Re: [ANNOUNCE] haproxy-1.8-rc3
November 12, 2017 01:00AM
Great ;-)

Updated on docker hub.

https://hub.docker.com/r/me2digital/haproxy18/

###
HA-Proxy version 1.8-rc3-34650d5 2017/11/11
Copyright 2000-2017 Willy Tarreau <[email protected]>

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
-fwrapv -Wno-unused-label
OPTIONS = USE_LINUX_SPLICE=1 USE_GETADDRINFO=1 USE_ZLIB=1
USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1
USE_TFO=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents =
200

Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.4
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support.
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Encrypted password support via crypt(3): yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with multi-threading support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
###
