From fbc8186248060d1a17057888681422f26c6742b60d0813609440f99629e1c4e0 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Fri, 7 Feb 2020 12:48:28 +0000 Subject: [PATCH 1/3] - Update to version 2.1.2+git0.d5b6759b5: * [RELEASE] Released version 2.1.2 * BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility * BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX stream * BUG/MINOR: state-file: do not leak memory on parse errors * BUG/MINOR: state-file: do not store duplicates in the global tree * BUG/MEDIUM: state-file: do not allocate a full buffer for each server entry * BUG/MINOR: ssl: openssl-compat: Fix getm_ defines * BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on the same fd * MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile attribute * BUG/MEDIUM: ssl: Revamp the way early data are handled. * BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreing requeuing * MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task * MINOR: http: add a new "replace-path" action * MINOR: debug: support logging to various sinks * BUG/MEDIUM: ssl: Don't set the max early data we can receive too early. * MINOR: sample: Validate the number of bits for the sha2 converter * BUG/MINOR: sample: always check converters' arguments * BUG/MINOR: sample: fix the closing bracket and LF in the debug converter * DOC: clarify the fact that replace-uri works on a full URI - drop the udev buildrequires completely OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=211 --- _service | 2 +- _servicedata | 2 +- haproxy-2.1.1+git0.4ae521379.tar.gz | 3 --- haproxy-2.1.2+git0.d5b6759b5.tar.gz | 3 +++ haproxy.changes | 29 +++++++++++++++++++++++++++++ haproxy.spec | 3 +-- 6 files changed, 35 insertions(+), 7 deletions(-) delete mode 100644 haproxy-2.1.1+git0.4ae521379.tar.gz create mode 100644 haproxy-2.1.2+git0.d5b6759b5.tar.gz diff --git a/_service b/_service index be635a9..a17ab51 100644 
--- a/_service +++ b/_service @@ -6,7 +6,7 @@ @PARENT_TAG@+git@TAG_OFFSET@.%h v(.*) \1 - v2.1.1 + v2.1.2 enable diff --git a/_servicedata b/_servicedata index ebc60aa..53ed1a7 100644 --- a/_servicedata +++ b/_servicedata @@ -1,6 +1,6 @@ http://git.haproxy.org/git/haproxy-2.1.git - 4ae521379e97fb23630fc60516e6f19c03a93b58 + d5b6759b51ad0b63608bec8e0b228f209e42ae6f \ No newline at end of file diff --git a/haproxy-2.1.1+git0.4ae521379.tar.gz b/haproxy-2.1.1+git0.4ae521379.tar.gz deleted file mode 100644 index 1ab6e0e..0000000 --- a/haproxy-2.1.1+git0.4ae521379.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8a23806a9d221107ae782b3d97e0163ab21d1dff62d147ebdd8d8e4f14a28e92 -size 2737454 diff --git a/haproxy-2.1.2+git0.d5b6759b5.tar.gz b/haproxy-2.1.2+git0.d5b6759b5.tar.gz new file mode 100644 index 0000000..4a16bde --- /dev/null +++ b/haproxy-2.1.2+git0.d5b6759b5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f62a41fa22f7b12ad58740b6eedac135a01a64a776f75105150afc20a0b90ef1 +size 2740242 diff --git a/haproxy.changes b/haproxy.changes index 9b20a0b..495adaf 100644 --- a/haproxy.changes +++ b/haproxy.changes 
@@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Fri Feb 07 12:48:02 UTC 2020 - mrueckert@suse.de + +- Update to version 2.1.2+git0.d5b6759b5: + * [RELEASE] Released version 2.1.2 + * BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility + * BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX stream + * BUG/MINOR: state-file: do not leak memory on parse errors + * BUG/MINOR: state-file: do not store duplicates in the global tree + * BUG/MEDIUM: state-file: do not allocate a full buffer for each server entry + * BUG/MINOR: ssl: openssl-compat: Fix getm_ defines + * BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on the same fd + * MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile attribute + * BUG/MEDIUM: ssl: Revamp the way early data are handled. + * BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreing requeuing + * MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task + * MINOR: http: add a new "replace-path" action + * MINOR: debug: support logging to various sinks + * BUG/MEDIUM: ssl: Don't set the max early data we can receive too early. + * MINOR: sample: Validate the number of bits for the sha2 converter + * BUG/MINOR: sample: always check converters' arguments + * BUG/MINOR: sample: fix the closing bracket and LF in the debug converter + * DOC: clarify the fact that replace-uri works on a full URI + +------------------------------------------------------------------- +Fri Feb 7 12:46:02 UTC 2020 - Marcus Rueckert + +- drop the udev buildrequires completely + ------------------------------------------------------------------- Thu Jan 23 13:10:03 UTC 2020 - Dominique Leuenberger diff --git a/haproxy.spec b/haproxy.spec index 9c6b9dd..9b4143d 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -47,7 +47,7 @@ %endif Name: haproxy -Version: 2.1.1+git0.4ae521379 +Version: 2.1.2+git0.d5b6759b5 Release: 0 # # 
@@ -72,7 +72,6 @@ BuildRequires: pcre-devel BuildRequires: zlib-devel BuildRequires: openssl-devel BuildRequires: pkg-config -BuildRequires: pkgconfig(udev) %if %{with systemd} BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(libsystemd) From 051439ae93b042d8362391b23946ddb588cf81b662a88ef70ce781ffa031e5e9 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Wed, 12 Feb 2020 15:42:47 +0000 Subject: [PATCH 2/3] - Update to version 2.1.3+git0.5c020bbdd: OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=212 --- _service | 2 +- _servicedata | 2 +- haproxy-2.1.2+git0.d5b6759b5.tar.gz | 3 - haproxy-2.1.3+git0.5c020bbdd.tar.gz | 3 + haproxy.changes | 92 +++++++++++++++++++++++++++++ haproxy.spec | 2 +- 6 files changed, 98 insertions(+), 6 deletions(-) delete mode 100644 haproxy-2.1.2+git0.d5b6759b5.tar.gz create mode 100644 haproxy-2.1.3+git0.5c020bbdd.tar.gz diff --git a/_service b/_service index a17ab51..90e1a6f 100644 --- a/_service +++ b/_service @@ -6,7 +6,7 @@ @PARENT_TAG@+git@TAG_OFFSET@.%h v(.*) \1 - v2.1.2 + v2.1.3 enable diff --git a/_servicedata b/_servicedata index 53ed1a7..ced6b8d 100644 --- a/_servicedata +++ b/_servicedata @@ -1,6 +1,6 @@ http://git.haproxy.org/git/haproxy-2.1.git - d5b6759b51ad0b63608bec8e0b228f209e42ae6f + 5c020bbddc3d9573f02cde383abc983ad0781fc1 \ No newline at end of file diff --git a/haproxy-2.1.2+git0.d5b6759b5.tar.gz b/haproxy-2.1.2+git0.d5b6759b5.tar.gz deleted file mode 100644 index 4a16bde..0000000 --- a/haproxy-2.1.2+git0.d5b6759b5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f62a41fa22f7b12ad58740b6eedac135a01a64a776f75105150afc20a0b90ef1 -size 2740242 diff --git a/haproxy-2.1.3+git0.5c020bbdd.tar.gz b/haproxy-2.1.3+git0.5c020bbdd.tar.gz new file mode 100644 index 0000000..11db92e --- /dev/null +++ b/haproxy-2.1.3+git0.5c020bbdd.tar.gz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e0a0b380bdd6f34240a7470e86d6c83463e8a2a98e2922b6e9fa8a55dd1bcd41
+size 2752990
diff --git a/haproxy.changes b/haproxy.changes
index 495adaf..d931117 100644
--- a/haproxy.changes
+++ b/haproxy.changes
@@ -1,3 +1,95 @@
+-------------------------------------------------------------------
+Wed Feb 12 15:42:26 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.1.3+git0.5c020bbdd:
+ * [RELEASE] Released version 2.1.3
+ * BUG/MINOR: tcp: don't try to set defaultmss when value is negative
+ * BUG/MINOR: http-ana: Set HTX_FL_PROXY_RESP flag if a server perform a redirect
+ * BUG/MINOR: http-ana: Don't overwrite outgoing data when an error is reported
+ * MINOR: htx/channel: Add a function to copy an HTX message in a channel's buffer
+ * MINOR: htx: Add a function to append an HTX message to another one
+ * DOC: word converter ignores delimiters at the start or end of input string
+ * MINOR: build: add aix72-gcc build TARGET and power{8,9} CPUs
+ * BUG/MINOR: tcp: avoid closing fd when socket failed in tcp_bind_listener
+ * BUG/MINOR: listener: enforce all_threads_mask on bind_thread on init
+ * BUG/MEDIUM: listener: only consider running threads when resuming listeners
+ * BUG/MINOR: dns: allow 63 char in hostname
+ * BUG/MINOR: unix: better catch situations where the unix socket path length is close to the limit
+ * DOC: schematic of the SSL certificates architecture
+ * BUG/MEDIUM: ssl/cli: 'commit ssl cert' wrong SSL_CTX init
+ * SCRIPTS: announce-release: allow the user to force to overwrite old files
+ * SCRIPTS: announce-release: place the send command in the mail's header
+ * CONTRIB: debug: also support reading values from stdin
+ * MINOR: acl: Warn when an ACL is named 'or'
+ * CONTRIB: debug: support reporting multiple values at once
+ * CONTRIB: debug: add the possibility to decode the value as certain types only
+ * CONTRIB: debug: add missing flags SF_HTX and SF_MUX
+ * BUG/MINOR: ssl: clear the SSL errors on DH loading failure
+ * BUG/MINOR: ssl: we may only ignore the first 64 errors
+ * BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is empty.
+ * BUG/MEDIUM: memory: Add a rwlock before freeing memory.
+ * MINOR: memory: Only init the pool spinlock once.
+ * BUG/MEDIUM: memory_pool: Update the seq number in pool_flush().
+ * BUG/MEDIUM: connections: Don't forget to unlock when killing a connection.
+ * BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2
+ * BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer.
+ * BUG/MEDIUM: pipe: fix a use-after-free in case of pipe creation error
+ * BUG/MINOR: tcpchecks: fix the connect() flags regarding delayed ack
+ * BUG/MEDIUM: ssl: Don't forget to free ctx->ssl on failure.
+ * MINOR: lua: Add HLUA_PREPEND_C?PATH build option
+ * MINOR: lua: Add lua-prepend-path configuration option
+ * MINOR: lua: Add hlua_prepend_path function
+ * BUILD: cfgparse: silence a bogus gcc warning on 32-bit machines
+ * BUG/MEDIUM: mux-h2: make sure we don't emit TE headers with anything but "trailers"
+ * BUG/MINOR: stktable: report the current proxy name in error messages
+ * BUG/MEDIUM: 0rtt: Only consider the SSL handshake.
+ * BUG/MINOR: ssl/cli: ocsp_issuer must be set w/ "set ssl cert"
+ * BUG/MINOR: ssl: typo in previous patch
+ * BUG/MINOR: ssl: memory leak w/ the ocsp_issuer
+ * BUG/MINOR: ssl: increment issuer refcount if in chain
+ * CLEANUP: stats: shut up a wrong null-deref warning from gcc 9.2
+ * BUG/MINOR: ssl/cli: free the previous ckch content once a PEM is loaded
+ * BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent
+ * BUG/MEDIUM: netscaler: Don't forget to allocate storage for conn->src/dst.
+ * BUG/MINOR: http_act: don't check capture id in backend
+ * MINOR: proxy/http-ana: Add support of extra attributes for the cookie directive
+ * BUG/MINOR: ssl: ssl_sock_load_sctl_from_file memory leak
+ * BUG/MINOR: ssl: ssl_sock_load_issuer_file_into_ckch memory leak
+ * BUG/MINOR: ssl: ssl_sock_load_ocsp_response_from_file memory leak
+ * BUG/MINOR: tcp-rules: Fix memory releases on error path during action parsing
+ * BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during parsing
+ * BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules
+ * BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all filters
+ * BUILD: pattern: include errno.h
+ * BUG/MINOR: 51d: Fix bug when HTX is enabled
+ * BUG/MINOR: dns: Make dns_query_id_seed unsigned
+ * BUG/MINOR: cache: Fix leak of cache name in error path
+ * BUG/MINOR: pattern: handle errors from fgets when trying to load patterns
+ * BUG/MEDIUM: connection: add a mux flag to indicate splice usability
+ * BUG/MINOR: stream: don't mistake match rules for store-request rules
+ * BUG/MEDIUM: cli: _getsocks must send the peers sockets
+ * REGTEST: add sample_fetches/hashes.vtc to validate hashes
+ * BUG/MAJOR: hashes: fix the signedness of the hash inputs
+ * BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed().
+ * BUG/MEDIUM: mworker: remain in mworker mode during reload
+ * REGTEST: mcli/mcli_start_progs: start 2 programs
+ * BUG/MINOR: cli/mworker: can't start haproxy with 2 programs
+ * BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary
+ * BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch
+ * BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send()
+ * BUG/MEDIUM: tasks: Use the MT macros in tasklet_free().
+ * BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is already reached + * BUG/MEDIUM: session: do not report a failure when rejecting a session + * BUG/MINOR: channel: inject output data at the end of output + * BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is applied + * BUG/MINOR: proxy: Fix input data copy when an error is captured + * BUG/MINOR: h1: Report the right error position when a header value is invalid + * MINOR: ssl: Remove unused variable "need_out". + * MINOR: config: disable busy polling on old processes + * BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection. + * BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is ready. + * BUG/MINOR: checks: refine which errno values are really errors. + ------------------------------------------------------------------- Fri Feb 07 12:48:02 UTC 2020 - mrueckert@suse.de diff --git a/haproxy.spec b/haproxy.spec index 9b4143d..35070f3 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -47,7 +47,7 @@ %endif Name: haproxy -Version: 2.1.2+git0.d5b6759b5 +Version: 2.1.3+git0.5c020bbdd Release: 0 # # From 01a99e5686be8d555b99f92dbbb930a33c43f33fda9669922c3d748e1f5e2f9d Mon Sep 17 00:00:00 2001 
From: Marguerite Su Date: Sun, 16 Feb 2020 08:10:04 +0000 Subject: [PATCH 3/3] Accepting request 774367 from home:kukuk:container - Remove unsupported options from example haproxy.cfg - Make haproxy useable for containers - Use sysusers.d to create users. - Use systemd_ordering instead of requiring systemd. - Own vim syntax directory instead of requiring vim. This also solves the problem the directory got never removed if vim is updated before haproxy. OBS-URL: https://build.opensuse.org/request/show/774367 OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=213 --- haproxy-user.conf | 3 +++ haproxy.cfg | 1 - haproxy.changes | 11 +++++++++++ haproxy.spec | 46 ++++++++++++++++++++++++++++++++++++++-------- 4 files changed, 52 insertions(+), 9 deletions(-) create mode 100644 haproxy-user.conf diff --git a/haproxy-user.conf b/haproxy-user.conf new file mode 100644 index 0000000..1d72a75 --- /dev/null +++ b/haproxy-user.conf @@ -0,0 +1,3 @@ +# Type Name ID GECOS [HOME] +u haproxy - "User for haproxy" /var/lib/haproxy + diff --git a/haproxy.cfg b/haproxy.cfg index dc68fe5..4468995 100644 --- a/haproxy.cfg +++ b/haproxy.cfg @@ -32,4 +32,3 @@ listen stats stats enable stats uri / stats refresh 5s - rspadd Server:\ haproxy/1.6 diff --git a/haproxy.changes b/haproxy.changes index d931117..a56e75e 100644 --- a/haproxy.changes +++ b/haproxy.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Fri Feb 14 13:23:23 UTC 2020 - Thorsten Kukuk + +- Remove unsupported options from example haproxy.cfg +- Make haproxy useable for containers + - Use sysusers.d to create users. + - Use systemd_ordering instead of requiring systemd. + - Own vim syntax directory instead of requiring vim. This also + solves the problem the directory got never removed if vim is + updated before haproxy. + ------------------------------------------------------------------- Wed Feb 12 15:42:26 UTC 2020 - mrueckert@suse.de 
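Review bot: The new sysusers.d entry in haproxy-user.conf hard-codes the home directory as /var/lib/haproxy and gives no shell field, whereas the scriptlet this series removes from haproxy.spec passed `-d %{pkg_home}` and `-s /bin/false` explicitly. If `%{pkg_home}` (defined outside the visible hunks) ever changes, the account's home and the `%dir %attr(-,root,haproxy) %{pkg_home}` entry in `%files` will diverge, and the non-login shell now depends on the default of whichever tool processes this file. I would record both in the file with a comment such as `# HOME must match %{pkg_home} in haproxy.spec; no shell is given, so the sysusers default (expected to be a nologin shell) applies`, and confirm on a test install that the resulting account has no login shell.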
diff --git a/haproxy.spec b/haproxy.spec index 35070f3..b20e967 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -46,6 +46,12 @@ %bcond_with apparmor_reload %endif +%if 0%{?suse_version} >= 1500 +%bcond_without sysusers +%else +%bcond_with sysusers +%endif + Name: haproxy Version: 2.1.3+git0.5c020bbdd Release: 0 @@ -75,6 +81,10 @@ BuildRequires: pkg-config %if %{with systemd} BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(libsystemd) +%if %{with sysusers} +BuildRequires: sysuser-shadow +BuildRequires: sysuser-tools +%endif %endif BuildRequires: vim %define pkg_name haproxy @@ -87,6 +97,7 @@ Source1: %{pkg_name}.init Source2: usr.sbin.haproxy.apparmor Source3: local.usr.sbin.haproxy.apparmor Source4: haproxy.cfg +Source5: haproxy-user.conf Patch1: haproxy-1.6.0_config_haproxy_user.patch Patch2: haproxy-1.6.0-makefile_lib.patch Patch3: haproxy-1.6.0-sec-options.patch @@ -100,10 +111,11 @@ Provides: %{name}-doc = %{version} Obsoletes: %{name}-doc < %{version} Provides: haproxy-1.5 = %{version} Obsoletes: haproxy-1.5 < %{version} -# this requires is not strictly needed. we only need it for the ownership of the vim data dir -Requires: vim %if %{with systemd} -%{?systemd_requires} +%{?systemd_ordering} +%if %{with sysusers} +%sysusers_requires +%endif %endif %{!?vim_data_dir:%global vim_data_dir /usr/share/vim/%(readlink /usr/share/vim/current)} @@ -160,6 +172,9 @@ make \ DEBUG_CFLAGS="%{optflags}" V=1 %if %{with systemd} make -C contrib/systemd PREFIX="%{_prefix}" +%if %{with sysusers} +%sysusers_generate_pre %{SOURCE5} haproxy +%endif %endif make -C contrib/halog PREFIX="%{_prefix}" \ DEFINE="%{optflags} -pie -fpie -fstack-protector -Wl,-z,relro,-z,now" 
@@ -174,6 +189,9 @@ install -D -m 0755 contrib/halog/halog %{buildroot}%{_sbindir}/haproxy-halog %if %{with systemd} install -D -m 0644 contrib/systemd/%{pkg_name}.service %{buildroot}%{_unitdir}/%{pkg_name}.service ln -sf /sbin/service %{buildroot}%{_sbindir}/rc%{pkg_name} +%if %{with sysusers} +install -D -m 644 %{SOURCE5} %{buildroot}%{_sysusersdir}/haproxy-user.conf +%endif %else install -D -m 0755 %{S:1} %{buildroot}%{_sysconfdir}/init.d/%{pkg_name} ln -fs %{_sysconfdir}/init.d/%{pkg_name} %{buildroot}%{_sbindir}/rc%{pkg_name} @@ -189,13 +207,13 @@ install -D -m 0644 %{S:3} %{buildroot}/etc/apparmor.d/local/us rm examples/*init* -%pre -getent group %{pkg_name} >/dev/null || /usr/sbin/groupadd -r %{pkg_name} -getent passwd %{pkg_name} >/dev/null || \ - /usr/sbin/useradd -g %{pkg_name} -s /bin/false -r \ - -c "user for %{pkg_name}" -d %{pkg_home} %{pkg_name} %if %{with systemd} +%if %{with sysusers} +%pre -f haproxy.pre +%else +%pre +%endif %service_add_pre %{pkg_name}.service %post @@ -212,6 +230,12 @@ getent passwd %{pkg_name} >/dev/null || \ %else +%pre +getent group %{pkg_name} >/dev/null || /usr/sbin/groupadd -r %{pkg_name} +getent passwd %{pkg_name} >/dev/null || \ + /usr/sbin/useradd -g %{pkg_name} -s /bin/false -r \ + -c "user for %{pkg_name}" -d %{pkg_home} %{pkg_name} + %post %fillup_and_insserv %{pkg_name} %if %{with apparmor} && %{with apparmor_reload} @@ -237,6 +261,9 @@ getent passwd %{pkg_name} >/dev/null || \ %config(noreplace) %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}/* %if %{with systemd} %{_unitdir}/%{pkg_name}.service +%if %{with sysusers} +%{_sysusersdir}/haproxy-user.conf +%endif %else %config(noreplace) %{_sysconfdir}/init.d/%{pkg_name} %endif 
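Review bot: In the `@@ -189,13 +207,13 @@` hunk the systemd branch without sysusers is left as a bare `%pre` followed only by `%service_add_pre`, so nothing creates the haproxy user and group on that path; the `getent`/`groupadd`/`useradd` lines were moved (hunk `@@ -212,6 +230,12 @@`) into the non-systemd `%else` branch only. Given the `%bcond` added at the top of the spec, that path is any systemd build where `suse_version` is below 1500, and there the `%attr(-,root,haproxy)` entries in `%files` would have no group to resolve to and the daemon no unprivileged account to run as. The inner `%else` should keep the account creation ahead of `%service_add_pre`, as sketched below. The `%if %{with systemd}` block continues past the end of the hunk.

```spec
%if %{with sysusers}
%pre -f haproxy.pre
%else
%pre
getent group %{pkg_name} >/dev/null || /usr/sbin/groupadd -r %{pkg_name}
getent passwd %{pkg_name} >/dev/null || \
  /usr/sbin/useradd -g %{pkg_name} -s /bin/false -r \
  -c "user for %{pkg_name}" -d %{pkg_home} %{pkg_name}
%endif
%service_add_pre %{pkg_name}.service
# … unchanged: %post and the rest of the systemd branch …
```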
@@ -245,6 +272,9 @@ getent passwd %{pkg_name} >/dev/null || \ %{_sbindir}/rchaproxy %dir %attr(-,root,haproxy) %{pkg_home} %{_mandir}/man1/%{pkg_name}.1.gz +%dir %{_datadir}/vim +%dir %{vim_data_dir} +%dir %{vim_data_dir}/syntax %{vim_data_dir}/syntax/%{pkg_name}.vim %if %{with apparmor} %if 0%{?suse_version} == 1110