diff --git a/_service b/_service index 7541102..d52be1b 100644 --- a/_service +++ b/_service @@ -1,12 +1,12 @@ - http://git.haproxy.org/git/haproxy-1.8.git + http://git.haproxy.org/git/haproxy-2.0.git git haproxy - @PARENT_TAG@~git@TAG_OFFSET@.%h + @PARENT_TAG@+git@TAG_OFFSET@.%h v(.*) \1 - v1.8.20 + master enable diff --git a/_servicedata b/_servicedata index a871554..1920ab6 100644 --- a/_servicedata +++ b/_servicedata @@ -1,8 +1,6 @@ - - http://git.haproxy.org/git/haproxy-1.6.git - 864bf78c3b6898eb12ece5f0a44032090f26f57f - http://git.haproxy.org/git/haproxy-1.7.git - 640d526f8cdad00f7f5043b51f6a34f3f6ebb49f - http://git.haproxy.org/git/haproxy-1.8.git - 6fb9fadc5311cd00beb522a35596d3aa63f24fdb \ No newline at end of file + + http://git.haproxy.org/git/haproxy-2.0.git + 5db881ff0506bd5bb6caf9d80a06e79afa7473ca + + diff --git a/haproxy-1.6.0-makefile_lib.patch b/haproxy-1.6.0-makefile_lib.patch index 33c4611..9debd31 100644 --- a/haproxy-1.6.0-makefile_lib.patch +++ b/haproxy-1.6.0-makefile_lib.patch @@ -1,9 +1,9 @@ -Index: Makefile -=================================================================== ---- Makefile.orig -+++ Makefile -@@ -647,7 +647,7 @@ ifneq ($(USE_PCRE)$(USE_STATIC_PCRE)$(US - PCREDIR := $(shell pcre-config --prefix 2>/dev/null || echo /usr/local) +diff --git a/Makefile b/Makefile +index d62fead7..33fa6338 100644 +--- a/Makefile ++++ b/Makefile +@@ -619,7 +619,7 @@ PCRE_CONFIG := pcre-config + PCREDIR := $(shell $(PCRE_CONFIG) --prefix 2>/dev/null || echo /usr/local) ifneq ($(PCREDIR),) PCRE_INC := $(PCREDIR)/include -PCRE_LIB := $(PCREDIR)/lib @@ -11,3 +11,12 @@ Index: Makefile endif ifeq ($(USE_STATIC_PCRE),) +@@ -638,7 +638,7 @@ PCRE2_CONFIG := pcre2-config + PCRE2DIR := $(shell $(PCRE2_CONFIG) --prefix 2>/dev/null || echo /usr/local) + ifneq ($(PCRE2DIR),) + PCRE2_INC := $(PCRE2DIR)/include +-PCRE2_LIB := $(PCRE2DIR)/lib ++PCRE2_LIB := $(PCRE2DIR)/$(LIB) + + ifeq ($(PCRE2_WIDTH),) + PCRE2_WIDTH = 8 
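Review bot: The `_service` hunk replaces the fixed tag `v1.8.20` with the branch name `master` and keeps the source URL on plain `http://`, so what a service run fetches is neither pinned to a reviewed ref nor protected in transit. The commit id recorded in `_servicedata` (`5db881ff0506bd5bb6caf9d80a06e79afa7473ca`) and the sha256 in the tarball's LFS pointer are the only things that fix the packaged content, so each refresh of that id should be checked against upstream over an authenticated channel. If the upstream host serves the repository over TLS, I would change the URL to `https://git.haproxy.org/git/haproxy-2.0.git` and add a comment that `master` here means the 2.0 maintenance branch. The XML markup of this hunk is not visible on the page, so the parameter names are inferred.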
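Review bot: `PCRE2_LIB := $(PCRE2DIR)/$(LIB)` in the second hunk of `haproxy-1.6.0-makefile_lib.patch` expands to a bare `$(PCRE2DIR)/` when `LIB` is not passed on the make command line, and nothing in the visible context gives it a default. The same presumably applies to the existing `PCRE_LIB` line, which falls between the two hunks and is not shown. The spec's make invocation is only partly visible here, so it may already pass `LIB`; if the patch is meant to stand on its own, adding `LIB ?= lib` ahead of these assignments keeps the library path well defined. A short header in the patch explaining that `LIB` is the distribution's library directory name would also help the next rebase.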
diff --git a/haproxy-1.6.0-sec-options.patch b/haproxy-1.6.0-sec-options.patch index 9069a3c..3b689be 100644 --- a/haproxy-1.6.0-sec-options.patch +++ b/haproxy-1.6.0-sec-options.patch @@ -1,9 +1,15 @@ -Index: Makefile -=================================================================== ---- Makefile.orig -+++ Makefile -@@ -674,6 +674,35 @@ OPTIONS_CFLAGS += -DUSE_TFO - BUILD_OPTIONS += $(call ignore_implicit,USE_TFO) +commit 88413472b09e2ecd4ad2b4a00992184c14d5723c +Author: Kristoffer Gronlund +Date: Mon Jun 17 13:00:08 2019 +0000 + + SUSE: Makefile sec options + +diff --git a/Makefile b/Makefile +index 33fa6338..3777ad6d 100644 +--- a/Makefile ++++ b/Makefile +@@ -675,6 +675,35 @@ endif + endif endif +# PIE diff --git a/haproxy-1.6.0_config_haproxy_user.patch b/haproxy-1.6.0_config_haproxy_user.patch index 361e0e4..8b5fef5 100644 --- a/haproxy-1.6.0_config_haproxy_user.patch +++ b/haproxy-1.6.0_config_haproxy_user.patch @@ -15,20 +15,6 @@ Index: haproxy-1.6.0/examples/acl-content-sw.cfg pidfile /var/run/haproxy.pid daemon quiet -Index: haproxy-1.6.0/examples/auth.cfg -=================================================================== ---- haproxy-1.6.0.orig/examples/auth.cfg -+++ haproxy-1.6.0/examples/auth.cfg -@@ -1,7 +1,7 @@ - global --# chroot /var/empty/ --# uid 451 --# gid 451 -+ user haproxy -+ group haproxy -+ chroot /var/lib/haproxy - log 192.168.131.214:8514 local4 debug - maxconn 8192 Index: haproxy-1.6.0/examples/content-sw-sample.cfg =================================================================== 
@@ -64,20 +50,6 @@ Index: haproxy-1.6.0/examples/option-http_proxy.cfg nbproc 4 daemon -Index: haproxy-1.6.0/examples/ssl.cfg -=================================================================== ---- haproxy-1.6.0.orig/examples/ssl.cfg -+++ haproxy-1.6.0/examples/ssl.cfg -@@ -4,6 +4,9 @@ - - global - maxconn 100 -+ chroot /var/lib/haproxy -+ user haproxy -+ group haproxy - - defaults - mode http Index: haproxy-1.6.0/examples/transparent_proxy.cfg =================================================================== --- haproxy-1.6.0.orig/examples/transparent_proxy.cfg diff --git a/haproxy-1.8.20~git0.6fb9fadc.tar.gz b/haproxy-1.8.20~git0.6fb9fadc.tar.gz deleted file mode 100644 index 52b8209..0000000 --- a/haproxy-1.8.20~git0.6fb9fadc.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2532e32c049351060e35aa4d5fda51ca76e1c411b00b8578609134250cd06000 -size 2142728 diff --git a/haproxy-2.0.1+git27.5db881ff.tar.gz b/haproxy-2.0.1+git27.5db881ff.tar.gz new file mode 100644 index 0000000..fbc3034 --- /dev/null +++ b/haproxy-2.0.1+git27.5db881ff.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:728a964b51d9438b5a4d0098fccbcc697f55869f10a273e4f47d8d00d99934f8 +size 2618306 diff --git a/haproxy.changes b/haproxy.changes index 49dc44c..89374e1 100644 --- a/haproxy.changes +++ b/haproxy.changes 
@@ -1,3 +1,178 @@
+-------------------------------------------------------------------
+Tue Jul 09 11:48:41 UTC 2019 - kgronlund@suse.com
+
+- Update to version 2.0.1+git27.5db881ff:
+ * BUG/MINOR: ssl: revert empty handshake detection in OpenSSL <= 1.0.2
+ * BUG/MEDIUM: servers: Don't forget to set srv_cs to NULL if we can't reuse it.
+ * BUG/MEDIUM: stream-int: Don't rely on CF_WRITE_PARTIAL to unblock opposite si
+ * MINOR: stream-int: Factorize processing done after sending data in si_cs_send()
+ * BUG/MINOR: mux-h1: Don't process input or ouput if an error occurred
+ * BUG/MEDIUM: mux-h1: Handle TUNNEL state when outgoing messages are formatted
+ * BUG/MEDIUM: lb_fas: Don't test the server's lb_tree from outside the lock
+ * BUG/MEDIUM: http/applet: Finish request processing when a service is registered
+ * MINOR: action: Add the return code ACT_RET_DONE for actions
+ * BUG/MINOR: contrib/prometheus-exporter: Don't try to add empty data blocks
+ * MINOR: server: Add "no-tfo" option.
+ * BUG/MEDIUM: sessions: Don't keep an extra idle connection in sessions.
+ * BUG/MEDIUM: servers: Authorize tfo in default-server.
+ * BUG/MEDIUM: connections: Make sure we're unsubscribe before upgrading the mux.
+ * BUG/MINOR: contrib/prometheus-exporter: Respect the reserve when data are sent
+ * BUG/MINOR: hlua/htx: Respect the reserve when HTX data are sent
+ * BUG/MEDIUM: channel/htx: Use the total HTX size in channel_htx_recv_limit()
+ * BUG/MINOR: hlua: Don't use channel_htx_recv_max()
+ * BUG/MINOR: contrib/prometheus-exporter: Don't use channel_htx_recv_max()
+ * BUG/MEDIUM: checks: Make sure the tasklet won't run if the connection is closed.
+ * BUG/MEDIUM: connections: Always call shutdown, with no linger.
+ * BUG/MINOR: mux-h1: Don't return the empty chunk on HEAD responses
+ * BUG/MINOR: mux-h1: Skip trailers for non-chunked outgoing messages
+ * BUG/MEDIUM: checks: unblock signals in external checks
+ * BUG/MEDIUM: mux-h1: Always release H1C if a shutdown for writes was reported
+ * BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL.
+ * BUG/MINOR: mworker/cli: don't output a \n before the response
+ * BUG/MINOR: mux-h1: Make format errors during output formatting fatal
+ * BUG/MEDIUM: mux-h1: Use buf_room_for_htx_data() to detect too large messages
+ * BUG/MEDIUM: proto_htx: Don't add EOM on 1xx informational messages
+ * BUG/MINOR: log: Detect missing sampling ranges in config
+ * BUG/MINOR: memory: Set objects size for pools in the per-thread cache
+ * BUG/MAJOR: mux-h1: Don't crush trash chunk area when outgoing message is formatted
+ * BUG/MINOR: htx: Save hdrs_bytes when the HTX start-line is replaced
+ * BUG/MEDIUM: ssl: Don't do anything in ssl_subscribe if we have no ctx.
+ * BUG/MEDIUM: connections: Always add the xprt handshake if needed.
+ * BUG/MEDIUM: stream_interface: Don't add SI_FL_ERR the state is < SI_ST_CON.
+ * BUG/MINOR: spoe: Fix memory leak if failing to allocate memory
+ * BUG/MEDIUM: mworker/cli: command pipelining doesn't work anymore
+ * BUG/MEDIUM: mworker: don't call the thread and fdtab deinit
+ * BUG/MINOR: mworker-prog: Fix segmentation fault during cfgparse
+ * BUG/MAJOR: sample: Wrong stick-table name parsing in "if/unless" ACL condition.
+ * BUG/MEDIUM: lb_fwlc: Don't test the server's lb_tree from outside the lock
+ * BUG/MEDIUM: mux-h2: Remove the padding length when a DATA frame size is checked
+ * BUG/MEDIUM: mux-h2: Reset padlen when several frames are demux
+
+-------------------------------------------------------------------
+Sun Jun 30 10:24:18 UTC 2019 - Jan Engelhardt
+
+- Correct version line, which should be 2.0.0+git6.
+
+-------------------------------------------------------------------
+Tue Jun 18 12:09:15 UTC 2019 - Marcus Rueckert
+
+- allow the new master socket path in the apparmor profile
+
+-------------------------------------------------------------------
+Tue Jun 18 12:04:20 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.0~git6.41dc8432:
+ * BUG/MEDIUM: htx: Fully update HTX message when the block value is changed
+ * MINOR: htx: Add the function htx_change_blk_value_len()
+ * BUG/MEDIUM: compression: Set Vary: Accept-Encoding for compressed responses
+ * BUG/MINOR: mux-h1: Add the header connection in lower case in outgoing messages
+ * BUG/MINOR: lua/htx: Make txn.req_req_* and txn.res_rep_* HTX aware
+ * BUG/MEDIUM: h2/htx: Update data length of the HTX when the cookie list is built
+
+-------------------------------------------------------------------
+Mon Jun 17 12:33:47 UTC 2019 - kgronlund@suse.com
+
+- Update to version 2.0.0~git0.ba23630a:
+ - new internal native HTTP representation called HTX, was already in 1.9
+ and is now enabled by default in 2.0 ;
+
+ - end-to-end HTTP/2 support including trailers and continuation frames,
+ as needed for gRPC ; HTTP/2 may also be upgraded from HTTP/1.1 using
+ the H2 preface;
+
+ - server connection pooling and more advanced reuse, with ALPN protocol
+ negotiation (already in 1.9) ;
+
+ - layer 7 retries, allowing to use 0-RTT and TCP Fast Open to the servers
+ as well as on the frontend ;
+
+ - much more scalable multi-threading, which is even enabled by default on
+ platforms where it was successfully tested ; by default, as many threads
+ are started as the number of CPUs haproxy is allowed to run on. This
+ removes a lot of configuration burden in VMs and containers ;
+
+ - automatic maxconn setting for the process and the frontends, directly
+ based on the number of available FDs (easier configuration in containers
+ and with systemd) ;
+
+ - logging to stdout for use in containers and systemd (already in 1.9).
+ Logs can now provide micro-second resolution for some events ;
+
+ - peers now support SSL, declaration of multiple stick-tables directly in
+ the peers section, and synchronization of server names, not just IDs ;
+
+ - In master-worker mode, the master process now exposes its own CLI and
+ can communicate with all other processes (including the stopping ones),
+ even allowing to connect to their CLI and check their state. It is also
+ possible to start some sidecar programs and monitor them from the master,
+ and the master can automatically kill old processes that survived too
+ many reloads ;
+
+ - the incoming connections are load-balanced between all threads depending
+ on their load to minimize the processing time and maximize the capacity
+ (already in 1.9) ;
+
+ - the SPOE connection load-balancing was significantly improved in order
+ to reduce high percentiles of SPOA response time (already in 1.9) ;
+
+ - the "random" load balancing algorithm and a power-of-two-choices variant
+ were introduced ;
+
+ - statistics improvements with per-thread counters for certain things, and
+ a prometheus exporter for all our statistics;
+
+ - lots of debugging help, it's easier to produce a core dump, there are
+ new commands on the CLI to control various things, there is a watchdog
+ to fail cleanly when a thread deadlock or a spinning task are detected,
+ so overall it should provide a better experience in field and less
+ round trips between users and developers (hence less stress during an
+ incident).
+
+ - all 3 device detection engines are now compatible with multi-threading
+ and can be build-tested without any external dependencies ;
+
+ - "do-resolve" http-request action to perform a DNS resolution on any,
+ sample, and resolvers now support relying on /etc/resolv.conf to match
+ the local resolver ;
+
+ - log sampling and balancing : it's now possible to send 1 log every 10
+ to a server, or to spread the logging load over multiple log servers;
+
+ - a new SPOA agent (spoa_server) allows to interface haproxy with Python
+ and Lua programs ;
+
+ - support for Solaris' event ports (equivalent of kqueue or epoll) which
+ will significantly improve the performance there when dealing with
+ numerous connections ;
+
+ - some warnings are now reported for some deprecated options that will
+ be removed in 2.1. Since 2.0 is long term supported, there's no
+ emergency to convert them, however if you see these warnings, you
+ need to understand that you're among their extremely rare users and
+ just because of this you may be taking risks by keeping them ;
+
+ - A new SOCKS4 server-side layer was provided ; it allows outgoing
+ connections to be forwarded through a SOCKS4 proxy (such as ssh -D).
+
+ - priority- and latency- aware server queues : it is possible now to
+ assign priorities to certain requests and/or to give them a time
+ bonus or penalty to refine control of the traffic and be able to
+ engage on SLAs.
+
+ - internally the architecture was significantly redesigned to allow to
+ further improve performance and make it easier to implement protocols
+ that span over multiple layers (such as QUIC). This work started in
+ 1.9 and will continue with 2.1.
+ + - the I/O, applets and tasks now share the same multi-threaded scheduler, + giving a much better responsiveness and fairness between all tasks as + is visible with the CLI which always responds instantly even under + extreme loads (started in 1.9) ; + + - the internal buffers were redesigned to ease zero-copy operations, so + that it is possible to sustain a high bandwidth even when forwarding + HTTP/1 to/from HTTP/2 (already in 1.9) ; + ------------------------------------------------------------------- Fri May 03 12:56:13 UTC 2019 - kgronlund@suse.com diff --git a/haproxy.spec b/haproxy.spec index 73bfac6..238e06d 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -47,7 +47,7 @@ %endif Name: haproxy -Version: 1.8.20~git0.6fb9fadc +Version: 2.0.1+git27.5db881ff Release: 0 # # @@ -122,12 +122,12 @@ the most work done from every CPU cycle. %prep %setup -q %patch1 -p1 -%patch2 -%patch3 +%patch2 -p1 +%patch3 -p1 %build make \ - TARGET=linux2628 \ + TARGET=linux-glibc \ CPU="%{_target_cpu}" \ USE_PCRE=1 \ %if %{with pcre_jit} @@ -180,14 +180,14 @@ ln -fs %{_sysconfdir}/init.d/%{pkg_name} %{buildroot}%{_sbindir}/rc%{pkg_name} %endif install -d -m 0750 %{buildroot}%{pkg_home} -install -D -m 0644 examples/haproxy.vim %{buildroot}%{vim_data_dir}/syntax/%{pkg_name}.vim +install -D -m 0644 contrib/syntax-highlight/haproxy.vim %{buildroot}%{vim_data_dir}/syntax/%{pkg_name}.vim install -D -m 0644 doc/%{pkg_name}.1 %{buildroot}%{_mandir}/man1/%{pkg_name}.1 %if %{with apparmor} install -D -m 0644 %{S:2} %{buildroot}/etc/apparmor.d/usr.sbin.haproxy install -D -m 0644 %{S:3} %{buildroot}/etc/apparmor.d/local/usr.sbin.haproxy %endif -rm examples/haproxy.spec examples/*init* examples/haproxy.vim +rm examples/*init* %pre getent group %{pkg_name} >/dev/null || /usr/sbin/groupadd -r %{pkg_name} diff --git a/usr.sbin.haproxy.apparmor b/usr.sbin.haproxy.apparmor index 1153819..3e3ee27 100644 --- a/usr.sbin.haproxy.apparmor +++ b/usr.sbin.haproxy.apparmor 
@@ -26,6 +26,7 @@ /var/lib/haproxy/stats.*.bak rwl, /var/lib/haproxy/stats.*.tmp rwl, /{,var/}run/haproxy.pid rw, + /{,var/}run/haproxy-master.sock* rwlk, # Site-specific additions and overrides. See local/README for details. #include
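Review bot: The added rule `/{,var/}run/haproxy-master.sock* rwlk,` ends in an open `*`, so it grants read, write, link and lock on every entry directly under /run or /var/run whose name merely starts with `haproxy-master.sock`. That is wider than the stats socket rules just above it, which spell out the `.*.bak` and `.*.tmp` suffixes. If the master socket uses the same temporary-name-then-rename pattern (inferred from those neighbouring rules, not shown on this page), I would mirror them with `/{,var/}run/haproxy-master.sock rw,` and `/{,var/}run/haproxy-master.sock.*.{bak,tmp} rwl,`. No other rule in the hunk uses the `k` permission, so it should be dropped unless an AppArmor denial in the audit log shows the lock is needed. A one-line comment saying this is the master-worker CLI socket and must match the path configured for the service would tell the next reviewer why the rule exists.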