Hello community,
here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2014-06-25 15:24:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haproxy (Old)
and /work/SRC/openSUSE:Factory/.haproxy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy"
Changes:
--------
--- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2014-05-23 07:27:53.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2014-06-25 15:24:39.000000000 +0200
@@ -1,0 +2,123 @@
+Tue Jun 24 15:55:48 UTC 2014 - mrueckert@suse.de
+
+- install the vim file into the versioned directory and dont cover
+ the current symlink with a directory
+
+-------------------------------------------------------------------
+Tue Jun 24 13:00:39 UTC 2014 - mrueckert@suse.de
+
+- add Requires to vim to make the ownership of the vim directory
+ clear and not break any symlink handling the vim package might
+ use.
+
+-------------------------------------------------------------------
+Tue Jun 24 12:23:55 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.1
+ - BUG/MINOR: config: http-request replace-header arg typo
+ - BUG/MINOR: ssl: rejects OCSP response without nextupdate.
+ - BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses.
+ - BUG/MINOR: ssl: Fix OCSP resp update fails with the same
+ certificate configured twice. (cherry picked from commit
+ 1d3865b096b43b9a6d6a564ffb424ffa6f1ef79f)
+ - BUG/MEDIUM: Consistently use 'check' in process_chk
+ - BUG/MAJOR: session: revert all the crappy client-side timeout
+ changes
+ - BUG/MINOR: logs: properly initialize and count log sockets
+- drop haproxy-1.5.0_consistently_use_check.patch:
+ included upstream
+
+-------------------------------------------------------------------
+Tue Jun 24 09:51:25 UTC 2014 - kgronlund@suse.com
+
+- Install vim file to a more appropriate location
+
+-------------------------------------------------------------------
+Mon Jun 23 09:19:04 UTC 2014 - kgronlund@suse.com
+
+- added pre macro for systemd service file
+
+-------------------------------------------------------------------
+Mon Jun 23 08:28:06 UTC 2014 - kgronlund@suse.com
+
+- Use better systemd detection consistently
+
+-------------------------------------------------------------------
+Sun Jun 22 19:48:11 UTC 2014 - mrueckert@suse.de
+
+- pull commit 9ac7cabaf9945fb92c96cb92f5ea85235f54f7d6:
+ Consistently use 'check' in process_chk
+ I am not entirely sure that this is a bug, but it seems
+ to me that it may cause a problem if there agent-check is
+ configured and there is some kind of error making a connection
+ for it.
+ adds patch haproxy-1.5.0_consistently_use_check.patch
+
+-------------------------------------------------------------------
+Fri Jun 20 14:37:21 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.0
+ For people who don't follow the development versions, 1.5 expands
+ 1.4 with many new features and performance improvements,
+ including native SSL support on both sides with SNI/NPN/ALPN and
+ OCSP stapling, IPv6 and UNIX sockets are supported everywhere,
+ full HTTP keep-alive for better support of NTLM and improved
+ efficiency in static farms, HTTP/1.1 compression (deflate, gzip)
+ to save bandwidth, PROXY protocol versions 1 and 2 on both sides,
+ data sampling on everything in request or response, including
+ payload, ACLs can use any matching method with any input sample
+ maps and dynamic ACLs updatable from the CLI stick-tables support
+ counters to track activity on any input sample custom format for
+ logs, unique-id, header rewriting, and redirects, improved health
+ checks (SSL, scripted TCP, check agent, ...), much more scalable
+ configuration supports hundreds of thousands of backends and
+ certificates without sweating.
+
+ For all the details see /usr/share/doc/packages/haproxy/CHANGELOG
+
+- enable tcp fast open if the kernel is recent enough
+- enable PCRE JIT if PCRE is recent enough
+- enable openssl support!
+ - haproxy can finally terminate ssl itself and also talk SSL to
+ the backend servers.
+ - including SNI/NPN/ALPN support.
+ new buildrequires openssl and pkgconfig
+- enable deflate support
+ new buildrequires zlib-devel
+- enable transparent proxy support
+- enable usage of accept4. reduces the syscall amount.
+- enable building and installing of halog
+- install vim file into the correct place
+- dropped patches:
+ 0001-MEDIUM-add-systemd-service.patch
+ 0002-MEDIUM-add-haproxy-systemd-wrapper.patch
+ 0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch
+ 0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch
+ 0005-BUILD-stdbool-is-not-portable-again.patch
+ 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch
+ 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch
+ 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch
+ 0009-openSUSE-Configure-haproxy-user.patch
+ 0010-openSUSE-Fix-path-to-PCRE-library.patch
+ 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch
+ 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch
+ 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch
+ 0014-MINOR-systemd-wrapper-improve-logging.patch
+ 0015-MINOR-systemd-wrapper-propagate-exit-status.patch
+- added haproxy-1.2.16_config_haproxy_user.patch:
+ (replaces 0009-openSUSE-Configure-haproxy-user.patch)
+- added haproxy-1.5_check_config_before_start.patch:
+ systemd allows us to run other things before we start the final
+ daemon. use this to check the configuration before launching.
+- added haproxy-makefile_lib.patch
+ (replaces 0010-openSUSE-Fix-path-to-PCRE-library.patch)
+- added sec-options.patch:
+ allow it more easily to build haproxy with PIE, stackprotector
+ and relro. all those options are enabled on our build.
+- added apparmor profile
+ usr.sbin.haproxy.apparmor
+ local.usr.sbin.haproxy.apparmor
+- change the conditionals for systemd to use bcond_with to make it
+ more obvious what we are guarding.
+
+-------------------------------------------------------------------
Old:
----
0001-MEDIUM-add-systemd-service.patch
0002-MEDIUM-add-haproxy-systemd-wrapper.patch
0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch
0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch
0005-BUILD-stdbool-is-not-portable-again.patch
0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch
0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch
0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch
0009-openSUSE-Configure-haproxy-user.patch
0010-openSUSE-Fix-path-to-PCRE-library.patch
0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch
0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch
0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch
0014-MINOR-systemd-wrapper-improve-logging.patch
0015-MINOR-systemd-wrapper-propagate-exit-status.patch
haproxy-1.4.25.tar.gz
New:
----
haproxy-1.2.16_config_haproxy_user.patch
haproxy-1.5.1.tar.gz
haproxy-1.5_check_config_before_start.patch
haproxy-makefile_lib.patch
local.usr.sbin.haproxy.apparmor
sec-options.patch
usr.sbin.haproxy.apparmor
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ haproxy.spec ++++++
--- /var/tmp/diff_new_pack.zG62nH/_old 2014-06-25 15:24:40.000000000 +0200
+++ /var/tmp/diff_new_pack.zG62nH/_new 2014-06-25 15:24:40.000000000 +0200
@@ -13,59 +13,54 @@
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
-#
+%if 0%{?suse_version} >= 1230
+%bcond_without tcp_fast_open
+%else
+%bcond_with tcp_fast_open
+%endif
+%if 0%{?suse_version} >= 1310
+%bcond_without systemd
+%else
+%bcond_with systemd
+%endif
+
+%if 0%{?suse_version} > 1140
+%bcond_without pcre_jit
+%else
+%bcond_with pcre_jit
+%endif
+%bcond_without apparmor
Name: haproxy
-Version: 1.4.25
+Version: 1.5.1
Release: 0
#
#
-%if 0%{?suse_version} >= 1230
-BuildRequires: pkgconfig(systemd)
-%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: libgcrypt-devel
BuildRequires: pcre-devel
+BuildRequires: zlib-devel
+BuildRequires: openssl-devel
+BuildRequires: pkg-config
BuildRequires: udev
+%if %{with systemd}
+BuildRequires: pkgconfig(systemd)
+%endif
+BuildRequires: vim
%define pkg_name haproxy
%define pkg_home /var/lib/%{pkg_name}
#
Url: http://haproxy.1wt.eu/
-Source: http://haproxy.1wt.eu/download/1.4/src/haproxy-%{version}.tar.gz
+Source: http://haproxy.1wt.eu/download/1.5/src/haproxy-%{version}.tar.gz
Source1: %{pkg_name}.init
Source2: http://haproxy.1wt.eu/download/contrib/haproxy.vim
-# PATCH-FEATURE-UPSTREAM
-Patch1: 0001-MEDIUM-add-systemd-service.patch
-# PATCH-FEATURE-UPSTREAM
-Patch2: 0002-MEDIUM-add-haproxy-systemd-wrapper.patch
-# PATCH-FIX-UPSTREAM
-Patch3: 0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch
-# PATCH-FIX-UPSTREAM
-Patch4: 0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch
-# PATCH-FIX-UPSTREAM
-Patch5: 0005-BUILD-stdbool-is-not-portable-again.patch
-# PATCH-FIX-UPSTREAM
-Patch6: 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch
-# PATCH-FIX-UPSTREAM
-Patch7: 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch
-# PATCH-FIX-UPSTREAM
-Patch8: 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch
-# PATCH-FIX-OPENSUSE
-Patch9: 0009-openSUSE-Configure-haproxy-user.patch
-# PATCH-FIX-OPENSUSE
-Patch10: 0010-openSUSE-Fix-path-to-PCRE-library.patch
-# PATCH-FIX-UPSTREAM
-Patch11: 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch
-# PATCH-FIX-UPSTREAM
-Patch12: 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch
-# PATCH-FIX-UPSTREAM
-Patch13: 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch
-# PATCH-FIX-UPSTREAM
-Patch14: 0014-MINOR-systemd-wrapper-improve-logging.patch
-# PATCH-FIX-UPSTREAM
-Patch15: 0015-MINOR-systemd-wrapper-propagate-exit-status.patch
-
+Source3: usr.sbin.haproxy.apparmor
+Source4: local.usr.sbin.haproxy.apparmor
+Patch1: haproxy-1.2.16_config_haproxy_user.patch
+Patch2: haproxy-makefile_lib.patch
+Patch3: sec-options.patch
+Patch4: haproxy-1.5_check_config_before_start.patch
Source99: haproxy-rpmlintrc
#
Summary: The Reliable, High Performance TCP/HTTP Load Balancer
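Review bot: The updated `Source:` line (and the unchanged `Source2:`) fetches over plain `http://`, and no checksum or detached signature for the new 1.5.1 tarball is listed among the sources, so nothing visible in this spec ties `haproxy-%{version}.tar.gz` to what upstream published. If upstream offers a checksum or signature file, carry it as an additional `SourceN:` entry and verify it in `%prep`, and use `https://` where the download host supports it. The fifteen dropped patches each carried a `# PATCH-FIX-UPSTREAM` or `# PATCH-FIX-OPENSUSE` tag, while the new `Patch1`–`Patch4` lines have none; a one-line tag comment above each would record which are distribution-only.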
@@ -73,10 +68,14 @@
Group: Productivity/Networking/Web/Proxy
Provides: %{name}-doc = %{version}
Obsoletes: %{name}-doc < %{version}
-
-%if 0%{?suse_version} >= 1230
+Provides: haproxy-1.5 = %{version}
+Obsoletes: haproxy-1.5 < %{version}
+# this requires is not strictly needed. we only need it for the ownership of the vim data dir
+Requires: vim
+%if %{with systemd}
%{?systemd_requires}
%endif
+%{!?vim_data_dir:%global vim_data_dir /usr/share/vim/%(readlink /usr/share/vim/current)}
%description
HAProxy implements an event-driven, mono-process model which enables support
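Review bot: `Requires: vim` makes every installation of the load balancer pull in an editor only so that a syntax file has an owned directory, which the comment above it already concedes is not strictly needed. On proxy hosts that are kept minimal this widens the installed footprint; shipping `haproxy.vim` in a small subpackage, or owning the directory here, would avoid the hard dependency. Separately, `%(readlink /usr/share/vim/current)` is evaluated in the build environment, so if the symlink is missing it expands to nothing and `vim_data_dir` becomes `/usr/share/vim/`. The versioned path is also fixed at build time and may go stale after a vim update.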
@@ -91,40 +90,54 @@
%prep
%setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
+%patch1
+%patch2
+%patch3
%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
%build
%{__make} \
TARGET=linux26 \
CPU="%{_target_cpu}" \
USE_PCRE=1 \
+ %if %{with pcre_jit}
+ USE_PCRE_JIT=1 \
+ %endif
USE_LIBCRYPT=1 \
+ USE_OPENSSL=1 \
+ USE_ZLIB=1 \
+ USE_NETFILTER=1 \
+ %ifarch %ix86
+ USE_REGPARM=1 \
+ %endif
+ USE_TPROXY=1 \
+ USE_LINUX_TPROXY=1 \
+ USE_LINUX_SPLICE=1 \
+ USE_ACCEPT4=1 \
+ USE_CPU_AFFINITY=1 \
+ USE_GETADDRINFO=1 \
+ USE_GETSOCKNAME=1 \
+ USE_PIE=1 \
+ USE_STACKPROTECTOR=1 \
+ USE_RELRO_NOW=1 \
+%if %{with tcp_fast_open}
+ USE_TFO=1 \
+%endif
LIB="%{_lib}" \
- DEBUG="%{optflags} -fno-strict-aliasing"
-
-%{__make} PREFIX="%{_prefix}" -C contrib/systemd
+ PREFIX="%{_prefix}" \
+ DEBUG_CFLAGS="%{optflags}"
+make -C contrib/systemd PREFIX="%{_prefix}"
+make -C contrib/halog PREFIX="%{_prefix}" \
+ DEFINE="%{optflags} -pie -fpie -fstack-protector -Wl,-z,relro,-z,now"
%install
%{__install} -D -m 0755 %{pkg_name} %{buildroot}%{_sbindir}/%{pkg_name}
%{__install} -D -m 0644 examples/%{pkg_name}.cfg %{buildroot}%{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg
-%if 0%{?suse_version} >= 1230
+%{__install} -D -m 0755 contrib/halog/halog %{buildroot}%{_sbindir}/haproxy-halog
+%if %{with systemd}
%{__install} -D -m 0755 haproxy-systemd-wrapper %{buildroot}%{_sbindir}/haproxy-systemd-wrapper
-%{__install} -D -m 0755 contrib/systemd/%{pkg_name}.service %{buildroot}%{_unitdir}/%{pkg_name}.service
+%{__install} -D -m 0644 contrib/systemd/%{pkg_name}.service %{buildroot}%{_unitdir}/%{pkg_name}.service
ln -sf /sbin/service %{buildroot}%{_sbindir}/rc%{pkg_name}
%else
%{__install} -D -m 0755 %{S:1} %{buildroot}%{_sysconfdir}/init.d/%{pkg_name}
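Review bot: The `make -C contrib/halog` line repeats the hardening flags by hand inside `DEFINE=` instead of using the `USE_PIE`/`USE_STACKPROTECTOR`/`USE_RELRO_NOW` switches applied to the main binary, and it puts linker options (`-pie`, `-Wl,-z,relro,-z,now`) into what looks like a compile-time variable. Whether those options reach the link step depends on contrib/halog/Makefile, which is not part of this hunk, so `haproxy-halog` may end up without PIE or full RELRO even though the spec suggests otherwise. A comment such as `# halog has no USE_* switches; confirm PIE/RELRO on the installed binary`, backed by a check of the built file in `%check`, would keep the two in step. The `%if … %else` block at the end of this hunk continues outside it.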
@@ -132,9 +145,14 @@
%endif
%{__install} -d -m 0755 %{buildroot}%{pkg_home}
-%{__install} -D -m 0644 %{S:2} %{buildroot}%{_datadir}/%{pkg_name}/%{pkg_name}.vim
+%{__install} -D -m 0644 %{S:2} %{buildroot}%{vim_data_dir}/syntax/%{pkg_name}.vim
%{__install} -D -m 0644 doc/%{pkg_name}.1 %{buildroot}%{_mandir}/man1/%{pkg_name}.1
-gzip %{buildroot}%{_mandir}/man1/%{pkg_name}.1
+%if %{with apparmor}
+%{__install} -D -m 0644 %{S:3} %{buildroot}/etc/apparmor.d/usr.sbin.haproxy
+%{__install} -D -m 0644 %{S:4} %{buildroot}/etc/apparmor.d/local/usr.sbin.haproxy
+%endif
+
+%{__rm} examples/haproxy.spec
%if 0%{?suse_version} < 1230
%clean
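Review bot: The two AppArmor files are installed under `/etc/apparmor.d`, but nothing visible in this diff loads or reloads the profile after installation, so on a running system haproxy may stay unconfined until AppArmor is next restarted. If the scriptlets outside these hunks do not already handle it, `%post` should reload the profile, for example with `apparmor_parser -r /etc/apparmor.d/usr.sbin.haproxy` when AppArmor is enabled. The paths are also hard-coded as `/etc/...`, where the rest of `%install` uses `%{_sysconfdir}`.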
@@ -144,11 +162,9 @@
%pre
/usr/sbin/groupadd -r %{pkg_name} &>/dev/null ||:
/usr/sbin/useradd -g %{pkg_name} -s /bin/false -r -c "user for %{pkg_name}" -d %{pkg_home} %{pkg_name} &>/dev/null ||:
-%if 0%{?suse_version} >= 1230
- %service_add_pre %{pkg_name}.service
-%endif
-%if 0%{?suse_version} >= 1230
+%if %{with systemd}
+%service_add_pre %{pkg_name}.service
%post
%service_add_post %{pkg_name}.service
@@ -176,12 +192,11 @@
%files
%defattr(-,root,root,-)
%doc CHANGELOG README LICENSE
-%doc ROADMAP TODO doc/* examples
+%doc ROADMAP doc/* examples/
+%doc contrib/netsnmp-perl/ contrib/selinux/
%dir %{_sysconfdir}/%{pkg_name}
%config(noreplace) %{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg
-
-%if 0%{?suse_version} >= 1230
-
+%if %{with systemd}
%{_unitdir}/%{pkg_name}.service
%{_sbindir}/haproxy-systemd-wrapper
@@ -192,9 +207,16 @@
%endif
%{_sbindir}/haproxy
+%{_sbindir}/haproxy-halog
%{_sbindir}/rchaproxy
%{pkg_home}
-%doc %{_mandir}/man1/%{pkg_name}.1.gz
-%{_datadir}/%{pkg_name}
+%{_mandir}/man1/%{pkg_name}.1.gz
+%{vim_data_dir}/syntax/%{pkg_name}.vim
+%if %{with apparmor}
+%dir /etc/apparmor.d/
+%dir /etc/apparmor.d/local/
+%config(noreplace) /etc/apparmor.d/usr.sbin.haproxy
+%config(noreplace) /etc/apparmor.d/local/usr.sbin.haproxy
+%endif
%changelog
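Review bot: Marking the main profile as `%config(noreplace) /etc/apparmor.d/usr.sbin.haproxy` means a locally edited profile is never replaced on update, so later tightening or fixes to the shipped profile land in an `.rpmnew` file and are not enforced. Since `/etc/apparmor.d/local/usr.sbin.haproxy` exists for site changes, the main profile can be plain `%config`, leaving only the local file as `%config(noreplace)`. The `%dir /etc/apparmor.d/` and `%dir /etc/apparmor.d/local/` entries should also be checked against how the AppArmor packages own those directories.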
++++++ haproxy-1.2.16_config_haproxy_user.patch ++++++
Index: examples/examples.cfg
===================================================================
--- examples/examples.cfg.orig
+++ examples/examples.cfg
@@ -3,8 +3,8 @@
# log 127.0.0.1 local1
maxconn 4000
ulimit-n 8000
- uid 0
- gid 0
+ user haproxy
+ group haproxy
# chroot /tmp
# nbproc 2
# daemon
Index: examples/haproxy.cfg
===================================================================
--- examples/haproxy.cfg.orig
+++ examples/haproxy.cfg
@@ -5,9 +5,9 @@
log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 4096
- chroot /usr/share/haproxy
- uid 99
- gid 99
+ chroot /var/lib/haproxy
+ user haproxy
+ group haproxy
daemon
#debug
#quiet
++++++ haproxy-1.4.25.tar.gz -> haproxy-1.5.1.tar.gz ++++++
++++ 111784 lines of diff (skipped)
++++++ haproxy-1.5_check_config_before_start.patch ++++++
diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
index 1a3d2c0..9b3b72a 100644
--- a/contrib/systemd/haproxy.service.in
+++ b/contrib/systemd/haproxy.service.in
@@ -3,6 +3,7 @@ Description=HAProxy Load Balancer
After=network.target
[Service]
+ExecStartPre=@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID
Restart=always
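Review bot: The configuration check is added for start only; `ExecReload=/bin/kill -USR2 $MAINPID` still signals the wrapper without validating `/etc/haproxy/haproxy.cfg` first, so a reload with a broken file is not rejected up front. systemd runs multiple `ExecReload=` lines in order and stops at the first failure, so adding `ExecReload=@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q` ahead of the kill line gives reload the same guard. With `Restart=always`, a failing `ExecStartPre=` may also lead to repeated start attempts, so it is worth checking how the unit behaves with an invalid configuration.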
++++++ haproxy-makefile_lib.patch ++++++
Index: Makefile
===================================================================
--- Makefile.orig
+++ Makefile
@@ -567,7 +567,7 @@ ifneq ($(USE_PCRE)$(USE_STATIC_PCRE)$(US
PCREDIR := $(shell pcre-config --prefix 2>/dev/null || echo /usr/local)
ifneq ($(PCREDIR),)
PCRE_INC := $(PCREDIR)/include
-PCRE_LIB := $(PCREDIR)/lib
+PCRE_LIB := $(PCREDIR)/$(LIB)
endif
ifeq ($(USE_STATIC_PCRE),)
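Review bot: `PCRE_LIB := $(PCREDIR)/$(LIB)` depends on `LIB` being passed in, as the spec does with `LIB="%{_lib}"`; nothing in this hunk gives it a default. If `LIB` is empty the library path collapses to `$(PCREDIR)/`, and the link may then fail or pick up PCRE from an unintended directory. A default placed before this block, `LIB ?= lib`, keeps the previous behaviour for builds that do not set it. The surrounding `ifneq` block starts and ends outside the hunk.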
++++++ local.usr.sbin.haproxy.apparmor ++++++
# Site-specific additions and overrides for usr.sbin.haproxy.apparmor
++++++ sec-options.patch ++++++
Index: Makefile
===================================================================
--- Makefile.orig 2014-06-05 19:23:53.559663353 +0200
+++ Makefile 2014-06-05 19:29:01.679662808 +0200
@@ -594,6 +594,35 @@ OPTIONS_CFLAGS += -DUSE_TFO
BUILD_OPTIONS += $(call ignore_implicit,USE_TFO)
endif
+# PIE
+ifneq ($(USE_PIE),)
+OPTIONS_CFLAGS += -DUSE_PIE
+BUILD_OPTIONS += $(call ignore_implicit,USE_PIE)
+OPTIONS_LDFLAGS += -pie
+# still need to figure out how to express this conditional in the makefile
+# %ifarch s390 s390x %sparc
+# PIEFLAGS="-fPIE"
+# %else
+# PIEFLAGS="-fpie"
+# %endif
+# PIE_FLAGS.s390 = -fPIE
+# PIE_FLAGS.i386 = -fpie
+# SEC_FLAGS += $(PIE_FLAGS.$(ARCH))
+OPTIONS_CFLAGS += -fpie
+endif
+
+ifneq ($(USE_STACKPROTECTOR),)
+OPTIONS_CFLAGS += -DUSE_STACKPROTECTOR
+BUILD_OPTIONS += $(call ignore_implicit,USE_STACKPROTECTOR)
+OPTIONS_CFLAGS += -fstack-protector
+endif
+
+ifneq ($(USE_RELRO_NOW),)
+OPTIONS_CFLAGS += -DUSE_RELRO_NOW
+BUILD_OPTIONS += $(call ignore_implicit,USE_RELRO_NOW)
+OPTIONS_LDFLAGS += -Wl,-z,relro,-z,now
+endif
+
# This one can be changed to look for ebtree files in an external directory
EBTREE_DIR := ebtree
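Review bot: `OPTIONS_CFLAGS += -fpie` is applied on every architecture, while the commented-out block just above it records that s390, s390x and sparc need `-fPIE`. `-fPIE` is accepted on all of them, so `OPTIONS_CFLAGS += -fPIE` settles the open question and lets the commented spec-syntax lines be dropped from the Makefile. `-fstack-protector` instruments mainly functions with character buffers; where the compiler supports it, `-fstack-protector-strong` covers more functions. The `-DUSE_PIE`, `-DUSE_STACKPROTECTOR` and `-DUSE_RELRO_NOW` defines are presumably not read by any source file and could be left out.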
++++++ usr.sbin.haproxy.apparmor ++++++
#include