Hello community, here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2014-11-26 10:33:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/haproxy (Old) and /work/SRC/openSUSE:Factory/.haproxy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "haproxy" Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2014-11-11 09:59:45.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2014-11-26 10:33:31.000000000 +0100 @@ -1,0 +2,18 @@ +Thu Nov 20 06:56:23 UTC 2014 - kgronlund@suse.com + +- BUILD: fix "make install" to support spaces in the install dirs +- BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. +- BUG/MEDIUM: ssl: force a full GC in case of memory shortage +- BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks +- BUG/MINOR: config: don't inherit the default balance algorithm in frontends +- BUG/MAJOR: frontend: initialize capture pointers earlier + +- Add patches: + - 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch + - 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch + - 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch + - 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch + - 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch + - 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch + +------------------------------------------------------------------- New: ---- 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++ --- /var/tmp/diff_new_pack.oZunna/_old 2014-11-26 10:33:32.000000000 +0100 +++ /var/tmp/diff_new_pack.oZunna/_new 2014-11-26 10:33:32.000000000 +0100 @@ -61,6 +61,19 @@ Patch2: haproxy-makefile_lib.patch Patch3: sec-options.patch +# PATCH-FIX-UPSTREAM BUILD: fix "make install" to support spaces in the install dirs +Patch4: 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch +# PATCH-FIX-UPSTREAM BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. +Patch5: 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch +# PATCH-FIX-UPSTREAM BUG/MEDIUM: ssl: force a full GC in case of memory shortage +Patch6: 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch +# PATCH-FIX-UPSTREAM BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks +Patch7: 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch +# PATCH-FIX-UPSTREAM BUG/MINOR: config: don't inherit the default balance algorithm in frontends +Patch8: 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch +# PATCH-FIX-UPSTREAM BUG/MAJOR: frontend: initialize capture pointers earlier +Patch9: 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch + Source99: haproxy-rpmlintrc # Summary: The Reliable, High Performance TCP/HTTP Load Balancer @@ -94,6 +107,13 @@ %patch2 %patch3 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 + %build %{__make} \ TARGET=linux26 \ ++++++ 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch ++++++

From 184422d39df1aa27e6ef4c1ae75177489147ec99 Mon Sep 17 00:00:00 2001 From: Arcadiy Ivanov <arcadiy.ivanov@servicemesh.com> Date: Tue, 4 Nov 2014 07:06:13 -0500 Subject: [PATCH 1/6] BUILD: fix "make install" to support spaces in the install dirs

Makefile is unable to install into directories containing spaces. (cherry picked from commit 3785311e64792787de78370fa126fd806734f7fe) --- Makefile | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 707037b..9556069 100644 --- a/Makefile +++ b/Makefile @@ -710,19 +710,19 @@ src/dlmalloc.o: $(DLMALLOC_SRC) $(CC) $(COPTS) -DDEFAULT_MMAP_THRESHOLD=$(DLMALLOC_THRES) -c -o $@ $< install-man: - install -d $(DESTDIR)$(MANDIR)/man1 - install -m 644 doc/haproxy.1 $(DESTDIR)$(MANDIR)/man1 + install -d "$(DESTDIR)$(MANDIR)"/man1 + install -m 644 doc/haproxy.1 "$(DESTDIR)$(MANDIR)"/man1 install-doc: - install -d $(DESTDIR)$(DOCDIR) + install -d "$(DESTDIR)$(DOCDIR)" for x in configuration architecture haproxy-en haproxy-fr; do \ - install -m 644 doc/$$x.txt $(DESTDIR)$(DOCDIR) ; \ + install -m 644 doc/$$x.txt "$(DESTDIR)$(DOCDIR)" ; \ done install-bin: haproxy haproxy-systemd-wrapper - install -d $(DESTDIR)$(SBINDIR) - install haproxy $(DESTDIR)$(SBINDIR) - install haproxy-systemd-wrapper $(DESTDIR)$(SBINDIR) + install -d "$(DESTDIR)$(SBINDIR)" + install haproxy "$(DESTDIR)$(SBINDIR)" + install haproxy-systemd-wrapper "$(DESTDIR)$(SBINDIR)" install: install-bin install-man install-doc -- 2.1.3 ++++++ 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch ++++++

From 90951497008967f10ba8f9927b53c6e6bc138540 Mon Sep 17 00:00:00 2001 From: Emeric Brun <ebrun@haproxy.comw> Date: Wed, 12 Nov 2014 17:35:37 +0100 Subject: [PATCH 2/6] BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM.

Some SSL context's init functions errors were not handled and can cause a segfault due to an incomplete SSL context initialization. This fix must be backported to 1.5. (cherry picked from commit 5547615cdac377797ae351a2e024376dbf6d6963) --- src/ssl_sock.c | 52 ++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 38 insertions(+), 14 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index f8bfbe7..620609f 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2040,15 +2040,29 @@ static int ssl_sock_init(struct connection *conn) return -1; } + /* set fd on SSL session context */ + if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) { + SSL_free(conn->xprt_ctx); + conn->xprt_ctx = NULL; + conn->err_code = CO_ER_SSL_NO_MEM; + return -1; + } + + /* set connection pointer */ + if (!SSL_set_app_data(conn->xprt_ctx, conn)) { + SSL_free(conn->xprt_ctx); + conn->xprt_ctx = NULL; + conn->err_code = CO_ER_SSL_NO_MEM; + return -1; + } + SSL_set_connect_state(conn->xprt_ctx); - if (objt_server(conn->target)->ssl_ctx.reused_sess) - SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess); - - /* set fd on SSL session context */ - SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd); - - /* set connection pointer */ - SSL_set_app_data(conn->xprt_ctx, conn); + if (objt_server(conn->target)->ssl_ctx.reused_sess) { + if(!SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess)) { + SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess); + objt_server(conn->target)->ssl_ctx.reused_sess = NULL; + } + } /* leave init state and start handshake */ conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; @@ -2065,14 +2079,24 @@ static int ssl_sock_init(struct connection *conn) return -1; } + /* set fd on SSL session context */ + if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) { + SSL_free(conn->xprt_ctx); + conn->xprt_ctx = NULL; + conn->err_code = CO_ER_SSL_NO_MEM; + return -1; + } + + /* set connection pointer */ + if (!SSL_set_app_data(conn->xprt_ctx, conn)) { + SSL_free(conn->xprt_ctx); + conn->xprt_ctx = NULL; + conn->err_code = CO_ER_SSL_NO_MEM; + return -1; + } + SSL_set_accept_state(conn->xprt_ctx); - /* set fd on SSL session context */ - SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd); - - /* set connection pointer */ - SSL_set_app_data(conn->xprt_ctx, conn); - /* leave init state and start handshake */ conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; -- 2.1.3 ++++++ 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch ++++++

From 9bcc01ae25985dd540080f43b160beab1f1a2bc6 Mon Sep 17 00:00:00 2001 From: Willy Tarreau <w@1wt.eu> Date: Thu, 13 Nov 2014 13:48:58 +0100 Subject: [PATCH 3/6] BUG/MEDIUM: ssl: force a full GC in case of memory shortage

When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5. (cherry picked from commit fba03cdc5ac6e3ca318b34915596cbc0a0dacc55) --- src/ssl_sock.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 620609f..f50efe5 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2033,9 +2033,16 @@ static int ssl_sock_init(struct connection *conn) /* If it is in client mode initiate SSL session in connect state otherwise accept state */ if (objt_server(conn->target)) { + int may_retry = 1; + + retry_connect: /* Alloc a new SSL session ctx */ conn->xprt_ctx = SSL_new(objt_server(conn->target)->ssl_ctx.ctx); if (!conn->xprt_ctx) { + if (may_retry--) { + pool_gc2(); + goto retry_connect; + } conn->err_code = CO_ER_SSL_NO_MEM; return -1; } @@ -2044,6 +2051,10 @@ static int ssl_sock_init(struct connection *conn) if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) { SSL_free(conn->xprt_ctx); conn->xprt_ctx = NULL; + if (may_retry--) { + pool_gc2(); + goto retry_connect; + } conn->err_code = CO_ER_SSL_NO_MEM; return -1; } @@ -2052,6 +2063,10 @@ static int ssl_sock_init(struct connection *conn) if (!SSL_set_app_data(conn->xprt_ctx, conn)) { SSL_free(conn->xprt_ctx); conn->xprt_ctx = NULL; + if (may_retry--) { + pool_gc2(); + goto retry_connect; + } conn->err_code = CO_ER_SSL_NO_MEM; return -1; } @@ -2072,9 +2087,16 @@ static int ssl_sock_init(struct connection *conn) return 0; } else if (objt_listener(conn->target)) { + int may_retry = 1; + + retry_accept: /* Alloc a new SSL session ctx */ conn->xprt_ctx = SSL_new(objt_listener(conn->target)->bind_conf->default_ctx); if (!conn->xprt_ctx) { + if (may_retry--) { + pool_gc2(); + goto retry_accept; + } conn->err_code = CO_ER_SSL_NO_MEM; return -1; } @@ -2083,6 +2105,10 @@ static int ssl_sock_init(struct connection *conn) if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) { SSL_free(conn->xprt_ctx); conn->xprt_ctx = NULL; + if (may_retry--) { + pool_gc2(); + goto retry_accept; + } conn->err_code = CO_ER_SSL_NO_MEM; return -1; } @@ -2091,6 +2117,10 @@ static int ssl_sock_init(struct connection *conn) if (!SSL_set_app_data(conn->xprt_ctx, conn)) { SSL_free(conn->xprt_ctx); conn->xprt_ctx = NULL; + if (may_retry--) { + pool_gc2(); + goto retry_accept; + } conn->err_code = CO_ER_SSL_NO_MEM; return -1; } -- 2.1.3 ++++++ 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch ++++++

From 1f96a87c4e1412ccdc6cfe81bfd6f20a1782886a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr> Date: Sat, 15 Nov 2014 22:41:27 +0100 Subject: [PATCH 4/6] BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks

Lasse Birnbaum Jensen reported an issue when agent checks are used at the same time as standard healthchecks when SSL is enabled on the server side. The symptom is that agent checks try to communicate in SSL while it should manage raw data. This happens because the transport layer is shared between all kind of checks. To fix the issue, the transport layer is now stored in each check type, allowing to use SSL healthchecks when required, while an agent check should always use the raw_sock implementation. The fix must be backported to 1.5. (cherry picked from commit 9ce1311ebc834e20addc7a8392c0fc4e4ad687b7) --- include/types/checks.h | 3 ++- include/types/server.h | 1 - src/checks.c | 2 +- src/server.c | 2 +- src/ssl_sock.c | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/include/types/checks.h b/include/types/checks.h index a50043b..42b7b07 100644 --- a/include/types/checks.h +++ b/include/types/checks.h @@ -125,6 +125,7 @@ enum { }; struct check { + struct xprt_ops *xprt; /* transport layer operations for health checks */ struct connection *conn; /* connection state for health checks */ unsigned short port; /* the port to use for the health checks */ struct buffer *bi, *bo; /* input and output buffers to send/recv check */ @@ -132,7 +133,7 @@ struct check { struct timeval start; /* last health check start time */ long duration; /* time in ms took to finish last health check */ short status, code; /* check result, check code */ - char desc[HCHK_DESC_LEN]; /* health check descritpion */ + char desc[HCHK_DESC_LEN]; /* health check description */ int use_ssl; /* use SSL for health checks */ int send_proxy; /* send a PROXY protocol header with checks */ struct tcpcheck_rule *current_step; /* current step when using tcpcheck */ diff --git a/include/types/server.h b/include/types/server.h index 313f58d..c419b40 100644 --- a/include/types/server.h +++ b/include/types/server.h @@ -194,7 +194,6 @@ struct server { struct { /* configuration used by health-check and agent-check */ struct protocol *proto; /* server address protocol for health checks */ - struct xprt_ops *xprt; /* transport layer operations for health checks */ struct sockaddr_storage addr; /* the address to check, if different from <addr> */ } check_common; diff --git a/src/checks.c b/src/checks.c index 5318f35..84bf0e5 100644 --- a/src/checks.c +++ b/src/checks.c @@ -1413,7 +1413,7 @@ static int connect_chk(struct task *t) /* prepare a new connection */ conn_init(conn); - conn_prepare(conn, s->check_common.proto, s->check_common.xprt); + conn_prepare(conn, s->check_common.proto, check->xprt); conn_attach(conn, check, &check_conn_cb); conn->target = &s->obj_type; diff --git a/src/server.c b/src/server.c index fdb63cc..94a31b6 100644 --- a/src/server.c +++ b/src/server.c @@ -929,7 +929,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr newsrv->addr = *sk; newsrv->proto = newsrv->check_common.proto = protocol_by_family(newsrv->addr.ss_family); - newsrv->xprt = newsrv->check_common.xprt = &raw_sock; + newsrv->xprt = newsrv->check.xprt = newsrv->agent.xprt = &raw_sock; if (!newsrv->proto) { Alert("parsing [%s:%d] : Unknown protocol family %d '%s'\n", diff --git a/src/ssl_sock.c b/src/ssl_sock.c index f50efe5..b73d6f9 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1812,7 +1812,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy) if (srv->use_ssl) srv->xprt = &ssl_sock; if (srv->check.use_ssl) - srv->check_common.xprt = &ssl_sock; + srv->check.xprt = &ssl_sock; srv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method()); if (!srv->ssl_ctx.ctx) { -- 2.1.3 ++++++ 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch ++++++

From cac307c020db7a938b73d4fef27a3b4ad2ecdf6a Mon Sep 17 00:00:00 2001 From: Willy Tarreau <w@1wt.eu> Date: Tue, 18 Nov 2014 15:04:29 +0100 Subject: [PATCH 5/6] BUG/MINOR: config: don't inherit the default balance algorithm in frontends

Tom Limoncelli from Stack Exchange reported a minor bug : the frontend inherits the LB parameters from the defaults sections. The impact is that if a "balance" directive uses any L7 parameter in the defaults sections and the frontend is in TCP mode, a warning is emitted about their incompatibility. The warning is harmless but a valid, sane config should never cause any warning to be reported. This fix should be backported into 1.5 and possibly 1.4. (cherry picked from commit 743c128580ee29c8f073b4a29771a5ce715f3721) --- src/cfgparse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cfgparse.c b/src/cfgparse.c index 392a692..40d20ab 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -2003,7 +2003,6 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) curproxy->no_options = defproxy.no_options; curproxy->no_options2 = defproxy.no_options2; curproxy->bind_proc = defproxy.bind_proc; - curproxy->lbprm.algo = defproxy.lbprm.algo; curproxy->except_net = defproxy.except_net; curproxy->except_mask = defproxy.except_mask; curproxy->except_to = defproxy.except_to; @@ -2037,6 +2036,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) } if (curproxy->cap & PR_CAP_BE) { + curproxy->lbprm.algo = defproxy.lbprm.algo; curproxy->fullconn = defproxy.fullconn; curproxy->conn_retries = defproxy.conn_retries; curproxy->max_ka_queue = defproxy.max_ka_queue; -- 2.1.3 ++++++ 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch ++++++

From 8ba50128832bb31e95f06fe4cb2bd172f2b945fe Mon Sep 17 00:00:00 2001 From: Willy Tarreau <w@1wt.eu> Date: Tue, 18 Nov 2014 18:49:19 +0100 Subject: [PATCH 6/6] BUG/MAJOR: frontend: initialize capture pointers earlier

Denys Fedoryshchenko reported and diagnosed a nasty bug caused by TCP captures, introduced in late 1.5-dev by commit 18bf01e ("MEDIUM: tcp: add a new tcp-request capture directive"). The problem is that we're using the array of capture pointers initially designed for HTTP usage only, and that this array was only reset when starting to process an HTTP request. In a tcp-only frontend, the pointers are not reset, and if the capture pool is shared, we can very well point to whatever other memory location, resulting in random crashes when tcp-request content captures are processed. The fix simply consists in initializing these pointers when the pools are prepared. A workaround for existing versions consists in either disabling TCP captures in tcp-only frontends, or in forcing the frontends to work in HTTP mode. Thanks to Denys for the amount of testing and detailed reports. This fix must be backported to 1.5. (cherry picked from commit 9654e57fac86c773091b892f42015ba2ba56be5a) --- src/frontend.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/frontend.c b/src/frontend.c index 3f80774..2928047 100644 --- a/src/frontend.c +++ b/src/frontend.c @@ -106,11 +106,17 @@ int frontend_accept(struct session *s) if (global.tune.client_rcvbuf) setsockopt(cfd, SOL_SOCKET, SO_RCVBUF, &global.tune.client_rcvbuf, sizeof(global.tune.client_rcvbuf)); - if (unlikely(s->fe->nb_req_cap > 0 && (s->txn.req.cap = pool_alloc2(s->fe->req_cap_pool)) == NULL)) - goto out_return; /* no memory */ + if (unlikely(s->fe->nb_req_cap > 0)) { + if ((s->txn.req.cap = pool_alloc2(s->fe->req_cap_pool)) == NULL) + goto out_return; /* no memory */ + memset(s->txn.req.cap, 0, s->fe->nb_req_cap * sizeof(void *)); + } - if (unlikely(s->fe->nb_rsp_cap > 0 && (s->txn.rsp.cap = pool_alloc2(s->fe->rsp_cap_pool)) == NULL)) - goto out_free_reqcap; /* no memory */ + if (unlikely(s->fe->nb_rsp_cap > 0)) { + if ((s->txn.rsp.cap = pool_alloc2(s->fe->rsp_cap_pool)) == NULL) + goto out_free_reqcap; /* no memory */ + memset(s->txn.rsp.cap, 0, s->fe->nb_rsp_cap * sizeof(void *)); + } if (s->fe->http_needed) { /* we have to allocate header indexes only if we know -- 2.1.3 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org