Commit Graph

5945 Commits

Author SHA1 Message Date
Willy Tarreau
f13ebdf286 REORG: cli: move table dump/clear/set to stick_table.c
The table dump code was a horrible mess, with common parts interleaved
all the way to deal with the various actions (set/clear/show). A few
error messages were still incorrect, as the "set" operation did not
update them so they would still report "unknown action" (now fixed).

The action was now passed as a private argument to the CLI keyword
which itself is copied into the appctx private field. It's just an
int cast to a pointer.

Some minor issues were noticed while doing this, for example when dumping
an entry by key, if the key doesn't exist, nothing is printed, not even
the table's header. It's unclear whether this was intentional but it
doesn't really match what is done for data-based dumps. It was left
unchanged for now so that a later fix can be backported if needed.

Enum entries STAT_CLI_O_TAB, STAT_CLI_O_CLR and STAT_CLI_O_SET were
removed.
2016-11-24 16:59:28 +01:00
Willy Tarreau
97c2ae13bc REORG: cli: move dump_text(), dump_text_line(), and dump_binary() to standard.c
These are general purpose functions, move them away.
2016-11-24 16:59:27 +01:00
Willy Tarreau
0baac8cf1f REORG: cli: move "show info" to stats.c
Move the "show info" command to stats.c using the CLI keyword API
to register it on the CLI. The stats_dump_info_to_buffer() function
is now static again. Note, we don't need proto_ssl anymore in cli.c.
2016-11-24 16:59:27 +01:00
Willy Tarreau
2b812e29f6 REORG: cli: move "show stat" to stats.c
Move the "show stat" command to stats.c using the CLI keyword API
to register it on the CLI. The stats_dump_stat_to_buffer() function
is now static again.
2016-11-24 16:59:27 +01:00
William Lallemand
6b16094355 REORG: cli: move get/set weight to server.c
Move get/set weight CLI functions to server.c and use the cli keyword API
to register it on the CLI.
2016-11-24 16:59:27 +01:00
William Lallemand
933efcd01a REORG: cli: move 'show backend' to proxy.c
Move 'show backend' CLI functions to proxy.c and use the cli keyword API
to register it on the CLI.
2016-11-24 16:59:27 +01:00
William Lallemand
4c5b4d531c REORG: cli: move 'show sess' to stream.c
Move 'show sess' CLI functions to stream.c and use the cli keyword API
to register it on the CLI.

[wt: the choice of stream vs session makes sense because since 1.6 these
 really are streams that we're dumping and not sessions anymore]
2016-11-24 16:59:27 +01:00
William Lallemand
a6c5f3372d REORG: cli: move 'show servers' to proxy.c
Move 'show servers' CLI functions to proxy.c and use the cli keyword
API to register it on the CLI.
2016-11-24 16:59:27 +01:00
William Lallemand
e7ed8855de REORG: cli: move 'show pools' to memory.c
Move 'show pools' CLI functions to memory.c and use the cli keyword
API to register it on the CLI.
2016-11-24 16:59:27 +01:00
William Lallemand
222baf20da REORG: cli: move 'set server' to server.c
Move 'set server' CLI functions to server.c and use the cli keyword API
to register it on the CLI.
2016-11-24 16:59:27 +01:00
Willy Tarreau
960f2cb056 MINOR: proxy: create new function cli_find_frontend() to find a frontend
Several CLI commands require a frontend, so let's have a function to
look this one up and prepare the appropriate error message and the
appctx's state in case of failure.
2016-11-24 16:59:27 +01:00
Willy Tarreau
21b069dca8 MINOR: server: create new function cli_find_server() to find a server
Several CLI commands require a server, so let's have a function to
look this one up and prepare the appropriate error message and the
appctx's state in case of failure.
2016-11-24 16:59:27 +01:00
Willy Tarreau
de57a578ba MINOR: cli: create new function cli_has_level() to validate permissions
This function is used to check that the CLI features the appropriate
level of permissions or to prepare the adequate error message.
2016-11-24 16:59:27 +01:00
William Lallemand
69e9644e35 REORG: cli: move show stat resolvers to dns.c
Move dns CLI functions to dns.c and use the cli keyword API to register
actions on the CLI.
2016-11-24 16:59:27 +01:00
William Lallemand
ad8be61c7e REORG: cli: move map and acl code to map.c
Move map and acl CLI functions to map.c and use the cli keyword API to
register actions on the CLI. Then remove the now unused individual
"add" and "del" keywords.
2016-11-24 16:59:27 +01:00
William Lallemand
32af203b75 REORG: cli: move ssl CLI functions to ssl_sock.c
Move ssl CLI functions to ssl_sock.c and use the cli keyword API to
register ssl actions on the CLI.
2016-11-24 16:59:27 +01:00
William Lallemand
9ed6203aef REORG: cli: split dumpstats.h in stats.h and cli.h
proto/dumpstats.h has been split in 4 files:

  * proto/cli.h  contains protypes for the CLI
  * proto/stats.h contains prototypes for the stats
  * types/cli.h contains definition for the CLI
  * types/stats.h contains definition for the stats
2016-11-24 16:59:27 +01:00
William Lallemand
74c24fb071 REORG: cli: split dumpstats.c in src/cli.c and src/stats.c
dumpstats.c was containing either the stats code and the CLI code.
The cli code has been moved to cli.c and the stats code to stats.c
2016-11-24 16:59:27 +01:00
Willy Tarreau
8e0bb0ae16 MINOR: connection: add names for transport and data layers
This makes debugging easier and avoids having to put ugly checks
against certain well-known internal struct pointers.
2016-11-24 16:58:12 +01:00
Willy Tarreau
2dc770c641 MINOR: connection: add a few functions to report the data and xprt layers' names
These functions will be needed by "show sess" on the CLI, let's make them
globally available. It's important to note that due to the fact that we
still do not set the data and transport layers' names in the structures,
we still have to rely on some exports just to match the pointers. This is
ugly but is preferable to adding many includes since the short-term goal
is to get rid of these tests by having proper names in place.
2016-11-24 16:49:40 +01:00
Willy Tarreau
2b5e6315a3 BUG/MINOR: cli: wake up the CLI's task after a timeout update
When the CLI's timeout is reduced, nothing was done to take the task
up to update it. In the past it used to run inside process_stream()
so it used to be refreshed. This is not the case anymore since we have
the appctx so the task needs to be woken up in order to recompute the
new expiration date.

This fix needs to be backported to 1.6.
2016-11-24 15:35:16 +01:00
Willy Tarreau
74a5a9828b BUG/MINOR: cli: dequeue from the proxy when changing a maxconn
The "set maxconn frontend" statement on the CLI tries to dequeue possibly
pending requests, but due to a copy-paste error, they're dequeued on the
CLI's frontend instead of the one being changed.

The impact is very minor as it only means that possibly pending connections
will still have to wait for a previous one to complete before being accepted
when a limit is raised.

This fix has to be backported to 1.6 and 1.5.
2016-11-24 15:34:34 +01:00
Willy Tarreau
578fa0259f BUG/MINOR: cli: fix pointer size when reporting data/transport layer name
In dumpstats.c we have get_conn_xprt_name() and get_conn_data_name() to
report the name of the data and transport layers used on a connection.
But when the name is not known, its pointer is reported instead. But the
static char used to report the pointer is too small as it doesn't leave
room for '0x'. Fortunately all subsystems are known so we never trigger
this case.

This fix needs to be backported to 1.6 and 1.5.
2016-11-24 15:21:26 +01:00
David Carlier
327298c215 BUILD: fix build on Solaris 10/11
uint16_t instead of u_int16_t
None ISO fields of struct tm are not present, but
by zeroyfing it, on GNU and BSD systems tm_gmtoff
field will be set.

[wt: moved the memset into each of the date functions]
2016-11-22 12:04:19 +01:00
Willy Tarreau
0034cd9e0a BUILD: contrib: fix ip6range build on Centos 7
Jarno Huuskonen reported that ip6range doesn't build anymore on
Centos 7 (and possibly other distros) due to "in6_u" not being known.
Using s6_addr32 instead of in6_u.u6_addr32 apparently works fine, and
it's also what the Lua code uses so it should be OK.

This patch may be backported to 1.6.
2016-11-22 11:50:51 +01:00
Simon Horman
1084a3631f MINOR: stats: correct documentation of process ID for typed output
The process ID appears at the end of the first column rather than
the line.
2016-11-21 22:54:00 +01:00
Christopher Faulet
985532d1d8 MINOR: spoe: Add "option set-on-error" statement
It defines the variable to set when an error occurred during an event
processing. It will only be set when an error occurred in the scope of the
transaction. As for all other variables define by the SPOE, it will be
prefixed. So, if your variable name is "error" and your prefix is "my_spoe_pfx",
the variable will be "txn.my_spoe_pfx.error".

When set, the variable is the boolean "true". Note that if "option
continue-on-error" is set, the variable is not automatically removed between
events processing.
2016-11-21 15:29:59 +01:00
Christopher Faulet
4802672274 MINOR: spoe: Add "maxconnrate" and "maxerrrate" statements
"maxconnrate" is the maximum number of connections per second. The SPOE will
stop to open new connections if the maximum is reached and will wait to acquire
an existing one.

"maxerrrate" is the maximum number of errors per second. The SPOE will stop its
processing if the maximum is reached.

These options replace hardcoded macros MAX_NEW_SPOE_APPLETS and
MAX_NEW_SPOE_APPLET_ERRS. We use it to limit SPOE activity, especially when
servers are down..
2016-11-21 15:29:59 +01:00
Christopher Faulet
ea62c2a345 MINOR: spoe: Add 'option continue-on-error' statement in spoe-agent section
By default, for a specific stream, when an abnormal/unexpected error occurs, the
SPOE is disabled for all the transaction. So if you have several events
configured, such error on an event will disabled all followings. For TCP
streams, this will disable the SPOE for the whole session. For HTTP streams,
this will disable it for the transaction (request and response).

To bypass this behaviour, you can set 'continue-on-error' option in 'spoe-agent'
section. With this option, only the current event will be ignored.
2016-11-21 15:29:59 +01:00
Christopher Faulet
03a3449e1a MINOR: spoe: Remove useless 'timeout ack' option
To limit the time to process an event, you should set 'timeout processing'
option. So 'timeout ack' option is redundant and useless.
2016-11-21 15:29:59 +01:00
Christopher Faulet
f7a3092512 MINOR: spoe: Add 'timeout processing' option to limit time to process an event
It is a way to set the maximum time to wait for a stream to process an event,
i.e to acquire a stream to talk with an agent, to encode all messages, to send
the NOTIFY frame, to receive the corrsponding acknowledgement and to process all
actions. It is applied on the stream that handle the client and the server
sessions.
2016-11-21 15:29:59 +01:00
Christopher Faulet
a00d817aba MINOR: filters: Add check_timeouts callback to handle timers expiration on streams
A filter can now be notified when a stream is woken up because of an expired
timer.

The documentation and the TRACE filter have been updated.
2016-11-21 15:29:58 +01:00
Thierry FOURNIER / OZON.IO
8dc7316a6f BUG/MEDIUM: lua: In some case, the return of sample-fetche is ignored
When:

 - A Lua action return data and close the channel. The request status
   is set to HTTP_MSG_CLOSED for the request and HTTP_MSG_DONE for the
   response.

 - HAProxy sets the state HTTP_MSG_ERROR. I don't known why, because
   there are many line which sets this state.

 - A Lua sample-fetch is executed, typically for building the log
   line.

 - When the Lua sample fetch exits, a control of the data is
   executed. If HAProxy is currently parsing the request, the request
   is aborted in order to prevent a segfault or sending corrupted
   data.

This ast control is executed comparing the state HTTP_MSG_BODY. When
this state is reached, the request is parsed and no error are
possible. When the state is < than HTTP_MSG_BODY, the parser is
running.

Unfortunately, the code HTTP_MSG_ERROR is just < HTTP_MSG_BODY. When
we are in error, we want to terminate the execution of Lua without
error.

This patch changes the comparaison level.

This patch must be backported in 1.6
2016-11-19 00:29:19 +01:00
Willy Tarreau
2fe1b92163 BUG/MINOR: cli: properly decrement ref count on tables during failed dumps
Gernot Prner reported some constant leak of ref counts for stick tables
entries. It happens that this leak was not at all in the regular traffic
path but on the "show table" path. An extra ref count was taken during
the dump if the output had to be paused, and it was released upon clean
termination or an error detected in the I/O handler. But the release
handler didn't do it, while it used to properly do it for the sessions
dump.

This fix needs to be backported to 1.6.
2016-11-18 19:20:09 +01:00
Willy Tarreau
5179146fa3 BUG/MEDIUM: stick-table: fix regression caused by recent fix for out-of-memory
Commit ef8f4fe ("BUG/MINOR: stick-table: handle out-of-memory condition
gracefully") unfortunately got trapped by a pointer operation. Replacing

    ts = poll_alloc() + size;

with :

    ts = poll_alloc();
    ts += size;

Doesn't give the same result because pool_alloc() is void while ts is a
struct stksess*. So now we don't access the same places, which is visible
in certain stick-table scenarios causing a crash.

This must be backported to 1.6 and 1.5.
2016-11-18 18:21:39 +01:00
Willy Tarreau
733b1327a6 DEBUG: connection: mark the closed FDs with a value that is easier to detect
Setting an FD to -1 when closed isn't the most easily noticeable thing
to do when we're chasing accidental reuse of a stale file descriptor.
Instead set it to that large a negative value that it will overflow the
fdtab and provide an analysable core at the moment the issue happens.
Care was taken to ensure it doesn't overflow nor change sign on 32-bit
machines when multiplied by fdtab, and that it also remains negative for
the various checks that exist. The value equals 0xFDDEADFD which happens
to be easily spotted in a debugger.
2016-11-18 15:00:42 +01:00
Willy Tarreau
350135cf49 BUG/MEDIUM: connection: check the control layer before stopping polling
The bug described in commit 568743a ("BUG/MEDIUM: stream-int: completely
detach connection on connect error") was not a stream-interface layer bug
but a connection layer bug. There was exactly one place in the code where
we could change a file descriptor's status without first checking whether
it is valid or not, it was in conn_stop_polling(). This one is called when
the polling status is changed after an update, and calls fd_stop_both even
if we had already closed the file descriptor :

1479388298.484240 ->->->->->   conn_fd_handler > conn_cond_update_polling
1479388298.484240 ->->->->->->   conn_cond_update_polling > conn_stop_polling
1479388298.484241 ->->->->->->->   conn_stop_polling > conn_ctrl_ready
1479388298.484241                  conn_stop_polling < conn_ctrl_ready
1479388298.484241 ->->->->->->->   conn_stop_polling > fd_stop_both
1479388298.484242 ->->->->->->->->   fd_stop_both > fd_update_cache
1479388298.484242 ->->->->->->->->->   fd_update_cache > fd_release_cache_entry
1479388298.484242                      fd_update_cache < fd_release_cache_entry
1479388298.484243                    fd_stop_both < fd_update_cache
1479388298.484243                  conn_stop_polling < fd_stop_both
1479388298.484243                conn_cond_update_polling < conn_stop_polling
1479388298.484243              conn_fd_handler < conn_cond_update_polling

The problem with the previous fix above is that it break the http_proxy mode
and possibly even some Lua parts and peers to a certain extent ; all outgoing
connections where the target address is initially copied into the outgoing
connection which experience a retry would use a random outgoing address after
the retry because closing and detaching the connection causes the target
address to be lost. This was attempted to be addressed by commit 0857d7a
("BUG/MAJOR: stream: properly mark the server address as unset on connect
retry") but it used to only solve the most visible effect and not the root
cause.

Prior to this fix, it was possible to cause this config to keep CLOSE_WAIT
for as long as it takes to expire a client or server timeout (note the
missing client timeout) :

   listen test
        mode http
        bind :8002
        server s1 127.0.0.1:8001

   $ tcploop 8001 L0 W N20 A R P100 S:"HTTP/1.1 200 OK\r\nContent-length: 0\r\n\r\n" &
   $ tcploop 8002 N200 C T W S:"GET / HTTP/1.0\r\n\r\n" O P10000 K

With this patch, these CLOSE_WAIT properly vanish when both processes leave.

This commit reverts the two fixes above and replaces them with the proper
fix in connection.h. It must be backported to 1.6 and 1.5. Thanks to
Robson Roberto Souza Peixoto for providing very detailed traces showing
some obvious inconsistencies leading to finding this bug.
2016-11-18 14:48:52 +01:00
Thierry FOURNIER / OZON.IO
a44fdd95f9 MEDIUM: lua: Add cli handler for Lua
Now, HAProxy allows to register some keys in the "cli". This patch allows
to handle these keys with Lua code.
2016-11-18 14:32:03 +01:00
Thierry FOURNIER / OZON.IO
6a22dcbe27 MINOR: cli: add private pointer and release function
This pointer will be used for storing private context. With this,
the same executed function can handle more than one keyword. This
will be very useful for creation Lua cli bindings.

The release function is called when the command is terminated (give
back the hand to the prompt) or when the session is broken (timeout
or client closed).
2016-11-18 14:32:03 +01:00
Vincent Bernat
ef8f4fe12d BUG/MINOR: stick-table: handle out-of-memory condition gracefully
In case `pool_alloc2()` returns NULL, propagate the condition to the
caller. This could happen when limiting the amount of memory available
for HAProxy with `-m`.

[wt: backport to 1.6 and 1.5 needed]
2016-11-17 16:00:16 +01:00
Willy Tarreau
a71f642b62 CLEANUP: lua: avoid directly calling getsockname/getpeername()
We already have per-protocol functions for this, and they already
take care of properly setting the CO_FL_ADDR_*_SET flags.
2016-11-16 17:32:57 +01:00
Bertrand Jacquin
d4d0a23ca4 DOC: ssl: Use correct wording for ca-sign-pass
Doc references ca-sign-passphrase but the source code is referring
ca-sign-pass. Align doc to reality.
2016-11-14 18:15:20 +01:00
Bertrand Jacquin
ff13c06a17 CLEANUP: ssl: Fix bind keywords name in comments
Along with a whitespace cleanup and a grammar typo
2016-11-14 18:15:20 +01:00
Bertrand Jacquin
5a8fc2d45f CLEANUP: ssl: Remove goto after return dead code
This code can never be reached.
2016-11-14 18:15:20 +01:00
Bertrand Jacquin
5424ee08de BUG/MINOR: ssl: Print correct filename when error occurs reading OCSP
When Multi-Cert bundle are used, error is throwned regarding certificate
filename without including certifcate type extension.
2016-11-14 18:15:20 +01:00
Bertrand Jacquin
3342309572 BUG/MEDIUM: ssl: Store certificate filename in a variable
Before this change, trash is being used to create certificate filename
to read in care Mutli-Cert are in used. But then ssl_sock_load_ocsp()
modify trash leading to potential wrong information given in later error
message.

This also blocks any further use of certificate filename for other
usage, like ongoing patch to support Certificate Transparency handling
in Multi-Cert bundle.
2016-11-14 18:15:20 +01:00
Thierry FOURNIER / OZON.IO
b41f22f59c CLEANUP: lua: control executed twice
The availaible size in the stack is check two times. This patch removes
this double check.

Must be backported in 1.6
2016-11-14 15:23:17 +01:00
Thierry FOURNIER / OZON.IO
02564fd153 CLEANUP: lua: move comment
Old comment is misplaced. Certainly due to a bad copy/paste

Must be backported in 1.6
2016-11-14 15:23:17 +01:00
Thierry FOURNIER / OZON.IO
500d11e65d BUG/MEDIUM: channel: bad unlikely macro
The unlikely macro doesn't take in acount the condition, but only one
variable.

Must be backported in 1.6

[wt: with gcc 3.x, unlikely(x) is defined as __builtin_expect((x) != 0, 0)
 so the condition is wrong for negative numbers, which correspond to the
 case where bi_getblk_nc() has reached the end of the buffer and the
 channel is already closed. With gcc 4.x, the output is cast to unsigned long
 so the <=0 will not match negative values either. This is only used in Lua
 for now so that may explain why it hasn't hit yet]
2016-11-14 15:23:17 +01:00
Willy Tarreau
29cc11ca41 CONTRIB: tcploop: add basic loops via a jump instruction
This one jumps back to the oldest post-fork and post-accept action,
so it allows to recv(), pause() and send() in loops after a fork()
and an accept() for example. This is handy for bugs that reproduce
once in a while or to keep idle connections working.
2016-11-12 19:16:29 +01:00