Commit Graph

15894 Commits

Author SHA1 Message Date
Willy Tarreau
01cac3f721 MEDIUM: listeners: split the thread mask between receiver and bind_conf
With groups at some point we'll have to have distinct masks/groups in the
receiver and the bind_conf, because a single bind_conf might require to
instantiate multiple receivers (one per group).

Let's split the thread mask and group to have one for the bind_conf and
another one for the receiver while it remains easy to do. This will later
allow to use different storage for the bind_conf if needed (e.g. support
multiple groups).
2021-10-14 21:27:48 +02:00
Willy Tarreau
875ee704dd MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero
This function suffers from the same API issue as its sibling that does the
opposite direction, it demands that the input string is zero-terminated
*and* that its length *including* the trailing zero is passed on input,
forcing callers to pass length + 1, and itself to use that length - 1
everywhere internally.

This patch addressess this. There is a single caller, which is the
location of the previous bug, so it should probably be backported at
least to keep the code consistent across versions. Note that the
function is called dns_dn_label_to_str() in 2.3 and earlier.
2021-10-14 21:24:18 +02:00
Willy Tarreau
85c15e6bff BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records
An off-by-one issue in buffer size calculation used to limit the output
of resolv_dn_label_to_str() to 254 instead of 255.

This must be backported to 2.0.
2021-10-14 21:24:18 +02:00
Willy Tarreau
947ae125cc BUG/MEDIUM: resolver: make sure to always use the correct hostname length
In issue #1411, @jjiang-stripe reports that do-resolve() sometimes seems
to be trying to resolve crap from random memory contents.

The issue is that action_prepare_for_resolution() tries to measure the
input string by itself using strlen(), while resolv_action_do_resolve()
directly passes it a pointer to the sample, omitting the known length.
Thus of course any other header present after the host in memory are
appended to the host value. It could theoretically crash if really
unlucky, with a buffer that does not contain any zero including in the
index at the end, and if the HTX buffer ends on an allocation boundary.
In practice it should be too low a probability to have ever been observed.

This patch modifies the action_prepare_for_resolution() function to take
the string length on with the host name on input and pass that down the
chain. This should be backported to 2.0 along with commit "MINOR:
resolvers: fix the resolv_str_to_dn_label() API about trailing zero".
2021-10-14 21:24:18 +02:00
Willy Tarreau
bf9498a31b MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero
This function is bogus at the API level: it demands that the input string
is zero-terminated *and* that its length *including* the trailing zero is
passed on input. While that already looks smelly, the trailing zero is
copied as-is, and is then explicitly replaced with a zero... Not only
all callers have to pass hostname_len+1 everywhere to work around this
absurdity, but this requirement causes a bug in the do-resolve() action
that passes random string lengths on input, and that will be fixed on a
subsequent patch.

Let's fix this API issue for now.

This patch will have to be backported, and in versions 2.3 and older,
the function is in dns.c and is called dns_str_to_dn_label().
2021-10-14 21:24:18 +02:00
Willy Tarreau
6823a3acee MINOR: protocol: uniformize protocol errors
Some protocols fail with "error blah [ip:port]" and other fail with
"[ip:port] error blah". All this already appears in a "starting" or
"binding" context after a proxy name. Let's choose a more universal
approach like below where the ip:port remains at the end of the line
prefixed with "for".

  [WARNING]  (18632) : Binding [binderr.cfg:10] for proxy http: cannot bind receiver to device 'eth2' (No such device) for [0.0.0.0:1080]
  [WARNING]  (18632) : Starting [binderr.cfg:10] for proxy http: cannot set MSS to 12 for [0.0.0.0:1080]
2021-10-14 21:22:52 +02:00
Willy Tarreau
37de553f1d MINOR: protocol: report the file and line number for binding/listening errors
Binding errors and late socket errors provide no information about
the file and line where the problem occurs. These are all done by
protocol_bind_all() and they only report "Starting proxy blah". Let's
change this a little bit so that:
  - the file name and line number of the faulty bind line is alwas mentioned
  - early binding errors are indicated with "Binding" instead of "Starting".

Now we can for example have this:
  [WARNING]  (18580) : Binding [binderr.cfg:10] for proxy http: cannot bind receiver to device 'eth2' (No such device) [0.0.0.0:1080]
2021-10-14 21:22:52 +02:00
Willy Tarreau
f78b52eb7d MINOR: inet: report the faulty interface name in "bind" errors
When a "bind ... interface foo" statement fails, let's report the
interface name in the error message to help locating it in the file.
2021-10-14 21:22:52 +02:00
Willy Tarreau
3cf05cb0b1 MINOR: proto_tcp: also report the attempted MSS values in error message
The MSS errors are the only ones not indicating what was attempted, let's
report the value that was tried, as it can help users spot them in the
config (particularly if a default value was used).
2021-10-14 21:22:52 +02:00
Bjoern Jacke
ed1748553a MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors
Right now only the last warning or error is reported from
tcp_bind_listener(), but it is useful to report all warnings and no only
the last one, so we now emit them delimited by commas. Previously we used
a fixed buffer of 100 bytes, which was too small to store more than one
message, so let's extend it.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
2021-10-14 21:22:52 +02:00
William Lallemand
1dbf578ee0 BUILD: jwt: fix declaration of EVP_KEY in jwt-h.h
In file included from include/haproxy/jwt.h:25:
include/haproxy/jwt-t.h:66:2: error: unknown type name 'EVP_PKEY'
        EVP_PKEY *pkey;
        ^
1 error generated.

Fix this compilation issue by inserting openssl-compat.h in jwt-t.h
2021-10-14 17:21:11 +02:00
Remi Tricot-Le Breton
36da606324 REGTESTS: jwt: Add tests for the jwt_verify converter
This regtest uses the new jwt_header_query, jwt_payload_query and
jwt_verify converters that can be used to validate a JSON Web Token.
2021-10-14 16:38:14 +02:00
Remi Tricot-Le Breton
130e142ee2 MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity
This new converter takes a JSON Web Token, an algorithm (among the ones
specified for JWS tokens in RFC 7518) and a public key or a secret, and
it returns a verdict about the signature contained in the token. It does
not simply return a boolean because some specific error cases cas be
specified by returning an integer instead, such as unmanaged algorithms
or invalid tokens. This enables to distinguich malformed tokens from
tampered ones, that would be valid format-wise but would have a bad
signature.
This converter does not perform a full JWT validation as decribed in
section 7.2 of RFC 7519. For instance it does not ensure that the header
and payload parts of the token are completely valid JSON objects because
it would need a complete JSON parser. It only focuses on the signature
and checks that it matches the token's contents.
2021-10-14 16:38:14 +02:00
Remi Tricot-Le Breton
0a72f5ee7c MINOR: jwt: jwt_header_query and jwt_payload_query converters
Those converters allow to extract a JSON value out of a JSON Web Token's
header part or payload part (the two first dot-separated base64url
encoded parts of a JWS in the Compact Serialization format).
They act as a json_query call on the corresponding decoded subpart when
given parameters, and they return the decoded JSON subpart when no
parameter is given.
2021-10-14 16:38:13 +02:00
Remi Tricot-Le Breton
864089e0a6 MINOR: jwt: Insert public certificates into dedicated JWT tree
A JWT signed with the RSXXX or ESXXX algorithm (RSA or ECDSA) requires a
public certificate to be verified and to ensure it is valid. Those
certificates must not be read on disk at runtime so we need a caching
mechanism into which those certificates will be loaded during init.
This is done through a dedicated ebtree that is filled during
configuration parsing. The path to the public certificates will need to
be explicitely mentioned in the configuration so that certificates can
be loaded as early as possible.
This tree is different from the ckch one because ckch entries are much
bigger than the public certificates used in JWT validation process.
2021-10-14 16:38:12 +02:00
Remi Tricot-Le Breton
e0d3c00086 MINOR: jwt: JWT tokenizing helper function
This helper function splits a JWT under Compact Serialization format
(dot-separated base64-url encoded strings) into its different sub
strings. Since we do not want to manage more than JWS for now, which can
only have at most three subparts, any JWT that has strictly more than
two dots is considered invalid.
2021-10-14 16:38:10 +02:00
Remi Tricot-Le Breton
7feb361776 MINOR: jwt: Parse JWT alg field
The full list of possible algorithms used to create a JWS signature is
defined in section 3.1 of RFC7518. This patch adds a helper function
that converts the "alg" strings into an enum member.
2021-10-14 16:38:08 +02:00
Remi Tricot-Le Breton
f5dd337b12 MINOR: http: Add http_auth_bearer sample fetch
This fetch can be used to retrieve the data contained in an HTTP
Authorization header when the Bearer scheme is used. This is used when
transmitting JSON Web Tokens for instance.
2021-10-14 16:38:07 +02:00
William Lallemand
1d58b01316 MINOR: ssl: add ssl_fc_is_resumed to "option httpslog"
In order to trace which session were TLS resumed, add the
ssl_fc_is_resumed in the httpslog option.
2021-10-14 14:27:48 +02:00
William Lallemand
e5dfd405b3 REGTESTS: ssl: re-enable set_ssl_cert_bundle.vtc
The new "ssllib_name_startswith(OpenSSL)" command allows us to
reactivate set_ssl_cert_bundle.vtc with >= OpenSSL 1.1.1 only.
2021-10-14 11:06:16 +02:00
Amaury Denoyelle
493bb1db10 MINOR: quic: handle CONNECTION_CLOSE frame
On receiving CONNECTION_CLOSE frame, the mux is flagged for immediate
connection close. A stream is closed even if there is data not ACKed
left if CONNECTION_CLOSE has been received.
2021-10-13 16:38:56 +02:00
Amaury Denoyelle
1e308ffc79 MINOR: mux: remove last occurences of qcc ring buffer
The mux tx buffers have been rewritten with buffers attached to qcs
instances. qc_buf_available and qc_get_buf functions are updated to
manipulates qcs. All occurences of the unused qcc ring buffer are
removed to ease the code maintenance.
2021-10-13 16:38:56 +02:00
Amaury Denoyelle
cae0791942 MEDIUM: mux-quic: defer stream shut if remaining tx data
Defer the shutting of a qcs if there is still data in its tx buffers. In
this case, the conn_stream is closed but the qcs is kept with a new flag
QC_SF_DETACH.

On ACK reception, the xprt wake up the shut_tl tasklet if the stream is
flagged with QC_SF_DETACH. This tasklet is responsible to free the qcs
and possibly the qcc when all bidirectional streams are removed.
2021-10-13 16:38:56 +02:00
Amaury Denoyelle
ac8ee25659 MINOR: mux-quic: implement standard method to detect if qcc is dead
For the moment, a quic connection is considered dead if it has no
bidirectional streams left on it. This test is implemented via
qcc_is_dead function. It can be reused to properly close the connection
when needed.
2021-10-13 16:38:56 +02:00
Amaury Denoyelle
4fc8b1cb17 CLEANUP: h3: remove dead code
Remove unused function. This will simplify code maintenance.
2021-10-13 16:38:56 +02:00
Amaury Denoyelle
a587136c6f MINOR: mux-quic: standardize h3 settings sending
Use same buffer management to send h3 settings as for streams. This
simplify the code maintenance with unused function removed.
2021-10-13 16:38:56 +02:00
Amaury Denoyelle
a543eb1f6f MEDIUM: h3: properly manage tx buffers for large data
Properly handle tx buffers management in h3 data sending. If there is
not enough contiguous space, the buffer is first realigned. If this is
not enough, the stream is flagged with QC_SF_BLK_MROOM waiting for the
buffer to be emptied.

If a frame on a stream is successfully pushed for sending, the stream is
called if it was flagged with QC_SF_BLK_MROOM.
2021-10-13 16:38:56 +02:00
Amaury Denoyelle
d3d97c6ae7 MEDIUM: mux-quic: rationalize tx buffers between qcc/qcs
Remove the tx mux ring buffers in qcs, which should be in the qcc. For
the moment, use a simple architecture with 2 simple tx buffers in the
qcs.

The first buffer is used by the h3 layer to prepare the data. The mux
send operation transfer these into the 2nd buffer named xprt_buf. This
buffer is only freed when an ACK has been received.

This architecture is functional but not optimal for two reasons :
- it won't limit the buffer usage by connection
- each transfer on a new stream requires an allocation
2021-10-13 16:38:56 +02:00
Remi Tricot-Le Breton
e1b61090a0 REGTESTS: ssl: Use mostly TLSv1.2 in ssl_errors test
In order for the test to run with OpenSSL 1.0.2 the test will now mostly
use TLSv1.2 and use TLS 1.3 only on some specific tests (covered by
preconditions).
2021-10-13 11:28:12 +02:00
Remi Tricot-Le Breton
d12e13a55a REGTESTS: ssl: Reenable ssl_errors test for OpenSSL only
The test is strongly dependent on the way the errors are output by the
SSL library so it is not possible to perform the same checks when using
OpenSSL or LibreSSL. It is then reenabled for OpenSSL (whatever the
version) but still disabled for LibreSSL.
This limitation is added thanks to the new ssllib_name_startswith
precondition check.
2021-10-13 11:28:11 +02:00
Remi Tricot-Le Breton
d266cdad2a REGTESTS: ssl: Fix ssl_errors test for OpenSSL v3
The OpenSSL error codes for the same errors are not consistent between
OpenSSL versions. The ssl_errors test needs to be modified to only take
into account a fixed part of those error codes.
This patch focuses on the reason part of the error code by applying a
mask on the error code (whose size varies depending on the lib version).
2021-10-13 11:28:10 +02:00
Remi Tricot-Le Breton
b01179aa92 MINOR: ssl: Add ssllib_name_startswith precondition
This new ssllib_name_startswith precondition check can be used to
distinguish application linked with OpenSSL from the ones linked with
other SSL libraries (LibreSSL or BoringSSL namely). This check takes a
string as input and returns 1 when the SSL library's name starts with
the given string. It is based on the OpenSSL_version function which
returns the same output as the "openssl version" command.
2021-10-13 11:28:08 +02:00
Remi Tricot-Le Breton
1ac65f8668 REGTESTS: ssl: Fix references to removed option in test description
The log-error-via-logformat option was removed in commit
3d6350e108 and was replaced by a dedicated
error-log-format option. The references to this option need to be
removed from the test's description.
2021-10-13 11:28:07 +02:00
William Lallemand
bc2b96c2de CI: github: switch to OpenSSL 3.0.0
Switch the OpenSSL 3.0.0alpha17 version to the final 3.0.0 release.

Part of OpenSSL 3.0.0 portage. (ticket #1276)
2021-10-13 10:21:22 +02:00
Tim Duesterhus
9e5e586e35 BUG/MINOR: lua: Fix lua error handling in hlua_config_prepend_path()
Set an `lua_atpanic()` handler before calling `hlua_prepend_path()` in
`hlua_config_prepend_path()`.

This prevents the process from abort()ing when `hlua_prepend_path()` fails
for some reason.

see GitHub Issue #1409

This is a very minor issue that can't happen in practice. No backport needed.
2021-10-12 11:28:57 +02:00
Christopher Faulet
8c67eceeca CLEANUP: stream: Properly indent current_rule line in "show sess all"
This line is not related to the response channel but to the stream. Thus it
must be indented at the same level as stream-interfaces, connections,
channels...
2021-10-12 11:27:24 +02:00
Christopher Faulet
d4762b8474 MINOR: stream: report the current filter in "show sess all" when known
Filters can block the stream on pre/post analysis for any reason and it can
be useful to report it in "show sess all". So now, a "current_filter" extra
line is reported for each channel if a filter is blocking the analysis. Note
that this does not catch the TCP/HTTP payload analysis because all
registered filters are always evaluated when more data are received.
2021-10-12 11:26:49 +02:00
Willy Tarreau
1274e10d5c MINOR: stream: report the current rule in "show sess all" when known
Sometimes an HTTP or TCP rule may take time to complete because it is
waiting for external data (e.g. "wait-for-body", "do-resolve"), and it
can be useful to report the action and the location of that rule in
"show sess all". Here for streams blocked on such a rule, there will
now be a "current_line" extra line reporting this. Note that this does
not catch rulesets which are re-evaluated from the start on each change
(e.g. tcp-request content waiting for changes) but only when a specific
rule is being paused.
2021-10-12 07:38:30 +02:00
Willy Tarreau
c9e4868510 MINOR: rules: add a file name and line number to act_rules
These ones are passed on rule creation for the sole purpose of being
reported in "show sess", which is not done yet. For now the entries
are allocated upon rule creation and freed in free_act_rules().
2021-10-12 07:38:30 +02:00
Willy Tarreau
d535f807bb MINOR: rules: add a new function new_act_rule() to allocate act_rules
Rules are currently allocated using calloc() by their caller, which does
not make it very convenient to pass more information such as the file
name and line number.

This patch introduces new_act_rule() which performs the malloc() and
already takes in argument the ruleset (ACT_F_*), the file name and the
line number. This saves the caller from having to assing ->from, and
will allow to improve the internal storage with more info.
2021-10-12 07:38:30 +02:00
Olivier Houchard
e972c0acde MINOR: initcall: Rename __GLOBL and __GLOBL1.
Rename __GLOBL and __GLOBL1 to __HA_GLOBL and __HA_GLOBL1, as the former are
already defined on FreeBSD.

This should be backported to 2.4, 2.3 and 2.2.
2021-10-11 00:55:26 +02:00
Willy Tarreau
4c67bd6a06 [RELEASE] Released version 2.5-dev9
Released version 2.5-dev9 with the following main changes :
    - head-truc
    - REGTESTS: lua: test the httpclient:get() feature
    - Revert "head-truc"
    - BUG/MEDIUM: httpclient: replace ist0 by istptr
    - MINOR: config: use a standard parser for the "nbthread" keyword
    - CLEANUP: init: remove useless test against MAX_THREADS in affinity loop
    - MEDIUM: init: de-uglify the per-thread affinity setting
    - MINOR: init: extract the setup and end of threads to their own functions
    - MINOR: log: Try to get the status code when MUX_EXIT_STATUS is retrieved
    - MINOR: mux-h1: Set error code if possible when MUX_EXIT_STATUS is returned
    - MINOR: mux-h1: Be able to set custom status code on parsing error
    - MEDIUM: mux-h1: Reject HTTP/1.0 GET/HEAD/DELETE requests with a payload
    - MEDIUM: h1: Force close mode for invalid uses of T-E header
    - BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send "trailers"
    - MINOR: http: Add 422-Unprocessable-Content error message
    - MINOR: h1: Change T-E header parsing to fail if chunked encoding is found twice
    - BUG/MEDIUM: mux-h1/mux-fcgi: Reject messages with unknown transfer encoding
    - REGTESTS: Add script to validate T-E header parsing
    - REORG: pools: move default settings to defaults.h
    - DOC: peers: fix doc "enable" statement on "peers" sections
    - MINOR: Makefile: add MEMORY_POOLS to the list of DEBUG_xxx options
    - MINOR: ssl: Set connection error code in case of SSL read or write fatal failure
    - MINOR: ssl: Rename ssl_bc_hsk_err to ssl_bc_err
    - MINOR: ssl: Store the last SSL error code in case of read or write failure
    - REGTESTS: ssl: enable show_ssl_ocspresponse.vtc again
    - REGTESTS: ssl: enable ssl_crt-list_filters.vtc again
    - BUG/MEDIUM: lua: fix wakeup condition from sleep()
    - BUG/MAJOR: lua: use task_wakeup() to properly run a task once
    - MINOR: arg: Be able to forbid unresolved args when building an argument list
    - BUG/MINOR: tcpcheck: Don't use arg list for default proxies during parsing
    - BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input
    - MINOR: tasks: catch TICK_ETERNITY with BUG_ON() in __task_queue()
    - REGTESTS: ssl: show_ssl_ocspresponse w/ freebsd won't use base64
    - REGTESTS: ssl: wrong feature cmd in show_ssl_ocspresponse.vtc
    - CLEANUP: tasks: remove the long-unused work_lists
    - MINOR: task: provide 3 task_new_* wrappers to simplify the API
    - MINOR: time: uninline report_idle() and move it to task.c
    - REORG: sched: move idle time calculation from time.h to task.h
    - REORG: sched: move the stolen CPU time detection to sched_entering_poll()
    - BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release
    - BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule
    - MINOR: httpclient: destroy() must free the headers and the ists
    - MINOR: httpclient: set HTTPCLIENT_F_ENDED only in release
    - MINOR: httpclient: stop_and_destroy() ask the applet to autokill
    - MINOR: httpclient: test if started during stop_and_destroy()
    - MINOR: httpclient/lua: implement garbage collection
    - BUG/MEDIUM: httpclient/lua: crash because of b_xfer and get_trash_chunk()
    - MINOR: httpclient: destroy checks if a client was started but not stopped
    - BUG/MINOR: httpclient/lua: does not process headers when failed
    - MINOR: httpclient/lua: supports headers via named arguments
    - CLEANUP: server: always include the storage for SSL settings
    - CLEANUP: sample: rename sample_conv_var2smp() to *_sint
    - CLEANUP: sample: uninline sample_conv_var2smp_str()
    - MINOR: sample: provide a generic var-to-sample conversion function
    - BUG/MEDIUM: sample: properly verify that variables cast to sample
    - BUILD: action: add the relevant structures for function arguments
    - BUILD: extcheck: needs to include stream-t.h
    - BUILD: hlua: needs to include stream-t.h
    - BUILD: stats: define several missing structures in stats.h
    - BUILD: resolvers: define missing types in resolvers.h
    - BUILD: httpclient: include missing ssl_sock-t
    - BUILD: sample: include openssl-compat
    - BUILD: http_ana: need to include proxy-t to get redirect_rule
    - BUILD: http_rules: requires http_ana-t.h for REDIRECT_*
    - BUILD: vars: need to include xxhash
    - BUILD: peers: need to include eb{32/mb/pt}tree.h
    - BUILD: ssl_ckch: include ebpttree.h in ssl_ckch.c
    - BUILD: compiler: add the container_of() and container_of_safe() macros
    - BUILD: idleconns: include missing ebmbtree.h at several places
    - BUILD: connection: connection.h needs list.h and server.h
    - BUILD: tree-wide: add missing http_ana.h from many places
    - BUILD: cfgparse-ssl: add missing errors.h
    - BUILD: tcp_sample: include missing errors.h and session-t.h
    - BUILD: mworker: mworker-prog needs time.h for the 'now' variable
    - BUILD: tree-wide: add several missing activity.h
    - BUILD: compat: fix -Wundef on SO_REUSEADDR
    - CLEANUP: pools: pools-t.h doesn't need to include thread-t.h
    - REORG: pools: uninline the UAF allocator and force-inline the rest
    - REORG: thread: uninline the lock-debugging code
    - MINOR: thread/debug: replace nsec_now() with now_mono_time()
    - CLEANUP: remove some unneeded includes from applet-t.h
    - REORG: listener: move bind_conf_alloc() and listener_state_str() to listener.c
    - CLEANUP: listeners: do not include openssl-compat
    - CLEANUP: servers: do not include openssl-compat
    - REORG: ssl: move ssl_sock_is_ssl() to connection.h and rename it
    - CLEANUP: mux_fcgi: remove dependency on ssl_sock
    - CLEANUP: ssl/server: move ssl_sock_set_srv() to srv_set_ssl() in server.c
    - REORG: ssl-sock: move the sslconns/totalsslconns counters to global
    - REORG: sample: move the crypto samples to ssl_sample.c
    - REORG: sched: moved samp_time and idle_time to task.c as well
    - REORG: time/ticks: move now_ms and global_now_ms definitions to ticks.h
    - CLEANUP: tree-wide: remove unneeded include time.h in ~20 files
    - REORG: activity: uninline activity_count_runtime()
    - REORG: acitvity: uninline sched_activity_entry()
    - CLEANUP: stream: remove many unneeded includes from stream-t.h
    - CLEANUP: stick-table: no need to include socket nor in.h
    - MINOR: connection: use uint64_t for the hashes
    - REORG: connection: move the hash-related stuff to connection.c
    - REORG: connection: uninline conn_notify_mux() and conn_delete_from_tree()
    - REORG: server: uninline the idle conns management functions
    - REORG: ebtree: split structures into their own file ebtree-t.h
    - CLEANUP: tree-wide: only include ebtree-t from type files
    - REORG: connection: move the largest inlines from connection.h to connection.c
    - CLEANUP: connection: do not include http_ana!
    - CLEANUP: connection: remove unneeded tcpcheck-t.h and use only session-t.h
    - REORG: connection: uninline the rest of the alloc/free stuff
    - REORG: task: uninline the loop time measurement code
    - CLEANUP: time: move a few configurable defines to defaults.h
    - CLEANUP: fd: do not include time.h
    - REORG: fd: uninline compute_poll_timeout()
    - CLENAUP: wdt: use ha_tkill() instead of accessing pthread directly
    - REORG: thread: move the thread init/affinity/stop to thread.c
    - REORG: thread: move ha_get_pthread_id() to thread.c
    - MINOR: thread: use a dedicated static pthread_t array in thread.c
    - CLEANUP: thread: uninline ha_tkill/ha_tkillall/ha_cpu_relax()
    - DOC: configuration: add clarification on escaping in keyword arguments
    - BUG/MINOR: task: fix missing include with DEBUG_TASK
    - MINOR: pools: report the amount used by thread caches in "show pools"
    - MINOR: quic: Distinguish packet and SSL read enc. level in traces
    - MINOR: quic: Add a function to dump SSL stack errors
    - MINOR: quic: BUG_ON() SSL errors.
    - MINOR: quic: Fix SSL error issues (do not use ssl_bio_and_sess_init())
    - BUG/MEDIUM: mux-quic: reinsert all streams in by_id tree
    - BUG/MAJOR: xprt-quic: do not queue qc timer if not set
    - MINOR: mux-quic: release connection if no more bidir streams
    - BUG/MAJOR: quic: remove qc from receiver cids tree on free
    - BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames
    - MINOR: qpack: do not encode invalid http status code
    - MINOR: qpack: support non-indexed http status code encoding
    - MINOR: qpack: fix memory leak on huffman decoding
    - CLEANUP: mux-quic: remove unused code
    - BUG/MINOR: quic: fix includes for compilation
    - BUILD: connection: avoid a build warning on FreeBSD with SO_USER_COOKIE
    - BUILD: init: avoid a build warning on FreeBSD with USE_PROCCTL
    - REORG: time: move time-keeping code and variables to clock.c
    - REORG: clock: move the updates of cpu/mono time to clock.c
    - MINOR: activity: get the run_time from the clock updates
    - CLEANUP: clock: stop exporting before_poll and after_poll
    - REORG: clock: move the clock_id initialization to clock.c
    - REORG: clock/wdt: move wdt timer initialization to clock.c
    - MINOR: clock: move the clock_ids to clock.c
    - MINOR: wdt: move wd_timer to wdt.c
    - CLEANUP: wdt: do not remap SI_TKILL to SI_LWP, test the values directly
    - REORG: thread/sched: move the task_per_thread stuff to thread_ctx
    - REORG: thread/clock: move the clock parts of thread_info to thread_ctx
    - REORG: thread/sched: move the thread_info flags to the thread_ctx
    - REORG: thread/sched: move the last dynamic thread_info to thread_ctx
    - MINOR: thread: make "ti" a const pointer and clean up thread_info a bit
    - MINOR: threads: introduce a minimalistic notion of thread-group
    - MINOR: global: add a new "thread-groups" directive
    - MINOR: global: add a new "thread-group" directive
    - MINOR: threads: make tg point to the current thread's group
    - MEDIUM: threads: automatically assign threads to groups
    - MINOR: threads: set the group ID and its bit in the thread group
    - MINOR: threads: set the tid, ltid and their bit in thread_cfg
    - MEDIUM: threads: replace ha_set_tid() with ha_set_thread()
    - MINOR: threads: add the current group ID in thread-local "tgid" variable
    - MINOR: debug: report the group and thread ID in the thread dumps
    - MEDIUM: listeners: support the definition of thread groups on bind lines
    - MINOR: threads: add a new function to resolve config groups and masks
    - MEDIUM: config: resolve relative threads on bind lines to absolute ones
    - MEDIUM: stick-table: never learn the "conn_cur" value from peers
2021-10-08 18:22:24 +02:00
Willy Tarreau
db2ab8218c MEDIUM: stick-table: never learn the "conn_cur" value from peers
There have been a large number of issues reported with conn_cur
synchronization because the concept is wrong. In an active-passive
setup, pushing the local connections count from the active node to
the passive one will result in the passive node to have a higher
counter than the real number of connections. Due to this, after a
switchover, it will never be able to close enough connections to
go down to zero. The same commonly happens on reloads since the new
process preloads its values from the old process, and if no connection
happens for a key after the value is learned, it is impossible to reset
the previous ones. In active-active setups it's a bit different, as the
number of connections reflects the number on the peer that pushed last.

This patch solves this by marking the "conn_cur" local and preventing
it from being learned from peers. It is still pushed, however, so that
any monitoring system that collects values from the peers will still
see it.

The patch is tiny and trivially backportable. While a change of behavior
in stable branches is never welcome, it remains possible to fix issues
if reports become frequent.
2021-10-08 17:53:12 +02:00
Willy Tarreau
e3f4d7496d MEDIUM: config: resolve relative threads on bind lines to absolute ones
Now threads ranges specified on bind lines will be turned to effective
ones that will lead to a usable thread mask and a group ID.
2021-10-08 17:22:26 +02:00
Willy Tarreau
627def9e50 MINOR: threads: add a new function to resolve config groups and masks
In the configuration sometimes we'll omit a thread group number to designate
a global thread number range, and sometimes we'll mention the group and
designate IDs within that group. The operation is more complex than it
seems due to the need to check for ranges spanning between multiple groups
and determining groups from threads from bit masks and remapping bit masks
between local/global.

This patch adds a function to perform this operation, it takes a group and
mask on input and updates them on output. It's designed to be used by "bind"
lines but will likely be usable at other places if needed.

For situations where specified threads do not exist in the group, we have
the choice in the code between silently fixing the thread set or failing
with a message. For now the better option seems to return an error, but if
it turns out to be an issue we can easily change that in the future. Note
that it should only happen with "x/even" when group x only has one thread.
2021-10-08 17:22:26 +02:00
Willy Tarreau
d57b9ff7af MEDIUM: listeners: support the definition of thread groups on bind lines
This extends the "thread" statement of bind lines to support an optional
thread group number. When unspecified (0) it's an absolute thread range,
and when specified it's one relative to the thread group. Masks are still
used so no more than 64 threads may be specified at once, and a single
group is possible. The directive is not used for now.
2021-10-08 17:22:26 +02:00
Willy Tarreau
a3870b7952 MINOR: debug: report the group and thread ID in the thread dumps
Now thread dumps will report the thread group number and the ID within
this group. Note that this is still quite limited because some masks
are calculated based on the thread in argument while they have to be
performed against a group-level thread ID.
2021-10-08 17:22:26 +02:00
Willy Tarreau
b90935c908 MINOR: threads: add the current group ID in thread-local "tgid" variable
This is the equivalent of "tid" for ease of access. In the future if we
make th_cfg a pure thread-local array (not a pointer), it may make sense
to move it there.
2021-10-08 17:22:26 +02:00
Willy Tarreau
43ab05b3da MEDIUM: threads: replace ha_set_tid() with ha_set_thread()
ha_set_tid() was randomly used either to explicitly set thread 0 or to
set any possibly incomplete thread during boot. Let's replace it with
a pointer to a valid thread or NULL for any thread. This allows us to
check that the designated threads are always valid, and to ignore the
thread 0's mapping when setting it to NULL, and always use group 0 with
it during boot.

The initialization code is also cleaner, as we don't pass ugly casts
of a thread ID to a pointer anymore.
2021-10-08 17:22:26 +02:00
Willy Tarreau
cc7a11ee3b MINOR: threads: set the tid, ltid and their bit in thread_cfg
This will be a convenient way to communicate the thread ID and its
local ID in the group, as well as their respective bits when creating
the threads or when only a pointer is given.
2021-10-08 17:22:26 +02:00