Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update HAProxy #70

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Update HAProxy #70

wants to merge 3 commits into from

Conversation

RealOrangeOne
Copy link
Contributor

2.2 is very old. Pin to a newer version, and keep it up-to-date during rebuilds.

@RealOrangeOne
Update HAProxy
cdaa212 
2.2 is very old. Pin to a newer version, and keep it up-to-date during rebuilds.
@mariaWitch
Copy link

mariaWitch commented Aug 15, 2022
edited
Loading

I'm currently looking into why the prebuild tests seem to fail if this is raised above HAProxy 2.2. It looks like something may have changed in the 2.4 release of HAProxy, so I'm starting there.

mariaWitch
mariaWitch suggested changes Aug 16, 2022
View reviewed changes
Copy link

@mariaWitch mariaWitch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Due to HAProxy changing the default user instance for their image after version 2.2, the following needs to be added to the DockerFile:
USER root
This will allow the container to not error out upon launch and will then be able to build successfully.

mariaWitch
mariaWitch reviewed Aug 16, 2022
View reviewed changes
Dockerfile Show resolved Hide resolved
@mariaWitch
Copy link

Checking for any additional action on this.

@RealOrangeOne
Copy link
Contributor Author

Just set the container to run as root (not ideal), and tested locally and all works as expected. I don't know what's happening with the CI failures.

@pedrobaeza
Copy link
Member

Can you please try the technique pointed by Maria about the directory?

@RealOrangeOne
Create a docker group on startup with the correct GID
c734470 
This allows haproxy to read the socket, whilst running as a non-privileged user.

The container itself needs to run as root to create the group, but haproxy itself changes its own group after startup.
@RealOrangeOne
Copy link
Contributor Author

The problem with not running as root is more about access to the docker socket than access to /run. I've made the container create a dedicated docker group at startup, which haproxy then switches to after startup. It's not perfect, but I think it's the only way forward.

@mikemhenry mikemhenry mentioned this pull request Dec 21, 2022
Merged
@Tardo
Copy link
Contributor

Tardo commented Jan 20, 2023

I agree with RealOrangeOne. You can do what mariaWitch says. But to read the .sock you need root permissions. I have not been able to do it without using root either.

The change to use haproxy instead of root was made in 2.4 ... The branch we currently use (2.2) has LTS support until 2025.

mariaWitch
mariaWitch approved these changes Jan 20, 2023
View reviewed changes
Copy link

@mariaWitch mariaWitch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to work on my local setup.

@Tardo
Copy link
Contributor

Tardo commented Feb 24, 2023
edited
Loading

Finally, this can be done using "--user=haproxy:<docker_gid>" ... need comment "pidfile" in the configuration due to no have permissions to write there.

And can remove '--privileged' flag and use: "--sysctl net.ipv4.ip_unprivileged_port_start=0"

More info: docker-library/haproxy#202

Other solution can be... don't use docker-library image and use the image from haproxy: https://github.com/haproxytech/haproxy-docker-alpine

@yfhyou
Copy link

yfhyou commented Dec 23, 2023

When running this I get addgroup: gid '999' in use. My host stat -c "%g" /var/run/docker.sock output is 999, and from what I can tell this gid is already in use in the haproxy image:

...
utmp:x:406:
ping:x:999:
nogroup:x:65533:
...

Running docker on WSL2 Ubuntu.
The 'standard' config without the entrypoint.sh and using the --user=haproxy:<docker_gid> as @Tardo mention, does seem to work. Provided I move the pid file to another writable location like /tmp/haproxy.pid

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mariaWitch mariaWitch mariaWitch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@RealOrangeOne @mariaWitch @pedrobaeza @Tardo @yfhyou