-
Notifications
You must be signed in to change notification settings - Fork 187
Update HAProxy #70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update HAProxy #70
Conversation
c2ea8d3 to
09da95c
Compare
2.2 is very old. Pin to a newer version, and keep it up-to-date during rebuilds.
09da95c to
cdaa212
Compare
I'm currently looking into why the prebuild tests seem to fail if this is raised above HAProxy 2.2. It looks like something may have changed in the 2.4 release of HAProxy, so I'm starting there.
@mariaWitch
mariaWitch
left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Due to HAProxy changing the default user instance for their image after version 2.2, the following needs to be added to the DockerFile:
USER root
This will allow the container to not error out upon launch and will then be able to build successfully.
mariaWitch
commented
Sep 15, 2022
Checking for any additional action on this.
RealOrangeOne
commented
Nov 6, 2022
Just set the container to run as root (not ideal), and tested locally and all works as expected. I don't know what's happening with the CI failures.
pedrobaeza
commented
Nov 8, 2022
Can you please try the technique pointed by Maria about the directory?
This allows haproxy to read the socket, whilst running as a non-privileged user. The container itself needs to run as root to create the group, but haproxy itself changes its own group after startup.
RealOrangeOne
commented
Nov 29, 2022
The problem with not running as root is more about access to the docker socket than access to /run. I've made the container create a dedicated docker group at startup, which haproxy then switches to after startup. It's not perfect, but I think it's the only way forward.
Tardo
commented
Jan 20, 2023
I agree with RealOrangeOne. You can do what mariaWitch says. But to read the .sock you need root permissions. I have not been able to do it without using root either.
The change to use haproxy instead of root was made in 2.4 ... The branch we currently use (2.2) has LTS support until 2025.
@mariaWitch
mariaWitch
left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems to work on my local setup.
Finally, this can be done using "--user=haproxy:<docker_gid>" ... need comment "pidfile" in the configuration due to no have permissions to write there.
And can remove '--privileged' flag and use: "--sysctl net.ipv4.ip_unprivileged_port_start=0"
More info: docker-library/haproxy#202
Other solution can be... don't use docker-library image and use the image from haproxy: https://github.com/haproxytech/haproxy-docker-alpine
yfhyou
commented
Dec 23, 2023
When running this I get addgroup: gid '999' in use. My host stat -c "%g" /var/run/docker.sock output is 999, and from what I can tell this gid is already in use in the haproxy image:
...
utmp:x:406:
ping:x:999:
nogroup:x:65533:
...
Running docker on WSL2 Ubuntu.
The 'standard' config without the entrypoint.sh and using the --user=haproxy:<docker_gid> as @Tardo mention, does seem to work. Provided I move the pid file to another writable location like /tmp/haproxy.pid
2.2 is very old. Pin to a newer version, and keep it up-to-date during rebuilds.