
Rsyslog on Noble has apparmor rules that restrict rsyslog socket creation to /var/lib/*/dev/log. Previously we were configuring haproxy hosts to create an rsyslog socket for haproxy at /var/haproxy/dev/log, which doesn't match the apparmor rule, so it gets denied. To address this we move all the host-side haproxy config from /var/haproxy to /var/lib/haproxy. This allows rsyslog to create the socket.

To avoid needing to update docker images (for haproxy statsd) and to continue to make the haproxy container itself happy, we don't adjust paths on the target side of our bind mounts. This means some things still refer to /var/haproxy, but they should all be within containers.

I don't believe this will be impactful to existing load balancer servers. We should deploy new content to /var/lib/haproxy then automatically restart services (rsyslog and haproxy container) because their configs are updating. One potential problem with this is rsyslog will restart before the containers do and its log path will have moved. If we are concerned about this we can configure rsyslog to continue to attempt to create the old path in addition to the new path (this will fail on Noble).

Change-Id: I4582e6b2dda188583f76265ab78bcb00a302e375
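The path constraint the commit message describes can be checked before a deploy rather than discovered from a denial after rsyslog restarts. The script below is an added example, not code from the opendev system-config change: it validates a host-side socket path against the Noble AppArmor pattern /var/lib/*/dev/log (quoted from the commit message), and only then renders the rsyslog imuxsock input and the compose bind-mount line for it. The function names, the sample AppArmor denial line and its exact field layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the system-config change): validate an rsyslog
# socket path against the Noble AppArmor rule /var/lib/*/dev/log before
# rendering config for it. Helper names and the sample log line are assumed.

# AppArmor's single '*' matches within one path component only (it never
# crosses '/'), so a plain shell glob is too permissive: check the middle
# component explicitly. Returns 0 when AppArmor would allow the path.
apparmor_socket_path_ok() {
    case "$1" in
        /var/lib/*/dev/log)
            _mid=${1#/var/lib/}
            _mid=${_mid%/dev/log}
            case "$_mid" in
                ''|*/*) return 1 ;;   # empty or nested component: no match
                *)      return 0 ;;
            esac
            ;;
        *)
            return 1
            ;;
    esac
}

# Print the rsyslog imuxsock input for a host-side socket path, or fail
# (non-zero, message on stderr) when AppArmor would deny creating it.
rsyslog_imuxsock_input() {
    apparmor_socket_path_ok "$1" || {
        echo "refusing $1: does not match AppArmor rule /var/lib/*/dev/log" >&2
        return 1
    }
    printf 'input(type="imuxsock" Socket="%s" CreatePath="on")\n' "$1"
}

# Print the docker-compose volume entry. Only the host path changes; the
# in-container target (/dev/log) is kept, as the change does for haproxy.
compose_log_volume() {
    apparmor_socket_path_ok "$1" || return 1
    printf '      - %s:/dev/log\n' "$1"
}

# Pull the denied path out of an AppArmor DENIED message (as seen in the
# kernel log). The line below is constructed for this example; the real
# message format on a given kernel may differ.
denied_socket_path() {
    printf '%s\n' "$1" | sed -n 's/.*apparmor="DENIED".* name="\([^"]*\)".*/\1/p'
}

SAMPLE_DENIAL='audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="mknod" profile="rsyslogd" name="/var/haproxy/dev/log" pid=1 comm="rsyslogd" requested_mask="c" denied_mask="c"'

main() {
    # Old path, new path, and a nested path that a naive glob would accept.
    for p in /var/haproxy/dev/log /var/lib/haproxy/dev/log /var/lib/a/b/dev/log; do
        if apparmor_socket_path_ok "$p"; then
            echo "allowed  $p"
        else
            echo "denied   $p"
        fi
    done
    rsyslog_imuxsock_input /var/lib/haproxy/dev/log
    compose_log_volume /var/lib/haproxy/dev/log
    echo "denial reported for: $(denied_socket_path "$SAMPLE_DENIAL")"
}

main "$@"
```

Run it on a load balancer host before the Ansible run that moves the config; the nested-path case is there because AppArmor's `*` stops at `/`, which is exactly why /var/haproxy/dev/log was denied while /var/lib/haproxy/dev/log is not.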
62 lines
2.2 KiB
Django/Jinja
# Version 2 is the latest that is supported by docker-compose in
# Ubuntu Xenial.
version: '2'

services:
  haproxy:
    restart: always
    image: quay.io/opendevmirror/haproxy:lts
    # NOTE(ianw) 2021-05-17 : haproxy >= 2.4 runs as a non-privileged
    # user. The main problem here is we use host networking, so the
    # haproxy user is not allowed to bind to low ports (80/443). The
    # secondary problem is permissions to disk files/sockets.
    #
    # As of this writing, non-host ipv6 networking is a big PITA. You
    # give docker a range in "fixed-cidr-v6"; the first problem is
    # figuring out your routable prefix in our heterogeneous environments
    # and getting the daemon set up. The second problem is making sure
    # that range actually passes packets. Insert hand-wavy things
    # that range from setting up routes, to NDP proxies, etc. Then we
    # have the problem that docker then assigns containers addresses
    # randomly out of that (no good for DNS) which requires more
    # setup.
    #
    # Now we could override security policies and set
    # /proc/sys/net/ipv4/ip_unprivileged_port_start to 0 to allow
    # anyone to bind to low ports. That doesn't seem right.
    #
    # ip6tables NAT is another option here, which is still
    # experimental in docker 20.10.6. In theory, this works well for
    # our use-case where unprivileged containers bind to high ports
    # and we just want packets that reach external 80/443/8125 ports
    # to get into their containers and out again.
    #
    # Until this is sorted, run as root
    user: "root:root"
    network_mode: host
    # Host-side paths live under /var/lib/haproxy so that rsyslog's
    # apparmor profile on Noble (/var/lib/*/dev/log) lets it create the
    # log socket; the container-side targets keep their existing paths.
    volumes:
      - /var/lib/haproxy/dev/log:/dev/log
      - /var/lib/haproxy/etc:/usr/local/etc/haproxy:ro
      - /var/lib/haproxy/run:/var/haproxy/run
    logging:
      driver: journald
      options:
        tag: "docker-haproxy"

{% if haproxy_run_statsd %}
  haproxy-statsd:
    restart: always
    image: docker.io/opendevorg/haproxy-statsd:latest
    network_mode: host
    user: "1000:1000"
    volumes:
      - /var/lib/haproxy/run:/var/haproxy/run
    environment:
      STATSD_HOST: graphite.opendev.org
      STATSD_PORT: 8125
    logging:
      driver: journald
      options:
        tag: "docker-haproxy-statsd"
{% endif %}