docker-socket-proxy icon indicating copy to clipboard operation
docker-socket-proxy copied to clipboard

Published 20 hours ago verified publisher icon Tecnativa

Update HAProxy

Open RealOrangeOne opened this issue 2 years ago • 8 comments

2.2 is very old. Pin to a newer version, and keep it up-to-date during rebuilds.

RealOrangeOne avatar Jun 04 '22 22:06 RealOrangeOne

I'm currently looking into why the prebuild tests seem to fail if this is raised above HAProxy 2.2. It looks like something may have changed in the 2.4 release of HAProxy, so I'm starting there.

mariaWitch avatar Aug 15 '22 20:08 mariaWitch

Checking for any additional action on this.

mariaWitch avatar Sep 15 '22 17:09 mariaWitch

Just set the container to run as root (not ideal), and tested locally and all works as expected. I don't know what's happening with the CI failures.

RealOrangeOne avatar Nov 06 '22 14:11 RealOrangeOne

Can you please try the technique pointed by Maria about the directory?

pedrobaeza avatar Nov 08 '22 07:11 pedrobaeza

The problem with not running as root is more about access to the docker socket than access to /run. I've made the container create a dedicated docker group at startup, which haproxy then switches to after startup. It's not perfect, but I think it's the only way forward.

RealOrangeOne avatar Nov 29 '22 09:11 RealOrangeOne

I agree with RealOrangeOne. You can do what mariaWitch says. But to read the .sock you need root permissions. I have not been able to do it without using root either.

The change to use haproxy instead of root was made in 2.4 ... The branch we currently use (2.2) has LTS support until 2025.

Tardo avatar Jan 20 '23 09:01 Tardo

Finally, this can be done using "--user=haproxy:<docker_gid>" ... need comment "pidfile" in the configuration due to no have permissions to write there.

And can remove '--privileged' flag and use: "--sysctl net.ipv4.ip_unprivileged_port_start=0"

More info: https://github.com/docker-library/haproxy/issues/202

Other solution can be... don't use docker-library image and use the image from haproxy: https://github.com/haproxytech/haproxy-docker-alpine

Tardo avatar Feb 24 '23 11:02 Tardo

When running this I get addgroup: gid '999' in use. My host stat -c "%g" /var/run/docker.sock output is 999, and from what I can tell this gid is already in use in the haproxy image:

...
utmp:x:406:
ping:x:999:
nogroup:x:65533:
...

Running docker on WSL2 Ubuntu. The 'standard' config without the entrypoint.sh and using the --user=haproxy:<docker_gid> as @Tardo mention, does seem to work. Provided I move the pid file to another writable location like /tmp/haproxy.pid

yfhyou avatar Dec 23 '23 03:12 yfhyou