Project

General

Profile

Actions

Bug #51355

closed

ingress service /var/lib/haproxy/haproxy.cfg

Added by Asbjørn Sannes almost 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Category:
orchestrator
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

It seems like cephadm expects haproxy to run as root, while the docker image haproxy runs it as the user haproxy.

This seems to have changed between haproxy 2.3.x and 2.4.x Docker images (https://hub.docker.com/_/haproxy).

It does work to add "-u root" to the docker run command in the run.unit file to make it work (found in /var/lib/ceph/<fsid>/haproxy.rgw.foo.simon.xcyvkg/unit.run).

Without those changes I get:

Jun 24 18:52:32 simon bash[3042133]: WARNING: Error loading config file: .dockercfg: $HOME is not defined
Jun 24 18:52:34 simon bash[3042133]: [NOTICE]   (8) : haproxy version is 2.4.0-6cbbecf
Jun 24 18:52:34 simon bash[3042133]: [NOTICE]   (8) : path to executable is /usr/local/sbin/haproxy
Jun 24 18:52:34 simon bash[3042133]: [ALERT]    (8) : Cannot open configuration file/directory /var/lib/haproxy/haproxy.cfg : Permission denied

When applying (rgw-ingress.yaml):

service_type: ingress
service_id: rgw.foo
placement:
  hosts:
    - simon
spec:
  backend_service: rgw.foo
  frontend_port: 8443
  virtual_ip: 10.10.12.7
  virtual_interface_networks:
    - "10.10.12.0/24" 
  monitor_port: 1967
  ssl_cert:
    -----BEGIN CERTIFICATE-----
...

with:

ceph orch apply -i rgw-ingress.yaml.

Actions #2

Updated by Javier Cacheiro almost 3 years ago

An alternative approach would be to change the owner of the haproxy config to the haproxy user (currently 99 in the docker image) and change the haproxy config so it does not try to chroot (only works when the process is started with root privileges).

And there is even another alternative that it would be to remove the "USER haproxy" instruction in the haproxy Dockerfile. This would avoid to then having to overwrite it in the commandline.

Actions #3

Updated by Asbjørn Sannes over 2 years ago

The 2.3 haproxy version is pinned in 16.2.5, it works for me, please close this.

Actions #4

Updated by Sebastian Wagner over 2 years ago

  • Status changed from New to Fix Under Review
  • Assignee set to Sebastian Wagner
  • Pull request ID set to 42415
Actions #5

Updated by Kefu Chai over 2 years ago

  • Status changed from Fix Under Review to Resolved
Actions

Also available in: Atom PDF