Bug #51355
closedingress service /var/lib/haproxy/haproxy.cfg
0%
Description
It seems like cephadm expects haproxy to run as root, while the docker image haproxy runs it as the user haproxy.
This seems to have changed between haproxy 2.3.x and 2.4.x Docker images (https://hub.docker.com/_/haproxy).
It does work to add "-u root" to the docker run command in the run.unit file to make it work (found in /var/lib/ceph/<fsid>/haproxy.rgw.foo.simon.xcyvkg/unit.run).
Without those changes I get:
Jun 24 18:52:32 simon bash[3042133]: WARNING: Error loading config file: .dockercfg: $HOME is not defined Jun 24 18:52:34 simon bash[3042133]: [NOTICE] (8) : haproxy version is 2.4.0-6cbbecf Jun 24 18:52:34 simon bash[3042133]: [NOTICE] (8) : path to executable is /usr/local/sbin/haproxy Jun 24 18:52:34 simon bash[3042133]: [ALERT] (8) : Cannot open configuration file/directory /var/lib/haproxy/haproxy.cfg : Permission denied
When applying (rgw-ingress.yaml):
service_type: ingress service_id: rgw.foo placement: hosts: - simon spec: backend_service: rgw.foo frontend_port: 8443 virtual_ip: 10.10.12.7 virtual_interface_networks: - "10.10.12.0/24" monitor_port: 1967 ssl_cert: -----BEGIN CERTIFICATE----- ...
with:
ceph orch apply -i rgw-ingress.yaml.
Updated by Asbjørn Sannes almost 3 years ago
Someone else also noticing the same:
https://www.reddit.com/r/ceph/comments/nxl5v3/ingress_service_on_pacific_v1624_haproxy_not/
Updated by Javier Cacheiro almost 3 years ago
An alternative approach would be to change the owner of the haproxy config to the haproxy user (currently 99 in the docker image) and change the haproxy config so it does not try to chroot (only works when the process is started with root privileges).
And there is even another alternative that it would be to remove the "USER haproxy" instruction in the haproxy Dockerfile. This would avoid to then having to overwrite it in the commandline.
Updated by Asbjørn Sannes almost 3 years ago
The 2.3 haproxy version is pinned in 16.2.5, it works for me, please close this.
Updated by Sebastian Wagner almost 3 years ago
- Status changed from New to Fix Under Review
- Assignee set to Sebastian Wagner
- Pull request ID set to 42415
Updated by Kefu Chai almost 3 years ago
- Status changed from Fix Under Review to Resolved