Score:0

HAProxy - Cannot chroot /var/lib/haproxy

I am trying to run haproxy in docker by following this article from the haproxy blog: https://www.haproxy.com/blog/haproxy-on-docker-swarm-load-balancing-and-dns-service-discovery/ I am getting the following error: Cannot chroot /var/lib/haproxy

hap_haproxy.3.j24pbth7qsup@prox1    | [NOTICE]   (1) : New worker #1 (9) forked
hap_haproxy.3.j24pbth7qsup@prox1    | [NOTICE]   (9) : haproxy version is 2.4.7-b5e51a5
hap_haproxy.3.j24pbth7qsup@prox1    | [NOTICE]   (9) : path to executable is /usr/local/sbin/haproxy
hap_haproxy.3.j24pbth7qsup@prox1    | [ALERT]    (9) : [haproxy.main()] Cannot chroot(/var/lib/haproxy).
hap_haproxy.3.j24pbth7qsup@prox1    | [WARNING]  (1) : Current worker #1 (9) exited with code 1 (Exit)

Here is my haproxy configuration

global
    log          fd@2 local2
#    log     stdout format raw local0 info
    chroot       /var/lib/haproxy
    pidfile      /var/lib/haproxy/haproxy.pid
    maxconn      4000
    user         haproxy 
    group        haproxy
    stats socket /var/lib/haproxy/stats user haproxy group haproxy mode 660 level admin expose-fd listeners
    master-worker

resolvers docker
    nameserver dns1 127.0.0.11:53
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold other      10s
    hold refused    10s
    hold nx         10s
    hold timeout    10s
    hold valid      10s
    hold obsolete   10s

defaults
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    log global
    mode http
    option httplog

frontend  fe_web
    bind *:8080
    use_backend stat if { path -i /stats }
    default_backend be_service

backend be_service
    balance roundrobin
    server-template nginx- 6 nginx-Service:80 check resolvers docker init-addr libc,none

backend be_service_wrong_case
    balance roundrobin
    server-template nginx- 6 nginx-service:80 check resolvers docker init-addr libc,none

backend stat
    stats enable
    stats uri /stats
    stats refresh 15s
    stats show-legends
    stats show-node

I checked the Dockerfile of the official image and the path /var/lib/haproxy is created. Can someone please tell me what is going wrong?

Score:0
At the moment I found the same problem in the HAProxy Dockerfile. Maybe it is something that I do not catch. Anyway, a simple solution:

To create a simple docker context to send:

mkdir haproxy && cd haproxy

Create a Dockerfile as follows:

FROM debian:bullseye-slim

# roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6
RUN set -eux; \
    groupadd --gid 99 --system haproxy; \
    useradd \
        --gid haproxy \
        --home-dir /var/lib/haproxy \
        --no-create-home \
        --system \
        --uid 99 \
        haproxy \
    ; \
    mkdir /var/lib/haproxy; \
    chown haproxy:haproxy /var/lib/haproxy

ENV HAPROXY_VERSION 2.5.4
ENV HAPROXY_URL https://www.haproxy.org/download/2.5/src/haproxy-2.5.4.tar.gz
ENV HAPROXY_SHA256 dc4015d85c7fef811b459803b763001d809b07a9251dc1864fedb9a07b44aefb

# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
RUN set -eux; \
    \
    savedAptMark="$(apt-mark showmanual)"; \
    apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        gcc \
        libc6-dev \
        liblua5.3-dev \
        libpcre2-dev \
        libssl-dev \
        make \
        wget \
    ; \
    rm -rf /var/lib/apt/lists/*; \
    \
    wget -O haproxy.tar.gz "$HAPROXY_URL"; \
    echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \
    mkdir -p /usr/src/haproxy; \
    tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \
    rm haproxy.tar.gz; \
    \
    makeOpts=' \
        TARGET=linux-glibc \
        USE_GETADDRINFO=1 \
        USE_LUA=1 LUA_INC=/usr/include/lua5.3 \
        USE_OPENSSL=1 \
        USE_PCRE2=1 USE_PCRE2_JIT=1 \
        USE_PROMEX=1 \
        \
        EXTRA_OBJS=" \
        " \
    '; \
# https://salsa.debian.org/haproxy-team/haproxy/-/commit/53988af3d006ebcbf2c941e34121859fd6379c70
    dpkgArch="$(dpkg --print-architecture)"; \
    case "$dpkgArch" in \
        armel) makeOpts="$makeOpts ADDLIB=-latomic" ;; \
    esac; \
    \
    nproc="$(nproc)"; \
    eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts"; \
    eval "make -C /usr/src/haproxy install-bin $makeOpts"; \
    \
    mkdir -p /usr/local/etc/haproxy; \
    cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors; \
    rm -rf /usr/src/haproxy; \
    \
    apt-mark auto '.*' > /dev/null; \
    [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
    find /usr/local -type f -executable -exec ldd '{}' ';' \
        | awk '/=>/ { print $(NF-1) }' \
        | sort -u \
        | xargs -r dpkg-query --search \
        | cut -d: -f1 \
        | sort -u \
        | xargs -r apt-mark manual \
    ; \
    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
    \
# smoke test
    haproxy -v

# https://www.haproxy.org/download/1.8/doc/management.txt
# "4. Stopping and restarting HAProxy"
# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
STOPSIGNAL SIGUSR1

COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]

USER haproxy
CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]

Then create the docker-entrypoint.sh as follows:

touch docker-entrypoint.sh

and paste the following content:

#!/bin/sh
set -e

# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
    set -- haproxy "$@"
fi

if [ "$1" = 'haproxy' ]; then
    shift # "haproxy"
    # if the user wants "haproxy", let's add a couple useful flags
    #   -W  -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
    #   -db -- disables background mode
    set -- haproxy -W -db "$@"
fi

exec "$@"

After these steps you can build your working haproxy image: docker build -t haproxy .
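
An added diagnostic, not part of either post: HAProxy's `chroot` directive calls chroot(2), which the kernel permits only for a process holding CAP_SYS_CHROOT, and the Dockerfile above ends with `USER haproxy`. The script reads the chroot directory from the `global` section and tests a CapEff mask for that capability; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). chroot(2) needs CAP_SYS_CHROOT,
# capability bit 18, in the process's effective set.

# Print the chroot directory set in the global section of a haproxy.cfg, if any.
cfg_chroot_dir() {
    awk '
        /^[ \t]*#/ { next }                          # comment line
        /^[^ \t]/  { in_global = ($1 == "global") }  # unindented line = section header
        in_global && $1 == "chroot" { print $2; exit }
    ' "$1"
}

# Succeed if a CapEff hex mask (as in /proc/<pid>/status) has CAP_SYS_CHROOT set.
has_cap_sys_chroot() {
    [ $(( (0x$1 >> 18) & 1 )) -eq 1 ]
}

# Verdict for a config file and a CapEff mask: ok, will-fail or no-chroot-configured.
chroot_verdict() {
    dir=$(cfg_chroot_dir "$1")
    if [ -z "$dir" ]; then echo "no-chroot-configured"
    elif has_cap_sys_chroot "$2"; then echo "ok"
    else echo "will-fail"
    fi
}

# Constructed sample: the relevant lines of the configuration in the question.
write_sample_cfg() {
    printf '%s\n' 'global' '    log fd@2 local2' '#    chroot /ignored' \
        '    chroot       /var/lib/haproxy' '    user         haproxy' \
        '' 'defaults' '    mode http' > "$1"
}

# With a path argument, check that file against this process's own capabilities
# (run it inside the container as the user HAProxy starts as); otherwise demo.
if [ -n "${1:-}" ]; then
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    echo "uid=$(id -u) CapEff=$capeff verdict=$(chroot_verdict "$1" "$capeff")"
else
    tmp=$(mktemp); write_sample_cfg "$tmp"
    echo "empty capability set:   $(chroot_verdict "$tmp" 0000000000000000)"
    echo "mask with bit 18 set:   $(chroot_verdict "$tmp" 0000000000040000)"
    rm -f "$tmp"
fi
```

A `will-fail` verdict means the `chroot` line cannot take effect for that process: either HAProxy starts with the capability and drops privileges through its own `user`/`group` settings, or the `chroot` line is removed and the container boundary is relied on instead.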
