8cd8784825
Ubuntu Noble ships with an enforcing rsyslogd apparmor profile. This profile prevents our haproxy container from opening the syslog socket we bind mount into the container. I discussed this in #ubuntu-security which resulted in this issue: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/2098148 which includes many details on what is going on. This change implements the suggested workaround for our haproxy nodes. I believe this is the only place we are currently attempting to directly access rsyslog sockets from within containers. The tl;dr on the fix is that we have to tell rsyslogd to attach disconnected connections as the container runs in a different filesystem namespace which disconnects the paths for the socket. Unfortunately sarnold indicates that we have to edit the primary profile configuration file as this flag applies to the top level of the profile. We cannot use one of the files this profile #includes. Change-Id: I4e09211a1bdc4dfbf3012a66e79c181c6fb957a4
Install, configure, and run a haproxy server.
Role Variables