f4a20b0502
Starting with the automated update to the haproxy 2.9.1 image at 04:00 today, we noticed the service immediately spiking up to 100% CPU and quickly filling its session table. Downgrading from the latest tag to lts (currently 2.8.5) appears to have solved it for now. This might be https://github.com/haproxy/haproxy/issues/2393 . Change-Id: I3085e7921f43665118678a660d777601f08debd3
62 lines
2.2 KiB
Django/Jinja
62 lines
2.2 KiB
Django/Jinja
# Version 2 is the latest that is supported by docker-compose in
|
|
# Ubuntu Xenial.
|
|
version: '2'
|
|
|
|
services:
|
|
haproxy:
|
|
restart: always
|
|
image: docker.io/library/haproxy:lts
|
|
# NOTE(ianw) 2021-05-17 : haproxy >= 2.4 runs as a non-privileged
|
|
# user. The main problem here is we use host networking, so the
|
|
# haproxy user is not allowed to bind to low ports (80/443). The
|
|
# secondary problem permissions to disk files/socket.
|
|
#
|
|
# As of this writing, non-host ipv6 networking is a big PITA. You
|
|
# give docker a range in "fixed-cidr-v6"; the first problem is
|
|
# figuring out your routable prefix our hetrogenous environments
|
|
# and getting the daemon setup. The second problem is making sure
|
|
# that range actually passes packets. Insert hand-wavy things
|
|
# that range from setting up routes, to NDP proxies, etc. Then we
|
|
# have the problem that docker then assigns containers addresses
|
|
# randomly out of that (no good for DNS) which requires more
|
|
# setup.
|
|
#
|
|
# Now we could override security policies and set
|
|
# /proc/sys/net/ipv4/ip_unprivileged_port_start to 0 to allow
|
|
# anyone to bind to low ports. That doesn't seem right.
|
|
#
|
|
# ip6tables NAT is another option here, which is still
|
|
# experimental in docker 20.10.6. In theory, this works well for
|
|
# our use-case where unprivileged containers bind to high ports
|
|
# and we just want packets that reach external 80/443/8125 ports
|
|
# to get into their containers and out again.
|
|
#
|
|
# Until this is sorted, run as root
|
|
user: "root:root"
|
|
network_mode: host
|
|
volumes:
|
|
- /var/haproxy/dev/log:/dev/log
|
|
- /var/haproxy/etc:/usr/local/etc/haproxy:ro
|
|
- /var/haproxy/run:/var/haproxy/run
|
|
logging:
|
|
driver: syslog
|
|
options:
|
|
tag: "docker-haproxy"
|
|
|
|
{% if haproxy_run_statsd %}
|
|
haproxy-statsd:
|
|
restart: always
|
|
image: docker.io/opendevorg/haproxy-statsd:latest
|
|
network_mode: host
|
|
user: "1000:1000"
|
|
volumes:
|
|
- /var/haproxy/run:/var/haproxy/run
|
|
environment:
|
|
STATSD_HOST: graphite.opendev.org
|
|
STATSD_PORT: 8125
|
|
logging:
|
|
driver: syslog
|
|
options:
|
|
tag: "docker-haproxy-statsd"
|
|
{% endif %}
|