15e0d6c7df
Rsyslog on Noble has apparmor rules that restrict rsyslog socket creation to /var/lib/*/dev/log. Previously we were configuring haproxy hosts to create an rsyslog socket for haproxy at /var/haproxy/dev/log which doesn't match the apparmor rule so gets denied. To address this we move all the host side haproxy config from /var/haproxy to /var/lib/haproxy. This allows rsyslog to create the socket. To avoid needing to update docker images (for haproxy statsd) and to continue to make the haproxy container itself happy we don't adjust paths on the target side of our bind mounts. This means some things still refer to /var/haproxy but they should all be within containers. I don't believe this will be impactful to existing load balancer servers. We should deploy new content to /var/lib/haproxy then automatically restart services (rsyslog and haproxy container) because their configs are updating. One potential problem with this is rsyslog will restart before the containers do and its log path will have moved. If we are concerned about this we can configure rsyslog to continue to attempt to create the old path in addition to the new path (this will fail on Noble). Change-Id: I4582e6b2dda188583f76265ab78bcb00a302e375
65 lines
2.6 KiB
Python
65 lines
2.6 KiB
Python
# Copyright 2018 Red Hat, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import json
|
|
|
|
|
|
testinfra_hosts = ['gitea-lb02.opendev.org']
|
|
|
|
|
|
def test_gitea_listening(host):
|
|
gitea_https = host.socket("tcp://0.0.0.0:443")
|
|
assert gitea_https.is_listening
|
|
gitea_http = host.socket("tcp://0.0.0.0:80")
|
|
assert gitea_http.is_listening
|
|
|
|
def test_haproxy_statsd_running(host):
|
|
# TODO(clarkb) when everything is using docker compose we can use
|
|
# ps --format json and inspect the json document directly. Old
|
|
# docker-compose doesn't support this.
|
|
cmd = host.run("/usr/local/bin/docker-compose "
|
|
"-f /etc/haproxy-docker/docker-compose.yaml "
|
|
"ps haproxy-statsd")
|
|
assert ' Up ' in cmd.stdout
|
|
|
|
def test_haproxy_gitea_connection(host):
|
|
cmd = host.run('curl --resolve opendev.org:443:127.0.0.1 '
|
|
'https://opendev.org')
|
|
assert 'OpenDev: Free Software Needs Free Tools' in cmd.stdout
|
|
|
|
def test_more_than_haproxy_maxconn_conns(host):
|
|
'''Test we can handle more than haproxy maxconn limit for connections'''
|
|
# Perform more than 4000 (maxconn limit) requests.
|
|
cmd = host.run('bash -c "seq 1 4096 | xargs -IUNUSED -n 1 -P 0 '
|
|
'curl --resolve opendev.org:443:127.0.0.1 '
|
|
'https://opendev.org > /dev/null 2>&1"')
|
|
# Now make a request and ensure we get expected content back
|
|
cmd = host.run('curl --resolve opendev.org:443:127.0.0.1 '
|
|
'https://opendev.org')
|
|
assert 'OpenDev: Free Software Needs Free Tools' in cmd.stdout
|
|
|
|
def test_haproxy_stats(host):
|
|
cmd = host.run('echo "show servers state" | socat /var/lib/haproxy/run/stats stdio | '
|
|
'tail +3 | awk \'{print $2,$4,$6}\'')
|
|
|
|
assert 'balance_git_http gitea99.opendev.org 2' in cmd.stdout
|
|
assert 'balance_git_https gitea99.opendev.org 2' in cmd.stdout
|
|
|
|
def test_haproxy_logging(host):
|
|
# rsyslog is configured to add a unix socket at this path
|
|
assert host.file('/var/lib/haproxy/dev/log').is_socket
|
|
# Haproxy logs to syslog via the above socket which produces
|
|
# this logfile
|
|
assert host.file('/var/log/haproxy.log').is_file
|