Run HAProxy in a chroot jail

It's impossible to drop root for the HAProxy container. But HAProxy provides a possibility to use a chroot jail. When attaching to the HAProxy container, we see that the root directory is changed: $ sudo docker exec -ti haproxy bash (haproxy)[root@operator /]# ls -di / 259 / Co-Authored-By: Vikram Hosakote <vhosakot@cisco.com> Closes-Bug: #1552289 Change-Id: I9d55e9b741b8560cac53dc8b837a24a3029a4dc0
2015-11-13 08:28:29 +01:00 · 2015-11-13 08:28:29 +01:00 · a5c1aa0b81
commit a5c1aa0b81
parent bde5e732d5
2 changed files with 7 additions and 0 deletions
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@ -1,5 +1,8 @@
 {% set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external | bool else '' %}
 global
+  chroot /var/lib/haproxy
+  user haproxy
+  group haproxy
  daemon
  log /var/lib/kolla/heka/log local0
  maxconn 4000
--- a/docker/haproxy/Dockerfile.j2
+++ b/docker/haproxy/Dockerfile.j2
@ -15,6 +15,10 @@ RUN apt-get install -y --no-install-recommends \

 {% endif %}

+RUN usermod -a -G kolla haproxy \
+    && mkdir -p /var/lib/kolla/haproxy \
+    && chown -R haproxy: /var/lib /run
+
 COPY ensure_latest_config.sh /usr/local/bin/kolla_ensure_haproxy_latest_config
 RUN chmod 755 /usr/local/bin/kolla_ensure_haproxy_latest_config