Run HAProxy in a chroot jail

It's impossible to drop root for the HAProxy container.
But HAProxy provides a possibility to use a chroot jail.

When attaching to the HAProxy container, we see that
the root directory is changed:

    $ sudo docker exec -ti haproxy bash
    (haproxy)[root@operator /]# ls -di /
    259 /

Co-Authored-By: Vikram Hosakote <vhosakot@cisco.com>

Closes-Bug: #1552289

Change-Id: I9d55e9b741b8560cac53dc8b837a24a3029a4dc0
Michal Rostecki 2015-11-13 08:28:29 +01:00 committed by Michal Rostecki
parent bde5e732d5
commit a5c1aa0b81
2 changed files with 7 additions and 0 deletions


@ -1,5 +1,8 @@
{% set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external | bool else '' %} {% set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external | bool else '' %}
global global
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon daemon
log /var/lib/kolla/heka/log local0 log /var/lib/kolla/heka/log local0
maxconn 4000 maxconn 4000
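
Review bot: The `log /var/lib/kolla/heka/log local0` line that stays in the global section points at a socket outside the new `chroot /var/lib/haproxy`, and HAProxy's documentation asks that a UNIX log socket path be accessible inside the chroot. Please confirm that logging still works once the daemon has chrooted, or place the socket under the jail. Separately, the added `user haproxy` and `group haproxy` lines do drop privileges, while the commit message says dropping root is impossible; the message and the config should be reconciled.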


@ -15,6 +15,10 @@ RUN apt-get install -y --no-install-recommends \
{% endif %} {% endif %}
RUN usermod -a -G kolla haproxy \
&& mkdir -p /var/lib/kolla/haproxy \
&& chown -R haproxy: /var/lib /run
COPY ensure_latest_config.sh /usr/local/bin/kolla_ensure_haproxy_latest_config COPY ensure_latest_config.sh /usr/local/bin/kolla_ensure_haproxy_latest_config
RUN chmod 755 /usr/local/bin/kolla_ensure_haproxy_latest_config RUN chmod 755 /usr/local/bin/kolla_ensure_haproxy_latest_config
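
Review bot: `chown -R haproxy: /var/lib /run` is much broader than this change needs: it hands everything under /var/lib and /run to the haproxy user, including the jail directory /var/lib/haproxy that the config change in this commit chroots into. A chroot directory is best left owned by root and not writable by the jailed process, so limit the chown to the paths HAProxy must write, for example /var/lib/kolla/haproxy created on the line above, and add a comment saying why each path is needed.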