haproxy only logs to /dev/log; this means all our access logs get mixed into syslog. This makes it impossible to pick out anything in syslog that might be interesting (and vice-versa, means you have to filter out things if analysing just the haproxy logs). It seems like the standard way to deal with this is to have rsyslogd listen on a separate socket, and then point haproxy to that. So this configures rsyslogd to create /var/run/dev/log and maps that into the container as /dev/log (i.e. we don't have to reconfigure the container at all). We then capture this socket's logs to /var/log/haproxy.log, and install rotation for it. Additionally we collect this log from our tests. Change-Id: I32948793df7fd9b990c948730349b24361a8f307
62 lines
2.2 KiB
Django/Jinja
```yaml
# Version 2 is the latest that is supported by docker-compose in
# Ubuntu Xenial.
version: '2'

services:
  haproxy:
    restart: always
    image: docker.io/library/haproxy:latest
    # NOTE(ianw) 2021-05-17 : haproxy >= 2.4 runs as a non-privileged
    # user. The main problem here is we use host networking, so the
    # haproxy user is not allowed to bind to low ports (80/443). The
    # secondary problem is permissions for on-disk files/sockets.
    #
    # As of this writing, non-host ipv6 networking is a big PITA. You
    # give docker a range in "fixed-cidr-v6"; the first problem is
    # figuring out your routable prefix in our heterogeneous environments
    # and getting the daemon set up. The second problem is making sure
    # that range actually passes packets. Insert hand-wavy things
    # that range from setting up routes, to NDP proxies, etc. Then we
    # have the problem that docker then assigns containers addresses
    # randomly out of that (no good for DNS) which requires more
    # setup.
    #
    # Now we could override security policies and set
    # /proc/sys/net/ipv4/ip_unprivileged_port_start to 0 to allow
    # anyone to bind to low ports. That doesn't seem right.
    #
    # ip6tables NAT is another option here, which is still
    # experimental in docker 20.10.6. In theory, this works well for
    # our use-case where unprivileged containers bind to high ports
    # and we just want packets that reach external 80/443/8125 ports
    # to get into their containers and out again.
    #
    # Until this is sorted, run as root
    user: "root:root"
    network_mode: host
    volumes:
      # rsyslogd owns the host side of this socket; the container sees
      # it as the ordinary /dev/log so haproxy needs no log config changes.
      - /var/haproxy/dev/log:/dev/log
      - /var/haproxy/etc:/usr/local/etc/haproxy:ro
      - /var/haproxy/run:/var/haproxy/run
    logging:
      driver: syslog
      options:
        tag: "docker-haproxy"

{% if haproxy_run_statsd %}
  haproxy-statsd:
    restart: always
    image: docker.io/opendevorg/haproxy-statsd:latest
    network_mode: host
    user: "1000:1000"
    volumes:
      - /var/haproxy/run:/var/haproxy/run
    environment:
      STATSD_HOST: graphite.opendev.org
      STATSD_PORT: 8125
    logging:
      driver: syslog
      options:
        tag: "docker-haproxy-statsd"
{% endif %}
```
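The compose file only shows the container side of the arrangement (the `/var/haproxy/dev/log:/dev/log` bind mount); the host side that the commit message describes, an rsyslogd input on a second socket, a dedicated output file and rotation, is not on this page. The script below is an added example written for this note, not code from the opendev system-config repository. The socket path `/var/haproxy/dev/log` and the output file `/var/log/haproxy.log` are taken from the page; the drop-in file names (`49-haproxy.conf`, `logrotate.d/haproxy`), the 30-day rotation policy, the `install_haproxy_logging` function and its install-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the project's own code): host-side rsyslog and logrotate
# setup for a haproxy container that bind-mounts /var/haproxy/dev/log as
# /dev/log.  File names, rotation policy and the prefix argument are assumed.
set -eu

install_haproxy_logging() {
    root="${1:-/}"                       # install prefix; "/" on a real host
    rsyslog_dir="$root/etc/rsyslog.d"
    logrotate_dir="$root/etc/logrotate.d"
    mkdir -p "$rsyslog_dir" "$logrotate_dir"

    # imuxsock is already loaded by the stock /etc/rsyslog.conf on Ubuntu;
    # loading it a second time from a drop-in is a configuration error, so
    # this file only adds an input and a ruleset.
    cat > "$rsyslog_dir/49-haproxy.conf" <<'EOF'
# Second syslog socket, bind-mounted into the haproxy container as /dev/log.
# CreatePath makes rsyslog create /var/haproxy/dev itself.  The socket must
# exist before the container starts: if the host path is missing, docker
# creates a directory there and haproxy has nothing to log to.
# RateLimit.Interval=0 turns off imuxsock rate limiting so a busy access
# log is not silently dropped, which matters when the log is evidence.
input(type="imuxsock"
      Socket="/var/haproxy/dev/log"
      CreatePath="on"
      RateLimit.Interval="0"
      ruleset="haproxy")

# Everything arriving on that socket is written to its own file and then
# discarded, so access log lines never reach /var/log/syslog and syslog
# noise never reaches the access log.
ruleset(name="haproxy") {
    action(type="omfile" file="/var/log/haproxy.log")
    stop
}
EOF

    # Rotation: rsyslog keeps the file open, so the postrotate hook must
    # make it reopen the file (Debian/Ubuntu ship rsyslog-rotate for this).
    cat > "$logrotate_dir/haproxy" <<'EOF'
/var/log/haproxy.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
EOF

    # rsyslog's own config check; only meaningful against the real tree.
    if [ "$root" = "/" ] && command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1
    fi
}
```

On a host this is run as `install_haproxy_logging /` followed by restarting rsyslog before the container is (re)started, so that the socket exists when docker resolves the bind mount. Binding a ruleset directly on an imuxsock input needs a reasonably recent rsyslog (8.17 or newer, by my reading of the imuxsock documentation); on older releases the same separation has to be done by filtering on `$syslogtag` in the default ruleset instead. Note that the compose file runs haproxy as root, so the socket's ownership is not an issue here; a container running as an unprivileged user would additionally need the socket to be writable by that uid.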