system-config/playbooks/roles/haproxy/templates/docker-compose.yaml.j2
Ian Wienand f97b9b8b8b haproxy: redirect logs to a separate file
haproxy only logs to /dev/log; this means all our access logs get
mixed into syslog.  This makes it impossible to pick out anything in
syslog that might be interesting (and vice-versa, means you have to
filter out things if analysing just the haproxy logs).

It seems like the standard way to deal with this is to have rsyslogd
listen on a separate socket, and then point haproxy to that.  So this
configures rsyslogd to create /var/run/dev/log and maps that into the
container as /dev/log (i.e. don't have to reconfigure the container at
all).

We then capture this sockets logs to /var/log/haproxy.log, and install
rotation for it.

Additionally we collect this log from our tests.

Change-Id: I32948793df7fd9b990c948730349b24361a8f307
2022-07-07 21:29:13 +10:00

62 lines
2.2 KiB
Django/Jinja

# Version 2 is the latest that is supported by docker-compose in
# Ubuntu Xenial.
version: '2'
services:
haproxy:
restart: always
image: docker.io/library/haproxy:latest
# NOTE(ianw) 2021-05-17 : haproxy >= 2.4 runs as a non-privileged
# user. The main problem here is we use host networking, so the
# haproxy user is not allowed to bind to low ports (80/443). The
# secondary problem permissions to disk files/socket.
#
# As of this writing, non-host ipv6 networking is a big PITA. You
# give docker a range in "fixed-cidr-v6"; the first problem is
# figuring out your routable prefix our hetrogenous environments
# and getting the daemon setup. The second problem is making sure
# that range actually passes packets. Insert hand-wavy things
# that range from setting up routes, to NDP proxies, etc. Then we
# have the problem that docker then assigns containers addresses
# randomly out of that (no good for DNS) which requires more
# setup.
#
# Now we could override security policies and set
# /proc/sys/net/ipv4/ip_unprivileged_port_start to 0 to allow
# anyone to bind to low ports. That doesn't seem right.
#
# ip6tables NAT is another option here, which is still
# experimental in docker 20.10.6. In theory, this works well for
# our use-case where unprivileged containers bind to high ports
# and we just want packets that reach external 80/443/8125 ports
# to get into their containers and out again.
#
# Until this is sorted, run as root
user: "root:root"
network_mode: host
volumes:
- /var/haproxy/dev/log:/dev/log
- /var/haproxy/etc:/usr/local/etc/haproxy:ro
- /var/haproxy/run:/var/haproxy/run
logging:
driver: syslog
options:
tag: "docker-haproxy"
{% if haproxy_run_statsd %}
haproxy-statsd:
restart: always
image: docker.io/opendevorg/haproxy-statsd:latest
network_mode: host
user: "1000:1000"
volumes:
- /var/haproxy/run:/var/haproxy/run
environment:
STATSD_HOST: graphite.opendev.org
STATSD_PORT: 8125
logging:
driver: syslog
options:
tag: "docker-haproxy-statsd"
{% endif %}