Merge "Run HAProxy in a chroot jail"

2016-05-27 21:19:45 +00:00 · 2016-05-27 21:19:45 +00:00 · 162fa25829
commit 162fa25829
parent cd4602819c a5c1aa0b81
2 changed files with 7 additions and 0 deletions
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@ -1,5 +1,8 @@
 {% set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external | bool else '' %}
 global
+  chroot /var/lib/haproxy
+  user haproxy
+  group haproxy
  daemon
  log /var/lib/kolla/heka/log local0
  maxconn 4000
--- a/docker/haproxy/Dockerfile.j2
+++ b/docker/haproxy/Dockerfile.j2
@ -15,6 +15,10 @@ RUN apt-get -y install --no-install-recommends \

 {% endif %}

+RUN usermod -a -G kolla haproxy \
+    && mkdir -p /var/lib/kolla/haproxy \
+    && chown -R haproxy: /var/lib /run
+
 COPY ensure_latest_config.sh /usr/local/bin/kolla_ensure_haproxy_latest_config
 RUN chmod 755 /usr/local/bin/kolla_ensure_haproxy_latest_config