From a5c1aa0b81db71fb2e293ad45c8dc920d07b8a20 Mon Sep 17 00:00:00 2001
From: Michal Rostecki
Date: Fri, 13 Nov 2015 08:28:29 +0100
Subject: [PATCH] Run HAProxy in a chroot jail

It's impossible to drop root for the HAProxy container. But HAProxy provides a possibility to use a chroot jail. When attaching to the HAProxy container, we see that the root directory is changed:

$ sudo docker exec -ti haproxy bash
(haproxy)[root@operator /]# ls -di /
259 /

Co-Authored-By: Vikram Hosakote
Closes-Bug: #1552289
Change-Id: I9d55e9b741b8560cac53dc8b837a24a3029a4dc0
---
 ansible/roles/haproxy/templates/haproxy.cfg.j2 | 3 +++
 docker/haproxy/Dockerfile.j2 | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2
index 72c52cab73..a6507ed20a 100644
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -1,5 +1,8 @@
 {% set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external | bool else '' %}
 global
+    chroot /var/lib/haproxy
+    user haproxy
+    group haproxy
     daemon
     log /var/lib/kolla/heka/log local0
     maxconn 4000
diff --git a/docker/haproxy/Dockerfile.j2 b/docker/haproxy/Dockerfile.j2
index d219696293..3d25277723 100644
--- a/docker/haproxy/Dockerfile.j2
+++ b/docker/haproxy/Dockerfile.j2
@@ -15,6 +15,10 @@ RUN apt-get install -y --no-install-recommends \
 {% endif %}
+RUN usermod -a -G kolla haproxy \
+    && mkdir -p /var/lib/kolla/haproxy \
+    && chown -R haproxy: /var/lib /run
+
 COPY ensure_latest_config.sh /usr/local/bin/kolla_ensure_haproxy_latest_config
 RUN chmod 755 /usr/local/bin/kolla_ensure_haproxy_latest_config
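Review bot: The new `chroot /var/lib/haproxy` directive in the `global` section sits a few lines above the unchanged `log /var/lib/kolla/heka/log local0`, which names a UNIX socket by absolute path; HAProxy sends to that socket after it has chrooted, so the path is presumably resolved inside the jail (`/var/lib/haproxy/var/lib/kolla/heka/log`), the Heka socket is no longer reachable and logging fails silently — the socket needs to be exposed under `/var/lib/haproxy` (a bind mount into the jail) or the `log` target switched to a network syslog address. The chroot directory itself should exist, be empty, and be owned by root and not writable by the `haproxy` user for the confinement to hold; the Dockerfile hunk in this same patch runs `chown -R haproxy: /var/lib`, which makes `/var/lib/haproxy` writable by the unprivileged user, so I would follow it with `&& chown root:root /var/lib/haproxy && chmod 755 /var/lib/haproxy`. A comment above the directive, `# chroot: every path below (log socket, files) is resolved relative to /var/lib/haproxy once privileges are dropped`, would keep the next editor of this template from adding another host path that the jailed process cannot reach.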