From 87a0a5c66c203b695194940d1c993509a868d3c7 Mon Sep 17 00:00:00 2001 From: Anton Date: Wed, 22 Jan 2025 18:02:08 +0200 Subject: [PATCH 1/2] HAproxy upgraded to 3.1, started from a debian bullseye image --- docker-compose.yml | 6 +- haproxy/Dockerfile | 107 ++++++++++++++++++++++++++++++++++- haproxy/Readme.md | 10 ++-- haproxy/docker-entrypoint.sh | 19 ++++++- haproxy/src/configure.py | 7 ++- 5 files changed, 135 insertions(+), 14 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 217ae58..1be2f1e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,7 +1,8 @@ version: "2" services: haproxy: - image: eeacms/haproxy + #image: eeacms/haproxy + image: h30 depends_on: - webapp ports: @@ -12,10 +13,11 @@ services: BACKENDS: "webapp" BACKENDS_PORT: "8080" DNS_ENABLED: "True" - HTTPCHK: "GET /" + HTTPCHK: "meth GET uri /" INTER: "5s" LOG_LEVEL: "info" webapp: image: eeacms/hello + scale: 4 environment: PORT: "8080" diff --git a/haproxy/Dockerfile b/haproxy/Dockerfile index 3f97c92..ce44781 100644 --- a/haproxy/Dockerfile +++ b/haproxy/Dockerfile 
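Review bot: `image: h30` in the first docker-compose.yml hunk is an unqualified name with no `build:` key beside it, so on a machine that has not built that tag locally Compose will try to pull `h30` from the default registry and run whatever is published under that name. It looks like a local test tag committed together with the commented-out `#image: eeacms/haproxy`. I would keep the published name and let Compose build it from the tree, `image: eeacms/haproxy` plus `build: ./haproxy`, and drop the commented line.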
@@ -1,6 +1,101 @@ -FROM haproxy:1.8.31-buster +FROM debian:bullseye-slim LABEL maintainer="EEA: IDM2 A-Team " +USER root +# runtime dependencies +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ +# @system-ca: https://github.com/docker-library/haproxy/pull/216 + ca-certificates \ + ; \ + rm -rf /var/lib/apt/lists/* + +# roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +RUN set -eux; \ + groupadd --gid 99 --system haproxy; \ + useradd \ + --gid haproxy \ + --home-dir /var/lib/haproxy \ + --no-create-home \ + --system \ + --uid 99 \ + haproxy \ + ; \ + mkdir /var/lib/haproxy; \ + chown haproxy:haproxy /var/lib/haproxy + +ENV HAPROXY_VERSION 3.1.2 +ENV HAPROXY_URL https://www.haproxy.org/download/3.1/src/haproxy-3.1.2.tar.gz +ENV HAPROXY_SHA256 af35dc8bf3193870b72276a63920974bef1405fc41038d545b86b641aa59f400 + +# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments +RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update && apt-get install -y --no-install-recommends \ + gcc \ + libc6-dev \ + liblua5.4-dev \ + libpcre2-dev \ + libssl-dev \ + make \ + wget \ + ; \ + rm -rf /var/lib/apt/lists/*; \ + \ + wget -O haproxy.tar.gz "$HAPROXY_URL"; \ + echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ + mkdir -p /usr/src/haproxy; \ + tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ + rm haproxy.tar.gz; \ + \ + makeOpts=' \ + TARGET=linux-glibc \ + USE_GETADDRINFO=1 \ + USE_LUA=1 LUA_INC=/usr/include/lua5.4 \ + USE_OPENSSL=1 \ + USE_PCRE2=1 USE_PCRE2_JIT=1 \ + USE_PROMEX=1 \ + \ + EXTRA_OBJS=" \ + " \ + '; \ +# https://salsa.debian.org/haproxy-team/haproxy/-/commit/53988af3d006ebcbf2c941e34121859fd6379c70 + dpkgArch="$(dpkg --print-architecture)"; \ + case "$dpkgArch" in \ + armel) makeOpts="$makeOpts ADDLIB=-latomic" ;; \ + esac; \ + \ + 
nproc="$(nproc)"; \ + eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts"; \ + eval "make -C /usr/src/haproxy install-bin $makeOpts"; \ + \ + mkdir -p /usr/local/etc/haproxy; \ + cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors; \ + rm -rf /usr/src/haproxy; \ + \ + apt-mark auto '.*' > /dev/null; \ + [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \ + find /usr/local -type f -executable -exec ldd '{}' ';' \ + | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); printf "*%s\n", so }' \ + | sort -u \ + | xargs -r dpkg-query --search \ + | cut -d: -f1 \ + | sort -u \ + | xargs -r apt-mark manual \ + ; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + \ +# smoke test + haproxy -v + +# https://www.haproxy.org/download/1.8/doc/management.txt +# "4. Stopping and restarting HAProxy" +# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed" +# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process" +STOPSIGNAL SIGUSR1 + RUN apt-get update \ && apt-get install -y --no-install-recommends \ ca-certificates \ @@ -15,10 +110,16 @@ RUN apt-get update \ && sed -i '/#$UDPServerRun/c\$UDPServerRun 514' /etc/rsyslog.conf \ && sed -i '/$UDPServerRun 514/a $UDPServerAddress 127.0.0.1' /etc/rsyslog.conf \ && sed -i '/cron.*/a local2.* \/proc\/1\/fd\/1' /etc/rsyslog.conf \ - && mv /usr/local/bin/docker-entrypoint.sh /usr/local/bin/haproxy-entrypoint.sh - + && sed -i '/^module(load="imklog")/s/^/#/' /etc/rsyslog.conf + COPY src/haproxy.cfg /tmp/ COPY src/configure.py src/track_hosts src/track_dns / + COPY docker-entrypoint.sh /usr/local/bin/ +ENTRYPOINT ["docker-entrypoint.sh"] + +# https://github.com/docker-library/haproxy/issues/200 +WORKDIR /var/lib/haproxy +CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"] 
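Review bot: No `USER` line follows the added `USER root` in the visible hunks, so the entrypoint, rsyslogd, cron and the haproxy master process all start as uid 0, and `USER root` itself is redundant on a debian base image. The uid-99 `haproxy` account created in the second `RUN` only takes effect if the generated configuration's `global` section sets `user haproxy` and `group haproxy`; that template is not part of this diff, so it is worth confirming. Once verified, I would replace `USER root` with a comment such as `# stays root for rsyslogd/cron; haproxy drops to uid 99 via "user haproxy" in the global section`. Separately, `FROM debian:bullseye-slim` is a floating tag; pinning it as `FROM debian:bullseye-slim@sha256:<digest>` would give the base the same integrity guarantee that `HAPROXY_SHA256` already gives the tarball.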
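Review bot: The added `sed -i '/^module(load="imklog")/s/^/#/' /etc/rsyslog.conf` has no comment saying why kernel logging is switched off, and sed exits 0 when the pattern matches nothing, so a changed rsyslog.conf layout would pass the build unnoticed. Presumably the reason is that rsyslogd cannot read the kernel log inside a container; if so, a line such as `# imklog cannot open /proc/kmsg in a container; disable it so rsyslogd starts cleanly` above the `RUN` would record that. The `RUN` instruction itself starts before this hunk.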
diff --git a/haproxy/Readme.md b/haproxy/Readme.md index 42ec8d4..0243642 100644 --- a/haproxy/Readme.md +++ b/haproxy/Readme.md @@ -3,16 +3,18 @@ This image is generic, thus you can obviously re-use it within your non-related EEA projects. - - Debian: **Buster** - - HAProxy: **1.8** + - Debian: **Bullseye** + - HAProxy: **2.9** - Expose: **5000** ### Supported tags and respective Dockerfile links - - `:latest` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/blob/master/haproxy/Dockerfile) - Debian: **Buster**, HAProxy: **1.8** + - `:latest` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/blob/master/haproxy/Dockerfile) - Debian: **bullseye**, HAProxy: **2.9** ### Stable and immutable tags + - `:2.9-1.1` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/tree/2.9-1.1/haproxy/Dockerfile) - HAProxy: **2.9.9** Release: **1.1** + - `:2.0-1.0` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/tree/2.0-1.0/haproxy/Dockerfile) - HAProxy: **2.0.31** Release: **1.0** - `:1.8-1.8` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/tree/1.8-1.8/haproxy/Dockerfile) - HAProxy: **1.8.31** Release: **1.8** - `:1.8-1.7` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/tree/1.8-1.7/haproxy/Dockerfile) - HAProxy: **1.8.30** Release: **1.7** - `:1.8-1.6` [*Dockerfile*](https://github.com/eea/eea.docker.haproxy/tree/1.8-1.6/haproxy/Dockerfile) - HAProxy: **1.8.29** Release: **1.6** 
@@ -150,7 +152,7 @@ either when running the container or in a `docker-compose.yml` file. * `TIMEOUT_CONNECT` the maximum time to wait for a connection attempt to a VPS to succeed. Default `5000` ms * `TIMEOUT_CLIENT` timeouts apply when the client is expected to acknowledge or send data during the TCP process. Default `50000` ms * `TIMEOUT_SERVER` timeouts apply when the server is expected to acknowledge or send data during the TCP process. Default `50000` ms - * `HTTPCHK` The HTTP method and uri used to check on the servers health - default `HEAD /` + * `HTTPCHK` The HTTP method and uri used to check on the servers health - default `meth GET uri /` * `HTTPCHK_HOST` Host Header override on http Health Check - default `localhost` * `INTER` parameter sets the interval between two consecutive health checks. If not specified, the default value is `2s` * `FAST_INTER` parameter sets the interval between two consecutive health checks when the server is any of the transition state (read above): UP - transitionally DOWN or DOWN - transitionally UP. If not set, then `INTER` is used. diff --git a/haproxy/docker-entrypoint.sh b/haproxy/docker-entrypoint.sh index 4d9f355..6d4692f 100755 --- a/haproxy/docker-entrypoint.sh +++ b/haproxy/docker-entrypoint.sh @@ -1,5 +1,20 @@ #!/bin/bash +set -e + +# first arg is `-f` or `--some-option` +if [ "${1#-}" != "$1" ]; then + set -- haproxy "$@" +fi + +if [ "$1" = 'haproxy' ]; then + shift # "haproxy" + # if the user wants "haproxy", let's add a couple useful flags + # -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2") + # -db -- disables background mode + set -- haproxy -W -db "$@" +fi + #fix variable _name to not have / if [ -n "$FRONTEND_NAME" ]; then export FRONTEND_NAME="${FRONTEND_NAME//\//}" @@ -67,10 +82,10 @@ fi #start logging -service rsyslog restart +rsyslogd #start crontab service cron restart -exec /usr/local/bin/haproxy-entrypoint.sh "$@" +exec "$@" 
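Review bot: Starting the logger with a bare `rsyslogd` in the second docker-entrypoint.sh hunk, combined with the `set -e` added in the first hunk, can keep the container from coming back after a `docker restart`. The pid file written on the first start survives in the container filesystem, rsyslogd may refuse to start when it finds it (depending on whether the recorded pid is in use again), and the non-zero exit would then abort the script before `exec "$@"`. The old `service rsyslog restart` went through the init script instead. I would clear the stale file first, `rm -f /run/rsyslogd.pid` followed by `rsyslogd`, assuming the default Debian pid-file path. The script continues outside both hunks, so whether other existing commands can now trip `set -e` is not visible here.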
diff --git a/haproxy/src/configure.py b/haproxy/src/configure.py index aec0c80..f17ab18 100644 --- a/haproxy/src/configure.py +++ b/haproxy/src/configure.py @@ -28,7 +28,7 @@ TIMEOUT_CONNECT = os.environ.get('TIMEOUT_CONNECT', '5000') TIMEOUT_CLIENT = os.environ.get('TIMEOUT_CLIENT', '50000') TIMEOUT_SERVER = os.environ.get('TIMEOUT_SERVER', '50000') -HTTPCHK = os.environ.get('HTTPCHK', 'HEAD /') +HTTPCHK = os.environ.get('HTTPCHK', 'meth GET uri /') HTTPCHK_HOST = os.environ.get('HTTPCHK_HOST', 'localhost') INTER = os.environ.get('INTER', '2s') FAST_INTER = os.environ.get('FAST_INTER', INTER) @@ -81,10 +81,11 @@ backend_type_http = Template(""" option forwardfor + option httpchk http-request set-header X-Forwarded-Port %[dst_port] http-request add-header X-Forwarded-Proto https if { ssl_fc } - option httpchk $httpchk HTTP/1.1\\r\\nHost:$httpchk_host -""") + http-check send $httpchk ver HTTP/1.1 hdr host $httpchk_host + """) backend_conf_plus = Template(""" server $name-$index $host:$port $cookies check From 7a8d69550b31827674e3a32312a7fabb19a411d5 Mon Sep 17 00:00:00 2001 From: anton16 Date: Thu, 23 Jan 2025 16:20:33 +0200 Subject: [PATCH 2/2] Update CHANGELOG.md --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e175e4d..3a02430 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Changelog +## 2025-01-16 (3.1-1.0) +- Upgrade HAproxy to 3.1.2 + ## 2023-03-09 (1.8-1.8) - Upgrade HAproxy to 1.8.31
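Review bot: The new template line `http-check send $httpchk ver HTTP/1.1 hdr host $httpchk_host` in the second configure.py hunk only parses when `HTTPCHK` is already in `meth <METHOD> uri <URI>` form, so a deployment that still sets the previously documented style, for example `HTTPCHK="HEAD /"`, would render a directive HAProxy is likely to reject at startup. The default changed in the first hunk covers only the unset case. I would accept the legacy two-word form and rewrite it right after the `os.environ.get` line, `_p = HTTPCHK.split()` then `if len(_p) == 2: HTTPCHK = 'meth %s uri %s' % tuple(_p)`, or else call out the breaking change in the changelog entry. `HTTPCHK_HOST` is substituted into the configuration as-is, so a comment noting that it must be a single token without whitespace or line breaks would also help.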