我正在使用haproxy 2.0.8。根据其配置上的许多文档,我了解以下几点:
1. haproxy chroots to a directory in order to decrease security priviledges. So starting haproxy as root should not create any issue.
2. When you don't give USER directive in your Dockerfile, the container starts as root but following the user & group directive in your haproxy config file, the process should downgrade to these user & group
已经说过,这是我的Dockerfile和haproxy的全局部分:
Dockerfile:
FROM haproxy:2.0.5
RUN groupadd -g 999 haproxy && useradd -g haproxy -u 999 haproxy
RUN mkdir /var/lib/haproxy && \
mkdir -p /etc/haproxy && \
chown -R haproxy:haproxy /etc/haproxy/ && \
chown -R haproxy:haproxy /usr/local/etc/haproxy/
VOLUME /etc/haproxy /usr/local/etc/haproxy/
Haproxy.cfg:
global
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 40000
gid 999
uid 999
user haproxy
group haproxy
daemon
log stdout local0 debug
tune.ssl.default-dh-param 2048
但是当我检查正在运行的容器的进程时,我得到haproxy是以root用户身份运行的:
/haproxy$ docker top 98d80a0f020b
UID PID PPID C STIME TTY TIME CMD
root 70699 70680 0 16:26 ? 00:00:00 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg
beat_ex+ 70780 70699 0 16:26 ? 00:00:00 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg
如果我执行到容器中,则主目录不是chroot“ / var / lib / haproxy”,而是“ /”。
我没有正确检查配置,还是haproxy无法正确使用我的配置? 如何检查haproxy是否将权限从root降级到haproxy用户?