I have built a custom monitor which HAProxy uses via agent checks.
The agent protocol is quite simple: HAProxy opens a TCP connection, sends something, waits for the response, and closes the connection. It would be neat if HAProxy could do the same over a Unix socket, i.e. let agent-addr accept unix@.
Are you aware of a way to do this? I didn’t find anything specific in the docs (v3.4) and current stable (v3.3.7) refuses the config (it cannot parse agent-addr unix@/run/my/socket).
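To make the exchange described in the post concrete, here is an added example (not code from the thread or from HAProxy) of a minimal agent-check responder on loopback, plus a probe that plays HAProxy's side: connect, read one newline-terminated line, close. The reply grammar it parses (a state keyword such as `up`/`down`/`drain`/`maint`, an optional `N%` weight, an optional `maxconn:N`) is HAProxy's documented agent-check format; the `decide_status` policy and the `load_fn` hook are constructed assumptions for illustration.

```python
import socket
import threading

# Constructed example: a tiny HAProxy-style agent-check responder and a probe
# that mimics HAProxy's check. Not HAProxy code; the load policy is assumed.

AGENT_STATES = {"up", "down", "stopped", "fail", "maint", "drain", "ready"}


def decide_status(load_pct: int) -> str:
    """Hypothetical policy: turn a local load percentage into one agent reply line.
    Above 95% load we ask HAProxy to drain (no new sessions, keep existing ones);
    otherwise we stay 'up' and scale the weight down as load rises."""
    if load_pct >= 95:
        return "drain\n"
    weight = max(1, 100 - load_pct)
    return f"up {weight}%\n"


def parse_agent_reply(line: str) -> dict:
    """Parse a reply the way HAProxy's agent-check does: whitespace-separated
    words, each a state keyword, an 'N%' weight, or 'maxconn:N'.
    Unknown words raise, which is the safe failure mode for a health signal."""
    result = {"state": None, "weight": None, "maxconn": None}
    for word in line.strip().split():
        lw = word.lower()
        if lw in AGENT_STATES:
            result["state"] = lw
        elif lw.endswith("%") and lw[:-1].isdigit():
            result["weight"] = int(lw[:-1])
        elif lw.startswith("maxconn:") and lw[len("maxconn:"):].isdigit():
            result["maxconn"] = int(lw[len("maxconn:"):])
        else:
            raise ValueError(f"unrecognised agent word: {word!r}")
    return result


class AgentServer:
    """Loopback TCP responder. `load_fn` is an assumed hook returning load in %.
    Binding to 127.0.0.1 keeps the agent off any non-loopback interface."""

    def __init__(self, load_fn, host="127.0.0.1", port=0):
        self.load_fn = load_fn
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(8)
        self.address = self.sock.getsockname()  # (host, chosen_port)
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        # Closing the listening socket makes accept() fail and ends the loop.
        self.sock.close()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                break
            with conn:
                # HAProxy may first send an optional agent-send string; this
                # agent does not depend on it and answers immediately with one
                # newline-terminated line, then lets the connection close.
                conn.sendall(decide_status(self.load_fn()).encode("ascii"))


def probe(address, timeout=2.0) -> str:
    """Act as HAProxy: open a TCP connection, read one line, close."""
    with socket.create_connection(address, timeout=timeout) as s:
        return s.makefile("r").readline()


if __name__ == "__main__":
    # Constructed run: load at 30% should yield 'up 70%'.
    server = AgentServer(lambda: 30).start()
    print(parse_agent_reply(probe(server.address)))
    server.stop()
```

The responder writes its line without waiting for input, which is what most agents do because HAProxy only sends data when agent-send is configured; an agent that blocks on a read would stall every check when nothing is sent.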
Not sure if you are talking about the agent protocol or the check the agent fulfills; in case it's the latter, you probably could have implemented this with haproxy itself, instead of externalizing.
It can also lead to lots of issues, as always with unix sockets: haproxy usually runs in chroot, so your admins need to understand the path configured in haproxy to access this socket is not a global path, but is within the chroot. The user/group haproxy runs with needs permissions to read and write to the socket.
Abstract namespace socket (ABNS) solves those issues, but that's not supported either and probably more complicated to support at the agent's end.
What specifically makes you want to use unix sockets over loopback?
You can file a feature request on github if you want; personally I'm not sure if this is worth the effort.
Some part of this question was probably driven by my inner neat freak: keep conntrack for user sessions only and try to avoid using loopbacks to minimize the attack surface (so my customers don’t accidentally create configs using the agents as servers).
Plus my HAProxy is running in a container, so the chroot question can be somewhat relaxed in this case.
That said, I noticed that there are multiple directives that already accept various address families (like unix@, config docs section 2.9.1). One of them is “server”, supporting unix, abns or even sockpair. So, if the feature did not exist yet, my hope was that at least the code supporting the address families syntax might be lurking just around the corner with little effort to wire it up in agent-checks.
I’ll head over to GitHub, let’s see what comes of it.