Chroot resulting in 503

bwmetcalf · July 25, 2016, 8:31pm

I’m attempting to chroot our haproxy setup running as root, but when doing so I only get 503s when hitting our frontend. Nothing is showing up in the logs to indicate what might be wrong. The relevant parts of my config look like

global
  tune.ssl.default-dh-param 2048
  tune.ssl.cachesize 50000
  pidfile /var/run/haproxy/haproxy.pid
  chroot /var/haproxy
  log 127.0.0.1 local1
frontend ft_foo_ssl
  mode http
  bind *:80
  bind *:443 ssl crt /etc/haproxy/my.pem ciphers AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK no-sslv3 no-tls-tickets
  http-request set-log-level silent
  maxconn 100000
  redirect scheme https code 301 if !{ ssl_fc }
  default_backend bk_foo_ssl
backend bk_foo_ssl
  mode http
  server ft_foo_sock unix@/var/run/haproxy/ft_foo.sock send-proxy-v2
frontend ft_foo
  mode http
  bind unix@/var/run/haproxy/ft_foo.sock accept-proxy
  maxconn 100000
  use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/foo.map)]

If I remove the chroot, everything works fine.

Baptiste · July 26, 2016, 3:40pm

bwmetcalf
July 25

I’m attempting to chroot our haproxy setup running as root, but when
doing so I only get 503s when hitting our frontend. Nothing is showing up
in the logs to indicate what might be wrong. The relevant parts of my
config look like

global tune.ssl.default-dh-param 2048 tune.ssl.cachesize 50000 pidfile
/var/run/haproxy/haproxy.pid chroot /var/haproxy log 127.0.0.1 local1
frontend ft_foo_ssl mode http bind *:80 bind *:443 ssl crt
/etc/haproxy/my.pem ciphers
AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK
no-sslv3 no-tls-tickets http-request set-log-level silent maxconn 100000
redirect scheme https code 301 if !{ ssl_fc } default_backend bk_foo_ssl
backend bk_foo_ssl mode http server ft_foo_sock
unix@/var/run/haproxy/ft_foo.sock
send-proxy-v2 frontend ft_foo mode http bind unix@/var/run/haproxy/ft_foo.sock
accept-proxy maxconn 100000 use_backend
%[req.hdr(host),lower,map_dom(/etc/haproxy/foo.map)]

If I remove the chroot, everything works fine.

Hi,

The bind is performed before chrooting and the server use it after.
To make it work, the bind path must be absolute and points into the chroot
while the server one must be relative to the chroot.
Also check user/group permission.

Baptiste

bwmetcalf · July 26, 2016, 6:03pm

Thank you so much. That was the problem and was immediately clear from the docs.

Topic		Replies	Views
Hitless operation with chroot Help!	3	576	July 15, 2019
Chroot, log, /dev/log, sendmsg logger failed, and a rabbit hole Help!	0	3299	February 25, 2022
External-check with chroot not working Help!	3	3803	May 8, 2020
Trying to run haproxy as non-root ... not working Help!	4	7466	June 10, 2019
External-check and chroot Help!	14	10222	May 25, 2023

Chroot resulting in 503

Related topics