Chroot resulting in 503


#1

I’m attempting to chroot our haproxy setup running as root, but when doing so I only get 503s when hitting our frontend. Nothing is showing up in the logs to indicate what might be wrong. The relevant parts of my config look like

global
  tune.ssl.default-dh-param 2048
  tune.ssl.cachesize 50000
  pidfile /var/run/haproxy/haproxy.pid
  chroot /var/haproxy
  log 127.0.0.1 local1
frontend ft_foo_ssl
  mode http
  bind *:80
  bind *:443 ssl crt /etc/haproxy/my.pem ciphers AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK no-sslv3 no-tls-tickets
  http-request set-log-level silent
  maxconn 100000
  redirect scheme https code 301 if !{ ssl_fc }
  default_backend bk_foo_ssl
backend bk_foo_ssl
  mode http
  server ft_foo_sock unix@/var/run/haproxy/ft_foo.sock send-proxy-v2
frontend ft_foo
  mode http
  bind unix@/var/run/haproxy/ft_foo.sock accept-proxy
  maxconn 100000
  use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/foo.map)]

If I remove the chroot, everything works fine.


#2

bwmetcalf
July 25

> I’m attempting to chroot our haproxy setup running as root, but when
> doing so I only get 503s when hitting our frontend. Nothing is showing up
> in the logs to indicate what might be wrong. The relevant parts of my
> config look like
>
> global
>   tune.ssl.default-dh-param 2048
>   tune.ssl.cachesize 50000
>   pidfile /var/run/haproxy/haproxy.pid
>   chroot /var/haproxy
>   log 127.0.0.1 local1
> frontend ft_foo_ssl
>   mode http
>   bind *:80
>   bind *:443 ssl crt /etc/haproxy/my.pem ciphers AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK no-sslv3 no-tls-tickets
>   http-request set-log-level silent
>   maxconn 100000
>   redirect scheme https code 301 if !{ ssl_fc }
>   default_backend bk_foo_ssl
> backend bk_foo_ssl
>   mode http
>   server ft_foo_sock unix@/var/run/haproxy/ft_foo.sock send-proxy-v2
> frontend ft_foo
>   mode http
>   bind unix@/var/run/haproxy/ft_foo.sock accept-proxy
>   maxconn 100000
>   use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/foo.map)]
>
> If I remove the chroot, everything works fine.

Hi,

The bind is performed before chrooting and the server uses it after.
To make it work, the bind path must be absolute and point into the chroot,
while the server one must be relative to the chroot.
Also check user/group permission.

Baptiste
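The socket pairing Baptiste describes, written out as an added example (not config from the thread). It assumes the chroot stays at /var/haproxy and that the directory /var/haproxy/run/haproxy exists before start-up; the socket directory name is my choice.

```haproxy
global
  # Same chroot as the original config: the process root becomes /var/haproxy
  # once binds are done. The directory should be empty and not writable by
  # the haproxy user, so a compromised worker gains nothing from it.
  chroot /var/haproxy
  pidfile /var/run/haproxy/haproxy.pid
  log 127.0.0.1 local1

backend bk_foo_ssl
  mode http
  # Connections are opened after chroot(), so this path is resolved from
  # /var/haproxy: it reaches the real file /var/haproxy/run/haproxy/ft_foo.sock.
  server ft_foo_sock unix@/run/haproxy/ft_foo.sock send-proxy-v2

frontend ft_foo
  mode http
  # bind() runs before chroot(), so the path is absolute on the host and
  # must land inside the chroot directory, or the backend cannot reach it.
  bind unix@/var/haproxy/run/haproxy/ft_foo.sock accept-proxy
  maxconn 100000
  use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/foo.map)]
```

With `http-request set-log-level silent` on the public frontend, a failed connect to the socket never reaches the log; dropping that line while debugging makes the termination state of the 503s visible.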


#3

Thank you so much. That was the problem and was immediately clear from the docs.