External-check and chroot


Hey there,
we use haproxy to do load balancing and health check on our APIs. I’m trying to use the external-check feature on haproxy 1.7 with the chroot option. It won’t work and I don’t know why:

chroot /var/lib/haproxy
user haproxy
group haproxy

backend ABC
option external-check
external-check command /var/lib/haproxy/check.sh

The /var/lib/haproxy directory looks like:

├── bin
│ └── bash
├── check.sh
├── dev
│ └── log
└── text.txt

The check.sh script does something simple like:


echo "Here the args:"
echo $@  >> /text.txt
exit 0

When I take this configuration online haproxy is immediately assuming the APIs are offline.

Any ideas why that is so?


Considering that you are already in chroot (/var/lib/haproxy/), I assume the check command should just be the script:

external-check command /check.sh


Thanks for the message!

Yes, I also thought about that and tried it but the result is the same - haproxy does not execute the script and assumes the API is down.


You are also dropping privileges though.
Does the haproxy user have the executable privilege for the script and /var/lib/haproxy/bin/bash?

What does sudo -u haproxy /var/lib/haproxy/check.sh say?

If the privileges are also ok, you may want to run haproxy through strace.

Or better yet, try chroot --userspec=haproxy:haproxy /var/lib/haproxy /check.sh