HAProxy community

External-check and chroot


#1

Hey there,
we use haproxy to do load balancing and health checks on our APIs. I’m trying to use the external-check feature on haproxy 1.7 with the chroot option. It won’t work and I don’t know why:

global
    chroot /var/lib/haproxy
    external-check
    user haproxy
    group haproxy

backend ABC
    option external-check
    external-check command /var/lib/haproxy/check.sh

The /var/lib/haproxy directory looks like:

.
├── bin
│ └── bash
├── check.sh
├── dev
│ └── log
└── text.txt

The check.sh script does something simple like:

#!/bin/bash

# Log the arguments haproxy passes to the check, then report success.
echo "Here the args:"
echo "$@" >> /text.txt
exit 0

When I take this configuration online, haproxy immediately assumes the APIs are offline.

Any ideas why that is so?


#2

Considering that you are already in chroot (/var/lib/haproxy/), I assume the check command should just be the script:

external-check command /check.sh


#3

Thanks for the message!

Yes, I also thought about that and tried it but the result is the same - haproxy does not execute the script and assumes the API is down.


#4

You are also dropping privileges though.
Does the haproxy user have the executable privilege for the script and /var/lib/haproxy/bin/bash?

What does sudo -u haproxy /var/lib/haproxy/check.sh say?

If the privileges are also ok, you may want to run haproxy through strace.

Or better yet, try chroot --userspec=haproxy:haproxy /var/lib/haproxy /check.sh


#5

I have the same issue. I have the following configuration:

global
    chroot /var/lib/haproxy
    external-check
    user haproxy
    group haproxy

backend TCP
    mode tcp
    option external-check
    external-check command /TCPCheck.sh

The file TCPCheck.sh is present in the /var/lib/haproxy directory.

Running the command sudo -u haproxy /var/lib/haproxy/TCPCheck.sh works properly.

What may be the issue?

Do I need to configure external-check path configuration?


#6

Do you have everything you need in chroot?

sudo chroot /var/lib/haproxy
./TCPCheck.sh

#7

Yes. I have the TCPCheck.sh file in the /var/lib/haproxy directory as /var/lib/haproxy/TCPCheck.sh


#8

My question was not whether the script is in there, but whether everything you need is in there, which probably includes at least bash or sh. That’s why you should actually try it with the commands above.
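
The checks suggested in #4 and #8 (execute permission on the script, and the interpreter plus its libraries being present inside the chroot) can be automated. The following is an added example, not part of the original thread or of HAProxy; the function name audit_chroot_check is hypothetical, and it tests permissions for whichever user runs it, so run it as the haproxy user (for example with sudo -u haproxy).

```shell
#!/bin/sh
# Added example: audit what a chrooted external-check script needs.
# Usage: audit_chroot_check CHROOT_DIR SCRIPT_PATH_INSIDE_CHROOT
# Prints one finding per line; returns 1 if anything is missing.
audit_chroot_check() {
    root=${1%/} script=$2 rc=0
    if [ ! -f "$root$script" ]; then
        echo "missing script: $script"; return 1
    fi
    [ -x "$root$script" ] || { echo "not executable: $script"; rc=1; }
    # The shebang interpreter is looked up inside the chroot, not on the host.
    first=$(head -n 1 "$root$script")
    case $first in
        '#!'*) interp=$(printf '%s\n' "${first#\#!}" | awk '{print $1}') ;;
        *)     interp=$script ;;   # no shebang: treat it as a binary run directly
    esac
    if [ ! -x "$root$interp" ]; then
        echo "missing interpreter: $interp"; return 1
    fi
    # Shared libraries and the dynamic loader must also exist under the chroot.
    # ldd can invoke the target's loader, so only use it on binaries you trust.
    command -v ldd >/dev/null 2>&1 || return "$rc"
    for lib in $(ldd "$root$interp" 2>/dev/null | grep -o '/[^ ]*'); do
        [ -e "$root$lib" ] || { echo "missing library: $lib"; rc=1; }
    done
    return "$rc"
}
```

With the layout from #1, audit_chroot_check /var/lib/haproxy /check.sh would list any library that bin/bash needs but that is absent from the chroot. Commands the script itself calls are not covered.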


#9

I have sh on /usr/bin/sh.

Do I need it in /var/lib/haproxy directory?

If yes, do I need to provide external-check path? Or can you suggest any other way?


#10

Test it.

It is impossible for me to know what may or may not be required.

Test it.


#11

I have added all the required libs in my chroot directory.

sudo chroot jail/ /check.sh runs properly. Still, I am getting External check error, code: 255.


#12

My service is running with chroot /var/lib/haproxy. I have confirmed that using ls -al /proc/pid/root.

Now I have usr/ bin/ lib/ sbin/ lib64/ in chroot.

I have used external-check command /bin/true, which also produces the error External check error, code: 255.

How can /bin/true be returning 255?