Haproxy rds lb in docker on centos running on hyper-v layer4 error

Quite a mouthful, but yeah, for a customer I recently did an implementation of HAProxy (free) to be used as an RDS load balancer and connection broker with stick tables based on the least amount of connections.

The technology stack was:
VMware ESXi
CentOS in Virtual Machine
Docker running in CentOS 8
HAProxy running in Docker with the following configuration:

#global
global
    ssl-server-verify none

#stats page
listen stats
    bind :9001
    mode http
    timeout client 6h
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth statsadmin:############
    stats admin if TRUE

#rdp configuration
frontend ft_rdp
    mode tcp
    bind 0.0.0.0:3389 name rdp
    timeout client 1h
    log global
    option tcplog
    tcp-request inspect-delay 2s
    tcp-request content accept if RDP_COOKIE
    default_backend bk_rdp

backend bk_rdp
    mode tcp
    balance leastconn
    persist rdp-cookie
    timeout server 1h
    timeout connect 4s
    log global
    option tcplog
    option tcp-check
    stick-table type string len 32 size 10k expire 12h
    stick on rdp_cookie(mstshash)
    tcp-check connect port 3389 ssl
    default-server inter 3s rise 2 fall 3
    server RDS01 192.168.1.10:3389 weight 10 check
    server RDS02 192.168.1.11:3389 weight 10 check

Now I'm running the exact same configuration in Hyper-V on a client's network, and now HAProxy is giving me errors stating the following:

[WARNING] 057/100915 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:35] : backend 'bk_rdp' : 'option tcplog' directive is ignored in backends.
[WARNING] 057/100915 (1) : config : log format ignored for frontend 'ft_rdp' since it has no log address.
[NOTICE] 057/100915 (1) : New worker #1 (6) forked
[WARNING] 057/100916 (6) : Server bk_rdp/RDS01 is DOWN, reason: Layer4 connection problem, info: "No route to host at step 1 of tcp-check (connect port 3389)", check duration: 1010ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 057/100917 (6) : Server bk_rdp/RDS02 is DOWN, reason: Layer4 connection problem, info: "No route to host at step 1 of tcp-check (connect port 3389)", check duration: 1026ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] 057/100917 (6) : backend 'bk_rdp' has no server available!

I've checked the VLAN the proxy and RDP servers are in; it's the same. Even more strange, from within CentOS I can perfectly resolve the machines and the domain without any further configuration.

My docker run command is: docker run --name=haproxyrds --restart=always -d -p 80:80 -p 443:443 -p 53:53 -p 3389:3389 -p 9001:9001 -v /etc/haproxy:/usr/local/etc/haproxy:ro haproxy:latest

I've added the ports 80, 443, and 53 to see if I could reach anything from inside the Docker container to the outside, following this article https://training.play-with-docker.com/docker-networking-hol/ which explains how to ping from inside a Docker container towards a computer outside the container; however, I'm not even able to retrieve and install the ping package inside the container, due to the fact it cannot resolve deb.debian.org and/or security.debian.org.

I'm running out of options to try (I'm suspecting Hyper-V to be the culprit). The only thing I can imagine trying is to run HAProxy natively on CentOS and not within Docker.

I'll answer my own question; never thought this was the culprit:

Add the docker service to be allowed to operate on CentOS' firewalld.

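As an added example (not from the post or from HAProxy), a small Python triage helper that parses server state-change lines like the ones above and maps the Layer4 "info" text to the likely cause; it goes beyond the post's case by also classifying refused and timed-out checks. The sample input is the two DOWN lines from the post plus one constructed line, and the hint texts are my reading of the errors.

```python
import re
from collections import namedtuple

# Server state-change lines as HAProxy writes them (quotes may be straight or curly).
CHECK_RE = re.compile(
    r'Server (?P<backend>[^/\s]+)/(?P<server>\S+) is (?P<state>UP|DOWN)'
    r'(?:, reason: (?P<reason>[^,]+))?'
    r'(?:, info: [“"](?P<info>[^”"]*)[”"])?')

# Layer4 "info" text -> likely cause. "No route to host" (EHOSTUNREACH) is what a
# client sees when a firewall REJECTs with icmp-host-prohibited, firewalld's default
# on CentOS, so on a shared VLAN it points at the proxy host's firewall, not routing.
L4_HINTS = [
    ("no route to host", "rejected by a host firewall (e.g. firewalld not allowing docker forwarding) or unrouted"),
    ("connection refused", "backend reachable but nothing listening on the port"),
    ("timeout", "packets silently dropped (firewall DROP, wrong VLAN, or overloaded backend)"),
]

CheckEvent = namedtuple("CheckEvent", "backend server state reason info hint")

def parse_check_line(line):
    """Parse one log line; return None for lines that are not server state changes."""
    m = CHECK_RE.search(line)
    if not m:
        return None
    info, hint = m.group("info"), None
    if m.group("state") == "DOWN" and info:
        hint = next((h for needle, h in L4_HINTS if needle in info.lower()), "unclassified check failure")
    return CheckEvent(m.group("backend"), m.group("server"), m.group("state"), m.group("reason"), info, hint)

def triage(lines):
    """Group DOWN events per backend; every server down with the same hint points at
    something in front of the backends (the proxy host), not at one server."""
    down = {}
    for ev in map(parse_check_line, lines):
        if ev and ev.state == "DOWN":
            down.setdefault(ev.backend, []).append(ev)
    return down

def common_hint(events):
    """Return the single hint shared by all events, or None if they disagree."""
    hints = {ev.hint for ev in events}
    return hints.pop() if len(hints) == 1 else None

# Constructed sample: the two DOWN lines from the post plus a made-up refused line.
SAMPLE_LOG = [
    '[NOTICE] 057/100915 (1) : New worker #1 (6) forked',
    '[WARNING] 057/100916 (6) : Server bk_rdp/RDS01 is DOWN, reason: Layer4 connection problem, info: "No route to host at step 1 of tcp-check (connect port 3389)", check duration: 1010ms.',
    '[WARNING] 057/100917 (6) : Server bk_rdp/RDS02 is DOWN, reason: Layer4 connection problem, info: "No route to host at step 1 of tcp-check (connect port 3389)", check duration: 1026ms.',
    '[WARNING] 057/100917 (6) : Server bk_other/APP01 is DOWN, reason: Layer4 connection problem, info: "Connection refused at step 1 of tcp-check (connect port 8080)", check duration: 3ms.',
]
```

Running `triage(SAMPLE_LOG)` groups both RDS servers under bk_rdp with the same firewall hint, which is the pattern to look for before touching the RDP hosts themselves.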