HAProxy community

How to run HAProxy with non-Root User

Hi,
We are able to run the HAProxy process via a non-root user, but the problem is that if we need to restart it, we have to do it via the “root” user only, which is not what we want. We are trying to have complete control over haproxy start/stop/debug.

We are working with the below config:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    # log         127.0.0.1 local2
    log         127.0.0.1  local0
    chroot      /etc/haproxy/lib/haproxy
    pidfile     /etc/haproxy/haproxy.pid
    maxconn     4000
    user        atul
    group       centos
    daemon

    # turn on stats unix socket
    stats socket /etc/haproxy/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    tcp
    log                     global
    option                  tcplog
    option                  dontlognull
    option                  http-server-close
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#---------------------------------------------------------------------

listen haproxy-monitoring
   bind *:1936
   mode  http
   stats enable
   stats hide-version
   #http-request set-path /projects/%[var(req.rewrite_project)]%[path] if { var(req.rewrite_project) -m found }

   stats realm Haproxy\ Statistics
   stats uri /
   stats auth atuluser:atulhaproxy

#---------------------------------------------------------------------




##=====================================================
##=====================================================
frontend 7962
    mode tcp
    bind *:7962
    acl p_7962 dst_port 7962
    use_backend port_config_7962 if p_7962
backend port_config_7962
    mode tcp
    balance roundrobin
    server vm_app 10.241.223.80:7962

After this, when we run the command as user “atuluser”, we get the below error:

$ haproxy -f /etc/haproxy/haproxy.cfg
[ALERT] 217/121314 (2112) : [haproxy.main()] Cannot chroot(/etc/haproxy/lib/haproxy).

Though, this folder does exist on the system.

I think that is a bad idea, because you will lower the overall security of your setup, but if you insist: chroot needs CAP_SYS_CHROOT, so you need to add that privilege to the users actually starting/restarting haproxy.
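To see in advance which directives in an haproxy.cfg will fail when the daemon is started by an unprivileged user, here is a small checker. It is an added example, not code from this thread or from the HAProxy project. It assumes standard haproxy.cfg syntax and checks only three things: a `chroot` in the global section (needs CAP_SYS_CHROOT, the error reported above), `bind` addresses on ports below 1024 (need CAP_NET_BIND_SERVICE), and `user`/`group` in the global section (setuid/setgid need CAP_SETUID/CAP_SETGID unless the process is already running as that uid/gid). The sample config it scans is constructed for the demonstration and is not the one posted above.

```shell
#!/bin/sh
# Added example, not from the HAProxy thread or the HAProxy project.
# Scans an haproxy.cfg for directives that need root or a Linux capability
# when "haproxy -f haproxy.cfg" is run by an unprivileged user.
# Assumption: the capability mapping below (chroot -> CAP_SYS_CHROOT,
# bind <1024 -> CAP_NET_BIND_SERVICE, user/group -> CAP_SETUID/CAP_SETGID)
# is what the corresponding syscalls require; ports >= 1024 are unprivileged.

# haproxy_priv_report CONFIG_FILE
# Prints one line per privileged directive: "<CAPABILITY> <directive> <argument>".
haproxy_priv_report() {
    awk '
        { sub(/#.*/, "") }                 # strip comments; changing $0 re-splits fields
        NF == 0 { next }
        $1 ~ /^(global|defaults|frontend|backend|listen|peers|resolvers|userlist)$/ {
            section = $1; next              # remember which section we are in
        }
        section == "global" && $1 == "chroot" { print "CAP_SYS_CHROOT", $1, $2 }
        section == "global" && $1 == "user"   { print "CAP_SETUID", $1, $2 }
        section == "global" && $1 == "group"  { print "CAP_SETGID", $1, $2 }
        $1 == "bind" {
            # first argument is a comma-separated address list, e.g. :80,[::]:80
            na = split($2, addrs, ",")
            for (a = 1; a <= na; a++) {
                np = split(addrs[a], parts, ":")
                port = parts[np]           # text after the last colon (handles [::]:80)
                if (port ~ /^[0-9]+(-[0-9]+)?$/) {   # plain port or port range
                    split(port, range, "-")
                    if (range[1] + 0 < 1024)
                        print "CAP_NET_BIND_SERVICE", $1, addrs[a]
                }
            }
        }
    ' "$1"
}

# haproxy_is_rootless CONFIG_FILE
# Exit status 0 when nothing privileged was found, 1 otherwise.
haproxy_is_rootless() {
    [ "$(haproxy_priv_report "$1" | grep -c .)" -eq 0 ]
}

# sample_config: writes a constructed config (not the thread's) to a temp file
# and prints its path. It mixes privileged and unprivileged directives.
sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not the config from the thread
global
    log         127.0.0.1 local0
    chroot      /var/lib/haproxy
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode tcp
    timeout connect 10s

listen stats
    bind *:1936
    mode http
    stats enable

frontend web
    bind :80,[::]:80
    bind 0.0.0.0:443 ssl crt /etc/haproxy/site.pem
    default_backend app

frontend app_tcp
    bind *:7962
    default_backend app

backend app
    server vm_app 10.0.0.10:7962
EOF
    echo "$f"
}

cfg=$(sample_config)
echo "Privileged directives in $cfg:"
haproxy_priv_report "$cfg"
if haproxy_is_rootless "$cfg"; then
    echo "can be started by an unprivileged user"
else
    echo "needs root or the capabilities listed above"
fi
rm -f "$cfg"
```

Run against the config posted above, only the `chroot` line is reported, which matches the `Cannot chroot(...)` alert: the stats port 1936 and the 7962 listener are both above 1024, and `user`/`group` are a no-op when the starting user already is that user. Dropping the `chroot` line is the change that lets the same user start and restart the daemon without any extra privilege; the alternative of granting CAP_SYS_CHROOT to the binary (for example with `setcap`) hands that capability to every user who can execute it, which is the lowering of security the reply above refers to.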

Oh, so we need the Linux admin team to grant the CAP_SYS_CHROOT permission to the user?
Is there a way we can start/stop with a non-root user without lowering the security?

Yes, and that doesn’t make a lot of sense.

Can you explain why do you want to start/stop without root in the first place?