cannot find user id for 'haproxy' #6

Closed
kadishmal opened this Issue May 11, 2015 · 12 comments

kadishmal commented May 11, 2015

My config is as follows.

```
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    #1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    #2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    # Refer to [HTTP log format](http://cbonte.github.io/haproxy-dconv/configuration-1.4.html#8.2.3)
    # for more information on the format of the HAProxy log.
    log 127.0.0.1             local0
    chroot                    /var/lib/haproxy
    user                      haproxy
    group                     haproxy
```

Despite the fact that on lines 22 and 23 I have defined haproxy as a user, I get the following error:

```
haproxy_1 | [ALERT] 130/094703 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:22] : cannot find user id for 'haproxy' (0:Success)
haproxy_1 | [ALERT] 130/094703 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:23] : cannot find group id for 'haproxy' (0:Success)
haproxy_1 | [ALERT] 130/094703 (1) : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
haproxy_1 | [ALERT] 130/094703 (1) : Fatal errors found in configuration.
```

This is because the underlying container doesn't have the haproxy user created.

If I try to remove those settings from the configuration file, I still run into another problem:

```
haproxy_1 | [ALERT] 130/094534 (1) : [haproxy.main()] Cannot chroot(/var/lib/haproxy).
```

Ok. Found out the directory doesn't exist.

So, I suggest the Dockerfile for haproxy should create the user most commonly used by users.

For now I had to create my own Dockerfile based on this image, create a system group and user, then create the directory manually.
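A pre-flight check for the two failures described in this report (the `user`/`group` names not existing in the image, and the `chroot` directory not existing), written here as an added example; it is not part of the haproxy image or of any comment in this thread. It parses the `global` section of a haproxy.cfg with awk and verifies the named user and group against passwd/group files and the chroot path against a root directory. All four paths are parameters so the check can be pointed at an extracted image filesystem; the `/etc/passwd`, `/etc/group` and `/` in the usage comment are assumptions about where one would normally point it.

```shell
#!/bin/sh
# Added example (not from the haproxy image or this thread): detect the
# "cannot find user id" / "Cannot chroot" failures before haproxy aborts.
# Assumes POSIX sh, awk, cut and grep.

# haproxy_cfg_directive CFG NAME -> prints the first value of NAME inside
# the "global" section (section headers start at column 0, directives are
# indented), or nothing if the directive is not set there.
haproxy_cfg_directive() {
    awk -v name="$2" '
        /^[^[:space:]#]/ { in_global = ($1 == "global") }  # new section header
        in_global && $1 == name { print $2; exit }
    ' "$1"
}

# haproxy_preflight CFG PASSWD GROUP ROOTFS -> 0 if every user/group/chroot
# named in the global section exists, 1 otherwise (each problem is reported
# on stderr with the alert haproxy itself would print).
haproxy_preflight() {
    cfg=$1 passwd=$2 group=$3 rootfs=$4 rc=0
    u=$(haproxy_cfg_directive "$cfg" user)
    g=$(haproxy_cfg_directive "$cfg" group)
    c=$(haproxy_cfg_directive "$cfg" chroot)
    if [ -n "$u" ] && ! cut -d: -f1 "$passwd" | grep -qx -- "$u"; then
        echo "missing user '$u' (haproxy: cannot find user id for '$u')" >&2; rc=1
    fi
    if [ -n "$g" ] && ! cut -d: -f1 "$group" | grep -qx -- "$g"; then
        echo "missing group '$g' (haproxy: cannot find group id for '$g')" >&2; rc=1
    fi
    if [ -n "$c" ] && [ ! -d "$rootfs$c" ]; then
        echo "missing directory '$c' (haproxy: Cannot chroot($c))" >&2; rc=1
    fi
    return $rc
}

# Usage (assumed paths): haproxy_preflight /usr/local/etc/haproxy/haproxy.cfg /etc/passwd /etc/group /
if [ "$#" -eq 4 ]; then
    haproxy_preflight "$@" && echo "OK: user, group and chroot directory all present"
fi
```

Run it in the image (`docker run --rm -v "$PWD/haproxy.cfg:/cfg:ro" haproxy sh /preflight.sh /cfg /etc/passwd /etc/group /` is the assumed invocation) and the missing pieces are listed before the container ever restarts in a loop.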

yosifkit (Member) commented May 11, 2015

Since the haproxy config is all user specified, you will need to create any users, groups, files, and directories that you require. If some of these are universal, I would be open to making it easier to use haproxy.

eranchetz commented May 13, 2015

@kadishmal, haproxy usually runs in a chroot (a sandbox, something like a container).
I suggest you remove the following lines from your haproxy.cfg:

```
chroot /var/lib/haproxy
user haproxy
group haproxy
```

This will make haproxy run as root inside your container.

@yosifkit, I think it will be wise if you provide a basic haproxy.cfg.sample that works out of the box.

kadishmal (Author) commented May 13, 2015

I prefer keeping those configurations according to the best practices of HAProxy. So I went with creating a custom image from this base:

```dockerfile
FROM haproxy:1.5.12

# Create a system group and user to be used by HAProxy.
RUN groupadd haproxy && useradd -g haproxy haproxy

# Need to create a directory for HAProxy to be able to `chroot`.
# This is a security measure.
# Refer to http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#chroot.
RUN mkdir /var/lib/haproxy

# Now copy the configuration file applicable for NELO2.
COPY config/haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
```
echernyavskiy commented May 13, 2015

Also created a haproxy-specific user and chroot directory in my Dockerfile. Had to override the CMD instruction per one of the comments on the docker registry page as well:

```dockerfile
FROM haproxy:1.5

ENV HAPROXY_USER haproxy

RUN groupadd --system ${HAPROXY_USER} && \
  useradd --system --gid ${HAPROXY_USER} ${HAPROXY_USER} && \
  mkdir --parents /var/lib/${HAPROXY_USER} && \
  chown -R ${HAPROXY_USER}:${HAPROXY_USER} /var/lib/${HAPROXY_USER}

COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg

CMD ["haproxy", "-db", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]
```
kadishmal (Author) commented May 14, 2015

@echernyavskiy your code is more neat. I will use it :). Thank you!

workmaster2n commented Jul 27, 2015

@echernyavskiy Why are you running it in debug mode?

jmkgreen commented Feb 18, 2016

Suggest this gets closed - Docker being more than just a chroot jail obviates the need for these haproxy-supplied recommendations AFAICT. Yields a smaller config file as a result.

Yajo (Contributor) commented Mar 2, 2016

What if you use HAProxy to set SSL certificates for an HTTPS site? Being Debian, you should put them under /etc/ssl/private, which is only readable by root. Running haproxy inside its chroot and with its own user and group would add a layer of protection against cert theft in case of a 0-day.

Given that, adding the haproxy user and group by default and creating /var/lib/haproxy seems still a good idea.

However you can add it always in the Dockerfile, so maybe it's better to KISS for when this is not your use case... What do you think?

tianon (Member) commented Aug 29, 2016

I agree that this is something users ought to do for themselves depending on their configuration needs and personal preferences. For the extra paranoid, it might even be possible to use --user/USER to ensure that the container doesn't even start as root. 👍

That being said, it's definitely worth documenting this better (https://github.com/docker-library/docs/blob/59d1e7be752f98ec3cf9c1c3dfa714b042d7f71e/haproxy/content.md).

@wglambert wglambert added the question label Apr 25, 2018

@wglambert wglambert closed this May 2, 2018

wstrange commented Jun 5, 2018

It would be nice to be able to use this image without needing to create a child image using FROM.

If it came out of the box with a haproxy user, you could simply volume-mount the haproxy.cfg.

Perhaps consider reopening this?

wglambert commented Jun 5, 2018

You can have it set a user at inception through docker's --user. Certain port bindings are privileged, however, and when using a non-privileged user you'll need to pass --sysctl net.ipv4.ip_unprivileged_port_start=0 as an argument to docker: moby/moby#8460 (comment).

You can also do it through haproxy.cfg itself with uid defined under the global section https://www.haproxy.org/download/1.4/doc/configuration.txt

> uid <number>
> Changes the process' user ID to <number>. It is recommended that the user ID
> is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
> be started with superuser privileges in order to be able to switch to another
> one. See also "gid" and "user".

Using docker's option is preferred as it allows for more encompassing functionality.

ChessSpider commented Jan 24, 2019

This works for me:

```dockerfile
FROM haproxy

ENV HAPROXY_USER haproxy

# Fixed uid/gid so that files mounted from the host can be chowned to match.
RUN groupadd --gid 49971 --system ${HAPROXY_USER} && \
  useradd --system --uid 49971 --gid ${HAPROXY_USER} ${HAPROXY_USER} && \
  mkdir --parents /var/lib/${HAPROXY_USER} && \
  chown -R ${HAPROXY_USER}:${HAPROXY_USER} /var/lib/${HAPROXY_USER}

# cap_net_bind_service lets the non-root process bind ports below 1024
# without running as root (the base image is Debian-based, hence apt-get).
RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin && rm -rf /var/lib/apt/lists/*
RUN setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy

USER haproxy
```

Just make sure all files used by haproxy also have uid 49971

(no chroot/uid/gid settings in haproxy.cfg)
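Added example, not from the haproxy image or any commenter here: once the process runs as a fixed uid (49971 in the Dockerfile above), every file haproxy opens must be readable by that uid. That is ChessSpider's closing note, and it is also why a root-only /etc/ssl/private, as Yajo describes it, has to be re-owned before a non-root haproxy can load certificates from it. The two shell functions below list the certificate paths a haproxy.cfg references (`crt`, `ca-file` and `crl-file` options) and report every entry under the given paths that is not owned by the expected uid. They assume GNU or busybox `stat -c %u` and POSIX find/awk; the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the haproxy image or this thread): audit that the
# config, certificates and chroot directory are owned by the uid haproxy
# will run as. Assumes GNU/busybox "stat -c %u" and POSIX find/awk.

# haproxy_cfg_paths CFG -> prints the paths named by crt/ca-file/crl-file
# options anywhere in the config (comment lines are skipped).
haproxy_cfg_paths() {
    awk '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i < NF; i++)
              if ($i == "crt" || $i == "ca-file" || $i == "crl-file") print $(i + 1) }
    ' "$1"
}

# haproxy_owner_audit UID PATH... -> prints every entry under each PATH that
# is not owned by UID (directories are walked recursively); returns 0 only if
# every PATH exists and everything under it is owned by UID.
haproxy_owner_audit() {
    uid=$1; shift; bad=0
    for p; do
        if [ ! -e "$p" ]; then echo "missing: $p" >&2; bad=1; continue; fi
        out=$(find "$p" -exec sh -c '
            for f; do [ "$(stat -c %u "$f")" = "$0" ] || printf "%s\n" "$f"; done' "$uid" {} +)
        if [ -n "$out" ]; then printf '%s\n' "$out"; bad=1; fi
    done
    return $bad
}

# Usage (assumed paths):
#   cfg=/usr/local/etc/haproxy/haproxy.cfg
#   haproxy_owner_audit 49971 "$cfg" /var/lib/haproxy $(haproxy_cfg_paths "$cfg")
```

Anything the audit prints is a file the non-root haproxy will fail to open; `chown -R 49971 <path>` on the host side of the bind mount is the usual fix.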
