cannot find user id for 'haproxy' #6

kadishmal opened this Issue May 11, 2015 · 12 comments



kadishmal commented May 11, 2015

My config is as follows.

# Global settings
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #    local2.*                       /var/log/haproxy.log
    # Refer to [HTTP log format](
    # for more information on the format of the HAProxy log.
    log             local0
    chroot                    /var/lib/haproxy
    user                      haproxy
    group                     haproxy

Despite the fact that on lines 22 and 23 I have defined haproxy as a user, I get the following error:

haproxy_1 | [ALERT] 130/094703 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:22] : cannot find user id for 'haproxy' (0:Success)
haproxy_1 | [ALERT] 130/094703 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:23] : cannot find group id for 'haproxy' (0:Success)
haproxy_1 | [ALERT] 130/094703 (1) : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
haproxy_1 | [ALERT] 130/094703 (1) : Fatal errors found in configuration.

This is because the underlying container doesn't have the haproxy user created.

If I try to remove those settings from the configuration file, I still run into another problem:

haproxy_1 | [ALERT] 130/094534 (1) : [haproxy.main()] Cannot chroot(/var/lib/haproxy).

Ok. Found out the directory doesn't exist.

So, I support the Dockerfile for haproxy should create the user most commonly used by users.

For now I had to create my own Dockerfile based on this image and create system group and user, then create the directory manually.
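
The two failures in this report (an account named in the global section that the image lacks, and a chroot target that does not exist) can be caught before HAProxy starts, for instance as a build step in a child image. The script below is an added example, not part of the thread or of the image's own code; the function names and the sample root it builds are assumptions made for illustration.

```shell
#!/bin/sh
# Preflight for "cannot find user id" / "Cannot chroot" at HAProxy startup.

# Print the first argument of keyword $2 inside the global section of config $1.
# Section tracking matters: userlist sections also contain "user" lines.
global_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                      # drop comments
        $1 ~ /^(global|defaults|frontend|backend|listen|userlist|peers|resolvers|mailers)$/ {
            in_global = ($1 == "global"); next }
        in_global && $1 == key { print $2; exit }
    ' "$1"
}

# Succeed if $2 is the name field of some line in passwd/group-style file $1.
has_name() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# check_haproxy_ids CFG [ROOT]: print each problem, return how many were found.
# ROOT is the filesystem root to check against (empty means the running system).
check_haproxy_ids() {
    cfg=$1 root=${2:-} problems=0
    user=$(global_value "$cfg" user)
    group=$(global_value "$cfg" group)
    jail=$(global_value "$cfg" chroot)
    if [ -n "$user" ] && ! has_name "$root/etc/passwd" "$user"; then
        echo "user '$user' not in $root/etc/passwd"; problems=$((problems + 1))
    fi
    if [ -n "$group" ] && ! has_name "$root/etc/group" "$group"; then
        echo "group '$group' not in $root/etc/group"; problems=$((problems + 1))
    fi
    if [ -n "$jail" ] && [ ! -d "$root$jail" ]; then
        echo "chroot directory $root$jail does not exist"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: a root with no haproxy account and no /var/lib/haproxy.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc"
echo 'root:x:0:0:root:/root:/bin/bash' > "$demo_root/etc/passwd"
echo 'root:x:0:' > "$demo_root/etc/group"
printf 'global\n    chroot /var/lib/haproxy\n    user haproxy\n    group haproxy\n' \
    > "$demo_root/haproxy.cfg"
check_haproxy_ids "$demo_root/haproxy.cfg" "$demo_root" || echo "problems found: $?"
```

Inside a child image, calling `check_haproxy_ids /usr/local/etc/haproxy/haproxy.cfg` with no second argument checks the image's own `/etc/passwd`, `/etc/group` and directories.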



yosifkit commented May 11, 2015

Since the haproxy config is all user specified, you will need to create any users, groups, files, and directories that you require. If some of these are universal, I would be open to making it easier to use haproxy.



eranchetz commented May 13, 2015

@kadishmal, haproxy usually runs in chroot (a sandbox, something like a container).
I suggest you remove the following lines from your haproxy.cfg:
chroot /var/lib/haproxy
user haproxy
group haproxy

This will make haproxy run from root inside your container.

@yosifkit, I think it will be wise if you provide a basic haproxy.cfg.sample that works out of the box.



kadishmal commented May 13, 2015

I prefer keeping those configurations according to best practices of HAProxy. So went with creating a custom image from this base:

FROM haproxy:1.5.12

# Create a system group and user to be used by HAProxy.
RUN groupadd haproxy && useradd -g haproxy haproxy

# Need to create a directory for HAProxy to be able to `chroot`.
# This is a security measure.
# Refer to
RUN mkdir /var/lib/haproxy

# Now copy the configuration file applicable for NELO2.
COPY config/haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg


echernyavskiy commented May 13, 2015

Also created a haproxy-specific user and chroot directory in my Dockerfile. Had to override the CMD instruction per one of the comments on the docker registry page as well:

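FROM haproxy:1.5

# Account name used by the RUN step below. Its definition is missing from the
# post as captured; "haproxy" is assumed, as it is the name used in this thread.
ENV HAPROXY_USER=haproxy

# Create the system group and user, then the directory HAProxy will chroot into.
RUN groupadd --system ${HAPROXY_USER} && \
  useradd --system --gid ${HAPROXY_USER} ${HAPROXY_USER} && \
  mkdir --parents /var/lib/${HAPROXY_USER}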

COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg

CMD ["haproxy", "-db", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]


kadishmal commented May 14, 2015

@echernyavskiy your code is more neat. I will use it :). Thank you!



workmaster2n commented Jul 27, 2015

@echernyavskiy Why are you running it in debug mode?



jmkgreen commented Feb 18, 2016

Suggest this gets closed - Docker being more than just a chroot jail obviates the need for these haproxy-supplied recommendations AFAICT. Yields a smaller config file as a result.



Yajo commented Mar 2, 2016

What if you use HAProxy to set SSL certificates for an HTTPS site? Being debian, you should put them under /etc/ssl/private, which is only readable for root. Running haproxy inside its chroot and with its own user and group would add a layer of protection over cert stealth in case of 0day.

Given that, adding the haproxy user and group by default and creating /var/lib/haproxy seems still a good idea.

However you can add it always in the Dockerfile, so maybe it's better to KISS for when this is not your use case... What do you think?



tianon commented Aug 29, 2016

I agree that this is something users ought to do for themselves depending on their configuration needs and personal preferences. For the extra paranoid, it might even be possible to use --user/USER to ensure that the container doesn't even start as root. 👍

That being said, it's definitely worth documenting this better (

wglambert added the question label Apr 25, 2018

wglambert closed this May 2, 2018



wstrange commented Jun 5, 2018

It would be nice to be able to use this image without needing to create a child image using FROM.

If it came out of the box with an haproxy user, you can simply volume mount the haproxy.cfg

Perhaps consider reopening this?



wglambert commented Jun 5, 2018

You can have it set a user at inception through docker's --user. Certain port bindings are privileged however and when using a non-privileged user you'll need to pass --sysctl net.ipv4.ip_unprivileged_port_start=0 as arguments to docker moby/moby#8460 (comment)

You can also do it through haproxy.cfg itself with uid defined under the global section

Changes the process' user ID to . It is recommended that the user ID
is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
be started with superuser privileges in order to be able to switch to another
one. See also "gid" and "user".

Using docker's option is preferred as it allows for more encompassing functionality.



ChessSpider commented Jan 24, 2019

This works for me:

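FROM haproxy

# Account name used by the RUN step below. Its definition is missing from the
# post as captured; "haproxy" is assumed, matching the USER instruction further down.
ENV HAPROXY_USER=haproxy

# Create the system group and user with a fixed uid/gid, then the data directory.
RUN groupadd --gid 49971 --system ${HAPROXY_USER} && \
  useradd --system --uid 49971 --gid ${HAPROXY_USER} ${HAPROXY_USER} && \
  mkdir --parents /var/lib/${HAPROXY_USER}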

RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin  && rm -rf /var/lib/apt/lists/*
RUN setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy

USER haproxy

Just make sure all files used by haproxy also have uid 49971

(no chroot/uid/gid settings in haproxy.cfg)
