haproxy misconfiguration leads to missing logs

Bug #1350835 reported by Sergey Yudin
Affects: Fuel for OpenStack
Status: Fix Committed
Importance: High
Assigned to: Bogdan Dobrelya
Milestone:

Bug Description

Haproxy backends are configured to log http reqs and the haproxy logger is logging to /dev/log, but since haproxy is running in a chroot (not a namespace!), haproxy can't log into the system /dev/log.

Proposed solution:
remove the line
    chroot /var/lib/haproxy
from haproxy.cfg, since there are no obvious reasons to run haproxy in the chroot.

Changed in fuel:
importance: Undecided → Medium
assignee: nobody → Fuel Library Team (fuel-library)
milestone: none → 5.1
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Bogdan Dobrelya (bogdando)
importance: Medium → High
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/110996

Changed in fuel:
status: Triaged → In Progress
Dmitry Borodaenko (angdraug) wrote :

As commented on the review, I think a better solution is to expose /dev/log inside the chroot (e.g. bindmount /dev into it) instead of disabling a valuable security isolation measure.

Sergey Yudin (tsipa740) wrote :

Otherwise we have to deal with syslog to let them know about the new source, or use some hacky solution with symlinks or something. Also, the only reason to use chroot here that I heard was "it was enabled by default".

Dmitry Borodaenko (angdraug) wrote :

Well, chroot is supposed to be a security measure, but after some more reading on the topic, I'm ready to concede that it's really not, especially if the whole /dev/ is bindmounted into the jail.

Vladimir Kuklin (vkuklin) wrote :

We can symlink only /dev/log.

Sergey Yudin (tsipa740) wrote :

No, I don't think we can solve the issue with a symlink; it just will not work. The only _proper_ solution is to use another socket in the chroot and notify syslog about the new log source.
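
A check for the failure discussed in this thread, written as an added example (not code from the bug report or from fuel-library): it reads a haproxy.cfg and, when a chroot is set, reports every unix-socket log target that has no socket at the same path inside the jail. It uses lstat(), so a symlink left at that path is reported too, because an absolute symlink target is resolved against the chroot once the process is inside it. The sample configuration, the function names and the fs_root parameter are assumptions made for the example.

```python
import os
import stat

# Constructed sample: the chroot line is the one quoted in the report; the
# "log" lines are assumed typical settings, not copied from fuel-library.
SAMPLE_CFG = """\
global
    log /dev/log local0       # local syslog socket
    log 127.0.0.1:514 local1  # UDP target, not affected by the chroot
    chroot /var/lib/haproxy
defaults
    log global
"""

def parse_haproxy(cfg_text):
    """Return (chroot_dir_or_None, [unix-socket log targets])."""
    chroot, targets = None, []
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(words) < 2:
            continue
        if words[0] == "chroot":
            chroot = words[1]
        elif words[0] == "log" and words[1].startswith("/"):
            targets.append(words[1])
    return chroot, targets

def is_real_socket(path):
    """True only for a socket inode; lstat() so a symlink does not count."""
    try:
        return stat.S_ISSOCK(os.lstat(path).st_mode)
    except OSError:
        return False

def unreachable_log_sockets(cfg_text, fs_root="/"):
    """List (configured_path, path_on_host) pairs the chrooted process cannot
    reach. fs_root (hypothetical) lets the check run against a staged tree."""
    chroot, targets = parse_haproxy(cfg_text)
    if chroot is None:
        return []                              # no jail, system /dev/log is visible
    findings = []
    for target in targets:
        host_path = os.path.join(fs_root, chroot.lstrip("/"), target.lstrip("/"))
        if not is_real_socket(host_path):
            findings.append((target, host_path))
    return findings

if __name__ == "__main__":
    for target, host_path in unreachable_log_sockets(SAMPLE_CFG):
        print(f"log {target}: no socket at {host_path}; haproxy logs will be lost")
```
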

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/110996
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=9877025db8b5f90ca0ebeb342cdce5741bc1d943
Submitter: Jenkins
Branch: master

commit 9877025db8b5f90ca0ebeb342cdce5741bc1d943
Author: Bogdan Dobrelya <email address hidden>
Date: Thu Jul 31 18:33:28 2014 +0300

    Do not run haproxy in chroot

    Chroot prevents haproxy from logging into /dev/log
    and that is an issue. There is no need to run
    it in chroot as well.

    Closes-bug: #1350835

    Change-Id: Ib161fced734344815035b4ddfcf28bfda11a0cb7
    Signed-off-by: Bogdan Dobrelya <email address hidden>

Changed in fuel:
status: In Progress → Fix Committed