From 5548a2a5b854e8c9bb9da308e5f6aced074a9927 Mon Sep 17 00:00:00 2001
From: Rommel Pawar
Date: Wed, 9 Nov 2022 14:05:28 -0800
Subject: Configure AAI HA Proxy to distribute the load to multiple AAI service replicas. Added some useful tools for custom image of aai haproxy
Issue-ID: AAI-3588
Signed-off-by: Rommel Pawar
Change-Id: Ibab655238c915c83b8a5b4a29cd5a4c1a3f19a0b
---
 .../aai-haproxy-image/src/main/docker/Dockerfile | 19 +++++++++++++++----
 .../src/main/docker/docker-entrypoint.sh | 8 +++++---
 2 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile b/aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile
index 3e04c92c..1508abca 100644
--- a/aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile
+++ b/aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM haproxy:1.7.10-alpine
+FROM haproxy:2.4.13-alpine
 # For building the image in a proxy environment if necessary
 ARG HTTP_PROXY
@@ -9,14 +9,17 @@ ENV HTTPS_PROXY ${HTTPS_PROXY}
 ENV http_proxy ${HTTP_PROXY}
 ENV https_proxy ${HTTPS_PROXY}
+# Added to execute commands which required root permission
+USER root
+
 RUN apk add --no-cache \
 ca-certificates \
 curl \
+ bash \
+ socat \
 openssl \
 shadow \
 util-linux && \
- groupadd haproxy -g 1000 && \
- adduser -u 1000 -S -D -G haproxy -s /bin/bash haproxy && \
 chown -R haproxy:haproxy /usr/local/etc/haproxy
 RUN mkdir -p /etc/ssl/certs/ && mkdir -p /etc/ssl/private
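Review bot: In the `apk add` list of the `@@ -9,14 +9,17 @@` hunk, `shadow` stays installed although the `groupadd` call that appears to have needed it is removed, while `bash` and `socat` are added with no comment naming what uses them; on a network-facing proxy image every extra general-purpose tool is attack surface and patch burden. I would drop `shadow` and state the reason next to the new packages, e.g. `# socat: talk to the HAProxy admin socket; bash: needed by docker-entrypoint.sh`, if those are indeed their consumers. Removing `groupadd haproxy -g 1000` and `adduser -u 1000 ...` also means `chown -R haproxy:haproxy` now relies on the account shipped by the base image, whose UID/GID is not visible here and may not be 1000, so any `runAsUser`/`fsGroup` setting or volume ownership that assumed 1000 should be checked.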
@@ -26,7 +29,15 @@ COPY --chown=haproxy docker-entrypoint.sh /docker-entrypoint.sh
 COPY --chown=haproxy resolvers.conf /usr/local/etc/haproxy/resolvers.conf
 COPY --chown=haproxy haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
-RUN chmod +x /docker-entrypoint.sh
+# Changing group and group permission to allow haproxy user to execute sed comamnd ot change files
+RUN chgrp haproxy /usr/local/etc/haproxy; \
+ chgrp haproxy /docker-entrypoint.sh /usr/local/etc/haproxy/haproxy.cfg /usr/local/etc/haproxy/resolvers.conf
+
+RUN chmod +x /docker-entrypoint.sh; \
+ chmod g+wx /usr/local/etc/haproxy; \
+ chmod g+w /docker-entrypoint.sh /usr/local/etc/haproxy/haproxy.cfg /usr/local/etc/haproxy/resolvers.conf
+
+# Reverting to haproxy use to not run the pod with root permissions
 USER haproxy
 ENTRYPOINT [ "/docker-entrypoint.sh" ]
diff --git a/aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh b/aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh
index a56eea95..a8e521f1 100644
--- a/aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh
+++ b/aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh
@@ -14,9 +14,11 @@ sed -i 's/${ONAP_NAMESERVER_CLUSTER_IP}/'${NAMESERVER_IP}'/g' /usr/local/etc/hap
 }
 if [ "$1" = 'haproxy' ]; then
- # if the user wants "haproxy", let's use "haproxy-systemd-wrapper" instead so we can have proper reloadability implemented by upstream
- shift # "haproxy"
- set -- "$(which haproxy-systemd-wrapper)" -p /usr/local/etc/haproxy/haproxy.pid "$@"
+ shift # "haproxy"
+ # if the user wants "haproxy", let's add a couple useful flags
+ # -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
+ # -db -- disables background mode
+ set -- haproxy -W -db "$@"
 fi
 exec "$@"
-- cgit 1.2.3-korg
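Review bot: In the Dockerfile hunk at `@@ -26,7 +29,15 @@`, the new `chgrp haproxy` and `chmod g+w` lines include `/docker-entrypoint.sh`, which `COPY --chown=haproxy` already hands to the account the container runs as after `USER haproxy`, so a compromised proxy process can rewrite the script that executes at the next start of that container. The stated reason (letting `sed` change files) covers `haproxy.cfg` and `resolvers.conf` only; I would take the entrypoint out of both lists and lock it down, e.g. `chown root:root /docker-entrypoint.sh && chmod 0555 /docker-entrypoint.sh`. Both `RUN` instructions also chain their commands with `;`, so a failing `chgrp` or `chmod` does not fail the build and the image can ship with unintended permissions; `&&` would stop it. Longer term, having the entrypoint render the config into a separate writable runtime path instead of editing it in place would let `/usr/local/etc/haproxy` stay read-only to the runtime user.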