Re: external-check error ??

2016-06-09 Thread Holger Just
Hi Hugo

Hugo Delval wrote:
> global
> # [...]
> chroot /var/lib/haproxy
>
> # [...]
> 
> backend web-backend
> balance roundrobin
> option external-check
> external-check path "/usr/bin:/bin:/tmp"
> external-check command /bin/true
> server web1 127.0.0.1:80 check
> server web2 127.0.0.1:81 check


You are configuring HAProxy to drop into a chroot directly after start.
Thus, any scripts or external tools (including all its required
libraries and potentially device nodes) it runs have to be inside the
chroot directory. In your case, this is probably not the case.

Thus, you can either get rid of the chroot completely or move all your
dependencies into the chroot. The latter is probably a bit of a hassle
for more complex checks but might be more secure.

Good luck,
Holger
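
The check described in the reply above, sketched as an added example that is not part of the thread or of HAProxy itself: it reads the `chroot` and `external-check command` settings from a config file and lists the command and shared libraries that are absent from the chroot. The function names are hypothetical, and it only covers files reported by `ldd`; script interpreters and device nodes still have to be handled by hand.

```shell
#!/bin/sh
# Added example: list what an external-check command needs inside HAProxy's chroot.
# Function names are hypothetical; the config keywords are the ones used in the thread.

# Print the chroot directory from the config (empty output if none is set).
cfg_chroot() {
    awk '$1 == "chroot" { print $2; exit }' "$1"
}

# Print every "external-check command" path found in the config.
cfg_check_commands() {
    awk '$1 == "external-check" && $2 == "command" { print $3 }' "$1"
}

# Print the command itself plus the absolute paths of the libraries it loads.
# Only run ldd on binaries you trust: it may execute code from the file.
check_deps() {
    printf '%s\n' "$1"
    { ldd "$1" 2>/dev/null || true; } |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Print each dependency of command $2 that does not exist under chroot $1.
missing_in_chroot() {
    check_deps "$2" | sort -u | while read -r p; do
        [ -e "$1$p" ] || printf '%s\n' "$p"
    done
}

# Copy the missing files into the chroot, following symlinks.
populate_chroot() {
    missing_in_chroot "$1" "$2" | while read -r p; do
        mkdir -p "$1$(dirname "$p")" && cp -L "$p" "$1$p"
    done
}

# When given a config file, report what each check command lacks in the chroot.
if [ -n "${1:-}" ]; then
    jail=$(cfg_chroot "$1")
    for cmd in $(cfg_check_commands "$1"); do
        missing_in_chroot "$jail" "$cmd" | sed "s|^|missing in $jail: |"
    done
fi
```

Every file copied this way becomes reachable by the chrooted process, so keep the set as small as the check allows.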



external-check error ??

2016-06-09 Thread Hugo Delval
Hi everyone,

I'm quite new to HAProxy and I have a weird behavior with external check.

Here is my config file:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    external-check

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client  5
    timeout server  5
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

backend web-backend
    balance roundrobin
    option external-check
    external-check path "/usr/bin:/bin:/tmp"
    external-check command /bin/true
    server web1 127.0.0.1:80 check
    server web2 127.0.0.1:81 check

frontend http
    bind *:82
    mode http

    default_backend web-backend


And yet I get a 503 and in my logs I got this:

...: Server web-backend/web1 is DOWN, reason: External check error, code: 255, check duration: 5ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
...: Server web-backend/web1 is DOWN, reason: External check error, code: 255, check duration: 5ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
...: Server web-backend/web2 is DOWN, reason: External check error, code: 255, check duration: 1ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
...: Server web-backend/web2 is DOWN, reason: External check error, code: 255, check duration: 1ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
...: backend web-backend has no server available!
...: backend web-backend has no server available!

How could the check */bin/true* fail and return 255?

I'm running the latest stable version (1.6.5).
If someone has an idea of what I'm doing wrong, please heelp! ^^

Bye,
Hugo DELVAL