haproxy ships an rsyslog configuration snippet:
$ cat /etc/rsyslog.d/49-haproxy.conf
# Create an additional socket in haproxy's chroot in order to allow logging via
# /dev/log to chroot'ed HAProxy processes
$AddUnixListenSocket /var/lib/haproxy/dev/log
# Send HAProxy messages to a dedicated logfile
:programname, startswith, "haproxy" {
/var/log/haproxy.log
stop
}
So rsyslog will open that socket, and indeed it does:
root@n-haproxy:~# fuser /var/lib/haproxy/dev/log
/var/lib/haproxy/dev/log: 2647
root@n-haproxy:~# ps fxaw|grep 2647
2707 pts/5 S+ 0:00 \_ grep --color=auto 2647
2647 ? Ssl 0:00 /usr/sbin/rsyslogd -n -iNONE
I straced haproxy while generating some traffic, and it looks like it chrooted
and then opened /dev/log, so it should be the one inside the chroot indeed:
3846 read(4, "global\n\tlog /dev/log\tlocal0\n\tlog"..., 4096) = 1504
3848 chroot("/var/lib/haproxy" <unfinished ...>
3848 <... chroot resumed>) = 0
3848 sendmsg(21, {msg_name={sa_family=AF_UNIX, sun_path="/dev/log"}, msg_namelen=110, msg_iov=[{iov_base="<134>", iov_len=5}, {iov_base="Jan 26 17:45:48 ", iov_len=16}, {iov_base="haproxy", iov_len=7}, {iov_base="[", iov_len=1}, {iov_base="3848", iov_len=4}, {iov_base="]", iov_len=1}, {iov_base=": ", iov_len=2}, {iov_base="127.0.0.1:42154 [26/Jan/2026:17:"..., iov_len=126}, {iov_base="\n", iov_len=1}], msg_iovlen=9, msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 163
Confirming chroot:
root 3614 0.0 0.1 96876 13056 ? Ss 17:39 0:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
haproxy 3616 0.0 0.9 360900 73388 ? Sl 17:39 0:00 \_ /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
root@n-haproxy:~# l /proc/3616/root
lrwxrwxrwx 1 root root 0 Jan 26 17:40 /proc/3616/root -> /var/lib/haproxy
The rsyslog apparmor profile also has an allow rule for chroots, like this:
/var/lib/*/dev/log rwl,
That matches /var/lib/haproxy/dev/log. So read is allowed.
Maybe the problem here is with the "disconnected path".
@David, could you please share your /etc/haproxy/haproxy.cfg file, and
/etc/apparmor.d/usr.sbin.rsyslogd?
Feel free to sanitize the haproxy config.
--
https://bugs.launchpad.net/bugs/2138647
Title:
haproxy stops logging after reload with permission denied error
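
Added example, not part of the original message and not AppArmor's own matcher: a simplified Python model of the AppArmor path globs `*`, `**` and `?`, used to check which socket names the rsyslog rule quoted above covers. The helper names are hypothetical, and the slash-less name `dev/log` is a constructed stand-in for how a disconnected path could be presented to the rule.

```python
import re

# Rule text as quoted in the message above.
RSYSLOG_RULE = "/var/lib/*/dev/log rwl,"


def aa_glob_to_regex(rule_path):
    """Translate a subset of AppArmor path globs into an anchored regex.

    Simplified model: '*' and '?' never cross '/', '**' may.
    Character classes and {a,b} alternation are not handled.
    """
    out = []
    i = 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out.append(".*")       # ** matches across directory separators
            i += 2
        elif rule_path[i] == "*":
            out.append("[^/]*")    # * stays inside one path component
            i += 1
        elif rule_path[i] == "?":
            out.append("[^/]")     # ? is one character, never '/'
            i += 1
        else:
            out.append(re.escape(rule_path[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def rule_allows(rule, name, wanted):
    """True if the rule's path glob matches name and grants every wanted perm."""
    path, perms = rule.rstrip(",").split()
    if aa_glob_to_regex(path).match(name) is None:
        return False
    return set(wanted) <= set(perms)


if __name__ == "__main__":
    # Constructed candidate names for the same socket.
    candidates = [
        "/var/lib/haproxy/dev/log",  # host-side name, as rsyslog opens it
        "/dev/log",                  # name haproxy uses inside its chroot
        "dev/log",                   # constructed: name without a leading slash
        "/var/lib/a/b/dev/log",      # extra directory level
    ]
    for name in candidates:
        print(f"{name!r:30} read allowed: {rule_allows(RSYSLOG_RULE, name, 'r')}")
```

Only the host-side name is covered by the rule; a name that does not begin with `/var/lib/<one component>/dev/log` falls outside it even though it refers to the same socket.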