Hi Miroslav, On Mon, Jun 07, 2021 at 04:55:21PM +0200, Miroslav Zagorac wrote: > From 4bbbe5fd3e66a37ec9703723ba22b742e7926a07 Mon Sep 17 00:00:00 2001 > From: Miroslav Zagorac <[email protected]> > Date: Mon, 7 Jun 2021 16:21:31 +0200 > Subject: [PATCH] BUG/MINOR: opentracing: fixed files existence check in chroot > mode > > If the 'chroot' keyword is used in the HAProxy configuration file, > HAProxy reports an error when initializing the OpenTracing API > library. > > The problem is that HAProxy also executes chdir("/") during chroot > process, so the paths written in the OpenTracing configuration are > no longer correct. > > This could be easily solved by writing the absolute path when using > the 'config' and 'plugin' keywords, but the problem remains that the > validity of these paths is also checked before the chroot process. > > To enable the use of the absolute path of the specified files after > the chroot process, the file existence check is moved from the > configuration parser to the ot_init() function (which is executed > after the chroot/chdir process). > > This may be a bit problematic because in this case the files from the > file system are retrieved in the HAProxy runtime. > > In fact, the only access to these files is achieved only once at the > beginning of the HAProxy process, in the initialization of threads. > After this initialization, no access to the file system is performed. > > This resolves GitHub issue #1274.
So I'm sorry but for me this is still only working around the problem. The problem is that a configuration file is read *after* chrooting, which cannot work. Here your solution seems to be to ask the users to move their files into the chroot, which contradicts the principle of using a chroot as a jail to isolate a process. In addition this means that the users will also need to keep sufficient privileges to access these files. I'd really want that we try to tackle the problem you've met when trying to correctly initialize that *before* the chroot, as this is the root cause of the problem, and adding pads on it will only make it worse for the long term, and harder to fix without annoying users again. Please try again to have a real initialization phase in the post_check or wherever suits you (we can even add another hook if you need a very special place, it's not a problem), but this thing needs to be initialized and to have its files loaded before chrooting. And if you still face any issue doing that, we can discuss it to figure how to address it, but I don't want us to paper over problems using methods that have short-term nor long-term implications on the users. And this one definitely has. Thanks, Willy
