The error when not running as root is expected. However, the fact it
does not work on boot, then works after is odd. Can you share a minimal
configuration file which exhibits this issue?
On 7/8/22 23:43, Henning Svane wrote:
Hi Vincent
And found out if I started the service manually with sudo it also worked
sudo service haproxy start
odin@haproxyxmail01:~$ systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor
preset: enabled)
Active: active (running) since Fri 2022-07-08 23:39:11 CEST; 5s ago
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Main PID: 1945 (haproxy)
Tasks: 17 (limit: 4578)
Memory: 22.0M
CPU: 945ms
CGroup: /system.slice/haproxy.service
├─1945 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p
/run/haproxy.pid -S /run/haproxy-master.sock
└─1947 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p
/run/haproxy.pid -S /run/haproxy-master.sock
sudo ls -l /run/haproxy.pid
-rw-r--r-- 1 root root 5 Jul 8 23:39 /run/haproxy.pid
Haproxy.pid will only be created if haproxy/haproxy.service has been started
with sudo, else it is missing
Regards
Henning
-----Original message-----
From: Henning Svane <[email protected]>
Sent: 8 July 2022 23:32
To: Vincent Bernat <[email protected]>
Cc: [email protected]
Subject: SV: SV: Config will not start on 2.6.1 on Ubuntu 22.04
Hi Vincent
I have now built 2 new Ubuntu 22.04 servers.
It looks like when the haproxy service is started under boot it does not have
permission to bind to interfaces.
If I start haproxy manually from the console with sudo it works, but not without
sudo; then it behaves like when haproxy.service is started under boot.
So my question is how to fix this, so the service is started with permission to
bind to interfaces?
I can see haproxy.service has these permissions
-rw-r--r-- 1 root root 1506 Jun 22 20:49 /lib/systemd/system/haproxy.service
Start of service under boot:
systemctl status haproxy.service
× haproxy.service - HAProxy Load Balancer
Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor
preset: enabled)
Active: failed (Result: exit-code) since Fri 2022-07-08 16:13:25 CEST;
1min 56s ago
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Process: 1069 ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE
$EXTRAOPTS (code=exited, status=1/FAILURE)
Main PID: 1069 (code=exited, status=1/FAILURE)
CPU: 209ms
Jul 08 16:13:25 haproxyxmail01 systemd[1]: haproxy.service: Main process exited, code=exited, status=1/FAILURE
Jul 08 16:13:25 haproxyxmail01 systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: Failed to start HAProxy Load Balancer.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: Stopped HAProxy Load Balancer.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: haproxy.service: Start request repeated too quickly.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: Failed to start HAProxy Load Balancer.
And if I try to run my configuration from the console without sudo it fails, and
with sudo it works (see below)
haproxy -d -f /etc/haproxy/haproxy.cfg
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use epoll.
Available filters :
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[ OT] opentracing
[SPOE] spoe
[TRACE] trace
Using epoll() as the polling mechanism.
[NOTICE] (1811) : haproxy version is 2.6.1-1ppa1~jammy
[NOTICE] (1811) : path to executable is /usr/sbin/haproxy
[ALERT] (1811) : Binding [/etc/haproxy/haproxy.cfg:85] for frontend
FrontEnd_Xmail_L7_IPv4: cannot bind socket (Permission denied) for
[xx.xx.58.10:80]
[ALERT] (1811) : Binding [/etc/haproxy/haproxy.cfg:86] for frontend
FrontEnd_Xmail_L7_IPv4: cannot bind socket (Permission denied) for
[xx.xx.58.10:443]
...
[ALERT] (1811) : [haproxy.main()] Some protocols failed to start their
listeners! Exiting.
sudo haproxy -d -f /etc/haproxy/haproxy.cfg
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use epoll.
Available filters :
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[ OT] opentracing
[SPOE] spoe
[TRACE] trace
Using epoll() as the polling mechanism.
[WARNING] (1794) : Health check for server HA_DAG_XMail_Autodiscover/XMailDB02
succeeded, reason: Layer7 check passed, code: 200, check duration: 36ms,
status: 3/3 UP.
[WARNING] (1794) : Health check for server HA_DAG_XMail_Autodiscover/XMailDB03
succeeded, reason: Layer7 check passed, code: 200, check duration: 34ms,
status: 3/3 UP.
[WARNING] (1794) : Health check for server HA_DAG_XMail_Autodiscover/XMailDB01
succeeded, reason: Layer7 check passed, code: 200, check duration: 46ms,
status: 3/3 UP.
-----Original message-----
From: Henning Svane
Sent: 6 July 2022 23:25
To: Vincent Bernat <[email protected]>
Subject: SV: SV: Config will not start on 2.6.1 on Ubuntu 22.04
Hi Vincent
Yes, I can build a new server. I use these steps:
#Upgrade installation
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
sudo reboot
sudo apt install snapd
sudo timedatectl set-timezone Europe/Copenhagen
#Change SSH timeout
sudo nano /etc/ssh/sshd_config
#Change values Timeout value = ClientAliveInterval * ClientAliveCountMax
ClientAliveInterval 60
ClientAliveCountMax 10
sudo systemctl reload sshd
#sudo snap install chrony-git
#sudo snap install keepalived --classic
#sudo add-apt-repository ppa:vbernat/haproxy-2.6
#sudo apt install --no-install-recommends software-properties-common
#sudo apt install haproxy=2.6.\*
As I use a redundant setup I copy the server as I am running them on VMware.
Then I rename the cloned server.
sudo hostnamectl set-hostname "NewName"
sudo nano /etc/hosts
sudo reboot
Regards
Henning
-----Original message-----
From: Vincent Bernat <[email protected]>
Sent: 6 July 2022 23:14
To: Henning Svane <[email protected]>; [email protected]
Subject: Re: SV: Config will not start on 2.6.1 on Ubuntu 22.04
Running apparmor is not a problem per se. It may be only if there is a profile
preventing HAProxy from executing something. Try journalctl -k --grep haproxy to
double-check.
As I am unable to reproduce on a freshly installed Ubuntu VM, can you try to
reproduce on a VM on your side?
On 7/6/22 23:05, Henning Svane wrote:
Hi Vincent
I have not installed apparmor myself, but I can see when I run
your suggested command (journalctl -k | grep haproxy)
it outputs everything, as my server name is haproxyxmail01, but I piped it to
a file and looked it over and can find no output from haproxy, but can
find many lines with apparmor.
I have not installed it and until you asked about it, I did not know
about apparmor.
I have searched for apparmor and can see it is installed and
enabled by default on Ubuntu
Security - AppArmor | Ubuntu
<https://ubuntu.com/server/docs/security-apparmor>
To your question “What do you mean by "under load"” I mean under boot
of the server.
So it must be part of the Ubuntu installation.
Here you can see the output from “journalctl -k | grep apparmor”
Jul 05 20:01:34 haproxymail01a kernel: evm: security.apparmor
Jul 05 20:01:35 haproxymail01a kernel: audit: type=1400
audit(1657044095.636:2): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="lsb_release" pid=741 comm="apparmor_parser"
Jul 05 20:01:35 haproxymail01a kernel: audit: type=1400
audit(1657044095.640:3): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="nvidia_modprobe" pid=742 comm="apparmor_parser"
Jul 05 20:01:35 haproxymail01a kernel: audit: type=1400
audit(1657044095.640:4): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="nvidia_modprobe//kmod" pid=742
comm="apparmor_parser"
Jul 05 20:01:35 haproxymail01a kernel: audit: type=1400
audit(1657044095.648:5): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="/usr/bin/man" pid=745 comm="apparmor_parser"
Jul 05 20:01:35 haproxymail01a kernel: audit: type=1400
audit(1657044095.648:6): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="man_filter" pid=745 comm="apparmor_parser"
Jul 05 20:01:35 haproxymail01a kernel: audit: type=1400
audit(1657044095.648:7): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="man_groff" pid=745 comm="apparmor_parser"
Jul 05 20:01:35 haproxymail01a kernel: audit: type=1400
audit(1657044095.660:8): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="tcpdump" pid=746 comm="apparmor_parser"
Jul 05 20:01:35 haproxymail01a kernel: audit: type=1400
audit(1657044095.660:9): apparmor="STATUS" operation="profile_load"
profile="unconfined"
name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=744
comm="apparmor_parser"
Jul 05 20:01:35 haproxymail01a kernel: audit: type=1400
audit(1657044095.660:10): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper"
pid=744 comm="apparmor_parser"
Jul 05 20:01:35 haproxymail01a kernel: audit: type=1400
audit(1657044095.660:11): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script"
pid=744 comm="apparmor_parser"
But when I run the same command on the old 20.04 I can see apparmor is
also enabled, and here haproxy works
sudo nano /etc/haproxy/haproxy.cfg
odin@HAProxy02:~$ journalctl -k | grep apparmor
Jul 05 20:54:09 HAProxy02 kernel: evm: security.apparmor
Jul 05 20:54:10 HAProxy02 kernel: audit: type=1400
audit(1657047250.732:2): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="nvidia_modprobe" pid=786 comm="apparmor_parser"
Jul 05 20:54:10 HAProxy02 kernel: audit: type=1400
audit(1657047250.732:3): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="nvidia_modprobe//kmod" pid=786
comm="apparmor_parser"
Jul 05 20:54:10 HAProxy02 kernel: audit: type=1400
audit(1657047250.744:4): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="/usr/sbin/tcpdump" pid=787 comm="apparmor_parser"
Jul 05 20:54:10 HAProxy02 kernel: audit: type=1400
audit(1657047250.752:5): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="/usr/bin/man" pid=790 comm="apparmor_parser"
Jul 05 20:54:10 HAProxy02 kernel: audit: type=1400
audit(1657047250.752:6): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="man_filter" pid=790 comm="apparmor_parser"
Jul 05 20:54:10 HAProxy02 kernel: audit: type=1400
audit(1657047250.752:7): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="man_groff" pid=790 comm="apparmor_parser"
Jul 05 20:54:10 HAProxy02 kernel: audit: type=1400
audit(1657047250.756:8): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=791
comm="apparmor_parser"
Jul 05 20:54:10 HAProxy02 kernel: audit: type=1400
audit(1657047250.756:9): apparmor="STATUS" operation="profile_load"
profile="unconfined"
name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper"
pid=791 comm="apparmor_parser"
Jul 05 20:54:10 HAProxy02 kernel: audit: type=1400
audit(1657047250.760:10): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="lsb_release" pid=792 comm="apparmor_parser"
Jul 05 20:54:10 HAProxy02 kernel: audit: type=1400
audit(1657047250.764:11): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="/usr/sbin/chronyd" pid=793 comm="apparmor_parser"
Regards
Henning
*From:* Vincent Bernat <[email protected]>
*Sent:* 6 July 2022 19:06
*To:* [email protected]
*Cc:* Henning Svane <[email protected]>
*Subject:* Re: Config will not start on 2.6.1 on Ubuntu 22.04
On 7/6/22 00:37, Henning Svane wrote:
I get under load of haproxy the following problems for all
frontends
What do you mean by "under load"?
Here are two of the errors
for frontend FrontEnd_Xmail_L7_IPv4: cannot bind socket (Permission
denied) for IPv4 number and port
and
for frontend GLOBAL: cannot bind UNIX socket (Permission denied)
[/run/haproxy/admin.sock]
global
    maxconn 8000
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
I have compared the folder permissions of /run/haproxy on Ubuntu 20.04.4
with Ubuntu 22.04 and the permissions look like this for both.
/run/haproxy/admin.sock has these permissions
drwxrwsr-x 2 haproxy haproxy 40 Jul 5 20:01 haproxy
I have tried your configuration on a freshly installed Ubuntu 22.04
and didn't run into any issue. Are you using apparmor? `journalctl -k
| grep haproxy` may give a hint if you have a profile for it (not
shipped by the package nor Ubuntu as far as I can see).
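
Added example, not part of the original thread: in the messages above, `journalctl -k | grep haproxy` matched every kernel line because the hostname contains "haproxy". The sketch below filters on the AppArmor audit fields instead, so only DENIED records whose profile or comm is haproxy are reported. The sample lines are constructed; the two DENIED records are hypothetical and modelled on the usual AppArmor audit format.

```python
import re

# key="value" or key=value pairs as they appear in kernel audit records
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_apparmor(line):
    """Return the audit fields of an AppArmor record, or None for other lines."""
    _, sep, payload = line.partition("audit: ")
    if not sep or "apparmor=" not in payload:
        return None
    fields = {}
    for key, raw, quoted in _FIELD.findall(payload):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def denials_for(lines, program="haproxy"):
    """AppArmor DENIED records attributed to `program`, ignoring the hostname."""
    hits = []
    for line in lines:
        rec = parse_apparmor(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        if program in rec.get("profile", "") or rec.get("comm") == program:
            hits.append(rec)
    return hits

def naive_grep(lines, word="haproxy"):
    """What `grep haproxy` does: substring match anywhere, hostname included."""
    return [l for l in lines if word in l]

# Constructed sample input (hostname deliberately contains "haproxy").
SAMPLE = [
    'Jul 05 20:01:34 haproxyxmail01 kernel: evm: security.apparmor',
    'Jul 05 20:01:35 haproxyxmail01 kernel: audit: type=1400 '
    'audit(1657044095.636:2): apparmor="STATUS" operation="profile_load" '
    'profile="unconfined" name="lsb_release" pid=741 comm="apparmor_parser"',
    'Jul 05 20:01:40 haproxyxmail01 kernel: audit: type=1400 '
    'audit(1657044100.100:12): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/haproxy" name="/etc/haproxy/haproxy.cfg" pid=1069 '
    'comm="haproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Jul 05 20:01:41 haproxyxmail01 kernel: audit: type=1400 '
    'audit(1657044101.200:13): apparmor="DENIED" operation="open" '
    'profile="tcpdump" name="/tmp/x.pcap" pid=1200 comm="tcpdump" '
    'requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    print(len(naive_grep(SAMPLE)), "lines match a plain grep")
    for rec in denials_for(SAMPLE):
        print(rec["operation"], rec["name"], rec["denied_mask"])
```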