Re: SV: SV: Config will not start on 2.6.1 on Ubuntu 22.04

2022-07-08 Thread Vincent Bernat
The error when not running as root is expected. However, the fact it 
does not work on boot, then works after is odd. Can you share a minimal 
configuration file which exhibits this issue?


On 7/8/22 23:43, Henning Svane wrote:

Hi Vincent

And I found out that if I started the service manually with sudo it also worked:
sudo service haproxy start
odin@haproxyxmail01:~$ systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
     Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-07-08 23:39:11 CEST; 5s ago
       Docs: man:haproxy(1)
             file:/usr/share/doc/haproxy/configuration.txt.gz
   Main PID: 1945 (haproxy)
      Tasks: 17 (limit: 4578)
     Memory: 22.0M
        CPU: 945ms
     CGroup: /system.slice/haproxy.service
             ├─1945 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
             └─1947 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock


sudo ls -l /run/haproxy.pid
-rw-r--r-- 1 root root 5 Jul  8 23:39 /run/haproxy.pid

haproxy.pid will only be created if haproxy/haproxy.service has been started with sudo; otherwise it is missing.

Regards
Henning

-Original message-
From: Henning Svane 
Sent: 8 July 2022 23:32
To: Vincent Bernat 
Cc: haproxy@formilux.org
Subject: SV: SV: Config will not start on 2.6.1 on Ubuntu 22.04

Hi Vincent

I have now built 2 new Ubuntu 22.04 servers.

It looks like when the haproxy service is started during boot it does not have permission to bind to interfaces.
If I start haproxy manually from the console with sudo it works, but not without sudo; then it behaves like when haproxy.service is started during boot.
So my question is how to fix this, so that the service is started with permission to bind to interfaces.

I can see haproxy.service has these permissions
-rw-r--r-- 1 root root 1506 Jun 22 20:49 /lib/systemd/system/haproxy.service

Start of service under boot:
systemctl status haproxy.service
× haproxy.service - HAProxy Load Balancer
     Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2022-07-08 16:13:25 CEST; 1min 56s ago
       Docs: man:haproxy(1)
             file:/usr/share/doc/haproxy/configuration.txt.gz
    Process: 1069 ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=1/FAILURE)
   Main PID: 1069 (code=exited, status=1/FAILURE)
        CPU: 209ms

Jul 08 16:13:25 haproxyxmail01 systemd[1]: haproxy.service: Main process exited, code=exited, status=1/FAILURE
Jul 08 16:13:25 haproxyxmail01 systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: Failed to start HAProxy Load Balancer.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: Stopped HAProxy Load Balancer.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: haproxy.service: Start request repeated too quickly.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jul 08 16:13:25 haproxyxmail01 systemd[1]: Failed to start HAProxy Load Balancer.

And if I try to run my configuration from the console without sudo it fails, and with sudo it works (see below).

haproxy -d -f /etc/haproxy/haproxy.cfg
Available polling systems :
   epoll : pref=300,  test result OK
poll : pref=200,  test result OK
  select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.

Available filters :
 [CACHE] cache
 [COMP] compression
 [FCGI] fcgi-app
 [  OT] opentracing
 [SPOE] spoe
 [TRACE] trace
Using epoll() as the polling mechanism.
[NOTICE]   (1811) : haproxy version is 2.6.1-1ppa1~jammy
[NOTICE]   (1811) : path to executable is /usr/sbin/haproxy
[ALERT]    (1811) : Binding [/etc/haproxy/haproxy.cfg:85] for frontend FrontEnd_Xmail_L7_IPv4: cannot bind socket (Permission denied) for [xx.xx.58.10:80]
[ALERT]    (1811) : Binding [/etc/haproxy/haproxy.cfg:86] for frontend FrontEnd_Xmail_L7_IPv4: cannot bind socket (Permission denied) for [xx.xx.58.10:443]
...
[ALERT]    (1811) : [haproxy.main()] Some protocols failed to start their listeners! Exiting.


sudo haproxy -d -f /etc/haproxy/haproxy.cfg
Available polling systems :
   epoll : pref=300,  test result OK
poll : pref=200,  test result OK
  select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.

Available filters :
 [CACHE] cache
 [COMP] compression
 [FCGI] fcgi-app
 [  OT] opentracing
 [SPOE] spoe
 [TRACE] trace
Using epoll() as the polling mechanism.
[WARNING]  (1794) : Health check for server HA_DAG_XMail_Autodiscover/XMailDB02 succeeded, reason: Layer7 check passed, code: 200, check 
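A small diagnostic added here (not code from the thread or from HAProxy) that classifies bind alerts like the ones above: a "Permission denied" on a port below the privileged threshold is the expected non-root failure, while other reasons (address in use, for instance) are not a privilege problem. The sample log lines are constructed from the output in this thread; the threshold argument and the `/proc/sys` lookup are assumptions about a stock Linux host.

```shell
# Added example, not from the thread: classify HAProxy "cannot bind socket"
# alerts. A "Permission denied" on a port below the privileged threshold
# (1024 unless net.ipv4.ip_unprivileged_port_start was lowered) means the
# process lacked root or CAP_NET_BIND_SERVICE, the case Vincent calls expected.
# Sample lines are constructed from the thread's output.
SAMPLE_LOG='[ALERT]    (1811) : Binding [/etc/haproxy/haproxy.cfg:85] for frontend FrontEnd_Xmail_L7_IPv4: cannot bind socket (Permission denied) for [xx.xx.58.10:80]
[ALERT]    (1811) : Binding [/etc/haproxy/haproxy.cfg:86] for frontend FrontEnd_Xmail_L7_IPv4: cannot bind socket (Permission denied) for [xx.xx.58.10:443]
[ALERT]    (1811) : Binding [/etc/haproxy/haproxy.cfg:90] for frontend stats: cannot bind socket (Address already in use) for [127.0.0.1:8404]
[NOTICE]   (1811) : haproxy version is 2.6.1-1ppa1~jammy'

# Usage: classify_bind_failures "$log_text" [privileged_port_threshold]
# Prints one line per failed bind: cfg-location frontend address:port hint
classify_bind_failures() {
    printf '%s\n' "$1" |
    sed -n 's/^\[ALERT\] *([0-9]*) : Binding \[\([^]]*\)\] for frontend \([^:]*\): cannot bind socket (\([^)]*\)) for \[\(.*\):\([0-9]*\)\]$/\1|\2|\3|\4|\5/p' |
    awk -F'|' -v thr="${2:-1024}" '{
        if ($3 == "Permission denied" && $5 + 0 < thr + 0)
            hint = "needs root or CAP_NET_BIND_SERVICE"
        else
            hint = "not a port privilege issue (" $3 ")"
        printf "%s %s %s:%s %s\n", $1, $2, $4, $5, hint
    }'
}

# Report the privilege context a bind attempt runs under on this host:
# effective uid and the kernel's privileged-port threshold (assumed Linux).
bind_context() {
    thr=1024
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        thr=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start)
    fi
    printf 'uid=%s privileged ports are below %s\n' "$(id -u)" "$thr"
}

classify_bind_failures "$SAMPLE_LOG"
bind_context
```

Feed it the output of a short `haproxy -d -f cfg` run as the service user; `haproxy -c` only validates the config and never attempts the bind.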

Re: Thoughts on QUIC/HTTP3

2022-07-08 Thread Shawn Heisey

On 7/8/22 03:30, William Lallemand wrote:

HAProxy uses the ca-certificates provided by OpenSSL.
The SSL_CERT_DIR by default is set to the "certs" directory inside your
openssldir. You can check your openssldir by using the "openssl" binary
you compiled with your library (not the one of your distribution).

   $ openssl version -d
   OPENSSLDIR: "/usr/lib/ssl"

So you might want to set the SSL_CERT_DIR environment variable before
starting HAProxy or doing a symlink from your openssldir to the real
path of your ca-certificates ( /etc/ssl/certs ? )

This warning is emitted when trying to load the ca-certificates into the
httpclient at startup with an empty directory. (Which is not supposed to
happen on the openssl build of your distribution)



The openssl that haproxy is compiled against is in /opt/quictls/ssl ... 
but there is a distribution-provided openssl package in /usr/lib/ssl as 
well.  Both locations contain "certs".


Setting either environment variable that you have mentioned does not 
eliminate the warning.


root@bilbo:~# SSL_CERT_DIR=/opt/quictls/ssl/certs haproxy -c -f /etc/haproxy/haproxy.cfg

[NOTICE]   (2379692) : haproxy version is 2.6.1
[NOTICE]   (2379692) : path to executable is /usr/local/sbin/haproxy
[WARNING]  (2379692) : config : ca-file: 0 CA were loaded from '@system-ca'
Warnings were found.
Configuration file is valid
root@bilbo:~# OPENSSLDIR=/opt/quictls/ssl haproxy -c -f /etc/haproxy/haproxy.cfg

[NOTICE]   (2379701) : haproxy version is 2.6.1
[NOTICE]   (2379701) : path to executable is /usr/local/sbin/haproxy
[WARNING]  (2379701) : config : ca-file: 0 CA were loaded from '@system-ca'
Warnings were found.
Configuration file is valid

My setup has no need to verify certificates, so the warning doesn't 
actually matter for me.  But it could be a problem for someone else.


I did figure out the correct way to run the "version -d" command you 
mentioned on the quictls install:


elyograg@smeagol:~$ LD_LIBRARY_PATH=/opt/quictls/lib64 /opt/quictls/bin/openssl version -d

OPENSSLDIR: "/opt/quictls/ssl"

My install does quic/http3 correctly, so I know it is finding and using 
quictls.


Thanks,
Shawn




Re: Thoughts on QUIC/HTTP3

2022-07-08 Thread William Lallemand
On Thu, Jul 07, 2022 at 07:53:24AM -0600, Shawn Heisey wrote:
> On 7/6/22 09:50, Илья Шипицин wrote:
> > haproxy is built in CI against latest quictls, for example quictls-3.0.5
> >
> > https://github.com/haproxy/haproxy/runs/721404?check_suite_focus=true
> >
> > please open an issue on github with failure details, no known build 
> > failures so far
> 
> Shortly after I saw this message, I tried the build again.  My script 
> does "git pull" on the repo.  There were a bunch of updates to the 
> quictls repo, and now haproxy compiles and runs.
> 
> I am getting a new config warning, though:
> 
> elyograg@bilbo:/usr/local/src$ sudo haproxy -c -f /etc/haproxy/haproxy.cfg
> [NOTICE]   (2080586) : haproxy version is 2.6.1
> [NOTICE]   (2080586) : path to executable is /usr/local/sbin/haproxy
> [WARNING]  (2080586) : config : ca-file: 0 CA were loaded from '@system-ca'
> Warnings were found.
> Configuration file is valid
> 
 
HAProxy uses the ca-certificates provided by OpenSSL.
The SSL_CERT_DIR by default is set to the "certs" directory inside your
openssldir. You can check your openssldir by using the "openssl" binary
you compiled with your library (not the one of your distribution).

  $ openssl version -d
  OPENSSLDIR: "/usr/lib/ssl"

So you might want to set the SSL_CERT_DIR environment variable before
starting HAProxy or doing a symlink from your openssldir to the real
path of your ca-certificates ( /etc/ssl/certs ? )

This warning is emitted when trying to load the ca-certificates into the
httpclient at startup with an empty directory. (Which is not supposed to
happen on the openssl build of your distribution)

-- 
William Lallemand
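An added check, not code from the thread or from HAProxy, that turns William's advice above (and Shawn's `version -d` result) into a script: read OPENSSLDIR from the `openssl` binary the library was built with, then count what OpenSSL's default lookup could actually load from its certs directory (or from SSL_CERT_DIR), which is the empty-directory condition behind the "0 CA were loaded from '@system-ca'" warning. The sample `version -d` output is constructed from the thread; the function names and the hashed-link pattern are assumptions.

```shell
# Added example, not from the thread: is the certs directory that HAProxy's
# OpenSSL would use actually populated? Sample output is constructed from the
# thread's "openssl version -d" result for the quictls install.
SAMPLE_VERSION_D='OPENSSLDIR: "/opt/quictls/ssl"'

# Extract the directory from `openssl version -d` output.
openssldir_from_output() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Count what OpenSSL's default lookup can load from a certs directory:
# PEM/CRT files and c_rehash-style hashed links such as 4042bcee.0.
count_ca_certs() {
    n=0
    for f in "$1"/*.pem "$1"/*.crt \
             "$1"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Tie it together for a given openssl binary (the one HAProxy was linked
# against; for a quictls build set LD_LIBRARY_PATH first, as Shawn did).
# SSL_CERT_DIR overrides the default, as it does for OpenSSL itself.
# Returns non-zero when the directory has nothing loadable.
check_system_ca() {
    dir=$(openssldir_from_output "$("$1" version -d)")
    certs="${SSL_CERT_DIR:-$dir/certs}"
    n=$(count_ca_certs "$certs")
    echo "$certs: $n loadable CA entries"
    [ "$n" -gt 0 ]
}

# Example against the distribution binary; swap in the quictls path as needed.
check_system_ca openssl
```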