balena-io / open-balena

Open source software to manage connected IoT devices at scale
https://balena.io/open
GNU Affero General Public License v3.0

haproxy:2.9-alpine can not build #189

Closed aslansutu closed 3 months ago

aslansutu commented 4 months ago

Hello all,

Starting from a fresh install and build, I am unable to build the Docker containers. Here is a partial output of ./scripts/compose up -d:

.
.
.
Building haproxy
Step 1/6 : FROM haproxy:2.9-alpine
2.9-alpine: Pulling from library/haproxy
4abcf2066143: Already exists
eba3dc9911ac: Pull complete
ee9248e96ac2: Pull complete
f0686b8cb114: Pull complete
a875960eff6b: Pull complete
4f4fb700ef54: Pull complete
Digest: sha256:109bc4b43c6705762257a5f7a3ab07894304fd1e68a3a7127e4af7fb51494ae3
Status: Downloaded newer image for haproxy:2.9-alpine
 ---> 507cf331789f
Step 2/6 : VOLUME [ "/certs" ]
 ---> Running in a9c609dcbf96
Removing intermediate container a9c609dcbf96
 ---> a9e14165fca3
Step 3/6 : RUN apk add --update inotify-tools
 ---> Running in 4b2942d8e332
ERROR: Unable to lock database: Permission denied
ERROR: Failed to open apk database: Permission denied
ERROR: Service 'haproxy' failed to build : The command '/bin/sh -c apk add --update inotify-tools' returned a non-zero code: 99

I noticed that a recent commit, #172, has updated the Dockerfile. Once I manually downgraded the version to 1, I was able to successfully build it.

I went ahead and pulled the image and was also unable to run the command manually. It looks like apk needs to be run as root. I believe the haproxy image uses the user haproxy. So maybe adding USER root to the Dockerfile may be a solution. However, I am not sure how everything else may be affected.

aslansutu commented 4 months ago

When I set the USER as root and built the image, this time I came across the following error:

haproxy_1        | [NOTICE]   (16) : haproxy version is 2.9.7-5742051
haproxy_1        | [ALERT]    (16) : config : parsing [/usr/local/etc/haproxy/haproxy.cfg:13] : The 'reqadd' directive is not supported anymore since HAProxy 2.1. Use 'http-request add-header' instead.
haproxy_1        | [ALERT]    (16) : config : parsing [/usr/local/etc/haproxy/haproxy.cfg:58] : The 'reqadd' directive is not supported anymore since HAProxy 2.1. Use 'http-request add-header' instead.
haproxy_1        | [ALERT]    (16) : config : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
haproxy_1        | [ALERT]    (16) : config : Fatal errors found in configuration.

It turns out that in src/haproxy/haproxy.cfg, the following has to be changed from

reqadd X-Forwarded-Proto:\ http
reqadd X-Forwarded-Proto:\ https

to

http-request set-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Proto https

as explained here

MauritsMonteyne commented 4 months ago

Ran into the same issue and posted my solution on the OpenBalena forum. I modified the Dockerfile to only temporarily switch to the root user, as running a container as root is considered a bad practice.

FROM haproxy:2.9.6-alpine

VOLUME [ "/certs" ]

# Switch back to root to install packages
USER root

RUN apk add --update inotify-tools

# Make haproxy user owner of certificate directory (is root by default)
RUN chown haproxy:haproxy /etc/ssl/private

# Switch back to haproxy user
USER haproxy

COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
COPY start-haproxy.sh /start-haproxy

CMD /start-haproxy

https://forums.balena.io/t/logbackend-server-responded-with-status-code-504-mystery-solved/369223/10
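A check for the pattern used in the Dockerfile above, as an added example that is not part of the thread or the open-balena repository: it reads a Dockerfile and reports whether the last USER instruction of the final build stage leaves the container running as root. The function names `final_user` and `check_nonroot` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the open-balena repo): fail a build check when the
# final stage of a Dockerfile would leave the container running as root.

# Print the user in effect at the end of the last build stage.
# Empty output means no USER instruction: the base image default applies.
final_user() {
    awk '
        { instr = toupper($1) }         # Dockerfile instructions are case-insensitive
        instr == "FROM" { user = "" }   # each stage starts from the default of its base image
        instr == "USER" { user = $2 }   # later USER lines override earlier ones
        END { print user }
    ' "$1"
}

# Return 0 if the final user is a named non-root account, 1 if it is root,
# 2 if it cannot be determined from the Dockerfile alone.
check_nonroot() {
    user=$(final_user "$1")
    case "${user%%:*}" in               # strip an optional :group suffix
        "")      echo "$1: no USER set, inherits base image default"; return 2 ;;
        \$*)     echo "$1: USER $user comes from a build variable"; return 2 ;;
        root|0)  echo "$1: final USER is root"; return 1 ;;
        *)       echo "$1: final USER is $user"; return 0 ;;
    esac
}

# Constructed samples: the Dockerfile from the comment above (shortened), and
# the same file without the final "USER haproxy" line.
sample_dir=$(mktemp -d)
cat > "$sample_dir/Dockerfile.good" <<'EOF'
FROM haproxy:2.9.6-alpine
USER root
RUN apk add --update inotify-tools
RUN chown haproxy:haproxy /etc/ssl/private
USER haproxy
CMD /start-haproxy
EOF
grep -v '^USER haproxy' "$sample_dir/Dockerfile.good" > "$sample_dir/Dockerfile.bad"

check_nonroot "$sample_dir/Dockerfile.good"
check_nonroot "$sample_dir/Dockerfile.bad" || true
```

A return code of 2 means the Dockerfile alone does not settle the question; the base image or the build arguments have to be inspected as well.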

ab77 commented 4 months ago

We've recently updated the project, try it here.