search

docker-library / haproxy

Docker Official Image packaging for HAProxy
http://www.haproxy.org/
GNU General Public License v2.0
347 stars 158 forks source link

How to deal with "Failed to drop supplementary groups"? #209

Closed fillest closed 1 year ago

fillest commented 1 year ago

I get the following in the log: "haproxy docker: [WARNING] (9) : [haproxy.main()] Failed to drop supplementary groups. Using 'gid'/'group' without 'uid'/'user' is generally useless."

My config has both user and group defined:

global
    ...
    user haproxy
    group haproxy

I also tried uid 99 and gid 99 just in case. I start a container this way: sudo docker run -d --log-driver=journald --network=host --name haproxy --restart=always --init ...-v... docker.io/library/haproxy:2.7.8 (tried without --init too).

If I understand correctly, this image uses USER haproxy by default. Which means it probably has nothing to drop as it has no root privileges. But it tries anyway, so should I just ignore this warning then? But I want (and should) use zero-warning mode for strictness..

Docker: 23.0.6 community Image: haproxy:2.7.8 Ubuntu 22.04, kernel 5.15

tianon commented 1 year ago

If you want to remove the warnings, I would suggest removing user and group from your configuration. I would then also suggest adding an explicit --user to your docker run line (it defaults to haproxy, as you've found/noted, but being explicit is definitely better in this case IMO).

fillest commented 1 year ago

Indeed, user and group are apparently unneeded, as haproxy already gets started by haproxy user. Pretty obvious, but silly me :) Thanks.