From 681088951b5deb5711f99973122123269b530aa0 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Tue, 11 Feb 2025 07:53:19 -0800
Subject: [PATCH] Perform haproxy HUP signals with kill

Podman on Ubuntu Noble has apparmor config that prevents SIGHUP from
being delivered via `podman kill -s HUP` or `docker compose kill -s
HUP`. Attempting to do so results in:

  kernel: audit: type=1400 audit(1739232042.996:129): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4-apparmor1" pid=17067 comm="runc" requested_mask="receive" denied_mask="receive" signal=hup peer="podman"

This appears to be due to issues with the apparmor configuration that
was edited to make other signals work:

  https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483

We work around that by using kill to issue the signal instead which
seems to work based on some manual testing.

Change-Id: I49435fdda662e25c7192faf24e0ae4b527e943b9
---
 .../roles/haproxy/handlers/hup_haproxy.yaml   | 22 +++++++++++++++++++
 playbooks/roles/haproxy/handlers/main.yaml    |  4 +---
 2 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 playbooks/roles/haproxy/handlers/hup_haproxy.yaml

diff --git a/playbooks/roles/haproxy/handlers/hup_haproxy.yaml b/playbooks/roles/haproxy/handlers/hup_haproxy.yaml
new file mode 100644
index 0000000000..cb14d72441
--- /dev/null
+++ b/playbooks/roles/haproxy/handlers/hup_haproxy.yaml
@@ -0,0 +1,22 @@
+# This is necessary because podman kill -s HUP doesn't currently work on
+# Ubuntu Noble. They appear tohave fixed this for other common signals (see
+# https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483 ) but not
+# for HUP. To work around this we use kill directly against the container
+# process.
+#
+# Note that we need the first docker-compose ps here as the container name
+# is different between docker-compose and docker compose.
+- name: Get haproxy container ID
+  command: docker-compose ps -q haproxy
+  args:
+    chdir: /etc/haproxy-docker/
+  register: docker_ps
+
+- name: Get haproxy container pid
+  command: "{{ cmd_str }} {{ docker_ps.stdout }}"
+  vars:
+    cmd_str: !unsafe "docker inspect --format '{{ .State.Pid }}'"
+  register: docker_inspect
+
+- name: Send HUP to haproxy
+  command: kill -s HUP {{ docker_inspect.stdout }}
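Review bot: The final task `kill -s HUP {{ docker_inspect.stdout }}` has no guard on the inspected pid: `docker inspect --format '{{ .State.Pid }}'` reports `0` for a container that exists but is not running, and `kill -s HUP 0` signals every process in the caller's own process group rather than haproxy. Likewise an empty `docker_ps.stdout` (no haproxy container at all) makes the inspect command run with no argument and the failure surfaces only at the kill step. Adding `failed_when: docker_ps.stdout | length == 0` to the first task and `failed_when: (docker_inspect.stdout | int) < 1` to the second stops the handler before any signal is sent. Since the signal is now delivered to a host pid instead of being routed through the container runtime, the handler presumably has to run as root (or as the user owning the container process) for the kill to be permitted; worth stating in the header comment alongside the apparmor rationale.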
diff --git a/playbooks/roles/haproxy/handlers/main.yaml b/playbooks/roles/haproxy/handlers/main.yaml
index 9d749458e7..2db10d95cf 100644
--- a/playbooks/roles/haproxy/handlers/main.yaml
+++ b/playbooks/roles/haproxy/handlers/main.yaml
@@ -1,4 +1,2 @@
 - name: Reload haproxy
-  shell:
-    cmd: docker-compose kill -s HUP haproxy
-    chdir: /etc/haproxy-docker/
+  include_tasks: roles/haproxy/handlers/hup_haproxy.yaml