d24f648db8
This reverts commit 4a762a6a8a9bc6c4364e8a4b3588326e4fc40982. A partial revert of 13cfceaea43f1ddc1dc4431da843e9d92e73e426 is also performed to swap out zookeeper-statsd without affecting other images. We perform this revert because Docker cannot do speculative gating of images hosted anywhere but on docker.io. Speculative testing of container images is an important feature that we wish to keep so revert until we can stop relying on Docker. Change-Id: I7ceafdb7cf1dfd4812ea8f12f273f01045ca89a2
62 lines
2.2 KiB
Django/Jinja
62 lines
2.2 KiB
Django/Jinja
# Version 2 is the latest that is supported by docker-compose in
|
|
# Ubuntu Xenial.
|
|
version: '2'
|
|
|
|
services:
|
|
haproxy:
|
|
restart: always
|
|
image: docker.io/library/haproxy:latest
|
|
# NOTE(ianw) 2021-05-17 : haproxy >= 2.4 runs as a non-privileged
|
|
# user. The main problem here is we use host networking, so the
|
|
# haproxy user is not allowed to bind to low ports (80/443). The
|
|
# secondary problem permissions to disk files/socket.
|
|
#
|
|
# As of this writing, non-host ipv6 networking is a big PITA. You
|
|
# give docker a range in "fixed-cidr-v6"; the first problem is
|
|
# figuring out your routable prefix our hetrogenous environments
|
|
# and getting the daemon setup. The second problem is making sure
|
|
# that range actually passes packets. Insert hand-wavy things
|
|
# that range from setting up routes, to NDP proxies, etc. Then we
|
|
# have the problem that docker then assigns containers addresses
|
|
# randomly out of that (no good for DNS) which requires more
|
|
# setup.
|
|
#
|
|
# Now we could override security policies and set
|
|
# /proc/sys/net/ipv4/ip_unprivileged_port_start to 0 to allow
|
|
# anyone to bind to low ports. That doesn't seem right.
|
|
#
|
|
# ip6tables NAT is another option here, which is still
|
|
# experimental in docker 20.10.6. In theory, this works well for
|
|
# our use-case where unprivileged containers bind to high ports
|
|
# and we just want packets that reach external 80/443/8125 ports
|
|
# to get into their containers and out again.
|
|
#
|
|
# Until this is sorted, run as root
|
|
user: "root:root"
|
|
network_mode: host
|
|
volumes:
|
|
- /var/haproxy/dev/log:/dev/log
|
|
- /var/haproxy/etc:/usr/local/etc/haproxy:ro
|
|
- /var/haproxy/run:/var/haproxy/run
|
|
logging:
|
|
driver: syslog
|
|
options:
|
|
tag: "docker-haproxy"
|
|
|
|
{% if haproxy_run_statsd %}
|
|
haproxy-statsd:
|
|
restart: always
|
|
image: docker.io/opendevorg/haproxy-statsd:latest
|
|
network_mode: host
|
|
user: "1000:1000"
|
|
volumes:
|
|
- /var/haproxy/run:/var/haproxy/run
|
|
environment:
|
|
STATSD_HOST: graphite.opendev.org
|
|
STATSD_PORT: 8125
|
|
logging:
|
|
driver: syslog
|
|
options:
|
|
tag: "docker-haproxy-statsd"
|
|
{% endif %}
|