
Rsyslog on Noble has apparmor rules that restrict rsyslog socket creation to /var/lib/*/dev/log. Previously we were configuring haproxy hosts to create an rsyslog socket for haproxy at /var/haproxy/dev/log which doesn't match the apparmor rule so gets denied.

To address this we move all the host side haproxy config from /var/haproxy to /var/lib/haproxy. This allows rsyslog to create the socket. To avoid needing to update docker images (for haproxy statsd) and to continue to make the haproxy container itself happy we don't adjust paths on the target side of our bind mounts. This means some things still refer to /var/haproxy but they should all be within containers.

I don't believe this will be impactful to existing load balancer servers. We should deploy new content to /var/lib/haproxy then automatically restart services (rsyslog and haproxy container) because their configs are updating. One potential problem with this is rsyslog will restart before the containers do and its log path will have moved. If we are concerned about this we can configure rsyslog to continue to attempt to create the old path in addition to the new path (this will fail on Noble).

Change-Id: I4582e6b2dda188583f76265ab78bcb00a302e375
# Create additional haproxy socket to be mapped into container

$AddUnixListenSocket /var/lib/haproxy/dev/log

:programname, startswith, "haproxy" {
  /var/log/haproxy.log
  stop
}
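
An added example, not part of the original commit or the project's code: a Python check that flags `$AddUnixListenSocket` paths falling outside the AppArmor pattern named in the commit message. The allowed-pattern list, the function names and the sample config are assumptions made for illustration, and only the `*`, `**` and `?` glob forms are translated.

```python
import re

# Pattern quoted in the commit message; assumed here to be the only place
# the rsyslog AppArmor profile permits additional log sockets.
ALLOWED_SOCKET_GLOBS = ["/var/lib/*/dev/log"]

def apparmor_glob_to_regex(glob):
    """Translate an AppArmor path glob (subset: *, **, ?) to a regex.
    In AppArmor, * and ? never match '/', while ** does."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))

def listen_sockets(config_text):
    """Return the paths of legacy $AddUnixListenSocket directives."""
    paths = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue  # whole-line comment
        m = re.match(r"\$AddUnixListenSocket\s+(\S+)$", line)
        if m:
            paths.append(m.group(1))
    return paths

def denied_sockets(config_text, globs=ALLOWED_SOCKET_GLOBS):
    """Return socket paths that match none of the allowed globs."""
    regexes = [apparmor_glob_to_regex(g) for g in globs]
    return [p for p in listen_sockets(config_text)
            if not any(r.fullmatch(p) for r in regexes)]

# Constructed sample: the old path, the new path, and a nested path that
# a single * cannot match because it would have to cross a '/'.
SAMPLE = """# constructed sample config
$AddUnixListenSocket /var/haproxy/dev/log
$AddUnixListenSocket /var/lib/haproxy/dev/log
$AddUnixListenSocket /var/lib/haproxy/run/dev/log
"""

if __name__ == "__main__":
    for path in denied_sockets(SAMPLE):
        print("outside AppArmor pattern:", path)
```
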