haproxy-2.6.6 was able to run with user root, but haproxy-3.0.6 hit an error:
haproxy[384105]: [ALERT] (384105) : [/usr/local/sbin/haproxy.main()] Cannot chroot(/opt/haproxy/chroot).
The fact that HAProxy 2.6.6 ran as root while HAProxy 3.0.6 fails with a chroot error when run as root indicates a key difference: HAProxy 2.6.6 was not actually using chroot, even if the directive was present in the configuration file. Running as root bypasses the chroot setup because root has access to the entire filesystem. The chroot directive was effectively being ignored.
With HAProxy 3.0.6, the chroot is being correctly enforced. Since the chroot environment (/opt/haproxy/chroot) is likely missing the necessary files for HAProxy to run (its binary, libraries, configuration, etc.), it fails to start.
Here's what to do:
- Confirm chroot necessity: Do you actually need chroot? If not, remove the chroot /opt/haproxy/chroot line from your /etc/haproxy/haproxy.cfg. This is often the simplest and best solution.
- If chroot is required:
  - Populate the chroot environment: Copy the necessary files into /opt/haproxy/chroot. This includes the HAProxy binary, required libraries (use ldd /usr/local/sbin/haproxy to find them), your haproxy.cfg file, and any other files HAProxy needs (e.g., certificates). Remember, the paths inside the chroot must match the paths HAProxy expects. So, if a library is normally in /lib64/, it needs to be in /opt/haproxy/chroot/lib64/.
  - Permissions: Even as root, ensure the files within /opt/haproxy/chroot have the correct permissions for the user HAProxy runs as within the chroot.
- Alternatives: Consider alternatives to chroot, such as Docker or systemd's isolation features, which are easier to manage and often provide better security.
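
The ldd step above, as an added example that is not part of the original post: a shell helper that turns ldd output into the path each library needs under /opt/haproxy/chroot and lists the ones still missing. The function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example: map ldd output to the paths the libraries need inside a chroot.
CHROOT_DIR="${CHROOT_DIR:-/opt/haproxy/chroot}"   # path taken from the error message

# Read ldd output on stdin and print one absolute library path per line.
# Handles "name => /path (addr)" and "/path (addr)" (the dynamic loader);
# skips entries with no file on disk (linux-vdso) and "not found" entries.
ldd_paths() {
    awk '
        /=> not found/            { next }
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $1 ~ /^\//                { print $1 }
    '
}

# Print where each library has to live under the chroot root given as $1,
# e.g. /lib64/libssl.so.3 -> <root>/lib64/libssl.so.3.
chroot_targets() {
    root="${1%/}"
    ldd_paths | while IFS= read -r lib; do
        printf '%s%s\n' "$root" "$lib"
    done
}

# Print only the destinations that do not exist yet under the chroot root $1.
missing_in_chroot() {
    chroot_targets "$1" | while IFS= read -r dest; do
        [ -e "$dest" ] || printf '%s\n' "$dest"
    done
}

# Constructed sample of ldd output (not captured from a real host).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc0b5f2000)
    libssl.so.3 => /lib64/libssl.so.3 (0x00007f1c2a400000)
    libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f1c2a1a0000)
    libexample.so.1 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f1c2a9d0000)'

# Real use: ldd /usr/local/sbin/haproxy | missing_in_chroot "$CHROOT_DIR"
printf '%s\n' "$SAMPLE_LDD" | chroot_targets "$CHROOT_DIR"
```
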
The key takeaway: your HAProxy 2.6.6 was likely not using chroot at all, even if the directive was present in the configuration. The root user bypassed the chroot restriction. Now, with 3.0.6, the chroot is being enforced, hence the error. Either populate the chroot or, better yet, remove the chroot directive if it's not essential.