f29aa2da16
This makes the haproxy role more generic so we can run another (or potentially even more) haproxy instance(s) to manage other services. The config file is moved to a variable for the haproxy role. The gitea specific config is then installed for the gitea-lb service by a new gitea-lb role. statsd reporting is made optional with an argument. This enables/disables the service in the docker compose. Role documenation is updated. Needed-By: https://review.opendev.org/678159 Change-Id: I3506ebbed9dda17d910001e71b17a865eba4225d
62 lines
2.2 KiB
Django/Jinja
62 lines
2.2 KiB
Django/Jinja
# Version 2 is the latest that is supported by docker-compose in
|
|
# Ubuntu Xenial.
|
|
version: '2'
|
|
|
|
services:
|
|
haproxy:
|
|
restart: always
|
|
image: docker.io/library/haproxy:latest
|
|
# NOTE(ianw) 2021-05-17 : haproxy >= 2.4 runs as a non-privileged
|
|
# user. The main problem here is we use host networking, so the
|
|
# haproxy user is not allowed to bind to low ports (80/443). The
|
|
# secondary problem permissions to disk files/socket.
|
|
#
|
|
# As of this writing, non-host ipv6 networking is a big PITA. You
|
|
# give docker a range in "fixed-cidr-v6"; the first problem is
|
|
# figuring out your routable prefix our hetrogenous environments
|
|
# and getting the daemon setup. The second problem is making sure
|
|
# that range actually passes packets. Insert hand-wavy things
|
|
# that range from setting up routes, to NDP proxies, etc. Then we
|
|
# have the problem that docker then assigns containers addresses
|
|
# randomly out of that (no good for DNS) which requires more
|
|
# setup.
|
|
#
|
|
# Now we could override security policies and set
|
|
# /proc/sys/net/ipv4/ip_unprivileged_port_start to 0 to allow
|
|
# anyone to bind to low ports. That doesn't seem right.
|
|
#
|
|
# ip6tables NAT is another option here, which is still
|
|
# experimental in docker 20.10.6. In theory, this works well for
|
|
# our use-case where unprivileged containers bind to high ports
|
|
# and we just want packets that reach external 80/443/8125 ports
|
|
# to get into their containers and out again.
|
|
#
|
|
# Until this is sorted, run as root
|
|
user: "root:root"
|
|
network_mode: host
|
|
volumes:
|
|
- /dev/log:/dev/log
|
|
- /var/haproxy/etc:/usr/local/etc/haproxy
|
|
- /var/haproxy/run:/var/haproxy/run
|
|
logging:
|
|
driver: syslog
|
|
options:
|
|
tag: "docker-haproxy"
|
|
|
|
{% if haproxy_run_statsd %}
|
|
haproxy-statsd:
|
|
restart: always
|
|
image: docker.io/opendevorg/haproxy-statsd:latest
|
|
network_mode: host
|
|
user: "1000:1000"
|
|
volumes:
|
|
- /var/haproxy/run:/var/haproxy/run
|
|
environment:
|
|
STATSD_HOST: graphite.opendev.org
|
|
STATSD_PORT: 8125
|
|
logging:
|
|
driver: syslog
|
|
options:
|
|
tag: "docker-haproxy-statsd"
|
|
{% endif %}
|