Upgrade to haproxy 1.8.2 (#527)

* Upgrade to haproxy 1.8.1 * Use haproxy's new master worker, remove old iptables / sleep / lock hacks. * ‼️ BREAKING CHANGE: you _must_ remove "daemon" form your custom HAPROXY_HEAD templates. * upgrade libssl to version 1.1 * bump to haproxy 1.8.2 * use the default gpg keyserver
mesosphere · Dec 29, 2017 · 719f335 · 719f335
1 parent f0c2433
commit 719f335
Show file tree

Hide file tree

Showing 8 changed files with 15 additions and 158 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -4,27 +4,26 @@ FROM debian:buster
 RUN apt-get update && apt-get install -y --no-install-recommends \
         ca-certificates \
         inetutils-syslogd \
-        iptables \
         libcurl3 \
         liblua5.3-0 \
-        libssl1.0.2 \
+        libssl1.1 \
         openssl \
         procps \
         python3 \
         runit \
         gnupg-agent \
-	socat \
+        socat \
     && rm -rf /var/lib/apt/lists/*
 
-ENV TINI_VERSION=v0.13.2 \
+ENV TINI_VERSION=v0.16.1 \
     TINI_GPG_KEY=595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7
 RUN set -x \
     && apt-get update && apt-get install -y --no-install-recommends dirmngr gpg wget \
         && rm -rf /var/lib/apt/lists/* \
     && wget -O tini "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini-amd64" \
     && wget -O tini.asc "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini-amd64.asc" \
     && export GNUPGHOME="$(mktemp -d)" \
-    && gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-keys "$TINI_GPG_KEY" \
+    && gpg --recv-keys "$TINI_GPG_KEY" \
     && gpg --batch --verify tini.asc tini \
     && rm -rf "$GNUPGHOME" tini.asc \
     && mv tini /usr/bin/tini \
@@ -33,9 +32,9 @@ RUN set -x \
     && apt-get purge -y --auto-remove dirmngr gpg wget
 
 
-ENV HAPROXY_MAJOR=1.7 \
-    HAPROXY_VERSION=1.7.6 \
-    HAPROXY_MD5=8f4328cf66137f0dbf6901e065f603cc
+ENV HAPROXY_MAJOR=1.8 \
+    HAPROXY_VERSION=1.8.2 \
+    HAPROXY_MD5=5e72829793e163bea93da1df6b4aaa1e
 
 COPY requirements.txt /marathon-lb/
 

diff --git a/Longhelp.md b/Longhelp.md
@@ -58,7 +58,7 @@ optional arguments:
                         every --reload-interval seconds. Set to 0 to disable
                         or -1 for infinite retries. (default: 10)
   --reload-interval RELOAD_INTERVAL
-                        Wait this number of seconds betwee nreload retries.
+                        Wait this number of seconds between reload retries.
                         (default: 10)
   --strict-mode         If set, backends are only advertised if
                         HAPROXY_{n}_ENABLED=true. Strict mode will be enabled
@@ -367,7 +367,6 @@ and defaults.
 **Default template for `HAPROXY_HEAD`:**
 ```
 global
-  daemon
   log /dev/log local0
   log /dev/log local1 notice
   spread-checks 5
@@ -378,7 +377,7 @@ global
   ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
   ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!aNULL:!MD5:!DSS
   ssl-default-server-options no-sslv3 no-tlsv10 no-tls-tickets
-  stats socket /var/run/haproxy/socket
+  stats socket /var/run/haproxy/socket expose-fd listeners
   server-state-file global
   server-state-base /var/state/haproxy/
   lua-load /marathon-lb/getpids.lua

diff --git a/config.py b/config.py
@@ -33,7 +33,6 @@ def load(self):
             ConfigTemplate(name='HEAD',
                            value='''\
 global
-  daemon
   log /dev/log local0
   log /dev/log local1 notice
   spread-checks 5
@@ -56,7 +55,7 @@ def load(self):
 DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:\
 AES256-SHA256:!aNULL:!MD5:!DSS
   ssl-default-server-options no-sslv3 no-tlsv10 no-tls-tickets
-  stats socket /var/run/haproxy/socket
+  stats socket /var/run/haproxy/socket expose-fd listeners
   server-state-file global
   server-state-base /var/state/haproxy/
   lua-load /marathon-lb/getpids.lua

diff --git a/haproxy_wrapper.py b/haproxy_wrapper.py
diff --git a/run b/run
@@ -121,6 +121,7 @@ done
 cat > $LB_SERVICE/run << EOF
 #!/bin/sh
 exec 2>&1
+sv status /marathon-lb/service/haproxy || exit 1
 cd /marathon-lb
 exec /marathon-lb/marathon_lb.py \
     --syslog-socket $SYSLOG_SOCKET \

diff --git a/service/haproxy/run b/service/haproxy/run
@@ -1,78 +1,9 @@
 #!/bin/bash
 exec 2>&1
 export PIDFILE="/tmp/haproxy.pid"
-
-LOG_PREFIX="$(pwd) $0"
-log() {
-    logline="[$LOG_PREFIX] $1\n"
-    printf "$logline" >&1
-}
-log_error() {
-    logline="[$LOG_PREFIX] $1\n"
-    printf "$logline" >&1
-    printf "$logline" >&2
-}
-
-addFirewallRules() {
-  IFS=',' read -ra ADDR <<< "$PORTS"
-  for i in "${ADDR[@]}"; do
-    iptables -w -I INPUT -p tcp --dport $i --syn -j DROP
-  done
-}
-
-removeFirewallRules() {
-  IFS=',' read -ra ADDR <<< "$PORTS"
-  for i in "${ADDR[@]}"; do
-    while iptables -w -D INPUT -p tcp --dport $i --syn -j DROP 2>/dev/null; do :; done
-  done
-}
-
-reload() {
-  log "Reloading haproxy"
-
-  (
-    flock 200
-
-    log "Dropping SYN packets with addFirewallRules"
-    addFirewallRules
-
-    # Wait to settle
-    sleep 0.1
-    log "addFirewallRules done"
-
-    log "Saving the current HAProxy state"
-    socat /var/run/haproxy/socket - <<< "show servers state" > /var/state/haproxy/global
-    log "Done saving the current HAProxy state"
-
-    # Trigger reload
-    LATEST_HAPROXY_PID=$(cat $PIDFILE)
-    log "LATEST_HAPROXY_PID: [$LATEST_HAPROXY_PID]"
-
-    WHICH_HAPROXY=$(which haproxy)
-
-    log "/marathon-lb/haproxy_wrapper.py $WHICH_HAPROXY -D -p $PIDFILE -f /marathon-lb/haproxy.cfg -sf $LATEST_HAPROXY_PID 200>&-"
-    /marathon-lb/haproxy_wrapper.py $WHICH_HAPROXY -D -p $PIDFILE -f /marathon-lb/haproxy.cfg -sf $LATEST_HAPROXY_PID 200>&-
-    local exit_code=$?
-    log "exit code: $exit_code"
-    if [ $exit_code -ne 0 ]; then
-      log_error "HAProxy reload failed"
-    fi
-
-    log "Removing firewall rules with removeFirewallRules"
-    removeFirewallRules
-    log "removeFirewallRules done"
-
-    # Need to wait 1s to prevent TCP SYN exponential backoff
-    sleep 1
-
-    log "Reload finished"
-  ) 200>/var/run/haproxy/lock
-}
+WHICH_HAPROXY=$(which haproxy)
 
 mkdir -p /var/state/haproxy
 mkdir -p /var/run/haproxy
 
-reload
-
-trap reload SIGHUP
-while true; do sleep 0.5; done
+exec $WHICH_HAPROXY -W -p $PIDFILE -f /marathon-lb/haproxy.cfg -x /var/run/haproxy/socket -sf
diff --git a/tests/test_marathon_lb.py b/tests/test_marathon_lb.py
@@ -12,7 +12,6 @@ def setUp(self):
         if 'HAPROXY_GLOBAL_DEFAULT_OPTIONS' in os.environ:
             del os.environ['HAPROXY_GLOBAL_DEFAULT_OPTIONS']
         self.base_config = '''global
-  daemon
   log /dev/log local0
   log /dev/log local1 notice
   spread-checks 5
@@ -35,7 +34,7 @@ def setUp(self):
 DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:\
 AES256-SHA256:!aNULL:!MD5:!DSS
   ssl-default-server-options no-sslv3 no-tlsv10 no-tls-tickets
-  stats socket /var/run/haproxy/socket
+  stats socket /var/run/haproxy/socket expose-fd listeners
   server-state-file global
   server-state-base /var/state/haproxy/
   lua-load /marathon-lb/getpids.lua

diff --git a/tests/test_marathon_lb_haproxy_options.py b/tests/test_marathon_lb_haproxy_options.py
@@ -8,7 +8,6 @@ def template_option(opt):
 
 
 base_config_prefix = '''global
-  daemon
   log /dev/log local0
   log /dev/log local1 notice
   spread-checks 5
@@ -31,7 +30,7 @@ def template_option(opt):
 DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:\
 AES256-SHA256:!aNULL:!MD5:!DSS
   ssl-default-server-options no-sslv3 no-tlsv10 no-tls-tickets
-  stats socket /var/run/haproxy/socket
+  stats socket /var/run/haproxy/socket expose-fd listeners
   server-state-file global
   server-state-base /var/state/haproxy/
   lua-load /marathon-lb/getpids.lua