From 815be0e3e6806ac7d1c09f43e67afd32186223fe78549e4ecb292808da472756 Mon Sep 17 00:00:00 2001 
From: Stephan Kulow
Date: Wed, 25 Jun 2014 13:24:23 +0000
Subject: [PATCH] Accepting request 238588 from network:ha-clustering:Factory 1
OBS-URL: https://build.opensuse.org/request/show/238588
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=6
---
 0001-MEDIUM-add-systemd-service.patch | 56 -----
 0002-MEDIUM-add-haproxy-systemd-wrapper.patch | 227 ------------------
 ...-option-Ds-for-systemd-compatibility.patch | 157 ------------
 ...md-wrapper-don-t-leak-zombie-process.patch | 65 -----
 ...-BUILD-stdbool-is-not-portable-again.patch | 25 --
 ...ystemd-wrapper-Use-haproxy-in-same-d.patch | 54 -----
 ...rapper-Kill-child-processes-when-int.patch | 61 -----
 ...per-Write-debug-information-to-stdou.patch | 65 -----
 0009-openSUSE-Configure-haproxy-user.patch | 45 ----
 0010-openSUSE-Fix-path-to-PCRE-library.patch | 25 --
 ...emd-fix-compiler-warning-about-unuse.patch | 42 ----
 ...md-wrapper-fix-locating-of-haproxy-b.patch | 51 ----
 ...ystemd-wrapper-re-execute-on-SIGUSR2.patch | 117 ---------
 ...INOR-systemd-wrapper-improve-logging.patch | 72 ------
 ...ystemd-wrapper-propagate-exit-status.patch | 28 ---
 haproxy-1.2.16_config_haproxy_user.patch | 32 +++
 haproxy-1.4.25.tar.gz | 3 -
 haproxy-1.5.1.tar.gz | 3 +
 haproxy-1.5_check_config_before_start.patch | 12 +
 haproxy-makefile_lib.patch | 13 +
 haproxy.changes | 123 ++++++++++
 haproxy.spec | 162 +++++++------
 local.usr.sbin.haproxy.apparmor | 1 +
 sec-options.patch | 40 +++
 usr.sbin.haproxy.apparmor | 29 +++
 25 files changed, 345 insertions(+), 1163 deletions(-)
 delete mode 100644 0001-MEDIUM-add-systemd-service.patch
 delete mode 100644 0002-MEDIUM-add-haproxy-systemd-wrapper.patch
 delete mode 100644 0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch
 delete mode 100644 0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch
 delete mode 100644 0005-BUILD-stdbool-is-not-portable-again.patch
 delete mode 100644 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch
 delete mode 100644 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch
 delete mode 100644 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch
 delete mode 100644 0009-openSUSE-Configure-haproxy-user.patch
 delete mode 100644 0010-openSUSE-Fix-path-to-PCRE-library.patch
 delete mode 100644 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch
 delete mode 100644 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch
 delete mode 100644 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch
 delete mode 100644 0014-MINOR-systemd-wrapper-improve-logging.patch
 delete mode 100644 0015-MINOR-systemd-wrapper-propagate-exit-status.patch
 create mode 100644 haproxy-1.2.16_config_haproxy_user.patch
 delete mode 100644 haproxy-1.4.25.tar.gz
 create mode 100644 haproxy-1.5.1.tar.gz
 create mode 100644 haproxy-1.5_check_config_before_start.patch
 create mode 100644 haproxy-makefile_lib.patch
 create mode 100644 local.usr.sbin.haproxy.apparmor
 create mode 100644 sec-options.patch
 create mode 100644 usr.sbin.haproxy.apparmor
diff --git a/0001-MEDIUM-add-systemd-service.patch b/0001-MEDIUM-add-systemd-service.patch
deleted file mode 100644
index a8cf6e1..0000000
--- a/0001-MEDIUM-add-systemd-service.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From 88c70beb5a24cf200a32c70a8a95865c8e97efb6 Mon Sep 17 00:00:00 2001 -From: Marc-Antoine Perennou -Date: Fri, 22 Nov 2013 08:28:03 +0100 -Subject: [PATCH 01/15] MEDIUM: add systemd service - ---- - .gitignore | 1 + - contrib/systemd/Makefile | 8 ++++++++ - contrib/systemd/haproxy.service.in | 11 +++++++++++ - 3 files changed, 20 insertions(+) - create mode 100644 contrib/systemd/Makefile - create mode 100644 contrib/systemd/haproxy.service.in - -diff --git a/.gitignore b/.gitignore -index 5d9576af102e..83d84083ca3e 100644 ---- a/.gitignore -+++ b/.gitignore -@@ -15,3 +15,4 @@ haproxy-* - make-* - dlmalloc.c - 00*.patch -+*.service -diff --git a/contrib/systemd/Makefile b/contrib/systemd/Makefile -new file mode 100644 -index 000000000000..e542c2387c79 ---- /dev/null -+++ b/contrib/systemd/Makefile -@@ -0,0 +1,8 @@ -+PREFIX = /usr/local -+SBINDIR = $(PREFIX)/sbin -+ -+haproxy.service: haproxy.service.in -+ sed -e 's:@SBINDIR@:'$(strip $(SBINDIR))':' $< > $@ -+ -+clean: -+ rm -f haproxy.service -diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in -new file mode 100644 -index 000000000000..1a3d2c050f49 ---- /dev/null -+++ b/contrib/systemd/haproxy.service.in -@@ -0,0 +1,11 @@ -+[Unit] -+Description=HAProxy Load Balancer -+After=network.target -+ -+[Service] -+ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -+ExecReload=/bin/kill -USR2 $MAINPID -+Restart=always -+ -+[Install] -+WantedBy=multi-user.target --- -1.8.4.5 - diff --git a/0002-MEDIUM-add-haproxy-systemd-wrapper.patch b/0002-MEDIUM-add-haproxy-systemd-wrapper.patch deleted file mode 100644 index 0276282..0000000 --- a/0002-MEDIUM-add-haproxy-systemd-wrapper.patch +++ /dev/null 
@@ -1,227 +0,0 @@ -From 3fe5ee78e8ff11fc477a979df79c678720e042ea Mon Sep 17 00:00:00 2001 -From: Marc-Antoine Perennou -Date: Fri, 22 Nov 2013 08:29:29 +0100 -Subject: [PATCH 02/15] MEDIUM: add haproxy-systemd-wrapper - -Currently, to reload haproxy configuration, you have to use "-sf". - -There is a problem with this way of doing things. First of all, in the systemd world, -reload commands should be "oneshot" ones, which means they should not be the new main -process but rather a tool which makes a call to it and then exits. With the current approach, -the reload command is the new main command and moreover, it makes the previous one exit. -Systemd only tracks the main program, seeing it ending, it assumes it either finished or failed, -and kills everything remaining as a grabage collector. We then end up with no haproxy running -at all. - -This patch adds wrapper around haproxy, no changes at all have been made into it, -so it's not intrusive and doesn't change anything for other hosts. What this wrapper does -is basically launching haproxy as a child, listen to the SIGUSR2 (not to conflict with -haproxy itself) signal, and spawing a new haproxy with "-sf" as a child to relay the -first one. 
- -Signed-off-by: Marc-Antoine Perennou ---- - .gitignore | 1 + - Makefile | 16 +++++- - src/haproxy-systemd-wrapper.c | 114 ++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 129 insertions(+), 2 deletions(-) - create mode 100644 src/haproxy-systemd-wrapper.c - -diff --git a/.gitignore b/.gitignore -index 83d84083ca3e..ec1545a7a3df 100644 ---- a/.gitignore -+++ b/.gitignore -@@ -12,6 +12,7 @@ src/*.o - *.log* - *.trace* - haproxy-* -+!src/*.c - make-* - dlmalloc.c - 00*.patch -diff --git a/Makefile b/Makefile -index 60267e2e2b1a..658716a60a80 100644 ---- a/Makefile -+++ b/Makefile -@@ -519,7 +519,7 @@ all: - @echo - @exit 1 - else --all: haproxy -+all: haproxy haproxy-systemd-wrapper - endif - - OBJS = src/haproxy.o src/sessionhash.o src/base64.o src/protocols.o \ -@@ -537,12 +537,17 @@ EBTREE_OBJS = $(EBTREE_DIR)/ebtree.o \ - $(EBTREE_DIR)/ebmbtree.o $(EBTREE_DIR)/ebsttree.o \ - $(EBTREE_DIR)/ebimtree.o $(EBTREE_DIR)/ebistree.o - -+WRAPPER_OBJS = src/haproxy-systemd-wrapper.o -+ - # Not used right now - LIB_EBTREE = $(EBTREE_DIR)/libebtree.a - - haproxy: $(OBJS) $(OPTIONS_OBJS) $(EBTREE_OBJS) - $(LD) $(LDFLAGS) -o $@ $^ $(LDOPTS) - -+haproxy-systemd-wrapper: $(WRAPPER_OBJS) -+ $(LD) $(LDFLAGS) -o $@ $^ $(LDOPTS) -+ - $(LIB_EBTREE): $(EBTREE_OBJS) - $(AR) rv $@ $^ - -@@ -562,6 +567,11 @@ src/haproxy.o: src/haproxy.c - -DBUILD_OPTIONS='"$(strip $(BUILD_OPTIONS))"' \ - -c -o $@ $< - -+src/haproxy-systemd-wrapper.o: src/haproxy-systemd-wrapper.c -+ $(CC) $(COPTS) \ -+ -DSBINDIR='"$(strip $(SBINDIR))"' \ -+ -c -o $@ $< -+ - src/dlmalloc.o: $(DLMALLOC_SRC) - $(CC) $(COPTS) -DDEFAULT_MMAP_THRESHOLD=$(DLMALLOC_THRES) -c -o $@ $< - -@@ -575,9 +585,10 @@ install-doc: - install -m 644 doc/$$x.txt $(DESTDIR)$(DOCDIR) ; \ - done - --install-bin: haproxy -+install-bin: haproxy haproxy-systemd-wrapper - install -d $(DESTDIR)$(SBINDIR) - install haproxy $(DESTDIR)$(SBINDIR) -+ install haproxy-systemd-wrapper $(DESTDIR)$(SBINDIR) - - install: install-bin install-man 
install-doc - -@@ -586,6 +597,7 @@ clean: - for dir in . src include/* doc ebtree; do rm -f $$dir/*~ $$dir/*.rej $$dir/core; done - rm -f haproxy-$(VERSION).tar.gz haproxy-$(VERSION)$(SUBVERS).tar.gz - rm -f haproxy-$(VERSION) haproxy-$(VERSION)$(SUBVERS) nohup.out gmon.out -+ rm -f haproxy-systemd-wrapper - - tags: - find src include \( -name '*.c' -o -name '*.h' \) -print0 | \ -diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c -new file mode 100644 -index 000000000000..596801591b9e ---- /dev/null -+++ b/src/haproxy-systemd-wrapper.c -@@ -0,0 +1,114 @@ -+/* -+ * Wrapper to make haproxy systemd-compliant. -+ * -+ * Copyright 2013 Marc-Antoine Perennou -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version -+ * 2 of the License, or (at your option) any later version. -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+static pid_t pid = 0; -+static char *pid_file = "/run/haproxy.pid"; -+static int main_argc; -+static char **main_argv; -+ -+static pid_t spawn_haproxy(char **pid_strv, int nb_pid) -+{ -+ pid_t pid = fork(); -+ if (!pid) { -+ /* 3 for "haproxy -Ds -sf" */ -+ char **argv = calloc(4 + main_argc + nb_pid + 1, sizeof(char *)); -+ int i; -+ int argno = 0; -+ argv[argno++] = SBINDIR"/haproxy"; -+ for (i = 0; i < main_argc; ++i) -+ argv[argno++] = main_argv[i]; -+ argv[argno++] = "-Ds"; -+ if (nb_pid > 0) { -+ argv[argno++] = "-sf"; -+ for (i = 0; i < nb_pid; ++i) -+ argv[argno++] = pid_strv[i]; -+ } -+ argv[argno] = NULL; -+ execv(argv[0], argv); -+ exit(0); -+ } -+ return pid; -+} -+ -+static int read_pids(char ***pid_strv) -+{ -+ FILE *f = fopen(pid_file, "r"); -+ int read = 0, allocated = 8; -+ char pid_str[10]; -+ -+ if (!f) -+ return 0; -+ -+ *pid_strv = malloc(allocated * sizeof(char *)); -+ while (1 == fscanf(f, "%s\n", 
pid_str)) { -+ if (read == allocated) { -+ allocated *= 2; -+ *pid_strv = realloc(*pid_strv, allocated * sizeof(char *)); -+ } -+ (*pid_strv)[read++] = strdup(pid_str); -+ } -+ -+ fclose(f); -+ -+ return read; -+} -+ -+static void signal_handler(int signum __attribute__((unused))) -+{ -+ int i; -+ char **pid_strv = NULL; -+ int nb_pid = read_pids(&pid_strv); -+ -+ pid = spawn_haproxy(pid_strv, nb_pid); -+ -+ for (i = 0; i < nb_pid; ++i) -+ free(pid_strv[i]); -+ free(pid_strv); -+} -+ -+static void init(int argc, char **argv) -+{ -+ while (argc > 1) { -+ if (**argv == '-') { -+ char *flag = *argv + 1; -+ --argc; ++argv; -+ if (*flag == 'p') -+ pid_file = *argv; -+ } -+ --argc; ++argv; -+ } -+} -+ -+int main(int argc, char **argv) -+{ -+ --argc; ++argv; -+ main_argc = argc; -+ main_argv = argv; -+ -+ init(argc, argv); -+ -+ signal(SIGUSR2, &signal_handler); -+ -+ pid = spawn_haproxy(NULL, 0); -+ while (-1 != waitpid(pid, NULL, 0) || errno == EINTR); -+ -+ return EXIT_SUCCESS; -+} --- -1.8.4.5 - diff --git a/0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch b/0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch deleted file mode 100644 index 9c367ef..0000000 --- a/0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch +++ /dev/null 
@@ -1,157 +0,0 @@ -From 44c4c476fac6efccb07c419873bb6c8d12d565a7 Mon Sep 17 00:00:00 2001 -From: Marc-Antoine Perennou -Date: Fri, 22 Nov 2013 08:34:52 +0100 -Subject: [PATCH 03/15] MEDIUM: New cli option -Ds for systemd compatibility - -This patch adds a new option "-Ds" which is exactly like "-D", but instead of -forking n times to get n jobs running and then exiting, prefers to wait for all the -children it just created. With this done, haproxy becomes more systemd-compliant, -without changing anything for other systems. - -Signed-off-by: Marc-Antoine Perennou ---- - doc/haproxy.1 | 4 ++++ - include/types/global.h | 1 + - src/haproxy.c | 35 +++++++++++++++++++++++------------ - 3 files changed, 28 insertions(+), 12 deletions(-) - -diff --git a/doc/haproxy.1 b/doc/haproxy.1 -index 0150aa753475..26e35a21f0e2 100644 ---- a/doc/haproxy.1 -+++ b/doc/haproxy.1 -@@ -57,6 +57,10 @@ starting up. - Start in daemon mode. - - .TP -+\fB\-Ds\fP -+Start in systemd daemon mode, keeping a process in foreground. -+ -+.TP - \fB\-q\fP - Disable messages on output. 
- -diff --git a/include/types/global.h b/include/types/global.h -index 7c5346b00b2d..d871939db21d 100644 ---- a/include/types/global.h -+++ b/include/types/global.h -@@ -38,6 +38,7 @@ - #define MODE_VERBOSE 0x10 - #define MODE_STARTING 0x20 - #define MODE_FOREGROUND 0x40 -+#define MODE_SYSTEMD 0x80 - - /* list of last checks to perform, depending on config options */ - #define LSTCHK_CAP_BIND 0x00000001 /* check that we can bind to any port */ -diff --git a/src/haproxy.c b/src/haproxy.c -index 748c5535b37d..67e29b8bc8cc 100644 ---- a/src/haproxy.c -+++ b/src/haproxy.c -@@ -42,6 +42,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -488,8 +489,11 @@ void init(int argc, char **argv) - arg_mode |= MODE_DEBUG; - else if (*flag == 'c') - arg_mode |= MODE_CHECK; -- else if (*flag == 'D') -+ else if (*flag == 'D') { - arg_mode |= MODE_DAEMON; -+ if (flag[1] == 's') /* -Ds */ -+ arg_mode |= MODE_SYSTEMD; -+ } - else if (*flag == 'q') - arg_mode |= MODE_QUIET; - else if (*flag == 's' && (flag[1] == 'f' || flag[1] == 't')) { -@@ -541,7 +545,7 @@ void init(int argc, char **argv) - } - - global.mode = MODE_STARTING | /* during startup, we want most of the alerts */ -- (arg_mode & (MODE_DAEMON | MODE_FOREGROUND | MODE_VERBOSE -+ (arg_mode & (MODE_DAEMON | MODE_SYSTEMD | MODE_FOREGROUND | MODE_VERBOSE - | MODE_QUIET | MODE_CHECK | MODE_DEBUG)); - - if (LIST_ISEMPTY(&cfg_cfgfiles)) -@@ -649,24 +653,24 @@ void init(int argc, char **argv) - - if (arg_mode & (MODE_DEBUG | MODE_FOREGROUND)) { - /* command line debug mode inhibits configuration mode */ -- global.mode &= ~(MODE_DAEMON | MODE_QUIET); -+ global.mode &= ~(MODE_DAEMON | MODE_SYSTEMD | MODE_QUIET); - global.mode |= (arg_mode & (MODE_DEBUG | MODE_FOREGROUND)); - } - -- if (arg_mode & MODE_DAEMON) { -+ if (arg_mode & (MODE_DAEMON | MODE_SYSTEMD)) { - /* command line daemon mode inhibits foreground and debug modes mode */ - global.mode &= ~(MODE_DEBUG | MODE_FOREGROUND); -- global.mode |= 
(arg_mode & MODE_DAEMON); -+ global.mode |= (arg_mode & (MODE_DAEMON | MODE_SYSTEMD)); - } - - global.mode |= (arg_mode & (MODE_QUIET | MODE_VERBOSE)); - -- if ((global.mode & MODE_DEBUG) && (global.mode & (MODE_DAEMON | MODE_QUIET))) { -- Warning(" mode incompatible with and . Keeping only.\n"); -- global.mode &= ~(MODE_DAEMON | MODE_QUIET); -+ if ((global.mode & MODE_DEBUG) && (global.mode & (MODE_DAEMON | MODE_SYSTEMD | MODE_QUIET))) { -+ Warning(" mode incompatible with , and . Keeping only.\n"); -+ global.mode &= ~(MODE_DAEMON | MODE_SYSTEMD | MODE_QUIET); - } - -- if ((global.nbproc > 1) && !(global.mode & MODE_DAEMON)) { -+ if ((global.nbproc > 1) && !(global.mode & (MODE_DAEMON | MODE_SYSTEMD))) { - if (!(global.mode & (MODE_FOREGROUND | MODE_DEBUG))) - Warning(" is only meaningful in daemon mode. Setting limit to 1 process.\n"); - global.nbproc = 1; -@@ -1133,7 +1137,7 @@ int main(int argc, char **argv) - } - - /* open log & pid files before the chroot */ -- if (global.mode & MODE_DAEMON && global.pidfile != NULL) { -+ if (global.mode & (MODE_DAEMON | MODE_SYSTEMD) && global.pidfile != NULL) { - int pidfd; - unlink(global.pidfile); - pidfd = open(global.pidfile, O_CREAT | O_WRONLY | O_TRUNC, 0644); -@@ -1223,9 +1227,10 @@ int main(int argc, char **argv) - argv[0], (int)limit.rlim_cur, global.maxconn, global.maxsock, global.maxsock); - } - -- if (global.mode & MODE_DAEMON) { -+ if (global.mode & (MODE_DAEMON | MODE_SYSTEMD)) { - struct proxy *px; - int ret = 0; -+ int *children = calloc(global.nbproc, sizeof(int)); - int proc; - - /* the father launches the required number of processes */ -@@ -1238,6 +1243,7 @@ int main(int argc, char **argv) - } - else if (ret == 0) /* child breaks here */ - break; -+ children[proc] = ret; - if (pidfile != NULL) { - fprintf(pidfile, "%d\n", ret); - fflush(pidfile); -@@ -1263,8 +1269,13 @@ int main(int argc, char **argv) - px = px->next; - } - -- if (proc == global.nbproc) -+ if (proc == global.nbproc) { -+ if (global.mode 
& MODE_SYSTEMD) { -+ for (proc = 0; proc < global.nbproc; proc++) -+ while (waitpid(children[proc], NULL, 0) == -1 && errno == EINTR); -+ } - exit(0); /* parent must leave */ -+ } - - /* if we're NOT in QUIET mode, we should now close the 3 first FDs to ensure - * that we can detach from the TTY. We MUST NOT do it in other cases since --- -1.8.4.5 - diff --git a/0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch b/0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch deleted file mode 100644 index 26a33f4..0000000 --- a/0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From f0eb767ac292c24ed37e5cec2a9a86d773df75d0 Mon Sep 17 00:00:00 2001 -From: Marc-Antoine Perennou -Date: Fri, 22 Nov 2013 08:36:01 +0100 -Subject: [PATCH 04/15] BUG/MEDIUM: systemd-wrapper: don't leak zombie - processes - -Formerly, if A was replaced by B, and then B by C before -A finished exiting, we didn't wait for B to finish so it -ended up as a zombie process. -Fix this by waiting randomly every child we spawn. - -Signed-off-by: Marc-Antoine Perennou ---- - src/haproxy-systemd-wrapper.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c -index 596801591b9e..8499b35188c5 100644 ---- a/src/haproxy-systemd-wrapper.c -+++ b/src/haproxy-systemd-wrapper.c -@@ -19,12 +19,11 @@ - #include - #include - --static pid_t pid = 0; - static char *pid_file = "/run/haproxy.pid"; - static int main_argc; - static char **main_argv; - --static pid_t spawn_haproxy(char **pid_strv, int nb_pid) -+static void spawn_haproxy(char **pid_strv, int nb_pid) - { - pid_t pid = fork(); - if (!pid) { -@@ -45,7 +44,6 @@ static pid_t spawn_haproxy(char **pid_strv, int nb_pid) - execv(argv[0], argv); - exit(0); - } -- return pid; - } - - static int read_pids(char ***pid_strv) -@@ -77,7 +75,7 @@ static void signal_handler(int signum __attribute__((unused))) - char **pid_strv = NULL; - int nb_pid = read_pids(&pid_strv); - -- pid = spawn_haproxy(pid_strv, nb_pid); -+ spawn_haproxy(pid_strv, nb_pid); - - for (i = 0; i < nb_pid; ++i) - free(pid_strv[i]); -@@ -107,8 +105,8 @@ int main(int argc, char **argv) - - signal(SIGUSR2, &signal_handler); - -- pid = spawn_haproxy(NULL, 0); -- while (-1 != waitpid(pid, NULL, 0) || errno == EINTR); -+ spawn_haproxy(NULL, 0); -+ while (-1 != wait(NULL) || errno == EINTR); - - return EXIT_SUCCESS; - } --- -1.8.4.5 - 
diff --git a/0005-BUILD-stdbool-is-not-portable-again.patch b/0005-BUILD-stdbool-is-not-portable-again.patch deleted file mode 100644 index 59313b2..0000000 --- a/0005-BUILD-stdbool-is-not-portable-again.patch +++ /dev/null @@ -1,25 +0,0 @@ -From b369ce63274ae800b76d45aed2d451557ac33499 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Fri, 22 Nov 2013 08:37:33 +0100 -Subject: [PATCH 05/15] BUILD: stdbool is not portable (again) - -Another build issue on Solaris without c99. Please don't use stdbool. ---- - src/haproxy-systemd-wrapper.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c -index 8499b35188c5..fb1a7fd92724 100644 ---- a/src/haproxy-systemd-wrapper.c -+++ b/src/haproxy-systemd-wrapper.c -@@ -12,7 +12,6 @@ - - #include - #include --#include - #include - #include - #include --- -1.8.4.5 - diff --git a/0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch b/0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch deleted file mode 100644 index d909b96..0000000 --- a/0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 1c9ed41d4cdfdb31381e89f1a8b93df01220fe07 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Kristoffer=20Gr=C3=B6nlund?= -Date: Fri, 22 Nov 2013 11:06:34 +0100 -Subject: [PATCH 06/15] MEDIUM: haproxy-systemd-wrapper: Use haproxy in same - directory - -Locate the wrapper and use a haproxy executable found in the -same directory. - -This patch lets the wrapper work in openSUSE. ---- - src/haproxy-systemd-wrapper.c | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c -index fb1a7fd92724..6546616b79ee 100644 ---- a/src/haproxy-systemd-wrapper.c -+++ b/src/haproxy-systemd-wrapper.c -@@ -22,15 +22,30 @@ static char *pid_file = "/run/haproxy.pid"; - static int main_argc; - static char **main_argv; - -+static void locate_haproxy(char *buffer, size_t buffer_size) -+{ -+ char* end; -+ readlink("/proc/self/exe", buffer, buffer_size); -+ end = strrchr(buffer, '/'); -+ if (end == NULL) -+ strncpy(buffer, "/usr/sbin/haproxy", buffer_size); -+ end[1] = '\0'; -+ strncat(buffer, "haproxy", buffer_size); -+} -+ - static void spawn_haproxy(char **pid_strv, int nb_pid) - { -- pid_t pid = fork(); -+ char haproxy_bin[512]; -+ pid_t pid; -+ -+ pid = fork(); - if (!pid) { - /* 3 for "haproxy -Ds -sf" */ - char **argv = calloc(4 + main_argc + nb_pid + 1, sizeof(char *)); - int i; - int argno = 0; -- argv[argno++] = SBINDIR"/haproxy"; -+ locate_haproxy(haproxy_bin, 512); -+ argv[argno++] = haproxy_bin; - for (i = 0; i < main_argc; ++i) - argv[argno++] = main_argv[i]; - argv[argno++] = "-Ds"; --- -1.8.4.5 - diff --git a/0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch b/0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch deleted file mode 100644 index 49dc46b..0000000 --- a/0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From e2f3c212072dcf1e9b809fc2cb774946eaba665f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Kristoffer=20Gr=C3=B6nlund?= -Date: Fri, 22 Nov 2013 11:09:39 +0100 -Subject: [PATCH 07/15] MEDIUM: systemd-wrapper: Kill child processes when - interrupted - -Send SIGINT to child processes when killed. This ensures that -the haproxy process managed by the systemd-wrapper is stopped -when "systemctl stop haproxy.service" is called. ---- - src/haproxy-systemd-wrapper.c | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c -index 6546616b79ee..d337f4c0d44e 100644 ---- a/src/haproxy-systemd-wrapper.c -+++ b/src/haproxy-systemd-wrapper.c -@@ -83,7 +83,7 @@ static int read_pids(char ***pid_strv) - return read; - } - --static void signal_handler(int signum __attribute__((unused))) -+static void sigusr2_handler(int signum __attribute__((unused))) - { - int i; - char **pid_strv = NULL; -@@ -96,6 +96,21 @@ static void signal_handler(int signum __attribute__((unused))) - free(pid_strv); - } - -+static void sigint_handler(int signum __attribute__((unused))) -+{ -+ int i, pid; -+ char **pid_strv = NULL; -+ int nb_pid = read_pids(&pid_strv); -+ for (i = 0; i < nb_pid; ++i) { -+ pid = atoi(pid_strv[i]); -+ if (pid > 0) { -+ kill(pid, SIGINT); -+ free(pid_strv[i]); -+ } -+ } -+ free(pid_strv); -+} -+ - static void init(int argc, char **argv) - { - while (argc > 1) { -@@ -117,7 +132,8 @@ int main(int argc, char **argv) - - init(argc, argv); - -- signal(SIGUSR2, &signal_handler); -+ signal(SIGINT, &sigint_handler); -+ signal(SIGUSR2, &sigusr2_handler); - - spawn_haproxy(NULL, 0); - while (-1 != wait(NULL) || errno == EINTR); --- -1.8.4.5 - diff --git a/0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch b/0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch deleted file mode 100644 index c2c8909..0000000 
--- a/0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch +++ /dev/null @@ -1,65 +0,0 @@ -From d581d9a037bfffe7900a1e5a1ec740e67002f974 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Kristoffer=20Gr=C3=B6nlund?= -Date: Fri, 22 Nov 2013 11:11:54 +0100 -Subject: [PATCH 08/15] LOW: systemd-wrapper: Write debug information to stdout - -Write the command line used to call haproxy to stdout, as -well as the return code returned by the haproxy process. ---- - src/haproxy-systemd-wrapper.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c -index d337f4c0d44e..4ca86dd3b8c0 100644 ---- a/src/haproxy-systemd-wrapper.c -+++ b/src/haproxy-systemd-wrapper.c -@@ -55,6 +55,12 @@ static void spawn_haproxy(char **pid_strv, int nb_pid) - argv[argno++] = pid_strv[i]; - } - argv[argno] = NULL; -+ -+ printf("%s", "haproxy-systemd-wrapper: executing "); -+ for (i = 0; argv[i]; ++i) -+ printf("%s ", argv[i]); -+ puts(""); -+ - execv(argv[0], argv); - exit(0); - } -@@ -104,6 +110,7 @@ static void sigint_handler(int signum __attribute__((unused))) - for (i = 0; i < nb_pid; ++i) { - pid = atoi(pid_strv[i]); - if (pid > 0) { -+ printf("haproxy-systemd-wrapper: SIGINT -> %d\n", pid); - kill(pid, SIGINT); - free(pid_strv[i]); - } -@@ -126,9 +133,11 @@ static void init(int argc, char **argv) - - int main(int argc, char **argv) - { -+ int status; -+ - --argc; ++argv; -- main_argc = argc; -- main_argv = argv; -+ main_argc = argc; -+ main_argv = argv; - - init(argc, argv); - -@@ -136,7 +145,10 @@ int main(int argc, char **argv) - signal(SIGUSR2, &sigusr2_handler); - - spawn_haproxy(NULL, 0); -- while (-1 != wait(NULL) || errno == EINTR); -+ status = -1; -+ while (-1 != wait(&status) || errno == EINTR) -+ ; - -+ printf("haproxy-systemd-wrapper: exit, haproxy RC=%d\n", status); - return EXIT_SUCCESS; - } --- -1.8.4.5 - 
diff --git a/0009-openSUSE-Configure-haproxy-user.patch b/0009-openSUSE-Configure-haproxy-user.patch deleted file mode 100644 index 0a690e5..0000000 --- a/0009-openSUSE-Configure-haproxy-user.patch +++ /dev/null @@ -1,45 +0,0 @@ -From cb214d574a4d0474427fca9c05ac1a72d075c45e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Kristoffer=20Gr=C3=B6nlund?= -Date: Tue, 6 May 2014 08:43:11 +0200 -Subject: [PATCH 09/15] openSUSE: Configure haproxy user - ---- - examples/examples.cfg | 4 ++-- - examples/haproxy.cfg | 6 +++--- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/examples/examples.cfg b/examples/examples.cfg -index 3499e7bd76b0..ed75c758952f 100644 ---- a/examples/examples.cfg -+++ b/examples/examples.cfg -@@ -3,8 +3,8 @@ global - # log 127.0.0.1 local1 - maxconn 4000 - ulimit-n 8000 -- uid 0 -- gid 0 -+ user haproxy -+ group haproxy - # chroot /tmp - # nbproc 2 - # daemon -diff --git a/examples/haproxy.cfg b/examples/haproxy.cfg -index 1c71d617716e..6f8a4ac51d0b 100644 ---- a/examples/haproxy.cfg -+++ b/examples/haproxy.cfg -@@ -5,9 +5,9 @@ global - log 127.0.0.1 local1 notice - #log loghost local0 info - maxconn 4096 -- chroot /usr/share/haproxy -- uid 99 -- gid 99 -+ chroot /var/lib/haproxy -+ user haproxy -+ group haproxy - daemon - #debug - #quiet --- -1.8.4.5 - diff --git a/0010-openSUSE-Fix-path-to-PCRE-library.patch b/0010-openSUSE-Fix-path-to-PCRE-library.patch deleted file mode 100644 index 2d31333..0000000 --- a/0010-openSUSE-Fix-path-to-PCRE-library.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 9f7b45fa88460a20da5d6c907694f2d07eb1a90c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Kristoffer=20Gr=C3=B6nlund?= -Date: Tue, 6 May 2014 08:44:24 +0200 -Subject: [PATCH 10/15] openSUSE: Fix path to PCRE library - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 658716a60a80..99516a819e28 100644 ---- a/Makefile -+++ b/Makefile -@@ -460,7 +460,7 @@ ifneq ($(USE_PCRE)$(USE_STATIC_PCRE),) - PCREDIR := $(shell pcre-config --prefix 2>/dev/null || echo /usr/local) - ifneq ($(PCREDIR),) - PCRE_INC := $(PCREDIR)/include --PCRE_LIB := $(PCREDIR)/lib -+PCRE_LIB := $(PCREDIR)/$(LIB) - endif - - ifeq ($(USE_STATIC_PCRE),) --- -1.8.4.5 - diff --git a/0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch b/0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch deleted file mode 100644 index 094b945..0000000 --- a/0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 6bc058f3417b98d3c4c8766d50db4dc22a23e550 Mon Sep 17 00:00:00 2001 -From: Lukas Tribus -Date: Tue, 10 Dec 2013 07:32:56 +0100 -Subject: [PATCH 11/15] BUILD/MINOR: systemd: fix compiler warning about unused - result -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUILD/MINOR: systemd: fix compiler warning about unused result - -There is a compiler warning after commit 1b6e75fa84 ("MEDIUM: haproxy- -systemd-wrapper: Use haproxy in same directory"): - -src/haproxy-systemd-wrapper.c: In function ‘locate_haproxy’: -src/haproxy-systemd-wrapper.c:28:10: warning: ignoring return value of ‘readlink’, declared with attribute warn_unused_result [-Wunused-result] - -Fix the compiler warning by checking the return value of readlink(). ---- - src/haproxy-systemd-wrapper.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c -index 4ca86dd3b8c0..c63f41ff7df6 100644 ---- a/src/haproxy-systemd-wrapper.c -+++ b/src/haproxy-systemd-wrapper.c -@@ -24,9 +24,9 @@ static char **main_argv; - - static void locate_haproxy(char *buffer, size_t buffer_size) - { -- char* end; -- readlink("/proc/self/exe", buffer, buffer_size); -- end = strrchr(buffer, '/'); -+ char* end = NULL; -+ if (readlink("/proc/self/exe", buffer, buffer_size) > 0) -+ end = strrchr(buffer, '/'); - if (end == NULL) - strncpy(buffer, "/usr/sbin/haproxy", buffer_size); - end[1] = '\0'; --- -1.8.4.5 - diff --git a/0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch b/0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch deleted file mode 100644 index aa430a6..0000000 --- a/0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From e8dcf678f2b3fafd18c09eb957e4d4a83e792d54 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Mon, 14 Apr 2014 13:34:34 +0200 -Subject: [PATCH 12/15] BUG/MEDIUM: systemd-wrapper: fix locating of haproxy - binary - -BUG/MEDIUM: systemd-wrapper: fix locating of haproxy binary - -OpenBSD complains this way due to strncat() : - -src/haproxy-systemd-wrapper.o(.text+0xd5): In function `spawn_haproxy': -src/haproxy-systemd-wrapper.c:33: warning: strcat() is almost always misused, please use strlcat() - -In fact, the code before strncat() here is wrong, because it may -dereference a NULL if /proc/self/exe is not readable. So fix it -and get rid of strncat() at the same time. - -No backport is needed. ---- - src/haproxy-systemd-wrapper.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c -index c63f41ff7df6..8485dcd11da8 100644 ---- a/src/haproxy-systemd-wrapper.c -+++ b/src/haproxy-systemd-wrapper.c -@@ -24,13 +24,18 @@ static char **main_argv; - - static void locate_haproxy(char *buffer, size_t buffer_size) - { -- char* end = NULL; -+ char *end = NULL; -+ - if (readlink("/proc/self/exe", buffer, buffer_size) > 0) - end = strrchr(buffer, '/'); -- if (end == NULL) -+ -+ if (end == NULL) { - strncpy(buffer, "/usr/sbin/haproxy", buffer_size); -+ return; -+ } - end[1] = '\0'; -- strncat(buffer, "haproxy", buffer_size); -+ strncpy(end + 1, "haproxy", buffer + buffer_size - (end + 1)); -+ buffer[buffer_size - 1] = '\0'; - } - - static void spawn_haproxy(char **pid_strv, int nb_pid) --- -1.8.4.5 - diff --git a/0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch b/0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch deleted file mode 100644 index ddc7645..0000000 --- a/0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From 07d130730feffcf64ab0709273f09c5374588b85 Mon Sep 17 00:00:00 2001 -From: Apollon Oikonomopoulos -Date: Thu, 17 Apr 2014 13:39:28 +0300 -Subject: [PATCH 13/15] MINOR: systemd wrapper: re-execute on SIGUSR2 - -MINOR: systemd wrapper: re-execute on SIGUSR2 - -Re-execute the systemd wrapper on SIGUSR2 and before reloading HAProxy, -making it possible to load a completely new version of HAProxy -(including a new version of the systemd wrapper) gracefully. -Since the wrapper accepts no command-line arguments of its own, -re-execution is signaled using the HAPROXY_SYSTEMD_REEXEC environment -variable. - -This is primarily intended to help seamless upgrades of distribution -packages. ---- - src/haproxy-systemd-wrapper.c | 54 ++++++++++++++++++++++++++++++++----------- - 1 file changed, 40 insertions(+), 14 deletions(-) - -diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c -index 8485dcd11da8..e373483d5085 100644 ---- a/src/haproxy-systemd-wrapper.c -+++ b/src/haproxy-systemd-wrapper.c -@@ -18,9 +18,11 @@ - #include - #include - -+#define REEXEC_FLAG "HAPROXY_SYSTEMD_REEXEC" -+ - static char *pid_file = "/run/haproxy.pid"; --static int main_argc; --static char **main_argv; -+static int wrapper_argc; -+static char **wrapper_argv; - - static void locate_haproxy(char *buffer, size_t buffer_size) - { -@@ -42,6 +44,11 @@ static void spawn_haproxy(char **pid_strv, int nb_pid) - { - char haproxy_bin[512]; - pid_t pid; -+ int main_argc; -+ char **main_argv; -+ -+ main_argc = wrapper_argc - 1; -+ main_argv = wrapper_argv + 1; - - pid = fork(); - if (!pid) { -@@ -96,15 +103,10 @@ static int read_pids(char ***pid_strv) - - static void sigusr2_handler(int signum __attribute__((unused))) - { -- int i; -- char **pid_strv = NULL; -- int nb_pid = read_pids(&pid_strv); -+ setenv(REEXEC_FLAG, "1", 1); -+ printf("haproxy-systemd-wrapper: re-executing\n"); - -- spawn_haproxy(pid_strv, nb_pid); -- -- for (i = 0; i < nb_pid; ++i) -- 
free(pid_strv[i]); -- free(pid_strv); -+ execv(wrapper_argv[0], wrapper_argv); - } - - static void sigint_handler(int signum __attribute__((unused))) -@@ -140,16 +142,40 @@ int main(int argc, char **argv) - { - int status; - -+ wrapper_argc = argc; -+ wrapper_argv = argv; -+ - --argc; ++argv; -- main_argc = argc; -- main_argv = argv; -- - init(argc, argv); - - signal(SIGINT, &sigint_handler); - signal(SIGUSR2, &sigusr2_handler); - -- spawn_haproxy(NULL, 0); -+ if (getenv(REEXEC_FLAG) != NULL) { -+ /* We are being re-executed: restart HAProxy gracefully */ -+ int i; -+ char **pid_strv = NULL; -+ int nb_pid = read_pids(&pid_strv); -+ sigset_t sigs; -+ -+ unsetenv(REEXEC_FLAG); -+ spawn_haproxy(pid_strv, nb_pid); -+ -+ /* Unblock SIGUSR2 which was blocked by the signal handler -+ * before re-exec */ -+ sigprocmask(SIG_BLOCK, NULL, &sigs); -+ sigdelset(&sigs, SIGUSR2); -+ sigprocmask(SIG_SETMASK, &sigs, NULL); -+ -+ for (i = 0; i < nb_pid; ++i) -+ free(pid_strv[i]); -+ free(pid_strv); -+ } -+ else { -+ /* Start a fresh copy of HAProxy */ -+ spawn_haproxy(NULL, 0); -+ } -+ - status = -1; - while (-1 != wait(&status) || errno == EINTR) - ; --- -1.8.4.5 - diff --git a/0014-MINOR-systemd-wrapper-improve-logging.patch b/0014-MINOR-systemd-wrapper-improve-logging.patch deleted file mode 100644 index d3b63bb..0000000 --- a/0014-MINOR-systemd-wrapper-improve-logging.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 21fef94beeba672fff22406d863a5423a27bed23 Mon Sep 17 00:00:00 2001 -From: Apollon Oikonomopoulos -Date: Thu, 17 Apr 2014 13:39:29 +0300 -Subject: [PATCH 14/15] MINOR: systemd wrapper: improve logging - -MINOR: systemd wrapper: improve logging - -Use standard error for logging messages, as it seems that this gets -messages to the systemd journal more reliably. Also use systemd's -support for specifying log levels via stderr to apply different levels -to messages. ---- - src/haproxy-systemd-wrapper.c | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - -diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c -index e373483d5085..d4baa90c266e 100644 ---- a/src/haproxy-systemd-wrapper.c -+++ b/src/haproxy-systemd-wrapper.c -@@ -19,6 +19,8 @@ - #include - - #define REEXEC_FLAG "HAPROXY_SYSTEMD_REEXEC" -+#define SD_DEBUG "<7>" -+#define SD_NOTICE "<5>" - - static char *pid_file = "/run/haproxy.pid"; - static int wrapper_argc; -@@ -68,10 +70,10 @@ static void spawn_haproxy(char **pid_strv, int nb_pid) - } - argv[argno] = NULL; - -- printf("%s", "haproxy-systemd-wrapper: executing "); -+ fprintf(stderr, SD_DEBUG "haproxy-systemd-wrapper: executing "); - for (i = 0; argv[i]; ++i) -- printf("%s ", argv[i]); -- puts(""); -+ fprintf(stderr, "%s ", argv[i]); -+ fprintf(stderr, "\n"); - - execv(argv[0], argv); - exit(0); -@@ -104,7 +106,7 @@ static int read_pids(char ***pid_strv) - static void sigusr2_handler(int signum __attribute__((unused))) - { - setenv(REEXEC_FLAG, "1", 1); -- printf("haproxy-systemd-wrapper: re-executing\n"); -+ fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: re-executing\n"); - - execv(wrapper_argv[0], wrapper_argv); - } -@@ -117,7 +119,7 @@ static void sigint_handler(int signum __attribute__((unused))) - for (i = 0; i < nb_pid; ++i) { - pid = atoi(pid_strv[i]); - if (pid > 0) { -- printf("haproxy-systemd-wrapper: SIGINT -> %d\n", pid); -+ fprintf(stderr, SD_DEBUG "haproxy-systemd-wrapper: 
SIGINT -> %d\n", pid); - kill(pid, SIGINT); - free(pid_strv[i]); - } -@@ -180,6 +182,7 @@ int main(int argc, char **argv) - while (-1 != wait(&status) || errno == EINTR) - ; - -- printf("haproxy-systemd-wrapper: exit, haproxy RC=%d\n", status); -+ fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: exit, haproxy RC=%d\n", -+ status); - return EXIT_SUCCESS; - } --- -1.8.4.5 - diff --git a/0015-MINOR-systemd-wrapper-propagate-exit-status.patch b/0015-MINOR-systemd-wrapper-propagate-exit-status.patch deleted file mode 100644 index 8ce4ed3..0000000 --- a/0015-MINOR-systemd-wrapper-propagate-exit-status.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 27b806b87289b403728d373020c4aeb5f79eb4bc Mon Sep 17 00:00:00 2001 -From: Apollon Oikonomopoulos -Date: Thu, 17 Apr 2014 13:39:30 +0300 -Subject: [PATCH 15/15] MINOR: systemd wrapper: propagate exit status - -MINOR: systemd wrapper: propagate exit status - -Use HAProxy's exit status as the systemd wrapper's exit status instead -of always returning EXIT_SUCCESS, permitting the use of systemd's -`Restart = on-failure' logic. ---- - src/haproxy-systemd-wrapper.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c -index d4baa90c266e..ba07ebe01ccc 100644 ---- a/src/haproxy-systemd-wrapper.c -+++ b/src/haproxy-systemd-wrapper.c -@@ -184,5 +184,5 @@ int main(int argc, char **argv) - - fprintf(stderr, SD_NOTICE "haproxy-systemd-wrapper: exit, haproxy RC=%d\n", - status); -- return EXIT_SUCCESS; -+ return status; - } --- -1.8.4.5 - diff --git a/haproxy-1.2.16_config_haproxy_user.patch b/haproxy-1.2.16_config_haproxy_user.patch new file mode 100644 index 0000000..bbea24f --- /dev/null +++ b/haproxy-1.2.16_config_haproxy_user.patch 
@@ -0,0 +1,32 @@
+Index: examples/examples.cfg
+===================================================================
+--- examples/examples.cfg.orig
++++ examples/examples.cfg
+@@ -3,8 +3,8 @@
+ # log 127.0.0.1 local1
+ maxconn 4000
+ ulimit-n 8000
+- uid 0
+- gid 0
++ user haproxy
++ group haproxy
+ # chroot /tmp
+ # nbproc 2
+ # daemon
+Index: examples/haproxy.cfg
+===================================================================
+--- examples/haproxy.cfg.orig
++++ examples/haproxy.cfg
+@@ -5,9 +5,9 @@
+ log 127.0.0.1 local1 notice
+ #log loghost local0 info
+ maxconn 4096
+- chroot /usr/share/haproxy
+- uid 99
+- gid 99
++ chroot /var/lib/haproxy
++ user haproxy
++ group haproxy
+ daemon
+ #debug
+ #quiet
diff --git a/haproxy-1.4.25.tar.gz b/haproxy-1.4.25.tar.gz
deleted file mode 100644
index d28e58f..0000000
--- a/haproxy-1.4.25.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:84408ec1e37bf308c6b45ae3c7e66f2a9d2f762cb689ab6d322c67bba691db62
-size 838775
diff --git a/haproxy-1.5.1.tar.gz b/haproxy-1.5.1.tar.gz
new file mode 100644
index 0000000..166e1d7
--- /dev/null
+++ b/haproxy-1.5.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:69b54be39247b4a7556b4a7d3bd90ffd4acf35799ffa7125bbadebab8e5df5b4
+size 1329710
diff --git a/haproxy-1.5_check_config_before_start.patch b/haproxy-1.5_check_config_before_start.patch
new file mode 100644
index 0000000..bdd251d
--- /dev/null
+++ b/haproxy-1.5_check_config_before_start.patch
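Review bot: The shipped haproxy.cfg now chroots into /var/lib/haproxy, which the spec also uses as %{pkg_home}, the home directory of the haproxy user; the chroot is only meaningful while that directory stays root-owned and not writable by haproxy, and the spec does install it as root 0755, but nothing records that invariant where an administrator will read it. A comment in the example config above the chroot line, `# must remain owned by root and not writable by the haproxy user`, would carry it. The patch file is named for 1.2.16 although it is applied to the 1.5.1 tree, which is confusing next to the 1.5-named patches in the same request.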
@@ -0,0 +1,12 @@
+diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
+index 1a3d2c0..9b3b72a 100644
+--- a/contrib/systemd/haproxy.service.in
++++ b/contrib/systemd/haproxy.service.in
+@@ -3,6 +3,7 @@ Description=HAProxy Load Balancer
+ After=network.target
+
+ [Service]
++ExecStartPre=@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q
+ ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
+ ExecReload=/bin/kill -USR2 $MAINPID
+ Restart=always
diff --git a/haproxy-makefile_lib.patch b/haproxy-makefile_lib.patch
new file mode 100644
index 0000000..0d4b4a8
--- /dev/null
+++ b/haproxy-makefile_lib.patch
@@ -0,0 +1,13 @@
+Index: Makefile
+===================================================================
+--- Makefile.orig
++++ Makefile
+@@ -567,7 +567,7 @@ ifneq ($(USE_PCRE)$(USE_STATIC_PCRE)$(US
+ PCREDIR := $(shell pcre-config --prefix 2>/dev/null || echo /usr/local)
+ ifneq ($(PCREDIR),)
+ PCRE_INC := $(PCREDIR)/include
+-PCRE_LIB := $(PCREDIR)/lib
++PCRE_LIB := $(PCREDIR)/$(LIB)
+ endif
+
+ ifeq ($(USE_STATIC_PCRE),)
diff --git a/haproxy.changes b/haproxy.changes
index aaba623..1fbc49c 100644
--- a/haproxy.changes
+++ b/haproxy.changes
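Review bot: The new ExecStartPre repeats the configuration path that the ExecStart line below already carries, so a drop-in that overrides ExecStart with a different `-f` still validates the old file while the wrapper starts the new one. A single `Environment=CONFIG=/etc/haproxy/haproxy.cfg` with `ExecStartPre=@SBINDIR@/haproxy -f $CONFIG -c -q` and `ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f $CONFIG -p /run/haproxy.pid` keeps the two in step. The pre-check also covers only a start: the ExecReload line still sends SIGUSR2 without re-running `-c`, so a broken edit is reported only by haproxy itself at reload time, which deserves a comment next to ExecStartPre such as `# validates the config before the wrapper starts; reloads are not checked here`.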
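Review bot: `PCRE_LIB := $(PCREDIR)/$(LIB)` drops the upstream default, so a caller that does not pass LIB (the spec does, via `LIB="%{_lib}"`) now gets `$(PCREDIR)/` as the library directory and links against whatever the default search path happens to provide. `PCRE_LIB := $(PCREDIR)/$(or $(LIB),lib)` keeps the old behaviour for such callers. A one-line comment above the assignment, `# LIB (lib or lib64) is passed in by the package build`, would record why the distro carries this change.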
@@ -1,3 +1,126 @@
+-------------------------------------------------------------------
+Tue Jun 24 15:55:48 UTC 2014 - mrueckert@suse.de
+
+- install the vim file into the versioned directory and dont cover
+ the current symlink with a directory
+
+-------------------------------------------------------------------
+Tue Jun 24 13:00:39 UTC 2014 - mrueckert@suse.de
+
+- add Requires to vim to make the ownership of the vim directory
+ clear and not break any symlink handling the vim package might
+ use.
+
+-------------------------------------------------------------------
+Tue Jun 24 12:23:55 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.1
+ - BUG/MINOR: config: http-request replace-header arg typo
+ - BUG/MINOR: ssl: rejects OCSP response without nextupdate.
+ - BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses.
+ - BUG/MINOR: ssl: Fix OCSP resp update fails with the same
+ certificate configured twice. (cherry picked from commit
+ 1d3865b096b43b9a6d6a564ffb424ffa6f1ef79f)
+ - BUG/MEDIUM: Consistently use 'check' in process_chk
+ - BUG/MAJOR: session: revert all the crappy client-side timeout
+ changes
+ - BUG/MINOR: logs: properly initialize and count log sockets
+- drop haproxy-1.5.0_consistently_use_check.patch:
+ included upstream
+
+-------------------------------------------------------------------
+Tue Jun 24 09:51:25 UTC 2014 - kgronlund@suse.com
+
+- Install vim file to a more appropriate location
+
+-------------------------------------------------------------------
+Mon Jun 23 09:19:04 UTC 2014 - kgronlund@suse.com
+
+- added pre macro for systemd service file
+
+-------------------------------------------------------------------
+Mon Jun 23 08:28:06 UTC 2014 - kgronlund@suse.com
+
+- Use better systemd detection consistently
+
+-------------------------------------------------------------------
+Sun Jun 22 19:48:11 UTC 2014 - mrueckert@suse.de
+
+- pull commit 9ac7cabaf9945fb92c96cb92f5ea85235f54f7d6:
+ Consistently use 'check' in process_chk
+ I am not entirely sure that this is a bug, but it seems
+ to me that it may cause a problem if there agent-check is
+ configured and there is some kind of error making a connection
+ for it.
+ adds patch haproxy-1.5.0_consistently_use_check.patch
+
+-------------------------------------------------------------------
+Fri Jun 20 14:37:21 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.0
+ For people who don't follow the development versions, 1.5 expands
+ 1.4 with many new features and performance improvements,
+ including native SSL support on both sides with SNI/NPN/ALPN and
+ OCSP stapling, IPv6 and UNIX sockets are supported everywhere,
+ full HTTP keep-alive for better support of NTLM and improved
+ efficiency in static farms, HTTP/1.1 compression (deflate, gzip)
+ to save bandwidth, PROXY protocol versions 1 and 2 on both sides,
+ data sampling on everything in request or response, including
+ payload, ACLs can use any matching method with any input sample
+ maps and dynamic ACLs updatable from the CLI stick-tables support
+ counters to track activity on any input sample custom format for
+ logs, unique-id, header rewriting, and redirects, improved health
+ checks (SSL, scripted TCP, check agent, ...), much more scalable
+ configuration supports hundreds of thousands of backends and
+ certificates without sweating.
+
+ For all the details see /usr/share/doc/packages/haproxy/CHANGELOG
+
+- enable tcp fast open if the kernel is recent enough
+- enable PCRE JIT if PCRE is recent enough
+- enable openssl support!
+ - haproxy can finally terminate ssl itself and also talk SSL to
+ the backend servers.
+ - including SNI/NPN/ALPN support.
+ new buildrequires openssl and pkgconfig
+- enable deflate support
+ new buildrequires zlib-devel
+- enable transparent proxy support
+- enable usage of accept4. reduces the syscall amount.
+- enable building and installing of halog
+- install vim file into the correct place
+- dropped patches:
+ 0001-MEDIUM-add-systemd-service.patch
+ 0002-MEDIUM-add-haproxy-systemd-wrapper.patch
+ 0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch
+ 0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch
+ 0005-BUILD-stdbool-is-not-portable-again.patch
+ 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch
+ 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch
+ 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch
+ 0009-openSUSE-Configure-haproxy-user.patch
+ 0010-openSUSE-Fix-path-to-PCRE-library.patch
+ 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch
+ 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch
+ 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch
+ 0014-MINOR-systemd-wrapper-improve-logging.patch
+ 0015-MINOR-systemd-wrapper-propagate-exit-status.patch
+- added haproxy-1.2.16_config_haproxy_user.patch:
+ (replaces 0009-openSUSE-Configure-haproxy-user.patch)
+- added haproxy-1.5_check_config_before_start.patch:
+ systemd allows us to run other things before we start the final
+ daemon. use this to check the configuration before launching.
+- added haproxy-makefile_lib.patch
+ (replaces 0010-openSUSE-Fix-path-to-PCRE-library.patch)
+- added sec-options.patch:
+ allow it more easily to build haproxy with PIE, stackprotector
+ and relro. all those options are enabled on our build.
+- added apparmor profile
+ usr.sbin.haproxy.apparmor
+ local.usr.sbin.haproxy.apparmor
+- change the conditionals for systemd to use bcond_with to make it
+ more obvious what we are guarding.
+
 -------------------------------------------------------------------
 Wed May 21 10:50:21 UTC 2014 - jsegitz@novell.com
 
diff --git a/haproxy.spec b/haproxy.spec
index cb9febb..5688373 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -13,59 +13,54 @@ # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ -# +%if 0%{?suse_version} >= 1230 +%bcond_without tcp_fast_open +%else +%bcond_with tcp_fast_open +%endif +%if 0%{?suse_version} >= 1310 +%bcond_without systemd +%else +%bcond_with systemd +%endif + +%if 0%{?suse_version} > 1140 +%bcond_without pcre_jit +%else +%bcond_with pcre_jit +%endif +%bcond_without apparmor Name: haproxy -Version: 1.4.25 +Version: 1.5.1 Release: 0 # # -%if 0%{?suse_version} >= 1230 -BuildRequires: pkgconfig(systemd) -%endif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libgcrypt-devel BuildRequires: pcre-devel +BuildRequires: zlib-devel +BuildRequires: openssl-devel +BuildRequires: pkg-config BuildRequires: udev +%if %{with systemd} +BuildRequires: pkgconfig(systemd) +%endif +BuildRequires: vim %define pkg_name haproxy %define pkg_home /var/lib/%{pkg_name} # Url: http://haproxy.1wt.eu/ -Source: http://haproxy.1wt.eu/download/1.4/src/haproxy-%{version}.tar.gz +Source: http://haproxy.1wt.eu/download/1.5/src/haproxy-%{version}.tar.gz Source1: %{pkg_name}.init Source2: http://haproxy.1wt.eu/download/contrib/haproxy.vim -# PATCH-FEATURE-UPSTREAM -Patch1: 0001-MEDIUM-add-systemd-service.patch -# PATCH-FEATURE-UPSTREAM -Patch2: 0002-MEDIUM-add-haproxy-systemd-wrapper.patch -# PATCH-FIX-UPSTREAM -Patch3: 0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch -# PATCH-FIX-UPSTREAM -Patch4: 0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch -# PATCH-FIX-UPSTREAM -Patch5: 0005-BUILD-stdbool-is-not-portable-again.patch -# PATCH-FIX-UPSTREAM -Patch6: 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch -# PATCH-FIX-UPSTREAM -Patch7: 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch -# PATCH-FIX-UPSTREAM -Patch8: 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch -# PATCH-FIX-OPENSUSE -Patch9: 0009-openSUSE-Configure-haproxy-user.patch -# 
PATCH-FIX-OPENSUSE -Patch10: 0010-openSUSE-Fix-path-to-PCRE-library.patch -# PATCH-FIX-UPSTREAM -Patch11: 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch -# PATCH-FIX-UPSTREAM -Patch12: 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch -# PATCH-FIX-UPSTREAM -Patch13: 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch -# PATCH-FIX-UPSTREAM -Patch14: 0014-MINOR-systemd-wrapper-improve-logging.patch -# PATCH-FIX-UPSTREAM -Patch15: 0015-MINOR-systemd-wrapper-propagate-exit-status.patch - +Source3: usr.sbin.haproxy.apparmor +Source4: local.usr.sbin.haproxy.apparmor +Patch1: haproxy-1.2.16_config_haproxy_user.patch +Patch2: haproxy-makefile_lib.patch +Patch3: sec-options.patch +Patch4: haproxy-1.5_check_config_before_start.patch Source99: haproxy-rpmlintrc # Summary: The Reliable, High Performance TCP/HTTP Load Balancer @@ -73,10 +68,14 @@ License: GPL-2.0+ and LGPL-2.1+ Group: Productivity/Networking/Web/Proxy Provides: %{name}-doc = %{version} Obsoletes: %{name}-doc < %{version} - -%if 0%{?suse_version} >= 1230 +Provides: haproxy-1.5 = %{version} +Obsoletes: haproxy-1.5 < %{version} +# this requires is not strictly needed. we only need it for the ownership of the vim data dir +Requires: vim +%if %{with systemd} %{?systemd_requires} %endif +%{!?vim_data_dir:%global vim_data_dir /usr/share/vim/%(readlink /usr/share/vim/current)} %description HAProxy implements an event-driven, mono-process model which enables support 
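Review bot: The new Patch1–Patch4 lines lost the `# PATCH-FIX-OPENSUSE` / `# PATCH-FIX-UPSTREAM` tag comments that every removed Patch line carried, so the origin and upstream status of the four remaining patches is no longer documented in the spec. Restoring one tag per patch, e.g. `# PATCH-FIX-OPENSUSE run as the haproxy user and chroot into %{pkg_home}` above Patch1 and `# PATCH-FEATURE-OPENSUSE USE_PIE/USE_STACKPROTECTOR/USE_RELRO_NOW build knobs` above Patch3, keeps the hardening options traceable to the build section that enables them. Patch4 is applied with `-p1` in %prep while the other three take the default strip level; a comment noting that it is a git-format patch would explain the difference.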
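Review bot: `%{!?vim_data_dir:%global vim_data_dir /usr/share/vim/%(readlink /usr/share/vim/current)}` runs readlink at spec parse time, and when `current` is missing or is not a symlink the command prints nothing, so the macro quietly becomes `/usr/share/vim/` and the syntax file is installed into `/usr/share/vim/syntax` without any build failure. Making the fallback loud is a one-word change: `%(readlink /usr/share/vim/current || echo vim-current-missing)`, which then fails the %files stage with an obvious path. The `BuildRequires: vim` added in the previous hunk presumably exists to provide that symlink; a comment saying so, `# vim provides /usr/share/vim/current, from which vim_data_dir is derived`, would make the build dependency self-explanatory.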
@@ -91,40 +90,54 @@ the most work done from every CPU cycle. %prep %setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 +%patch1 +%patch2 +%patch3 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 %build %{__make} \ TARGET=linux26 \ CPU="%{_target_cpu}" \ USE_PCRE=1 \ + %if %{with pcre_jit} + USE_PCRE_JIT=1 \ + %endif USE_LIBCRYPT=1 \ + USE_OPENSSL=1 \ + USE_ZLIB=1 \ + USE_NETFILTER=1 \ + %ifarch %ix86 + USE_REGPARM=1 \ + %endif + USE_TPROXY=1 \ + USE_LINUX_TPROXY=1 \ + USE_LINUX_SPLICE=1 \ + USE_ACCEPT4=1 \ + USE_CPU_AFFINITY=1 \ + USE_GETADDRINFO=1 \ + USE_GETSOCKNAME=1 \ + USE_PIE=1 \ + USE_STACKPROTECTOR=1 \ + USE_RELRO_NOW=1 \ +%if %{with tcp_fast_open} + USE_TFO=1 \ +%endif LIB="%{_lib}" \ - DEBUG="%{optflags} -fno-strict-aliasing" - -%{__make} PREFIX="%{_prefix}" -C contrib/systemd + PREFIX="%{_prefix}" \ + DEBUG_CFLAGS="%{optflags}" +make -C contrib/systemd PREFIX="%{_prefix}" +make -C contrib/halog PREFIX="%{_prefix}" \ + DEFINE="%{optflags} -pie -fpie -fstack-protector -Wl,-z,relro,-z,now" %install %{__install} -D -m 0755 %{pkg_name} %{buildroot}%{_sbindir}/%{pkg_name} %{__install} -D -m 0644 examples/%{pkg_name}.cfg %{buildroot}%{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg -%if 0%{?suse_version} >= 1230 +%{__install} -D -m 0755 contrib/halog/halog %{buildroot}%{_sbindir}/haproxy-halog +%if %{with systemd} %{__install} -D -m 0755 haproxy-systemd-wrapper %{buildroot}%{_sbindir}/haproxy-systemd-wrapper -%{__install} -D -m 0755 contrib/systemd/%{pkg_name}.service %{buildroot}%{_unitdir}/%{pkg_name}.service +%{__install} -D -m 0644 contrib/systemd/%{pkg_name}.service %{buildroot}%{_unitdir}/%{pkg_name}.service ln -sf /sbin/service %{buildroot}%{_sbindir}/rc%{pkg_name} %else %{__install} -D -m 0755 %{S:1} %{buildroot}%{_sysconfdir}/init.d/%{pkg_name} 
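Review bot: The same section now mixes `%{__make}` for the main build with bare `make` for the contrib/systemd and contrib/halog builds, and indents `%if %{with pcre_jit}` and `%ifarch %ix86` inside the continued command while `%if %{with tcp_fast_open}` sits at column 0; one form for each keeps the section readable. The halog build spells the hardening flags out by hand in `DEFINE=`, duplicating what USE_PIE, USE_STACKPROTECTOR and USE_RELRO_NOW add through sec-options.patch, so the two sets can drift apart; a `%global hardening_flags -pie -fpie -fstack-protector -Wl,-z,relro,-z,now` defined once and used in DEFINE at least keeps the halog side in one place. A comment above the USE_PIE line, `# hardening knobs provided by sec-options.patch (Patch3)`, would tell a reader where these non-upstream options come from.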
@@ -132,9 +145,14 @@ ln -sf /sbin/service %{buildroot}%{_sbindir}/rc%{pkg_name} %endif %{__install} -d -m 0755 %{buildroot}%{pkg_home} -%{__install} -D -m 0644 %{S:2} %{buildroot}%{_datadir}/%{pkg_name}/%{pkg_name}.vim +%{__install} -D -m 0644 %{S:2} %{buildroot}%{vim_data_dir}/syntax/%{pkg_name}.vim %{__install} -D -m 0644 doc/%{pkg_name}.1 %{buildroot}%{_mandir}/man1/%{pkg_name}.1 -gzip %{buildroot}%{_mandir}/man1/%{pkg_name}.1 +%if %{with apparmor} +%{__install} -D -m 0644 %{S:3} %{buildroot}/etc/apparmor.d/usr.sbin.haproxy +%{__install} -D -m 0644 %{S:4} %{buildroot}/etc/apparmor.d/local/usr.sbin.haproxy +%endif + +%{__rm} examples/haproxy.spec %if 0%{?suse_version} < 1230 %clean @@ -144,11 +162,9 @@ gzip %{buildroot}%{_mandir}/man1/%{pkg_name}.1 %pre /usr/sbin/groupadd -r %{pkg_name} &>/dev/null ||: /usr/sbin/useradd -g %{pkg_name} -s /bin/false -r -c "user for %{pkg_name}" -d %{pkg_home} %{pkg_name} &>/dev/null ||: -%if 0%{?suse_version} >= 1230 - %service_add_pre %{pkg_name}.service -%endif -%if 0%{?suse_version} >= 1230 +%if %{with systemd} +%service_add_pre %{pkg_name}.service %post %service_add_post %{pkg_name}.service @@ -176,12 +192,11 @@ gzip %{buildroot}%{_mandir}/man1/%{pkg_name}.1 %files %defattr(-,root,root,-) %doc CHANGELOG README LICENSE -%doc ROADMAP TODO doc/* examples +%doc ROADMAP doc/* examples/ +%doc contrib/netsnmp-perl/ contrib/selinux/ %dir %{_sysconfdir}/%{pkg_name} %config(noreplace) %{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg - -%if 0%{?suse_version} >= 1230 - +%if %{with systemd} %{_unitdir}/%{pkg_name}.service %{_sbindir}/haproxy-systemd-wrapper 
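Review bot: The profile is installed into /etc/apparmor.d, but the scriptlets visible here (`%pre` and the start of `%post`) do nothing to load it, so on a host with AppArmor enforcing a fresh install runs haproxy unconfined and an update that ships a changed profile keeps the old policy until the apparmor service is restarted; if the rest of %post does not already handle it, `%if %{with apparmor}` / `apparmor_parser -r %{_sysconfdir}/apparmor.d/usr.sbin.haproxy >/dev/null 2>&1 || :` / `%endif` is the usual remedy. The install lines also hard-code `/etc/apparmor.d` while the rest of the spec uses `%{_sysconfdir}`; using the macro keeps the file consistent. `%{__rm} examples/haproxy.spec` edits the source tree from %install so that `%doc examples/` does not ship it; that belongs in %prep, or deserves a comment saying why it is here.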
@@ -192,9 +207,16 @@ gzip %{buildroot}%{_mandir}/man1/%{pkg_name}.1 %endif %{_sbindir}/haproxy +%{_sbindir}/haproxy-halog %{_sbindir}/rchaproxy %{pkg_home} -%doc %{_mandir}/man1/%{pkg_name}.1.gz -%{_datadir}/%{pkg_name} +%{_mandir}/man1/%{pkg_name}.1.gz +%{vim_data_dir}/syntax/%{pkg_name}.vim +%if %{with apparmor} +%dir /etc/apparmor.d/ +%dir /etc/apparmor.d/local/ +%config(noreplace) /etc/apparmor.d/usr.sbin.haproxy +%config(noreplace) /etc/apparmor.d/local/usr.sbin.haproxy +%endif %changelog diff --git a/local.usr.sbin.haproxy.apparmor b/local.usr.sbin.haproxy.apparmor new file mode 100644 index 0000000..fc278de --- /dev/null +++ b/local.usr.sbin.haproxy.apparmor @@ -0,0 +1 @@ +# Site-specific additions and overrides for usr.sbin.haproxy.apparmor diff --git a/sec-options.patch b/sec-options.patch new file mode 100644 index 0000000..2554d93 --- /dev/null +++ b/sec-options.patch 
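Review bot: `%{_mandir}/man1/%{pkg_name}.1.gz` is still listed although the explicit `gzip` step was removed from %install in the preceding hunk, so the entry now depends on the build's brp-compress pass; `%{_mandir}/man1/%{pkg_name}.1%{?ext_man}` expresses that dependency instead of hard-coding the suffix. The new `%dir /etc/apparmor.d/` and `%dir /etc/apparmor.d/local/` entries make this package a co-owner of AppArmor's own directories, presumably because it does not Require apparmor; a comment stating that this is deliberate would stop the next reviewer from flagging it, and `%{_sysconfdir}` would match the rest of the file.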
@@ -0,0 +1,40 @@
+Index: Makefile
+===================================================================
+--- Makefile.orig 2014-06-05 19:23:53.559663353 +0200
++++ Makefile 2014-06-05 19:29:01.679662808 +0200
+@@ -594,6 +594,35 @@ OPTIONS_CFLAGS += -DUSE_TFO
+ BUILD_OPTIONS += $(call ignore_implicit,USE_TFO)
+ endif
+
++# PIE
++ifneq ($(USE_PIE),)
++OPTIONS_CFLAGS += -DUSE_PIE
++BUILD_OPTIONS += $(call ignore_implicit,USE_PIE)
++OPTIONS_LDFLAGS += -pie
++# still need to figure out how to express this conditional in the makefile
++# %ifarch s390 s390x %sparc
++# PIEFLAGS="-fPIE"
++# %else
++# PIEFLAGS="-fpie"
++# %endif
++# PIE_FLAGS.s390 = -fPIE
++# PIE_FLAGS.i386 = -fpie
++# SEC_FLAGS += $(PIE_FLAGS.$(ARCH))
++OPTIONS_CFLAGS += -fpie
++endif
++
++ifneq ($(USE_STACKPROTECTOR),)
++OPTIONS_CFLAGS += -DUSE_STACKPROTECTOR
++BUILD_OPTIONS += $(call ignore_implicit,USE_STACKPROTECTOR)
++OPTIONS_CFLAGS += -fstack-protector
++endif
++
++ifneq ($(USE_RELRO_NOW),)
++OPTIONS_CFLAGS += -DUSE_RELRO_NOW
++BUILD_OPTIONS += $(call ignore_implicit,USE_RELRO_NOW)
++OPTIONS_LDFLAGS += -Wl,-z,relro,-z,now
++endif
++
+ # This one can be changed to look for ebtree files in an external directory
+ EBTREE_DIR := ebtree
+
diff --git a/usr.sbin.haproxy.apparmor b/usr.sbin.haproxy.apparmor
new file mode 100644
index 0000000..1e15a7e
--- /dev/null
+++ b/usr.sbin.haproxy.apparmor
@@ -0,0 +1,29 @@
+#include
+
+/usr/sbin/haproxy {
+ #include
+ #include
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability kill,
+ capability sys_resource,
+ capability sys_chroot,
+
+ # those are needed for the stats socket creation
+ capability chown,
+ capability fowner,
+ capability fsetid,
+
+ network tcp,
+
+ /etc/haproxy/* r,
+
+ /var/lib/haproxy/stats rwl,
+ /var/lib/haproxy/stats.*.bak rwl,
+ /var/lib/haproxy/stats.*.tmp rwl,
+ /{,var/}run/haproxy.pid rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
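Review bot: The PIE block ends with `OPTIONS_CFLAGS += -fpie` after nine commented-out lines that themselves describe the open problem (s390/sparc need -fPIE); the dead lines should go, and the simplest portable fix is to use `-fPIE` on every architecture, since -fPIE is accepted wherever -fpie is and only costs a slightly larger GOT. Each block also adds a `-DUSE_*` define that nothing visible in this request consumes; that is harmless and matches the surrounding Makefile style, but a comment such as `# USE_PIE/USE_STACKPROTECTOR/USE_RELRO_NOW: hardening knobs enabled by the distro spec` would record why they exist. Where the toolchain supports it, `-fstack-protector-strong` covers more functions than `-fstack-protector` at little cost, but that needs a compiler check this Makefile does not have yet.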
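Review bot: `/etc/haproxy/* r,` matches only direct children of /etc/haproxy, yet the same request turns on USE_OPENSSL=1, so certificate bundles kept in a subdirectory such as /etc/haproxy/certs/ or in the system store would be denied at startup; `/etc/haproxy/** r,` plus `#include <abstractions/ssl_certs>` covers both cases without widening anything else. The include targets appear blank in this rendering (`#include` with nothing after it), presumably stripped angle brackets, so they should be checked in the committed file. A comment above `network tcp,` noting that both listeners and backend connections need it, and one above the capability list saying that net_bind_service, setuid/setgid and sys_chroot cover the privileged start-up before the drop to the haproxy user, would document the profile's intent.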