haproxy1 VS haproxy2

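HAProxy 2 was released on 2019-06-16. Compared with HAProxy 1, HAProxy 2.0 adds cloud-native support, which makes it better suited to cloud-native environments. HAProxy 1.0 was released in 2001, and the last update, 1.9.16 on 2020/07/31, also marks the end of maintenance for HAProxy 1.x.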

Why choose HAProxy 2.0

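The core feature of HAProxy 2.0 is its integrated support for cloud-native architectures, including L7 retries, Prometheus metrics, traffic shadowing, polyglot extensibility, and gRPC. HAProxy 2.0 also adds an HAProxy 2.0-based Kubernetes Ingress Controller and the powerful HAProxy Data Plane API, which provides a REST API for configuring and managing HAProxy.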

Installing HAProxy 2.0

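On Ubuntu/Debian, the community edition of HAProxy offers a friendlier installation method: users add the corresponding repository and can then install the latest version of HAProxy directly. See Debian/Ubuntu HAProxy packages.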

On CentOS/Fedora, only the Fedora repositories provide a reasonably recent HAProxy, so on this family of Linux platforms HAProxy is usually built and installed from source.

  1. Download the HAProxy 2.6 source [ haproxy download ]

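  2. Install the build dependencies

    yum install gcc pcre-devel openssl-devel tar make -y

  3. Build the program

    tar xf haproxy-2.6.7.tar.gz && cd haproxy-2.6.7/

    # Show the build parameters
    # Running make with no arguments prints the build parameters defined in the Makefile
    make

    # Build. TARGET selects the build platform, not the install path;
    # pass PREFIX=... to change the install location from /usr/local.
    make TARGET=linux-glibc USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
    make install
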
  4. The default installation path is /usr/local/

An officially provided HAProxy 2.0 configuration file: HAProxy 2.0 configuration

Reference

[1] How to install HAProxy load balancer on CentOS

[2] HAProxy 2.0 and Beyond

Troubleshooting

The configuration file is not declared in the HAPROXY_CFGFILES environment variable, cannot start.

    $ haproxy -f haproxy.cfg
    [NOTICE]   (3143) : New program 'api' (3144) forked
    [NOTICE]   (3143) : New worker (3145) forked
    [NOTICE]   (3143) : Loading success.
    time="2022-12-15T18:43:44+08:00" level=fatal msg="The configuration file is not declared in the HAPROXY_CFGFILES environment variable, cannot start."
    [NOTICE]   (3143) : haproxy version is 2.6.7-c55bfdb
    [NOTICE]   (3143) : path to executable is /usr/local/sbin/haproxy
    [ALERT]    (3143) : Current program 'api' (3144) exited with code 1 (Exit)
    [ALERT]    (3143) : exit-on-failure: killing every processes with SIGTERM
    [ALERT]    (3143) : Current worker (3145) exited with code 143 (Terminated)
    [WARNING]  (3143) : All workers exited. Exiting... (1)

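Cause: the configuration file must be specified with its path; haproxy -f haproxy.cfg is wrong. The -f argument behaves as follows:

  • If it is a directory, all files in that directory ending in .cfg are used
  • If it is a file, both ./<filename> and <filename> produce this error; an absolute path is required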
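
The -f behaviour described above can be checked before starting HAProxy. The following is an added example, not code from the original post or from the HAProxy project: the function names are hypothetical, and it assumes the Data Plane API compares its configured file against the semicolon-separated HAPROXY_CFGFILES list by exact string match.

```shell
#!/bin/sh
# Added example: normalise a value intended for "haproxy -f" so that the
# master process (and the programs it forks) only ever see absolute paths.

# Print the absolute path(s) that one -f argument stands for.
#   directory -> every *.cfg file directly inside it
#   file      -> the file itself, made absolute
# Returns non-zero if the argument does not exist or the directory holds
# no .cfg file.
resolve_cfg_arg() {
    arg="$1"
    found=1
    if [ -d "$arg" ]; then
        dir=$(cd "$arg" && pwd -P) || return 1
        for f in "$dir"/*.cfg; do
            [ -f "$f" ] || continue      # skip the unexpanded glob
            printf '%s\n' "$f"
            found=0
        done
        return "$found"
    elif [ -f "$arg" ]; then
        dir=$(cd "$(dirname -- "$arg")" && pwd -P) || return 1
        printf '%s/%s\n' "$dir" "$(basename -- "$arg")"
    else
        echo "resolve_cfg_arg: no such file or directory: $arg" >&2
        return 1
    fi
}

# Succeeds only if path $1 appears verbatim in the semicolon-separated
# list $2 (the format of HAPROXY_CFGFILES). Assumption: exact string match.
cfg_is_declared() {
    case ";$2;" in
        *";$1;"*) return 0 ;;
    esac
    return 1
}

# Typical use (commented out so that sourcing this file has no side effects):
#   cfg=$(resolve_cfg_arg haproxy.cfg) && haproxy -f "$cfg"
```

Running cfg_is_declared with the relative name against a list that holds only the absolute path fails, which mirrors the fatal error in the log above.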

no users configured

    haproxy -f /root/haproxy.cfg
    [NOTICE]   (3193) : New program 'api' (3194) forked
    [NOTICE]   (3193) : New worker (3195) forked
    [NOTICE]   (3193) : Loading success.
    time="2022-12-15T18:45:49+08:00" level=fatal msg="Error initiating users: no users configured in /root/haproxy.cfg, error: section missing"
    [NOTICE]   (3193) : haproxy version is 2.6.7-c55bfdb

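Cause: the Data Plane API program must have the user and group it runs as present in the configuration file. The configuration given in the official manual is incomplete [1]; for the Data Plane API part of the configuration, see [2].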

set gid: operation not permitted

    # haproxy -f /root/haproxy.cfg
    [NOTICE]   (3701) : haproxy version is 2.6.7-c55bfdb
    [NOTICE]   (3701) : path to executable is /usr/local/sbin/haproxy
    [WARNING]  (3701) : config : missing timeouts for frontend 'myfrontend'.
       | While not properly invalid, you will certainly encounter various problems
       | with such a configuration. To fix this, please ensure that all following
       | timeouts are set to a non-zero value: 'client', 'connect', 'server'.
    [WARNING]  (3701) : config : missing timeouts for backend 'web_servers'.
       | While not properly invalid, you will certainly encounter various problems
       | with such a configuration. To fix this, please ensure that all following
       | timeouts are set to a non-zero value: 'client', 'connect', 'server'.
    [NOTICE]   (3701) : New program 'api' (3702) forked
    [NOTICE]   (3701) : New worker (3703) forked
    [NOTICE]   (3701) : Loading success.
    set gid: operation not permitted
    [NOTICE]   (3701) : haproxy version is 2.6.7-c55bfdb
    [NOTICE]   (3701) : path to executable is /usr/local/sbin/haproxy
    [ALERT]    (3701) : Current program 'api' (3702) exited with code 1 (Exit)
    [ALERT]    (3701) : exit-on-failure: killing every processes with SIGTERM
    [ALERT]    (3701) : Current worker (3703) exited with code 143 (Terminated)
    [WARNING]  (3701) : All workers exited. Exiting... (1)

Reference

[1] HAProxy Community

[2] configuration examples

[3] SSSD and LDAP

[4] Chapter 10. Migrating authentication from nslcd to SSSD

[5] OpenLDAP Client 2.4.23: TLS negotiation failure

[6] Chapter 10. Migrating authentication from nslcd to SSSD

[7] Configure SSSD

[8] Configure OpenLDAP SSSD client on CentOS 6/7