Create a docker group on startup with the correct GID

This allows haproxy to read the socket, whilst running as a non-privileged user. The container itself needs to run as root to create the group, but haproxy itself changes its own group after startup.
1 year ago · c73447028f
parent 104914f212
commit c73447028f
3 changed files with 19 additions and 0 deletions
--- a/6
+++ b/6
@ -30,4 +30,10 @@ ENV ALLOW_RESTARTS=0 \
    TASKS=0 \
    VERSION=1 \
    VOLUMES=0
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+ENTRYPOINT [ "/docker-entrypoint.sh" ]
+
 COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+
+CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+# Create a group with the same gid as the docker socket
+export DOCKER_GID=$(stat -c "%g" $SOCKET_PATH)
+addgroup -g $DOCKER_GID docker
+
+# Run the original entrypoint - Our work here is done.
+exec /usr/local/bin/docker-entrypoint.sh $@
--- a/haproxy.cfg
+++ b/haproxy.cfg
@ -4,6 +4,9 @@ global
    pidfile /run/haproxy.pid
    maxconn 4000

+    user haproxy
+    group docker
+
    # Turn on stats unix socket
    server-state-file /var/lib/haproxy/server-state