From c73447028fae7f12512be5844cac43cde2b0ca29 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Tue, 29 Nov 2022 09:15:34 +0000
Subject: [PATCH] Create a docker group on startup with the correct GID

This allows haproxy to read the socket, whilst running as a non-privileged user. The container itself needs to run as root to create the group, but haproxy itself changes its own group after startup.
---
 Dockerfile | 6 ++++++
 docker-entrypoint.sh | 10 ++++++++++
 haproxy.cfg | 3 +++
 3 files changed, 19 insertions(+)
 create mode 100755 docker-entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
index 24d522b..a484328 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,4 +30,10 @@ ENV ALLOW_RESTARTS=0 \
 TASKS=0 \
 VERSION=1 \
 VOLUMES=0
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+ENTRYPOINT [ "/docker-entrypoint.sh" ]
+
 COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+
+CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100755
index 0000000..11d6c35
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+# Create a group with the same gid as the docker socket
+export DOCKER_GID=$(stat -c "%g" $SOCKET_PATH)
+addgroup -g $DOCKER_GID docker
+
+# Run the original entrypoint - Our work here is done.
+exec /usr/local/bin/docker-entrypoint.sh $@
diff --git a/haproxy.cfg b/haproxy.cfg
index 011137e..fd37c73 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -4,6 +4,9 @@ global
 pidfile /run/haproxy.pid
 maxconn 4000
+ user haproxy
+ group docker
+
 # Turn on stats unix socket
 server-state-file /var/lib/haproxy/server-state
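Review bot: The new `ENTRYPOINT` makes the image depend on starting as root, but nothing in the Dockerfile says so, and a deployment that passes a non-root `--user` would presumably fail in the wrapper's `addgroup` step. A comment above the `ENTRYPOINT` line would record the requirement, for example `# Wrapper must start as root to create the docker group; haproxy then drops to haproxy:docker`. The same comment could note that `CMD` is restated because setting `ENTRYPOINT` in a child image resets the inherited one.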
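Review bot: `addgroup -g $DOCKER_GID docker` is not idempotent, so under `set -e` the wrapper will likely abort when the container is restarted, because the `docker` group is already in the writable layer. It will also abort when the socket's GID already belongs to another group, for example a socket owned by GID 0. `export DOCKER_GID=$(stat ...)` hides a failed `stat` from `set -e`, and the unquoted `$SOCKET_PATH` and `$@` word-split, so `"$@"` is needed to pass the CMD arguments through intact. The fence shows one way to handle the restart case, assuming the BusyBox-style `delgroup` that pairs with the `addgroup` already used here. The GID-collision case is left open because haproxy.cfg names the group rather than its number.

```shell
# … unchanged: shebang and set -e …

# Assign first, export second, so a failed stat stops the script under set -e.
DOCKER_GID=$(stat -c '%g' "${SOCKET_PATH:?SOCKET_PATH is not set}")
export DOCKER_GID

# The group persists across container restarts; recreate it so the GID always
# matches the socket that is mounted now.
if grep -q '^docker:' /etc/group; then
    delgroup docker
fi
addgroup -g "$DOCKER_GID" docker

exec /usr/local/bin/docker-entrypoint.sh "$@"
```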
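Review bot: `group docker` ties the privilege drop to a group name that exists only if the entrypoint's `addgroup` succeeded, so a socket whose GID already belongs to another group leaves HAProxy with no `docker` group to resolve. Since the entrypoint already exports `DOCKER_GID`, the numeric form `gid "${DOCKER_GID}"` would avoid the name lookup, assuming the HAProxy version in the base image expands environment variables in the config. A short comment above these lines would also help, such as `# Drop root after startup; the group must match the Docker socket's GID`. The global section continues outside the hunk, so whether the pidfile and state file stay writable after the drop cannot be checked from here.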