shadow \
util-linux && \
groupadd haproxy -g 1000 && \
- adduser -u 1000 -S -D -G haproxy -s /bin/bash haproxy
+ adduser -u 1000 -S -D -G haproxy -s /bin/bash haproxy && \
+ chown -R haproxy:haproxy /usr/local/etc/haproxy
RUN mkdir -p /etc/ssl/certs/ && mkdir -p /etc/ssl/private
-COPY aai.pem /etc/ssl/private/aai.pem
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-COPY resolvers.conf /usr/local/etc/haproxy/resolvers.conf
-COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+COPY --chown=haproxy aai.pem /etc/ssl/private/aai.pem
+COPY --chown=haproxy docker-entrypoint.sh /docker-entrypoint.sh
+COPY --chown=haproxy resolvers.conf /usr/local/etc/haproxy/resolvers.conf
+COPY --chown=haproxy haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
RUN chmod +x /docker-entrypoint.sh
+USER haproxy
ENTRYPOINT [ "/docker-entrypoint.sh" ]
CMD [ "haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg", "-f", "/usr/local/etc/haproxy/resolvers.conf" ]
if [ "$1" = 'haproxy' ]; then
# if the user wants "haproxy", let's use "haproxy-systemd-wrapper" instead so we can have proper reloadability implemented by upstream
shift # "haproxy"
- set -- "$(which haproxy-systemd-wrapper)" -p /run/haproxy.pid "$@"
+ set -- "$(which haproxy-systemd-wrapper)" -p /usr/local/etc/haproxy/haproxy.pid "$@"
fi
exec "$@"