From: Michele Baldessari <michele@acksyn.org>
Date: Wed, 8 Mar 2017 14:23:59 +0000 (+0100)
Subject: Correct haproxy's stat unix socket path
X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=c802a805d400f12835b53bd7fed7ab086a04e9c4;p=apex-puppet-tripleo.git

Correct haproxy's stat unix socket path

We currently set the haproxy stat socket to /var/run/haproxy.sock.
On Centos/RHEL with selinux enabled this will break:

avc: denied { link } for pid=284010 comm="haproxy"
name="haproxy.sock" dev="tmpfs" ino=330803
scontext=system_u:system_r:haproxy_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

The blessed/correctly-labeled path is /var/lib/haproxy/stats

Note: I am setting only Partial-Bug because I would still like
to make this a parameter so other distros may just override the path.
But that change is more apt for pike and not for ocata.

Change-Id: I62aab6fb188a9103f1586edac1c2aa7949fdb08c
Patial-Bug: #1671119
(cherry picked from commit 5f8607711bb85150bb9631559f0538254ba5c5cc)
---

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 13d4ba5..0f1bece 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -808,7 +808,7 @@ class tripleo::haproxy (
       'ssl-default-bind-ciphers' => $ssl_cipher_suite,
       'ssl-default-bind-options' => $ssl_options,
       'stats'                    => [
-        'socket /var/run/haproxy.sock mode 600 level user',
+        'socket /var/lib/haproxy/stats mode 600 level user',
         'timeout 2m'
       ],
     },