d2iq-archive · vixns · Sep 20, 2016 · Dec 18, 2016 · Dec 18, 2016 · Dec 19, 2016
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,6 @@ FROM debian:stretch
 
 # runtime dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
-        iptables \
         openssl \
         libssl1.0.2 \
         procps \

diff --git a/README.md b/README.md
@@ -292,7 +292,6 @@ The deployment method is described [in this Marathon document](https://mesospher
   - `HAPROXY_DEPLOYMENT_ALT_PORT`: An alternate service port is required because Marathon requires service ports to be unique across all apps
 - Only use 1 service port: multiple ports are not yet implemented
 - Use the provided `zdd.py` script to orchestrate the deploy: the script will make API calls to Marathon, and use the HAProxy stats endpoint to gracefully terminate instances
-- The marathon-lb container must be run in privileged mode (to execute `iptables` commands) due to the issues outlined in the excellent blog post by the [Yelp engineering team found here](http://engineeringblog.yelp.com/2015/04/true-zero-downtime-haproxy-reloads.html)
 - If you have long-lived TCP connections using the same HAProxy instances, it may cause the deploy to take longer than necessary. The script will wait up to 5 minutes (by default) for connections to drain from HAProxy between steps, but any long-lived TCP connections will cause old instances of HAProxy to stick around.
 
 An example minimal configuration for a [test instance of nginx is included here](tests/1-nginx.json). You might execute a deployment from a CI tool like Jenkins with:

diff --git a/build-haproxy.sh b/build-haproxy.sh
@@ -40,7 +40,7 @@ make -j4 \
   LUA_LIB=/usr/local/lib/ \
   LUA_INC=/usr/local/include/ \
   USE_ZLIB=1
-make install-bin
+make EXTRA=haproxy-systemd-wrapper install-bin
 
 # Clean up
 cd /

diff --git a/service/haproxy/run b/service/haproxy/run
@@ -1,55 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 exec 2>&1
-export PIDFILE="/tmp/haproxy.pid"
-
-addFirewallRules() {
-  IFS=',' read -ra ADDR <<< "$PORTS"
-  for i in "${ADDR[@]}"; do
-    iptables -w -I INPUT -p tcp --dport $i --syn -j DROP
-  done
-}
-
-removeFirewallRules() {
-  IFS=',' read -ra ADDR <<< "$PORTS"
-  for i in "${ADDR[@]}"; do
-    while iptables -w -D INPUT -p tcp --dport $i --syn -j DROP 2>/dev/null; do :; done
-  done
-}
-
-reload() {
-  echo "Reloading haproxy"
-
-  (
-    flock 200
-
-    # Begin to drop SYN packets with firewall rules
-    addFirewallRules
-
-    # Wait to settle
-    sleep 0.1
-
-    # Save the current HAProxy state
-    socat /var/run/haproxy/socket - <<< "show servers state" > /var/state/haproxy/global
-
-    # Trigger reload
-    LATEST_HAPROXY_PID=$(cat $PIDFILE)
-    haproxy -p $PIDFILE -f /marathon-lb/haproxy.cfg -D -sf $LATEST_HAPROXY_PID 200>&-
-    if [ -n "${HAPROXY_RELOAD_SIGTERM_DELAY-}" ]; then
-      sleep $HAPROXY_RELOAD_SIGTERM_DELAY && kill $LATEST_HAPROXY_PID 200>&- 2>/dev/null &
-    fi
-
-    # Remove the firewall rules
-    removeFirewallRules
-
-    # Need to wait 1s to prevent TCP SYN exponential backoff
-    sleep 1
-  ) 200>/var/run/haproxy/lock
-}
-
-mkdir -p /var/state/haproxy
-mkdir -p /var/run/haproxy
-
-reload
-
-trap reload SIGHUP
-while true; do sleep 0.5; done
+mkdir -p /var/run/haproxy/
+exec /usr/local/sbin/haproxy-systemd-wrapper -p /run/haproxy.pid -f /marathon-lb/haproxy.cfg