From 650894d19039e9f3626f5b16912cc5125706d53a Mon Sep 17 00:00:00 2001 From: Oleksander Piskun Date: Fri, 23 Jan 2026 09:14:21 +0200 Subject: [PATCH] move configs to "/run/harp" instead of "/"(root) Signed-off-by: Oleksander Piskun --- healthcheck.sh | 9 ++++++- start.sh | 69 +++++++++++++++++++++++++++++--------------------- 2 files changed, 48 insertions(+), 30 deletions(-) diff --git a/healthcheck.sh b/healthcheck.sh index 6ec06a4..692886c 100644 --- a/healthcheck.sh +++ b/healthcheck.sh @@ -12,8 +12,15 @@ # # This script returns 0 if all checks pass, 1 otherwise. +# Determine config directory (same logic as start.sh) +if [ -f "/run/harp/haproxy.cfg" ]; then + CFG_DIR="/run/harp" +else + CFG_DIR="" +fi + # 1) Validate HAProxy config -haproxy -c -f /haproxy.cfg || exit 1 +haproxy -c -f "${CFG_DIR}/haproxy.cfg" || exit 1 if ! command -v nc >/dev/null 2>&1; then echo "ERROR: 'nc' command not found. Install netcat." diff --git a/start.sh b/start.sh index de72e21..04aa7b3 100644 --- a/start.sh +++ b/start.sh @@ -7,7 +7,7 @@ set -e # ---------------------------------------------------------------------------- # start.sh # - Generates self-signed certificates for FRP Server and FRP Clients -# - Generates /haproxy.cfg from haproxy.cfg.template +# - Generates haproxy.cfg from haproxy.cfg.template (in /run/harp if available) # - Reads HP_SHARED_KEY or HP_SHARED_KEY_FILE # - Comments out HTTPS frontends if no /certs/cert.pem is found # - Starts FRP server (frps) on HP_FRP_ADDRESS @@ -36,6 +36,17 @@ log() { fi } +# ---------------------------------------------------------------------------- +# Determine config directory - use /run/harp if available (for read-only rootfs) +# If user mounted config files at root, use root paths for backward compatibility +# ---------------------------------------------------------------------------- +CFG_DIR="" +if [ -f "/haproxy.cfg" ] || [ -f "/frps.toml" ] || [ -f "/frpc-docker.toml" ]; then + log "INFO: Found user-provided config file(s) at root, using root paths." +elif [ -d "/run/harp" ] || mkdir -p /run/harp 2>/dev/null; then + CFG_DIR="/run/harp" +fi + # ---------------------------------------------------------------------------- # Helper function to strip surrounding quotes from a string. # This is useful because users sometimes accidentally include quotes in @@ -239,38 +250,38 @@ else fi # ---------------------------------------------------------------------------- -# Generate final /haproxy.cfg if not already present +# Generate final haproxy.cfg if not already present # ---------------------------------------------------------------------------- -if [ -f "/haproxy.cfg" ]; then - log "INFO: /haproxy.cfg already present. Skipping config generation..." +if [ -f "${CFG_DIR}/haproxy.cfg" ]; then + log "INFO: ${CFG_DIR}/haproxy.cfg already present. Skipping config generation..." else - log "INFO: Creating /haproxy.cfg from haproxy.cfg.template..." + log "INFO: Creating ${CFG_DIR}/haproxy.cfg from haproxy.cfg.template..." # Use envsubst to render the main configuration. - envsubst < /haproxy.cfg.template > /haproxy.cfg + envsubst < /haproxy.cfg.template > "${CFG_DIR}/haproxy.cfg" # If we do not have a SSL cert for HAProxy, comment out the HTTPS frontends if [ -f "/certs/cert.pem" ]; then log "INFO: Found /certs/cert.pem, HTTPS frontends remain enabled." - sed -i "/_HTTPS_FRONTEND_/ s|_HTTPS_FRONTEND_ ||g" /haproxy.cfg + sed -i "/_HTTPS_FRONTEND_/ s|_HTTPS_FRONTEND_ ||g" "${CFG_DIR}/haproxy.cfg" chmod 644 /certs/cert.pem else log "INFO: No /certs/cert.pem found, disabling HTTPS frontends..." - sed -i "/_HTTPS_FRONTEND_/ s|^|#|g" /haproxy.cfg + sed -i "/_HTTPS_FRONTEND_/ s|^|#|g" "${CFG_DIR}/haproxy.cfg" fi fi if [ "$HP_VERBOSE_START" -eq 1 ]; then - log "INFO: Final /haproxy.cfg:" - cat /haproxy.cfg + log "INFO: Final ${CFG_DIR}/haproxy.cfg:" + cat "${CFG_DIR}/haproxy.cfg" fi # ---------------------------------------------------------------------------- # Prepare FRP configuration # ---------------------------------------------------------------------------- -if [ ! -f "/frps.toml" ]; then +if [ ! -f "${CFG_DIR}/frps.toml" ]; then if [ "${HP_FRP_DISABLE_TLS}" != "true" ]; then -cat </frps.toml +cat <"${CFG_DIR}/frps.toml" bindAddr = "${FRP_HOST}" bindPort = ${FRP_PORT} proxyBindAddr = "127.0.0.1" @@ -280,7 +291,7 @@ transport.tls.certFile = "/certs/frp/server.crt" transport.tls.keyFile = "/certs/frp/server.key" transport.tls.trustedCaFile = "/certs/frp/ca.crt" -log.to = "/frps.log" +log.to = "${CFG_DIR}/frps.log" log.level = "info" log.maxDays = 3 @@ -296,14 +307,14 @@ path = "/frp_handler" ops = ["Login"] EOF else -cat </frps.toml +cat <"${CFG_DIR}/frps.toml" bindAddr = "${FRP_HOST}" bindPort = ${FRP_PORT} proxyBindAddr = "127.0.0.1" transport.tls.force = false -log.to = "/frps.log" +log.to = "${CFG_DIR}/frps.log" log.level = "info" log.maxDays = 3 @@ -319,13 +330,13 @@ path = "/frp_handler" ops = ["Login"] EOF fi - log "INFO: FRP server configuration generated at /frps.toml." + log "INFO: FRP server configuration generated at ${CFG_DIR}/frps.toml." if [ "$HP_VERBOSE_START" -eq 1 ]; then - log "INFO: Generated /frps.toml:" - cat /frps.toml + log "INFO: Generated ${CFG_DIR}/frps.toml:" + cat "${CFG_DIR}/frps.toml" fi else - log "INFO: /frps.toml already exists. Skipping FRP server configuration generation..." + log "INFO: ${CFG_DIR}/frps.toml already exists. Skipping FRP server configuration generation..." fi # ---------------------------------------------------------------------------- @@ -334,10 +345,10 @@ fi if [ -e "/var/run/docker.sock" ]; then LOCAL_FRP_HOST="$FRP_HOST" [ "$LOCAL_FRP_HOST" = "0.0.0.0" ] && LOCAL_FRP_HOST="127.0.0.1" - if [ ! -f "/frpc-docker.toml" ]; then - log "INFO: Detected /var/run/docker.sock, generating /frpc-docker.toml configuration file..." + if [ ! -f "${CFG_DIR}/frpc-docker.toml" ]; then + log "INFO: Detected /var/run/docker.sock, generating ${CFG_DIR}/frpc-docker.toml configuration file..." if [ "${HP_FRP_DISABLE_TLS}" != "true" ]; then -cat </frpc-docker.toml +cat <"${CFG_DIR}/frpc-docker.toml" serverAddr = "${LOCAL_FRP_HOST}" serverPort = ${FRP_PORT} @@ -358,7 +369,7 @@ type = "unix_domain_socket" unixPath = "/var/run/docker.sock" EOF else -cat </frpc-docker.toml +cat <"${CFG_DIR}/frpc-docker.toml" serverAddr = "${LOCAL_FRP_HOST}" serverPort = ${FRP_PORT} @@ -376,11 +387,11 @@ unixPath = "/var/run/docker.sock" EOF fi if [ "$HP_VERBOSE_START" -eq 1 ]; then - log "INFO: Generated /frpc-docker.toml:" - cat /frpc-docker.toml + log "INFO: Generated ${CFG_DIR}/frpc-docker.toml:" + cat "${CFG_DIR}/frpc-docker.toml" fi else - log "INFO: /frpc-docker.toml already exists. Skipping generation..." + log "INFO: ${CFG_DIR}/frpc-docker.toml already exists. Skipping generation..." fi fi @@ -395,7 +406,7 @@ log "INFO: Waiting for SPOA port ${HP_SPOA_ADDRESS}..." wait_for_tcp "$SPOA_HOST" "$SPOA_PORT" "$HP_WAIT_SPOA" "$HP_WAIT_INTERVAL" log "INFO: Starting FRP server on ${HP_FRP_ADDRESS}..." -frps -c /frps.toml & +frps -c "${CFG_DIR}/frps.toml" & # Wait for FRP port to be listening before starting frpc LOCAL_FRP_HOST="$FRP_HOST" @@ -405,8 +416,8 @@ wait_for_tcp "$LOCAL_FRP_HOST" "$FRP_PORT" "$HP_WAIT_FRP" "$HP_WAIT_INTERVAL" if [ -e "/var/run/docker.sock" ]; then log "INFO: Starting FRP client for Docker Engine..." - frpc -c /frpc-docker.toml & + frpc -c "${CFG_DIR}/frpc-docker.toml" & fi log "INFO: Starting HAProxy..." -exec haproxy -f /haproxy.cfg -W -db +exec haproxy -f "${CFG_DIR}/haproxy.cfg" -W -db