r/promtail: Optionally run with DAC_READ_SEARCH

The *promtail* service runs as an unprivileged user by default, which is
fine in most cases (i.e. when scraping only the Journal), but may not
always be sufficient to read logs from other files.  Rather than run
Promtail as root in these cases, we can assign it the
CAP_DAC_READ_SEARCH capability, which will allow it to read any file,
but does not grant it any of root's other privileges.

To enable this functionality, the `promtail_dac_read_search` Ansible
variable can be set to `true` for a host or group.  This will create a
systemd unit configuration extension that configures the service to have
the CAP_DAC_READ_SEARCH capability in its ambient set.
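As an added illustration of the mechanism the commit message describes (this is not the role's own template, which does not appear on this page), the systemd drop-in that grants the capability; the file path and the unit name `promtail.service` are assumptions:

```ini
# /etc/systemd/system/promtail.service.d/dac_read_search.conf   (assumed path)
# Added example, not the role's template. A drop-in extends the packaged unit
# without editing it, so package upgrades leave this file alone.
[Service]
# Place CAP_DAC_READ_SEARCH in the ambient set: the unprivileged promtail user
# keeps it across execve, so it can read and traverse any file or directory
# regardless of DAC mode bits, but gains none of root's other privileges.
AmbientCapabilities=CAP_DAC_READ_SEARCH
# Narrow the bounding set to the same single capability so nothing the service
# spawns can ever hold more than this.
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# Ambient capabilities survive no_new_privs, so the usual hardening still fits.
NoNewPrivileges=yes
```

After `systemctl daemon-reload` and a restart of the unit, `systemctl show promtail -p AmbientCapabilities` should report `cap_dac_read_search`, and the `CapAmb:` line in `/proc/<MainPID>/status` should read `0000000000000004` (bit 2 set, which `capsh --decode=4` expands to `cap_dac_read_search`). Anything else there means the drop-in was not picked up or another override cleared it.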
2024-02-28 19:00:26 -06:00
parent 6645ec36c1
commit d9f46d6d62
4 changed files with 37 additions and 3 deletions


@@ -1,3 +1,5 @@
promtail_dac_read_search: false
promtail_positions_file: /tmp/positions.yaml
promtail_clients:
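Review bot: the new default `promtail_dac_read_search: false` keeps the service at least privilege unless a host or group opts in, which is the right default, but the defaults line carries no comment saying what flipping it grants. Since this one boolean hands the service the ability to read every file on the host, add a short comment above it (for example `# Grant CAP_DAC_READ_SEARCH via a systemd drop-in so promtail can read any log file without running as root`) and a matching entry in the role's README so operators see the scope before enabling it.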