r/promtail: Optionally run with DAC_READ_SEARCH
The *promtail* service runs as an unprivileged user by default, which is fine in most cases (i.e. when scraping only the Journal), but may not always be sufficient to read logs from other files. Rather than run Promtail as root in these cases, we can assign it the CAP_DAC_READ_SEARCH capability, which will allow it to read any file, but does not grant it any of root's other privileges. To enable this functionality, the `promtail_dac_read_search` Ansible variable can be set to `true` for a host or group. This will create a systemd unit configuration extension that configures the service to have the CAP_DAC_READ_SEARCH capability in its ambient set.frigate-exporter
parent
6645ec36c1
commit
d9f46d6d62
|
|
@ -1,3 +1,5 @@
|
||||||
|
promtail_dac_read_search: false
|
||||||
|
|
||||||
promtail_positions_file: /tmp/positions.yaml
|
promtail_positions_file: /tmp/positions.yaml
|
||||||
|
|
||||||
promtail_clients:
|
promtail_clients:
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,8 @@
|
||||||
- name: reload promtail
|
- name: reload systemd
|
||||||
|
systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
|
||||||
|
- name: restart promtail
|
||||||
service:
|
service:
|
||||||
name: promtail
|
name: promtail
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
||||||
|
|
@ -18,7 +18,7 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
notify:
|
notify:
|
||||||
- reload promtail
|
- restart promtail
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
|
||||||
|
|
@ -31,11 +31,33 @@
|
||||||
group: root
|
group: root
|
||||||
mode: u=rw,go=r
|
mode: u=rw,go=r
|
||||||
notify:
|
notify:
|
||||||
- reload promtail
|
- restart promtail
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
- cert
|
- cert
|
||||||
|
|
||||||
|
- name: ensure promtail systemd unit extension directory exists
|
||||||
|
file:
|
||||||
|
path: /etc/systemd/system/promtail.service.d
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rwx,go=rx
|
||||||
|
state: directory
|
||||||
|
tags:
|
||||||
|
- systemd
|
||||||
|
- name: ensure promtail service capabilities are configured
|
||||||
|
template:
|
||||||
|
src: capabilities.conf.j2
|
||||||
|
dest: /etc/systemd/system/promtail.service.d/capabilities.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,go=r
|
||||||
|
notify:
|
||||||
|
- reload systemd
|
||||||
|
- restart promtail
|
||||||
|
tags:
|
||||||
|
- systemd
|
||||||
|
|
||||||
- name: ensure promtail service starts at boot
|
- name: ensure promtail service starts at boot
|
||||||
service:
|
service:
|
||||||
name: promtail
|
name: promtail
|
||||||
|
|
@ -43,6 +65,8 @@
|
||||||
tags:
|
tags:
|
||||||
- service
|
- service
|
||||||
|
|
||||||
|
- meta: flush_handlers
|
||||||
|
|
||||||
- name: ensure promtail is running
|
- name: ensure promtail is running
|
||||||
service:
|
service:
|
||||||
name: promtail
|
name: promtail
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,4 @@
|
||||||
|
[Service]
|
||||||
|
{% if promtail_dac_read_search %}
|
||||||
|
AmbientCapabilities=CAP_DAC_READ_SEARCH
|
||||||
|
{% endif %}
|
||||||
Loading…
Reference in New Issue