r/promtail: Optionally run with DAC_READ_SEARCH

The *promtail* service runs as an unprivileged user by default, which is fine in most cases (i.e. when scraping only the Journal), but may not always be sufficient to read logs from other files. Rather than run Promtail as root in these cases, we can assign it the CAP_DAC_READ_SEARCH capability, which will allow it to read any file, but does not grant it any of root's other privileges. To enable this functionality, the `promtail_dac_read_search` Ansible variable can be set to `true` for a host or group. This will create a systemd unit configuration extension that configures the service to have the CAP_DAC_READ_SEARCH capability in its ambient set.
2024-02-28 19:00:26 -06:00 · 2024-02-28 19:00:26 -06:00 · d9f46d6d62
parent 6645ec36c1
commit d9f46d6d62
4 changed files with 37 additions and 3 deletions
--- a/roles/promtail/defaults/main.yml
+++ b/roles/promtail/defaults/main.yml
@ -1,3 +1,5 @@
+promtail_dac_read_search: false
+
 promtail_positions_file: /tmp/positions.yaml

 promtail_clients:
--- a/roles/promtail/handlers/main.yml
+++ b/roles/promtail/handlers/main.yml
@ -1,4 +1,8 @@
- name: reload promtail
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: restart promtail
  service:
    name: promtail
    state: restarted
--- a/roles/promtail/tasks/deploy.yml
+++ b/roles/promtail/tasks/deploy.yml
@ -18,7 +18,7 @@
    owner: root
    group: root
  notify:
-  - reload promtail
+  - restart promtail
  tags:
  - config

@ -31,11 +31,33 @@
    group: root
    mode: u=rw,go=r
  notify:
-  - reload promtail
+  - restart promtail
  tags:
  - config
  - cert

+- name: ensure promtail systemd unit extension directory exists
+  file:
+    path: /etc/systemd/system/promtail.service.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - systemd
+- name: ensure promtail service capabilities are configured
+  template:
+    src: capabilities.conf.j2
+    dest: /etc/systemd/system/promtail.service.d/capabilities.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart promtail
+  tags:
+  - systemd
+
 - name: ensure promtail service starts at boot
  service:
    name: promtail
@ -43,6 +65,8 @@
  tags:
  - service

+- meta: flush_handlers
+
 - name: ensure promtail is running
  service:
    name: promtail
--- a/roles/promtail/templates/capabilities.conf.j2
+++ b/roles/promtail/templates/capabilities.conf.j2
@ -0,0 +1,4 @@
+[Service]
+{% if promtail_dac_read_search %}
+AmbientCapabilities=CAP_DAC_READ_SEARCH
+{% endif %}