[debops.console] Remove /proc hidepid= support

The hidepid configuration has been moved to a new role,
'debops.proc_hidepid'.
parent 8e5c8785
......@@ -125,6 +125,10 @@ Removed
is now available in the :ref:`debops.machine` role. You will need to update
the Ansible inventory variables to reflect the changes.
- [debops.console] Management of the ``/proc`` ``hidepid=`` option has been
moved to a new role, :ref:`debops.proc_hidepid`. You will need to update the
Ansible inventory variables to reflect the changes.
debops v0.6.0 - 2017-10-21
--------------------------
......
......@@ -53,29 +53,6 @@ console_fsckfix: 'yes'
console_fsckfix_releases: [ 'wheezy', 'jessie', 'precise', 'trusty', 'xenial' ]
# ---- /proc & hidepid= options ----
# Mounting /proc with hidepid= allows you to hide process information of other
# users on unprivileged accounts. This functionality is only enabled on recent
# Linux kernels, and only on hardware hosts or KVM virtual machines. For LXC
# containers, have a look at the 'debops.lxc' role. For OpenVZ containers,
# AFAIK there's no way to enable it.
# Enable or disable hidepid= option in /proc. Disabling only stops Ansible
# from adding hidepid= automatically, you need to remove the /proc entry from
# /etc/fstab manually (and optionally remount command from /etc/rc.local)
# because if Ansible tries to do this using the 'mount' module, it will try to
# remove the /proc mount point as well. :-(
console_proc_hidepid: True
# What level of hidepid= to use (choices: 0, 1, 2)
console_proc_hidepid_level: '2'
# System group to set for /proc so that selected users can access it without
# restrictions; this is meant for monitoring services, etc.
console_proc_hidepid_group: 'procadmins'
# ---- /etc/hosts ----
# Add or remove entries in /etc/hosts
......
......@@ -58,28 +58,6 @@
path: '{{ (console_preferred_editors | intersect(console_register_installed_editors.stdout_lines)) | first }}'
tags: [ 'role::console:editor' ]
# Enable hidepid= only on specific hosts
- include: proc_hidepid.yml
when: (ansible_local|d() and ((ansible_local.root|d() and 'ignore-cap12s' in ansible_local.root.flags) or
(ansible_local.cap12s|d() and (not ansible_local.cap12s.enabled | bool or
(ansible_local.cap12s.enabled | bool and 'cap_sys_admin' in ansible_local.cap12s.list)))))
- name: Make sure that Ansible fact directory exists
file:
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
- name: Install proc hidepid fact script
template:
src: 'etc/ansible/facts.d/proc.fact.j2'
dest: '/etc/ansible/facts.d/proc.fact'
owner: 'root'
group: 'root'
mode: '0755'
- name: Remove obsolet sysctl configuration file
file:
path: '/etc/sysctl.d/10-debops.console.conf'
......
---
- name: Make sure that system group with access to /proc exists
group:
name: '{{ console_proc_hidepid_group }}'
system: True
state: 'present'
when: console_proc_hidepid is defined and console_proc_hidepid
- name: Configure /proc with hidepid= in /etc/fstab
mount:
name: '/proc'
src: 'proc'
fstype: 'proc'
opts: 'defaults,hidepid={{ console_proc_hidepid_level }},gid={{ console_proc_hidepid_group }}'
state: 'mounted'
when: console_proc_hidepid is defined and console_proc_hidepid
# This is a workaround for Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1039887
- name: Remount /proc from rc.local when needed
lineinfile:
dest: '/etc/rc.local'
regexp: '^mount -o remount,hidepid={{ console_proc_hidepid_level }},gid={{ console_proc_hidepid_group }} /proc'
line: 'mount -o remount,hidepid={{ console_proc_hidepid_level }},gid={{ console_proc_hidepid_group }} /proc'
insertbefore: 'exit 0'
state: 'present'
when: ((console_proc_hidepid is defined and console_proc_hidepid) and
(ansible_distribution in [ 'Ubuntu' ] and ansible_distribution_release in [ 'trusty' ]))
- name: Create the systemd-logind configuration directory
file:
path: '/etc/systemd/system/systemd-logind.service.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
when: (console_proc_hidepid | bool and
(ansible_local|d() and ansible_local.init|d() and
ansible_local.init == "systemd"))
- name: Ensure that logind is exempt from hidepid
template:
src: 'etc/systemd/system/systemd-logind.service.d/hidepid.conf.j2'
dest: '/etc/systemd/system/systemd-logind.service.d/hidepid.conf'
owner: 'root'
group: 'root'
mode: '0644'
register: console_register_hidepid_logind
when: (console_proc_hidepid | bool and
(ansible_local|d() and ansible_local.init|d() and
ansible_local.init == "systemd"))
- name: Reload systemd daemons
command: systemctl daemon-reload
when: console_register_hidepid_logind.changed | bool
#!/bin/bash
# {{ ansible_managed }}
# Gather information about /proc related to hidepid
set -o nounset -o pipefail -o errexit
hidepid="false"
hidepid_type=""
hidepid_gid=""
hidepid_group=""
if grep -qs -E '^proc\s+.*hidepid=' /proc/mounts ; then
hidepid="true"
# Find the hidepid value
hidepid_type="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /hidepid=/) {print $i}}}' | cut -d= -f2)"
# Find the hidepid gid
hidepid_gid="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /gid=/) {print $i}}}' | cut -d= -f2)"
# Find the hidepid group
if [ -n "${hidepid_gid}" ]; then
hidepid_group="$(getent group ${hidepid_gid} | cut -d: -f1)"
fi
fi
output="{\"hidepid\": \"${hidepid}\", \"hidepid_type\": \"${hidepid_type}\", \"hidepid_gid\": \"${hidepid_gid}\", \"hidepid_group\": \"${hidepid_group}\"}"
echo ${output}
# {{ ansible_managed }}
# Based on https://github.com/indiv0/ansible-role-console
[Service]
SupplementaryGroups={{ console_proc_hidepid_group }}
......@@ -274,8 +274,8 @@ snmpd_load_15min: '{{ (((snmpd_load_base | float) *
# Should the ``debops.snmpd`` add the ``snmp`` user account to a group that has
# access to the ``/proc`` filesystem?
snmpd_proc_hidepid: '{{ True
if (ansible_local|d() and ansible_local.proc|d() and
ansible_local.proc.hidepid|bool)
if (ansible_local|d() and ansible_local.proc_hidepid|d() and
(ansible_local.proc_hidepid.enabled|d())|bool)
else False }}'
......@@ -283,9 +283,9 @@ snmpd_proc_hidepid: '{{ True
#
# Name of the system group which ``snmp`` user will be added to to get
# information about processes.
snmpd_proc_hidepid_group: '{{ (ansible_local.proc.hidepid_group
if (ansible_local|d() and ansible_local.proc|d() and
ansible_local.proc.hidepid_group|d())
snmpd_proc_hidepid_group: '{{ (ansible_local.proc_hidepid.group
if (ansible_local|d() and ansible_local.proc_hidepid|d() and
ansible_local.proc_hidepid.group|d())
else "") }}'
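Review bot: The rewritten conditions in both hunks of this file now read the `ansible_local.proc_hidepid` fact namespace, but the comments above `snmpd_proc_hidepid` and `snmpd_proc_hidepid_group` still do not say which role provides those facts; a line such as `# Requires the 'proc_hidepid' local facts installed by the debops.proc_hidepid role` above each would make the cross-role dependency visible to whoever reads the defaults. On a host where the old `/etc/ansible/facts.d/proc.fact` is still installed and the new role has not yet run, `(ansible_local.proc_hidepid.enabled|d())|bool` presumably evaluates to `False` and the `snmp` account silently loses its `/proc` group membership, since this commit only removes the fact template from `debops.console`, not the fact file on managed hosts, as far as the visible hunks show; the upgrade notes could mention that ordering. The same applies to the `snmpd_proc_hidepid_group` hunk, which falls back to `""` in that case.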
......
......@@ -59,8 +59,28 @@ Inventory variable changes
| ``console_motd`` | :envvar:`machine__motd` | No |
+-------------------+---------------------------------+---------------+
The support for dynamic MOTD has been implemented by the :ref:`debops.machine`
role, you might want to use that instead of the static MOTD file.
The support for dynamic MOTD has been implemented by the :ref:`debops.machine`
role, you might want to use that instead of the static MOTD file.
- Configuration of the ``/proc`` ``hidepid=`` option has been removed from the
``debops.console`` and is now available in the new :ref:`debops.proc_hidepid`
Ansible role. List of default variables that were affected:
+--------------------------------+---------------------------------+---------------+
| Old variable name | New variable name | Changed value |
+================================+=================================+===============+
| ``console_proc_hidepid`` | :envvar:`proc_hidepid__enabled` | No |
+--------------------------------+---------------------------------+---------------+
| ``console_proc_hidepid_level`` | :envvar:`proc_hidepid__level` | No |
+--------------------------------+---------------------------------+---------------+
| ``console_proc_hidepid_group`` | :envvar:`proc_hidepid__group` | No |
+--------------------------------+---------------------------------+---------------+
The logic to enable/disable the ``hidepid=`` configuration has been moved to
the :envvar:`proc_hidepid__enabled` variable to be more accessible. The role
creates its own set of Ansible local facts with new variable names, you might
need to update configuration of the roles that relied on them.
v0.6.0
------
......