Verified Commit 0b2f7759 authored by Maciej Delmanowski

Merge branch 'drybjed-role-proc_hidepid'

parents d62b5059 eb94a884
Pipeline #17270108 failed with stages in 4 minutes and 46 seconds
......@@ -947,6 +947,14 @@ stages:
JANE_DIFF_PATTERN: '.*/debops.preseed/.*'
JANE_LOG_PATTERN: '\[debops\.preseed\]'
'proc_hidepid role':
<<: *test_role_no_deps
JANE_TEST_PLAY: '${DEBOPS_PLAYBOOKS}/service/proc_hidepid.yml'
JANE_INVENTORY_GROUPS: 'debops_service_proc_hidepid'
JANE_DIFF_PATTERN: '.*/debops.proc_hidepid/.*'
JANE_LOG_PATTERN: '\[debops\.proc_hidepid\]'
# --- r --- [[[2
......@@ -40,6 +40,8 @@ Added
- :ref:`debops.machine`: manage the :file:`/etc/machine-info` file,
the :file:`/etc/issue` file and a dynamic MOTD.
- :ref:`debops.proc_hidepid`: configure the ``/proc`` ``hidepid=`` options.
- You can now :ref:`use Vagrant <quick_start__vagrant>` to create an Ansible
Controller based on Debian Stretch and use it to manage itself or other hosts
over the network.
......@@ -123,6 +125,10 @@ Removed
is now available in the :ref:`debops.machine` role. You will need to update
the Ansible inventory variables to reflect the changes.
- [debops.console] Management of the ``/proc`` ``hidepid=`` option has been
moved to a new role, :ref:`debops.proc_hidepid`. You will need to update the
Ansible inventory variables to reflect the changes.
debops v0.6.0 - 2017-10-21
......@@ -121,6 +121,9 @@
- role: debops.root_account
tags: [ 'role::root_account' ]
- role: debops.proc_hidepid
tags: [ 'role::proc_hidepid' ]
- role: debops.console
tags: [ 'role::console' ]
......@@ -17,7 +17,7 @@
- role: debops.tcpwrappers
tags: [ 'role::tcpwrappers' ]
- '{{ mariadb_server__tcpwrappers__dependent_allow }}'
- role: debops.mariadb_server
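Review bot: the mariadb_server playbook hunk (`@@ -17,7 +17,7 @@`) touches only the `'{{ mariadb_server__tcpwrappers__dependent_allow }}'` line and has nothing to do with the new proc_hidepid role; an unrelated whitespace or indentation fix like this is easier to review and bisect as its own commit rather than bundled into this merge.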
- name: Manage /proc hidepid= configuration
hosts: [ 'debops_all_hosts', 'debops_service_proc_hidepid' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
- role: debops.proc_hidepid
tags: [ 'role::proc_hidepid' ]
......@@ -53,29 +53,6 @@ console_fsckfix: 'yes'
console_fsckfix_releases: [ 'wheezy', 'jessie', 'precise', 'trusty', 'xenial' ]
# ---- /proc & hidepid= options ----
# Mounting /proc with hidepid= allows you to hide process information of other
# users on unprivileged accounts. This functionality is only enabled on recent
# Linux kernels, and only on hardware hosts or KVM virtual machines. For LXC
# containers, have a look at the 'debops.lxc' role. For OpenVZ containers,
# AFAIK there's no way to enable it.
# Enable or disable hidepid= option in /proc. Disabling only stops Ansible
# from adding hidepid= automatically, you need to remove the /proc entry from
# /etc/fstab manually (and optionally remount command from /etc/rc.local)
# because if Ansible tries to do this using the 'mount' module, it will try to
# remove the /proc mount point as well. :-(
console_proc_hidepid: True
# What level of hidepid= to use (choices: 0, 1, 2)
console_proc_hidepid_level: '2'
# System group to set for /proc so that selected users can access it without
# restrictions; this is meant for monitoring services, etc.
console_proc_hidepid_group: 'procadmins'
# ---- /etc/hosts ----
# Add or remove entries in /etc/hosts
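Review bot: the operational guidance in the removed comment block is not carried over into the new role's defaults. The notes that hidepid= only works on hardware hosts and KVM guests, that LXC containers are handled by the 'debops.lxc' role, and that OpenVZ has no way to enable it are useful to anyone reading `proc_hidepid__enabled`; suggest moving that text into the `proc_hidepid__enabled` docstring in `defaults/main.yml` so the capability-based default is explained to the user.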
......@@ -58,28 +58,6 @@
path: '{{ (console_preferred_editors | intersect(console_register_installed_editors.stdout_lines)) | first }}'
tags: [ 'role::console:editor' ]
# Enable hidepid= only on specific hosts
- include: proc_hidepid.yml
when: (ansible_local|d() and ((ansible_local.root|d() and 'ignore-cap12s' in ansible_local.root.flags) or
(ansible_local.cap12s|d() and (not ansible_local.cap12s.enabled | bool or
(ansible_local.cap12s.enabled | bool and 'cap_sys_admin' in ansible_local.cap12s.list)))))
- name: Make sure that Ansible fact directory exists
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
- name: Install proc hidepid fact script
src: 'etc/ansible/facts.d/proc.fact.j2'
dest: '/etc/ansible/facts.d/proc.fact'
owner: 'root'
group: 'root'
mode: '0755'
- name: Remove obsolet sysctl configuration file
path: '/etc/sysctl.d/10-debops.console.conf'
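Review bot: dropping the "Remove obsolet sysctl configuration file" task means hosts that still carry `/etc/sysctl.d/10-debops.console.conf` from older runs will keep it indefinitely. If that cleanup is still relevant, move the task into the new role (or keep it in `debops.console`) rather than deleting it; if it is no longer needed, say so in the changelog so operators know to check for the leftover file themselves.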
debops.proc_hidepid - Configure /proc hidepid= options
Copyright (C) 2018 Maciej Delmanowski <[email protected]>
Copyright (C) 2018 DebOps
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# debops.proc_hidepid default variables
# =====================================
# .. envvar:: proc_hidepid__enabled [[[
# Enable or disable support for managing the ``/proc`` ``hidepid=`` option
# using Ansible.
proc_hidepid__enabled: '{{ True
if ((ansible_system_capabilities_enforced|bool and
"cap_sys_admin" in ansible_system_capabilities) or
not ansible_system_capabilities_enforced|bool)
else False }}'
# ]]]
# .. envvar:: proc_hidepid__level [[[
# Specify what level of protection for the ``/proc`` files to configure:
# - ``0``: no protection, files are world-readable
# - ``1``: the ``/proc`` contents are protected using UNIX permissions, file
# owners can access their own files
# - ``2``: the ``/proc`` contents are invisible to non-owners, only ``root``
# and users in the specific UNIX system group can see everything
proc_hidepid__level: '2'
# ]]]
# .. envvar:: proc_hidepid__group [[[
# Name of the UNIX system group which will have unrestricted access to the
# ``/proc`` filesystem.
proc_hidepid__group: 'procadmins'
# ]]]
# .. envvar:: proc_hidepid__gid [[[
# The GID used by the UNIX system group. If not specified, it will be selected
# automatically. It might be best not to change existing GID once set.
proc_hidepid__gid: ''
# ]]]
# ]]]
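Review bot: the fold markers in this file look unbalanced: four `[[[` openers (`proc_hidepid__enabled`, `__level`, `__group`, `__gid`) but five `# ]]]` closers, with two consecutive closers at the end. Either the header at the top is missing a `[[[1` section marker or the final `# ]]]` is stray. Separately, `proc_hidepid__enabled` dereferences `ansible_system_capabilities_enforced` and `ansible_system_capabilities` without a `|d()` guard, so any play that runs the role with fact gathering disabled will fail with an undefined variable instead of defaulting to disabled; the old `debops.console` condition guarded every `ansible_local.*` lookup with `|d()`, and the same style would be safer here.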
dependencies: []
author: 'Maciej Delmanowski'
description: 'Configure /proc hidepid= options'
company: 'DebOps'
license: 'GPL-3.0'
min_ansible_version: '2.4.0'
- name: Ubuntu
- precise
- trusty
- xenial
- name: Debian
- wheezy
- jessie
- stretch
- system
- security
- hidepid
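Review bot: `wheezy` and `precise` are declared as supported platforms here, while the defaults removed from `debops.console` in this same merge describe hidepid= as "only enabled on recent Linux kernels". Please confirm the role actually works (or cleanly skips) on those releases before advertising them in `meta/main.yml`, or drop them from the list.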
- name: Make sure that system group with access to /proc exists
- name: Ensure that UNIX system group with /proc access exists
name: '{{ console_proc_hidepid_group }}'
system: True
name: '{{ proc_hidepid__group }}'
gid: '{{ proc_hidepid__gid if proc_hidepid__gid|d() else omit }}'
state: 'present'
when: console_proc_hidepid is defined and console_proc_hidepid
system: True
when: proc_hidepid__enabled|bool
- name: Configure /proc with hidepid= in /etc/fstab
- name: Configure /proc with hidepid= option in /etc/fstab
name: '/proc'
src: 'proc'
fstype: 'proc'
opts: 'defaults,hidepid={{ console_proc_hidepid_level }},gid={{ console_proc_hidepid_group }}'
opts: 'defaults,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }}'
state: 'mounted'
when: console_proc_hidepid is defined and console_proc_hidepid
when: proc_hidepid__enabled|bool
# This is a workaround for Ubuntu bug:
- name: Remount /proc from rc.local when needed
dest: '/etc/rc.local'
regexp: '^mount -o remount,hidepid={{ console_proc_hidepid_level }},gid={{ console_proc_hidepid_group }} /proc'
line: 'mount -o remount,hidepid={{ console_proc_hidepid_level }},gid={{ console_proc_hidepid_group }} /proc'
regexp: '^mount -o remount,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }} /proc'
line: 'mount -o remount,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }} /proc'
insertbefore: 'exit 0'
state: 'present'
when: ((console_proc_hidepid is defined and console_proc_hidepid) and
(ansible_distribution in [ 'Ubuntu' ] and ansible_distribution_release in [ 'trusty' ]))
when: (proc_hidepid__enabled|bool and
(ansible_distribution in [ 'Ubuntu' ] and
ansible_distribution_release in [ 'trusty' ]))
- name: Create the systemd-logind configuration directory
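Review bot: every task here is gated on `proc_hidepid__enabled|bool`, so setting it to False on a host that was previously configured leaves the `hidepid=` entry in `/etc/fstab` and the `rc.local` remount line in place. The comment removed from `debops.console` warned about exactly this (and why the `mount` module cannot simply be used with `state: absent` for `/proc`); that caveat should reappear in the `proc_hidepid__enabled` documentation so operators know that disabling the variable does not revert the mount options. Also, the "This is a workaround for Ubuntu bug:" comment has no bug reference after the colon.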
......@@ -34,9 +36,7 @@
owner: 'root'
group: 'root'
mode: '0755'
when: (console_proc_hidepid | bool and
(ansible_local|d() and ansible_local.init|d() and
ansible_local.init == "systemd"))
when: proc_hidepid__enabled|bool and ansible_service_mgr == 'systemd'
- name: Ensure that logind is exempt from hidepid
......@@ -45,12 +45,30 @@
owner: 'root'
group: 'root'
mode: '0644'
register: console_register_hidepid_logind
when: (console_proc_hidepid | bool and
(ansible_local|d() and ansible_local.init|d() and
ansible_local.init == "systemd"))
register: proc_hidepid__register_logind
when: proc_hidepid__enabled|bool and ansible_service_mgr == 'systemd'
- name: Reload systemd daemons
command: systemctl daemon-reload
when: console_register_hidepid_logind.changed | bool
when: proc_hidepid__register_logind|changed
- name: Make sure that Ansible local facts directory exists
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
- name: Save proc_hidepid local facts
src: 'etc/ansible/facts.d/proc_hidepid.fact.j2'
dest: '/etc/ansible/facts.d/proc_hidepid.fact'
owner: 'root'
group: 'root'
mode: '0755'
register: proc_hidepid__register_facts
- name: Update Ansible facts if they were modified
action: setup
when: proc_hidepid__register_facts|changed
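Review bot: the old fact script `/etc/ansible/facts.d/proc.fact` installed by `debops.console` is never removed, so hosts upgraded from the previous role end up with both `ansible_local.proc` and `ansible_local.proc_hidepid` present, and the stale one keeps reporting the old `hidepid_type` key. Suggest adding a `file: path: '/etc/ansible/facts.d/proc.fact' state: 'absent'` task next to "Save proc_hidepid local facts". Two smaller points: `systemctl daemon-reload` only re-reads the `SupplementaryGroups` drop-in, the running `systemd-logind` keeps its old groups until it is restarted, which is worth a comment; and the `systemd` module's `daemon_reload: True` would avoid the `command` task reporting changed on every run.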
......@@ -6,17 +6,18 @@
set -o nounset -o pipefail -o errexit
if grep -qs -E '^proc\s+.*hidepid=' /proc/mounts ; then
# Find the hidepid value
hidepid_type="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /hidepid=/) {print $i}}}' | cut -d= -f2)"
hidepid_level="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /hidepid=/) {print $i}}}' | cut -d= -f2)"
# Find the hidepid gid
hidepid_gid="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /gid=/) {print $i}}}' | cut -d= -f2)"
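Review bot: the `grep | awk | awk | cut` pipeline is now duplicated verbatim for `hidepid_level` and `hidepid_gid`; parsing the mount options once (for example a single `awk -F','` pass over the fourth field that emits both values) would keep the two extractions in sync and make the `hidepid_type` to `hidepid_level` rename harder to get wrong in one place and not the other.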
......@@ -28,7 +29,6 @@ if grep -qs -E '^proc\s+.*hidepid=' /proc/mounts ; then
output="{\"hidepid\": \"${hidepid}\", \"hidepid_type\": \"${hidepid_type}\", \"hidepid_gid\": \"${hidepid_gid}\", \"hidepid_group\": \"${hidepid_group}\"}"
echo ${output}
output="{\"configured\": \"${hidepid_configured}\", \"enabled\": \"${hidepid_enabled}\", \"level\": \"${hidepid_level}\", \"gid\": \"${hidepid_gid}\", \"group\": \"${hidepid_group}\"}"
printf "${output}\n"
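Review bot: `printf "${output}\n"` uses the data as the format string, so a `%` in any interpolated value (for instance a group name) would be interpreted as a conversion specifier and corrupt or abort the fact output; use `printf '%s\n' "${output}"` instead. The values are also not JSON-escaped, so a double quote or backslash in `hidepid_group` would produce invalid JSON and Ansible would fall back to treating the fact as a raw string.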
......@@ -3,5 +3,4 @@
# Based on
SupplementaryGroups={{ console_proc_hidepid_group }}
SupplementaryGroups={{ proc_hidepid__group }}
......@@ -274,8 +274,8 @@ snmpd_load_15min: '{{ (((snmpd_load_base | float) *
# Should the ``debops.snmpd`` add the ``snmp`` user account to a group that has
# access to the ``/proc`` filesystem?
snmpd_proc_hidepid: '{{ True
if (ansible_local|d() and ansible_local.proc|d() and
if (ansible_local|d() and ansible_local.proc_hidepid|d() and
else False }}'
......@@ -283,9 +283,9 @@ snmpd_proc_hidepid: '{{ True
# Name of the system group which ``snmp`` user will be added to to get
# information about processes.
snmpd_proc_hidepid_group: '{{ (ansible_local.proc.hidepid_group
if (ansible_local|d() and ansible_local.proc|d() and
snmpd_proc_hidepid_group: '{{ (
if (ansible_local|d() and ansible_local.proc_hidepid|d() and|d())
else "") }}'
......@@ -124,6 +124,7 @@ other hosts.
- :ref:`debops.nfs`
- :ref:`debops.nfs_server`
- :ref:`debops.persistent_paths`
- :ref:`debops.proc_hidepid`
- :ref:`debops.tftpd`
- :ref:`debops.tgt`
- ``debops.samba``
......@@ -181,6 +182,7 @@ Monitoring
- :ref:`debops.librenms`
- :ref:`debops.monit`
- :ref:`debops.proc_hidepid`
- :ref:`debops.snmpd`
- ``debops.smstools``
......@@ -222,6 +224,7 @@ Security
- :ref:`debops.authorized_keys`
- :ref:`debops.fail2ban`
- :ref:`debops.ferm`
- :ref:`debops.proc_hidepid`
- :ref:`debops.sshd`
- :ref:`debops.tcpwrappers`
- ``debops-contrib.apparmor``
Getting started
.. contents::
Ansible local facts
The ``debops.proc_hidepid`` role provides a set of Ansible local facts
available in the ``ansible_local.proc_hidepid.*`` hierarchy. You can use the
facts to add application UNIX accounts to the correct UNIX system group that
allows them access to the ``/proc`` filesystem.
Example inventory
The ``debops.proc_hidepid`` role is included by default in the ``common.yml``
DebOps playbook; you don't need to add hosts to any Ansible groups to enable
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the ``debops.proc_hidepid`` role:
.. literalinclude:: ../../../../ansible/playbooks/service/proc_hidepid.yml
:language: yaml
Ansible tags
You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
tasks are performed during Ansible run. This can be used after a host was first
configured to speed up playbook execution, when you are sure that most of the
configuration is already in the desired state.
Available role tags:
Main role tag, should be used in the playbook to execute all of the role
tasks as well as role dependencies.
.. _debops.proc_hidepid:
This role will ensure that the ``/proc`` filesystem is mounted with the
``hidepid=`` option enabled. `The 'hidepid=' option`__ can be used to hide
processes that don't belong to a particular user account.
.. __:
.. toctree::
:maxdepth: 2
.. literalinclude:: ../../../../ansible/roles/debops.proc_hidepid/COPYRIGHT
Local Variables:
mode: rst
ispell-local-dictionary: "american"
......@@ -59,8 +59,28 @@ Inventory variable changes
| ``console_motd`` | :envvar:`machine__motd` | No |
The support for dynamic MOTD has been implemented by the :ref:`debops.machine`
role, you might want to use that instead of the static MOTD file.
The support for dynamic MOTD has been implemented by the :ref:`debops.machine`
role, you might want to use that instead of the static MOTD file.
- Configuration of the ``/proc`` ``hidepid=`` option has been removed from the
``debops.console`` and is now available in the new :ref:`debops.proc_hidepid`
Ansible role. List of default variables that were affected:
| Old variable name | New variable name | Changed value |
| ``console_proc_hidepid`` | :envvar:`proc_hidepid__enabled` | No |
| ``console_proc_hidepid_level`` | :envvar:`proc_hidepid__level` | No |
| ``console_proc_hidepid_group`` | :envvar:`proc_hidepid__group` | No |
The logic to enable/disable the ``hidepid=`` configuration has been moved to
the :envvar:`proc_hidepid__enabled` variable to be more accessible. The role
creates its own set of Ansible local facts with new variable names, you might
need to update configuration of the roles that relied on them.
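Review bot: the table marks `console_proc_hidepid` to `proc_hidepid__enabled` as "Changed value: No", but the old default was a plain `True` while the new one is a capability-dependent expression that evaluates to False on hosts without `cap_sys_admin`; that is a behaviour change worth flagging as "Yes" or explaining in the text. The closing paragraph also says the local facts have new names without listing them; since `debops.snmpd` had to be updated in this merge, spell out the mapping (`ansible_local.proc.hidepid_type` to `ansible_local.proc_hidepid.level`, `hidepid_gid` to `gid`, `hidepid_group` to `group`) so users of custom roles can update their conditions.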