Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: improve systemd.service #223

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat: improve systemd.service #223

Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
f2cc3ce
remove GOMAXPROCS environment
anarcat Sep 27, 2023
9a9473b
sort and regroup system hardening options
anarcat Sep 27, 2023
de6927a
harden systemd options
anarcat Sep 27, 2023
54e354a
only restart on abnormal crashes
anarcat Sep 27, 2023
ed01497
remote Type=Simple, default
anarcat Sep 27, 2023
19f0fa9
depend on time-sync.target
anarcat Sep 27, 2023
9a85854
expand description
anarcat Sep 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 34 additions & 32 deletions roles/prometheus/templates/prometheus.service.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,12 @@
{{ ansible_managed | comment }}

[Unit]
Description=Prometheus
After=network-online.target
Requires=local-fs.target
After=local-fs.target
Description=Monitoring system and time series database
Documentation=https://prometheus.io/docs/introduction/overview/ man:prometheus(1)
After=time-sync.target

[Service]
Type=simple
Environment="GOMAXPROCS={{ ansible_processor_vcpus|default(ansible_processor_count) }}"
Restart=on-failure
User=prometheus
Group=prometheus
ExecReload=/bin/kill -HUP $MAINPID
Expand Down Expand Up @@ -44,31 +42,25 @@ ExecStart={{ _prometheus_binary_install_dir }}/prometheus \
{% endif %}
{% endfor %}
--config.file={{ prometheus_config_dir }}/prometheus.yml
{% if http_proxy is defined %}
Environment="HTTP_PROXY={{ http_proxy }}"{% if https_proxy is defined %} "HTTPS_PROXY={{ https_proxy }}{% endif %}"
{% endif %}

SyslogIdentifier=prometheus
TimeoutStopSec={{ prometheus_stop_timeout }}

CapabilityBoundingSet=CAP_SET_UID
# systemd hardening-options
AmbientCapabilities=
CapabilityBoundingSet=
DeviceAllow=/dev/null rw
DevicePolicy=strict
LimitMEMLOCK=0
LimitNOFILE=65000
LockPersonality=true
NoNewPrivileges=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
RemoveIPC=true
RestrictSUIDSGID=true
#SystemCallFilter=@signal @timer

{% if (ansible_facts.packages.systemd | first).version is version('231', '>=') %}
ReadWritePaths={{ prometheus_db_dir }}
{% for path in prometheus_read_only_dirs %}
ReadOnlyPaths={{ path }}
{% endfor %}
{% else %}
ReadWriteDirectories={{ prometheus_db_dir }}
{% for path in prometheus_read_only_dirs %}
ReadOnlyDirectories={{ path }}
{% endfor %}
{% endif %}

{% if (ansible_facts.packages.systemd | first).version is version('232', '>=') %}
PrivateUsers=true
ProtectControlGroups=true
Expand All @@ -78,14 +70,24 @@ ProtectSystem=strict
{% else %}
ProtectSystem=full
{% endif %}

{% if http_proxy is defined %}
Environment="HTTP_PROXY={{ http_proxy }}"{% if https_proxy is defined %} "HTTPS_PROXY={{ https_proxy }}{% endif %}"
ProtectHome=true
{% if (ansible_facts.packages.systemd | first).version is version('231', '>=') %}
{% for path in prometheus_read_only_dirs %}
ReadOnlyPaths={{ path }}
{% endfor %}
ReadWritePaths={{ prometheus_db_dir }}
{% else %}
{% for path in prometheus_read_only_dirs %}
ReadOnlyDirectories={{ path }}
{% endfor %}
ReadWriteDirectories={{ prometheus_db_dir }}
{% endif %}

SyslogIdentifier=prometheus
Restart=always
TimeoutStopSec={{ prometheus_stop_timeout }}
RemoveIPC=true
RestrictSUIDSGID=true
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native
#SystemCallFilter=@signal @timer

[Install]
WantedBy=multi-user.target
Loading