From d9f46d6d624b9bd63d12f26919b8b634dadce314 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 28 Feb 2024 19:00:26 -0600
Subject: [PATCH] r/promtail: Optionally run with DAC_READ_SEARCH

The *promtail* service runs as an unprivileged user by default, which is fine in most cases (i.e. when scraping only the Journal), but may not always be sufficient to read logs from other files. Rather than run Promtail as root in these cases, we can assign it the CAP_DAC_READ_SEARCH capability, which will allow it to read any file, but does not grant it any of root's other privileges.

To enable this functionality, the `promtail_dac_read_search` Ansible variable can be set to `true` for a host or group. This will create a systemd unit configuration extension that configures the service to have the CAP_DAC_READ_SEARCH capability in its ambient set.
---
 roles/promtail/defaults/main.yml | 2 ++
 roles/promtail/handlers/main.yml | 6 +++-
 roles/promtail/tasks/deploy.yml | 28 +++++++++++++++++--
 roles/promtail/templates/capabilities.conf.j2 | 4 +++
 4 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 roles/promtail/templates/capabilities.conf.j2

diff --git a/roles/promtail/defaults/main.yml b/roles/promtail/defaults/main.yml
index e5066e7..ba17f8f 100644
--- a/roles/promtail/defaults/main.yml
+++ b/roles/promtail/defaults/main.yml
@@ -1,3 +1,5 @@
+promtail_dac_read_search: false
+
 promtail_positions_file: /tmp/positions.yaml
 
 promtail_clients:
diff --git a/roles/promtail/handlers/main.yml b/roles/promtail/handlers/main.yml
index 4438971..d5371e9 100644
--- a/roles/promtail/handlers/main.yml
+++ b/roles/promtail/handlers/main.yml
@@ -1,4 +1,8 @@
-- name: reload promtail
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: restart promtail
   service:
     name: promtail
     state: restarted
diff --git a/roles/promtail/tasks/deploy.yml b/roles/promtail/tasks/deploy.yml
index dbdb7c5..b240864 100644
--- a/roles/promtail/tasks/deploy.yml
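Review bot: The new `promtail_dac_read_search: false` default at the top of the hunk has no comment explaining what enabling it grants, and it is the one switch in this role with a real security consequence. CAP_DAC_READ_SEARCH bypasses file-read and directory-search permission checks for every path on the host, not just log files, so an operator setting this to `true` should see that trade-off next to the variable. A one-line comment above it would do: `# Grant CAP_DAC_READ_SEARCH to the promtail service so it can read log files its user cannot open; this lets it read ANY file on the host, so keep the scrape config tight.`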
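Review bot: Renaming the handler from `reload promtail` to `restart promtail` breaks any task that still notifies the old name, and Ansible reports that only at runtime, not at parse time. The diff updates the two `notify` entries visible in deploy.yml, but any other task file in the role that notifies `reload promtail` is outside this patch and would fail on the next run; a search of the role for the old name before merging would confirm there are none. Defining `reload systemd` above `restart promtail` is correct, since handlers run in definition order and the daemon-reload has to precede the restart for the new drop-in to take effect.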
+++ b/roles/promtail/tasks/deploy.yml
@@ -18,7 +18,7 @@
     owner: root
     group: root
   notify:
-    - reload promtail
+    - restart promtail
   tags:
     - config
@@ -31,11 +31,33 @@
     group: root
     mode: u=rw,go=r
   notify:
-    - reload promtail
+    - restart promtail
   tags:
     - config
     - cert
 
+- name: ensure promtail systemd unit extension directory exists
+  file:
+    path: /etc/systemd/system/promtail.service.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+    - systemd
+- name: ensure promtail service capabilities are configured
+  template:
+    src: capabilities.conf.j2
+    dest: /etc/systemd/system/promtail.service.d/capabilities.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+    - reload systemd
+    - restart promtail
+  tags:
+    - systemd
+
 - name: ensure promtail service starts at boot
   service:
     name: promtail
@@ -43,6 +65,8 @@
   tags:
     - service
 
+- meta: flush_handlers
+
 - name: ensure promtail is running
   service:
     name: promtail
diff --git a/roles/promtail/templates/capabilities.conf.j2 b/roles/promtail/templates/capabilities.conf.j2
new file mode 100644
index 0000000..17bf99b
--- /dev/null
+++ b/roles/promtail/templates/capabilities.conf.j2
@@ -0,0 +1,4 @@
+[Service]
+{% if promtail_dac_read_search %}
+AmbientCapabilities=CAP_DAC_READ_SEARCH
+{% endif %}
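Review bot: In the `@@ -31,11 +31,33 @@` hunk the two added tasks run together with no blank line between `- systemd` and `- name: ensure promtail service capabilities are configured`, unlike every other task in this file; adding the blank line keeps the layout consistent. Both tasks are unconditional and tagged only `systemd` while the surrounding tasks use `config`, so a run limited to `--tags config` would update the rest of promtail's configuration but leave a previously rendered drop-in as it is. Rendering the drop-in even when `promtail_dac_read_search` is false appears deliberate, since the template then omits the directive and the `notify` triggers a restart that drops the capability, but that intent deserves a comment above the template task: `# Always rendered, even when promtail_dac_read_search is false, so turning the flag off removes the capability and restarts the service.`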
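Review bot: The new drop-in carries no marker that it is managed by this role, so a local edit to capabilities.conf will be silently overwritten on the next run; add `# {{ ansible_managed }}` as the first line, which systemd treats as a comment. CAP_DAC_READ_SEARCH in the ambient set lets the promtail process open any file on the host, not only log files, so whatever its scrape configuration points at, credentials included, can be forwarded to Loki; consider narrowing that in the same drop-in with `InaccessiblePaths=` for directories that hold secrets, or `ProtectHome=true` where no logs live under home directories. When the flag is false the file renders as a bare `[Service]` section, which systemd accepts, but a comment noting that the empty section is intentional would save the next reader a question.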