configpolicy

dustin

configpolicy

Fork 0

Commit Graph

Author	SHA1	Message	Date
Dustin	d9f46d6d62	r/promtail: Optionally run with DAC_READ_SEARCH The promtail service runs as an unprivileged user by default, which is fine in most cases (i.e. when scraping only the Journal), but may not always be sufficient to read logs from other files. Rather than run Promtail as root in these cases, we can assign it the CAP_DAC_READ_SEARCH capability, which will allow it to read any file, but does not grant it any of root's other privileges. To enable this functionality, the `promtail_dac_read_search` Ansible variable can be set to `true` for a host or group. This will create a systemd unit configuration extension that configures the service to have the CAP_DAC_READ_SEARCH capability in its ambient set.	2024-02-28 19:00:26 -06:00

Author

SHA1

Message

Date

Dustin

d9f46d6d62

r/promtail: Optionally run with DAC_READ_SEARCH

The *promtail* service runs as an unprivileged user by default, which is
fine in most cases (i.e. when scraping only the Journal), but may not
always be sufficient to read logs from other files.  Rather than run
Promtail as root in these cases, we can assign it the
CAP_DAC_READ_SEARCH capability, which will allow it to read any file,
but does not grant it any of root's other privileges.

To enable this functionality, the `promtail_dac_read_search` Ansible
variable can be set to `true` for a host or group.  This will create a
systemd unit configuration extension that configures the service to have
the CAP_DAC_READ_SEARCH capability in its ambient set.

2024-02-28 19:00:26 -06:00

1 Commits (7d93ba836ed8bf599fd4b1f5513eb5a09780200e)