debops.proc_hidepid default variables

General configuration, APT packages

proc_hidepid__enabled

Enable or disable support for managing the /proc hidepid= option using Ansible.

proc_hidepid__enabled: True
proc_hidepid__base_packages

List of APT packages required for hidepid support.

proc_hidepid__base_packages: [ 'libcap2-bin' ]
proc_hidepid__packages

List of additional APT packages to install with hidepid support.

proc_hidepid__packages: []
proc_hidepid__skip_packages

List of APT packages which are known to cause issues when hidepid is enabled. When the role detects that they are installed on the host, it will default to using more permissive settings.

proc_hidepid__skip_packages: [ 'policykit-1', 'polkitd' ]

The /proc filesystem options

proc_hidepid__remount

When enabled, the role will try and remount the /proc filesystem to enable the hidepid= options. This might not be possible in certain environments like LXC/Docker containers, in which case the role will only passively set up the required facts and other configuration.

proc_hidepid__remount: '{{ True
                           if ((((ansible_system_capabilities_enforced | d()) | bool and
                                 "cap_sys_admin" in ansible_system_capabilities) or
                                not (ansible_system_capabilities_enforced | d(True)) | bool) and
                               (ansible_local | d() and ansible_local.proc_hidepid | d() and
                                (ansible_local.proc_hidepid.proc_owner | d("root")) == "root"))
                           else False }}'
proc_hidepid__level

Specify what level of protection for the /proc files to configure:

  • 0: no protection, files are world-readable

  • 1: the /proc contents are protected using UNIX permissions, file

    owners can access their own files

  • 2: the /proc contents are invisible to non-owners, only root

    and users in the specific UNIX system group can see everything

proc_hidepid__level: '{{ proc_hidepid__fact_default_level | d("2") }}'
proc_hidepid__group

Name of the UNIX system group which will have unrestricted access to the /proc filesystem.

proc_hidepid__group: 'procadmins'
proc_hidepid__gid

The GID used by the UNIX system group. If not specified, it will be selected automatically. If you change the GID, you need to remount the /proc filesystem manually and restart any services that rely on this functionality.

proc_hidepid__gid: '70'

The /proc/sched_debug options

proc_hidepid__secure_scheduler_enabled

Enable or disable file attributes change of the /proc/sched_debug file to not be world-readable. Note: the root account in privileged LXC containers can read the file and change its permissions at will.

proc_hidepid__secure_scheduler_enabled: '{{ True
                                            if (proc_hidepid__register_sched.stat.exists | bool and
                                                proc_hidepid__register_sched.stat.uid == 0)
                                            else False }}'
proc_hidepid__secure_scheduler_group

Name of the UNIX system group which will be able to read the contents of the /proc/sched_debug file.

proc_hidepid__secure_scheduler_group: '{{ proc_hidepid__group }}'