debops.proc_hidepid default variables¶
Sections
General configuration, APT packages¶
-
proc_hidepid__enabled
¶
Enable or disable support for managing the /proc
hidepid=
option
using Ansible.
proc_hidepid__enabled: True
-
proc_hidepid__base_packages
¶
List of APT packages required for hidepid support.
proc_hidepid__base_packages: [ 'libcap2-bin' ]
-
proc_hidepid__packages
¶
List of additional APT packages to install with hidepid support.
proc_hidepid__packages: []
The /proc
filesystem options¶
-
proc_hidepid__remount
¶
When enabled, the role will try and remount the /proc
filesystem to
enable the hidepid=
options. This might not be possible in certain
environments like LXC/Docker containers, in which case the role will only
passively set up the required facts and other configuration.
proc_hidepid__remount: '{{ True
if ((((ansible_system_capabilities_enforced|d())|bool and
"cap_sys_admin" in ansible_system_capabilities) or
not (ansible_system_capabilities_enforced|d(True))|bool) and
(ansible_local|d() and ansible_local.proc_hidepid|d() and
(ansible_local.proc_hidepid.proc_owner|d("root")) == "root"))
else False }}'
-
proc_hidepid__level
¶
Specify what level of protection for the /proc
files to configure:
0
: no protection, files are world-readable1
: the/proc
contents are protected using UNIX permissions, file- owners can access their own files
2
: the/proc
contents are invisible to non-owners, onlyroot
- and users in the specific UNIX system group can see everything
proc_hidepid__level: '2'
-
proc_hidepid__group
¶
Name of the UNIX system group which will have unrestricted access to the
/proc
filesystem.
proc_hidepid__group: 'procadmins'
-
proc_hidepid__gid
¶
The GID used by the UNIX system group. If not specified, it will be selected
automatically. If you change the GID, you need to remount the /proc
filesystem manually and restart any services that rely on this functionality.
proc_hidepid__gid: '70'
The /proc/sched_debug
options¶
-
proc_hidepid__secure_scheduler_enabled
¶
Enable or disable file attributes change of the /proc/sched_debug
file to not be world-readable. Note: the root
account in privileged LXC
containers can read the file and change its permissions at will.
proc_hidepid__secure_scheduler_enabled: '{{ True
if (proc_hidepid__register_sched.stat.exists|bool and
proc_hidepid__register_sched.stat.uid == 0)
else False }}'
-
proc_hidepid__secure_scheduler_group
¶
Name of the UNIX system group which will be able to read the contents of the
/proc/sched_debug
file.
proc_hidepid__secure_scheduler_group: '{{ proc_hidepid__group }}'