debops.proc_hidepid default variables
Sections
General configuration, APT packages
- proc_hidepid__enabled
Enable or disable support for managing the /proc
hidepid=
option
using Ansible.
proc_hidepid__enabled: True
- proc_hidepid__base_packages
List of APT packages required for hidepid support.
proc_hidepid__base_packages: [ 'libcap2-bin' ]
- proc_hidepid__packages
List of additional APT packages to install with hidepid support.
proc_hidepid__packages: []
- proc_hidepid__skip_packages
List of APT packages which are known to cause issues when hidepid is enabled. When the role detects that they are installed on the host, it will default to using more permissive settings.
proc_hidepid__skip_packages: [ 'policykit-1', 'polkitd' ]
The /proc
filesystem options
- proc_hidepid__remount
When enabled, the role will try and remount the /proc
filesystem to
enable the hidepid=
options. This might not be possible in certain
environments like LXC/Docker containers, in which case the role will only
passively set up the required facts and other configuration.
proc_hidepid__remount: '{{ True
if ((((ansible_system_capabilities_enforced|d())|bool and
"cap_sys_admin" in ansible_system_capabilities) or
not (ansible_system_capabilities_enforced|d(True))|bool) and
(ansible_local|d() and ansible_local.proc_hidepid|d() and
(ansible_local.proc_hidepid.proc_owner|d("root")) == "root"))
else False }}'
- proc_hidepid__level
Specify what level of protection for the /proc
files to configure:
0
: no protection, files are world-readable1
: the/proc
contents are protected using UNIX permissions, fileowners can access their own files
2
: the/proc
contents are invisible to non-owners, onlyroot
and users in the specific UNIX system group can see everything
proc_hidepid__level: '{{ "0"
if (("debops_service_libvirtd" in group_names) or
(ansible_local.libvirtd.installed | d() | bool))
else (proc_hidepid__fact_default_level | d("2")) }}'
- proc_hidepid__group
Name of the UNIX system group which will have unrestricted access to the
/proc
filesystem.
proc_hidepid__group: 'procadmins'
- proc_hidepid__gid
The GID used by the UNIX system group. If not specified, it will be selected
automatically. If you change the GID, you need to remount the /proc
filesystem manually and restart any services that rely on this functionality.
proc_hidepid__gid: '70'
The /proc/sched_debug
options
- proc_hidepid__secure_scheduler_enabled
Enable or disable file attributes change of the /proc/sched_debug
file to not be world-readable. Note: the root
account in privileged LXC
containers can read the file and change its permissions at will.
proc_hidepid__secure_scheduler_enabled: '{{ True
if (proc_hidepid__register_sched.stat.exists|bool and
proc_hidepid__register_sched.stat.uid == 0)
else False }}'
- proc_hidepid__secure_scheduler_group
Name of the UNIX system group which will be able to read the contents of the
/proc/sched_debug
file.
proc_hidepid__secure_scheduler_group: '{{ proc_hidepid__group }}'