debops.proc_hidepid default variables
General configuration, APT packages
proc_hidepid__enabled

Enable or disable support for managing the hidepid= mount option of the /proc filesystem using Ansible.

proc_hidepid__enabled: True
proc_hidepid__base_packages

List of APT packages required for hidepid support. libcap2-bin provides capsh, which Ansible's fact gathering runs to populate the ansible_system_capabilities and ansible_system_capabilities_enforced facts that the proc_hidepid__remount default relies on.

proc_hidepid__base_packages: [ 'libcap2-bin' ]
proc_hidepid__packages

List of additional APT packages to install with hidepid support.

proc_hidepid__packages: []
proc_hidepid__skip_packages

List of APT packages which are known to cause issues when hidepid is enabled. polkitd, for example, runs as an unprivileged user and reads other users' /proc/<pid>/ entries to identify the subject of an authorization request, which hidepid=2 prevents. When the role detects that any of these packages are installed on the host, it defaults to more permissive settings.

proc_hidepid__skip_packages: [ 'policykit-1', 'polkitd' ]
The /proc filesystem options
proc_hidepid__remount

When enabled, the role will try to remount the /proc filesystem to apply the hidepid= options. This might not be possible in certain environments such as LXC/Docker containers, in which case the role only passively sets up the required facts and other configuration. The default is True only when the host appears able to remount: either Ansible reports that capabilities are enforced and cap_sys_admin is present, or capabilities are not enforced at all; and in addition the role's local fact reports /proc as owned by root.

proc_hidepid__remount: '{{ True
if ((((ansible_system_capabilities_enforced|d())|bool and
"cap_sys_admin" in ansible_system_capabilities) or
not (ansible_system_capabilities_enforced|d(True))|bool) and
(ansible_local|d() and ansible_local.proc_hidepid|d() and
(ansible_local.proc_hidepid.proc_owner|d("root")) == "root"))
else False }}'
proc_hidepid__level

Specify what level of protection to configure for the /proc files:

0: no protection, the /proc/<pid>/ directories are world-readable.

1: the /proc/<pid>/ contents are protected using UNIX permissions; users can access only the entries of their own processes, although the process IDs of other users remain visible in the listing of /proc.

2: the /proc/<pid>/ directories of other users are entirely invisible; only root and members of the UNIX system group set in proc_hidepid__group can see everything.

The default is taken from the role's local fact and falls back to 2 when that fact is absent.

proc_hidepid__level: '{{ proc_hidepid__fact_default_level | d("2") }}'
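The following is an added example, not code from the debops.proc_hidepid role or its documentation. It reproduces in portable shell the two checks behind the proc_hidepid__remount default (CAP_SYS_ADMIN in the effective capability set, /proc owned by root) and reads back the hidepid level that proc_hidepid__level configures from /proc/mounts, handling both the numeric spelling printed by kernels before 5.8 and the symbolic spelling (hidepid=invisible) printed by later kernels. The function names, the sample /proc/mounts lines and the use of the numeric uid of /proc in place of the role's proc_owner local fact are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the debops.proc_hidepid role: reproduce the two
# checks behind proc_hidepid__remount and read back the hidepid level that
# proc_hidepid__level configures. Function names and the sample /proc/mounts
# lines are this example's own; the role reads the same facts via Ansible.

CAP_SYS_ADMIN_BIT=21   # capability number from <linux/capability.h>

# Constructed /proc/mounts lines (not captured from a live host). Kernels
# before 5.8 print hidepid numerically, later kernels print it symbolically.
SAMPLE_OLD='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=70 0 0'
SAMPLE_NEW='proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=70,hidepid=invisible 0 0'
SAMPLE_NONE='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# proc_mount_opt NAME [MOUNTPOINT]: read /proc/mounts-format lines on stdin and
# print the value of mount option NAME on the proc filesystem at MOUNTPOINT
# (default /proc). Prints nothing when the mount or the option is absent.
proc_mount_opt() {
    name=$1; target=${2:-/proc}; value=""
    while read -r _dev mnt fstype opts _rest; do
        [ "$mnt" = "$target" ] && [ "$fstype" = "proc" ] || continue
        oldifs=$IFS; IFS=,
        for opt in $opts; do
            case "$opt" in "$name"=*) value=${opt#*=} ;; esac
        done
        IFS=$oldifs
    done
    printf '%s\n' "$value"
}

# hidepid_level [MOUNTPOINT]: numeric hidepid level (0, 1, 2 or 4) of the proc
# mount, accepting both the numeric and the symbolic spelling of the option.
hidepid_level() {
    case "$(proc_mount_opt hidepid "${1:-/proc}")" in
        ""|off|0)     echo 0 ;;
        noaccess|1)   echo 1 ;;
        invisible|2)  echo 2 ;;
        ptraceable|4) echo 4 ;;
        *)            echo unknown ;;
    esac
}

# has_cap_sys_admin HEXMASK: succeed when CAP_SYS_ADMIN is set in a capability
# mask as printed on the CapEff: line of /proc/<pid>/status.
has_cap_sys_admin() {
    case "$1" in ""|*[!0-9a-fA-F]*) return 1 ;; esac   # reject non-hex input
    [ $(( (0x$1 >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# remount_possible: the conditions from the proc_hidepid__remount default,
# evaluated for the current process. The role checks the owner of /proc through
# its proc_owner local fact; the numeric uid is used here instead (assumption).
# Passing both checks is necessary, not sufficient: a container's seccomp or
# LSM policy can still refuse the mount(2) call.
remount_possible() {
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null)
    has_cap_sys_admin "$capeff" || { echo "no CAP_SYS_ADMIN: remount not possible"; return 1; }
    owner=$(stat -c %u /proc 2>/dev/null)
    [ "$owner" = "0" ] || { echo "/proc is owned by uid '${owner:-?}', not root"; return 1; }
    echo "remount possible, e.g.: mount -o remount,hidepid=2,gid=70 /proc"
}

# Demonstration on the constructed lines, then on the running host if /proc
# is available. Nothing here remounts anything.
printf 'old-style line  -> level %s\n' "$(printf '%s\n' "$SAMPLE_OLD" | hidepid_level)"
printf 'new-style line  -> level %s, gid %s\n' \
    "$(printf '%s\n' "$SAMPLE_NEW" | hidepid_level)" \
    "$(printf '%s\n' "$SAMPLE_NEW" | proc_mount_opt gid)"
printf 'no hidepid      -> level %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | hidepid_level)"
if [ -r /proc/self/status ] && [ -r /proc/mounts ]; then
    printf 'this host       -> level %s\n' "$(hidepid_level < /proc/mounts)"
    remount_possible || true
fi
```

The gid= value in /proc/mounts is always printed numerically, which is why the role pins proc_hidepid__gid rather than relying on the group name alone; comparing it against the configured GID is the quickest way to confirm that a remount actually took effect.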
proc_hidepid__group

Name of the UNIX system group which will have unrestricted access to the /proc filesystem.

proc_hidepid__group: 'procadmins'
proc_hidepid__gid

The GID used by the UNIX system group. The kernel's gid= mount option takes a numeric GID, which is why the group is pinned to a fixed value. If not specified, it will be selected automatically. If you change the GID, you need to remount the /proc filesystem manually and restart any services that rely on this functionality.

proc_hidepid__gid: '70'
The /proc/sched_debug options
proc_hidepid__secure_scheduler_enabled

Enable or disable changing the file attributes of /proc/sched_debug so that it is no longer world-readable. The default is True only when the file exists and is owned by root (the stat result registered in proc_hidepid__register_sched); on kernels where the file is absent (it moved to /sys/kernel/debug/sched/debug in Linux 5.13) this part of the role is skipped. Note: the root account in privileged LXC containers can read the file and change its permissions at will.

proc_hidepid__secure_scheduler_enabled: '{{ True
if (proc_hidepid__register_sched.stat.exists|bool and
proc_hidepid__register_sched.stat.uid == 0)
else False }}'
proc_hidepid__secure_scheduler_group

Name of the UNIX system group which will be able to read the contents of the /proc/sched_debug file.

proc_hidepid__secure_scheduler_group: '{{ proc_hidepid__group }}'