debops.proc_hidepid default variables

General configuration, APT packages


Enable or disable support for managing the /proc hidepid= option using Ansible.

proc_hidepid__enabled: True

List of APT packages required for hidepid support.

proc_hidepid__base_packages: [ 'libcap2-bin' ]

List of additional APT packages to install with hidepid support.

proc_hidepid__packages: []

List of APT packages which are known to cause issues when hidepid is enabled. When the role detects that they are installed on the host, it will default to using more permissive settings.

proc_hidepid__skip_packages: [ 'policykit-1', 'polkitd' ]

The /proc filesystem options


When enabled, the role will try and remount the /proc filesystem to enable the hidepid= options. This might not be possible in certain environments like LXC/Docker containers, in which case the role will only passively set up the required facts and other configuration.

proc_hidepid__remount: '{{ True
                           if ((((ansible_system_capabilities_enforced | d()) | bool and
                                 "cap_sys_admin" in ansible_system_capabilities) or
                                not (ansible_system_capabilities_enforced | d(True)) | bool) and
                               (ansible_local | d() and ansible_local.proc_hidepid | d() and
                                (ansible_local.proc_hidepid.proc_owner | d("root")) == "root"))
                           else False }}'

Specify what level of protection for the /proc files to configure:

  • 0: no protection, files are world-readable

  • 1: the /proc contents are protected using UNIX permissions, file

    owners can access their own files

  • 2: the /proc contents are invisible to non-owners, only root

    and users in the specific UNIX system group can see everything

proc_hidepid__level: '{{ proc_hidepid__fact_default_level | d("2") }}'

Name of the UNIX system group which will have unrestricted access to the /proc filesystem.

proc_hidepid__group: 'procadmins'

The GID used by the UNIX system group. If not specified, it will be selected automatically. If you change the GID, you need to remount the /proc filesystem manually and restart any services that rely on this functionality.

proc_hidepid__gid: '70'

The /proc/sched_debug options


Enable or disable file attributes change of the /proc/sched_debug file to not be world-readable. Note: the root account in privileged LXC containers can read the file and change its permissions at will.

proc_hidepid__secure_scheduler_enabled: '{{ True
                                            if (proc_hidepid__register_sched.stat.exists | bool and
                                                proc_hidepid__register_sched.stat.uid == 0)
                                            else False }}'

Name of the UNIX system group which will be able to read the contents of the /proc/sched_debug file.

proc_hidepid__secure_scheduler_group: '{{ proc_hidepid__group }}'