
Use a separate user for prometheus and fix permissions and configuration

remove-logs
Andreas Linz 3 years ago
parent
commit
a6fcc2be0a
3 changed files with 10 additions and 5 deletions
  1. +8
    -2
      roles/prometheus/tasks/main.yml
  2. +2
    -1
      roles/prometheus/templates/prometheus.service.tmpl
  3. +0
    -2
      roles/prometheus/templates/prometheus.yml.tmpl

+ 8
- 2
roles/prometheus/tasks/main.yml View File

@ -1,12 +1,16 @@
- name: Build prometheus
command: make -C ./build/prometheus
delegate_to: localhost
- name: "Create group {{ prometheus_group }}"
become: true
group:
name: "{{ prometheus_group }}"
- name: "Create user {{ prometheus_user }}"
user:
name: {{ prometheus_user }}
name: "{{ prometheus_user }}"
comment: "Prometheus run user"
append: true
group: {{ prometheus_group }}
group: "{{ prometheus_group }}"
shell: /bin/false
become: true
- name: Install prometheus
@ -31,6 +35,8 @@
template:
src: prometheus.yml.tmpl
dest: /etc/prometheus/config.yml
owner: "{{ prometheus_user }}"
group: "{{ prometheus_group }}"
mode: 0600
notify: restart-prometheus
- name: Install prometheus systemd unit
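Review bot: The new `group:` task and the reworked `user:` task create an ordinary login-range account for a daemon; add `system: true` to both modules (and `create_home: false` to the `user:` task) so the UID/GID come from the system range and no directory is created under /home for an account whose shell is `/bin/false`. `append: true` on the user task only governs `groups:` (supplementary groups) and has no effect when only `group:` is set, so it can be dropped or the intent made explicit with `groups:`. Quoting the `{{ prometheus_user }}` / `{{ prometheus_group }}` values is the right fix for the flow-mapping parse error, and the `owner:`/`group:` lines added to the config template task in the second hunk match that; for consistency the group task's `become: true` would read better in the same position as in the user task (after the module block).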

+ 2
- 1
roles/prometheus/templates/prometheus.service.tmpl View File

@ -10,10 +10,11 @@ User={{ prometheus_user }}
Group={{ prometheus_group }}
ExecStart={{ prometheus_path }}\
-web.listen-address "127.0.0.1:{{ prometheus_port }}"\
-storage.local.path {{ prometheus_storage_path }}
-config.file {{ prometheus_config_path }}
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
;ProtectHome=true
ProtectSystem=full
NoNewPrivileges=true
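Review bot: `;ProtectHome=true` switches the home-directory sandbox off for the whole unit without recording why; if the cause is that `prometheus_storage_path` or the config lives under /home, `ProtectHome=read-only` together with `ReadWritePaths={{ prometheus_storage_path }}` keeps the restriction and grants only the path the daemon needs. Whatever the reason, a `; ProtectHome disabled because: <reason>` line above it would stop the next maintainer from silently re-enabling it. `Group={{ prometheus_group }}` appears to be the other added line and pairs with the new `group:` task in roles/prometheus/tasks/main.yml; the `ExecStart` line and its continuations are unchanged context.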

+ 0
- 2
roles/prometheus/templates/prometheus.yml.tmpl View File

@ -9,8 +9,6 @@ global:
external_labels:
monitor: 'codelab-monitor'
storage.local.path: {{ prometheus_storage_path }}
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
# - "first.rules"
