
Comments (7)

paulfantom avatar paulfantom commented on August 17, 2024

Removing this is a no-go since prometheus process should use this flag as per systemd security best practices. I would be more comfortable trying to solve your case than making this feature go away or making it optional.

Also, as this is a systemd service, there is a quick and dirty workaround to force different service parameters without modifying the service file itself. You need to:

  1. Create /etc/systemd/system/<service_name>.service.d/<some_name>.conf (ex. /etc/systemd/system/prometheus.service.d/override.conf)
  2. Put there the parameters which you would like to override (under a [Service] header, otherwise systemd ignores them), in this case:
[Service]
PrivateDevices=false
NoNewPrivileges=false

That said, we are also using Ubuntu 16.04 on our demo site and never ran into that problem.

# systemd --version
systemd 229
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN
# prometheus --version
prometheus, version 2.7.1 (branch: HEAD, revision: 62e591f928ddf6b3468308b7ac1de1c63aa7fcf3)
  build user:       root@f9f82868fc43
  build date:       20190131-11:16:59
  go version:       go1.11.5
# uname -a
Linux demo 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Could you post the output of the uname -a command?

from ansible-prometheus.

axisofentropy avatar axisofentropy commented on August 17, 2024

Of course nobody is asking that line to be removed.

I'm running on Joyent Triton so it's Illumos Solaris acting like Linux. But I'm happy to troubleshoot this further.

Linux 0cb983c4-e077-426b-8932-ed131b0e9ca1 4.3.0 BrandZ virtual linux x86_64 x86_64 x86_64 GNU/Linux

I looked at the systemd docs a bit. Maybe I need to make sure all the files it accesses are owned by the prometheus user?


paulfantom avatar paulfantom commented on August 17, 2024

Now I see what the problem is. 😄 Disguising as Linux can sometimes lead to strange behaviors (like this one), especially when some application (systemd) is relying on kernel features. I assume the kernel you are using does not support calling prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0).

This is an issue of Joyent Triton and I would advise notifying them about it, as systemd 240 is supposed to set NoNewPrivileges for all long-running services by default.


axisofentropy avatar axisofentropy commented on August 17, 2024

Sure, they're aware. Thanks for the advice.

Now how do I get this working? Is there an easy way to override that one template within a role? Or do I need to fork it?


paulfantom avatar paulfantom commented on August 17, 2024

You need to create an additional directory and file as I described in #184 (comment). Best would be to create it before running this role.

So something like this:

- hosts: all
  become: true
  pre_tasks:
  - name: Create prometheus service directory tree
    file:
      path: "/etc/systemd/system/prometheus.service.d"
      state: directory
  - name: Create prometheus service parameters override
    copy:
      dest: "/etc/systemd/system/prometheus.service.d/override.conf"
      content: |
        [Service]
        PrivateDevices=false
        NoNewPrivileges=false
  roles:
    - cloudalchemy.prometheus

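The override in the comment above and the earlier drop-in snippet both rely on the same detail: directives only take effect inside a `[Service]` section, and each one switches off a hardening setting. The following script is an added example, not code from the ansible-prometheus role or from this thread. It parses a drop-in the way systemd reads it (section headers, `#`/`;` comments, `Key=Value` lines, assignments outside any section ignored) and reports which hardening directives the drop-in turns off, so an operator can review overrides like this one before deploying them. The list of directives it checks is an assumption chosen for the example, not an exhaustive list of systemd sandboxing options; the two sample drop-ins are constructed from the thread.

```python
"""Audit a systemd drop-in (override.conf) for directives that weaken
service hardening.  Added example; assumptions are marked in comments."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Boolean sandboxing directives a drop-in would normally leave enabled.
# Assumption: this selection is for the example and is not exhaustive.
HARDENING_DIRECTIVES = (
    "NoNewPrivileges", "PrivateDevices", "PrivateTmp", "ProtectControlGroups",
    "ProtectKernelModules", "ProtectKernelTunables", "RestrictRealtime",
    "LockPersonality", "MemoryDenyWriteExecute",
)

# Spellings systemd accepts for a boolean "off".
FALSE_VALUES = {"0", "no", "false", "off"}


@dataclass
class DropIn:
    settings: List[Tuple[str, str, str]] = field(default_factory=list)  # (section, key, value)
    ignored: List[Tuple[int, str]] = field(default_factory=list)       # (lineno, raw line)


def parse_dropin(text: str) -> DropIn:
    """Parse unit-file syntax: [Section] headers, Key=Value lines, comments."""
    result = DropIn()
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line:
            result.ignored.append((lineno, raw))
            continue
        key, _, value = line.partition("=")
        if section is None:
            # systemd logs "Assignment outside of section. Ignoring." for
            # these: exactly what happens when the [Service] header is missing.
            result.ignored.append((lineno, raw))
            continue
        result.settings.append((section, key.strip(), value.strip()))
    return result


def weakened_hardening(dropin: DropIn) -> List[str]:
    """Return the hardening directives the drop-in switches off in [Service]."""
    return [
        key for section, key, value in dropin.settings
        if section == "Service"
        and key in HARDENING_DIRECTIVES
        and value.lower() in FALSE_VALUES
    ]


def audit(text: str) -> Dict[str, List]:
    """Summarise one drop-in: weakened directives and lines systemd would ignore."""
    parsed = parse_dropin(text)
    return {
        "weakened": weakened_hardening(parsed),
        "ignored_lines": [lineno for lineno, _ in parsed.ignored],
    }


# Constructed sample: the override from the thread, with the [Service] header.
OVERRIDE_WITH_SECTION = """\
[Service]
PrivateDevices=false
NoNewPrivileges=false
"""

# Constructed sample: the same directives without a header; systemd ignores them,
# so the service keeps its hardening and the workaround silently does nothing.
OVERRIDE_WITHOUT_SECTION = """\
PrivateDevices=false
NoNewPrivileges=false
"""

if __name__ == "__main__":
    for name, text in (("with header", OVERRIDE_WITH_SECTION),
                       ("without header", OVERRIDE_WITHOUT_SECTION)):
        print(f"{name}: {audit(text)}")
```

After installing a drop-in, run `systemctl daemon-reload` and confirm the effective value with `systemctl show -p NoNewPrivileges prometheus.service`; if the property still reads `yes`, the override was not picked up (a missing `[Service]` header is the usual cause). The parser does not handle backslash line continuations, which the samples here do not use.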

axisofentropy avatar axisofentropy commented on August 17, 2024

Thanks!


lock avatar lock commented on August 17, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
