fix: remove unsupported systemd options

2021-05-29 15:47:26 +02:00 · 2021-05-29 15:47:26 +02:00 · ab3ea4e283
commit ab3ea4e283
parent f7b77d7245
5 changed files with 17 additions and 13 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -113,7 +113,11 @@ prometheus_alert_rules:
    labels:
      severity: warning
    annotations:
-      description: "This is an alert meant to ensure that the entire alerting pipeline is functional.\nThis alert is always firing, therefore it should always be firing in Alertmanager\nand always fire against a receiver. There are integrations with various notification\nmechanisms that send a notification when this alert is not firing. For example the\n\"DeadMansSnitch\" integration in PagerDuty."
+      description: >-
+        This is an alert meant to ensure that the entire alerting pipeline is functional.
+        This alert is always firing, therefore it should always be firing in Alertmanager
+        and always fire against a receiver. There are integrations with various notification
+        mechanisms that send a notification when this alert is not firing.
      summary: "Ensure entire alerting pipeline is functional"
  - alert: InstanceDown
    expr: "up == 0"
--- a/molecule/centos7/molecule.yml
+++ b/molecule/centos7/molecule.yml
@ -3,6 +3,7 @@ dependency:
  name: galaxy
  options:
    role-file: molecule/requirements.yml
+    requirements-file: molecule/requirements.yml
  env:
    ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
 driver:
@ -18,5 +19,6 @@ provisioner:
  env:
    ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
+  log: False
 verifier:
  name: testinfra
--- a/tasks/setup.yml
+++ b/tasks/setup.yml
@ -27,11 +27,10 @@
        extra_opts:
          - --strip-components=1
        remote_src: yes
-        include:
-          - prometheus-{{ prometheus_version }}.linux-amd64/consoles/
-          - prometheus-{{ prometheus_version }}.linux-amd64/console_libraries/
-          - prometheus-{{ prometheus_version }}.linux-amd64/prometheus
-          - prometheus-{{ prometheus_version }}.linux-amd64/promtool
+        exclude:
+          - prometheus-{{ prometheus_version }}.linux-amd64/LICENSE
+          - prometheus-{{ prometheus_version }}.linux-amd64/NOTICE
+          - prometheus-{{ prometheus_version }}.linux-amd64/prometheus.yml
      notify: __prometheus_restart
  become: True
  become_user: "{{ prometheus_user }}"
@ -48,8 +47,8 @@
      notify: __prometheus_reload

    - name: Copy prometheus web config file
-      copy:
-        content: "{{ prometheus_web_config | to_nice_yaml(indent=2) }}"
+      template:
+        src: "conf/web.yml.j2"
        dest: "{{ prometheus_config_dir }}/web.yml"
        owner: "{{ prometheus_user }}"
        group: "{{ prometheus_user }}"
--- a/templates/conf/web.yml.j2
+++ b/templates/conf/web.yml.j2
@ -0,0 +1,4 @@
+#jinja2: lstrip_blocks: True
+{{ ansible_managed | comment }}
+
+{{ prometheus_web_config | to_nice_yaml(indent=2) }}
--- a/templates/etc/systemd/system/prometheus.service.j2
+++ b/templates/etc/systemd/system/prometheus.service.j2
@ -34,16 +34,11 @@ ExecStart={{ prometheus_base_dir }}/prometheus \
 {% endfor %}
  --config.file={{ prometheus_config_dir }}/prometheus.yml

-CapabilityBoundingSet=CAP_SET_UID
 LimitNOFILE=65000
-LockPersonality=true
 NoNewPrivileges=true
-MemoryDenyWriteExecute=true
 PrivateDevices=true
 PrivateTmp=true
 ProtectHome=true
-RemoveIPC=true
-RestrictSUIDSGID=true

 ReadWriteDirectories={{ prometheus_data_dir }}
 {% for path in prometheus_read_only_dirs %}