From d0cd709c08020e795bbd4cbfd23978179a53c9dd Mon Sep 17 00:00:00 2001 From: sak Date: Mon, 19 Apr 2021 15:15:59 +0530 Subject: [PATCH 1/3] security** node-exporter data & port publicly exposed --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- .../systemd/matrix-prometheus-node-exporter.service.j2 | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index f2eca52c1..90f809f12 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -18,5 +18,5 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: [] # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). # -# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 93638c191..c9f752a7c 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -22,9 +22,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ - {% endif %} {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} @@ -32,6 +29,12 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --pid=host \ --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ {{ matrix_prometheus_node_exporter_docker_image }} \ + {{ matrix_prometheus_node_exporter_docker_image }} \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + --web.listen-address={{ matrix_prometheus_node_exporter_container_http_host_bind_port }} \ + {% else %} + --web.listen-address=localhost:9100 \ + {% endif %} --path.rootfs=/host ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' From 0f9a4557193d249e9ee746c98de6f2a6767d434c Mon Sep 17 00:00:00 2001 From: sak Date: Mon, 19 Apr 2021 15:24:36 +0530 Subject: [PATCH 2/3] Revert "security** node-exporter data & port publicly exposed" This reverts commit d0cd709c08020e795bbd4cbfd23978179a53c9dd. --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- .../systemd/matrix-prometheus-node-exporter.service.j2 | 9 +++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 90f809f12..f2eca52c1 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -18,5 +18,5 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: [] # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). # -# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index c9f752a7c..93638c191 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -22,6 +22,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ + {% endif %} {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} @@ -29,12 +32,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --pid=host \ --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ {{ matrix_prometheus_node_exporter_docker_image }} \ - {{ matrix_prometheus_node_exporter_docker_image }} \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - --web.listen-address={{ matrix_prometheus_node_exporter_container_http_host_bind_port }} \ - {% else %} - --web.listen-address=localhost:9100 \ - {% endif %} --path.rootfs=/host ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' From 88a30fb5ed4d2957fae09f8b0ca56daa003c9045 Mon Sep 17 00:00:00 2001 From: sak Date: Mon, 19 Apr 2021 15:35:23 +0530 Subject: [PATCH 3/3] security** node-exporter data & port publicly exposed --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- .../systemd/matrix-prometheus-node-exporter.service.j2 | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index f2eca52c1..90f809f12 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -18,5 +18,5 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: [] # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). # -# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 93638c191..5a72d37a7 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -22,9 +22,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ - {% endif %} {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} @@ -32,6 +29,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --pid=host \ --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ {{ matrix_prometheus_node_exporter_docker_image }} \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + --web.listen-address={{ matrix_prometheus_node_exporter_container_http_host_bind_port }} \ + {% else %} + --web.listen-address=localhost:9100 \ + {% endif %} --path.rootfs=/host ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null'