Getting started
Static GID assignment
The procadmins
group uses a static GID 70
, chosen based on the default
set of system groups provided in Debian with usable range between 61-99. This
becomes important in environments with LXC containers where, depending on the
configuration, host and container GIDs could differ, resulting in a different
set of users being able to see the /proc
contents. Thus, the need to
synchronize the GID between distinct environments sharing the same GID
namespace (the same kernel).
Ansible local facts
The debops.proc_hidepid
role provides a set of Ansible local facts
available in the ansible_local.proc_hidepid.*
hierarchy. You can use the
facts to add application UNIX accounts to the correct UNIX system group that
allows them access to the /proc
filesystem.
Example inventory
The debops.proc_hidepid
role is included by default in the common.yml
DebOps playbook; you don't need to add hosts to any Ansible groups to enable
it.
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.proc_hidepid
role:
---
- name: Manage /proc hidepid= configuration
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debops_all_hosts', 'debops_service_proc_hidepid' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: proc_hidepid
tags: [ 'role::proc_hidepid', 'skip::proc_hidepid' ]