From d0cd709c08020e795bbd4cbfd23978179a53c9dd Mon Sep 17 00:00:00 2001 From: sak Date: Mon, 19 Apr 2021 15:15:59 +0530 Subject: [PATCH] security** node-exporter data & port publicly exposed --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- .../systemd/matrix-prometheus-node-exporter.service.j2 | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index f2eca52c..90f809f1 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -18,5 +18,5 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: [] # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). # -# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 93638c19..c9f752a7 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -22,9 +22,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ - {% endif %} {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} @@ -32,6 +29,12 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --pid=host \ --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ {{ matrix_prometheus_node_exporter_docker_image }} \ + {{ matrix_prometheus_node_exporter_docker_image }} \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + --web.listen-address={{ matrix_prometheus_node_exporter_container_http_host_bind_port }} \ + {% else %} + --web.listen-address=localhost:9100 \ + {% endif %} --path.rootfs=/host ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null'