[arch-commits] Commit in loki/trunk (PKGBUILD loki.service promtail.service)
Jelle van der Waa
jelle at archlinux.org
Mon Jan 27 15:54:48 UTC 2020
Date: Monday, January 27, 2020 @ 15:54:48
Author: jelle
Revision: 374088
Updates to hardening and loki user
Modified:
loki/trunk/PKGBUILD
loki/trunk/loki.service
loki/trunk/promtail.service
------------------+
PKGBUILD | 22 ++++++++++++++++++----
loki.service | 22 +++++++++++++++++++++-
promtail.service | 8 ++++++--
3 files changed, 45 insertions(+), 7 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-01-27 15:47:00 UTC (rev 374087)
+++ PKGBUILD 2020-01-27 15:54:48 UTC (rev 374088)
@@ -10,11 +10,16 @@
depends=('glibc')
makedepends=('go-pie')
backup=('etc/loki/loki.yaml' 'etc/loki/promtail.yaml')
-source=($pkgname-$pkgver.tar.gz::https://github.com/grafana/loki/archive/v$pkgver.tar.gz promtail.sysusers promtail.service promtail.tmpfiles)
+source=($pkgname-$pkgver.tar.gz::https://github.com/grafana/loki/archive/v$pkgver.tar.gz
+ promtail.sysusers promtail.service promtail.tmpfiles
+ loki.sysusers loki.service loki.tmpfiles)
sha512sums=('db2c5e81b2b24d884f2c56531e577beae693cc06e30fe74b4d89b6b1c3857992396aeb46877ab5b787b268741cc9de75fd5ed53c548de6abac701afe97477df2'
'2b6c44b18ea3c9f955a7450222180d0b20b5fc551d0b7e5d0d8949e40adc847c4166829146260f87a75732cc5473eab0347dd56fc2125517698bac0652738c74'
- 'a3d08bffb40b496d020bde93cc7a76e315e35aa8d3372585fe49de9e916759e0b904148f3a0d89b832fabceb83ef129ad0c455dea8bc476f4cdf7e4c7ef7a53b'
- '598042c40673a7914c5a1eeccfb78f832379a61f4360212c5d86f667343cf2fc78e98d9025f9717ea64f3e16e0a28f08cd7709706d811656722019f6167dd788')
+ 'a3427ddecada33b90658635962c4ea36ced6b9d0e1686ce898884980c2ce1a82be2ddcfa6b42736392653f48fa561408633d6016b77e2b513029ba0cec977727'
+ '598042c40673a7914c5a1eeccfb78f832379a61f4360212c5d86f667343cf2fc78e98d9025f9717ea64f3e16e0a28f08cd7709706d811656722019f6167dd788'
+ 'f00b3cb64b71d3ca5a422a2bdff1f81a3e2707c4f73bcb27e24338eabff039b96125c847aaae43c9b22ccc47f89585118c1d0e0b29c4eb7b6f9260c68f8a8324'
+ '3c40d70366ee0ac3d11c87a818d82dfb4e64143e905187b287f7716ee009640bab6676b8a348e526458a00e4cff35fbd8e9d81bdaa6db38a5d673294f09e6638'
+ 'de40d1e6752edbf8c21317ce1ee10f98dfc869e569c07092c613f7144e261e9438683a145a2e0e37e2a9fc758c5c2f02e1d0ac1c60347e98b147e4a550ec6040')
build() {
cd loki-$pkgver
@@ -22,16 +27,19 @@
LDFLAGS="-extldflags $LDFLAGS"
go build \
+ -mod=vendor \
-trimpath \
-ldflags "$LDFLAGS" \
./cmd/loki
go build \
+ -mod=vendor \
-trimpath \
-ldflags "$LDFLAGS" \
./cmd/promtail
go build \
+ -mod=vendor \
-trimpath \
-ldflags "$LDFLAGS" \
./cmd/logcli
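Review bot: The three added `-mod=vendor` flags have no comment explaining why they are there, and the reason matters for supply-chain review. Assuming the release tarball ships a vendor/ tree, the flag makes `go build` resolve every dependency from the archive already pinned by the first sha512sums entry rather than fetching modules at build time. I would add one line above the first `go build`: `# -mod=vendor: build only from the deps vendored in the checksummed tarball, no module downloads`. build() starts in the previous hunk and ends outside this one.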
@@ -51,7 +59,13 @@
install -Dm644 cmd/promtail/promtail-local-config.yaml $pkgdir/etc/loki/promtail.yaml
install -Dm644 cmd/loki/loki-local-config.yaml $pkgdir/etc/loki/loki.yaml
+ # Promtail
install -Dm644 ${srcdir}/promtail.sysusers "$pkgdir/usr/lib/sysusers.d/promtail.conf"
+ install -Dm644 ${srcdir}/promtail.tmpfiles "$pkgdir/usr/lib/tmpfiles.d/promtail.conf"
install -Dm644 ${srcdir}/promtail.service "$pkgdir/usr/lib/systemd/system/promtail.service"
- install -Dm644 ${srcdir}/promtail.tmpfiles "$pkgdir/usr/lib/tmpfiles.d/promtail.conf"
+
+ # Loki
+ install -Dm644 ${srcdir}/loki.sysusers "$pkgdir/usr/lib/sysusers.d/loki.conf"
+ install -Dm644 ${srcdir}/loki.tmpfiles "$pkgdir/usr/lib/tmpfiles.d/loki.conf"
+ install -Dm644 ${srcdir}/loki.service "$pkgdir/usr/lib/systemd/system/loki.service"
}
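Review bot: The new Loki install lines expand `${srcdir}` unquoted while `$pkgdir` on the same line is quoted, so a build directory containing whitespace would split the source argument. Quoting both keeps the lines consistent, e.g. `install -Dm644 "$srcdir/loki.service" "$pkgdir/usr/lib/systemd/system/loki.service"`. The same applies to the Promtail lines and to the two unquoted `$pkgdir` uses in the context lines at the top of the hunk. The function body starts outside this hunk.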
Modified: loki.service
===================================================================
--- loki.service 2020-01-27 15:47:00 UTC (rev 374087)
+++ loki.service 2020-01-27 15:54:48 UTC (rev 374088)
@@ -1,7 +1,27 @@
[Unit]
Description=Loki is a horizontally-scalable, highly-available, multi-tenant log aggregation system
+After=network.target
[Service]
Type=simple
-ExecStart=/usr/bin/loki -config.file /etc/loki/loki.yaml
+ExecStart=/usr/bin/loki -boltdb.dir /var/lib/loki/index -local.chunk-directory /var/lib/loki/chunks -config.file /etc/loki/loki.yaml
TimeoutStopSec=30s
+User=loki
+
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/loki
+PrivateTmp=true
+
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+
+[Install]
+WantedBy=multi-user.target
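Review bot: `MemoryDenyWriteExecute=true` and `RestrictRealtime=true` are added without `SystemCallArchitectures=native`, which systemd.exec recommends pairing with them because the filters can otherwise be sidestepped through a secondary ABI. The same applies to the two lines added in promtail.service. For a network daemon running as `User=loki` I would also consider `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` and an empty `CapabilityBoundingSet=`, after testing against the real listener configuration. `ReadWritePaths=/var/lib/loki` makes the unit fail to start if the directory is missing, so it relies on loki.tmpfiles (not shown here) creating it owned by loki.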
Modified: promtail.service
===================================================================
--- promtail.service 2020-01-27 15:47:00 UTC (rev 374087)
+++ promtail.service 2020-01-27 15:54:48 UTC (rev 374088)
@@ -9,10 +9,14 @@
TimeoutStopSec=30s
NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+
ProtectHome=true
-# Needs to write to /var/log/positions.yml
-#ProtectSystem=full
+ProtectSystem=strict
+ReadWritePaths=/var/lib/promtail
PrivateTmp=true
+
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
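Review bot: `ProtectSystem=strict` with `ReadWritePaths=/var/lib/promtail` only works if promtail's positions file actually lives under that directory, and nothing visible in this commit moves it there. The removed comment says the service wrote to /var/log/positions.yml, and the PKGBUILD installs upstream's promtail-local-config.yaml unchanged as /etc/loki/promtail.yaml. Please confirm the positions path in that config or in ExecStart (outside this hunk); otherwise the write will either fail on the read-only filesystem or, if the path is under /tmp, land in the `PrivateTmp=true` namespace and be lost on restart. A short comment above the line would record the dependency, e.g. `# positions file must be under /var/lib/promtail`.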