Accepting request 928144 from server:monitoring

OBS-URL: https://build.opensuse.org/request/show/928144 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/loki?expand=0&rev=5
2021-10-29 20:34:40 +00:00 · 2021-10-29 20:34:40 +00:00 · c6bf95facb
commit c6bf95facb
parent 892fec9011 7ae04090b7
5 changed files with 58 additions and 0 deletions
--- a/harden_promtail.service.patch
+++ b/harden_promtail.service.patch
@ -0,0 +1,23 @@
 Index: loki-2.2.1+git.1617669398.babea82e/docs/sources/clients/aws/ec2/promtail.service
 ===================================================================
 --- loki-2.2.1+git.1617669398.babea82e.orig/docs/sources/clients/aws/ec2/promtail.service
 +++ loki-2.2.1+git.1617669398.babea82e/docs/sources/clients/aws/ec2/promtail.service
@@ -1,6 +1,18 @@
 [Unit]
 Description=Promtail
 [Service]
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 +ProtectSystem=full
 +ProtectHome=true
 +PrivateDevices=true
 +ProtectHostname=true
 +ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectControlGroups=true
 +RestrictRealtime=true
 +# end of automatic additions 
 User=root
 WorkingDirectory=/opt/promtail/
 ExecStartPre=/bin/sleep 30
--- a/loki.changes
+++ b/loki.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Wed Oct  6 06:11:13 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
  * harden_promtail.service.patch
  Modified:
  * loki.service
  * promtail.service
 -------------------------------------------------------------------
 Fri Jun 25 08:58:58 UTC 2021 - Stefano Torresi <stefano.torresi@suse.com>
--- a/loki.service
+++ b/loki.service
@ -3,6 +3,18 @@ Description=Loki is a horizontally-scalable, highly-available, multi-tenant log
 Documentation=https://github.com/grafana/loki
 [Service]
 # added automatically, for details please see
 # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 ProtectSystem=full
 ProtectHome=true
 PrivateDevices=true
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectControlGroups=true
 RestrictRealtime=true
 # end of automatic additions 
 Restart=always
 User=loki
 EnvironmentFile=-/etc/sysconfig/loki
--- a/loki.spec
+++ b/loki.spec
@ -28,6 +28,7 @@ Source1:        loki.service
 Source2:        promtail.service
 Source3:        sysconfig.loki
 Source4:        sysconfig.promtail
 Patch0:	harden_promtail.service.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  golang-packaging
 BuildRequires:  systemd-devel
@ -57,6 +58,7 @@ This package contains the Promtail client.
 %prep
 %setup -q %{name}-%{version}
 %patch0 -p1
 %build
 %define buildpkg github.com/grafana/loki/pkg/build
--- a/promtail.service
+++ b/promtail.service
@ -3,6 +3,18 @@ Description=promtail is the agent responsible for gathering logs and sending the
 Documentation=https://github.com/grafana/loki/blob/master/docs/promtail.md
 [Service]
 # added automatically, for details please see
 # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 ProtectSystem=full
 ProtectHome=true
 PrivateDevices=true
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectControlGroups=true
 RestrictRealtime=true
 # end of automatic additions 
 Restart=always
 User=loki
 EnvironmentFile=-/etc/sysconfig/promtail