From df3dd1c82459b61b4ed549797580de4c37ebad4b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 17:34:32 +0200 Subject: [PATCH] Use --read-only FS for metrics-related containers It seems like it doesn't cause any issues for any of these services. --- roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 | 1 + .../templates/systemd/matrix-prometheus-node-exporter.service.j2 | 1 + .../templates/systemd/matrix-prometheus.service.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 index f2ab66424..a4f81e357 100644 --- a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 +++ b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 @@ -21,6 +21,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-grafana \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ --network={{ matrix_docker_network }} \ {% if matrix_grafana_container_http_host_bind_port %} -p {{ matrix_grafana_container_http_host_bind_port }}:3000 \ diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 583494448..93638c191 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -21,6 +21,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ {% endif %} diff --git a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 index dd3ac72cb..ad75d664a 100644 --- a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 +++ b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 @@ -21,6 +21,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ --network={{ matrix_docker_network }} \ {% if matrix_prometheus_container_http_host_bind_port %} -p {{ matrix_prometheus_container_http_host_bind_port }}:9090 \