Disable device sandboxing for squid on idris

diff --git a/cookbooks/squid/attributes/default.rb b/cookbooks/squid/attributes/default.rb
index 7b7333d444b8df0dab1d580d39a57a169f585521..ea3b97375dd51dee625487017b5f2501bad9702d 100644 (file)
--- a/cookbooks/squid/attributes/default.rb
+++ b/cookbooks/squid/attributes/default.rb
@@ -2,5 +2,6 @@ default[:squid][:version] = 4
 default[:squid][:cache_mem] = "256 MB"
 default[:squid][:cache_dir] = "ufs /var/spool/squid 256 16 256"
 default[:squid][:access_log] = "/var/log/squid/access.log openstreetmap"
+default[:squid][:private_devices] = true
 
 default[:apt][:sources] = node[:apt][:sources] | ["squid#{node[:squid][:version]}"]

diff --git a/cookbooks/squid/recipes/default.rb b/cookbooks/squid/recipes/default.rb
index b46cafe3a84d430ef9d3bdbba2e347c98f458707..e04a216e8d120b386eae1b4ef81a351755a559bd 100644 (file)
--- a/cookbooks/squid/recipes/default.rb
+++ b/cookbooks/squid/recipes/default.rb
@@ -108,7 +108,7 @@ systemd_service "squid" do
   dropin "chef"
   limit_nofile 98304
   private_tmp true
-  private_devices true
+  private_devices node[:squid][:private_devices]
   protect_system "full"
   protect_home true
   restrict_address_families address_families

diff --git a/roles/idris.rb b/roles/idris.rb
index 0d9ddd5c87294e8f77eed2815660997c67f2c18d..4308c95ab269670a0824565ddc52b273e2cb3448 100644 (file)
--- a/roles/idris.rb
+++ b/roles/idris.rb
@@ -36,7 +36,8 @@ default_attributes(
       "rock /store/squid/rock-8192 25000 swap-timeout=200 slot-size=8192 min-size=3997 max-size=8092",
       "rock /store/squid/rock-16384 35000 swap-timeout=200 slot-size=16384 min-size=8093 max-size=16284",
       "rock /store/squid/rock-32768 45000 swap-timeout=200 slot-size=32768 min-size=16285 max-size=262144"
-    ]
+    ],
+    :private_devices => false
   },
   :nginx => {
     :cache => {