From 388093f9ee3d26472d9a185d6a9acbad30a5ddc9 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 22 Sep 2020 17:28:04 +0100
Subject: [PATCH] Disable device sandboxing for squid on idris
---
 cookbooks/squid/attributes/default.rb | 1 +
 cookbooks/squid/recipes/default.rb | 2 +-
 roles/idris.rb | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/cookbooks/squid/attributes/default.rb b/cookbooks/squid/attributes/default.rb
index 7b7333d44..ea3b97375 100644
--- a/cookbooks/squid/attributes/default.rb
+++ b/cookbooks/squid/attributes/default.rb
@@ -2,5 +2,6 @@ default[:squid][:version] = 4
 default[:squid][:cache_mem] = "256 MB"
 default[:squid][:cache_dir] = "ufs /var/spool/squid 256 16 256"
 default[:squid][:access_log] = "/var/log/squid/access.log openstreetmap"
+default[:squid][:private_devices] = true
 default[:apt][:sources] = node[:apt][:sources] | ["squid#{node[:squid][:version]}"]
diff --git a/cookbooks/squid/recipes/default.rb b/cookbooks/squid/recipes/default.rb
index b46cafe3a..e04a216e8 100644
--- a/cookbooks/squid/recipes/default.rb
+++ b/cookbooks/squid/recipes/default.rb
@@ -108,7 +108,7 @@ systemd_service "squid" do
 dropin "chef"
 limit_nofile 98304
 private_tmp true
- private_devices true
+ private_devices node[:squid][:private_devices]
 protect_system "full"
 protect_home true
 restrict_address_families address_families
diff --git a/roles/idris.rb b/roles/idris.rb
index 0d9ddd5c8..4308c95ab 100644
--- a/roles/idris.rb
+++ b/roles/idris.rb
@@ -36,7 +36,8 @@ default_attributes(
 "rock /store/squid/rock-8192 25000 swap-timeout=200 slot-size=8192 min-size=3997 max-size=8092",
 "rock /store/squid/rock-16384 35000 swap-timeout=200 slot-size=16384 min-size=8093 max-size=16284",
 "rock /store/squid/rock-32768 45000 swap-timeout=200 slot-size=32768 min-size=16285 max-size=262144"
- ]
+ ],
+ :private_devices => false
 },
 :nginx => {
 :cache => {
-- 
2.43.2
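Review bot: The new `default[:squid][:private_devices]` attribute in cookbooks/squid/attributes/default.rb carries no comment saying that it controls a sandboxing option, unlike the plain tuning values around it. A reader of the attributes file cannot tell that setting it to false weakens the squid unit. A one-line comment above it would be enough, e.g. `# Maps to systemd PrivateDevices= for the squid unit; keep true unless a host needs access to physical device nodes`.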
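Review bot: With `private_devices node[:squid][:private_devices]` the device hardening becomes all-or-nothing per host. Per the systemd documentation, PrivateDevices=true also implies DevicePolicy=closed and removes CAP_MKNOD and CAP_SYS_RAWIO from the bounding set, so a host that sets the attribute to false loses all of those together. If a host needs only one device node, it could keep the rest by setting `DevicePolicy=closed` with a `DeviceAllow=` entry for that node, provided the systemd_service resource exposes those directives (not visible here). The attribute is also passed through unchecked, and whether the resource rejects nil or a non-boolean cannot be seen from this hunk, so that is worth confirming. The systemd_service block starts and ends outside the hunk.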
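Review bot: `:private_devices => false` in roles/idris.rb turns off a hardening option for this host without recording why, and the commit message gives no reason either. A comment on the line before it, such as `# squid on idris needs <REASON>; PrivateDevices disabled until <CONDITION>`, would let the exception be audited and revisited later. The default_attributes hash starts and ends outside the hunk.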