Merge pull request #68 from bdossantos/fix/systemd-AmbientCapabilities

fix: use AmbientCapabilities only when systemd version is >= 230
ansible-community · Nov 16, 2018 · 2da7a47 · 2da7a47
2 parents db34a0c + 6c15be4
commit 2da7a47
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -134,6 +134,14 @@
     - not ansible_os_family == "FreeBSD"
     - not ansible_os_family == "Solaris"
 
+- name: extract systemd version
+  shell: systemctl --version systemd | head -n 1 | cut -d' ' -f2
+  register: systemd_version
+  when:
+    - ansible_service_mgr == "systemd"
+    - not ansible_os_family == "FreeBSD"
+    - not ansible_os_family == "Solaris"
+
 - name: systemd unit
   template:
     src: "{{ vault_systemd_template }}"
@@ -145,6 +153,7 @@
     - ansible_service_mgr == "systemd"
     - not ansible_os_family == "FreeBSD"
     - not ansible_os_family == "Solaris"
+    - systemd_version is defined
 
 - name: Start Vault
   service:

diff --git a/templates/vault_systemd.service.j2 b/templates/vault_systemd.service.j2
@@ -25,7 +25,9 @@ PrivateTmp=yes
 PrivateDevices=yes
 SecureBits=keep-caps
 Capabilities=CAP_IPC_LOCK+ep
+{% if systemd_version | version_compare('230', '>=') %}
 AmbientCapabilities=CAP_SYSLOG CAP_IPC_LOCK
+{% endif %}
 CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
 NoNewPrivileges=yes
 ExecStart={{ vault_bin_path }}/vault server -config={{ vault_main_config }} {% if vault_log_level is defined %}-log-level={{ vault_log_level | lower }}