diff --git a/README.md b/README.md
index cf7e53b..a988741 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 Monitoring system and time series database
-**Shipped version:** 2.33.1~ynh1
+**Shipped version:** 2.33.5~ynh1
 **Demo:** https://demo.do.prometheus.io
diff --git a/README_fr.md b/README_fr.md
index 6a6208a..7986b0c 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 Supervision chronologique de systèmes et services
-**Version incluse :** 2.33.1~ynh1
+**Version incluse :** 2.33.5~ynh1
 **Démo :** https://demo.do.prometheus.io
diff --git a/conf/app.386.src b/conf/app.386.src
index a6dba8c..1cf2870 100644
--- a/conf/app.386.src
+++ b/conf/app.386.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.1/prometheus-2.33.1.linux-386.tar.gz
-SOURCE_SUM=2a02adc1ba695c4efd0ca9c466d253c4c3008d49c2d65339ce4f0f98e2052ee2
+SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.5/prometheus-2.33.5.linux-386.tar.gz
+SOURCE_SUM=69a7a4c2d47d39a9f61ce62813c689e77992dd20489fdde1525c6678240fd145
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
diff --git a/conf/app.amd64.src b/conf/app.amd64.src
index 1ff5a63..f13180d 100644
--- a/conf/app.amd64.src
+++ b/conf/app.amd64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.1/prometheus-2.33.1.linux-amd64.tar.gz
-SOURCE_SUM=55de29727fc4d3977d3400c54fa222ebb52755bd0201936f1e1052fea6f2b44b
+SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.5/prometheus-2.33.5.linux-amd64.tar.gz
+SOURCE_SUM=53876d18d4ed2d02a35797d91b09e9057621b495415703be77dd29956002514d
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
diff --git a/conf/app.arm64.src b/conf/app.arm64.src
index abc695c..7ad257f 100644
--- a/conf/app.arm64.src
+++ b/conf/app.arm64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.1/prometheus-2.33.1.linux-arm64.tar.gz
-SOURCE_SUM=21d89df7a98882a1a872bd3210aeaac3915a7f7be9f2ad28c986c80ad64ee77d
+SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.5/prometheus-2.33.5.linux-arm64.tar.gz
+SOURCE_SUM=538f558d37e7863db57b3e81ba7133e2ba397b9db0c3b3e481885296b5956073
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
diff --git a/conf/app.armv5.src b/conf/app.armv5.src
index 8f15a66..5b35c6f 100644
--- a/conf/app.armv5.src
+++ b/conf/app.armv5.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.1/prometheus-2.33.1.linux-armv5.tar.gz
-SOURCE_SUM=bc51a6073ac1d90c8ebd548694baeb8c6dff91945cf00b763c65a11412b7f945
+SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.5/prometheus-2.33.5.linux-armv5.tar.gz
+SOURCE_SUM=505e9f7546d434c3c58c7b264a7fa50b2a07848c7232688452a76c6b99259c14
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
diff --git a/conf/app.armv6.src b/conf/app.armv6.src
index e35210d..d03b5f8 100644
--- a/conf/app.armv6.src
+++ b/conf/app.armv6.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.1/prometheus-2.33.1.linux-armv6.tar.gz
-SOURCE_SUM=16769a890ce803f571a5c68689dd9c6401a9d80e491352eaefd5eeff6441e460
+SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.5/prometheus-2.33.5.linux-armv6.tar.gz
+SOURCE_SUM=eb6c0a309de29805323b34a90e898689fbe15e4e4215e149cabe2d883f275740
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
diff --git a/conf/app.armv7.src b/conf/app.armv7.src
index b49fcd6..1659bcb 100644
--- a/conf/app.armv7.src
+++ b/conf/app.armv7.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.1/prometheus-2.33.1.linux-armv7.tar.gz
-SOURCE_SUM=09e285f098c36a5f2e7cf065fb38bd8f65ef262aeda728aac48b8cbb40ef34cc
+SOURCE_URL=https://github.com/prometheus/prometheus/releases/download/v2.33.5/prometheus-2.33.5.linux-armv7.tar.gz
+SOURCE_SUM=4b6730e0fa483328c27af0bd7a0a14c9f0ea13536c83c40552ea847d6f5afac8
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
diff --git a/conf/nginx.conf b/conf/nginx.conf
index a25d1a1..7415ad6 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,11 +1,6 @@
 #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
 location __PATH__ {
- # Force usage of https
- if ($scheme = http) {
- rewrite ^ https://$server_name$request_uri? permanent;
- }
-
 proxy_pass http://127.0.0.1:__PORT__;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
diff --git a/conf/systemd.service b/conf/systemd.service
index d7eda5c..3d38ec8 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -15,5 +15,35 @@ ExecStart=__FINALPATH__/prometheus \
 StandardOutput=append:/var/log/__APP__/__APP__.log
 StandardError=inherit
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 9d903ab..b7e7aec 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Monitoring system and time series database",
 "fr": "Supervision chronologique de systèmes et services"
 },
- "version": "2.33.1~ynh1",
+ "version": "2.33.5~ynh1",
 "url": "https://prometheus.io",
 "upstream": {
 "license": "Apache-2.0",
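Review bot: In conf/systemd.service, `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` names a capability that does not exist; capabilities(7), which the comment above it links, calls it `CAP_SYS_RAWIO`. An unknown name is most likely skipped with only a log warning, so raw I/O access would stay in the bounding set while the unit looks hardened. The line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`, and running `systemd-analyze security` against the installed unit would confirm which restrictions actually took effect. The [Service] section starts above this hunk, so whether the unit also sets an unprivileged `User=` cannot be checked from here.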
@@ -21,7 +21,7 @@
 "email": "tituspijean@outlook.com"
 },
 "requirements": {
- "yunohost": ">= 4.1.3"
+ "yunohost": ">= 4.3"
 },
 "multi_instance": true,
 "services": [
@@ -33,8 +33,7 @@
 "install": [
 {
 "name": "domain",
- "type": "domain",
- "example": "example.com"
+ "type": "domain"
 },
 {
 "name": "path",
@@ -44,8 +43,7 @@
 },
 {
 "name": "admin",
- "type": "user",
- "example": "johndoe"
+ "type": "user"
 }
 ]
 }
diff --git a/scripts/restore b/scripts/restore
index 2eacfe6..bf0532a 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -38,8 +38,6 @@ port=$(ynh_app_setting_get --app=$app --key=port)
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..." --weight=1
-ynh_webpath_available --domain=$domain --path_url=$path_url \
- || ynh_die --message="Path not available: ${domain}${path_url}"
 test ! -d $final_path \
 || ynh_die --message="There is already a directory: $final_path "