Improve sandboxing of prometheus collectors

[chef.git] / cookbooks / systemd / templates / default / service.erb

diff --git a/cookbooks/systemd/templates/default/service.erb b/cookbooks/systemd/templates/default/service.erb
index c53439a2b292003868c090dce6e8c8378422d815..1f11ffbf6bdaf1eb2be219f336bba30c81c8c4e8 100644 (file)
--- a/cookbooks/systemd/templates/default/service.erb
+++ b/cookbooks/systemd/templates/default/service.erb
@@ -54,6 +54,9 @@ User=<%= @user %>
 <% if @group -%>
 Group=<%= @group %>
 <% end -%>
+<% if @dynamic_user -%>
+DynamicUser=<%= @dynamic_user %>
+<% end -%>
 <% if @working_directory -%>
 WorkingDirectory=<%= @working_directory %>
 <% end -%>
@@ -111,10 +114,10 @@ StandardOutput=<%= @standard_output %>
 <% if @standard_error -%>
 StandardError=<%= @standard_error %>
 <% end -%>
-<% if @protect_proc -%>
+<% if @protect_proc && node[:lsb][:release].to_f >= 22.04  -%>
 ProtectProc=<%= @protect_proc %>
 <% end -%>
-<% if @proc_subset -%>
+<% if @proc_subset && node[:lsb][:release].to_f >= 22.04 -%>
 ProcSubset=<%= @proc_subset %>
 <% end -%>
 <% if @no_new_privileges -%>
@@ -147,7 +150,7 @@ PrivateDevices=<%= @private_devices %>
 <% if @private_network -%>
 PrivateNetwork=<%= @private_network %>
 <% end -%>
-<% if @private_ipc -%>
+<% if @private_ipc && node[:lsb][:release].to_f >= 22.04 -%>
 PrivateIPC=<%= @private_ipc %>
 <% end -%>
 <% if @private_users -%>