include # Docker overlay @{docker_root}=/docker/ /var/lib/docker/ @{fs_root}=/ @{docker_root}/overlay2/*/diff/ @{do_etc}=@{fs_root}/etc/ @{do_opt}=@{fs_root}/opt/ @{do_run}=@{fs_root}/{run,var/run}/ @{do_usr}=@{fs_root}/usr/ @{do_var}=@{fs_root}/var/ # Systemd Journal location @{journald}=/{run,var}/log/journal/{,**} profile promtail flags=(attach_disconnected,mediate_deleted) { include include # Send signals to child services signal (send) peer=@{profile_name}//*, # Network access network tcp, network udp, # S6-Overlay /init rix, /bin/** rix, /usr/bin/** rix, @{do_etc}/s6*/** r, @{do_etc}/fix-attrs.d/{,**} r, @{do_etc}/cont-{init,finish}.d/{,**} rwix, @{do_etc}/services.d/{,**} rwix, @{do_run}/{s6,s6-rc*,service}/** rix, /command/** rix, /package/** rix, @{do_run}/{,**} rwk, /dev/tty rw, @{do_usr}/lib/locale/{,**} r, @{do_etc}/ssl/openssl.cnf r, @{do_etc}/{group,hosts,passwd} r, @{do_etc}/{host,nsswitch,resolv}.conf r, /dev/null k, # https://github.com/hassio-addons/addon-debian-base/blob/main/base/rootfs/etc/cont-init.d/02-set-timezone.sh # Wants to link /etc/localtime but apparmor sees a random hash so * it is. @{do_etc}/* rw, @{do_usr}/share/zoneinfo/{,**} r, # Bashio /usr/lib/bashio/** ix, /tmp/** rw, # Options.json & addon data /data r, /data/** rw, # Files needed for setup @{do_etc}/promtail/{,**} rw, /config/promtail/{,**} r, /{share,ssl}/{,**} r, @{journald} r, # Programs /usr/bin/promtail cx -> promtail, /usr/bin/yq Cx, profile promtail flags=(attach_disconnected,mediate_deleted) { include # Receive signals from s6 signal (receive) peer=*_promtail, # Network access network tcp, network udp, network netlink raw, network unix dgram, # Temp files /tmp/.positions.yaml* rw, # Addon data /data/** r, /data/promtail/** rwk, # Config & log data @{do_etc}/promtail/config.yaml r, /config/promtail/{,**} r, /{share,ssl}/** r, @{journald} r, # Runtime usage /usr/bin/promtail rm, @{do_etc}/{hosts,passwd} r, @{do_etc}/{resolv,nsswitch}.conf r, @{PROC}/sys/net/core/somaxconn r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, /dev/null k, @{do_etc}/ssl/certs/** r, } profile /usr/bin/yq flags=(attach_disconnected,mediate_deleted) { include # Config files @{do_etc}/promtail/* rw, /config/promtail/{,**} r, /share/** r, # Runtime usage /usr/bin/yq rm, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, /dev/null k, } }