X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/3fa753aa704c2d806046d083efe866ba39d87122..0475454f0df92b64713b744a9379fc6142f8438b:/cookbooks/hardware/recipes/default.rb diff --git a/cookbooks/hardware/recipes/default.rb b/cookbooks/hardware/recipes/default.rb index 6679bb178..48e8f2888 100644 --- a/cookbooks/hardware/recipes/default.rb +++ b/cookbooks/hardware/recipes/default.rb @@ -186,6 +186,8 @@ if File.exist?("/etc/default/grub") end end +package "initramfs-tools" + execute "update-initramfs" do action :nothing command "update-initramfs -u -k all" @@ -219,6 +221,10 @@ if node[:kernel][:modules].include?("ipmi_si") prometheus_exporter "ipmi" do port 9290 + user "root" + private_devices false + protect_clock false + system_call_filter ["@system-service", "@raw-io"] options "--config.file=/etc/prometheus/ipmi_local.yml" subscribes :restart, "template[/etc/prometheus/ipmi_local.yml]" end @@ -253,6 +259,7 @@ end prometheus_exporter "rasdaemon" do port 9797 + user "root" end tools_packages = [] @@ -530,6 +537,11 @@ if disks.count.positive? prometheus_collector "smart" do interval "15m" + user "root" + capability_bounding_set %w[CAP_DAC_OVERRIDE CAP_SYS_ADMIN CAP_SYS_RAWIO] + private_devices false + private_users false + protect_clock false end # Don't try and do munin monitoring of disks behind @@ -688,4 +700,11 @@ end prometheus_collector "ohai" do interval "15m" + user "root" + proc_subset "all" + capability_bounding_set %w[CAP_DAC_OVERRIDE CAP_SYS_ADMIN] + private_devices false + private_users false + protect_clock false + protect_kernel_modules false end
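Review bot: The `prometheus_exporter "ipmi"` block now runs a service listening on port 9290 as root, and nothing in the hunk bounds root's capabilities; the `prometheus_exporter "rasdaemon"` hunk (port 9797) does the same with only `user "root"`. The smart and ohai collectors later in this diff do set `capability_bounding_set`, so unless the resource's default already drops capabilities (not visible here), the two long-running listeners end up with more privilege than the timer-driven jobs. I would add a line of the form `capability_bounding_set %w[<capabilities the exporter needs>]` to both, with the set determined by testing. A one-line comment above `system_call_filter` should also say why `@raw-io` is required, since that group admits port-I/O system calls. The ipmi block sits inside `if node[:kernel][:modules].include?("ipmi_si")`, which starts and ends outside the hunk.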
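Review bot: `CAP_SYS_ADMIN` in the `capability_bounding_set` of `prometheus_collector "smart"` leaves the bound weak, because that one capability covers a very wide range of privileged operations; the ohai collector's set has the same entry. The hunk gives no reason for it or for the three sandbox settings switched off beside it. If the reasons are the usual ones for smartctl, record them in a comment, for example `# CAP_SYS_RAWIO: ATA/SCSI pass-through; CAP_SYS_ADMIN: NVMe admin commands; private_devices off to reach the real disks`. `private_users false` and `protect_clock false` deserve the same one-line justification, so a later reader can tell which relaxations can be withdrawn when the collector changes. The block sits inside `if disks.count.positive?`, which starts outside the hunk.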
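Review bot: `protect_kernel_modules false` and `proc_subset "all"` on `prometheus_collector "ohai"` are the two relaxations here whose purpose cannot be read off the rest of the block, and neither is explained. The bounding set still excludes `CAP_SYS_MODULE`, so the first presumably exists only to make the kernel module directories readable. If so, a comment such as `# ohai reads kernel module details; loading modules stays blocked by the capability bounding set` would make that intent explicit. It is also worth confirming by testing that this job needs `CAP_SYS_ADMIN` at all, since dropping it would narrow a root job that runs every 15 minutes.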