Allow kernel module access for the ohai collector
authorTom Hughes <tom@compton.nu>
Sat, 3 Dec 2022 11:39:18 +0000 (11:39 +0000)
committerTom Hughes <tom@compton.nu>
Sat, 3 Dec 2022 11:39:18 +0000 (11:39 +0000)
cookbooks/hardware/recipes/default.rb
cookbooks/prometheus/resources/collector.rb

index d8bfadbe5d18dc50c1821f086582fee4be1be738..6095cceeb4f939c70fd311b6fe8c9e5954d991aa 100644 (file)
@@ -704,4 +704,5 @@ prometheus_collector "ohai" do
   private_devices false
   private_users false
   protect_clock false
+  protect_kernel_modules false
 end
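Review bot: `protect_kernel_modules false` switches off systemd's ProtectKernelModules= sandboxing for the ohai collector, and nothing in the recipe records what the collector needs from it. When that option is enabled, systemd removes CAP_SYS_MODULE from the unit's bounding set, filters the module load/unload system calls and makes /usr/lib/modules inaccessible, so turning it off gives up all three protections. Ohai presumably only needs to read module information, so please confirm that the unit's `capability_bounding_set` (set outside this hunk, if at all) does not include CAP_SYS_MODULE, so the collector still cannot load modules. Once that is confirmed, a comment above the line would record it, for example `# ohai reads kernel module metadata; CAP_SYS_MODULE is not in the bounding set`. The `prometheus_collector "ohai"` block starts outside the hunk, so its other settings are not visible here.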
index 0ae8320f7ece8563979a4e1ee81a182b8db375fb..1dfd8764df27e873b727caf7a34e8a688b22d4d6 100644 (file)
@@ -31,6 +31,7 @@ property :capability_bounding_set, [String, Array]
 property :private_devices, [true, false]
 property :private_users, [true, false]
 property :protect_clock, [true, false]
+property :protect_kernel_modules, [true, false]
 
 action :create do
   systemd_service service_name do
@@ -49,6 +50,7 @@ action :create do
     private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
     private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
     protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
+    protect_kernel_modules new_resource.protect_kernel_modules if new_resource.property_is_set?(:protect_kernel_modules)
     read_write_paths ["/var/lib/prometheus/node-exporter", "/var/lock", "/var/log"]
   end