From: Tom Hughes Date: Sat, 3 Dec 2022 11:39:18 +0000 (+0000) Subject: Allow kernel module access for the ohai collector X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/5ace4fe37e3efcb81461114649967b8bc23976f8 Allow kernel module access for the ohai collector
---
diff --git a/cookbooks/hardware/recipes/default.rb b/cookbooks/hardware/recipes/default.rb
index d8bfadbe5..6095cceeb 100644
--- a/cookbooks/hardware/recipes/default.rb
+++ b/cookbooks/hardware/recipes/default.rb
@@ -704,4 +704,5 @@ prometheus_collector "ohai" do
 private_devices false
 private_users false
 protect_clock false
+ protect_kernel_modules false
 end
diff --git a/cookbooks/prometheus/resources/collector.rb b/cookbooks/prometheus/resources/collector.rb
index 0ae8320f7..1dfd8764d 100644
--- a/cookbooks/prometheus/resources/collector.rb
+++ b/cookbooks/prometheus/resources/collector.rb
@@ -31,6 +31,7 @@ property :capability_bounding_set, [String, Array]
 property :private_devices, [true, false]
 property :private_users, [true, false]
 property :protect_clock, [true, false]
+property :protect_kernel_modules, [true, false]
 
 action :create do
 systemd_service service_name do
@@ -49,6 +50,7 @@ action :create do
 private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
 private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
 protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
+ protect_kernel_modules new_resource.protect_kernel_modules if new_resource.property_is_set?(:protect_kernel_modules)
 read_write_paths ["/var/lib/prometheus/node-exporter", "/var/lock", "/var/log"]
 end
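Review bot: The added `protect_kernel_modules false` in the `prometheus_collector "ohai"` block of cookbooks/hardware/recipes/default.rb relaxes more than read access. systemd's ProtectKernelModules= hides /usr/lib/modules, but it also drops CAP_SYS_MODULE from the bounding set and filters the module-loading system calls, so turning it off removes all three guards for this unit. The block starts above the hunk, so I cannot see whether a `capability_bounding_set` is set for this collector; if the collector only needs to read module metadata (presumably for ohai's kernel data, not shown here), please confirm CAP_SYS_MODULE is not granted there. The fourth sandbox opt-out in a row also deserves an inline reason, for example `# ohai reads /usr/lib/modules; module loading is still denied via the capability bounding set` once that is verified.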