fix(node_exporter): Fix ProtectHome for textfiles (#184)

Set the node_exporter `ProtectHome=read-only` when the textfile dir is
in `/home`.

Fixes: https://github.com/prometheus-community/ansible/issues/183

Signed-off-by: SuperQ <superq@gmail.com>
Ben Kochie 2023-08-22 14:59:57 +02:00 committed by GitHub
parent b44af63d31
commit d7ad271617
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 1 deletions


@ -4,3 +4,4 @@ provisioner:
group_vars:
all:
node_exporter_version: latest
node_exporter_textfile_dir: /home/node_exporter


@ -19,6 +19,16 @@ def test_files(host, files):
assert f.is_file
def test_directories(host):
dirs = [
"/home/node_exporter"
]
for dir in dirs:
d = host.file(dir)
assert d.is_directory
assert d.exists
def test_service(host):
s = host.service("node_exporter")
try:
@ -35,7 +45,7 @@ def test_service(host):
def test_protecthome_property(host):
s = host.service("node_exporter")
p = s.systemd_properties
assert p.get("ProtectHome") == "yes"
assert p.get("ProtectHome") == "read-only"
def test_socket(host):
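Review bot: In the new `test_directories`, the loop variable `dir` shadows the builtin and `d.is_directory` is asserted before `d.exists`, so a missing directory fails on the less informative check. `for path in dirs:` with `assert d.exists` first would read better. The test also pins only existence; because the service is now allowed to read under `/home`, asserting the directory's `d.user` and `d.mode` against the values the role is meant to set would catch a textfile directory that other accounts can write to. Whether the default `ProtectHome` value of `yes` is still asserted by another scenario is not visible here, since the changed assertion in `test_protecthome_property` now only covers `read-only`.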


@ -42,6 +42,9 @@ StartLimitInterval=0
{% for m in ansible_mounts if m.mount.startswith('/home') %}
{% set ns.protect_home = 'read-only' %}
{% endfor %}
{% if node_exporter_textfile_dir.startswith('/home') %}
{% set ns.protect_home = 'read-only' %}
{% endif %}
ProtectHome={{ ns.protect_home }}
NoNewPrivileges=yes
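Review bot: The added `node_exporter_textfile_dir.startswith('/home')` condition is a bare string-prefix match, so a directory such as `/homework/metrics` (constructed example) would also relax `ProtectHome` to `read-only` although it is not under `/home`. Matching on the path boundary avoids that: `{% if node_exporter_textfile_dir == '/home' or node_exporter_textfile_dir.startswith('/home/') %}`. The mount loop above it uses the same prefix pattern. `ProtectHome=yes` also hides `/root` and `/run/user`, and a textfile directory placed there is not handled by this check. `read-only` makes every home directory readable by the service, so `ProtectHome=tmpfs` combined with `BindReadOnlyPaths={{ node_exporter_textfile_dir }}` would expose only the one directory, provided the oldest systemd version the role targets supports it. The unit template continues outside this hunk.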