fix(node_exporter): Fix ProtectHome for textfiles

Set the node_exporter `ProtectHome=read-only` when the textfile dir is in `/home`. Fixes: #183 Signed-off-by: SuperQ <[email protected]>
prometheus-community · Aug 17, 2023 · 55507f9 · 55507f9
1 parent c3d24a0
commit 55507f9
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/roles/node_exporter/molecule/latest/converge.yml b/roles/node_exporter/molecule/latest/converge.yml
@@ -6,3 +6,4 @@
     - prometheus.prometheus.node_exporter
   vars:
     node_exporter_version: latest
+    node_exporter_textfile_dir: "/home/node_exporter"
diff --git a/...molecule/latest/tests/test_alternative.py → ...rter/molecule/latest/tests/test_latest.py b/...molecule/latest/tests/test_alternative.py → ...rter/molecule/latest/tests/test_latest.py
@@ -19,6 +19,16 @@ def test_files(host, files):
     assert f.is_file
 
 
+def test_directories(host):
+    dirs = [
+        "/home/node_exporter"
+    ]
+    for dir in dirs:
+        d = host.file(dir)
+        assert d.is_directory
+        assert d.exists
+
+
 def test_service(host):
     s = host.service("node_exporter")
     # assert s.is_enabled
@@ -28,7 +38,7 @@ def test_service(host):
 def test_protecthome_property(host):
     s = host.service("node_exporter")
     p = s.systemd_properties
-    assert p.get("ProtectHome") == "yes"
+    assert p.get("ProtectHome") == "read-only"
 
 
 def test_socket(host):

diff --git a/roles/node_exporter/templates/node_exporter.service.j2 b/roles/node_exporter/templates/node_exporter.service.j2
@@ -42,6 +42,9 @@ StartLimitInterval=0
 {% for m in ansible_mounts if m.mount.startswith('/home') %}
 {%   set ns.protect_home = 'read-only' %}
 {% endfor %}
+{% if node_exporter_textfile_dir.startswith('/home') %}
+{%   set ns.protect_home = 'read-only' %}
+{% endif %}
 ProtectHome={{ ns.protect_home }}
 NoNewPrivileges=yes