diff --git a/roles/node_exporter/molecule/latest/converge.yml b/roles/node_exporter/molecule/latest/converge.yml
index 020438535..049f022e2 100644
--- a/roles/node_exporter/molecule/latest/converge.yml
+++ b/roles/node_exporter/molecule/latest/converge.yml
@@ -6,3 +6,4 @@
 - prometheus.prometheus.node_exporter
 vars:
 node_exporter_version: latest
+ node_exporter_textfile_dir: "/home/node_exporter"
diff --git a/roles/node_exporter/molecule/latest/tests/test_alternative.py b/roles/node_exporter/molecule/latest/tests/test_latest.py
similarity index 78%
rename from roles/node_exporter/molecule/latest/tests/test_alternative.py
rename to roles/node_exporter/molecule/latest/tests/test_latest.py
index f2636ecd9..d33fea31c 100644
--- a/roles/node_exporter/molecule/latest/tests/test_alternative.py
+++ b/roles/node_exporter/molecule/latest/tests/test_latest.py
@@ -19,6 +19,16 @@ def test_files(host, files):
 assert f.is_file
 
 
+def test_directories(host):
+ dirs = [
+ "/home/node_exporter"
+ ]
+ for dir in dirs:
+ d = host.file(dir)
+ assert d.is_directory
+ assert d.exists
+
+
 def test_service(host):
 s = host.service("node_exporter")
 # assert s.is_enabled
@@ -28,7 +38,7 @@ def test_service(host):
 def test_protecthome_property(host):
 s = host.service("node_exporter")
 p = s.systemd_properties
- assert p.get("ProtectHome") == "yes"
+ assert p.get("ProtectHome") == "read-only"
 
 
 def test_socket(host):
diff --git a/roles/node_exporter/templates/node_exporter.service.j2 b/roles/node_exporter/templates/node_exporter.service.j2
index e68535556..36c450347 100644
--- a/roles/node_exporter/templates/node_exporter.service.j2
+++ b/roles/node_exporter/templates/node_exporter.service.j2
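Review bot: The new `test_directories` in tests/test_latest.py only checks that `/home/node_exporter` exists and is a directory, so the scenario would still pass if the role left the textfile directory writable by any local user. Anything written there ends up in the exporter's output, so the test should pin the ownership and mode the role is expected to set (presumably defined in the role's tasks, which this hunk does not show). At minimum, add `assert not d.mode & 0o002`. The loop variable `dir` shadows the builtin, so `for path in dirs:` would be cleaner, and `assert d.exists` reads more naturally before `assert d.is_directory`.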
@@ -42,6 +42,9 @@ StartLimitInterval=0
 {% for m in ansible_mounts if m.mount.startswith('/home') %}
 {% set ns.protect_home = 'read-only' %}
 {% endfor %}
+{% if node_exporter_textfile_dir.startswith('/home') %}
+{% set ns.protect_home = 'read-only' %}
+{% endif %}
 ProtectHome={{ ns.protect_home }}
 NoNewPrivileges=yes
 
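Review bot: The added `node_exporter_textfile_dir.startswith('/home')` test is a bare string-prefix match, so a path such as `/homework/metrics` also downgrades `ProtectHome` to `read-only`, while a textfile directory under `/root` or `/run/user` (both also hidden by `ProtectHome=yes`) is not handled. A tighter condition would be `{% if node_exporter_textfile_dir == '/home' or node_exporter_textfile_dir.startswith('/home/') %}`. `read-only` also makes every home directory visible to the service just to reach one directory. Where the target systemd supports it, `ProtectHome=tmpfs` together with `BindReadOnlyPaths={{ node_exporter_textfile_dir }}` would expose only the collector directory. The unit's `[Service]` section begins and continues outside this hunk, so any existing version gating for such directives is not visible here.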