From 4d60167a0a935a141e6300bc1c1fb691a77c49c0 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 27 Sep 2021 21:41:57 +0200
Subject: fix and finalize ipmi exporter
---
 roles/monitoring/prometheus/exporter/base/tasks/main.yml | 5 +++++
 roles/monitoring/prometheus/exporter/base/tasks/tls.yml | 4 ++--
 roles/monitoring/prometheus/exporter/ipmi/templates/service.j2 | 5 ++---
 3 files changed, 9 insertions(+), 5 deletions(-)
(limited to 'roles/monitoring/prometheus/exporter')
diff --git a/roles/monitoring/prometheus/exporter/base/tasks/main.yml b/roles/monitoring/prometheus/exporter/base/tasks/main.yml
index 5f42867d..c69c6e05 100644
--- a/roles/monitoring/prometheus/exporter/base/tasks/main.yml
+++ b/roles/monitoring/prometheus/exporter/base/tasks/main.yml
@@ -13,6 +13,11 @@
 home: /nonexistent
 create_home: no
+- name: create base directory for exporter configs
+ file:
+ path: /etc/prometheus/exporter
+ state: directory
+
 - name: create TLS certificate and key
 import_tasks: tls.yml
diff --git a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
index e34025e4..083ca930 100644
--- a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
+++ b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
@@ -25,7 +25,7 @@
 owner: prometheus-exporter
 group: prometheus-exporter
 mode: 0400
- notify: restart prometheus-exporter-exporter
+ notify: reload nginx
 - name: create signing request for exporter certificate
 openssl_csr:
@@ -86,7 +86,7 @@
 copy:
 content: "{{ prometheus_exporter_server_cert.certificate }}"
 dest: /etc/ssl/prometheus/exporter/crt.pem
- notify: restart prometheus-exporter-exporter
+ notify: reload nginx
 - name: slurp CA certificate
 delegate_to: "{{ prometheus_server }}"
diff --git a/roles/monitoring/prometheus/exporter/ipmi/templates/service.j2 b/roles/monitoring/prometheus/exporter/ipmi/templates/service.j2
index 465215e8..d862e299 100644
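Review bot: The new `file:` task creates /etc/prometheus/exporter with no `owner`, `group` or `mode`, so the resulting permissions depend on the module defaults and the target's umask instead of being declared by the role. Per-exporter config files land underneath (the ipmi unit in this same commit points at /etc/prometheus/exporter/ipmi/config.yml) and such configs may hold credentials, so the directory should be declared explicitly, e.g. `owner: root`, `group: root`, `mode: 0755`, with any sensitive file below it restricted by its own task. The enclosing task list continues on both sides of the hunk.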
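Review bot: Both tls.yml hunks (@@ -25 and @@ -86) switch the handler to `reload nginx`, so nginx becomes the consumer of the key and certificate, yet the file written with `mode: 0400` in the first hunk (presumably the private key; the task name is outside the hunk) stays owned by `prometheus-exporter`. That only works because the nginx master reads certificate material as root; if the exporter process itself no longer reads the key, ownership should follow the consumer, e.g. `owner: root`, `group: root`, `mode: 0400`, so the exporter account has no access to it. Whether a `reload nginx` handler is defined for the plays that import this file is not visible here and should be checked against the nginx role, since an undefined handler fails the play only at notify time.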
--- a/roles/monitoring/prometheus/exporter/ipmi/templates/service.j2
+++ b/roles/monitoring/prometheus/exporter/ipmi/templates/service.j2
@@ -1,22 +1,21 @@
 [Unit]
 Description=Prometheus ipmi exporter
+After=systemd-modules-load.service
 [Service]
 Restart=always
-User=prometheus-exporter
 ExecStart=/usr/bin/prometheus-ipmi-exporter --web.listen-address="127.0.0.1:9290" --config.file=/etc/prometheus/exporter/ipmi/config.yml --freeipmi.path="/usr/sbin"
 ExecReload=/bin/kill -HUP $MAINPID
-{# TODO: test which hardening options need to be removed for IPMI to work... #}
 # systemd hardening-options
 AmbientCapabilities=
 CapabilityBoundingSet=
 DeviceAllow=/dev/null rw
+DeviceAllow=char-ipmidev rw
 DevicePolicy=strict
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
-PrivateDevices=true
 PrivateTmp=true
 ProtectControlGroups=true
 ProtectHome=true
--
cgit v1.2.3
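Review bot: Removing `User=prometheus-exporter` makes the ipmi exporter run as root, and neither the hunk nor the commit message records why, while the `{# TODO … #}` asking which hardening options IPMI needs is deleted without recording the answer. Presumably root and the dropped `PrivateDevices=true` are required so /dev/ipmi* is visible and openable; the empty `AmbientCapabilities=`/`CapabilityBoundingSet=` above and the new `DeviceAllow=char-ipmidev rw` then bound what the root process can do, and that reasoning should sit next to the directives so a later cleanup neither reinstates `User=`/`PrivateDevices=` and breaks the exporter nor drops the capability lines and silently widens it. Suggest a comment in place of the removed TODO: `# no User= and no PrivateDevices=: /dev/ipmi* is root-only; the empty capability sets and DeviceAllow below confine the root process`. `After=systemd-modules-load.service` only orders the unit behind module loading; whether the ipmi device module is actually configured to load is not visible here, and the unit file may continue past `ProtectHome=true`.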