Allow CAP_SYS_RAWIO for the ohai collector

[chef.git] / cookbooks / hardware / recipes / default.rb

diff --git a/cookbooks/hardware/recipes/default.rb b/cookbooks/hardware/recipes/default.rb
index d8bfadbe5d18dc50c1821f086582fee4be1be738..2af1124797d24f002add58d0ba2a7419782bf31c 100644 (file)
--- a/cookbooks/hardware/recipes/default.rb
+++ b/cookbooks/hardware/recipes/default.rb
@@ -186,6 +186,8 @@ if File.exist?("/etc/default/grub")
   end
 end
 
+package "initramfs-tools"
+
 execute "update-initramfs" do
   action :nothing
   command "update-initramfs -u -k all"
@@ -475,7 +477,7 @@ disks = disks.map do |disk|
     munin = device
   end
 
-  next if device.nil?
+  next if device.nil? || munin.nil?
 
   Hash[
     :device => device,
@@ -536,7 +538,7 @@ if disks.count.positive?
   prometheus_collector "smart" do
     interval "15m"
     user "root"
-    capability_bounding_set "CAP_SYS_ADMIN"
+    capability_bounding_set %w[CAP_DAC_OVERRIDE CAP_SYS_ADMIN CAP_SYS_RAWIO]
     private_devices false
     private_users false
     protect_clock false
@@ -700,8 +702,9 @@ prometheus_collector "ohai" do
   interval "15m"
   user "root"
   proc_subset "all"
-  capability_bounding_set "CAP_SYS_ADMIN"
+  capability_bounding_set %w[CAP_DAC_OVERRIDE CAP_SYS_ADMIN CAP_SYS_RAWIO]
   private_devices false
   private_users false
   protect_clock false
+  protect_kernel_modules false
 end