X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/48d22e400425013f6deb626dafbfc1f97af97c6f..2292e576096b80fead4e88d0c83f072f9e7c5f60:/cookbooks/hardware/recipes/default.rb
diff --git a/cookbooks/hardware/recipes/default.rb b/cookbooks/hardware/recipes/default.rb
index 656bb58ba..a62288f22 100644
--- a/cookbooks/hardware/recipes/default.rb
+++ b/cookbooks/hardware/recipes/default.rb
@@ -63,6 +63,7 @@ when "HP", "HPE"
 execute "update-ilo" do
 action :nothing
 command "/usr/sbin/hponcfg -f /etc/ilo-defaults.xml"
+ not_if { kitchen? }
 end
 template "/etc/ilo-defaults.xml" do
@@ -145,6 +146,7 @@ end
 units.sort.uniq.each do |unit|
 service "serial-getty@ttyS#{unit}" do
 action [:enable, :start]
+ not_if { kitchen? }
 end
 end
@@ -217,6 +219,10 @@ if node[:kernel][:modules].include?("ipmi_si")
 prometheus_exporter "ipmi" do
 port 9290
+ user "root"
+ private_devices false
+ protect_clock false
+ system_call_filter ["@system-service", "@raw-io"]
 options "--config.file=/etc/prometheus/ipmi_local.yml"
 subscribes :restart, "template[/etc/prometheus/ipmi_local.yml]"
 end
@@ -251,6 +257,7 @@ end
 prometheus_exporter "rasdaemon" do
 port 9797
+ user "root"
 end
 tools_packages = []
@@ -412,9 +419,9 @@ if !intel_ssds.empty? || !intel_nvmes.empty?
 sst_tool_version = "1.3"
 sst_package_version = "#{sst_tool_version}.208-0"
- remote_file "#{Chef::Config[:file_cache_path]}/SST_CLI_Linux_#{sst_tool_version}.zip" do
- source "https://downloadmirror.intel.com/743764/SST_CLI_Linux_#{sst_tool_version}.zip"
- end
+ # remote_file "#{Chef::Config[:file_cache_path]}/SST_CLI_Linux_#{sst_tool_version}.zip" do
+ # source "https://downloadmirror.intel.com/743764/SST_CLI_Linux_#{sst_tool_version}.zip"
+ # end
 execute "#{Chef::Config[:file_cache_path]}/SST_CLI_Linux_#{sst_tool_version}.zip" do
 command "unzip SST_CLI_Linux_#{sst_tool_version}.zip sst_#{sst_package_version}_amd64.deb"
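Review bot: The `prometheus_exporter "ipmi"` block now runs a network-listening exporter (port 9290) as root with `private_devices false`, `protect_clock false` and `@raw-io` added to the syscall filter, but nothing bounds root's capabilities the way the `smart` and `ohai` collectors do with `capability_bounding_set`. If `prometheus_exporter` accepts that property (its definition is not visible here), add one listing only what the IPMI device access needs, and put a comment above the new lines recording why each relaxation is required, e.g. `# root, no PrivateDevices, @raw-io: exporter opens the IPMI device node directly` if that is indeed the reason. The same applies to `user "root"` on `prometheus_exporter "rasdaemon"` in the @@ -251 hunk, which gains root on port 9797 with no stated reason and no capability bound.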
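Review bot: With the `remote_file` resource commented out in the @@ -412 hunk, the `execute` that follows still runs `unzip` on `SST_CLI_Linux_#{sst_tool_version}.zip` in the file cache, so on a fresh node it fails, and elsewhere it unpacks whatever archive is already there without any integrity check. The execute block continues past the hunk, so any guard it carries is not visible. Since the extracted .deb is presumably installed as root, gate the dependent resources on the archive being present, e.g. `only_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/SST_CLI_Linux_#{sst_tool_version}.zip") }`, and when the download is restored pin it with `checksum "<sha256 of the zip>"`. Replace the commented-out code with a single comment stating why the fetch is disabled, such as `# Download disabled: <reason>; the zip must already be in file_cache_path`.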
@@ -528,6 +535,11 @@ if disks.count.positive?
 prometheus_collector "smart" do
 interval "15m"
+ user "root"
+ capability_bounding_set %w[CAP_SYS_ADMIN CAP_SYS_RAWIO]
+ private_devices false
+ private_users false
+ protect_clock false
 end
 # Don't try and do munin monitoring of disks behind
@@ -686,4 +698,11 @@ end
 prometheus_collector "ohai" do
 interval "15m"
+ user "root"
+ proc_subset "all"
+ capability_bounding_set %w[CAP_SYS_ADMIN CAP_DAC_OVERRIDE]
+ private_devices false
+ private_users false
+ protect_clock false
+ protect_kernel_modules false
 end
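Review bot: `capability_bounding_set %w[CAP_SYS_ADMIN CAP_SYS_RAWIO]` on the `smart` collector leaves a root process holding CAP_SYS_ADMIN, which is close to unrestricted, and nothing in the hunk records why it and the three disabled protections are needed. Add a comment above the new lines naming what consumes each one, for example `# CAP_SYS_RAWIO: ATA/SCSI passthrough; CAP_SYS_ADMIN: NVMe admin commands` (assuming the collector drives smartctl), so a later reviewer can tell when a relaxation is no longer required. The `ohai` collector in the @@ -686 hunk has the same gap and goes further with `CAP_DAC_OVERRIDE`, `proc_subset "all"` and `protect_kernel_modules false`. Each of those deserves the same one-line justification, and CAP_DAC_OVERRIDE is worth dropping if ohai only reads files that root already owns.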