feat(ipmi-exporter): add option to run ipmi-exporter with sudo

Author: guivin

roles/ipmi_exporter/defaults/main.yml

@@ -30,3 +30,6 @@ ipmi_exporter_config_dir: /etc/ipmi_exporter
 
 # Local path to stash the archive and its extraction
 ipmi_exporter_local_cache_path: "/tmp/ipmi_exporter-{{ ansible_facts['system'] | lower }}-{{ _ipmi_exporter_go_ansible_arch }}/{{ ipmi_exporter_version }}"
+
+ipmi_exporter_run_with_sudo: true
+ipmi_exporter_sudoers_name: "99-ipmi-exporter"

roles/ipmi_exporter/tasks/configure.yml

@@ -30,3 +30,10 @@
     - ipmi_exporter
     - configure
     - ipmi_exporter_configure
+
+- name: Create the sudoers file to run ipmi commands
+  community.general.sudoers:
+    name: "{{ ipmi_exporter_sudoers_name }}"
+    user: "{{ ipmi_exporter_system_user }}"
+    commands: "{{ _ipmi_exporter_sudo_commands }}"
+  when: ipmi_exporter_run_with_sudo

roles/ipmi_exporter/templates/ipmi_exporter.service.j2

@@ -23,13 +23,18 @@ RestartSec=1
 StartLimitInterval=0
 
 ProtectHome=yes
+
+{% if ipmi_exporter_run_with_sudo %}
 NoNewPrivileges=yes
+{% endif %}
 
 {% if (ansible_facts.packages.systemd | first).version is version('232', '>=') %}
 ProtectSystem=strict
 ProtectControlGroups=true
+{% if ipmi_exporter_run_with_sudo %}
 ProtectKernelModules=true
 ProtectKernelTunables=yes
+{% endif %}
 PrivateTmp=true
 {% else %}
 ProtectSystem=full

roles/ipmi_exporter/vars/main.yml

@@ -10,3 +10,11 @@ _ipmi_exporter_binaries: ['ipmi_exporter']
 _ipmi_exporter_dependencies: "{{ (ansible_facts['pkg_mgr'] == 'apt')
                               | ternary((['python-apt'] if ansible_facts['python_version'] is version('3', '<') else ['python3-apt']),
                               []) + ['freeipmi'] }}"
+_ipmi_exporter_sudo_commands:
+  - /usr/sbin/ipmimonitoring
+  - /usr/sbin/ipmi-sensors
+  - /usr/sbin/ipmi-dcmi
+  - /usr/sbin/ipmi-raw
+  - /usr/sbin/bmc-info
+  - /usr/sbin/ipmi-chassis
+  - /usr/sbin/ipmi-sel