Overview

File _hardening.txt of Package prometheus-smartctl_exporter

The exporter must run as root due the underlying smartctl requiring root access (see https://www.smartmontools.org/ticket/1064 for an explanation).
Instead of the upstream systemd unit file a custom one with additional hardening options is used on top of an AppArmor profile.

Notes:
  - PrivateUsers cannot be used
  - CAP_SYS_RAWIO is required for smartctl to read device attributes (SCSI commands / SG_IO)

Mysteries:

Why does
  ProtectClock=yes
cause
  level=error msg="Device open failed, device did not return an IDENTIFY DEVICE structure, or device is in a low-power mode" device=sdX
  level=error msg="Smartctl open device: /dev/sdX failed: Operation not permitted"
on *some* hardware?
openSUSE Build Service is sponsored by
Places