From 96ff3df09a8b4c5c1cfdfc06dd9b3e19651f31bc Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Fri, 14 Jan 2022 17:50:36 +0100
Subject: [PATCH] Do not run ironic-prometheus-exporter as root

Change-Id: Iffaf74e537a5b9c72c99ab983e53c38a2d14b139
---
 .../templates/ironic-prometheus-exporter.service.j2 | 2 ++
 releasenotes/notes/prometheus-user-e75a43f1b13e0049.yaml | 4 ++++
 2 files changed, 6 insertions(+)
 create mode 100644 releasenotes/notes/prometheus-user-e75a43f1b13e0049.yaml

diff --git a/playbooks/roles/bifrost-ironic-install/templates/ironic-prometheus-exporter.service.j2 b/playbooks/roles/bifrost-ironic-install/templates/ironic-prometheus-exporter.service.j2
index b8917e430..7393a042a 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/ironic-prometheus-exporter.service.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/ironic-prometheus-exporter.service.j2
@@ -8,3 +8,5 @@ ExecStart={{ bifrost_venv_dir }}/bin/gunicorn ironic_prometheus_exporter.app.wsg
 --bind {{ prometheus_exporter_host }}:{{ prometheus_exporter_port}} \
 --env IRONIC_CONFIG=/etc/ironic/ironic.conf \
 --workers 2 --threads 2 --access-logfile=- --error-logfile=-
+User=ironic
+Group=ironic
diff --git a/releasenotes/notes/prometheus-user-e75a43f1b13e0049.yaml b/releasenotes/notes/prometheus-user-e75a43f1b13e0049.yaml
new file mode 100644
index 000000000..34e98f2ea
--- /dev/null
+++ b/releasenotes/notes/prometheus-user-e75a43f1b13e0049.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ Ironic Prometheus Exporter is now run as the ``ironic`` user, not as root.
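Review bot: The added `User=ironic` / `Group=ironic` lines in ironic-prometheus-exporter.service.j2 drop root, but no systemd sandboxing is visible next to them, so the exporter keeps everything the shared ironic service account can reach, including the credentials usually stored in `/etc/ironic/ironic.conf`. If the exporter needs no write access outside its own data (to be confirmed), adding `NoNewPrivileges=true` and `ProtectSystem=full` after the new lines would narrow that further. The unit's first seven lines are outside the hunk, so some of this may already be set there. Separately, gunicorn now binds as an unprivileged user, so a deployment that overrides `prometheus_exporter_port` with a value below 1024 would fail to start unless the unit grants `AmbientCapabilities=CAP_NET_BIND_SERVICE`; a sentence in the release note would spare operators that surprise on upgrade.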