Make nftables block various invalid TCP flag combinations

[chef.git] / cookbooks / prometheus / resources / collector.rb

diff --git a/cookbooks/prometheus/resources/collector.rb b/cookbooks/prometheus/resources/collector.rb
index 0ae8320f7ece8563979a4e1ee81a182b8db375fb..9a4870f24d67dd74222c88a96140a7fdcd861c55 100644 (file)
--- a/cookbooks/prometheus/resources/collector.rb
+++ b/cookbooks/prometheus/resources/collector.rb
@@ -31,10 +31,12 @@ property :capability_bounding_set, [String, Array]
 property :private_devices, [true, false]
 property :private_users, [true, false]
 property :protect_clock, [true, false]
+property :protect_kernel_modules, [true, false]
 
 action :create do
   systemd_service service_name do
     description "Prometheus #{new_resource.collector} collector"
+    type "oneshot"
     user new_resource.user
     dynamic_user new_resource.user.nil?
     group "adm"
@@ -49,6 +51,7 @@ action :create do
     private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
     private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
     protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
+    protect_kernel_modules new_resource.protect_kernel_modules if new_resource.property_is_set?(:protect_kernel_modules)
     read_write_paths ["/var/lib/prometheus/node-exporter", "/var/lock", "/var/log"]
   end