property :environment, :kind_of => Hash, :default => {}
property :protect_proc, String
property :proc_subset, String
+property :capability_bounding_set, [String, Array]
+property :ambient_capabilities, [String, Array]
property :private_devices, [true, false]
+property :private_users, [true, false]
property :protect_clock, [true, false]
property :restrict_address_families, [String, Array]
property :remove_ipc, [true, false]
property :system_call_filter, [String, Array]
property :service, :kind_of => String
+property :labels, :kind_of => Hash, :default => {}
property :scrape_interval, :kind_of => String
property :scrape_timeout, :kind_of => String
property :metric_relabel, :kind_of => Array
property :register_target, :kind_of => [TrueClass, FalseClass], :default => true
+property :ssh, [true, false]
action :create do
+ if new_resource.ssh && new_resource.user.nil?
+ keys = data_bag_item("prometheus", "keys")
+
+ directory "/var/lib/private/prometheus/#{new_resource.exporter}-exporter" do
+ mode "700"
+ recursive true
+ end
+
+ file "/var/lib/private/prometheus/#{new_resource.exporter}-exporter/id_rsa" do
+ content keys["ssh"].join("\n")
+ mode "400"
+ end
+
+ cookbook_file "/var/lib/private/prometheus/#{new_resource.exporter}-exporter/id_rsa.pub" do
+ mode "644"
+ end
+ end
+
systemd_service service_name do
after "network-online.target"
wants "network-online.target"
environment new_resource.environment
exec_start "#{executable_path} #{new_resource.command} #{executable_options}"
sandbox :enable_network => true
+ state_directory "prometheus/#{new_resource.exporter}-exporter" if new_resource.ssh && new_resource.user.nil?
protect_proc new_resource.protect_proc if new_resource.property_is_set?(:protect_proc)
proc_subset new_resource.proc_subset if new_resource.property_is_set?(:proc_subset)
+ capability_bounding_set new_resource.capability_bounding_set if new_resource.property_is_set?(:capability_bounding_set)
+ ambient_capabilities new_resource.ambient_capabilities if new_resource.property_is_set?(:ambient_capabilities)
private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
+ private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
restrict_address_families new_resource.restrict_address_families if new_resource.property_is_set?(:restrict_address_families)
remove_ipc new_resource.remove_ipc if new_resource.property_is_set?(:remove_ipc)
firewall_rule "accept-prometheus-#{new_resource.exporter}" do
action :accept
- source "osm"
- dest "fw"
- proto "tcp:syn"
+ context :incoming
+ protocol :tcp
+ source :osm
dest_ports new_resource.port
only_if { node[:prometheus][:mode] == "external" }
end
node.default[:prometheus][:exporters][new_resource.port] = {
:name => new_resource.exporter,
:address => listen_address,
+ :labels => new_resource.labels,
:scrape_interval => new_resource.scrape_interval,
:scrape_timeout => new_resource.scrape_timeout,
:metric_relabel => new_resource.metric_relabel