]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/prometheus/resources/exporter.rb
Fix sandboxing of smokeping exporter
[chef.git] / cookbooks / prometheus / resources / exporter.rb
index 581c961ddd4709de25cad39b564eeacb18de921f..0e1d9d6e46a1be1ac8ffd8be33aa0cc836b58dcc 100644 (file)
@@ -33,7 +33,10 @@ property :options, :kind_of => [String, Array]
 property :environment, :kind_of => Hash, :default => {}
 property :protect_proc, String
 property :proc_subset, String
+property :capability_bounding_set, [String, Array]
+property :ambient_capabilities, [String, Array]
 property :private_devices, [true, false]
+property :private_users, [true, false]
 property :protect_clock, [true, false]
 property :restrict_address_families, [String, Array]
 property :remove_ipc, [true, false]
@@ -58,7 +61,10 @@ action :create do
     sandbox :enable_network => true
     protect_proc new_resource.protect_proc if new_resource.property_is_set?(:protect_proc)
     proc_subset new_resource.proc_subset if new_resource.property_is_set?(:proc_subset)
+    capability_bounding_set new_resource.capability_bounding_set if new_resource.property_is_set?(:capability_bounding_set)
+    ambient_capabilities new_resource.ambient_capabilities if new_resource.property_is_set?(:ambient_capabilities)
     private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
+    private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
     protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
     restrict_address_families new_resource.restrict_address_families if new_resource.property_is_set?(:restrict_address_families)
     remove_ipc new_resource.remove_ipc if new_resource.property_is_set?(:remove_ipc)
@@ -74,7 +80,7 @@ action :create do
     action :accept
     source "osm"
     dest "fw"
-    proto "tcp:syn"
+    proto "tcp"
     dest_ports new_resource.port
     only_if { node[:prometheus][:mode] == "external" }
   end