Improve sandboxing of prometheus collectors
authorTom Hughes <tom@compton.nu>
Fri, 2 Dec 2022 09:15:38 +0000 (09:15 +0000)
committerTom Hughes <tom@compton.nu>
Sat, 3 Dec 2022 11:14:49 +0000 (11:14 +0000)
cookbooks/fail2ban/recipes/default.rb
cookbooks/hardware/recipes/default.rb
cookbooks/nominatim/recipes/default.rb
cookbooks/overpass/recipes/default.rb
cookbooks/php/resources/fpm.rb
cookbooks/postgresql/recipes/default.rb
cookbooks/prometheus/recipes/default.rb
cookbooks/prometheus/resources/collector.rb
cookbooks/prometheus/resources/exporter.rb
cookbooks/systemd/resources/service.rb
cookbooks/systemd/templates/default/service.erb

index ca03d37d688ee97e734d6a7ed1cac876ce2b06fa..0a4c479f469537a5d88b92b8d54c9ba2ce3f4ae8 100644 (file)
@@ -49,4 +49,6 @@ munin_plugin "fail2ban"
 
 prometheus_exporter "fail2ban" do
   port 9635
+  user "root"
+  restrict_address_families "AF_UNIX"
 end
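Review bot: `user "root"` opts this unit out of the DynamicUser default that the resource now provides, so the fail2ban exporter keeps a full root identity with only the sandbox's own restrictions, and the hunk does not say why root is required. Presumably it is to reach fail2ban's control socket, which would also be why `restrict_address_families "AF_UNIX"` is added, but a reader of the recipe cannot tell. A comment above `user "root"` such as `# root is needed to open fail2ban's control socket; AF_UNIX covers that connection` would make the exception reviewable, and if the socket is group-accessible a supplementary group would be the tighter alternative.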
index 6679bb178175733da48a17fce9de4c5fc95976b7..d8bfadbe5d18dc50c1821f086582fee4be1be738 100644 (file)
@@ -219,6 +219,10 @@ if node[:kernel][:modules].include?("ipmi_si")
 
   prometheus_exporter "ipmi" do
     port 9290
+    user "root"
+    private_devices false
+    protect_clock false
+    system_call_filter ["@system-service", "@raw-io"]
     options "--config.file=/etc/prometheus/ipmi_local.yml"
     subscribes :restart, "template[/etc/prometheus/ipmi_local.yml]"
   end
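Review bot: `private_devices false` reopens the host's entire /dev to this root process, while the exporter presumably only needs the IPMI character device; if the systemd resource exposes systemd's `DevicePolicy=`/`DeviceAllow=` (not visible in this diff), `DeviceAllow=/dev/ipmi0 rw` with `DevicePolicy=closed` would confine it far more tightly than dropping PrivateDevices altogether. `protect_clock false` looks consistent with that need, since ProtectClock= also restricts device access through its implied DeviceAllow=. The `@raw-io` group additionally permits ioperm/iopl-style port access, so a comment such as `# IPMI access needs /dev/ipmi* and raw I/O ioctls` above `user "root"` would record why both relaxations are acceptable. The `if node[:kernel][:modules]...` block enclosing this resource starts before the hunk.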
@@ -253,6 +257,7 @@ end
 
 prometheus_exporter "rasdaemon" do
   port 9797
+  user "root"
 end
 
 tools_packages = []
@@ -530,6 +535,11 @@ if disks.count.positive?
 
   prometheus_collector "smart" do
     interval "15m"
+    user "root"
+    capability_bounding_set "CAP_SYS_ADMIN"
+    private_devices false
+    private_users false
+    protect_clock false
   end
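Review bot: `capability_bounding_set "CAP_SYS_ADMIN"` keeps the broadest capability there is, so together with `user "root"`, `private_devices false` and `private_users false` this collector is effectively unconfined beyond its filesystem view, and nothing in the recipe explains why. If smartctl is the reason (raw ATA/SCSI pass-through ioctls on the disk nodes), say so above `user "root"`: `# smartctl needs root, CAP_SYS_ADMIN and the raw disk nodes for SMART pass-through ioctls`. It is also worth checking whether CAP_SYS_RAWIO rather than CAP_SYS_ADMIN is what those ioctls actually require, since a narrower bounding set would be a meaningful reduction here. The `if disks.count.positive?` block enclosing this resource starts before the hunk.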
 
   # Don't try and do munin monitoring of disks behind
@@ -688,4 +698,10 @@ end
 
 prometheus_collector "ohai" do
   interval "15m"
+  user "root"
+  proc_subset "all"
+  capability_bounding_set "CAP_SYS_ADMIN"
+  private_devices false
+  private_users false
+  protect_clock false
 end
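Review bot: `proc_subset "all"`, `private_devices false`, `private_users false` and `CAP_SYS_ADMIN` on a root process give the ohai collector almost the full host view; since ohai loads a plugin tree and shells out to many system tools, the sandbox here is close to nominal and a reader cannot tell which plugin forces each relaxation. A short comment above `user "root"`, for example `# ohai plugins read other processes' /proc entries and probe devices, so most of the sandbox is relaxed here`, would let a later reviewer revisit them individually. If only a few plugins need these, running ohai with a restricted plugin list would be the tighter option.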
index 75f06fa568ee8371bf1b85e90eafbc5aeec42a10..537de83f5d8080e968bd312d52884a8925c4a9e9 100644 (file)
@@ -512,6 +512,7 @@ end
 prometheus_exporter "nominatim" do
   port 8082
   user "www-data"
+  restrict_address_families "AF_UNIX"
   options [
     "--nominatim.query-log=#{node[:nominatim][:logdir]}/query.log",
     "--nominatim.database-name=#{node[:nominatim][:dbname]}"
index 9908e330b65bcd16507a4c4c66786283f78bc85c..720b113216d342abe8f6ccec947cd0aa5f15eb28 100644 (file)
@@ -250,6 +250,7 @@ end
 prometheus_exporter "overpass" do
   port 9898
   user username
+  restrict_address_families "AF_UNIX"
   options [
     "--overpass.base-directory=#{basedir}"
   ]
index 49df4effe105be998f7971ca2199c3906325156d..f8cc208b51d0cf69c3580f7dd497b1575f195da6 100644 (file)
@@ -53,6 +53,7 @@ action :create do
   if new_resource.prometheus_port
     prometheus_exporter "phpfpm" do
       port new_resource.prometheus_port
+      restrict_address_families "AF_UNIX"
       service service_name
       command "server"
       options "--phpfpm.scrape-uri=#{scrape_uri}"
index 721cd6babd5cf3081909d7ebb595265d09214ee0..a57e1b3481f3918d011342bcc559940ce5cba9d6 100644 (file)
@@ -181,5 +181,6 @@ prometheus_exporter "postgres" do
   environment "DATA_SOURCE_URI" => uris.sort.uniq.first,
               "PG_EXPORTER_AUTO_DISCOVER_DATABASES" => "true",
               "PG_EXPORTER_EXCLUDE_DATABASES" => "postgres,template0,template1"
+  restrict_address_families "AF_UNIX"
   subscribes :restart, "template[/etc/prometheus/exporters/postgres_queries.yml]"
 end
index de601b766f64ea588a4dc331ca95707e727e2f28..7b281b03cb4dd07985aa7a28a95572584ae1ac02 100644 (file)
@@ -99,6 +99,11 @@ end
 
 prometheus_exporter "node" do
   port 9100
+  user "root"
+  proc_subset "all"
+  protect_clock false
+  restrict_address_families ["AF_UNIX", "AF_NETLINK"]
+  system_call_filter ["@system-service", "@clock"]
   options %w[
     --collector.textfile.directory=/var/lib/prometheus/node-exporter
     --collector.interrupts
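Review bot: `system_call_filter ["@system-service", "@clock"]` together with `protect_clock false` lets this root process reach the clock-setting syscalls, which is unusual for a metrics exporter and is not explained. If the reason is node_exporter's timex collector, which reads kernel time state through adjtimex(2) and therefore needs the `@clock` group, a comment above `protect_clock false` such as `# timex collector calls adjtimex(2), which ProtectClock= and the default filter would block` would record that. Likewise `proc_subset "all"` and `AF_NETLINK` each deserve a line naming the collector that needs them. The exporter block continues past the hunk.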
index e82984b143354b45326bb12d47eb71c51d1fed8b..0ae8320f7ece8563979a4e1ee81a182b8db375fb 100644 (file)
@@ -23,23 +23,33 @@ default_action :create
 
 property :collector, :kind_of => String, :name_property => true
 property :interval, :kind_of => [Integer, String], :required => [:create]
+property :user, :kind_of => String
 property :options, :kind_of => [String, Array]
 property :environment, :kind_of => Hash, :default => {}
+property :proc_subset, String
+property :capability_bounding_set, [String, Array]
+property :private_devices, [true, false]
+property :private_users, [true, false]
+property :protect_clock, [true, false]
 
 action :create do
   systemd_service service_name do
     description "Prometheus #{new_resource.collector} collector"
-    user "root"
+    user new_resource.user
+    dynamic_user new_resource.user.nil?
+    group "adm"
     environment new_resource.environment
     standard_output "file:/var/lib/prometheus/node-exporter/#{new_resource.collector}.new"
     standard_error "journal"
     exec_start "#{executable_path} #{executable_options}"
     exec_start_post "/bin/mv /var/lib/prometheus/node-exporter/#{new_resource.collector}.new /var/lib/prometheus/node-exporter/#{new_resource.collector}.prom"
-    private_tmp true
-    protect_system "strict"
-    protect_home true
+    sandbox true
+    proc_subset new_resource.proc_subset if new_resource.property_is_set?(:proc_subset)
+    capability_bounding_set new_resource.capability_bounding_set if new_resource.property_is_set?(:capability_bounding_set)
+    private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
+    private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
+    protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
     read_write_paths ["/var/lib/prometheus/node-exporter", "/var/lock", "/var/log"]
-    no_new_privileges true
   end
 
   systemd_timer service_name do
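Review bot: Under `dynamic_user new_resource.user.nil?` the `/bin/mv` in `exec_start_post` runs as a transient UID with only the `adm` group from `group "adm"`, and `read_write_paths` only lifts the read-only mount: it does not grant DAC write permission on /var/lib/prometheus/node-exporter. Unless that directory is group-writable by adm (its ownership is set outside this diff), the rename fails and the collector's `.prom` file is never refreshed, while the `.new` file from `standard_output` sits in the same directory. A note at `read_write_paths` such as `# the dynamic user still needs DAC write access to the node-exporter directory for the mv` would flag the dependency, or the rename could be made explicit with systemd's `+` prefix on the `exec_start_post` command if the resource passes it through. The `action :create` block continues past the hunk into the `systemd_timer`.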
index c8b4e0cd8fac96172e435fc334ab7530b6bdad0d..2d6a7cbc872876143b2f658623c49210e2391dcd 100644 (file)
@@ -26,10 +26,15 @@ property :address, :kind_of => String
 property :port, :kind_of => Integer, :required => [:create]
 property :listen_switch, :kind_of => String, :default => "web.listen-address"
 property :listen_type, :kind_of => String, :default => "address"
-property :user, :kind_of => String, :default => "root"
+property :user, :kind_of => String
 property :command, :kind_of => String
 property :options, :kind_of => [String, Array]
 property :environment, :kind_of => Hash, :default => {}
+property :proc_subset, String
+property :private_devices, [true, false]
+property :protect_clock, [true, false]
+property :restrict_address_families, [String, Array]
+property :system_call_filter, [String, Array]
 property :service, :kind_of => String
 property :scrape_interval, :kind_of => String
 property :scrape_timeout, :kind_of => String
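Review bot: The five new properties use the bare `property :proc_subset, String` form while every existing property in this resource is written `property :name, :kind_of => String`; mixing the two forms in one declaration list is a small inconsistency a reader has to pause on. Both forms work in Chef, so the new lines could simply follow the file's existing style, e.g. `property :proc_subset, :kind_of => String` and `property :restrict_address_families, :kind_of => [String, Array]`. Note that removing `:default => "root"` from `user` also changes the default for every exporter not touched in this commit, which appears intended but is worth a sentence in the commit message.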
@@ -43,12 +48,15 @@ action :create do
     description "Prometheus #{new_resource.exporter} exporter"
     type "simple"
     user new_resource.user
+    dynamic_user new_resource.user.nil?
     environment new_resource.environment
     exec_start "#{executable_path} #{new_resource.command} #{executable_options}"
-    private_tmp true
-    protect_system "strict"
-    protect_home true
-    no_new_privileges true
+    sandbox :enable_network => true
+    proc_subset new_resource.proc_subset if new_resource.property_is_set?(:proc_subset)
+    private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
+    protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
+    restrict_address_families new_resource.restrict_address_families if new_resource.property_is_set?(:restrict_address_families)
+    system_call_filter new_resource.system_call_filter if new_resource.property_is_set?(:system_call_filter)
   end
 
   service service_name do
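Review bot: `restrict_address_families` is applied after `sandbox :enable_network => true`, and whether the systemd resource merges the caller's families with the INET families a network-enabled sandbox presumably sets, or replaces them, is not visible here; if it replaces them, every exporter in this commit that passes `"AF_UNIX"` would be left unable to bind its TCP listener on `listen_address`. It would be safer for this resource to merge explicitly, e.g. `restrict_address_families ["AF_INET", "AF_INET6", *Array(new_resource.restrict_address_families)] if new_resource.property_is_set?(:restrict_address_families)`, or to document on the property that the value is additive. The removed `no_new_privileges true` is presumably now implied by `sandbox`; a comment confirming that would help the next reader. The `systemd_service` block's opening line is outside the hunk.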
@@ -140,7 +148,9 @@ action_class do
   end
 
   def listen_address
-    if new_resource.address
+    if true
+      "127.0.0.1:#{new_resource.port}"
+    elsif new_resource.address
       "#{new_resource.address}:#{new_resource.port}"
     elsif node[:prometheus][:mode] == "wireguard"
       "[#{node[:prometheus][:address]}]:#{new_resource.port}"
index 94d0217c637be35b04011eb0a9ae7be0c4e47604..662528c2b81f47e417a08c2fafb83302c92f44aa 100644 (file)
@@ -40,6 +40,7 @@ property :environment, Hash, :default => {}
 property :environment_file, [String, Hash]
 property :user, String
 property :group, String
+property :dynamic_user, [true, false]
 property :working_directory, String
 property :exec_start_pre, [String, Array]
 property :exec_start, [String, Array]
index e64ead225fca2f350958f242611cc838b30b8137..1f11ffbf6bdaf1eb2be219f336bba30c81c8c4e8 100644 (file)
@@ -54,6 +54,9 @@ User=<%= @user %>
 <% if @group -%>
 Group=<%= @group %>
 <% end -%>
+<% if @dynamic_user -%>
+DynamicUser=<%= @dynamic_user %>
+<% end -%>
 <% if @working_directory -%>
 WorkingDirectory=<%= @working_directory %>
 <% end -%>