Run phpfpm exporter in group www-data to allow socket access

[chef.git] / cookbooks / prometheus / resources / exporter.rb

diff --git a/cookbooks/prometheus/resources/exporter.rb b/cookbooks/prometheus/resources/exporter.rb
index 7ff729211b2738fae6a442c4ce1c9b7da8900357..3087f9c93084eede68b1104ac035dd7632594862 100644 (file)
--- a/cookbooks/prometheus/resources/exporter.rb
+++ b/cookbooks/prometheus/resources/exporter.rb
@@ -26,12 +26,20 @@ property :address, :kind_of => String
 property :port, :kind_of => Integer, :required => [:create]
 property :listen_switch, :kind_of => String, :default => "web.listen-address"
 property :listen_type, :kind_of => String, :default => "address"
-property :user, :kind_of => String, :default => "root"
+property :user, :kind_of => String
+property :group, :kind_of => String
 property :command, :kind_of => String
 property :options, :kind_of => [String, Array]
 property :environment, :kind_of => Hash, :default => {}
+property :protect_proc, String
+property :proc_subset, String
+property :private_devices, [true, false]
+property :protect_clock, [true, false]
+property :restrict_address_families, [String, Array]
+property :system_call_filter, [String, Array]
 property :service, :kind_of => String
 property :scrape_interval, :kind_of => String
+property :scrape_timeout, :kind_of => String
 property :metric_relabel, :kind_of => Array
 property :register_target, :kind_of => [TrueClass, FalseClass], :default => true
 
@@ -42,12 +50,17 @@ action :create do
     description "Prometheus #{new_resource.exporter} exporter"
     type "simple"
     user new_resource.user
+    dynamic_user new_resource.user.nil?
+    group new_resource.group
     environment new_resource.environment
     exec_start "#{executable_path} #{new_resource.command} #{executable_options}"
-    private_tmp true
-    protect_system "strict"
-    protect_home true
-    no_new_privileges true
+    sandbox :enable_network => true
+    protect_proc new_resource.protect_proc if new_resource.property_is_set?(:protect_proc)
+    proc_subset new_resource.proc_subset if new_resource.property_is_set?(:proc_subset)
+    private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
+    protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
+    restrict_address_families new_resource.restrict_address_families if new_resource.property_is_set?(:restrict_address_families)
+    system_call_filter new_resource.system_call_filter if new_resource.property_is_set?(:system_call_filter)
   end
 
   service service_name do
@@ -71,6 +84,7 @@ action :create do
       :name => new_resource.exporter,
       :address => listen_address,
       :scrape_interval => new_resource.scrape_interval,
+      :scrape_timeout => new_resource.scrape_timeout,
       :metric_relabel => new_resource.metric_relabel
     }
   end
@@ -107,7 +121,23 @@ action_class do
   end
 
   def executable_path
-    "/opt/prometheus-exporters/exporters/#{new_resource.exporter}/#{new_resource.exporter}_exporter"
+    if ::File.exist?("#{executable_directory}/#{executable_name}_#{executable_architecture}")
+      "#{executable_directory}/#{executable_name}_#{executable_architecture}"
+    else
+      "#{executable_directory}/#{executable_name}"
+    end
+  end
+
+  def executable_directory
+    "/opt/prometheus-exporters/exporters/#{new_resource.exporter}"
+  end
+
+  def executable_name
+    "#{new_resource.exporter}_exporter"
+  end
+
+  def executable_architecture
+    node[:kernel][:machine]
   end
 
   def executable_options