X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/f5527d84e5d638dea105bb207c0c406a6db5e7ae..2e17bd4b4697423f9c124cfdb802424a58c16d80:/cookbooks/prometheus/resources/exporter.rb

diff --git a/cookbooks/prometheus/resources/exporter.rb b/cookbooks/prometheus/resources/exporter.rb
index 581c961dd..66dcd2b29 100644
--- a/cookbooks/prometheus/resources/exporter.rb
+++ b/cookbooks/prometheus/resources/exporter.rb
@@ -33,7 +33,10 @@ property :options, :kind_of => [String, Array]
 property :environment, :kind_of => Hash, :default => {}
 property :protect_proc, String
 property :proc_subset, String
+property :capability_bounding_set, [String, Array]
+property :ambient_capabilities, [String, Array]
 property :private_devices, [true, false]
+property :private_users, [true, false]
 property :protect_clock, [true, false]
 property :restrict_address_families, [String, Array]
 property :remove_ipc, [true, false]
@@ -58,7 +61,10 @@ action :create do
     sandbox :enable_network => true
     protect_proc new_resource.protect_proc if new_resource.property_is_set?(:protect_proc)
     proc_subset new_resource.proc_subset if new_resource.property_is_set?(:proc_subset)
+    capability_bounding_set new_resource.capability_bounding_set if new_resource.property_is_set?(:capability_bounding_set)
+    ambient_capabilities new_resource.ambient_capabilities if new_resource.property_is_set?(:ambient_capabilities)
     private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
+    private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
     protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
     restrict_address_families new_resource.restrict_address_families if new_resource.property_is_set?(:restrict_address_families)
     remove_ipc new_resource.remove_ipc if new_resource.property_is_set?(:remove_ipc)
@@ -72,9 +78,9 @@ action :create do
 
   firewall_rule "accept-prometheus-#{new_resource.exporter}" do
     action :accept
-    source "osm"
-    dest "fw"
-    proto "tcp:syn"
+    context :incoming
+    protocol :tcp
+    source :osm
     dest_ports new_resource.port
     only_if { node[:prometheus][:mode] == "external" }
   end