Instead of setting CAP_NET_RAW on the binary, why not have systemd give the service the capability at runtime? The blackbox exporter isn't something that you run from the CLI much anyway, is it?

Here's what part of my service file looks like:

[Service]
User=blackbox_exporter
Group=blackbox_exporter
AmbientCapabilities=CAP_NET_RAW
ExecStart=/opt/blackbox_exporter/blackbox_exporter --config.file /opt/blackbox_exporter/config.yaml --log.level debug

On Fri, Nov 10, 2017 at 10:07 AM, <nicolas.mailhot@laposte.net> wrote:

I've done the naïve
setcap cap_net_raw+ep /builddir/build/BUILDROOT/prometheus-blackbox-exporter-0.10.0-1.fc28.llt.x86_64/usr/bin/prometheus-blackbox-exporter

Maybe this is just bikeshedding, but why have you renamed the binary from blackbox_exporter to prometheus-blackbox-exporter? blackbox_exporter doesn't conflict with anything else AFAIK and renaming it is just going to confuse people when they are reading upstream documentation etc.

--
Jeff Ollie
The majestik møøse is one of the mäni interesting furry animals in Sweden.
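
The two approaches discussed in this message (a file capability set with setcap versus AmbientCapabilities= in the unit) leave different capability masks on the running process, visible in /proc/<pid>/status. The following is an added example, not part of the original e-mail or of the blackbox_exporter project; it decodes those masks and reports how CAP_NET_RAW was granted and whether anything beyond it is held. The two status excerpts are constructed samples, and the function names are hypothetical.

```python
import re

CAP_NET_RAW = 13  # bit number from linux/capability.h
WANT = 1 << CAP_NET_RAW

# Constructed sample: non-root service started with AmbientCapabilities=CAP_NET_RAW
SAMPLE_AMBIENT = (
    "Name:\tblackbox_export\nUid:\t993\t993\t993\t993\n"
    "CapInh:\t0000000000002000\nCapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000002000\nCapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000002000\n"
)
# Constructed sample: same binary carrying cap_net_raw+ep, run by a plain user
SAMPLE_FILECAP = (
    "Name:\tblackbox_export\nUid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000002000\nCapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

def parse_caps(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from /proc/<pid>/status text."""
    pat = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pat, status_text, re.M)}

def set_bits(mask):
    """List the capability bit numbers set in a mask."""
    return [i for i in range(mask.bit_length()) if mask >> i & 1]

def grant_source(caps):
    """Classify how the process came to hold CAP_NET_RAW."""
    if not caps.get("CapEff", 0) & WANT:
        return "none"
    # Ambient bit set: inherited across execve, as systemd's AmbientCapabilities= does.
    # Effective without ambient: granted at exec time, e.g. by a file capability.
    return "ambient" if caps.get("CapAmb", 0) & WANT else "file-or-other"

def review(status_text):
    """Return findings for a service that should hold CAP_NET_RAW and nothing else."""
    caps, findings = parse_caps(status_text), []
    if grant_source(caps) == "none":
        findings.append("CAP_NET_RAW is not effective; ICMP probes will fail")
    extra = caps.get("CapEff", 0) & ~WANT
    if extra:
        findings.append(f"unexpected effective capability bits: {set_bits(extra)}")
    if caps.get("CapBnd", 0) & ~WANT:
        findings.append("bounding set is wider than CAP_NET_RAW; "
                        "CapabilityBoundingSet=CAP_NET_RAW in the unit would narrow it")
    return findings
```

Against a live service, pass the contents of /proc/<pid>/status for the exporter's main PID to review().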