Re: service jails and precmd make ntpd (and nfsd) sad
Date: Fri, 21 Mar 2025 14:52:24 UTC
Alexander Leidinger:
> > i would propose 'setup' as the thing which is run outside the jail, and
> > 'precmd' as the thing which is run inside the jail.
> Modifying the service jails to run the precmd (or whatever) inside instead
> of outside requires more than a one-line change. Be careful if you want
> to go that way.

i think this is going to break things either way. i'd be fine with doing it the other way around, i.e., 'setup' runs inside the jail and 'precmd' runs outside the jail, but both nfsd and ntpd will need changing either way.

> There is another option. Load the kernel module outside of the ntpd service
> rc script. Either as a documented requirement when enabling service jails
> (and an error message from the rc script in the svcj case if the module is
> not loaded), or by adding another rc script which also listens on
> ntpd_enable and the ntpd rc scripts depends on.

some rc.d scripts (nfsd, for example) also attempt to set sysctls in their precmd, and this won't be allowed in a jail either. would you suggest that all such services should have a second service (ntpd_setup, nfsd_setup, etc.) to perform these tasks?

i'm not opposed to that approach, and i can see how it's cleaner, but before i put any effort into implementing it i'd appreciate some sort of consensus that this is the right approach.