jail's periodic stuff

Brian Candler B.Candler at pobox.com
Fri Sep 23 02:22:28 PDT 2005


On Thu, Sep 22, 2005 at 02:21:13PM +0200, Jeremie Le Hen wrote:
> there are some periodic scripts which shouldn't be run inside a jail,
> because jail's restrictions would prevent the utility from working correctly.
> This includes those that gather statistics from various firewalls,
> in security/ :
> 	510.ipfdenied
> 	520.pfdenied
> 	550.ipfwlimit
> 	600.ip6fwdenied
> 	610.ipf6denied
> 	650.ip6fwlimit
...
> I would like to hear your comments on this and on the best way to solve
> this problem.  My first thought was to add
> 
> % if [ `sysctl -n security.jail.jailed` -eq 1 ]
> % then
> %	exit 0
> % fi
> 
> just before the main case statement, but there may be smarter ways to
> achieve this.

A mechanism which already exists is to create /etc/periodic.conf within your
jail, disabling the individual scripts you don't want to run. See
/etc/defaults/periodic.conf for the settings available (or
/usr/share/examples/etc/defaults/periodic.conf).

However, it might be a good idea for FreeBSD to provide a sample
periodic.conf for use in a jail environment.

Regards,

Brian.
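
An added example, not part of the original message or of FreeBSD: one way to build the jail's /etc/periodic.conf along the lines of the reply above, by reading the `*_enable` variable that each listed script tests instead of hard-coding knob names. The function names, the sample directory and the `demo_ipfdenied_enable` knob are constructed for illustration, and it assumes each script gates itself on a single `*_enable` variable.

```shell
#!/bin/sh
# Script names as listed in the quoted message.
FIREWALL_SCRIPTS="510.ipfdenied 520.pfdenied 550.ipfwlimit
600.ip6fwdenied 610.ipf6denied 650.ip6fwlimit"

# Print the first *_enable variable a periodic script mentions, if any.
# Assumption: that variable is the knob the script checks before running.
enable_knob() {
    grep -Eo '[A-Za-z0-9_]+_enable' "$1" | head -n 1
}

# Print periodic.conf lines that switch off every listed script in dir $1.
# Scripts that are absent or have no recognisable knob are reported as
# comments so the result can be reviewed before it is installed.
jail_periodic_conf() {
    for name in $FIREWALL_SCRIPTS; do
        if [ ! -f "$1/$name" ]; then
            echo "# $name: not present"
            continue
        fi
        knob=$(enable_knob "$1/$name" || true)
        if [ -n "$knob" ]; then
            echo "${knob}=\"NO\""
        else
            echo "# $name: no *_enable knob found, review by hand"
        fi
    done
}

# Constructed sample directory (not real FreeBSD scripts) for an offline run.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'case "$demo_ipfdenied_enable" in\n[Yy][Ee][Ss]) : ;;\nesac\n' \
        > "$d/510.ipfdenied"
    printf '#!/bin/sh\necho no knob here\n' > "$d/520.pfdenied"
    echo "$d"
}

# Usage: sh thisfile /etc/periodic/security >> /path/to/jail/etc/periodic.conf
if [ $# -gt 0 ]; then
    jail_periodic_conf "$1"
fi
```

Run it on the host against the security periodic directory and append the output to the jail's own /etc/periodic.conf after reading it through.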

