jail's periodic stuff
Brian Candler
B.Candler at pobox.com
Fri Sep 23 02:22:28 PDT 2005
On Thu, Sep 22, 2005 at 02:21:13PM +0200, Jeremie Le Hen wrote:
> There are some periodic scripts which shouldn't be run inside a jail,
> because jail's restrictions would prevent the utility from working correctly.
> This includes those that gather statistics from various firewalls,
> in security/ :
> 510.ipfdenied
> 520.pfdenied
> 550.ipfwlimit
> 600.ip6fwdenied
> 610.ipf6denied
> 650.ip6fwlimit
...
> I would like to hear your comments on this and on the best way to solve
> this problem. My first thought was to add
>
> % if [ `sysctl -n security.jail.jailed` -eq 1 ]
> % then
> % exit 0
> % fi
>
> just before the main case statement, but there may be smarter ways to
> achieve this.

A mechanism which already exists is to create /etc/periodic.conf within your
jail, disabling the individual scripts you don't want to run. See
/etc/defaults/periodic.conf for the settings available (or
/usr/share/examples/etc/defaults/periodic.conf).

However it might be a good idea for FreeBSD to provide a sample
periodic.conf for use in a jail environment.

Regards,

Brian.
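
One way to produce the jail-side /etc/periodic.conf described in the reply above, as an added example that is not part of the original message or of FreeBSD's own scripts. The function names are hypothetical, the defaults excerpt is constructed, and the assumption is that each script's knob is named `<prefix>_<script>_enable` in the defaults file.

```shell
#!/bin/sh
# Added example: generate periodic.conf overrides for a jail.
# Script names from the thread, numeric prefixes dropped.
FW_SCRIPTS="ipfdenied pfdenied ipfwlimit ip6fwdenied ipf6denied ip6fwlimit"

# gen_jail_periodic_conf DEFAULTS_FILE
# For each script, find its *_enable knob in DEFAULTS_FILE and print it set
# to "NO". Knob names are looked up, not hardcoded, because the prefix is
# release-specific. Scripts with no knob are reported on stderr.
gen_jail_periodic_conf() {
    defaults=$1
    [ -r "$defaults" ] || { echo "cannot read $defaults" >&2; return 1; }
    for name in $FW_SCRIPTS; do
        # Assumption: the knob is named <prefix>_<script>_enable.
        var=$(sed -n "s/^[[:space:]]*\([A-Za-z0-9_]*_${name}_enable\)=.*/\1/p" \
            "$defaults" | head -n 1)
        if [ -n "$var" ]; then
            printf '%s="NO"\n' "$var"
        else
            echo "no enable knob for $name in $defaults" >&2
        fi
    done
}

# Constructed excerpt standing in for /etc/defaults/periodic.conf; the knob
# names here are sample values, check them against the real file.
sample_defaults() {
    cat <<'EOF'
# Security options
daily_status_security_chksetuid_enable="YES"
daily_status_security_ipfdenied_enable="YES"
daily_status_security_pfdenied_enable="YES"
daily_status_security_ipfwlimit_enable="YES"
daily_status_security_ip6fwdenied_enable="YES"
EOF
}

# Usage on the host:
#   sh thisfile /etc/defaults/periodic.conf > <jail root>/etc/periodic.conf
if [ $# -gt 0 ]; then
    gen_jail_periodic_conf "$1"
fi
```

Any script reported on stderr has no matching knob in that release's defaults file and needs to be checked by hand.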