jail's periodic stuff

Jeremie Le Hen jeremie at le-hen.org
Fri Sep 23 03:07:12 PDT 2005


Hi Brian,

thank you for replying, I was beginning to feel lonely :-).

> > there are some periodic script which shouldn't be run inside a jail,
> > because jail's restrictions would prevent the utility from working correctly.
> > This includes those that gather statistics from various firewalls,
> > in security/ :
> > 	510.ipfdenied
> > 	520.pfdenied
> > 	550.ipfwlimit
> > 	600.ip6fwdenied
> > 	610.ipf6denied
> > 	650.ip6fwlimit
> ...
> > I would like to hear your comments on this and on the best way to solve
> > this problem.  My first thought was to add
> > 
> > % if [ `sysctl -n security.jail.jailed` -eq 1 ]
> > % then
> > %	exit 0
> > % fi
> > 
> > just before the main case statement, but there may be smarter ways to
> > achieve this.
> 
> A mechanism which already exists is to create /etc/periodic.conf within your
> jail, disabling the individual scripts you don't want to run. See
> /etc/defaults/periodic.conf for the settings available (or
> /usr/share/examples/etc/defaults/periodic.conf)
> 
> However it might be a good idea for FreeBSD to provide a sample
> periodic.conf for use in a jail environment.

At present, there is a handbook chapter in preparation about jails.
Most of the current jail(8) manpage should be moved out to it.
I first thought of adding a note about periodic.conf(5) in it, and actually
I still do for greedy weekly things for instance, but considering that
the mentioned scripts won't ever be allowed to run inside a jail anyway
(at least until we have network stack virtualization ;p), I've felt it
would be a good thing to simply disable them in a jail environment.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
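Both approaches discussed in the thread, as an added example that is not part of the original mail or the FreeBSD tree: a `security.jail.jailed` guard for a periodic(8) script, and a generated periodic.conf(5) fragment disabling the six listed security/ scripts. The `daily_status_security_<name>_enable` variable names are assumed from the naming convention in /etc/defaults/periodic.conf and should be checked against that file on the target release.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD). Illustrates the two ways to
# keep firewall-statistics periodic scripts from running inside a jail.

# Return 0 (true) when running inside a jail, 1 otherwise, using the
# security.jail.jailed sysctl the thread proposes. An explicit value may be
# passed as $1 so the function can be exercised on hosts without that sysctl.
in_jail() {
    jailed=${1:-$(sysctl -n security.jail.jailed 2>/dev/null)}
    [ "${jailed:-0}" -eq 1 ]
}

# Guard to place before a periodic script's main case statement: returns 0
# (caller should exit 0 silently) when jailed, 1 when the script may proceed.
skip_in_jail() {
    if in_jail "$1"; then
        return 0
    fi
    return 1
}

# The security/ periodic scripts listed in the thread (constructed list).
JAIL_UNSAFE_SCRIPTS="510.ipfdenied 520.pfdenied 550.ipfwlimit 600.ip6fwdenied 610.ipf6denied 650.ip6fwlimit"

# Emit periodic.conf(5) lines disabling those scripts, i.e. the mechanism Brian
# described. Variable names follow the assumed daily_status_security_<name>_enable
# convention; <name> is the script name with its numeric ordering prefix removed.
jail_periodic_conf() {
    for s in $JAIL_UNSAFE_SCRIPTS; do
        name=${s#*.}
        printf 'daily_status_security_%s_enable="NO"\n' "$name"
    done
}

# Usage on a jail host: jail_periodic_conf >> /path/to/jail/etc/periodic.conf
```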


More information about the freebsd-current mailing list