jail's periodic stuff
Jeremie Le Hen
jeremie at le-hen.org
Fri Sep 23 03:07:12 PDT 2005
Thank you for replying, I was beginning to feel lonely :-).
> > There are some periodic scripts which shouldn't be run inside a jail,
> > because jail's restrictions would prevent the utility from working correctly.
> > This includes those that gather statistics from various firewalls,
> > in security/ :
> > 510.ipfdenied
> > 520.pfdenied
> > 550.ipfwlimit
> > 600.ip6fwdenied
> > 610.ipf6denied
> > 650.ip6fwlimit
> > I would like to hear your comments on this and on the best way to solve
> > this problem. My first thought was to add
> > % if [ `sysctl -n security.jail.jailed` -eq 1 ]
> > % then
> > % exit 0
> > % fi
> > just before the main case statement, but there may be smarter ways to
> > achieve this.
> A mechanism which already exists is to create /etc/periodic.conf within your
> jail, disabling the individual scripts you don't want to run. See
> /etc/defaults/periodic.conf for the settings available (or
> However it might be a good idea for FreeBSD to provide a sample
> periodic.conf for use in a jail environment.
At the present time, there is a handbook chapter in preparation about jails.
Most of the current jail(8) manpage should be moved out to it.
I first thought to add a note about periodic.conf(5) in it, and actually
I still do for greedy weekly things for instance, but considering that
the mentioned scripts won't ever be allowed to run inside a jail anyway
(at least until we have network stack virtualization ;p), I've felt it
would be a good thing to simply disable them in a jail environment.
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
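
Added example, not part of the original message and not FreeBSD's own code: the `security.jail.jailed` guard from the quoted proposal, written as a shared helper that also handles a failing sysctl or empty output. `JAIL_SYSCTL_CMD`, `in_jail` and `should_skip` are hypothetical names, and the sysctl answers used in the demo are constructed.

```sh
#!/bin/sh
# Added example: a guard that periodic scripts could source. Not FreeBSD's code.
# JAIL_SYSCTL_CMD is a hypothetical override used only to exercise the check
# on a host that is not jailed (or not FreeBSD).

# Firewall statistics scripts named in the thread.
JAIL_SKIP_SCRIPTS="510.ipfdenied 520.pfdenied 550.ipfwlimit
600.ip6fwdenied 610.ipf6denied 650.ip6fwlimit"

# in_jail: succeed only when the sysctl reports exactly 1.
# A failing or missing sysctl, or empty output, counts as "not jailed",
# so the guard never aborts the script with a test(1) syntax error.
in_jail() {
    jailed=$(${JAIL_SYSCTL_CMD:-sysctl -n security.jail.jailed} 2>/dev/null) || return 1
    [ "$jailed" = "1" ]
}

# should_skip NAME: succeed when NAME is on the list and we are jailed.
# A script would call: should_skip "${0##*/}" && exit 0
should_skip() {
    in_jail || return 1
    for s in $JAIL_SKIP_SCRIPTS; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Demo with a constructed sysctl answer of 1 (jailed).
JAIL_SYSCTL_CMD="echo 1"
for name in 510.ipfdenied 650.ip6fwlimit 100.chksetuid; do
    if should_skip "$name"; then echo "$name: skip"; else echo "$name: run"; fi
done
unset JAIL_SYSCTL_CMD
```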