jail's periodic stuff

Brian Candler B.Candler at pobox.com
Fri Sep 23 12:09:10 PDT 2005

On Fri, Sep 23, 2005 at 06:30:42PM +0200, Jeremie Le Hen wrote:
> Note that I'm still not sure about these scripts :
> 	400.status-disks
> 	405.status-ata-raid
> 	420.status-network
> For instance, 420 uses ``netstat -in''.  It will not be able to run
> inside a jail, unless /dev/mem is available (I'm not sure this is
> still the case with rwatson@ recent changes), which is, while still
> possible, very unlikely.

You probably don't need to worry about it too much. Even if the user isn't
allowed to run 'netstat -in' then nothing bad will happen, short of perhaps
a mail being sent to the jail owner. They can always override it in their
own /etc/periodic.conf or /etc/periodic.conf.local

The test I would use is: "is this script something to do with administering
the *machine* itself, or the *jail environment*?" Almost always I'd expect
the network interfaces to belong to the machine only. The disks and ata-raid
arrays most likely belong to the machine. It's not impossible that the
system administrator would decide to open up direct access to a particular
drive into a particular jail (using devfs rules), but even then it's more
likely the system administrator rather than the person sitting within the
jail who is going to be responsible for the good health of the drives, and
therefore wants to see these alerts.

> I would like to hear some advice of wise people about this.

Ah, that I can't help you with :-)



More information about the freebsd-current mailing list