Date:      Fri, 23 Sep 2005 12:07:07 +0200
From:      Jeremie Le Hen <jeremie@le-hen.org>
To:        Brian Candler <B.Candler@pobox.com>
Cc:        freebsd-current@FreeBSD.org, Jeremie Le Hen <jeremie@le-hen.org>
Subject:   Re: jail's periodic stuff
Message-ID:  <20050923100707.GW24643@obiwan.tataz.chchile.org>
In-Reply-To: <20050923092231.GF94511@uk.tiscali.com>
References:  <20050922122113.GO24643@obiwan.tataz.chchile.org> <20050923092231.GF94511@uk.tiscali.com>

Hi Brian,

thank you for replying, I was beginning to feel lonely :-).

> > there are some periodic scripts which shouldn't be run inside a jail,
> > because the jail's restrictions would prevent the utility from working correctly.
> > This includes those that gather statistics from various firewalls,
> > in security/ :
> > 	510.ipfdenied
> > 	520.pfdenied
> > 	550.ipfwlimit
> > 	600.ip6fwdenied
> > 	610.ipf6denied
> > 	650.ip6fwlimit
> ...
> > I would like to hear your comments on this and on the best way to solve
> > this problem.  My first thought was to add
> > 
> > % if [ `sysctl -n security.jail.jailed` -eq 1 ]
> > % then
> > %	exit 0
> > % fi
> > 
> > just before the main case statement, but there may be smarter ways to
> > achieve this.
> 
> A mechanism which already exists is to create /etc/periodic.conf within your
> jail, disabling the individual scripts you don't want to run. See
> /etc/defaults/periodic.conf for the settings available (or
> /usr/share/examples/etc/defaults/periodic.conf)
> 
> However it might be a good idea for FreeBSD to provide a sample
> periodic.conf for use in a jail environment.

At present, there is a handbook chapter in preparation about jails.
Most of the current jail(8) manpage should be moved out to it.
I first thought to add a note about periodic.conf(5) in it, and actually
I still do for greedy weekly things for instance, but considering that
the mentioned scripts won't ever be allowed to run inside a jail anyway
(at least until we have network stack virtualization ;p), I've felt it
would be a good thing to simply disable them in a jail environment.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
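The two approaches discussed in this thread, as an added example that is not part of the original messages: a defensive form of the `security.jail.jailed` guard (the bare `-eq 1` test errors out when the sysctl is absent and prints nothing), and a generator for the periodic.conf lines that disable the six listed scripts. The `daily_status_security_<name>_enable` variable pattern is assumed from /etc/defaults/periodic.conf and should be checked against your release; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows the jail guard from the
# first message hardened against a missing sysctl, and the periodic.conf
# fragment Brian's suggestion would need for the six scripts listed.

# Normalise raw `sysctl -n security.jail.jailed` output to 0 or 1.
# $1 is the raw output, passed in so the function can be exercised on
# any host. Empty output (sysctl missing, or an error) means "not jailed",
# which keeps the script behaving as it did before the guard was added.
jailed_flag() {
    case "$1" in
        1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Guard to place before the main case statement of a periodic script.
# Succeeds (exit status 0) when the script should be skipped.
# Real use on FreeBSD:
#   skip_in_jail "$(sysctl -n security.jail.jailed 2>/dev/null)" && exit 0
skip_in_jail() {
    [ "$(jailed_flag "$1")" -eq 1 ]
}

# Scripts named in the thread that cannot work inside a jail.
JAIL_UNUSABLE="510.ipfdenied 520.pfdenied 550.ipfwlimit \
600.ip6fwdenied 610.ipf6denied 650.ip6fwlimit"

# Emit /etc/periodic.conf lines disabling those scripts, following the
# daily_status_security_<name>_enable pattern of /etc/defaults/periodic.conf
# (assumed here; verify the exact names on your release).
jail_periodic_conf() {
    for script in $JAIL_UNUSABLE; do
        name=${script#*.}   # strip the "NNN." ordering prefix
        printf 'daily_status_security_%s_enable="NO"\n' "$name"
    done
}
```

Running `jail_periodic_conf` prints a fragment that can be appended to the jail's /etc/periodic.conf.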
