From owner-freebsd-current@FreeBSD.ORG Fri Sep 23 10:07:12 2005
Date: Fri, 23 Sep 2005 12:07:07 +0200
From: Jeremie Le Hen
To: Brian Candler
Cc: freebsd-current@FreeBSD.org, Jeremie Le Hen
Subject: Re: jail's periodic stuff
Message-ID: <20050923100707.GW24643@obiwan.tataz.chchile.org>
References: <20050922122113.GO24643@obiwan.tataz.chchile.org> <20050923092231.GF94511@uk.tiscali.com>
In-Reply-To: <20050923092231.GF94511@uk.tiscali.com>

Hi Brian,

thank you for replying, I was beginning to feel lonely :-).

> > there are some periodic scripts which shouldn't be run inside a jail,
> > because the jail's restrictions would prevent the utility from working
> > correctly. This includes those that gather statistics from various
> > firewalls, in security/ :
> > 510.ipfdenied
> > 520.pfdenied
> > 550.ipfwlimit
> > 600.ip6fwdenied
> > 610.ipf6denied
> > 650.ip6fwlimit
> ...
> > I would like to hear your comments on this and on the best way to solve
> > this problem. My first thought was to add
> >
> > % if [ `sysctl -n security.jail.jailed` -eq 1 ]
> > % then
> > %     exit 0
> > % fi
> >
> > just before the main case statement, but there may be smarter ways to
> > achieve this.
>
> A mechanism which already exists is to create /etc/periodic.conf within your
> jail, disabling the individual scripts you don't want to run. See
> /etc/defaults/periodic.conf for the settings available (or
> /usr/share/examples/etc/defaults/periodic.conf)
>
> However it might be a good idea for FreeBSD to provide a sample
> periodic.conf for use in a jail environment.

At present, there is a handbook chapter in preparation about jails. Most of
the current jail(8) manpage should be moved out to it. I first thought to add
a note about periodic.conf(5) in it, and actually I still do for greedy weekly
things for instance, but considering that the mentioned scripts won't ever be
allowed to run inside a jail anyway (at least until we have network stack
virtualization ;p), I felt it would be a good thing to simply disable them in
a jail environment.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
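The two approaches discussed in this thread, the `security.jail.jailed` guard and a jail-specific periodic.conf, written out as one sourceable sh file. This is an added example, not code from the thread or from FreeBSD; the `JAILED_OVERRIDE` variable is an assumed test hook so the logic can be exercised outside a jail, and the generated `daily_status_security_<name>_enable` variable names are assumed to follow the naming convention of /etc/defaults/periodic.conf.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): guard firewall-statistics
# periodic scripts against running inside a jail, and emit a sample periodic.conf
# for a jail that disables the same scripts via the existing mechanism.

# The security/ scripts named in the thread that cannot work inside a jail.
JAIL_UNSAFE_SCRIPTS="510.ipfdenied 520.pfdenied 550.ipfwlimit 600.ip6fwdenied 610.ipf6denied 650.ip6fwlimit"

# in_jail: succeed (status 0) when security.jail.jailed is 1, i.e. inside a jail.
# JAILED_OVERRIDE is an assumed test hook, not a FreeBSD setting; when set it
# replaces the sysctl lookup so the logic can be checked on any system.
in_jail() {
    if [ -n "${JAILED_OVERRIDE:-}" ]; then
        [ "$JAILED_OVERRIDE" -eq 1 ]
        return
    fi
    # On a non-FreeBSD host the sysctl does not exist; treat that as "not jailed".
    [ "$(sysctl -n security.jail.jailed 2>/dev/null || echo 0)" -eq 1 ]
}

# should_run SCRIPT: the check Jeremie proposed placing before each script's main
# case statement, factored into one function. Fails (status 1) only for the
# jail-unsafe scripts, and only when actually running inside a jail.
should_run() {
    for s in $JAIL_UNSAFE_SCRIPTS; do
        if [ "$s" = "$1" ] && in_jail; then
            return 1
        fi
    done
    return 0
}

# jail_periodic_conf: print periodic.conf lines that disable the same scripts,
# the mechanism Brian pointed at. The numeric prefix is stripped from the script
# name and the result is wrapped in the (assumed) daily_status_security_*_enable
# naming convention, e.g. 510.ipfdenied -> daily_status_security_ipfdenied_enable.
jail_periodic_conf() {
    echo "# periodic.conf for use inside a jail (generated sample)"
    for s in $JAIL_UNSAFE_SCRIPTS; do
        echo "daily_status_security_${s#*.}_enable=\"NO\""
    done
}

# Usage: sh thisfile.sh --print-conf  >  /etc/periodic.conf  (inside the jail)
if [ "${1:-}" = "--print-conf" ]; then
    jail_periodic_conf
fi
```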