From owner-freebsd-current@FreeBSD.ORG Fri Sep 23 11:39:13 2005
Date: Fri, 23 Sep 2005 12:38:19 +0100
From: Brian Candler <b.candler@pobox.com>
To: Jeremie Le Hen
Cc: freebsd-current@FreeBSD.org
Subject: Re: jail's periodic stuff
Message-ID: <20050923113819.GA95825@uk.tiscali.com>
In-Reply-To: <20050923100707.GW24643@obiwan.tataz.chchile.org>
References: <20050922122113.GO24643@obiwan.tataz.chchile.org> <20050923092231.GF94511@uk.tiscali.com> <20050923100707.GW24643@obiwan.tataz.chchile.org>
User-Agent: Mutt/1.4.2.1i
List-Id: Discussions about the use of FreeBSD-current

On Fri, Sep 23, 2005 at 12:07:07PM +0200, Jeremie Le Hen wrote:
> I first thought to add a note about periodic.conf(5) in it, and actually
> I still do for greedy weekly things for instance, but considering that
> the mentioned scripts won't ever be allowed to run inside a jail anyway
> (at least until we have network stack virtualization ;p), I've felt it
> would be a good thing to simply disable them in jail environment.

Perhaps, but I expect we're looking at it from different points of view.

In your original post you asked for suggestions on "the best way to solve
this problem", without exactly describing what you thought *was* the
problem.

Problem 1? "These scripts fail when you attempt to run them inside a
jail(8)"

I don't see this as a problem, I see it as correct behaviour. You try to do
something which you are not allowed to do, and the kernel prohibits it. The
same would be true if you tried to run these scripts as a non-root user, for
example. I wouldn't expect to see magic in these scripts saying

    if [ `id -u` != 0 ]; then
        exit 0
    fi

so I don't see any need to add magic to exit early if the script is run in a
jail.

Problem 2? "These scripts are invoked by cron periodically in a default jail
installation, and this causes spurious error mails to be sent out every day"

This I agree is undesirable behaviour, and it derives from the fact that a
jail installation is just a normal FreeBSD installation, which expects that
it needs to run periodic machine-level admin tasks when in fact it is
running at the jail level where these tasks are inappropriate.

So for me the obvious solution is to make a jail installation slightly
different from a normal installation, by installing /etc/periodic.conf which
disables those tasks that send out spurious mails.

If you want to run the machine-level tasks only when cron is running outside
a jail, without explicit configuration, then I'd suggest the place to put
the magic is /etc/defaults/periodic.conf (which is, after all, just a shell
script)

    # security.jail.jailed is 1 inside a jail, 0 on the host
    if [ `sysctl -n security.jail.jailed` = 0 ]; then
        not_jailed="YES"
    else
        not_jailed="NO"
    fi
    ...
    # 600.ip6fwdenied
    daily_status_security_ip6fwdenied_enable="$not_jailed"
    # 610.ipf6denied
    daily_status_security_ipf6denied_enable="$not_jailed"

This seems cleaner to me, as it still allows you to override these policies
(even if that's not currently a useful thing to do)

Regards,

Brian.
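The layering Brian describes (a jail-derived default in /etc/defaults/periodic.conf, an optional override in /etc/periodic.conf, and the YES/NO test the stock periodic(8) scripts apply) modelled as a stand-alone script. This is an added example, not code from the thread or from the FreeBSD tree; the function names are made up for illustration, and the fallback to "not jailed" when the sysctl is unavailable is an assumption so the script runs on non-FreeBSD hosts.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): models a jail-aware
# /etc/defaults/periodic.conf, a local /etc/periodic.conf override, and
# the "_enable" check that periodic(8) scripts perform before running.

# Detect whether we run inside a jail. On FreeBSD security.jail.jailed is
# 1 inside a jail and 0 on the host. Where the sysctl does not exist we
# assume the host (assumption, only so the example runs elsewhere).
detect_jailed() {
    sysctl -n security.jail.jailed 2>/dev/null || echo 0
}

# Map the jailed flag to the YES/NO strings periodic.conf variables use.
# $1: 0 (host) or 1 (jailed).
not_jailed_value() {
    if [ "$1" = 0 ]; then
        echo YES
    else
        echo NO
    fi
}

# Compute the effective setting of one task the way sourcing
# /etc/defaults/periodic.conf and then /etc/periodic.conf would:
# the default follows the jail state; a non-empty local override wins.
# $1: jailed flag, $2: value from /etc/periodic.conf ("" if unset).
effective_enable() {
    not_jailed=$(not_jailed_value "$1")
    daily_status_security_ip6fwdenied_enable="$not_jailed"
    if [ -n "$2" ]; then
        daily_status_security_ip6fwdenied_enable="$2"
    fi
    echo "$daily_status_security_ip6fwdenied_enable"
}

# The same case-insensitive YES test the stock periodic scripts use.
# Returns 0 when the task should run, 1 when it should be skipped.
task_should_run() {
    case "$1" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Show the decision for the current host with no local override.
report() {
    jailed=$(detect_jailed)
    setting=$(effective_enable "$jailed" "")
    if task_should_run "$setting"; then
        echo "jailed=$jailed 600.ip6fwdenied: would run"
    else
        echo "jailed=$jailed 600.ip6fwdenied: skipped (no spurious mail)"
    fi
}

report
```

Run it on the host and inside a jail to see the default flip; setting daily_status_security_ip6fwdenied_enable="YES" in a jail's /etc/periodic.conf still wins, which is the override property Brian wanted to keep.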