Date: Fri, 23 Sep 2005 20:12:37 +0100
From: Brian Candler
To: Jeremie Le Hen
Cc: freebsd-current@FreeBSD.org
Subject: Re: jail's periodic stuff
Message-ID: <20050923191237.GA870@uk.tiscali.com>
In-Reply-To: <20050923163042.GZ24643@obiwan.tataz.chchile.org>

On Fri, Sep 23, 2005 at 06:30:42PM +0200, Jeremie Le Hen wrote:
> Note that I'm still not sure about these scripts :
> 400.status-disks
> 405.status-ata-raid
> 420.status-network
> For instance, 420 uses ``netstat -in''. It will not be able to run
> inside a jail, unless /dev/mem is available (I'm not sure this is
> still the case with rwatson@ recent changes), which is, while still
> possible, very unlikely.

You probably don't need to worry about it too much. Even if the user isn't
allowed to run 'netstat -in' then nothing bad will happen, short of perhaps
a mail being sent to the jail owner. They can always override it in their
own /etc/periodic.conf or /etc/periodic.conf.local

The test I would use is: "is this script something to do with administering
the *machine* itself, or the *jail environment*?"

Almost always I'd expect the network interfaces to belong to the machine
only.

The disks and ata-raid arrays most likely belong to the machine. It's not
impossible that the system administrator would decide to open up direct
access to a particular drive into a particular jail (using devfs rules), but
even then it's more likely the system administrator rather than the person
sitting within the jail who is going to be responsible for the good health
of the drives, and therefore wants to see these alerts.

> I would like to hear some advice of wise people about this.

Ah, that I can't help you with :-)

Regards,

Brian.