Hi Brian,

thank you for replying, I was beginning to feel lonely :-).

> > there are some periodic scripts which shouldn't be run inside a jail,
> > because jail's restrictions would prevent the utility to work correctly.
> > This includes those that gather statistics from various firewalls,
> > in security/ :
> >     510.ipfdenied
> >     520.pfdenied
> >     550.ipfwlimit
> >     600.ip6fwdenied
> >     610.ipf6denied
> >     650.ip6fwlimit
> ...
> > I would like to hear your comments on this and on the best way to solve
> > this problem.  My first thought was to add
> >
> > %   if [ `sysctl -n security.jail.jailed` -eq 1 ]
> > %   then
> > %       exit 0
> > %   fi
> >
> > just before the main case statement, but there may be smarter ways to
> > achieve this.
>
> A mechanism which already exists is to create /etc/periodic.conf within your
> jail, disabling the individual scripts you don't want to run. See
> /etc/defaults/periodic.conf for the settings available (or
> /usr/share/examples/etc/defaults/periodic.conf)
>
> However it might be a good idea for FreeBSD to provide a sample
> periodic.conf for use in a jail environment.

At present time, there is a handbook chapter in preparation about jails.
Most of the current jail(8) manpage should be moved out to it. I first
thought to add a note about periodic.conf(5) in it, and actually I still
do for greedy weekly things for instance, but considering that the
mentioned scripts won't ever be allowed to run inside a jail anyway (at
least until we have a network stack virtualization ;p), I've felt it would
be a good thing to simply disable them in jail environment.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org > < ttz at chchile dot org >

Received on Fri Sep 23 2005 - 08:07:12 UTC
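The jail guard discussed in this message, written as an added example (not code from the thread or from FreeBSD) that also covers the case where `sysctl -n security.jail.jailed` fails or prints nothing, which would make the quoted `[ ... -eq 1 ]` test error out. The names `jail_state`, `should_skip` and the test hook `JAILED_OVERRIDE` are hypothetical; the script list is the one given in the quoted message.

```shell
#!/bin/sh
# Added example. Function names and JAILED_OVERRIDE are hypothetical.

# The security/ scripts named in the thread as unable to work in a jail.
FIREWALL_SCRIPTS="510.ipfdenied 520.pfdenied 550.ipfwlimit
600.ip6fwdenied 610.ipf6denied 650.ip6fwlimit"

# Print 1 when running inside a jail, 0 otherwise.
# A missing sysctl binary, an unknown OID or empty output all count as
# "not jailed", so the caller never compares an empty string with -eq.
jail_state() {
    if [ -n "${JAILED_OVERRIDE+set}" ]; then
        # Test hook (assumption): lets the logic run on a non-jailed host.
        state=$JAILED_OVERRIDE
    else
        state=$(sysctl -n security.jail.jailed 2>/dev/null) || state=
    fi
    case "$state" in
        1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Return 0 (skip) only when jailed AND the script is one of the firewall
# statistics scripts; every other script still runs inside the jail.
should_skip() {
    name=${1##*/}                      # strip the directory part
    [ "$(jail_state)" = 1 ] || return 1
    for s in $FIREWALL_SCRIPTS; do
        [ "$s" = "$name" ] && return 0
    done
    return 1
}

# Intended use near the top of a periodic script, before its main case
# statement (the placement proposed in the message):
#   should_skip "$0" && exit 0
```
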
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:44 UTC