Re: jail's periodic stuff

From: Brian Candler <B.Candler_at_pobox.com> Date: Fri, 23 Sep 2005 12:38:19 +0100 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:44 UTC

On Fri, Sep 23, 2005 at 12:07:07PM +0200, Jeremie Le Hen wrote:
> I first thought to add a note about periodic.conf(5) in it, and actually
> I still do for greedy weekly things for instance, but considering that
> the mentioned scripts won't ever be allowed to run inside a jail anyway
> (at least until we a network stack virtualization ;p), I've felt it
> would be a good thing to simply disable them in jail environnement.

Perhaps, but I expect we're looking at it from different points of view. In
your original post you asked for suggestions on "the best way to solve this
problem", without exactly describing what you thought *was* the problem.

Problem 1? "These scripts fail when you attempt to run then inside a jail(8)"

I don't see this as a problem, I see it as correct behaviour. You try to do
something which you are not allowed to do, and the kernel prohibits it. The
same would be true if you tried to run these scripts as a non-root user, for
example.

I wouldn't expect to see magic in these scripts saying

    if [ `id -u` != 0 ]; then
      exit 0
    fi

so I don't see any need to add magic to exit early if the script is run in a
jail.

Problem 2? "These scripts are invoked by cron periodically in a default jail
installation, and this causes spurious error mails to be sent out every day"

This I agree is undesirable behaviour, and it derives from the fact that a
jail installation is just a normal FreeBSD installation, which expects that
it needs to run periodic machine-level admin tasks when in fact it is
running at the jail level where these tasks are inappropriate.

So for me the obvious solution is to make a jail installation slightly
different from a normal installation, by installing /etc/periodic.conf which
disables those tasks that send out spurious mails.

If you want to run the machine-level tasks only when cron is running outside
a jail, without explicit configuration, then I'd suggest the place to put
the magic is /etc/defaults/periodic.conf (which is, after all, just a shell
script)

    if [ `sysctl -n security.jail.jailed` == 0 ]; then
      not_jailed="YES"
    else
      not_jailed="NO"
    fi

    ...

    # 600.ip6fwdenied
    daily_status_security_ip6fwdenied_enable=not_jailed

    # 610.ipf6denied
    daily_status_security_ipf6denied_enable=not_jailed

This seems cleaner to me, as it still allows you to override these policies
(even if that's not currently a useful thing to do)

Regards,

Brian.