Fine tuning periodic jobs for jails and directing their output to log files

Hi everyone,

I'm on a quest to fine tune the configuration of a few jails I'm running, and one thing I'd like to do is disable periodic(8) jobs that are either undesired and/or redundant for jails, and to get all of the remaining output sent to log files, rather than being delivered by mail.

Below is my /usr/local/etc/periodic.conf configuration, where, as you can see, I configure daily_output, daily_status_security_output, weekly_output, weekly_status_security_output, monthly_output, and monthly_status_security_output to go to files. Also, I'm keeping the daily_status_security_inline, weekly_status_security_inline, and monthly_status_security_inline variables at their "NO" defaults. Yet, however, I'm still seeing mail files being generated in /var/spool/clientmqueue with job reports after nightly periodic runs, so I'm wondering if there's something obvious I'm missing, or if what I want is simply not possible.

Thanks in advance for any help!

sh:
# Output to log files which are rotated by default:
daily_output="/var/log/daily.log"
daily_status_security_output="/var/log/daily.log"
weekly_output="/var/log/weekly.log"
weekly_status_security_output="/var/log/weekly.log"
monthly_output="/var/log/monthly.log"
monthly_status_security_output="/var/log/monthly.log"

# No output for successful script runs:
daily_show_success="NO"
weekly_show_success="NO"
monthly_show_success="NO"
security_show_success="NO"

# Disabled daily scripts:
daily_accounting_enable="NO"
daily_backup_aliases_enable="NO"
daily_backup_efi_enable="NO"
daily_backup_gmirror_enable="NO"
daily_backup_gpart_enable="NO"
daily_backup_zfs_enable="NO"
daily_backup_zfs_props_enable="NO"
daily_calendar_enable="NO"
daily_clean_disks_enable="NO"
daily_clean_hoststat_enable="NO"
daily_clean_preserve_enable="NO"
daily_clean_rwho_enable="NO"
daily_clean_tmps_enable="NO"
daily_news_expire_enable="NO"
daily_queuerun_enable="NO"
daily_scrub_zfs_enable="NO"
daily_status_disks_enable="NO"
daily_status_gconcat_enable="NO"
daily_status_gmirror_enable="NO"
daily_status_graid3_enable="NO"
daily_status_gstripe_enable="NO"
daily_status_include_submit_mailq="NO"
daily_status_mail_rejects_enable="NO"
daily_status_mailq_enable="NO"
daily_status_mfi_enable="NO"
daily_status_network_enable="NO"
daily_status_ntpd_enable="NO"
daily_status_world_kernel="NO"
daily_status_zfs_enable="NO"
daily_status_zfs_zpool_list_enable="NO"
daily_submit_queuerun="NO"

# Enabled daily scripts:
daily_backup_passwd_enable="YES"
daily_clean_msgs_enable="YES"
daily_status_security_enable="YES"

# Disabled weekly scripts:
weekly_locate_enable="NO"
weekly_noid_enable="NO"
weekly_whatis_enable="NO"

# Enabled weekly scripts:
weekly_status_pkg_enable="YES"
weekly_status_security_enable="YES"

# Enabled monthly scripts:
monthly_accounting_enable="YES"
monthly_status_security_enable="YES"

# Disabled security scripts:
security_status_chkmounts_enable="NO"
security_status_chkportsum_enable="NO"
security_status_chksetuid_enable="NO"
security_status_ipfdenied_enable="NO"
security_status_ipfwdenied_enable="NO"
security_status_ipfwlimit_enable="NO"
security_status_kernelmsg_enable="NO"
security_status_logincheck_enable="NO"
security_status_loginfail_enable="NO"
security_status_neggrpperm_enable="NO"
security_status_pfdenied_enable="NO"
security_status_tcpwrap_enable="NO"

# Enabled security scripts:
security_status_chkuid0_enable="YES"
security_status_chkuid0_period="daily"
security_status_passwdless_enable="YES"
security_status_passwdless_period="daily"
 
In case this is the something obvious that you're missing: is this periodic.conf on both the jailhost and all of the jails? Do you see mail activity on the jailhost or the jails?
This is /usr/local/etc/periodic.conf on all of the jails, and they're all generating periodic output, e.g. "Checking for passwordless accounts:", to clientmqueue files.

But the plot thickens! That output is generated by the /etc/periodic/security/400.passwdless job, which I have enabled via the security_status_passwdless_enable variable. However, I am seeing activity in this sample jail's /var/log/daily.log file, e.g. "Disk status" coming from the /etc/periodic/daily/400.status-disks job, which I have disabled via the daily_status_disks_enable variable!

Both jobs source the source_periodic_confs function which, according to my reading of its code in /etc/defaults/periodic.conf, should be pulling in my /usr/local/etc/periodic.conf file via the ${_localbase} definition (sysctl -n user.localbase == /usr/local of course).

So, all in all, this behavior seems really odd and contradictory, at least to my understanding of the source code and the configs, but I can't find any kind of a silly mistake, e.g. a typo, that I might be making somewhere…

Meanwhile, the host is an already rather old TrueNAS CORE 13.3-U1.2 system (please don't chastise me, this rig has served me wonderfully for almost 10 years already, and it's hosting quite a few things that I am working on migrating to something a little more modern), and I can't quite figure out how it's running its own periodic jobs, if at all (not looking like it).
 
Not that it should matter, but I use /etc/periodic.conf on my systems. Have you disabled sendmail in /etc/rc.conf?
Code:
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
sendmail_cert_create="NO"
 
I do have sendmail fully disabled in /etc/rc.conf for all my jails:

sh:
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

And last night I did an experiment, which was simply moving their periodic.conf files from /usr/local/etc (which I prefer using for all jail configurations because I nullfs mount those directories from the host and keep their contents under source control, greatly helping in making jails easily replaceable) to /etc, and that appears to have done the trick of honoring my periodic(8) configuration and not generating clientmqueue files!

I'm still waiting for at least one more night before declaring victory, but if that does work, then I am either missing some very obvious configuration to enable the use of my ${LOCALBASE}/etc/periodic.conf file, or bizarrely misunderstanding the documentation and/or the execution of /etc/defaults/periodic.conf's source_periodic_confs function… or there's a bug somewhere.
 
Two nights in a row with my jails' periodic.conf files moved from their /usr/local/etc location to /etc, and still no files in any of their /var/spool/clientmqueue directories.

Wonder if this behavior is the result of a bug somewhere in periodic(8), if it also manifests in newer FreeBSD versions (my jails are all still stuck on 13.5), or if I've simply misunderstood something about configuration and/or the code, because I most certainly want to keep all my customizations to /usr/local.
 
Looks like support for /usr/local/etc/periodic.conf was first introduced in 13.3 which explains why I have always used /etc/periodic.conf. Unfortunately there was a bug and the fix didn't make it into 13.5, first appearing in 14.3.
 
Raising a glass for all those dead CPU cycles I've been wasting all this time running unnecessary periodic scripts in *all* of my numerous jails while I investigated this issue, when it was so painfully obvious that my /usr/local/etc/periodic.conf file was just flat-out being ignored! (and, of course, to my pride as well, for failing to notice such an obvious bug and for failing to put together such a simple test to surface it! In my defense, though, I've been working with so many other things concurrently, and I only have so much brain power 😥).

Thank you for that refreshing info, this was getting frustrating, and for giving me yet another reason to continue upgrading my jails!

Once I do so, I'll test moving my periodic configuration back to /usr/local/etc/periodic.conf and perform a simple test to confirm it's being honored, and at that point I'll mark this thread as resolved for the benefit of the community.

Thanks!
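
The "simple test" mentioned in the last post can be scripted; the following is an added example, not part of the thread and not FreeBSD's own code. It loads a defaults file the same way the periodic scripts do (source it, then call source_periodic_confs) and reports the value a job would actually see. The helper names periodic_effective, periodic_conf_candidates and periodic_check are hypothetical, and the script assumes the defaults file defines source_periodic_confs and periodic_conf_files as described in the thread.

```sh
#!/bin/sh
# Added example: show what a periodic(8) job would see for one variable.
#   $1 = defaults file (on FreeBSD: /etc/defaults/periodic.conf)
#   $2 = variable name, e.g. daily_status_disks_enable
periodic_effective() {
    # Accept only plain shell identifiers, because the name reaches eval.
    case "$2" in ''|*[!A-Za-z0-9_]*) return 2 ;; esac
    (   # subshell: nothing leaks into the caller's environment
        . "$1" || exit 2
        # Same sequence the periodic scripts use: load defaults, then overrides.
        source_periodic_confs
        eval "printf '%s\n' \"\${$2}\""
    )
}

# List every override file named in periodic_conf_files and whether it is
# readable ("read") or would be silently passed over ("skip").
periodic_conf_candidates() {
    (
        . "$1" || exit 2
        for f in ${periodic_conf_files}; do
            if [ -r "$f" ]; then echo "read $f"; else echo "skip $f"; fi
        done
    )
}

# Compare the effective value with the one set in the override file.
# Returns 0 when the override is honored, 1 when it is being ignored.
periodic_check() {
    got=$(periodic_effective "$1" "$2") || return 2
    if [ "$got" = "$3" ]; then
        echo "OK $2=$got"
    else
        echo "MISMATCH $2=$got (expected $3)"
        return 1
    fi
}
```

Inside a jail this would be called as `periodic_check /etc/defaults/periodic.conf daily_status_disks_enable NO`; a MISMATCH, or a missing /usr/local/etc/periodic.conf line in the `periodic_conf_candidates` output, means the override file is not being applied.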
 