[arch-dev-public] Use systemd timers instead of /etc/cron.{hourly, daily, weekly, monthly}?

Daniel Micay danielmicay at gmail.com
Thu Mar 27 21:01:17 EDT 2014


On 27/03/14 08:01 PM, Thomas Bächler wrote:
> Since systemd 212, systemd timers support the Persistent=true option for
> OnCalendar timers. This is functionality similar to anacron:
> 
> Persistent=
>     Takes a boolean argument. If true the service unit is immediately
>     triggered when the timer unit is activated and the timer elapsed at
>     least once since the last time the service unit has been triggered
>     by the timer unit. The time when the service unit was last
>     triggered is stored on disk. This is useful to catch up for missed
>     timers when a machine is shutdown temporarily and then is powered
>     up again. Note that this setting only has an effect on timers
>     configured with OnCalendar=.
> 
> This means that we could replace the cron.* dropin scripts with systemd
> services and timers.
> 
> Pros:
>  * enabled by default (in contrast to cronie)
>  * systems without need for crontabs can disable/uninstall cron
>  * service will be simpler than the rather long dropin scripts
> 
> Cons:
>  * services are run in parallel instead of sequentially (is this even a
> con? timer start will be randomized, and we can increase accuracy to an
> hour to randomize even more)
>  * no holdoff time after boot as it seems
> 
> Affected packages:
> 
> community/awstats 7.2-1         /etc/cron.hourly/awstats
> community/snapper 0.2.1-1       /etc/cron.hourly/snapper
> community/sysstat 10.3.1-1      /etc/cron.hourly/sysstat
> 
> core/logrotate 3.8.7-1          /etc/cron.daily/logrotate
> core/man-db 2.6.6-1             /etc/cron.daily/man-db
> core/mlocate 0.26-1             /etc/cron.daily/updatedb
> core/shadow 4.1.5.1-7           /etc/cron.daily/shadow
> extra/hylafax 6.0.6-4           /etc/cron.daily/hylafax
> community/atop 2.0.2-1          /etc/cron.daily/atop
> community/dspam 3.10.2-8        /etc/cron.daily/dspam_maintenance
> community/logwatch 7.4.0-3      /etc/cron.daily/0logwatch
> community/snapper 0.2.1-1       /etc/cron.daily/snapper
> community/sysstat 10.3.1-1      /etc/cron.daily/sysstat
> 
> extra/pkgstats 2.3-3    /etc/cron.weekly/pkgstats
> community/squid 3.4.4-1 /etc/cron.weekly/squid
> 
> I'd be willing to convert all the core packages and put them to testing
> if people agree that this is the right course.

I think it would make sense to remove cronie from base when these are
migrated to timer units. It's not enabled by default, and ships with a
setuid binary (crontab) so it opens up a vulnerability in the base install.

Among others (although one requires cron to be enabled):

* https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0424
* https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6097
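The conversion the thread proposes, written out as an added example that is not from this thread, from systemd, or from any Arch package: a POSIX shell script that drops a timer/service pair replacing a /etc/cron.daily script. The unit names (logrotate.service, logrotate.timer), the command line /usr/bin/logrotate /etc/logrotate.conf, and the helper names write_units and check_timer are assumptions made for the example. The timer uses the options discussed above: OnCalendar= (required for Persistent= to do anything), Persistent=true for anacron-style catch-up, and AccuracySec=1h so several daily timers do not all fire in the same second.

```shell
#!/bin/sh
# Added example: generate a systemd timer/service pair that replaces a
# /etc/cron.daily drop-in script. Unit names and the logrotate command
# line are assumptions, not taken from any package.
set -eu

# Write logrotate.service and logrotate.timer into the directory $1.
# A package would install into /usr/lib/systemd/system; a local admin
# override belongs in /etc/systemd/system.
write_units() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/logrotate.service" <<'EOF'
[Unit]
Description=Rotate log files
Documentation=man:logrotate(8)

[Service]
Type=oneshot
ExecStart=/usr/bin/logrotate /etc/logrotate.conf
EOF
    cat > "$dir/logrotate.timer" <<'EOF'
[Unit]
Description=Daily rotation of log files

[Timer]
# Persistent= only has an effect on OnCalendar= timers (systemd >= 212).
OnCalendar=daily
# Run immediately at activation if a scheduled run was missed while the
# machine was powered off: the anacron-like behaviour the thread relies on.
Persistent=true
# Let systemd coalesce the trigger anywhere within the hour, so timers that
# used to run sequentially from cron.daily are spread out instead of firing
# in parallel at exactly 00:00.
AccuracySec=1h

[Install]
WantedBy=timers.target
EOF
}

# Offline sanity check that needs no running systemd: a timer that sets
# Persistent=true without OnCalendar= silently gets no catch-up behaviour,
# which is exactly the failure mode that would be missed until a machine
# was left off over a scheduled run.
check_timer() {
    f=$1
    if grep -q '^Persistent=true' "$f" && ! grep -q '^OnCalendar=' "$f"; then
        echo "$f: Persistent=true without OnCalendar=, catch-up will not happen" >&2
        return 1
    fi
    return 0
}
```

After installing the units, enable the timer rather than the service (systemctl enable --now logrotate.timer), confirm the scheduled and last-run times with systemctl list-timers --all, and run systemd-analyze verify on both files to catch typos in directive names, which systemd otherwise only warns about in the journal.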
