Cron only practices

The time-essentially essentially based fully job scheduler cron(8) has been spherical since Version 7 Unix, and its crontab(5) syntax is acquainted even for these that don’t attain grand Unix machine administration. It’s standardised, moderately flexible, simple to configure, and works reliably, and so it’s trusted by each and every machine programs and customers to manage many significant duties.

Nonetheless, love many older Unix instruments, cron(8)‘s simplicity has a downside: it depends upon the person to know some detail of the diagram it actually works, and to as it goes to be implement any other security checking behaviour spherical it. Namely, all it does is strive to breeze the job at an relevant time, and email the output. For simple and unimportant per-individual jobs, that will presumably presumably very smartly be correct kind honest correct-looking, however for additional significant machine duties it’s correct to wrap a chunk additional infrastructure spherical it and the duties it calls.

There are a pair of how to diagram the vogue you exercise cron(8) extra sturdy ought to you’re in a problem the put keeping track of the running job is attention-grabbing.

Command the conception of least privilege

The sixth column of a machine crontab(5) file is the username of the person as which the duty ought to tranquil breeze:

0 root  cron-job

To the extent that is purposeful, you ought to tranquil breeze the duty as a individual with only the privileges it wants to breeze, and nothing else. This will as soon as in some time diagram it correct to construct a devoted machine individual purely for running scheduled duties relevant to your application.

0 myappcron  cron-job

Right here isn’t any longer correct kind for security reasons, though these are exact ones; it helps provide protection to you towards nasties love scripting errors making an attempt to buy away whole machine directories.

In the same diagram, for duties with database systems equivalent to MySQL, don’t exercise the chief root individual ought to chances are you’ll presumably presumably steer obvious of it; as an different, exercise or even construct a devoted individual with a varied random password kept in a locked-down ~/.my.cnf file, with only the obligatory permissions. For a MySQL backup job, for instance, only a pair of permissions ought to be required, along side SELECT, SHOW VIEW, and LOCK TABLES.

In some instances, in spite of the whole lot, you truly will can maintain to be root. In in particular sensitive contexts chances are you’ll presumably well even place in mind using sudo(8) with relevant NOPASSWD alternatives, to allow the devoted individual to breeze only essentially the most appealing duties as root, and nothing else.

Test the duties

Prior to inserting a role in a crontab(5) file, you ought to tranquil take a look at it on the uncover line, because the person configured to breeze the duty and with essentially the most appealing atmosphere pickle. If you happen to’re going to breeze the duty as root, exercise one thing love su or sudo -i to secure a root shell with the person’s anticipated atmosphere first:

$ sudo -i -u cronuser
$ cron-job

As soon as the duty works on the uncover line, relate it within the crontab(5) file with the timing settings modified to breeze the duty a pair of minutes later, after which understand /var/log/syslog with tail -f to verify that the duty truly runs with out errors, and that the duty itself completes smartly:

Could honest  7 13: 30: 01 yourhost CRON[20249]: (you) CMD (cron-job)

This will seem pedantic before the whole lot, however it undoubtedly turns into routine very mercurial, and it saves a form of hassles down the line as it’s very simple to diagram an assumption about one thing in your atmosphere that doesn’t truly defend within the person that cron(8) will exercise. It’s moreover a obligatory acid take a look at to make breeze that your crontab(5) file is smartly-fashioned, as some implementations of cron(8) will refuse to load the whole file if one among the lines is malformed.

If obligatory, chances are you’ll presumably presumably pickle arbitrary atmosphere variables for the duties on the tip of the file:

MYVAR=myvalue

0 you  cron-job

Don’t throw away errors or correct output

You’ve potentially seen tutorials on the on-line the put in deliver to defend the crontab(5) job from sending smartly-liked output and/or smartly-liked error emails every 5 minutes, shell redirection operators are included on the end of the job specification to discard each and every the smartly-liked output and smartly-liked error. This kluge is in particular smartly-liked for running web trend duties by automating a request to a URL with curl(1) or wget(1):

*/5 root  curl https://example.com/cron.php>/dev/null 2>&1

Ignoring the output entirely is mostly no longer a exact conception, because except you produce other duties or monitoring guaranteeing the job does its work, you gained’t sight complications (or know what they are), when the job emits output or errors that you just positively care about.

In the case of curl(1), there are correct kind system too many issues that will presumably presumably trip irascible, that chances are you’ll presumably well sight a long way too leisurely:

  • The script would possibly presumably presumably secure broken and return 500 errors.
  • The URL of the cron.php job would possibly presumably presumably commerce, and any individual would possibly presumably presumably neglect so that you just can add a HTTP 301 redirect.
  • Even though a HTTP 301 redirect is added, ought to you don’t exercise -L or --situation for curl(1), it gained’t apply it.
  • The patron would possibly presumably presumably secure blacklisted, firewalled, or in any other case impeded by automatic or handbook processes that falsely flag the request as spam.
  • If using HTTPS, connectivity would possibly presumably presumably damage as a result of cipher or protocol mismatch.

The author has seen all of the above happen, in some instances very incessantly.

As a overall policy, it’s worth taking the time to learn the handbook web enlighten of the duty you’re calling, and to note for ways to as it goes to be modify its output so as that it emits only the output you positively want. In the case of curl(1), for instance, I’ve stumbled on the next system works smartly:

curl -fLsS -o /dev/null http://example.com/
  • -f: If the HTTP response code is an error, emit an error message in preference to the 404 web enlighten.
  • -L: If there’s an HTTP 301 redirect given, strive to apply it.
  • -sS: Don’t suppose development meter (-S stops -s from moreover blocking error messages).
  • -o /dev/null: Ship the smartly-liked output (the staunch web enlighten returned) to /dev/null.

This vogue, the curl(1) request ought to tranquil conclude quiet if the whole lot is smartly, per the ragged Unix philosophy Rule of Silence.

It’s seemingly you’ll presumably presumably presumably no longer trust a pair of of the picks above; chances are you’ll presumably well judge it significant to e.g. log the whole output of the returned web enlighten, or to fail in preference to silently accept a 301 redirect, or chances are you’ll presumably well defend to make exercise of wget(1). The purpose is that you just secure the time to note in additional depth what the known as program will truly emit below what circumstances, and diagram it match your requirements as carefully as that chances are you’ll presumably presumably factor in, in preference to blindly discarding the whole output and (worse) the errors. Work with Murphy’s regulations; desire that anything else that can trip irascible in the end will.

Ship the output someplace correct

Yet every other smartly-liked mistake is failing to pickle a correct MAILTO on the tip of the crontab(5) file, because the specified destination for any output and errors from the duties. cron(8) makes exercise of the machine mail implementation to send its messages, and usually, default configurations for mail brokers will simply send the message to an mbox file in /var/mail/$USER, that they would possibly presumably per chance no longer ever learn. This defeats grand of the point of mailing output and errors.

Right here is with out anxiousness dealt with, though; make breeze that chances are you’ll presumably presumably send a message to an address you positively attain take a look at from the server, per chance using mail(1):

$ printf '%sn' 'Test message' | mail -s 'Test topic' you@example.com

Whenever you’ve verified that your mail agent is as it goes to be configured and that the mail arrives in your inbox, pickle the address in a MAILTO variable on the tip of your file:

MAILTO=you@example.com

0 you  cron-job-1
*/5 you  cron-job-2

If you happen to don’t are making an attempt to make exercise of email for routine output, one other system that works is sending the output to syslog with a tool love logger(1):

0 you  cron-job | logger -it cron-job

Alternatively, chances are you’ll presumably presumably configure aliases in your machine to forward machine mail destined for you on to an address you take a look at. For Postfix, you’d exercise an aliases(5) file.

I as soon as in some time exercise this setup in instances the put the duty is predicted to emit a pair of lines of output which would possibly well presumably presumably very smartly be correct for later overview, however send stderr output through MAILTO as smartly-liked. If you happen to’d moderately no longer exercise syslog, per chance for the reason that output is high in volume and/or frequency, chances are you’ll presumably presumably persistently pickle up a log file /var/log/cron-job.log … however don’t neglect so that you just can add a logrotate(8) rule for it!

Place the duties of their very have shell script file

Ideally, the instructions in your crontab(5) definitions ought to tranquil only be a pair of words, in one or two instructions. If the uncover is running off the screen, it’s likely too long to be within the crontab(5) file, and likewise you ought to tranquil as an different place it into its have script. Right here’s an awfully exact conception in deliver for you to reliably exercise facets of bash or one other shell apart from POSIX/Bourne /bin/sh in your instructions, or per chance a scripting language love Awk or Perl; by default, cron(8) makes exercise of the machine’s /bin/sh implementation for parsing the instructions.

Due to the crontab(5) files don’t allow multi-line instructions, and produce other gotchas love the must secure away p.c indicators % with backslashes, keeping as grand configuration out of the staunch crontab(5) file as chances are you’ll presumably presumably can be a exact conception.

If you happen to’re running cron(8) duties as a non-machine individual, and can’t add scripts into a machine bindir love /usr/local/bin, a clear system is to initiate your have, and encompass a reference to it as fraction of your PATH. I favour ~/.local/bin, and maintain seen references to ~/bin as smartly. Set apart the script in ~/.local/bin/cron-job, diagram it executable with chmod +x, and encompass the directory within the PATH atmosphere definition on the tip of the file:

PATH=/dwelling/you/.local/bin:/usr/local/bin:/usr/bin:/bin
MAILTO=you@example.com

0 you  cron-job

Having your have directory with custom scripts in your have capabilities has a bunch of other advantages, however that’s one other article…

Help a long way flung from /etc/crontab

If your implementation of cron(8) helps it, in preference to having an /etc/crontab file a mile long, chances are you’ll presumably presumably place duties into separate files in /etc/cron.d:

$ ls /etc/cron.d
machine-a
machine-b
raid-maint

This suggests enables you to community the configuration files meaningfully, so as that you just and other administrators can earn essentially the most appealing duties extra with out anxiousness; it moreover enables you to diagram some files editable by some customers and no longer others, and reduces the prospect of edit conflicts. Utilizing sudoedit(8) helps right here too. Yet every other advantage is that it actually works better with model modify; if I initiate gathering extra than a pair of of these job files or to interchange them extra usually than every few months, I initiate a Git repository to trace them:

$ cd /etc/cron.d
$ sudo git init
$ sudo git add --all
$ sudo git commit -m "First commit"

If you happen to’re bettering a crontab(5) file for duties connected only to the person individual, exercise the crontab(1) tool; chances are you’ll presumably presumably edit your have crontab(5) by typing crontab -e, which is prepared to initiate your $EDITOR to edit a immediate file that will be installed on exit. This will build the files into a devoted directory, which on my machine is /var/spool/cron/crontabs.

On the systems maintained by the author, it’s rather smartly-liked for /etc/crontab never to commerce from its packaged template.

Embody a timeout

cron(8) will usually allow a role to breeze indefinitely, so if right here’s no longer attention-grabbing, you ought to tranquil place in mind both using alternatives of the program you’re calling to implement a timeout, or along side one within the script. If there’s no option for the uncover itself, the timeout(1) uncover wrapper in coreutils is individual who chances are you’ll presumably presumably factor in system of imposing this:

0 you  timeout 10s cron-job

Greg’s wiki has some additional strategies on ways to implement timeouts.

Embody file locking to stop overruns

cron(8) will initiate a recent job no topic whether its old runs maintain performed, so ought to you must book obvious of locking for long-running job, on GNU/Linux chances are you’ll presumably well exercise the flock(1) wrapper for the flock(2) machine call to pickle a regular lockfile, in deliver to stop the duty from running extra than one instance in parallel.

0 you  flock -nx /var/lock/cron-job cron-job

Greg’s wiki has some extra in-depth discussion of the file locking anxiousness for scripts in a overall sense, along side significant data in regards to the caveats of “rolling your have” when flock(1) isn’t any longer available.

If it’s significant that your duties breeze in a relate deliver, place in mind whether it’s obligatory to maintain them in separate duties at all; it would possibly per chance presumably presumably very smartly be more straightforward to squawk they’re breeze sequentially by gathering them in a single shell script.

Set apart one thing correct with exit statuses

If your cron(8) job or instructions interior its script exit non-zero, it would even be correct to breeze instructions that take care of the failure as it goes to be, along side cleanup of relevant resources, and sending data to monitoring instruments in regards to essentially the most modern role of the job. If you happen to’re using Nagios Core or one among its derivatives, chances are you’ll presumably well place in mind using send_nsca to send passive assessments reporting the role of jobs to your monitoring server. I’ve written a straightforward script known as nscaw to attain this for me:

0 you  nscaw CRON_TASK -- cron-job

Elevate into consideration picks to cron(8)

If your machine isn’t persistently on and your job doesn’t must breeze at a relate time, however moderately wants to breeze as soon as daily or weekly, chances are you’ll presumably presumably install anacron and fall scripts into the cron.hourly, cron.daily, cron.month-to-month, and cron.weekly directories in /etc, as relevant. Indicate that on Debian and Ubuntu GNU/Linux systems, the default /etc/crontab contains hooks that breeze these, however they breeze supplied that anacron(8) isn’t any longer installed.

If you happen to’re using cron(8) to poll a directory for modifications and breeze a script if there are such modifications, on GNU/Linux chances are you’ll presumably well place in mind using a daemon in line with inotifywait(1) as an different.

In the end, ought to you require extra obedient modify over when and the diagram your job runs than cron(8) can provide, chances are you’ll presumably well per chance place in mind writing a daemon to breeze on the server persistently and fork processes for its job. This would allow running a role extra usually than as soon as a minute, for instance. Don’t secure too slowed down into contemplating that cron(8) is your only option for to any extent additional or less asynchronous job administration!

Read More

Vanic
WRITTEN BY

Vanic

β€œSimplicity, patience, compassion.
These three are your greatest treasures.
Simple in actions and thoughts, you return to the source of being.
Patient with both friends and enemies,
you accord with the way things are.
Compassionate toward yourself,
you reconcile all beings in the world.”
― Lao Tzu, Tao Te Ching