How to deal with ntpd and jails? [Archive] - The FreeBSD Forums

uisge
December 23rd, 2008, 01:22
Hi -

I'm currently installing a server from scratch and plan to create service jails, my first time dealing with them. If I'm not mistaken, I have to re-configure daemons to bind to all IPs before starting jails.

Now I'm facing the issue that I cannot tell ntpd to listen on a single IP, only.

Here my questions:

1) can ntpd become jailed and adjust system time out of a jail (which I doubt)?
2) is openntpd an alternative?
3) how do you deal with ntp and jails?

uisge
December 23rd, 2008, 01:27
If I'm not mistaken, I have to re-configure daemons to bind to all IPs before starting jails.

Sorry, that has to read: ... daemons NOT to bind ...

anomie
December 23rd, 2008, 01:32
1) can ntpd become jailed and adjust system time out of a jail (which I doubt)?

No. AFAIK, ntpd can only modify the time from the host (not from the jails).

2) is openntpd an alternative?

I haven't used openntpd, but I've read that it can bind to a single (specified) IP address. So, yes, it probably is a good alternative here.

Confirmation on openntpd binding to specific IP(s): http://www.openbsd.org/cgi-bin/man.cgi?query=ntpd.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current

See the listen on directive.

3) how do you deal with ntp and jails?

For the last host/jail systems I set up, I was using ntpd -q once a day (which, frankly, was a pretty lousy solution).

I recommend either pursuing the openntpd idea, or living with the idea that ntpd will be bound to all interfaces.

uisge
December 23rd, 2008, 09:19
No. AFAIK, ntpd can only modify the time from the host (not from the jails).

Thanks for the clarification.

I haven't used openntpd, but I've read that it can bind to a single (specified) IP address. So, yes, it probably is a good alternative here.

I did install openntpd in the meantime, and yes, it binds to a single (or multiple, if wanted) IPs. But openntpd is hard to monitor: ntpq doesn't work, and it adjusted the time only once during the last 10 hours ...

I recommend either pursuing the openntpd idea, or living with the idea that ntpd will be bound to all interfaces.

Hmm. Does that mean one can start jails even if a daemon listens on a given port on all IPs? If that is true, I misinterpreted Michael Lucas' textbook, which begins the jail section of his book by re-configuring all daemons in this regard.

Hmm, can one start jails even if ntpd is still bound to all IPs at 123?

anomie
December 23rd, 2008, 21:06
Does that mean one can start jails even if a daemon listens on a given port on all IPs? If that is true, I misinterpreted Michael Lucas' textbook, which begins the jail section of his book by re-configuring all daemons in this regard.

Hmm, can one start jails even if ntpd is still bound to all IPs at 123?

---
"The jail must have exclusive access to that IP address; nothing on the host system can use it."
Lucas, Michael W. Absolute FreeBSD 2nd Edition
CA: No Starch Press, Inc., 2008. p. 287
---

It would be simple for you to verify whether this is true by testing. If so, it looks like your best bet will be openntpd (in spite of the limitations you experienced).

uisge
December 23rd, 2008, 22:57
---
"The jail must have exclusive access to that IP address; nothing on the host system can use it."
Lucas, Michael W. Absolute FreeBSD 2nd Edition
CA: No Starch Press, Inc., 2008. p. 287
---


The next two sentences after that one were the ones I was referring to:

"That IP is the only network address the jail can have. If your host server has a daemon that binds to all available IP addresses on the system, that daemon will prevent a jail from starting."


It would be simple for you to verify whether this is true by testing.

That's what I did in the meantime, and it seems to me that Lucas' conclusions are wrong:

> sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root syslogd 90900 6 udp4 10.0.0.1:514 *:*
root ntpd 90767 20 udp4 *:123 *:*
root ntpd 90767 22 udp4 xxx.xxx.xxx.xxx:123 *:*
root ntpd 90767 25 udp4 127.0.0.1:123 *:*

> jls
JID IP Address Hostname Path
1 10.0.0.1 www.example.invalid /home/jails/www

www# sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root syslogd 90900 6 udp4 10.0.0.1:514 *:*


Although ntpd binds to all IP addresses on port 123, I was able to start my four jails (only one shown above).

Hmm, may the reason for this disagreement be the fact that ntpd listens on UDP only?

I'm by far too inexperienced to judge ...

Thanks.
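As an added check (example script, not from the thread or from FreeBSD itself): a sh/awk filter that cross-checks host sockstat output against jls output the way uisge's listings above do by eye, flagging host sockets on the wildcard address or on a jail's IP. The two listings inside it are constructed; the host IP 192.0.2.10, the sshd entry and the second jail are assumptions.

```shell
#!/bin/sh
# Constructed sample listings, modelled on the thread's "sockstat -4" and "jls"
# output (not captured from a real system). 192.0.2.10 stands in for the host IP.
SOCKSTAT_SAMPLE='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root syslogd 90900 6 udp4 10.0.0.1:514 *:*
root ntpd 90767 20 udp4 *:123 *:*
root ntpd 90767 22 udp4 192.0.2.10:123 *:*
root ntpd 90767 25 udp4 127.0.0.1:123 *:*
root sshd 1234 4 tcp4 10.0.0.1:22 *:*'

JLS_SAMPLE='JID IP Address Hostname Path
1 10.0.0.1 www.example.invalid /home/jails/www
2 10.0.0.2 db.example.invalid /home/jails/db'

# jail_overlaps SOCKSTAT_TEXT JLS_TEXT
# Prints one line per host socket that is reachable on a jail IP:
#   PROTO ADDR PORT COMMAND REASON    (REASON is "wildcard" or "jail-ip")
jail_overlaps() {
  # second column of every jls data line is the jail's IP address
  jail_ips=$(printf '%s\n' "$2" | awk 'NR > 1 { printf "%s ", $2 }')
  printf '%s\n' "$1" | awk -v ips="$jail_ips" '
    BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) jail[a[i]] = 1 }
    NR > 1 {
      addr = $6; sub(/:[^:]*$/, "", addr)   # "10.0.0.1:514" -> "10.0.0.1"
      port = $6; sub(/^.*:/, "", port)      # "10.0.0.1:514" -> "514"
      if (addr == "*")        print $5, addr, port, $2, "wildcard"
      else if (addr in jail)  print $5, addr, port, $2, "jail-ip"
    }'
}

# On a real host you would call: jail_overlaps "$(sockstat -4)" "$(jls)"
jail_overlaps "$SOCKSTAT_SAMPLE" "$JLS_SAMPLE"
```

Sockets bound to the host's own address (192.0.2.10) or to 127.0.0.1 are not reported, since a jail cannot reach them through its single IP.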

anomie
December 24th, 2008, 00:20
Let me offer an alternate interpretation: It's probably a bit strong to say that a jail will be prevented from starting in this case (which you seem to have proven to be false). Instead, I would say it is a best practice to force services on the host to bind only to non-jail IP addresses.

The issue you get into when you bind a host's service to a jail's IP address is the service is then (AFAIK) accessible from the jail. This could potentially leave a gaping hole in your jail scheme by allowing a "back door" into your host via said service. Once again, you could test and prove/disprove this hypothesis. (Or is your command output above already testing that? I wasn't exactly sure what that was.)

uisge
December 24th, 2008, 01:12
The issue you get into when you bind a host's service to a jail's IP address is the service is then (AFAIK) accessible from the jail. This could potentially leave a gaping hole in your jail scheme by allowing a "back door" into your host via said service. Once again, you could test and prove/disprove this hypothesis. (Or is your command output above already testing that? I wasn't exactly sure what that was.)

JFTR: The first sockstat shows the host's bindings after starting the jails, the jls shows an example jail's IP address, and the last sockstat in that jail shows the example jail's bindings.

In order to test your hypothesis, I should now test 1) whether another ntpd can be started in that jail and 2) whether that ntpd will bind to the host's IP address?

If so, I do need some sleep before ;-)

anomie
December 24th, 2008, 02:44
Nah, I think you've already done it. I was curious to see if starting ntpd in the host (which gloms onto all interfaces - including the jail's IP) would allow ntpd to be visible and accessible within the jail itself. It seems not.

Unless I'm missing something, you've solved your problem here.

cajunman4life
December 24th, 2008, 18:31
It's been a little while since I worked with jails, but... doesn't the jail get its time from the host system? I ran NTPD on the jail host and all the jails seemed to stay in sync with the host...

anomie
December 24th, 2008, 23:40
It's been a little while since I worked with jails, but... doesn't the jail get its time from the host system?

Yes, it does. You have to set the timezone within the jail itself, but actual time changes need to happen in the host.

cajunman4life
December 24th, 2008, 23:58
Disregard. Completely misunderstood the OP.