Is it possible to jail ntpd?

Since I could only find one relevant thread from several years ago, I figured I might as well start a new thread for this.

Is it possible to run ntpd(8) in a jail? I'm finding the following message repeated in the jail's /var/log/messages:
Code:
<timestamp> ntp ntpd[<pid>]: step-systime: Operation not permitted
This suggests to me that the system clock cannot be adjusted from within a jail, which makes sense. However, there doesn't appear to be a sysctl or rc.conf setting that can override this, leaving me inclined to think that ntpd(8) indeed cannot be jailed.

Any thoughts?
 
When trying to secure the NTP daemon, I chose to use net/openntpd instead of the standard ntpd(8). It's easier to configure (as a client), doesn't insist on listening on the network, and has source code, written by the OpenBSD guys, which is orders of magnitude smaller.

Code:
$ ps aux | grep ntp
root        1727   0.0  0.0  12028   1452 ??  Is   Wed06AM    0:00.01 ntpd: [priv] (ntpd)
_ntp        1728   0.0  0.0  12028   1532 ??  I    Wed06AM    0:00.18 ntpd: ntp engine (ntpd)
_ntp        1730   0.0  0.0  12028   1468 ??  I    Wed06AM    0:00.00 ntpd: dns engine (ntpd)
$ sockstat -l -4 -6 | grep ntp
$ 
$ ntpdate -q pool.ntp.org
server 194.109.64.200, stratum 2, offset -0.009010, delay 0.06390
server 82.197.221.30, stratum 3, offset -0.008171, delay 0.06064
server 83.98.201.134, stratum 2, offset -0.008078, delay 0.06050
server 85.255.214.66, stratum 2, offset -0.008058, delay 0.06046
 9 Aug 07:02:20 ntpdate[17333]: adjust time server 85.255.214.66 offset -0.008058 sec
 
I don't think it's possible to run any kind of NTP daemon in a jail. If I'm not mistaken it needs to access certain kernel parameters which isn't allowed.

If you need good time-keeping run NTP on the host. The jails get their date/time from there, just make sure you set the correct timezone with tzsetup(8).
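Added example, not posted by anyone in this thread: a small C probe that asks the kernel for a zero-length adjtime(2) slew. A zero delta never moves the clock, but the privilege check runs first, so inside a jail FreeBSD answers EPERM, the same "Operation not permitted" ntpd logs for step-systime above; on the host as root it succeeds. The function and message names are my own.

```c
#define _DEFAULT_SOURCE 1   /* exposes adjtime() on glibc; harmless on FreeBSD */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Ask the kernel to slew the clock by zero seconds. The delta is never
 * applied, but the permission check (PRIV_ADJTIME on FreeBSD) happens
 * before the delta is looked at, so the result tells us whether this
 * process context may adjust time at all. Returns 0 when permitted,
 * otherwise the errno value (EPERM when jailed or unprivileged). */
int probe_adjtime(void)
{
    struct timeval zero = { 0, 0 };
    if (adjtime(&zero, NULL) == -1)
        return errno;
    return 0;
}

/* Map the probe result to a one-line explanation for an operator. */
const char *describe_probe(int err)
{
    switch (err) {
    case 0:
        return "clock adjustment permitted: an NTP daemon can run here";
    case EPERM:
        return "clock adjustment denied: jailed or unprivileged, run ntpd on the host";
    default:
        return "unexpected error from adjtime()";
    }
}

int main(void)
{
    int err = probe_adjtime();
    printf("adjtime probe: %s (%s)\n", describe_probe(err),
           err ? strerror(err) : "ok");
    return err == 0 ? 0 : 1;
}
```

Run it once on the host and once inside the jail; the jailed run exits 1 with the EPERM message, which is the cheapest way to confirm the limitation before spending time on ntpd configuration.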
 
Uniballer said:
What would be the implications of running ntpd(8) in a jail if it could adjust the kernel clock? Would it/Could it gain you anything to do so?
Well, ntpd is a service, other machines on the network synchronise against it. And since it's a service, I immediately think "jail it", although admittedly that's perhaps a bit of a Pavlov reaction :)

marwis said:
When trying to secure the NTP daemon, I chose to use net/openntpd instead of the standard ntpd(8). It's easier to configure (as a client), doesn't insist on listening on the network, and has source code, written by the OpenBSD guys, which is orders of magnitude smaller.
Sounds worth checking out, thanks.

SirDice said:
I don't think it's possible to run any kind of NTP daemon in a jail. If I'm not mistaken it needs to access certain kernel parameters which isn't allowed.
I figured as much, thanks for the confirmation.
 