Solved NTPD at boot and unbound resolver in a jail

Hi there,
I successfully managed to install and run dns/unbound in a jail following this tutorial: HowTo: Jailed unbound > dnscrypt-proxy with DNSSEC
It is all up and running, but here is the thing: ntpd(8) is trying to update system time during boot and it runs before a jail has started. Hence no time update.
The possible solution that comes to mind is to delay ntpd(8) in the rc script, but I just wonder if there is another "best practice" solution for such a conundrum. If this is the only option, could you please advise what exactly to add to the REQUIRE: line in the rc script to tell ntpd(8) to start only when a jail is running? Or is running the system resolver in a jail an idea not worth pursuing?
 
Simplest solution, use IP addresses instead of hostnames in ntpd.conf.

could you please advise what exactly to add to the REQUIRE: line in the rc script to tell ntpd(8) to start only when a jail is running?
Look in /etc/rc.d/jail. Look at the PROVIDE: line. That's what you need to put in the REQUIRE: to wait for the jail to start. Note however this only dictates the order in which the scripts are run, it doesn't check if the jail is actually running or not. See rcorder(8).
 
Thank you SirDice, you are always here to help!
The IPs for the pool did the trick
this only dictates the order in which the scripts are run, it doesn't check if the jail is actually running or not
Yeah, that slipped my mind
 
I had this same problem.
I did put the IP for the official DNS of my provider into resolv.conf, and then switched to my own DNS after it got up and running.
Now I have a different design and put my uplink and DNS together into a jail, and start that jail early.

Code:
```sh
#!/bin/sh

# we can start only after syslogd, because otherwise the jail's syslogd will
# steal our console-messages.
# When starting syslogd without DNS, the remote *destinations* must be
# given as IPs, as these are resolved at start. The remote *sources* get
# resolved only ad-hoc.

# PROVIDE: jrouter
# REQUIRE: syslogd
# BEFORE: ntpdate
# KEYWORD: nojail shutdown

. /etc/rc.subr

name="jrouter"
rcvar=jrouter_enable

start_cmd="jrouter_start"
stop_cmd="jrouter_stop"

load_rc_config $name
: ${jrouter_enable:="NO"}
: ${jrouter_jailname:="rout"}
: ${jrouter_timeout:="30"}
: ${jrouter_test_ip:="8.8.8.8"}
# jail_conf/jail_flags come from rc.conf; default jail_conf as /etc/rc.d/jail does
: ${jail_conf:="/etc/jail.conf"}

jrouter_jailprog=/usr/sbin/jail
jrouter_jailjls=/usr/sbin/jls

# Poll the test address until a ping reply arrives or the timeout expires.
jrouter_wait_for_uplink()
{
        local _count _rc

        trap break SIGINT
        echo -n "Waiting for uplink ... "
        _count=1
        while test $_count -le $jrouter_timeout; do
                /sbin/ping -t 1 -c 1 -o $jrouter_test_ip >/dev/null 2>&1
                _rc=$?
                if test $_rc -eq 0; then
                        trap - SIGINT
                        echo " established."
                        return
                fi
                _count=`expr $_count + 1`
        done
        echo ' failed, no uplink!'
        # double quotes so the address is actually expanded in the message
        warn "failed to receive ping reply from $jrouter_test_ip"
        trap - SIGINT
}

jrouter_start()
{
        local _jid

        echo 'Starting router jail'
        if $jrouter_jailprog $jail_flags -q -f $jail_conf -c $jrouter_jailname \
            < /dev/null; then
                _jid=$($jrouter_jailjls -j $jrouter_jailname jid)
                echo $_jid > /var/run/jail_${jrouter_jailname}.id
        else
                err 3 "Router start failed!"
        fi
        jrouter_wait_for_uplink
}

jrouter_stop()
{
        echo 'Stopping router jail'
        $jrouter_jailprog -q -f $jail_conf -r $jrouter_jailname
        if $jrouter_jailjls -j $jrouter_jailname > /dev/null 2>&1; then
                err 3 "Router stop failed!"
        else
                rm -f /var/run/jail_${jrouter_jailname}.id
        fi
        # wait until jail is really dead (-d also lists dying jails):
        echo -n "Waiting for termination ... "
        while $jrouter_jailjls -d -j $jrouter_jailname > /dev/null 2>&1; do
                mount -t devfs | awk '{print $3}' | xargs ls -l > /dev/null
                sleep 1
        done
        echo " complete."
}

run_rc_command "$1"
```
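To make the rcorder(8) point concrete, here is an added example (not from this thread or from FreeBSD) that orders a handful of rc scripts from their PROVIDE/REQUIRE/BEFORE headers the way rcorder does, and compares the two approaches discussed: adding the jail script's PROVIDE keyword to ntpd's REQUIRE line, and a separate early jail script with a BEFORE: line like the jrouter script above. The headers are constructed and simplified (the real ones are in your /etc/rc.d files), and the constructed jrouter uses BEFORE: ntpd instead of ntpdate so that the target exists in the sample set.

```python
import re
from collections import defaultdict, deque

# Constructed rc.d headers modelled on the stock FreeBSD scripts named in the
# thread (an assumption: read your own /etc/rc.d files for the real lines).
STOCK = {
    "FILESYSTEMS": "# PROVIDE: FILESYSTEMS\n",
    "syslogd": "# PROVIDE: syslogd\n# REQUIRE: FILESYSTEMS\n",
    "LOGIN": "# PROVIDE: LOGIN\n# REQUIRE: syslogd\n",
    "ntpd": "# PROVIDE: ntpd\n# REQUIRE: FILESYSTEMS\n# BEFORE: LOGIN\n",
    "jail": "# PROVIDE: jail\n# REQUIRE: LOGIN FILESYSTEMS\n",
}

def parse_header(text):
    """Collect the rcorder(8) keywords of one rc script."""
    keys = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for m in re.finditer(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", text, re.M):
        keys[m.group(1)].extend(m.group(2).split())
    return keys

def rcorder(scripts):
    """Order like rcorder(8): REQUIREd providers run first, BEFORE targets run
    later. Only the order is decided; nothing checks a service really came up."""
    headers = {n: parse_header(t) for n, t in scripts.items()}
    provider = {p: n for n, h in headers.items() for p in h["PROVIDE"]}
    later, indeg = defaultdict(set), {n: 0 for n in scripts}
    for n, h in headers.items():
        edges = [(provider[r], n) for r in h["REQUIRE"]]
        edges += [(n, provider[b]) for b in h["BEFORE"]]
        for first, second in edges:
            if second not in later[first]:
                later[first].add(second)
                indeg[second] += 1
    ready, order = deque(sorted(n for n in scripts if not indeg[n])), []
    while ready:
        n = ready.popleft()
        order.append(n)
        for m in sorted(later[n]):
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if len(order) != len(scripts):  # rcorder prints "Circular dependency" here
        raise ValueError("circular dependency: " + " ".join(sorted(set(scripts) - set(order))))
    return order

def require_jail_in_ntpd():
    """Put the jail script's PROVIDE keyword into ntpd's REQUIRE line."""
    return rcorder(dict(STOCK, ntpd=STOCK["ntpd"].replace("FILESYSTEMS\n", "FILESYSTEMS jail\n")))

def early_router_jail():
    """Separate early jail script as in the jrouter post (BEFORE: ntpd here)."""
    return rcorder(dict(STOCK, jrouter="# PROVIDE: jrouter\n# REQUIRE: syslogd\n# BEFORE: ntpd\n"))
```

With these headers the plain REQUIRE: jail edit is not enough on its own: ntpd also declares BEFORE: LOGIN while jail requires LOGIN, so rcorder reports a circular dependency and the BEFORE: line would have to go too, whereas the early jail script slots in without touching the stock ntpd script.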
 
Thank you PMc, that's quite a neat solution. While I am now quite happy with just putting an IP in for ntpd(8) ('cause it's the only issue yet), I definitely mark your script for the future.
start that jail early
As I understand, the trick is to name a jail and create a separate script to manage its start. Will ntpd(8) (or another pkg for that matter) run if the jail fails to start? I'm quite new to FreeBSD and just would like to clarify that.
 
As I understand, the trick is to name a jail and create a separate script to manage its start.

Yes. Jailing is a basic system feature, it can be started at any time, it only depends on the various installed subsystems and how they rely on each other.

Will ntpd(8) (or another pkg for that matter) run if the jail fails to start? I'm quite new to FreeBSD and just would like to clarify that.

Everything will run - but nothing will work properly if it relies on DNS. But there is no reason why the jail would fail to start. It may fail to obtain an outbound connection - then intranet DNS resolving will still be functional.
I created it this way to have it look very similar to an external router - I could shut down this jail and attach an external router instead, and with minimal reconfiguration all should continue to function normally. (I don't like external routers, as it is rather difficult to obtain security fixes for them, but depending on the IP-Provider it may be necessary).
But this is just a first step to sort things out - in a next step I will think about what to do with DNSSEC, i.e. if I need it and for what - currently I don't have to serve authoritative domains into the Internet, so the DNS tasks are only to serve the intranet and to do resolve from the Internet, and both do not essentially need DNSSEC.
 
Thanks for clarification, I'll definitely use this one day
resolve from the Internet, and both do not essentially need DNSSEC
Well, it's just another layer of security (for the internet) to mitigate possible domain spoofing. Also (perhaps it's just me) I prefer a bit more privacy with providers / hosters, sending DNS queries over HTTPS (so called DoH) by using dns/dnscrypt-proxy2. It is a really neat piece of software with many options and features. I use it on all my devices and on the server as well.
 