ntpd listening on "*"

[Erratus]

I'm preparing to use jail. Now I've learned that services should not listen to "*".
I could prevent all services from listening to "*" except ntpd. I tried

# grep ntp /etc/rc.conf
ntpd_enable="YES"
ntpd_flags="-L"         # Do not listen to virtual IPs. (jail-testing)

but there is still

# sockstat | grep "\*:[0-9]"
root     ntpd       1661  20 udp4   *:123                 *:*
root     ntpd       1661  21 udp6   *:123                 *:*

How do you configure ntpd when using jail?

 

[SirDice]

Use net/openntpd. It's much better to configure.

 

[ohauer]

How do you configure ntpd when using jail?

ntpd_enable="[color="Red"]NO[/color]"
ntpdate_enable="YES"
ntpdate_flags="-b ip_from_external_ntpserver"
openntpd_enable="[color="DarkGreen"]YES[/color]"

 

[Erratus]

@SirDice
I understand, that openntpd has more comfort. Can listening of ntpd absolutly not be configured so that an additional port has to be used?

@ohauer

In man ntpdate can be read:

DESCRIPTION
     Note: The functionality of this program is now available in the ntpd(8)
     program.  See the -q command line option in the ntpd(8) page.  After a
     suitable period of mourning, the ntpdate utility is to be retired from
     this distribution.

So question is if openntpd can replace ntpd fully, why there is a need for using ntpdate?

@all
Is there a way to use ntpd with jails or do I have to use openntpd cause there is no known solution with ntpd?

 

[DutchDaemon]

ntpdate is only used to set the inital time (when booting) because it can change the system clock to any time immediately, no matter how big the difference is. With openntpd you can choose which interface (if any) to listen on (using /usr/local/etc/ntp.conf as the config file); ntpd listens on all interfaces by default, and it's probably not very aware of its actual environment.

So try net/openntpd, tell it where to listen:

# Addresses to listen on (ntpd does not listen by default)
#listen on *
#listen on 127.0.0.1
#listen on ::1

and set this in /etc/rc.conf:

ntpdate_enable="YES"
ntpdate_flags="-u -b"
ntpdate_hosts="ip.add.re.ss"
openntpd_enable="YES"

Use an IP address for ntpdate_hosts, because resolving may not yet be available when ntpdate runs.

 

[ohauer]

In man ntpdate can be read:

DESCRIPTION
     Note: The functionality of this program is now available in the ntpd(8)
     program.  See the -q command line option in the ntpd(8) page.  After a
     suitable period of mourning, the ntpdate utility is to be retired from
     this distribution.

So question is if openntpd can replace ntpd fully, why there is a need for using ntpdate?

@all
Is there a way to use ntpd with jails or do I have to use openntpd cause there is no known solution with ntpd?

Yes, openntpd should replace ntpd full, I have no issues with it on OpenBSD, but I see sometimes big time drifts on FreeBSD. So for my internal ntpd machines I stay with ntpd others have openntpd.

I guess I found a bug in the documentation but maybe someone can verify this (FreeBSD 7.3).

# ntpd -?
ntpd - NTP daemon program - [color="Red"]Ver. 4.2.4p5[/color]
USAGE:  ntpd [ -<flag> [<val>] | --<name>[{=| }<val>] ]...
...
  -q no  quit           Set the time and quit
  [color="Blue"]-L no  novirtualips   Do not listen to virtual IPs[/color]

# cd /usr/src/usr.sbin/ntpd
# less ntpd/Makefile
...
[FILE].PATH: ${.CURDIR}/../../../contrib/ntp/ntpd[/FILE]

# find . -type f -name ntpd.?
[FILE]./doc/ntpd.8[/FILE]

# cd /usr/src/contrib/ntp/ntpd
# ls ntpd.?
[color="Red"]ntpd.1[/color]  ntpd.c

# [color="Red"]man ./ntpd.1[/color] (and now verify this man page. It is no Programmer's Manual even the headline tells so)

Now the test with parameter -L on a different machine.
For parameter -q we use the option ntpd_sync_on_start

# grep ntpd_ /etc/rc.conf
ntpd_enable="YES"
[color="Red"]ntpd_sync_on_start[/color]="YES"         # Sync time on ntpd startup, even if offset is high
ntpd_flags="[color="Blue"]-L[/color] -p /var/run/ntpd.pid -f /var/db/ntpd.drift"

# sockstat -4 | grep :123
root     ntpd       824   20 udp4   [color="Blue"]*:123[/color]                 *:*
root     ntpd       824   22 udp4   [color="Blue"]172.30.1.30:123[/color]       *:*
root     ntpd       824   23 udp4   [color="Blue"]172.30.1.32:123[/color]       *:*
root     ntpd       824   24 udp4   [color="Blue"]172.30.1.33:123[/color]       *:*
root     ntpd       824   25 udp4   [color="Blue"]172.30.1.34:123[/color]       *:*
root     ntpd       824   26 udp4   [color="Blue"]172.30.1.35:123[/color]       *:*
root     ntpd       824   27 udp4   [color="Blue"]172.30.1.36:123[/color]       *:*
root     ntpd       824   30 udp4   [color="Blue"]127.0.0.1:123[/color]         *:*

I guess the man page in usr.sbin/ntpd/doc/ntpd.8 should be replaced with the
wrong named (.1 instead .8) from /usr/src/contrib/ntp/ntpd and parmeter -L should be removed.

 

[jordanch]

I'm preparing to use jail. Now I've learned that services should not listen to "*".
I could prevent all services from listening to "*" except ntpd. I tried

# grep ntp /etc/rc.conf
ntpd_enable="YES"
ntpd_flags="-L"         # Do not listen to virtual IPs. (jail-testing)

but there is still

# sockstat | grep "\*:[0-9]"
root     ntpd       1661  20 udp4   *:123                 *:*
root     ntpd       1661  21 udp6   *:123                 *:*

How do you configure ntpd when using jail?

This is not an answer to your question per se, since it is 8 years after the OP, but more for someone in the future who might be looking for the same thing and is led here by Google.

At the present time, it is possible to prevent ntpd from listening on all addresses. Add the lines below to your /etc/ntp.conf. The first for preventing it from listening on all addresses, the second for listening on localhost, and the third for the local machine's IP.

interface ignore wildcard
interface listen 127.0.0.1
interface listen 192.168.1.1

https://www.cyberciti.biz/faq/how-to-bind-ntpd-to-specific-ip-addresses-on-linuxunix/ is the source of my information. I was trying to do the exact same thing as the OP, and I've checked that the above works.