Re: git: 1a241a911dc8 - stable/14 - ntpd: Use the ntpd -u option in preference to the rc su plumbing
Date: Fri, 28 Feb 2025 20:37:19 UTC
On Fri, 28 Feb 2025 08:22:52 -0800
Cy Schubert <Cy.Schubert@cschubert.com> wrote:

> In message <202502281412.51SECsWG048020@nuc.oldach.net>, Helge Oldach
> writes:
> > Tomoaki AOKI wrote on Fri, 28 Feb 2025 10:53:24 +0100 (CET):
> > > Unfortunately, this commit caused ntpd hesitating to (re)start
> > > with error messages below on stable/14, amd64.
> > >
> > > ===== Quote =====
> > > # service ntpd stop
> > > Stopping ntpd.
> > > Waiting for PIDS: 52508.
> > > # service ntpd start
> > > Starting ntpd.
> > > daemon control: got EOF
> > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > > #
> > > ===== End quote =====
> > >
> > > Note that I have
> > > ntpd_flags="-4 -g -x -f /var/db/ntpd.drift -l /var/log/ntpd.log"
> > > ntpd_config="/etc/ntp/ntp.conf"
> > > ntpd_enable="YES"
> > > ntpd_sync_on_start="YES"
> > > daily_ntpd_leapfile_enable="YES"
> > > ntp_leapfile_fetch_verbose="YES"
> > > in my /etc/rc.conf.
> >
> > I suggest ensure that the files referenced by the command line or by
> > configuration files can be created/written to by ntpd:ntpd.
> >
> > For example, you're not using the default location for ntpd.drift.
> > The default location is /var/db/ntp/ntpd.drift, where the directory
> > /var/db/ntp/ is owned by ntpd:ntpd (as per /etc/mtree/BSD.var.dist), so
> > ntpd is able to write the drift file after dropping privileges.
> >
> > Kind regards
> > Helge

Thanks for advice!
IIRC, my configuration was to allow keeping use of old-school place.

Anyway, edited /etc/rc.conf to switch /var/db/ntpd.drift to
/var/db/ntp/ntpd.drift (service command picks configs every time invoked,
so no reboots), without luck.
Of course, /var/db/ntp has ntpd:ntpd ownership.

Comparing succeeded (with reverted /etc/rc.d/ntpd) and failed
(/etc/rc.d/ntpd without reverts), I found an error only in the latter
case.

 1 Mar 04:32:59 ntpd[12772]: Need MAC 'ntpd' policy enabled to drop root privileges
 1 Mar 04:32:59 ntpd[12771]: daemon child exited with code 255

In normal case, ntpd starts soliciting pool servers, but the erroneous
case, stops there (does not start soliciting pool servers).

> This looks like it's related to,
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284863, which is upstream
> https://bugs.ntp.org/show_bug.cgi?id=3967. It's a regression in 4.2.8p18.

Thanks! But it's not my case. All interfaces have different IP addresses.
(Some are hidden with "*".)

% ifconfig
em0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1454
        options=4e504bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 98:*:*:*:*:*
        inet 192.168.*.45 netmask 0xffffff00 broadcast 192.168.*.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8c43<UP,BROADCAST,RUNNING,DRV_OACTIVE,SIMPLEX,MULTICAST> metric 10 mtu 1500
        options=0
        ether 24:*:*:*:*:*
        inet 192.168.*.108 netmask 0xffffff00 broadcast 192.168.*.255
        groups: wlan
        ssid "" channel 36 (5180 MHz 11a)
        regdomain JAPAN country JP authmode WPA1+WPA2/802.11i privacy ON
        deftxkey UNDEF txpower 23 bmiss 7 mcastrate 6 mgmtrate 6 scanvalid 60
        wme roaming MANUAL
        parent interface: iwlwifi0
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11a
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

The problem seems to be "how to enable MAC 'ntpd' policy?".

Reading Chapter 18 of the Handbook (especially 18.5) and looking into
/boot/kernel, mac_ntpd.ko seems to be the culprit, but as I still have
confusions with MAC feature, I'm not 100% sure loading it is safe or
not, thus, still cannot try loading it.

 *I've read somewhere (lost track of where) stating that "once MAC
  feature is enabled in a filesystem, it cannot be disabled anymore and
  possibly causes fatal problems on interoperabilities".
  This does not match handbook at least with 18.5, though.

My /etc/rc.conf is carried over from 2.1.6.1 (IIRC) with modifications
on needs. So don't have MAC (not MAC address but Mandatory Access
Control feature, I guess) related configurations in it.

IMHO, these kinds of mandated (and considered to be safe) configurations
should be in /etc/defaults/rc.conf (including auto-loading mandatory
in-tree kmods) by default and overridden in /etc/rc.conf[.local]
whenever actually needed.

> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> NTP: <cy@nwtime.org> Web: https://nwtime.org
>
> e^(i*pi)+1=0

Regards.

-- 
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
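
A read-only preflight for the two conditions raised in this thread (the MAC 'ntpd' policy and ownership of the drift file's directory), added here as an example; it is not part of any message in the thread or of /etc/rc.d/ntpd. The sysctl names security.mac.version and security.mac.ntpd.enabled are assumptions taken from mac_ntpd(4) rather than from the page, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only checks before ntpd is asked to drop root privileges.
# Assumption: sysctl names follow mac_ntpd(4); stat uses FreeBSD stat(1) syntax.

# Report the state of the MAC 'ntpd' policy as a single word.
mac_ntpd_state() {
    if [ -z "$(sysctl -qn security.mac.version 2>/dev/null)" ]; then
        echo "no-mac-framework"     # kernel lacks the MAC framework
    elif ! sysctl -qn security.mac.ntpd.enabled >/dev/null 2>&1; then
        echo "policy-not-loaded"    # mac_ntpd.ko is not loaded
    elif [ "$(sysctl -qn security.mac.ntpd.enabled)" != "1" ]; then
        echo "policy-disabled"      # loaded, but switched off
    else
        echo "ok"
    fi
}

# Extract the drift file given with -f in an ntpd_flags string.
drift_file_from_flags() {
    set -- $1                       # split the flags on whitespace
    while [ $# -gt 0 ]; do
        if [ "$1" = "-f" ] && [ $# -ge 2 ]; then echo "$2"; return 0; fi
        shift
    done
    return 1                        # no -f given in the flags
}

# Succeed only if the directory holding the drift file is owned by ntpd:ntpd.
drift_dir_owner_ok() {
    [ "$(stat -f '%Su:%Sg' "$(dirname "$1")" 2>/dev/null)" = "ntpd:ntpd" ]
}

# Run all checks against an ntpd_flags value; exit status 0 means policy ok.
preflight() {
    state=$(mac_ntpd_state)
    echo "MAC ntpd policy: $state"
    if drift=$(drift_file_from_flags "$1"); then
        drift_dir_owner_ok "$drift" && echo "drift dir: ok ($drift)" \
            || echo "drift dir: not owned by ntpd:ntpd ($drift)"
    fi
    [ "$state" = "ok" ]
}

# Constructed sample input: the ntpd_flags value quoted in the thread.
if [ "${1:-}" = "run" ]; then
    preflight "-4 -g -x -f /var/db/ntpd.drift -l /var/log/ntpd.log"
fi
```

Invoked with the argument `run`, it only reads state and changes nothing on the host.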