[nycbug-talk] sys/systm.h

Miles Nordin carton at Ivy.NET
Mon Apr 27 17:14:35 EDT 2009


>>>>> "ms" == Marco Scoffier <marco at metm.org> writes:

    ms> trying to figure out how to do the same on FreeBSD and it was
    ms> non-obvious...

rdate works with a simple server built into inetd

ntpdate works with ntp servers but cannot be run while ntpd is
running.  FreeBSD ships with init scripts to run it automatically
before ntpd.

the -g option of ntpd avoids the bashfulness you describe and thus the
need for ntpdate, but was buggy on some versions of ntpd in my
experience.  in /etc/rc.conf:

ntpd_enable="YES"
ntpd_flags="-g"


or the rather silly but equivalent:

ntpd_enable="YES"
ntpd_sync_on_start="YES"


ntpd also has problems if bind is not available when it starts.  It's
supposed to spawn a thread to keep retrying the lookups in the
background and reconfigure ntpd over the ntpdc command channel when
nameservice becomes available, but there are two problems with this:

 * I can't confirm -g continues to work in that case.  -g is supposed
   to apply once, at boot, but preserve sanity checking for
   whacked-out servers after boot.  You can see how a naive
   implementation would mess this up.

 * ntpd uses UDP and needs to control its source address, so it binds
   to individual interfaces.  If not all your interfaces are up before
   ntpd starts, that's a problem.  bind has code to watch the routing
   socket and rebind interfaces that appear, but often gets fucked up
   because of privilege dropping.

 * if you try to "lock down" your ntpd by enabling all kinds of
   fancy security, you'll deny access to the background DNS process.
   You have to allow passwordless admin access to 127.0.0.1 for the
   background dns resolver trick to work.

ntpd.conf
-----8<-----
restrict default nomodify
restrict 127.0.0.1      # no restrictions.  needs 'modify' permission 
                        # so ntpd_initres works.
restrict 192.168.2.1 nomodify notrust nopeer  #untrusted ci$co client
-----8<-----


With all this together I've not gotten the whole damn thing to work
smoothly.
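As an added illustration of the restrict-table point above (this is example code written for this page, not from the original post and not part of ntpd): a small checker that parses the `restrict` lines of an ntp.conf, applies ntpd's rule that the most specific matching entry wins, and reports whether 127.0.0.1 would be denied `modify` access, which is what the background resolver (ntpd_initres) needs. The two config samples are constructed for the example; the flag names and the longest-prefix matching rule are those of ntpd's restrict table, everything else (function names, sample addresses) is assumed.

```python
"""Lint an ntp.conf 'restrict' table for the lockdown problem described in
the post: if the most specific 'restrict' entry matching 127.0.0.1 carries
'nomodify' (or 'ignore'), the background resolver cannot push the resolved
server addresses back into the running daemon.
Example code for this page, not ntpd's own code."""
import ipaddress

# Constructed sample: the over-zealous lockdown.  'restrict 127.0.0.1 nomodify'
# is the line that breaks ntpd_initres.
SAMPLE_LOCKED_DOWN = """\
server 0.freebsd.pool.ntp.org
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1 nomodify
restrict 192.168.2.0 mask 255.255.255.0 nomodify noquery
"""

# Constructed sample: the working table from the post, plus the IPv6 loopback.
SAMPLE_FIXED = """\
server 0.freebsd.pool.ntp.org
restrict default nomodify
restrict 127.0.0.1      # no restrictions, so ntpd_initres can reconfigure
restrict -6 ::1
restrict 192.168.2.1 nomodify notrust nopeer  # untrusted client
"""


def parse_restrict(conf_text):
    """Return a list of (network, flags) for every 'restrict' line.

    Handles the '-4'/'-6' family selectors, the 'default' keyword (0.0.0.0/0
    and/or ::/0) and the optional 'mask' clause; a bare address is a host
    entry (/32 or /128).  Comments after '#' are stripped.
    """
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = tokens.pop(0) if tokens[0] in ("-4", "-6") else None
        if not tokens:
            continue
        target = tokens.pop(0)
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask = tokens[1]
            tokens = tokens[2:]
        flags = frozenset(tokens)
        if target == "default":
            nets = []
            if family in (None, "-4"):
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            if family in (None, "-6"):
                nets.append(ipaddress.ip_network("::/0"))
        elif mask is None:
            nets = [ipaddress.ip_network(target)]          # host entry
        else:
            nets = [ipaddress.ip_network(f"{target}/{mask}", strict=False)]
        entries.extend((net, flags) for net in nets)
    return entries


def effective_flags(conf_text, address):
    """Flags that apply to `address`: the longest-prefix match wins, as in
    ntpd's restrict table.  Empty set = unrestricted, None = no entry at all."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, flags in parse_restrict(conf_text):
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, flags)
    return None if best is None else best[1]


def initres_allowed(conf_text, address="127.0.0.1"):
    """True if the background resolver, talking from `address`, may
    reconfigure the daemon (no 'nomodify' and no 'ignore' on its entry)."""
    flags = effective_flags(conf_text, address)
    if flags is None:
        return True                     # no restrict lines: fully open
    return not (flags & {"nomodify", "ignore"})


if __name__ == "__main__":
    for name, conf in (("locked down", SAMPLE_LOCKED_DOWN), ("fixed", SAMPLE_FIXED)):
        print(f"{name}: 127.0.0.1 flags = {sorted(effective_flags(conf, '127.0.0.1'))},"
              f" ntpd_initres {'OK' if initres_allowed(conf) else 'BLOCKED'}")
```

Run it against a real /etc/ntp.conf by reading the file into `initres_allowed`; it only models the restrict flags, not `ntpq`/`ntpdc` key authentication, so a "BLOCKED" verdict is a hard failure while an "OK" still assumes the loopback interface is up when ntpd starts.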