# Is it possible to jail ntpd?



## fonz (Aug 8, 2013)

Since I could only find one relevant thread from several years ago, I figured I might as well start a new thread for this.

Is it possible to run ntpd() in a jail? I'm finding the following message repeated in the jail's /var/log/messages:

```
<timestamp> ntp ntpd[<pid>]: step-systime: Operation not permitted
```
This suggests to me that the system clock cannot be adjusted from within a jail, which makes sense. However, there doesn't appear to be a sysctl or rc.conf setting that can override this, leaving me inclined to think that ntpd() indeed cannot be jailed.

Any thoughts?


----------



## Uniballer (Aug 8, 2013)

What would be the implications of running ntpd(8) in a jail if it could adjust the kernel clock?  Would it/Could it gain you anything to do so?


----------



## marwis (Aug 9, 2013)

When trying to secure the NTP daemon, I chose to use net/openntpd instead of the standard ntpd(8). It's easier to configure (as a client), doesn't insist on listening on the network and has the source code written by the OpenBSD guys which is orders of magnitude smaller.


```
$ ps aux | grep ntp
root        1727   0.0  0.0  12028   1452 ??  Is   Wed06AM    0:00.01 ntpd: [priv] (ntpd)
_ntp        1728   0.0  0.0  12028   1532 ??  I    Wed06AM    0:00.18 ntpd: ntp engine (ntpd)
_ntp        1730   0.0  0.0  12028   1468 ??  I    Wed06AM    0:00.00 ntpd: dns engine (ntpd)
$ sockstat -l -4 -6 | grep ntp
$ 
$ ntpdate -q pool.ntp.org
server 194.109.64.200, stratum 2, offset -0.009010, delay 0.06390
server 82.197.221.30, stratum 3, offset -0.008171, delay 0.06064
server 83.98.201.134, stratum 2, offset -0.008078, delay 0.06050
server 85.255.214.66, stratum 2, offset -0.008058, delay 0.06046
 9 Aug 07:02:20 ntpdate[17333]: adjust time server 85.255.214.66 offset -0.008058 sec
```


----------



## SirDice (Aug 9, 2013)

I don't think it's possible to run any kind of NTP daemon in a jail. If I'm not mistaken it needs to access certain kernel parameters which isn't allowed.

If you need good time-keeping run NTP on the host. The jails get their date/time from there, just make sure you set the correct timezone with tzsetup(8).


----------



## fonz (Aug 11, 2013)

Uniballer said:

> What would be the implications of running ntpd(8) in a jail if it could adjust the kernel clock?  Would it/Could it gain you anything to do so?


Well, ntpd is a _service_, other machines on the network synchronise against it. And since it's a service, I immediately think "jail it", although admittedly that's perhaps a bit of a Pavlov reaction.



			
marwis said:

> When trying to secure the NTP daemon, I chose to use net/openntpd instead of the standard ntpd(8). It's easier to configure (as a client), doesn't insist on listening on the network and has the source code written by the OpenBSD guys which is orders of magnitude smaller.


Sounds worth checking out, thanks.



			
SirDice said:

> I don't think it's possible to run any kind of NTP daemon in a jail. If I'm not mistaken it needs to access certain kernel parameters which isn't allowed.


I figured as much, thanks for the confirmation.


----------

