# How to deal with ntpd and jails?



## uisge (Dec 23, 2008)

Hi -

I'm currently installing a server from scratch and plan to create service jails, my first time dealing with them. If I'm not mistaken, I have to re-configure daemons to bind to all IPs before starting jails.

Now I'm facing the issue that I cannot tell ntpd to listen on a single IP, only.

Here my questions: 

1) can ntpd become jailed and adjust system time out of a jail (which I doubt)? 
2) is openntpd an alternative?
3) how do you deal with ntp and jails?


----------



## uisge (Dec 23, 2008)

uisge said:

> If I'm not mistaken, I have to re-configure daemons to bind to all IPs before starting jails.



Sorry, that has to read: ... daemons NOT to bind ...


----------



## anomie (Dec 23, 2008)

uisge said:

> 1) can ntpd become jailed and adjust system time out of a jail what I doubt)?



No. AFAIK, ntpd can only modify the time from the host (not from the jails). 



			
				uisge said:
			
		

> 2) is openntpd an alternative?



I haven't used openntpd, but I've read that it can bind to a single (specified) IP address. So, yes, it probably is a good alternative here. 

Confirmation on openntpd binding to specific IP(s): http://www.openbsd.org/cgi-bin/man....ion=5&arch=&apropos=0&manpath=OpenBSD+Current

See the *listen on* directive. 



			
				uisge said:
			
		

> 3) how do you deal with ntp and jails?



For the last host/jail systems I set up, I was using *ntpd -q* once a day (which, frankly, was a pretty lousy solution). 

I recommend either pursuing the openntpd idea, or living with the idea that ntpd will be bound to all interfaces.


----------



## uisge (Dec 23, 2008)

anomie said:


> No. AFAIK, ntpd can only modify the time from the host (not from the jails).


 
Thanks for the clarification.



> I haven't used openntpd, but I've read that it can bind to a single (specified) IP address. So, yes, it probably is a good alternative here.



I did install openntpd in the meantime, and yes, it binds to a single (or multiple if wanted) IPs. But openntpd is hard to monitor: ntpq doesn't work, and it adjusted time only once during the last 10 hours ... 



> I recommend either pursuing the openntpd idea, or living with the idea that ntpd will be bound to all interfaces.



Hmm. Does that mean one can start jails even if a daemon listens on a given port on all IPs? If that is true, I did misinterpret Michael Lucas' textbook, which just begins in the jail section of his book to re-configure all daemons in this regard.

Hmm, can one start jails even if ntpd is still bound to all IPs at 123?


----------



## anomie (Dec 23, 2008)

uisge said:


> Does that mean one can start jails even if a daemon listens on a given port on all IPs? If that is true, I did misinterpret Michael Lucas' textbook, which just begins in the jail section of his book to re-configure all daemons in this regard.
> 
> Hmm, can one start jails even if ntpd is still bound to all IPs at 123?



---
"The jail must have exclusive access to that IP address; nothing on the host system can use it."
Lucas, Michael W. Absolute FreeBSD 2nd Edition
CA: No Starch Press, Inc., 2008. p. 287
---

It would be simple for you to verify whether this is true by testing. If so, it looks like your best bet will be openntpd (in spite of the limitations you experienced).


----------



## uisge (Dec 23, 2008)

anomie said:


> ---
> "The jail must have exclusive access to that IP address; nothing on the host system can use it."
> Lucas, Michael W. Absolute FreeBSD 2nd Edition
> CA: No Starch Press, Inc., 2008. p. 287
> ---



The two sentences following that one were the ones I referred to:

"That IP is the only network address the jail can have. If your host server has a daemon that binds to all available IP addresses on the system, that daemon will prevent a jail from starting."



> It would be simple for you to verify whether this is true by testing.



That's what I did in the meantime, and it seems to me that Lucas' conclusions are wrong:

```
> sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     syslogd    90900 6  udp4   10.0.0.1:514          *:*
root     ntpd       90767 20 udp4   *:123                 *:*
root     ntpd       90767 22 udp4   xxx.xxx.xxx.xxx:123   *:*
root     ntpd       90767 25 udp4   127.0.0.1:123         *:*

> jls
   JID  IP Address      Hostname                      Path
     1  10.0.0.1        www.example.invalid           /home/jails/www

www# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     syslogd    90900 6  udp4   10.0.0.1:514          *:*
```

Although ntpd binds to all IP addresses at port 123, I was able to start my four jails (only one shown above). 

Hmm, may the reason for this disagreement be the fact that ntpd listens on UDP only?

I'm by far too inexperienced to judge ...

Thanks.


----------



## anomie (Dec 23, 2008)

Let me offer an alternate interpretation: It's probably a bit strong to say that a jail will be prevented from starting in this case (which you seem to have proven to be false). Instead, I would say it is a best practice to force services on the host to bind only to non-jail IP addresses. 

The issue you get into when you bind a host's service to a jail's IP address is that the service is then (AFAIK) accessible _from the jail_. This could potentially leave a gaping hole in your jail scheme by allowing a "back door" into your host via said service. Once again, you could test and prove/disprove this hypothesis. (Or is your command output above already testing that? I wasn't exactly sure what that was.)
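As an added example (not code from the thread or any of its participants), the following Python script turns the best-practice point above into a check that can be run offline over the three listings used earlier in this thread: `sockstat -4` on the host, `jls`, and `sockstat -4` inside each jail. It separates jail-owned sockets from host-owned ones by PID (a PID that also appears in a jail's own `sockstat` belongs to that jail), then reports every host socket a jail could reach, either through a wildcard bind (`*:port`, the ntpd case discussed here) or through an explicit bind to a jail's IP. It also emits OpenNTPD `listen on` lines limited to the non-jail addresses, matching the directive anomie pointed to. All sample output, addresses, PIDs, the extra `sshd`/`httpd` lines and the function names are constructed for this example.

```python
# Added example, not code from the thread or its participants.
# All sample output below is constructed (IPs, PIDs and the sshd/httpd lines are invented).

# Constructed `sockstat -4` output as seen on the host after the jails started.
SOCKSTAT_HOST = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    90900 6  udp4   10.0.0.1:514          *:*
root     ntpd       90767 20 udp4   *:123                 *:*
root     ntpd       90767 22 udp4   192.0.2.10:123        *:*
root     ntpd       90767 25 udp4   127.0.0.1:123         *:*
root     sshd       1234  4  tcp4   192.0.2.10:22         *:*
root     httpd      500   5  tcp4   10.0.0.2:80           *:*
"""

# Constructed `jls` output: two jails, one IP each.
JLS = """\
   JID  IP Address      Hostname                      Path
     1  10.0.0.1        www.example.invalid           /home/jails/www
     2  10.0.0.2        db.example.invalid            /home/jails/db
"""

# Constructed `sockstat -4` output captured inside jail 1 (only its own syslogd).
SOCKSTAT_JAILS = [
    """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    90900 6  udp4   10.0.0.1:514          *:*
""",
]


def parse_jls(text):
    """Map JID -> IP address from `jls` output (the header line is skipped)."""
    jails = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            jails[int(parts[0])] = parts[1]
    return jails


def parse_sockstat(text):
    """Parse `sockstat -4` lines into dicts; a local address of '*' is a wildcard bind."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[2].isdigit():
            continue  # header or malformed line
        command, pid, proto, local = parts[1], int(parts[2]), parts[4], parts[5]
        addr, _, port = local.rpartition(":")
        socks.append({"command": command, "pid": pid, "proto": proto,
                      "addr": addr, "port": port})
    return socks


def find_jail_exposed(host_socks, jail_pids, jail_ips):
    """Return (command, proto, port, reason, jail_ip) for every host-owned socket
    a jail could reach: a wildcard bind covers every jail IP, an explicit bind to a
    jail IP covers that jail. Sockets whose PID shows up inside a jail belong to
    the jail itself and are ignored."""
    findings = []
    for s in host_socks:
        if s["pid"] in jail_pids:
            continue
        if s["addr"] == "*":
            for ip in sorted(jail_ips):
                findings.append((s["command"], s["proto"], s["port"], "wildcard", ip))
        elif s["addr"] in jail_ips:
            findings.append((s["command"], s["proto"], s["port"], "explicit", s["addr"]))
    return findings


def openntpd_listen_lines(host_addrs, jail_ips):
    """OpenNTPD ntpd.conf `listen on` lines restricted to the non-jail addresses."""
    return ["listen on %s" % a for a in host_addrs if a not in jail_ips]


def run_check(host_text=SOCKSTAT_HOST, jls_text=JLS, jail_texts=SOCKSTAT_JAILS):
    """Run the whole check over the three listings and return the findings."""
    jail_ips = set(parse_jls(jls_text).values())
    jail_pids = {s["pid"] for t in jail_texts for s in parse_sockstat(t)}
    return find_jail_exposed(parse_sockstat(host_text), jail_pids, jail_ips)


if __name__ == "__main__":
    for command, proto, port, reason, ip in run_check():
        print("%s %s/%s reachable on jail IP %s (%s bind)" % (command, proto, port, ip, reason))
    host_addrs = ["192.0.2.10", "127.0.0.1", "10.0.0.1", "10.0.0.2"]  # constructed
    print("\n".join(openntpd_listen_lines(host_addrs, {"10.0.0.1", "10.0.0.2"})))
```

On the constructed data the script flags `ntpd` on UDP 123 for both jail IPs (wildcard bind) and the invented `httpd` on TCP 80 for jail 2 (explicit bind), while the jail's own `syslogd` is correctly left alone; on a real host the three strings would be replaced by the actual command output, and the `listen on` lines would go into OpenNTPD's ntpd.conf.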


----------



## uisge (Dec 24, 2008)

anomie said:


> The issue you get into when you bind a host's service to a jail's IP address is that the service is then (AFAIK) accessible _from the jail_. This could potentially leave a gaping hole in your jail scheme by allowing a "back door" into your host via said service. Once again, you could test and prove/disprove this hypothesis. (Or is your command output above already testing that? I wasn't exactly sure what that was.)



JFTR: The first sockstat shows the host's bindings after starting the jails, the jls shows an example jail's IP address, and the last sockstat in that jail shows the example jail's bindings.

In order to test your hypothesis I should now test if 1) another ntpd can be started in that jail and 2) if that ntpd will bind to the host's IP address?

If so, I do need some sleep before ;-)


----------



## anomie (Dec 24, 2008)

Nah, I think you've already done it. I was curious to see if starting ntpd in the host (which gloms onto all interfaces - including the jail's IP) would allow ntpd to be visible and accessible within the jail itself. It seems not. 

Unless I'm missing something, you've solved your problem here.


----------



## cajunman4life (Dec 24, 2008)

It's been a little while since I worked with jails, but... doesn't the jail get its time from the host system? I ran NTPD on the jail host and all the jails seemed to stay in sync with the host...


----------



## anomie (Dec 24, 2008)

cajunman4life said:


> It's been a little while since I worked with jails, but... doesn't the jail get its time from the host system?



Yes, it does. You have to set the timezone within the jail itself, but actual time changes need to happen in the host.


----------



## cajunman4life (Dec 24, 2008)

Disregard. Completely misunderstood the op.


----------

