| Field | Value |
|---|---|
| Summary | ntpd doesn't work with "-u ntp:ntp" option |
| Product | Gentoo Linux |
| Component | Current packages |
| Reporter | Siegbert Baude <siegbert.baude> |
| Assignee | SpanKY <vapier> |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | High |
| CC | akborder, alonbl, andres, denilsonsa, evan, evert.gentoo, hramrach, supermihi |
| Version | unspecified |
| Hardware | x86 |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description
Siegbert Baude
2005-09-14 09:58:43 UTC
What about using /etc/init.d/ntpd start like everyone else?

Of course this problem also exists if you start ntpd by means of /etc/init.d. Do you believe that /etc/init.d would automagically cure a problem which exists even if you leave out some complexity? So if you have NTPD_OPTS="-u ntp:ntp" in /etc/conf.d/ntpd the start fails; if you have NTPD_OPTS="" it works.

    # emerge -pv ntp
    [ebuild   R   ] net-misc/ntp-4.2.0.20040617-r3  -debug -ipv6 -nodroproot -openntpd -parse-clocks (-selinux) +ssl 0 kB

    # cat /etc/conf.d/ntpd
    # /etc/conf.d/ntpd

    # Options to pass to the ntpd process
    # Most people should leave this line alone ...
    # however, if you know what you're doing, feel free to tweak
    NTPD_OPTS="-u ntp:ntp"

Works just fine here...

    # ps aux | grep ^ntp
    ntp       9064  0.0  0.5  3900 3900 ?  SLs  Sep10  0:01 /usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp

Does your kernel support linuxcaps?

    CONFIG_SECURITY_CAPABILITIES=y

Good hint! No, I don't have this activated. As I'm quite sure I never had before, but "-u ntp:ntp" worked until some time ago, I didn't suspect it to be a kernel problem. I'm just compiling a new one and will try again. If ntp then works again, should we check within the ntp ebuild if this feature is switched on in the kernel and "nodroproot" is not in the USE flags? How would this be done best, grepping /usr/src/linux/.config, or is there a possibility via /proc or /sys? Should a hint go to the maintainers of the install docs that the kernel should have this feature, as obviously this port seems to take this for granted?

the drop root support has changed in the backend across different versions of ntp so ...

With "CONFIG_SECURITY_CAPABILITIES=y" enabled in the kernel everything works again as expected. So what steps should be done now? Is there a canonical method to check kernel features from within an ebuild? Should the install docs be changed?
there is but i'd prefer to not go that route ;) ntpd does support running as the rtc user afaik by default, but i'll have to look into that ...

If not using different security models, unsetting CONFIG_SECURITY will also enable linuxcaps in the kernel.

hehe, I have compiled the capabilities - as a module. Of course, the init script does not load it.

I'm still having odd trouble with net-misc/ntp-4.2.0.20040617-r3. I recompiled the kernel with SECURITY=y and SECURITY_CAPABILITIES=y but ntpd still gives an error when starting (/usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp):

    ntpd[28638]: cap_from_text() failed: Invalid argument

Without dropping root everything works. My emerge info:

    Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.4, glibc-2.3.5-r3, 2.6.16-gentoo-r3 i686)
    =================================================================
    System uname: 2.6.16-gentoo-r3 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
    Gentoo Base System version 1.6.14
    dev-lang/python:     2.4.2
    sys-apps/sandbox:    1.2.12
    sys-devel/autoconf:  2.13, 2.59-r6
    sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
    sys-devel/binutils:  2.16.1
    sys-devel/libtool:   1.5.22
    virtual/os-headers:  2.6.11-r2
    ACCEPT_KEYWORDS="x86"
    AUTOCLEAN="yes"
    CBUILD="i686-pc-linux-gnu"
    CFLAGS="-O2 -march=i686 -pipe"
    CHOST="i686-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
    CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/splash /etc/terminfo /etc/env.d"
    CXXFLAGS="-O2 -march=i686 -pipe"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="autoconfig distlocks sandbox sfperms strict"
    GENTOO_MIRRORS="http://ftp.linux.ee/pub/gentoo/distfiles/ ftp://ftp.linux.ee/pub/gentoo/distfiles/"
    LANG="et_EE.UTF-8"
    LC_ALL="et_EE.UTF-8"
    LINGUAS="et en"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    SYNC="rsync://rsync.gentoo.org/gentoo-portage"
    USE="x86 acl bash-completion bzip2 cdr cli crypt cups dbus expat foomaticdb fortran gif gpm hal iconv imlib ipv6 jpeg ldap libwww mmap ncurses nls nptl pam pcre perl png python readline slang slp snmp spell ssl tcpd truetype truetype-fonts udev unicode usb xml zlib linguas_et linguas_en userland_GNU kernel_linux elibc_glibc"
    Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LDFLAGS, MAKEOPTS, PORTDIR_OVERLAY

> kernel with SECURITY=y and SECURITY_CAPABILITIES=y but still ntpd gives error
> when starting (/usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp):
> ntpd[28638]: cap_from_text() failed: Invalid argument

I experienced the same problem on my system. In the end I discovered that libcap was missing; if ntpd is compiled without that library, it does not provide the -u option.
Portage didn't notice that dependency, even if the "nodroproot" flag was _not_ enabled.
I have libcap installed, nodroproot is not set and still ntpd complains when started with /usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp:

    ntpd[28638]: cap_from_text() failed: Invalid argument

(In reply to comment #12)
> > kernel with SECURITY=y and SECURITY_CAPABILITIES=y but still ntpd gives error
> > when starting (/usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp):
> > ntpd[28638]: cap_from_text() failed: Invalid argument
>
> I experienced the same problem on my system. In the end I discovered that
> libcap was missing; if ntpd is compiled without that library, it does not
> provide the -u option.
> Portage didn't notice that dependency, even if the "nodroproot" flag was _not_
> enabled.

What I did to get it back working again is:

    kernel: CONFIG_SECURITY_CAPABILITIES=m
    compile & install kernel & modules
    echo capabilities >>/etc/modules.autoload.d/kernel-2.6
    shutdown -r now
    USE=caps emerge ntp
    etc-update
    /etc/init.d/ntpd stop
    pkill -x ntpd
    /etc/init.d/ntpd zap
    /etc/init.d/ntpd start
    ps -fC ntpd

Please consider adding -i /var/lib/ntp to NTPD_OPTS, so if caps is enabled:

    NTPD_OPTS="-u ntp:ntp -i /var/lib/ntp"

Drop privs and chroot.

Well, that's nice, but after putting NTPD_OPTS="-u ntp:ntp -i /var/lib/ntp" in /etc/conf.d/ntpd and restarting ntpd, /var/lib/ntp/ntp.drift doesn't get updated anymore! Do you have a solution to that problem too?

Furthermore, a correction to my previous comment #14:

    echo capabilities >>/etc/modules.autoload.d/kernel-2.6

should be:

    echo capability >>/etc/modules.autoload.d/kernel-2.6

I found a solution to make the chroot thing work correctly:

    # mkdir -p /var/lib/ntp/var/lib
    # ln -sfn ../.. /var/lib/ntp/var/lib/ntp

I also tried to change the location of the drift file (both with the command-line option -f /ntp.drift and in /etc/ntp.conf) but that doesn't work right with the chroot option.

It looks like at startup, ntpd reads the drift file in non-chroot mode:

    /var/log/syslog: Jun  3 20:49:42 amd ntpd[27500]: frequency initialized -22.017 PPM from /var/lib/ntp/ntp.drift

and later tries to update the drift file hourly in chroot mode using the same location of the drift file:

    /var/log/syslog: Jun  3 19:49:41 amd ntpd[27500]: can't open /var/lib/ntp/ntp.drift.TEMP: No such file or directory

which of course doesn't work since the location in chroot and non-chroot is not the same. This makes it necessary to make the above softlink if you want to run ntpd in chroot mode.

There still seems to be something wrong. My ntp doesn't have any droproot USE flag but one called "caps", which seems to be the same (ntp-4.2.2). I also had the problem with the -u ntp:ntp option as described in the initial bug report here. The "caps" flag was NOT set. However, I now recompiled ntp with the caps flag enabled and now it works. Silly enough, since I DON'T HAVE capabilities enabled in the kernel ...

-u is only enabled when USE=caps

the ebuild will strip the -u stuff from conf.d/ntpd when USE=-caps

(In reply to comment #19)
> -u is only enabled when USE=caps
>
> the ebuild will strip the -u stuff from conf.d/ntpd when USE=-caps

I would also suggest adding a comment to conf.d/ntpd explaining that the -u parameter is only available when compiled with USE=caps.
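The three checks the thread converges on, as an added shell example that is not part of this bug report, the ntp ebuild or its init script: whether the kernel config enables CONFIG_SECURITY_CAPABILITIES (the question raised early in the thread about grepping .config), whether the installed ntp was built with drop-root support (judged from the USE flags in an `emerge -pv ntp` line, "-nodroproot" on the old ebuild or "+caps" on ntp-4.2.2), and the `/var/lib/ntp/var/lib/ntp -> ../..` symlink that makes the drift file reachable both before and after the `-i` chroot. The function names, the emerge-line parsing rule and the constructed sample inputs are assumptions made for this example; the config option, the -i jail path and the relative symlink are the ones the comments above use.

```shell
#!/bin/sh
# Added example, not from the Gentoo bug or the ntp ebuild. All inputs are
# passed in as files or strings so it runs offline against constructed data.

# State of CONFIG_SECURITY_CAPABILITIES in a kernel .config (or in the text
# from `zcat /proc/config.gz`): prints builtin, module or missing.
# "module" only helps if the capability module is loaded before ntpd starts;
# as noted in the thread, the init script does not load it for you.
kernel_caps_state() {
    config="$1"
    if grep -q '^CONFIG_SECURITY_CAPABILITIES=y' "$config"; then
        echo builtin
    elif grep -q '^CONFIG_SECURITY_CAPABILITIES=m' "$config"; then
        echo module
    else
        echo missing
    fi
}

# Parse one `emerge -pv ntp` line (assumed format, as quoted in the bug).
# Old ebuilds expose "nodroproot", so "-nodroproot" means -u IS built in;
# ntp-4.2.2 exposes "caps" instead, so "+caps" means -u is built in.
# Returns 0 when -u should be available, 1 otherwise.
ebuild_has_droproot() {
    case " $1 " in
        *" +caps "*|*" -nodroproot "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the layout from the thread. With "-i $jail", ntpd reads
# /var/lib/ntp/ntp.drift before chrooting and later writes
# /var/lib/ntp/ntp.drift.TEMP *inside* the jail, so the jail needs
# $jail/var/lib/ntp pointing back at $jail itself (relative link ../..).
setup_chroot_drift() {
    jail="$1"
    mkdir -p "$jail/var/lib" || return 1
    ln -sfn ../.. "$jail/var/lib/ntp"
}

# Verify that the in-jail path and the pre-chroot path are the same directory.
drift_path_consistent() {
    jail="$1"
    outside=$(cd -P "$jail" && pwd -P) || return 1
    inside=$(cd -P "$jail/var/lib/ntp" && pwd -P) || return 1
    [ "$outside" = "$inside" ]
}

# Count the symptom ntpd logs when the link is missing, from a syslog file.
drift_write_failures() {
    grep -c "can't open .*ntp\.drift\.TEMP" "$1"
}

# Stand-alone demo on constructed inputs: a fake .config, the emerge -pv line
# quoted in the bug, and two syslog lines modelled on the ones in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'CONFIG_SECURITY=y\nCONFIG_SECURITY_CAPABILITIES=m\n' > "$tmp/config"
    echo "kernel caps: $(kernel_caps_state "$tmp/config")"

    line='[ebuild   R   ] net-misc/ntp-4.2.0.20040617-r3  -debug -ipv6 -nodroproot -openntpd -parse-clocks (-selinux) +ssl 0 kB'
    if ebuild_has_droproot "$line"; then
        echo "ntp: -u supported"
    else
        echo "ntp: -u NOT built in (USE=caps / nodroproot)"
    fi

    setup_chroot_drift "$tmp/jail"
    echo "-22.017" > "$tmp/jail/ntp.drift"
    # Same file, seen through the in-chroot path:
    echo "drift via jail path: $(cat "$tmp/jail/var/lib/ntp/ntp.drift")"
    drift_path_consistent "$tmp/jail" && echo "jail drift path: consistent"

    printf '%s\n' \
      "Jun  3 20:49:42 amd ntpd[27500]: frequency initialized -22.017 PPM from /var/lib/ntp/ntp.drift" \
      "Jun  3 19:49:41 amd ntpd[27500]: can't open /var/lib/ntp/ntp.drift.TEMP: No such file or directory" \
      > "$tmp/syslog"
    echo "drift write failures in log: $(drift_write_failures "$tmp/syslog")"
    rm -rf "$tmp"
}

demo
```

On a live box you would feed `kernel_caps_state` either /usr/src/linux/.config or the output of `zcat /proc/config.gz` (only present when the kernel was built with CONFIG_IKCONFIG_PROC), and run `setup_chroot_drift /var/lib/ntp` as root before adding `-i /var/lib/ntp` to NTPD_OPTS. A non-zero `drift_write_failures` count over /var/log/syslog is the signature of a chrooted ntpd whose jail lacks the symlink.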