Bug 105978 - ntpd doesn't work with "-u ntp:ntp" option
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High major
Assignee: SpanKY
Reported: 2005-09-14 09:58 UTC by Siegbert Baude
Modified: 2006-07-16 05:50 UTC
Description Siegbert Baude 2005-09-14 09:58:43 UTC
ntpd fails (no message at all appears) to start if you use this line:  
  
ntpd -p /var/run/ntpd.pid -u ntp:ntp  
  
This one works however:  
  
ntpd -p /var/run/ntpd.pid  
  
According to the man page, this is a configure option (--enable-linuxcaps) and  
in the ebuild this is triggered by the USE flag nodroproot.  
  
My build was configured like this:  
# qpkg -I -v -i ntp  
net-misc/ntp-4.2.0.20040617-r3 *  
        Network Time Protocol suite/programs [ http://www.ntp.org/ ]  
Compiled with USE Flags: -parse-clocks -nodroproot -selinux ssl -ipv6  
-openntpd -debug  
  
and I saw the configure option "--enable-linuxcaps" was used. So the error  
doesn't seem to be in the ebuild, but in the build system or source itself. 
 
# grep ntp /etc/passwd /etc/group 
/etc/passwd:ntp:x:123:123:added by portage for ntp:/dev/null:/bin/false 
/etc/group:ntp::123: 
 

Reproducible: Always
Steps to Reproduce:
1. emerge ntp  
2. ntpd -p /var/run/ntpd.pid -u ntp:ntp  
3. ps aux|grep ntp 
  
Actual Results:  
ntpd was not running 

Expected Results:  
be running 

Portage 2.0.51.22-r2 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r1, 
2.6.12-gentoo-r10 i686) 
================================================================= 
System uname: 2.6.12-gentoo-r10 i686 Pentium III (Coppermine) 
Gentoo Base System version 1.6.13 
dev-lang/python:     2.3.5-r2 
sys-apps/sandbox:    1.2.12 
sys-devel/autoconf:  2.13, 2.59-r6 
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6 
sys-devel/binutils:  2.15.92.0.2-r10 
sys-devel/libtool:   1.5.18-r1 
virtual/os-headers:  2.6.11-r2 
ACCEPT_KEYWORDS="x86" 
AUTOCLEAN="yes" 
CBUILD="i686-pc-linux-gnu" 
CFLAGS="-O3 -march=pentium3 -pipe -fomit-frame-pointer" 
CHOST="i686-pc-linux-gnu" 
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" 
CXXFLAGS="-O3 -march=pentium3 -pipe -fomit-frame-pointer" 
DISTDIR="/usr/portage/distfiles" 
FEATURES="autoconfig distlocks sandbox sfperms strict" 
GENTOO_MIRRORS="ftp://ftp.gentoo.mesh-solutions.com/gentoo/ 
ftp://ftp.tu-clausthal.de/pub/linux/gentoo/" 
LANG="de_DE@euro" 
LINGUAS="de" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/var/tmp" 
PORTDIR="/usr/portage" 
PORTDIR_OVERLAY="/usr/local/portage" 
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" 
USE="x86 X alsa amr aotuv apache2 apm arts async auctex avi bash-completion 
bootsplash bzip2 cddb cdparanoia cdr chroot crypt cscope css cups curl dio 
directfb divx4linux dpms dts dv dvb dvd dvdr dvdread eb eds encode escreen 
exif extensions f2c fam fastcgi fat fb fbcon fbdev ffmpeg flac fortran ftp gif 
gimp gphoto2 gpm gs gstreamer hal hpn httpd iconv icq imagemagick imap imlib 
imlib2 java javascript jce jcs jikes joystick joysticks jpeg jpeg2k kde 
kdeenablefinal koffice-plugin lcd lirc lm_sensors logitech-mouse lynxkeymap 
lzo lzw lzw-tiff maildir matroska matrox mime mjpeg mmx mozilla moznocompose 
moznoirc mp3 mpeg mpi mplayer mythtv ncurses nls nocd nptl ntfs offensive ogg 
oggvorbis opengl operanom2 pam pascal pdflib perl php png povray python qt 
quicktime rar rdesktop readline real recode reiserfs ruby samba scanner sdl 
sensord shorten slang smime spell sql sse ssl subtitles svga symlink sysfs 
tcpd tetex theora tidy tiff tos truetype truetype-fonts type1 type1-fonts usb 
userlocales v4l v4l2 vcd videos vidix vim-pager vim-with-x visualization 
vorbis win32codecs wmf xanim xfs xine xml2 xmms xv xvid xvmc yv12 zlib 
video_cards_matrox linguas_de userland_GNU kernel_linux elibc_glibc" 
Unset:  ASFLAGS, CTARGET, LC_ALL, LDFLAGS, MAKEOPTS
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2005-09-14 10:20:21 UTC
What about using /etc/init.d/ntpd start like everyone else?
Comment 2 Siegbert Baude 2005-09-14 10:30:04 UTC
Of course this problem also exists, if you start ntpd by the means  
of /etc/initd. Do you believe that /etc/initd would automagically cure a  
problem which exists, if you even leave out some complexity?  
  
So if you have in /etc/conf.d/ntpd 
NTPD_OPTS="-u ntp:ntp" 
the start fails, if you have 
NTPD_OPTS="" 
it works. 
 
 
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2005-09-14 10:40:50 UTC
# emerge -pv ntp

[ebuild   R   ] net-misc/ntp-4.2.0.20040617-r3  -debug -ipv6 -nodroproot
-openntpd -parse-clocks (-selinux) +ssl 0 kB

# cat /etc/conf.d/ntpd
# /etc/conf.d/ntpd

# Options to pass to the ntpd process
# Most people should leave this line alone ...
# however, if you know what you're doing, feel free to tweak
NTPD_OPTS="-u ntp:ntp"

Works just fine here...

# ps aux | grep ^ntp
ntp       9064  0.0  0.5   3900  3900 ?        SLs  Sep10   0:01 /usr/sbin/ntpd
-p /var/run/ntpd.pid -u ntp:ntp
Comment 4 Anders Hellgren gentoo-dev 2005-09-14 11:18:09 UTC
Does your kernel support linuxcaps?

CONFIG_SECURITY_CAPABILITIES=y
Comment 5 Siegbert Baude 2005-09-14 16:54:32 UTC
Good hint! No I don't have this activated. As I'm quite sure I never had before,
but "-u ntp:ntp" worked until some time ago, I didn't suspect it to be a kernel
problem.
I'm just compiling a new one and will try again. If ntp then works again, should
we check within the ntp-ebuild if this feature is switched on in the kernel and
"nodroproot" is not in the USE flags? How would this be done best, grepping
/usr/src/linux/.config or is there a possibility via /proc or /sys?

Should a hint go to the maintainers of the install docs, that the kernel should
have this feature, as obviously this port seems to take this for granted?
Comment 6 SpanKY gentoo-dev 2005-09-14 18:11:41 UTC
the drop root support has changed in the backend across different versions of
ntp so ...
Comment 7 Siegbert Baude 2005-09-14 18:32:27 UTC
With "CONFIG_SECURITY_CAPABILITIES=y" enabled in the kernel everything works
again as expected. So what steps should be done now? Is there a canonical method
to check kernel features from within an ebuild? Should the install-docs be changed?

Comment 8 SpanKY gentoo-dev 2005-09-14 18:51:29 UTC
there is but i'd prefer to not go that route ;)

ntpd does support running as the rtc user afaik by default, but i'll have to
look into that ...
Comment 9 Matthew Stapleton 2005-12-27 20:51:57 UTC
If not using different security models, unsetting CONFIG_SECURITY will also enable linuxcaps in the kernel.
Comment 10 Michal Suchanek 2006-02-20 05:05:09 UTC
hehe, I have compiled the capabilities - as a module.

Of course, the init script does not load it.
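
The kernel-side conditions raised in comments 4 to 10, gathered into one check. This is an added example, not part of the bug thread or the ebuild; the function names are hypothetical, and the "default" case relies on what comment 9 states about an unset CONFIG_SECURITY.

```shell
#!/bin/sh
# Added example: does this kernel offer the capability support "ntpd -u" needs?
# File paths are the caller's; the files used in testing are constructed samples.

# Print a kernel config, plain (.config) or gzipped (/proc/config.gz).
read_kconfig() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# caps_state FILE -> builtin | module | default | missing
#   builtin: CONFIG_SECURITY_CAPABILITIES=y
#   module:  =m, so the module must be loaded before ntpd starts (comment 10)
#   default: CONFIG_SECURITY not set, capabilities are enabled (comment 9)
#   missing: CONFIG_SECURITY=y but capabilities neither built in nor modular
caps_state() {
    cfg=$(read_kconfig "$1") || return 2
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_SECURITY_CAPABILITIES=y$'; then
        echo builtin
    elif printf '%s\n' "$cfg" | grep -q '^CONFIG_SECURITY_CAPABILITIES=m$'; then
        echo module
    elif printf '%s\n' "$cfg" | grep -q '^CONFIG_SECURITY=y$'; then
        echo missing
    else
        echo default
    fi
}

# caps_usable FILE [MODLIST] -> exit 0 if the kernel side is ready right now.
# MODLIST defaults to /proc/modules; the module is named "capability" (comment 16).
caps_usable() {
    case "$(caps_state "$1")" in
        builtin|default) return 0 ;;
        module) grep -q '^capability ' "${2:-/proc/modules}" ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: sh check.sh /usr/src/linux/.config
if [ $# -ge 1 ]; then
    echo "capabilities: $(caps_state "$1")"
    caps_usable "$1" || echo "ntpd -u will fail until capability support is available"
fi
```
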
Comment 11 Andres Toomsalu 2006-04-26 23:25:30 UTC
I'm still having odd trouble with net-misc/ntp-4.2.0.20040617-r3. I recompiled kernel with SECURITY=y and SECURITY_CAPABILITIES=y but still ntpd gives error when starting (/usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp):
ntpd[28638]: cap_from_text() failed: Invalid argument

Without dropping root everything works.

My emerge info:
Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.4, glibc-2.3.5-r3, 2.6.16-gentoo-r3 i686)
=================================================================
System uname: 2.6.16-gentoo-r3 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
Gentoo Base System version 1.6.14
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/splash /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.linux.ee/pub/gentoo/distfiles/ ftp://ftp.linux.ee/pub/gentoo/distfiles/"
LANG="et_EE.UTF-8"
LC_ALL="et_EE.UTF-8"
LINGUAS="et en"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 acl bash-completion bzip2 cdr cli crypt cups dbus expat foomaticdb fortran gif gpm hal iconv imlib ipv6 jpeg ldap libwww mmap ncurses nls nptl pam pcre perl png python readline slang slp snmp spell ssl tcpd truetype truetype-fonts udev unicode usb xml zlib linguas_et linguas_en userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LDFLAGS, MAKEOPTS, PORTDIR_OVERLAY
Comment 12 Anakim Border 2006-05-06 14:52:44 UTC
> kernel with SECURITY=y and SECURITY_CAPABILITIES=y but still ntpd gives error
> when starting (/usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp):
> ntpd[28638]: cap_from_text() failed: Invalid argument

I experienced the same problem on my system. In the end I discovered that libcap was missing; if ntpd is compiled without that library, it does not provide the -u option.
Portage didn't notice that dependency, even if the "nodroproot" flag was _not_ enabled.
Comment 13 Andres Toomsalu 2006-05-07 03:23:03 UTC
I have libcap installed, nodroproot is not set and still ntpd complains when /usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp
ntpd[28638]: cap_from_text() failed: Invalid argument


(In reply to comment #12)
> > kernel with SECURITY=y and SECURITY_CAPABILITIES=y but still ntpd gives error
> > when starting (/usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp):
> > ntpd[28638]: cap_from_text() failed: Invalid argument
> 
> I experienced the same problem on my system. In the end I discovered that
> libcap was missing; if ntpd is compiled without that library, it does not
> provide the -u option.
> Portage didn't notice that dependency, even if the "nodroproot" flag was _not_
> enabled.
> 
Comment 14 Evert 2006-06-02 07:09:55 UTC
What I did to get it back working again is:

kernel: CONFIG_SECURITY_CAPABILITIES=m
compile&install kernel&modules
echo capabilities >>/etc/modules.autoload.d/kernel-2.6
shutdown -r now
USE=caps emerge ntp
etc-update
/etc/init.d/ntpd stop
pkill -x ntpd
/etc/init.d/ntpd zap
/etc/init.d/ntpd start
ps -fC ntpd
Comment 15 Alon Bar-Lev (RETIRED) gentoo-dev 2006-06-02 11:30:30 UTC
Please consider adding -i /var/lib/ntp to NTPD_OPTS, so if caps enabled:

NTPD_OPTS="-u ntp:ntp -i /var/lib/ntp"

Drop privs and chroot.
Comment 16 Evert 2006-06-04 07:47:08 UTC
Well, that's nice, but after putting
NTPD_OPTS="-u ntp:ntp -i /var/lib/ntp"
in /etc/conf.d/ntpd and restarting ntpd, /var/lib/ntp/ntp.drift doesn't get updated anymore! Do you have a solution to that problem too?

Furthermore, a correction to my previous comment #14

echo capabilities >>/etc/modules.autoload.d/kernel-2.6
should be:
echo capability >>/etc/modules.autoload.d/kernel-2.6
Comment 17 Evert 2006-06-07 06:01:04 UTC
I found a solution to make the chroot thing work correctly:

# mkdir -p /var/lib/ntp/var/lib
# ln -sfn ../.. /var/lib/ntp/var/lib/ntp

I also tried to change the location of the drift file (both with the commandline option -f /ntp.drift but also in /etc/ntp.conf) but that doesn't work right with the chroot option. It looks like at startup, ntpd reads the drift file in non-chroot mode:
/var/log/syslog: Jun  3 20:49:42 amd ntpd[27500]: frequency initialized -22.017 PPM from /var/lib/ntp/ntp.drift
and later tries to update the drift file hourly in chroot mode using the same location of the drift file:
/var/log/syslog: Jun  3 19:49:41 amd ntpd[27500]: can't open /var/lib/ntp/ntp.drift.TEMP: No such file or directory
which of course doesn't work since the location in chroot and non-chroot is not the same. This makes it necessary to make the above softlink if you want to run ntpd in chroot mode.
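
The path mismatch described in comment 17, checked without actually chrooting. This is an added example, not part of the thread or of ntp; the function names are hypothetical, and it generalizes the two commands from comment 17 to any jail directory. The in-jail view is emulated by prefixing the jail path.

```shell
#!/bin/sh
# Added example: verify that the drift file's directory is the same place
# before and after ntpd chroots with "-i JAIL". Nothing here calls chroot.

# same_dir_in_jail JAIL DRIFTFILE -> exit 0 if dirname(DRIFTFILE), looked up
# from inside the jail, is the same physical directory as outside it.
same_dir_in_jail() {
    j=${1%/}
    d=$(dirname "$2")
    outside=$(cd "$d" 2>/dev/null && pwd -P) || return 1
    inside=$(cd "$j$d" 2>/dev/null && pwd -P) || return 1
    [ "$outside" = "$inside" ]
}

# link_jail_back JAIL: recreate JAIL's own absolute path inside JAIL as a
# relative symlink to the jail root. For /var/lib/ntp this runs the two
# commands from comment 17: mkdir -p .../var/lib and ln -sfn ../.. .../ntp
link_jail_back() {
    j=${1%/}
    p=$(dirname "$j")
    mkdir -p "$j$p" || return 1
    # One ".." per component of the parent path, e.g. /var/lib -> ../..
    up=$(printf '%s' "$p" | sed -e 's|^/||' -e 's|[^/][^/]*|..|g')
    [ -n "$up" ] || up=.
    ln -sfn "$up" "$j$j"
}

# Stand-alone use: sh jailcheck.sh /var/lib/ntp /var/lib/ntp/ntp.drift
if [ $# -eq 2 ]; then
    if same_dir_in_jail "$1" "$2"; then
        echo "drift file path is valid inside and outside the jail"
    else
        echo "drift file path breaks after chroot; link_jail_back $1 would fix it"
    fi
fi
```

A relative link is used so that it resolves to the jail root both from the host and from inside the jail.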
Comment 18 Michael Helmling 2006-06-18 23:44:00 UTC
There still seems to be something wrong.
My ntp doesn't have any droproot USE-flag but one called "caps" which seems to be the same (ntp-4.2.2).

I also had the problem with the -u ntp:ntp option as described in the initial bug report here. The "caps" flag was NOT set. However, I now recompiled ntp with the caps flag enabled and now it works. Silly enough, since I DON'T HAVE capabilities enabled in the kernel ...
Comment 19 SpanKY gentoo-dev 2006-07-16 00:02:06 UTC
-u is only enabled when USE=caps

the ebuild will strip the -u stuff from conf.d/ntpd when USE=-caps
Comment 20 Denilson Sá Maia 2006-07-16 05:50:06 UTC
(In reply to comment #19)
> -u is only enabled when USE=caps
> 
> the ebuild will strip the -u stuff from conf.d/ntpd when USE=-caps

I would also suggest that you add a comment to conf.d/ntpd explaining that the -u parameter is only available when compiled with USE=caps