jails

Jeremy Chadwick koitsu at FreeBSD.org
Tue Sep 9 16:46:11 UTC 2008


On Tue, Sep 09, 2008 at 08:45:33AM -0700, gahn wrote:
> Hello:
> 
> I don't know what you were referring to, but the date and time of the machine was set correctly.
> 
> #date Tue Sep 9 11:40:04 EDT 2008
> 
> best 

Is your system clock skewing a lot?  Are you running ntpd?  (I hope
you're not using ntpdate from a cronjob, that would pretty much
guarantee what you're seeing.)

You can't easily tell clock skew with userland utilities, but the
result often manifests itself in the way you're seeing.  I can provide
some advice on how to use ntpd/ntpq/ntpdc if need be.

If you're not using ntpd, you should be!  Here's a decent/proper
ntp.conf (you should visit the use.html document and pick servers that
are appropriate for your region).  Do not add "iburst" to all of the
servers; just the first one.


# north-america.pool.ntp.org
#   http://www.pool.ntp.org/use.html
#
# maxpoll 9 is used to work around PLL/FLL flipping, which
# happens at exactly 1024 seconds (the default maxpoll value).
# Another FreeBSD member recommended using 9 instead.
# http://lists.freebsd.org/pipermail/freebsd-stable/2006-December/031512.html
#
server 0.north-america.pool.ntp.org maxpoll 9 iburst
server 1.north-america.pool.ntp.org maxpoll 9
server 2.north-america.pool.ntp.org maxpoll 9

# Default: ignore all ntp queries from all other hosts.  Packets
# to/from "server" lines are still respected.
restrict default noquery nomodify nopeer

# Allow queries to/from localhost, used for ntpdc and other utils
# Allow queries to/from the local private network (read-only)
restrict 127.0.0.0 mask 255.0.0.0
restrict 192.168.1.0 mask 255.255.255.0 nomodify nopeer notrap


After, run "ntpdate <server>", where server is the first server in your
list.  ntpdate should update the clock for you, and provide you an idea
of just how skewed it was compared to the remote NTP server's clock.

Then you can run ntpd safely.  Just place the below into /etc/rc.conf
and run /etc/rc.d/ntpd start.  (ntpd_sync_on_start is primarily for
when you reboot the box; don't let the name mislead you)

ntpd_enable="yes"
ntpd_sync_on_start="yes"

Hope this helps, or at least educates.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
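Not part of the original mail: an added Python check that applies the conventions above (a "restrict default" carrying noquery/nomodify/nopeer, "iburst" on the first server only, maxpoll on every server) to an ntp.conf. The embedded sample config is a constructed copy of the recommended one, and the function names are my own.

```python
# Added example (not from the original mail): checks an ntp.conf against the
# conventions recommended above: a "restrict default" carrying
# noquery/nomodify/nopeer, "iburst" only on the first server, maxpoll set.
# SAMPLE_CONF is a constructed copy of the mail's recommended config.
SAMPLE_CONF = """\
server 0.north-america.pool.ntp.org maxpoll 9 iburst
server 1.north-america.pool.ntp.org maxpoll 9
server 2.north-america.pool.ntp.org maxpoll 9
restrict default noquery nomodify nopeer
restrict 127.0.0.0 mask 255.0.0.0
restrict 192.168.1.0 mask 255.255.255.0 nomodify nopeer notrap
"""
REQUIRED_DEFAULT = {"noquery", "nomodify", "nopeer"}

def parse_conf(text):
    """Return (servers, restricts): servers as (name, options) in file order,
    restricts as {target: set(flags)}. Comments and blank lines are skipped."""
    servers, restricts = [], {}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "server" and len(tokens) > 1:
            servers.append((tokens[1], tokens[2:]))
        elif tokens[0] == "restrict" and len(tokens) > 1:
            # "restrict A mask M flags..." is keyed on "A/M", otherwise on A
            if len(tokens) > 3 and tokens[2] == "mask":
                restricts[f"{tokens[1]}/{tokens[3]}"] = set(tokens[4:])
            else:
                restricts[tokens[1]] = set(tokens[2:])
    return servers, restricts

def check_conf(text):
    """Return a list of findings; an empty list means the config conforms."""
    servers, restricts = parse_conf(text)
    findings = []
    default = restricts.get("default")
    if default is None:
        findings.append("no 'restrict default' line: any host may query/modify")
    else:
        missing = sorted(REQUIRED_DEFAULT - default)
        if missing:
            findings.append("restrict default lacks: " + ", ".join(missing))
    for i, (name, opts) in enumerate(servers):
        if "iburst" in opts and i != 0:
            findings.append(f"iburst on non-first server {name}")
        if "maxpoll" not in opts:
            findings.append(f"server {name} has no maxpoll (default is 1024 s)")
    return findings
```

Run `check_conf(open("/etc/ntp.conf").read())` on a host to list deviations; the sample config yields none.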