Date: Sat, 1 Mar 2025 05:37:19 +0900
From: Tomoaki AOKI
To: Cy Schubert
Cc: freebsd@oldach.net (Helge Oldach), cy@FreeBSD.org, dev-commits-src-branches@freebsd.org
Subject: Re: git: 1a241a911dc8 - stable/14 - ntpd: Use the ntpd -u option in preference to the rc su plumbing
Message-Id: <20250301053719.2449ddcf28e417f6639ac58f@dec.sakura.ne.jp>
In-Reply-To: <20250228162252.E5053324@slippy.cwsent.com>
References: <202502281412.51SECsWG048020@nuc.oldach.net> <20250228162252.E5053324@slippy.cwsent.com>
Organization: Junchoon corps
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches

On Fri, 28 Feb 2025 08:22:52 -0800
Cy Schubert wrote:

> In message <202502281412.51SECsWG048020@nuc.oldach.net>, Helge Oldach
> writes:
> > Tomoaki AOKI wrote on Fri, 28 Feb 2025 10:53:24 +0100 (CET):
> > > Unfortunately, this commit caused ntpd to hesitate to (re)start
> > > with the error messages below on stable/14, amd64.
> > >
> > > ===== Quote =====
> > > # service ntpd stop
> > > Stopping ntpd.
> > > Waiting for PIDS: 52508.
> > > # service ntpd start
> > > Starting ntpd.
> > > daemon control: got EOF
> > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > > #
> > > ===== End quote =====
> > >
> > > Note that I have
> > > ntpd_flags="-4 -g -x -f /var/db/ntpd.drift -l /var/log/ntpd.log"
> > > ntpd_config="/etc/ntp/ntp.conf"
> > > ntpd_enable="YES"
> > > ntpd_sync_on_start="YES"
> > > daily_ntpd_leapfile_enable="YES"
> > > ntp_leapfile_fetch_verbose="YES"
> > > in my /etc/rc.conf.
> >
> > I suggest ensuring that the files referenced by the command line or by
> > configuration files can be created/written to by ntpd:ntpd.
> >
> > For example, you're not using the default location for ntpd.drift.
> > The default location is /var/db/ntp/ntpd.drift, where the directory
> > /var/db/ntp/ is owned by ntpd:ntpd (as per /etc/mtree/BSD.var.dist), so
> > ntpd is able to write the drift file after dropping privileges.
> >
> > Kind regards
> > Helge

Thanks for the advice!

IIRC, my configuration was to allow keeping use of the old-school place.
Anyway, I edited /etc/rc.conf to switch /var/db/ntpd.drift to
/var/db/ntp/ntpd.drift (the service command picks up configs every time it
is invoked, so no reboots), without luck. Of course, /var/db/ntp has
ntpd:ntpd ownership.

Comparing the successful case (with reverted /etc/rc.d/ntpd) and the failed
case (/etc/rc.d/ntpd without reverts), I found an error only in the latter:

  1 Mar 04:32:59 ntpd[12772]: Need MAC 'ntpd' policy enabled to drop root privileges
  1 Mar 04:32:59 ntpd[12771]: daemon child exited with code 255

In the normal case, ntpd starts soliciting pool servers, but in the
erroneous case it stops there (does not start soliciting pool servers).

> This looks like it's related to,
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284863, which is upstream
> https://bugs.ntp.org/show_bug.cgi?id=3967. It's a regression in 4.2.8p18.

Thanks! But it's not my case. All interfaces have different IP addresses.
(Some are hidden with "*".)

  % ifconfig
  em0: flags=1008843 metric 0 mtu 1454
          options=4e504bb
          ether 98:*:*:*:*:*
          inet 192.168.*.45 netmask 0xffffff00 broadcast 192.168.*.255
          media: Ethernet autoselect (1000baseT )
          status: active
          nd6 options=29
  lo0: flags=1008049 metric 0 mtu 16384
          options=680003
          inet 127.0.0.1 netmask 0xff000000
          inet6 ::1 prefixlen 128
          inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
          groups: lo
          nd6 options=21
  wlan0: flags=8c43 metric 10 mtu 1500
          options=0
          ether 24:*:*:*:*:*
          inet 192.168.*.108 netmask 0xffffff00 broadcast 192.168.*.255
          groups: wlan
          ssid "" channel 36 (5180 MHz 11a) regdomain JAPAN country JP
          authmode WPA1+WPA2/802.11i privacy ON deftxkey UNDEF txpower 23 bmiss 7
          mcastrate 6 mgmtrate 6 scanvalid 60 wme roaming MANUAL
          parent interface: iwlwifi0
          media: IEEE 802.11 Wireless Ethernet autoselect mode 11a
          status: no carrier
          nd6 options=29

The problem seems to be "how to enable the MAC 'ntpd' policy?".

Reading Chapter 18 of the Handbook (especially 18.5) and looking into
/boot/kernel, mac_ntpd.ko seems to be the culprit, but as I am still
confused about the MAC feature, I'm not 100% sure whether loading it is
safe, thus I still cannot try loading it.

*I've read somewhere (lost track of where) a statement that "once the MAC
feature is enabled on a filesystem, it cannot be disabled anymore and
possibly causes fatal interoperability problems". This does not match the
Handbook, at least 18.5, though.

My /etc/rc.conf is carried over from 2.1.6.1 (IIRC) with modifications as
needed. So it doesn't have MAC (not MAC address but the Mandatory Access
Control feature, I guess) related configuration in it.

IMHO, these kinds of mandated (and considered safe) configurations should
be in /etc/defaults/rc.conf (including auto-loading mandatory in-tree
kmods) by default and overridden in /etc/rc.conf[.local] whenever actually
needed.

> --
> Cheers,
> Cy Schubert
> FreeBSD UNIX: Web: https://FreeBSD.org
> NTP: Web: https://nwtime.org
>
> e^(i*pi)+1=0

Regards.

-- 
Tomoaki AOKI
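An added example, not code from anyone in this thread: a POSIX sh pre-flight check for the two conditions the thread turns on when ntpd runs with -u, a drift-file directory owned by ntpd:ntpd and a loaded mac_ntpd policy. It assumes "kldstat -q -m mac_ntpd" (a standard FreeBSD command) for the module check, takes the default drift path from Helge's message, and matches the log text quoted from the failing start; any log lines fed to it are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for the two
# failure causes discussed when ntpd runs with -u and drops to ntpd:ntpd.
#  1. the directory holding the drift file must be writable by ntpd:ntpd
#  2. the mac_ntpd(4) policy must be loaded, or ntpd logs
#     "Need MAC 'ntpd' policy enabled to drop root privileges" and exits.
# ASSUMPTION: the module check uses "kldstat -q -m mac_ntpd" (FreeBSD only).

# Value following -f in an ntpd_flags string; falls back to the default
# location Helge named, /var/db/ntp/ntpd.drift.
driftfile_from_flags() {
    set -- $1
    while [ $# -gt 0 ]; do
        [ "$1" = "-f" ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    printf '%s\n' "/var/db/ntp/ntpd.drift"
}

# Owner "user:group" of the directory holding file $1 (BSD and GNU ls agree
# on fields 3 and 4 of "ls -ld" output).
dir_owner() {
    ls -ld "$(dirname "$1")" | awk '{ print $3 ":" $4 }'
}

# 0 if the drift directory is owned by $2 (default ntpd:ntpd).
drift_dir_ok() {
    [ "$(dir_owner "$1")" = "${2:-ntpd:ntpd}" ]
}

# 0 if the ntpd log file $1 contains the privilege-drop failure quoted above.
log_shows_mac_failure() {
    grep -q "Need MAC 'ntpd' policy enabled to drop root privileges" "$1"
}

# 0 if the mac_ntpd kernel module is loaded (1 wherever kldstat is absent).
mac_ntpd_loaded() {
    command -v kldstat >/dev/null 2>&1 && kldstat -q -m mac_ntpd
}

# Run the checks for one ntpd_flags value; report problems, 0 only if all pass.
ntpd_preflight() {
    rc=0
    drift=$(driftfile_from_flags "$1")
    drift_dir_ok "$drift" || { echo "$(dirname "$drift") is owned by $(dir_owner "$drift"), not ntpd:ntpd"; rc=1; }
    mac_ntpd_loaded || { echo "mac_ntpd not loaded; ntpd -u will fail to drop root privileges"; rc=1; }
    return $rc
}
```

On a FreeBSD host, `ntpd_preflight "$(sysrc -n ntpd_flags)"` runs both checks against the live rc.conf value.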