Re: heads up: mac_ntpd has to be explicitly loaded in recent stable/14
Date: Tue, 11 Mar 2025 17:25:03 UTC
On 11.03.2025 at 18:20, Cy Schubert wrote:
> In message <f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>,
> Marek Zarychta writes:
>> On 11.03.2025 at 17:29, Marek Zarychta wrote:
>>> On 11.03.2025 at 16:13, Cy Schubert wrote:
>>>> In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
>>>> Tomoaki AOKI writes:
>>>>> On Mon, 10 Mar 2025 16:37:58 +0100
>>>>> "Herbert J. Skuhra" <herbert@gojira.at> wrote:
>>>>>
>>>>>> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
>>>>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
>>>>>>>> Hello List Subscribers,
>>>>>>>>
>>>>>>>> in the past the module was loaded automatically upon NTPD server
>>>>>>>> startup.
>>>>>>>> It's no longer true, now it has to be loaded earlier.
>>>>>>>> Perhaps people running stable/14 might find this message useful.
>>>>>> Hmm, works for me on main and stable/14.
>>>>>>
>>>>>>> So... I noticed this for (precisely) one of the five machines I have
>>>>>>> that track stable/14 -- the other 4 get mac_ntpd loaded
>>>>>>> automagically as usual.
>>>>>>>
>>>>>>> In the failing case, it seems that
>>>>>>>
>>>>>>> sysctl security.mac.version
>>>>>>>
>>>>>>> yielded
>>>>>>>
>>>>>>> sysctl: unknown oid 'security.mac.version'
>>>>>> I only get this if I build a kernel without "options MAC". But in this
>>>>>> no mac_* kernel modules are built and ntpd fails with:
>>>>>>
>>>>>> Starting ntpd.
>>>>>> daemon control: got EOF
>>>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
>>>>> In this case, you'll find something like
>>>>> Need MAC 'ntpd' policy enabled to drop root privileges
>>>>> daemon child exited with code 255
>>>>> in ntpd logfile (/var/db/ntpd.log in my case, but
>>>>> possibly /var/log/messages by default).
>>>> I don't understand why some systems (those in this thread) have a
>>>> problem not loading mac_ntpd while others, i.e. my stable/14 at $JOB,
>>>> are fine. I'd like to try to understand the differences between those
>>>> that work and those that don't.
>>>>
>>>> First of all, the ntpd rc script bails without saying why when it
>>>> encounters a problem. can_run_nonroot() simply returns a bad return code
>>>> leaving us to wonder why.
>>>>
>>>> The first order of business is to produce a patch to indicate why it
>>>> bails. Please apply the attached patch and let me know where it fails.
>>>> Messages will be printed to stderr and to /var/log/messages (assuming
>>>> daemon.err is sent there).
>>>>
>>>>> --
>>>>> Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
>>>>>
>>>>
>>>>
>>>> Cheers,
>>>> Cy Schubert <Cy.Schubert@cschubert.com>
>>>> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
>>>> NTP: <cy@nwtime.org> Web: https://nwtime.org
>>>>
>>>> e^(i*pi)+1=0
>>> Output from the patch:
>>>
>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
>>> Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
>>> Mar 11 17:20:35 plan-b ntpd[60113]: ----------------------------------------------------
>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network Time Foundation,
>>> Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3) public-benefit
>>> Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training for ntp-4 are
>>> Mar 11 17:20:35 plan-b ntpd[60113]: available at https://www.nwtime.org/support
>>> Mar 11 17:20:35 plan-b ntpd[60113]: ----------------------------------------------------
>>> Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file /var/log/ntp
>>> Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
>>> Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to start ntpd
>>>
>>> Debugging output from the unpatched /etc/rc.d/ntpd:
>>>
>>> (...)
>>>
>>> + echo 'Starting ntpd.'
>>> Starting ntpd.
>>> + [ -n '' ]
>>> + _cd=''
>>> + _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
>>> + [ -n '' ]
>>> + [ -n '' ]
>>> + [ -n '' ]
>>> + [ -n '' ]
>>> + _doit=' limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
>>> + _run_rc_doit ' limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
>>> + local _m
>>> + debug 'run_rc_command: doit: limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
>>> + umask
>>> + _m=0022
>>> +
>>> + eval ' limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
>>> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
>>> daemon control: got EOF
>>> + _return=255
>>> + umask 0022
>>> + [ 255 -ne 0 ]
>>> + [ -z '' ]
>>> + return 1
>>> + warn 'failed to start ntpd'
>>> + [ -x /usr/bin/logger ]
>>> + logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
>>> + echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
>>> + return 1
>>>
>> The real problem is here:
>> + [ -n '' ]
>> + local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[ \t]*logfile|^[ \t]*statsdir'
>> + grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[ \t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
>> + return 1
>>
>> To reproduce: use config matching the regex from the above, for example
>> add line:
>>
>> logfile /var/log/ntp.log
>>
>> to the ntp.conf
>>
>> 15-CURRENT is also affected this way. That's a bit odd that nobody
>> reported it yet.
>>
>> Problems made by can_run_nonroot function can be fixed by removing lines
>> 60-64 from the starting script.
>>
>> https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63
> What is in your ntpd_config in rc.conf?

# grep ntpd_config /etc/rc.conf /etc/defaults/rc.conf
/etc/defaults/rc.conf:ntpd_config="/etc/ntp.conf" # ntpd(8) configuration file

--
Marek Zarychta
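
The file-option test and the log message discussed in this thread, combined into a small triage script. This is an added example, not code from the thread or from FreeBSD's rc.d/ntpd. The function names (conf_file_directives, log_has_mac_failure, triage) and the sample files are assumptions constructed for illustration; only the pattern and the log message are taken from the messages above.

```sh
#!/bin/sh
# Added diagnostic; not code from the thread or from FreeBSD's rc.d/ntpd.

# Pattern copied verbatim from the "local fileopts=..." line of the trace.
FILEOPTS='^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[ \t]*logfile|^[ \t]*statsdir'
# Message quoted in the thread from the ntpd log file.
MAC_MSG="Need MAC 'ntpd' policy enabled to drop root privileges"

# Print "N:line" for each config line the pattern matches.
# Status: 0 = match (the branch that ends in "return 1" in the trace),
#         1 = no match, 2 = file unreadable.
conf_file_directives() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    grep -E -n "$FILEOPTS" "$1"
}

# Status 0 if the given log contains the MAC policy failure message.
log_has_mac_failure() {
    [ -r "$1" ] && grep -F -q "$MAC_MSG" "$1"
}

# triage CONF LOG: print one verdict such as "match/macfail".
triage() {
    rc=0
    conf_file_directives "$1" >/dev/null 2>&1 || rc=$?
    case $rc in 0) c=match ;; 1) c=clean ;; *) c=unreadable ;; esac
    if log_has_mac_failure "$2"; then l=macfail; else l=nomacmsg; fi
    echo "$c/$l"
}

# Constructed sample inputs in a temp directory (not taken from any real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# constructed sample' 'pool 0.freebsd.pool.ntp.org iburst' \
    '  logfile /var/log/ntp.log' '#driftfile /var/db/ntp.drift' >"$demo_dir/bad.conf"
printf '%s\n' 'pool 0.freebsd.pool.ntp.org iburst' 'restrict default limited' \
    >"$demo_dir/ok.conf"
printf '%s\n' "$MAC_MSG" 'daemon child exited with code 255' >"$demo_dir/ntpd.log"

conf_file_directives "$demo_dir/bad.conf" || true   # lists the logfile line
triage "$demo_dir/bad.conf" "$demo_dir/ntpd.log"
triage "$demo_dir/ok.conf" /dev/null
```

On a real host, pass the path that ntpd_config points to and the ntpd log file as the two arguments to triage. A commented-out directive such as "#driftfile" does not match the pattern, so it does not count.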