svn commit: r326565 - head/release/tools

Colin Percival cperciva at
Tue Dec 5 09:22:15 UTC 2017

Author: cperciva
Date: Tue Dec  5 09:22:14 2017
New Revision: 326565

  Make EC2 instances use Amazon's NTP service for time synchronization.
  Since Amazon provides NTP servers within their network, this should
  be far superior to using the default NTP pools; and since the service
  is provided by Amazon there's very little risk in enabling it by
  default.  (If someone is able to compromise Amazon's NTP servers and
  exploit them to attack EC2 instances, they would almost certainly be
  able to compromise EC2 instances even without ntpd running...)
  MFC after:	1 week
  Relnotes:	EC2 instances now keep their clocks synchronized using
  		the Amazon Time Sync Service (aka. NTP).


Modified: head/release/tools/ec2.conf
--- head/release/tools/ec2.conf	Tue Dec  5 09:08:48 2017	(r326564)
+++ head/release/tools/ec2.conf	Tue Dec  5 09:22:14 2017	(r326565)
@@ -9,7 +9,7 @@
 export VM_EXTRA_PACKAGES="ec2-scripts firstboot-freebsd-update firstboot-pkgs dual-dhclient amazon-ssm-agent"
 # Set to a list of third-party software to enable in rc.conf(5).
-export VM_RC_LIST="ec2_configinit ec2_fetchkey ec2_ephemeralswap ec2_loghostkey firstboot_freebsd_update firstboot_pkgs"
+export VM_RC_LIST="ec2_configinit ec2_fetchkey ec2_ephemeralswap ec2_loghostkey firstboot_freebsd_update firstboot_pkgs ntpd"
 # Build with a 3 GB UFS partition; the growfs rc.d script will expand
 # the partition to fill the root disk after the EC2 instance is launched.
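Review bot: adding `ntpd` to VM_RC_LIST only flips the daemon on in rc.conf(5); on its own this hunk would start ntpd against the stock ntp.conf and its default pool entries, so it is correct only together with the ntp.conf rewrite in the second hunk. Since first boot of a fresh AMI can begin with a clock that is far off, it is worth considering `ntpd_sync_on_start` alongside this entry so ntpd is allowed to step the clock at startup rather than refusing a large initial offset.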
@@ -86,6 +86,11 @@ vm_extra_pre_umount() {
 	sed -i '' -e \
 		's/^#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' \
+	# Use the NTP service provided by Amazon
+	sed -i '' -e 's/^pool/#pool/' \
+		-e 's/^#server.*/server iburst/' \
+		${DESTDIR}/etc/ntp.conf
 	# The first time the AMI boots, the installed "first boot" scripts
 	# should be allowed to run:
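Review bot: the replacement in `-e 's/^#server.*/server iburst/'` has no server address between `server` and `iburst`, so as shown ntpd would parse `iburst` as the hostname and never reach the Amazon service the commit message describes; the Amazon Time Sync Service address belongs there. The pattern also rewrites every commented `#server` line in the file rather than one, which is fine only if the stock ntp.conf has exactly one such line. Separately, the hunk as it appears here is inconsistent with its header (`-86,6 +86,11` announces six context lines and five additions, but four of each are shown), and the preceding `sed` for sshd_config ends on a continuation backslash with no file argument before the added comment, so lines have evidently been dropped from the mail and the real change should be read from the repository rather than from this excerpt.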
