Default NTP Installation - Open Network Service


Post by windexh8er » Wed Jul 22, 2015 2:28 pm

Recently put Arch on a new RPi2 for some home automation. Installed ntp as usual (pacman -Sy ntp) and did a sanity check to see where the defaults were listening...

To my surprise I got this back:
```
(sbox-2710)[root@rpi2-arch-00 etc]# netstat -panu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 10.50.50.201:123        0.0.0.0:*                           31091/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           31091/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           31091/ntpd
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           199/systemd-resolve
udp        0      0 10.50.50.201:68         0.0.0.0:*                           188/systemd-network
udp6       0      0 fe80::ba27:ebff:fe0:123 :::*                                31091/ntpd
udp6       0      0 ::1:123                 :::*                                31091/ntpd
udp6       0      0 :::123                  :::*                                31091/ntpd
udp6       0      0 :::5355                 :::*                                199/systemd-resolve
udp6       0      0 :::546                  :::*                                188/systemd-network
```

So, I went into ntp.conf, nothing looked like it should be listening on an active interface but I whittled the configuration down to this:

```
# North America Pool
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
server 2.north-america.pool.ntp.org iburst
server 3.north-america.pool.ntp.org iburst

restrict default ignore
restrict 127.0.0.1

# Location of drift file
driftfile /var/lib/ntp/ntp.drift
```

Did a "systemctl restart ntpd". Same thing, listening on the external address. Weird. So, just for another sanity check I ran Nmap against it (from an external box) to validate it was truly serving time externally (which I don't want) and sure enough:

```
PORT    STATE SERVICE VERSION
123/udp open  ntp     NTP v4
| ntp-info:
|   receive time stamp: 2015-07-22T13:53:45
|   version: ntpd 4.2.8p3@1.3265-o Mon Jul 6 19:12:19 UTC 2015 (1)
|   processor: armv7l
|   system: Linux/4.0.8-3-ARCH
|   leap: 0
|   stratum: 2
|   precision: -19
|   rootdelay: 28.706
|   rootdisp: 8.085
|   refid: 73.208.216.139
|   reftime: 0xd95a1ed1.a4522dde
|   clock: 0xd95a1ee8.1de9283b
|   peer: 6069
|   tc: 6
|   mintc: 3
|   offset: -2.159971
|   frequency: 0.000
|   jitter: 9.312738
|   jitter: 1.107
|_  wander: 0.000
MAC Address: B8:27:EB:06:0A:78 (Raspberry Pi Foundation)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
```

WTF. So... I looked for ntp.conf elsewhere, but didn't find anything. So I decided to see if lsof would tell me what configuration file ntpd started with, but no dice:

```
(sbox-2710)[root@rpi2-arch-00 etc]# lsof -p 31091
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ntpd 31091 ntp cwd DIR 179,2 4096 2 /
ntpd 31091 ntp rtd DIR 179,2 4096 2 /
ntpd 31091 ntp txt REG 179,2 586772 152120 /usr/bin/ntpd
ntpd 31091 ntp mem REG 179,2 83900 149563 /usr/lib/libresolv-2.21.so
ntpd 31091 ntp mem REG 179,2 26308 149560 /usr/lib/libnss_dns-2.21.so
ntpd 31091 ntp mem REG 179,2 50928 149383 /usr/lib/libnss_files-2.21.so
ntpd 31091 ntp mem REG 179,2 75484 149344 /usr/lib/libz.so.1.2.8
ntpd 31091 ntp mem REG 179,2 18044 149602 /usr/lib/libdl-2.21.so
ntpd 31091 ntp mem REG 179,2 14624 149523 /usr/lib/libattr.so.1.1.0
ntpd 31091 ntp mem REG 179,2 1567704 149380 /usr/lib/libc-2.21.so
ntpd 31091 ntp mem REG 179,2 134556 149692 /usr/lib/libpthread-2.21.so
ntpd 31091 ntp mem REG 179,2 1872788 136578 /usr/lib/libcrypto.so.1.0.0
ntpd 31091 ntp mem REG 179,2 448172 149355 /usr/lib/libm-2.21.so
ntpd 31091 ntp mem REG 179,2 13136 149564 /usr/lib/libcap.so.2.24
ntpd 31091 ntp mem REG 179,2 1352892 149432 /usr/lib/libgcc_s.so.1
ntpd 31091 ntp mem REG 179,2 161004 149477 /usr/lib/ld-2.21.so
ntpd 31091 ntp 0r CHR 1,3 0t0 1031 /dev/null
ntpd 31091 ntp 1r CHR 1,3 0t0 1031 /dev/null
ntpd 31091 ntp 2r CHR 1,3 0t0 1031 /dev/null
ntpd 31091 ntp 3u unix 0xb8f74a00 0t0 71827 type=DGRAM
ntpd 31091 ntp 16u IPv6 71835 0t0 UDP *:ntp
ntpd 31091 ntp 17u IPv4 71838 0t0 UDP *:ntp
ntpd 31091 ntp 18u IPv4 71842 0t0 UDP localhost.localdomain:ntp
ntpd 31091 ntp 19u IPv4 71844 0t0 UDP rpi2-arch-00:ntp
ntpd 31091 ntp 20u IPv6 71846 0t0 UDP localhost.localdomain:ntp
ntpd 31091 ntp 21u IPv6 71848 0t0 UDP rpi2-arch-00:ntp
ntpd 31091 ntp 22u netlink 0t0 71849 ROUTE
```

The man page says it opens "/etc/ntp.conf" by default. So... Guess not. Or it only consumes it on start. I'm too lazy to remember how to watch the process starting though. If anybody wants to Google that for me, thanks. :)

OK, fine - I give up. Let's just go modify "/usr/lib/systemd/system/ntpd.service" to pass it -c, since it looks like ntp is starting without the "-c" flag, which shouldn't be a problem (again according to the man page) but...

Changed:
```
ExecStart=/usr/bin/ntpd -g -u ntp:ntp
...to...
ExecStart=/usr/bin/ntpd -c /etc/ntp.conf -g -u ntp:ntp
```

Did a "systemctl daemon-reload", then a "systemctl start ntpd". Now everything looks fine. Very odd. So... Is the package broken? Where is ntp getting its configuration that listens on every interface?

Maybe I missed something, I haven't had coffee yet this morning...

TL;DR
Don't install NTP as a service unless you trust your local network with it. And if you have an ARM7 box on the public Internet I'd suggest you fix how NTP is running.

Edit_1: Updated the config file with the correct ignore lines. Also - on second glance (I rebooted the Rpi2), this actually doesn't fix the problem. Even with the ntpd.service referencing /etc/ntp.conf the service still ignores the configuration file and listens on all available addresses. Fail?
windexh8er
 
Posts: 7
Joined: Wed Jul 22, 2015 2:04 pm
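
Added example, not part of the original posts: in ntp.conf, `restrict` lines control which packets ntpd answers, while `interface`/`nic` lines control which addresses it opens, so the netstat listing and the Nmap result in the first post test two different things. This Python script (function and field names are hypothetical) reads the posted config and reports each separately; it assumes only the default restrict entry matters for an arbitrary remote host and does not consider ntpd command-line options.

```python
QUERY_BLOCKERS = {"ignore", "noquery"}  # flags that drop ntpq/ntpdc-style queries
TIME_BLOCKERS = {"ignore", "noserve"}   # flags that drop time requests
# The whittled-down config from the first post, copied as posted.
POSTED_CONF = """\
# North America Pool
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
server 2.north-america.pool.ntp.org iburst
server 3.north-america.pool.ntp.org iburst

restrict default ignore
restrict 127.0.0.1

# Location of drift file
driftfile /var/lib/ntp/ntp.drift
"""

def audit_ntp_conf(text):
    """Report what the default restrict entry and interface rules imply.
    A config with no 'restrict default' line has a default entry with no flags."""
    default_flags = {"ipv4": set(), "ipv6": set()}
    interface_rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "restrict":
            families = ["ipv4", "ipv6"]  # unqualified 'default' covers both
            args = words[1:]
            if args and args[0] in ("-4", "-6"):
                families = ["ipv4" if args[0] == "-4" else "ipv6"]
                args = args[1:]
            if args and args[0] == "default":
                for fam in families:
                    default_flags[fam] = set(args[1:])
        elif words[0] in ("interface", "nic") and len(words) >= 3:
            interface_rules.append((words[1], words[2]))
    return {
        # Address families on which an arbitrary remote host gets a reply.
        "answers_queries": sorted(f for f, fl in default_flags.items()
                                  if not fl & QUERY_BLOCKERS),
        "serves_time": sorted(f for f, fl in default_flags.items()
                              if not fl & TIME_BLOCKERS),
        # restrict lines never change binding; only interface/nic rules do.
        "default_binding": not interface_rules,
        "interface_rules": interface_rules,
    }

if __name__ == "__main__":
    print(audit_ntp_conf(POSTED_CONF))
```

For the posted config the report shows no address family answering remote hosts, yet default binding on every address, which is why open sockets in netstat alone do not show exposure and a reply to an external probe does.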

Re: Default NTP Installation - Open Network Service

Post by WarheadsSE » Wed Jul 22, 2015 4:17 pm

Did you disable systemd-timesyncd?

Also, I would suggest using systemd drop-ins (/etc/systemd/system/ntpd.service.d/) instead of editing the main service file, if necessary.
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: Default NTP Installation - Open Network Service

Post by windexh8er » Tue Jul 28, 2015 3:45 pm

I looked and timesyncd didn't appear to be enabled by default. I'm curious why that would impact how ntpd would start and why it would ignore specific configuration options?

Thanks for the info on drop-ins, I haven't changed default service profiles much so that's a great pointer. Much appreciated!

What is the recommended approach? I'm running Ubiquiti UniFi controller software on the RPi2 and want to make sure time is accurate for the roaming events that take place between access points and how the controller deals with that. Also for logging purposes. Ultimately I just want time continually in-sync and I assumed NTP was the preferred path but if there is a better way I'm all ears.

Thanks!

Re: Default NTP Installation - Open Network Service

Post by WarheadsSE » Tue Jul 28, 2015 5:28 pm

Using NTP is a preferred path, yes. That doesn't mean it has to be with ntpd though. And as for why it is not using the correct configuration options I can't say at this time as I have not had opportunity to investigate further.