[arch-general] NTP: Possible permissions bug
Hi fellow Archers,

I seem to be having trouble with ntpd.service since the 4.2.7 upgrade. I can't get ntpd to run as the ntp user. I'm using the /etc/ntp.conf provided by the package ntp.

When starting ntpd.service (systemctl start ntp.service), ntpd spikes the CPU for a moment, and then spikes the CPU about every 5 minutes afterward. What's more, ntpq -p returns "No association ID's returned".

I ran "ntpd -g -u ntp:ntp -p /run/ntpd.pid -d" (from the systemd unit file). The results: <http://sprunge.us/QbYL>

The part I found of interest were the lines that read:

  intres: EAI_SYSTEM errno 11 (Resource temporarily unavailable) means try again, right?
  select() returned -1: Interrupted system call
  select() returned -1: Interrupted system call

I took out the "-u ntp:ntp" parameter (so ntp runs as root), and these errors disappeared. Also, ntpq -p returns the NTP servers I'm synchronized with. So, I'm pretty sure the issue is permissions related, but I have no idea what it's running into. Any insight?

I currently modified /usr/lib/systemd/system/ntpd.service so that ntpd runs as root instead of the user ntp. (Is there a cleaner way to tweak a systemd unit file?) Everything seems to run fine for now.

On a side note, the Wiki says that timedatectl (part of systemd) can use ntp for synchronization [1]. However, the man page for timedatectl shows an example where chrony (another NTP server) is running. Does ntpd.service need to be running for timedatectl to set time via NTP? Is there a way to force timedatectl to query NTP (for testing)?

--Kyle

[1] https://wiki.archlinux.org/index.php/Ntp#systemd_services
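Kyle's question about a cleaner way to tweak the unit than editing the file under /usr/lib, and his temporary workaround of running ntpd as root, deserve a concrete answer. The drop-in below is an added example and not code from any participant in the thread: systemd merges /etc/systemd/system/ntpd.service.d/*.conf on top of the packaged unit, so the packaged file survives upgrades and the daemon keeps running as the unprivileged ntp user rather than root. The binary path /usr/bin/ntpd is an assumption for illustration; copy the real ExecStart line from the packaged unit.

```ini
# /etc/systemd/system/ntpd.service.d/override.conf
# Create the directory and this file, then run: systemctl daemon-reload
#
# Keep ntpd unprivileged (-u ntp:ntp) instead of falling back to root.
# ExecStart= must be emptied before it can be replaced, otherwise systemd
# refuses the second ExecStart for a non-oneshot service. The binary path
# is an assumption for this example; take the real command line from
# /usr/lib/systemd/system/ntpd.service.
[Service]
ExecStart=
ExecStart=/usr/bin/ntpd -g -u ntp:ntp -p /run/ntpd.pid
```

Extra debugging flags (the -d Kyle added by hand) can be put on this ExecStart line while investigating and removed again without ever touching the vendor unit; `systemctl cat ntpd.service` shows the packaged unit together with every drop-in that applies to it.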
[2014-05-08 18:34:54 -0700] Kyle Terrien:
I took out the "-u ntp:ntp" parameter (so ntp runs as root), and these errors disappeared. Also, ntpq -p returns the NTP servers I'm synchronized with. So, I'm pretty sure the issue is permissions related, but I have no idea what it's running into. Any insight?
What does `ls -la /var/lib/ntp/` say? Couldn't there be another daemon binding port 123? -- Gaetan
On 05/08/2014 11:00 PM, Gaetan Bisson wrote:
[2014-05-08 18:34:54 -0700] Kyle Terrien:
I took out the "-u ntp:ntp" parameter (so ntp runs as root), and these errors disappeared. Also, ntpq -p returns the NTP servers I'm synchronized with. So, I'm pretty sure the issue is permissions related, but I have no idea what it's running into. Any insight?
What does `ls -la /var/lib/ntp/` say?
Couldn't there be another daemon binding port 123?
Hmm... In ntp-4.2.7, there is a file called .placeholder. This is not present in ntp-4.2.6. Deleting the file seems to have no effect.

  kyle@landru /var/lib $ la ntp/
  total 12
  drwxr-xr-x  2 ntp  root 4096 May  6 03:14 .
  drwxr-xr-x 32 root root 4096 May  9 08:11 ..
  -rw-r--r--  1 root root    1 May  6 03:14 .placeholder

ntpd eventually creates its ntp.drift in this directory (if ntpd runs correctly).

As far as I can tell (using netstat -l to list listening ports), there is nothing holding port 123.

- Output for ntp-4.2.6: <http://sprunge.us/FdVa>
- Output for ntp-4.2.7: <http://sprunge.us/feHI>

--Kyle
[2014-05-09 08:26:59 -0700] Kyle Terrien:
In ntp-4.2.7, there is a file called .placeholder.
I know, I put it there. :) Anyhow I'm glad you diagnosed your problem. -- Gaetan
On 05/08/2014 06:34 PM, Kyle Terrien wrote:
Hi fellow Archers,
I seem to be having trouble with ntpd.service since the 4.2.7 upgrade. I can't get ntpd to run as the ntp user.
Well, I feel dumb. After adding a couple more -d flags to ntpd, I got something about being unable to look up hostnames. I was using an old hpHosts /etc/hosts file (to block ads). I reverted it to the stock /etc/hosts file in the package filesystem, and ntp-4.2.7 runs without thrashing.

I'm re-enabling Adblock Plus for now--until I get around to creating an updated hosts table.

I'm still unsure why hostnames resolved for root, but not for the ntp user. Could the hosts file have been too large for ntpd (6.4 MB)?

--Kyle
On Fri, 2014-05-09 at 08:47 -0700, Kyle Terrien wrote:
I was using an old hpHosts /etc/hosts file (to block ads). I reverted it to the stock /etc/hosts file in the package filesystem, and ntp-4.2.7 runs without thrashing.
I'm re-enabling Adblock Plus for now--until I get around to creating an updated hosts table.
I'm using the ad-blocking hosts file from http://someonewhocares.org/hosts/zero/ though I replace 0.0.0.0 with 0.0.0.1 so that connect() returns EINVAL instead of connecting to localhost. However, that file is under 300KB, while the hpHosts file is currently over 16MB.

From looking at output from

  $ ltrace -S telnet
  telnet> open telnet.google.com
  Server lookup failure: telnet.google.com:telnet, Name or service not known
  telnet> open telnet.apple.com
  Server lookup failure: telnet.apple.com:telnet, Name or service not known
  telnet>

it appears that getaddrinfo() rescans /etc/hosts in full for each lookup. That's not obviously related to the problem you're having with ntpd, but it does seem that huge ad-blocking hosts files are horribly inefficient. Does anyone know a way to load them into a database of some sort, perhaps a NIS database that could be referenced in /etc/host.conf, e.g.

  order hosts,nis,bind

Carl
On Fri, May 09, 2014 at 12:43:11PM -0400, Carl Schaefer wrote:
it appears that getaddrinfo() rescans /etc/hosts in full for each lookup. That's not obviously related to the problem you're having with ntpd, but it does seem that huge ad-blocking hosts files are horribly inefficient. Does anyone know a way to load them into a database of some sort, perhaps a NIS database that could be referenced in /etc/host.conf, e.g.

To cache your values of /etc/hosts, you can install a DNS server locally (like dnsmasq). That way, DNS resolution of cached values is nearly instantaneous, and you can have a lot of DNS rules. I have an /etc/hosts of 16M, and yet I have a really fast DNS resolution.
On Fri, 2014-05-09 at 18:34 +0200, luc.linux@mailoo.org wrote:
To cache your values of /etc/hosts, you can install a DNS server locally (like dnsmasq). That way, DNS resolution of cached values is nearly instantaneous, and you can have a lot of DNS rules. I have an /etc/hosts of 16M, and yet I have a really fast DNS resolution.
thanks, that looks like a good solution. This is what I ended up doing:

. revert /etc/hosts to local definitions
. download the ad-blocker hosts file to /etc/hosts-adblock
. install dnsmasq, and add to /etc/dnsmasq.conf:
    addn-hosts=/etc/hosts-adblock
. remove "hosts" from /etc/host.conf

Also, since my machine doesn't travel:

. add "nohook resolv.conf" to /etc/dhcpcd.conf
. put "nameserver 127.0.0.1" in /etc/resolv.conf
. add to /etc/dnsmasq.conf
    no-resolv
    server=8.8.8.8
    server=8.8.4.4

I haven't set this up on a laptop yet, but I imagine that would be more complicated because sometimes the google DNS servers will be inaccessible (e.g. hotel wifi). Using OpenDNS on port 5353 might be a good alternative.

Carl
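Two things in this thread are worth turning into a repeatable check before a downloaded blocklist is handed to dnsmasq via addn-hosts, as Carl does above: Carl's observation that getaddrinfo() rescans a multi-megabyte /etc/hosts on every lookup, and the fact that a hosts file from the network can do more than block, since any line pointing at a real address silently redirects that hostname. The script below is an added example written for this page, not code from any participant or from dnsmasq. It parses hosts(5) syntax, flags entries that are not sinkholes (hijacks), names that also appear in the local /etc/hosts, malformed lines and duplicates, and rewrites the sinkhole entries as dnsmasq address=/name/sink lines, which also cover subdomains and therefore shrink the list. The sample hosts data is constructed, and the set of addresses accepted as sinkholes (0.0.0.0, Carl's 0.0.0.1, loopback) is this example's own choice.

```python
"""Audit an ad-blocking hosts file and convert it for dnsmasq.

Added example, not code from the thread. SAMPLE_* data below is constructed;
SINKHOLE_ADDRS is this example's own choice of acceptable blackhole targets.
"""
import ipaddress
from collections import Counter

# Addresses that merely sink traffic. A blocklist line pointing anywhere
# else redirects a hostname to a real host (a hijack), which a downloaded
# hosts file must never be allowed to do unnoticed.
SINKHOLE_ADDRS = {"0.0.0.0", "0.0.0.1", "127.0.0.1", "::", "::1"}

# Boilerplate names every hosts file carries; not blocklist content.
IGNORE_NAMES = {"localhost", "localhost.localdomain", "local",
                "broadcasthost", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (lineno, address, names) for each entry in hosts(5) syntax.

    Comments and blank lines are skipped. A line whose first field is not
    an IP address is yielded as (lineno, None, [line]) for the caller.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            yield lineno, None, [line]
            continue
        yield lineno, str(addr), [n.lower() for n in fields[1:]]


def audit_blocklist(blocklist_text, local_hosts_text):
    """Return a report of what is wrong with a blocklist.

    hijacks:    (lineno, name, addr) entries not pointing at a sinkhole
    shadowed:   (lineno, name) names also defined in the local hosts file
    malformed:  (lineno, text) lines that are not hosts(5) syntax
    duplicates: names listed more than once (pure scanning overhead)
    entries:    number of well-formed name -> address pairs examined
    """
    local_names = set()
    for _, addr, names in parse_hosts(local_hosts_text):
        if addr is not None:
            local_names.update(names)

    report = {"hijacks": [], "shadowed": [], "malformed": [],
              "duplicates": [], "entries": 0}
    seen = Counter()
    for lineno, addr, names in parse_hosts(blocklist_text):
        if addr is None or not names:
            report["malformed"].append((lineno, names[0] if names else addr))
            continue
        for name in names:
            if name in IGNORE_NAMES:
                continue
            report["entries"] += 1
            seen[name] += 1
            if addr not in SINKHOLE_ADDRS:
                report["hijacks"].append((lineno, name, addr))
            if name in local_names:
                report["shadowed"].append((lineno, name))
    report["duplicates"] = sorted(n for n, c in seen.items() if c > 1)
    return report


def to_dnsmasq_addresses(blocklist_text, sink="0.0.0.0", exclude=frozenset()):
    """Rewrite sinkhole entries as dnsmasq `address=/name/sink` lines.

    address= matches the name and every subdomain, unlike addn-hosts which
    matches exact names, so children of a listed domain are dropped. Entries
    that are not sinkholes, or that appear in `exclude`, are left out.
    """
    names = set()
    for _, addr, hostnames in parse_hosts(blocklist_text):
        if addr in SINKHOLE_ADDRS:
            names.update(n for n in hostnames
                         if n not in IGNORE_NAMES and n not in exclude)
    covered = set()
    for name in sorted(names, key=len):  # parents are always shorter
        parts = name.split(".")
        if any(".".join(parts[i:]) in covered for i in range(1, len(parts))):
            continue
        covered.add(name)
    return [f"address=/{n}/{sink}" for n in sorted(covered)]


SAMPLE_BLOCKLIST = """\
# constructed sample blocklist, not a real list
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.ads.example.net   # covered by the parent domain above
0.0.0.1 metrics.example.org
0.0.0.0 ads.example.net           # duplicate of line 3
203.0.113.5 www.example.com       # not a sinkhole: a redirect, not a block
0.0.0.0 nas.home.arpa             # also defined in the local hosts file
this is not a hosts line
"""

SAMPLE_LOCAL_HOSTS = """\
127.0.0.1 localhost
::1 localhost
192.168.1.10 nas.home.arpa
"""

if __name__ == "__main__":
    report = audit_blocklist(SAMPLE_BLOCKLIST, SAMPLE_LOCAL_HOSTS)
    for key, value in report.items():
        print(f"{key}: {value}")
    shadowed = {name for _, name in report["shadowed"]}
    print("\n".join(to_dnsmasq_addresses(SAMPLE_BLOCKLIST, "0.0.0.1", shadowed)))
```

Run it against the real downloaded file and the stock /etc/hosts; anything under hijacks or shadowed should be removed by hand before the list goes live. The address= lines can be written to a file that dnsmasq reads through conf-file= and used in place of addn-hosts, which keeps dnsmasq's own hash lookup while making the list smaller than the original hosts file.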
On Sat, May 10, 2014 at 12:41:36PM -0400, Carl Schaefer wrote:
Also, since my machine doesn't travel:

. add "nohook resolv.conf" to /etc/dhcpcd.conf
. put "nameserver 127.0.0.1" in /etc/resolv.conf
. add to /etc/dnsmasq.conf
    no-resolv
    server=8.8.8.8
    server=8.8.4.4

I haven't set this up on a laptop yet, but I imagine that would be more complicated because sometimes the google DNS servers will be inaccessible (e.g. hotel wifi). Using OpenDNS on port 5353 might be a good alternative. Carl

For that case, I have modified /etc/resolvconf.conf to make netctl generate DNS information in /etc/resolvdns.conf. I then set /etc/resolv.conf to localhost, and configured dnsmasq to use /etc/resolvdns.conf. It is a bit of a hack, but it works.
On 05/10/14 at 06:43pm, luc.linux@mailoo.org wrote:
On Sat, May 10, 2014 at 12:41:36PM -0400, Carl Schaefer wrote:
Also, since my machine doesn't travel:

. add "nohook resolv.conf" to /etc/dhcpcd.conf
. put "nameserver 127.0.0.1" in /etc/resolv.conf
. add to /etc/dnsmasq.conf
    no-resolv
    server=8.8.8.8
    server=8.8.4.4

I haven't set this up on a laptop yet, but I imagine that would be more complicated because sometimes the google DNS servers will be inaccessible (e.g. hotel wifi). Using OpenDNS on port 5353 might be a good alternative. Carl

For that case, I have modified /etc/resolvconf.conf to make netctl generate DNS information in /etc/resolvdns.conf. I then set /etc/resolv.conf to localhost, and configured dnsmasq to use /etc/resolvdns.conf. It is a bit of a hack, but it works.
Instead of all that, you can simply use /etc/resolv.conf.head. Whatever you put in there will be put in the top of /etc/resolv.conf. This only works with dhcpcd though. For dhclient, you can configure this in /etc/dhclient.conf. -- Curtis Shimamoto
Thanks everyone for all of the suggestions on how to block ads at the DNS level. I'm currently trying out Carl Schaefer's favorite hosts file [1], but I look forward to experimenting with dnsmasq when my finals are over.

--Kyle

[1] http://someonewhocares.org/hosts/zero/
participants (5)
- Carl Schaefer
- Curtis Shimamoto
- Gaetan Bisson
- Kyle Terrien
- luc.linux@mailoo.org