FreeBSD Jails and ntpd

I’ve written elsewhere how daemons running on jail servers (the main host, not the imprisoned machines) should listen only on a single address. They shouldn’t bind to all addresses on the machine.

Your average empty FreeBSD install has two problem children: syslogd and ntpd. Adding syslogd_flags="-ss" to /etc/rc.conf handles the first. But FreeBSD’s included ntpd binds to port 123 on all addresses on the machine.

You can run jails while running ntpd. The jail won’t crash in flames. But the jail code expects the jail to have exclusive access to the jail address. This could well come back to bite you later. Besides, it lacks elegance.

Enter openntpd. Openntpd can synch your host clock without binding to any ports. Install it from packages:

# pkg install openntpd

The file /usr/local/etc/ntpd.conf lets you set the preferred server(s) and, if needed, a bind address. This machine is in private address space, so I have to point it at my local time server.


Now enable openntpd in /etc/rc.conf, and disable the system default ntpd if it’s running.


Run ntpdate to fix the time, then start openntpd.

# ntpdate
1 Nov 15:03:22 ntpdate[53689]: adjust time server offset -4.001088 sec
# service openntpd start
Starting openntpd.

The clock is now correct — or, rather, if the clock is wrong, all the servers will be wrong together. And the various jails each has sole access to their own IP addresses.

3 Replies to “FreeBSD Jails and ntpd”

  1. While it is possible to somewhat restrict ntpd’s listening socket(s), it’s a giant pain.

    NTP is one of those things that sorely needs an intelligent network-client-only daemon.

    timeslave used to do this for the inetd-based time service. Maybe an NTP client should be called ntpslave?

    Howsabout a daemonized sntp client called sntpslave?


  2. I have it installed and running.

    One complaint: there is no pid file that I can see. That conflicts with my nagios strategy for confirming that the daemon is running.

Comments are closed.