I’ve written elsewhere how daemons running on jail servers (the main host, not the imprisoned machines) should listen only on a single address. They shouldn’t bind to all addresses on the machine.
Your average empty FreeBSD install has two problem children: syslogd and ntpd. Adding
syslogd_flags="-ss"
to /etc/rc.conf handles the first. But FreeBSD’s included ntpd binds to port 123 on all addresses on the machine.
You can run jails while running ntpd. The jail won’t crash in flames. But the jail code expects the jail to have exclusive access to the jail address. This could well come back to bite you later. Besides, it lacks elegance.
Enter openntpd. Openntpd can synch your host clock without binding to any ports. Install it from packages:
# pkg install openntpd
The file /usr/local/etc/ntpd.conf lets you set the preferred server(s) and, if needed, a bind address. This machine is in private address space, so I have to point it at my local time server.
server time.michaelwlucas.com
Now enable openntpd in /etc/rc.conf, and disable the system default ntpd if it’s running.
openntpd_enable="YES"
Run ntpdate to fix the time, then start openntpd.
# ntpdate time.michaelwlucas.com
1 Nov 15:03:22 ntpdate[53689]: adjust time server 192.0.2.130 offset -4.001088 sec
# service openntpd start
Starting openntpd.
The clock is now correct — or, rather, if the clock is wrong, all the servers will be wrong together. And the various jails each have sole access to their own IP addresses.
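To confirm nothing on the host still binds to the wildcard address after the switch, here is an added audit script (not from the original post) that parses sockstat-style output and lists every socket bound to *. The sockstat lines below are constructed sample data so it runs offline; on a real host you would feed it the output of sockstat -46l instead.

```shell
#!/bin/sh
# Constructed sample in the format of FreeBSD's sockstat -46l output, showing
# the stock ntpd on *:123 (the problem this post fixes) next to daemons that
# are correctly bound to one address. Replace with real output on a host.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       1234  20 udp4   *:123                 *:*
root     ntpd       1234  21 udp4   192.0.2.10:123        *:*
root     syslogd    1100  6  udp4   *:514                 *:*
root     sshd       900   4  tcp4   192.0.2.10:22         *:*
root     sshd       900   5  tcp6   2001:db8::10:22       *:*
_ntp     ntpd       2000  3  udp4   192.0.2.10:25733      192.0.2.130:123'

# wildcard_binds: read sockstat-style text on stdin, skip the header line, and
# print "COMMAND PID PROTO LOCAL" for every socket whose local address is *.
# Field 6 is the local address; "*:PORT" means bound to all addresses.
wildcard_binds() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $3, $5, $6 }'
}

# wildcard_count: how many wildcard-bound sockets the sample contains.
wildcard_count() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_binds | awk 'END { print NR }'
}

# wildcard_commands: the distinct daemon names bound to *, one per line,
# i.e. the list of things that still need a fixed bind address.
wildcard_commands() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_binds | awk '{ print $1 }' | sort -u
}

# Run against the constructed sample; on a real host use:
#   sockstat -46l | wildcard_binds
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_binds
```

An empty result from wildcard_binds is the state this post is aiming for: every host daemon, ntpd included, bound to a specific address and the jail addresses left untouched.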
This particular ntpd issue has long annoyed me too. Having only recently used pkg for the first time, I think I now see my next use.
While it is possible to somewhat restrict ntpd’s listening socket(s), it’s a giant pain.
NTP is one of those things that sorely needs an intelligent network-client-only daemon.
timeslave used to do this for the inetd-based time service. Maybe an NTP client should be called ntpslave?
Howsabout a daemonized sntp client called sntpslave?
Hmmm…
I have it installed and running.
One complaint: there is no pid file that I can see. That conflicts with my nagios strategy for confirming that the daemon is running.