Hi,

Well, due to the recent ntp vulnerabilities (and previous ntp bugs & vulnerabilities), running ntpd chrooted seems like a sane default. So, isn't it time that NetBSD gets 'echo "ntpd_chrootdir=/var/chroot/ntpd/" > /etc/rc.conf.d/ntpd' ? This has been working fine on the stable branches AFAIK.
Anyway, I discovered that on a recent netbsd-7_BETA (and on 7.99.1), chrooting ntpd doesn't seem to work well if you have /etc/resolv.conf configured with 127.0.0.1 (or ::1) as the first nameserver. If I change it to an "external" nameserver and restart ntpd, it works. (I can't replicate this problem on netbsd-6 or netbsd-5.)

I get this in /var/log/messages:

Dec 27 04:08:39 netbsd-7_BETA ntpd[1805]: ntpd exiting on signal 15 (Terminated)
Dec 27 04:08:41 netbsd-7_BETA ntpd[4385]: ntpd 4.2.8-o Fri Dec 19 21:49:44 EST 2014 (import): Starting
Dec 27 04:08:41 netbsd-7_BETA ntpd[4385]: Command line: /usr/sbin/ntpd -u ntpd:ntpd -i /var/chroot/ntpd/ -p /var/run/ntpd.pid
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: proto: precision = 3.631 usec (-18)
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen and drop on 0 v6wildcard [::]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 2 bge0 [fe80::20e:7fff:feac:fa6c%1]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 3 bge0 193.10.5.xx:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 4 bge0 193.10.5.yy:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 5 bge0 [2001:6b0:8::xx]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 6 bge0 [2001:6b0:8::yy]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 7 lo0 127.0.0.1:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 8 lo0 [::1]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 9 lo0 [fe80::1%3]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listening on routing socket on fd #30 for interface updates
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: restrict default: KOD does nothing without LIMITED.
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: running as non-root disables dynamic interface tracking
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: giving up resolving host 0.netbsd.pool.ntp.org: servname not supported for ai_socktype (9)
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: giving up resolving host 1.netbsd.pool.ntp.org: servname not supported for ai_socktype (9)
…

bash-4.3# ntpq -p
No association ID's returned

Running ntpd without chrooting it on netbsd-7_BETA (and on 7.99.1) doesn't give me this problem...

Re,
/P
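The post above pairs a chrooted ntpd (-i /var/chroot/ntpd/) with a resolv.conf whose first nameserver is loopback and gets "giving up resolving host". The following is an added pre-flight check, written for this page and not part of the original post or of NetBSD's ntpd rc script. It assumes the chroot directory is /var/chroot/ntpd (overridable via NTPD_CHROOT), and it assumes, as a convention rather than something the post establishes, that a resolver running inside the chroot wants etc/resolv.conf, etc/hosts, etc/services and etc/protocols to exist there. The check flags a loopback first nameserver, which is the configuration the post reports as failing, and lists resolver files missing from the chroot.

```shell
#!/bin/sh
# Added example: pre-flight checks before starting ntpd chrooted on NetBSD.
# Not part of the original post. Assumption: the chroot is /var/chroot/ntpd
# unless NTPD_CHROOT says otherwise.

NTPD_CHROOT="${NTPD_CHROOT:-/var/chroot/ntpd}"

# first_nameserver FILE
#   Print the address on the first "nameserver" line of a resolv.conf-style
#   file (comments and other directives are skipped). Prints nothing if none.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# is_loopback ADDR
#   Return 0 when ADDR is an IPv4 loopback (127.0.0.0/8) or the IPv6 loopback.
is_loopback() {
    case "$1" in
        127.*|::1|0:0:0:0:0:0:0:1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_resolv FILE
#   Return 0 if the first nameserver is a non-loopback address,
#          1 if it is loopback (the configuration the post reports as failing
#            inside the chroot),
#          2 if the file has no nameserver line at all.
check_resolv() {
    ns=$(first_nameserver "$1")
    if [ -z "$ns" ]; then
        return 2
    fi
    if is_loopback "$ns"; then
        return 1
    fi
    return 0
}

# check_chroot DIR
#   Report resolver-related files that are absent under DIR and return their
#   count (0 means everything listed is present). The file list is an
#   assumption about what a resolver conventionally consults, not something
#   taken from the post or from the NetBSD rc script.
check_chroot() {
    dir="$1"
    missing=0
    for f in etc/resolv.conf etc/hosts etc/services etc/protocols; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing in chroot: $dir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# preflight
#   Run both checks against the live system; exit non-zero on any finding.
preflight() {
    status=0
    check_resolv /etc/resolv.conf
    case $? in
        1) echo "first nameserver in /etc/resolv.conf is loopback" >&2; status=1 ;;
        2) echo "no nameserver configured in /etc/resolv.conf" >&2; status=1 ;;
    esac
    check_chroot "$NTPD_CHROOT" || status=1
    return "$status"
}

# Only run the live checks when invoked as a script, not when sourced.
case "$0" in
    *preflight*|*ntpd*) preflight ;;
esac
```

Run it as root before switching ntpd_chrootdir on; a loopback first nameserver is reported as a finding because that is the case the post shows failing, and the chroot file list is there so a bare chroot directory is noticed before ntpd logs "giving up resolving host".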
