Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-12 Thread Miroslav Lichvar
On Tue, Dec 12, 2023 at 04:34:09PM +0300, CpServiceSPb wrote:
>  Hallelujah.
> It has worked.
Great.

> One question remained - how to bind client instances to the exact wan
> interface, not to 0.0.0.0 ?

The client's sockets can be bound to an address with the
bindacqaddress directive.

-- 
Miroslav Lichvar


-- 
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.
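
A start/stop script for the layout this thread settled on (one upstream client instance plus a server instance bound to each internal address), as an added example in Python; it is not the thread's or chrony's own code. It writes the three configs from the thread, refuses to start while another chronyd is running, creates the command-socket directory with the ownership chronyd requires, and after starting checks `ss` for any NTP socket left on a wildcard address. Assumptions beyond the thread: Ubuntu 22.04 paths, the `_chrony` user, the WAN address 203.0.113.10 (made up), pidfiles under /var/run/chrony, and `bindaddress 127.0.0.1` on the client instance so its port 11123 is not reachable from the network.

```python
"""Start and stop one upstream chronyd client plus per-interface server instances.

Added example for this thread, not chrony's own code. It writes the three configs
from the thread (LAN/DMZ server instances fed by a local client) to /etc, starts
them with `chronyd -f`, and checks that no NTP socket ended up on 0.0.0.0.
Assumptions: Ubuntu 22.04 paths, chrony user "_chrony", LAN/DMZ addresses as in
the thread, and a made-up WAN address; adjust before use.
"""
import subprocess
import sys
from pathlib import Path

CHRONY_USER = "_chrony"              # Ubuntu/Debian; Fedora and RHEL use "chrony"
RUN_DIR = Path("/var/run/chrony")    # covered by Ubuntu's chronyd AppArmor profile
CONF_DIR = Path("/etc")              # not /etc/chrony/conf.d, which chrony.service reads
ADDRS = {"lan": "192.168.0.254", "dmz": "172.17.0.254"}   # addresses from the thread
CMDPORTS = {"lan": 11323, "dmz": 11324}
WAN_IP = "203.0.113.10"              # assumed WAN address (documentation range)


def server_conf(name: str, bind_addr: str, cmdport: int) -> str:
    """Server instance: NTP socket on one address only, clock copied from the local client."""
    return "\n".join([
        "server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy",
        f"bindaddress {bind_addr}",     # not 0.0.0.0: other interfaces never see port 123
        "allow",                         # anyone who can reach bind_addr; firewall the rest
        f"cmdport {cmdport}",            # distinct per instance
        f"bindcmdaddress {RUN_DIR}/chronyd-server-{name}.sock",
        f"pidfile {RUN_DIR}/chronyd-server-{name}.pid",
        f"driftfile /var/lib/chrony/drift-server-{name}",
    ]) + "\n"


def client_conf(wan_addr: str) -> str:
    """Client instance: polls the pool from the WAN address, serves 127.0.0.1 only."""
    return "\n".join([
        "pool pool.ntp.org iburst",
        f"bindacqaddress {wan_addr}",    # source address of the client's own requests
        "bindaddress 127.0.0.1",         # its port 11123 server socket stays off the wire
        "port 11123",
        "allow 127.0.0.1",
        f"pidfile {RUN_DIR}/chronyd-client.pid",
        "driftfile /var/lib/chrony/drift",
        "makestep 1 3",
        "rtcsync",
    ]) + "\n"


def instances() -> dict:
    """Config file basename -> contents, client first so the servers find it."""
    confs = {"chrony-client-upstream": client_conf(WAN_IP)}
    for name, addr in ADDRS.items():
        confs[f"chrony-server-{name}"] = server_conf(name, addr, CMDPORTS[name])
    return confs


def wildcard_ntp_listeners(ss_output: str) -> list:
    """Lines of `ss -Hulnp` output whose local address is a wildcard on UDP/123."""
    return [line for line in ss_output.splitlines()
            if len(line.split()) >= 4
            and line.split()[3] in ("0.0.0.0:123", "[::]:123", "*:123")]


def start_all() -> None:
    # The "Another chronyd may already be running" error in the thread: refuse to race it.
    if subprocess.run(["pgrep", "-x", "chronyd"], capture_output=True).returncode == 0:
        sys.exit("chronyd already running; stop chrony.service and stray instances first")
    # bindcmdaddress needs the socket directory owned by the chrony user and not
    # writable by others (the "Wrong permissions" errors earlier in the thread).
    subprocess.run(["install", "-d", "-o", CHRONY_USER, "-g", CHRONY_USER,
                    "-m", "0750", str(RUN_DIR)], check=True)
    for name, text in instances().items():
        conf = CONF_DIR / f"{name}.conf"
        conf.write_text(text)
        subprocess.run(["chronyd", "-f", str(conf)], check=True)   # forks into the background
    ss = subprocess.run(["ss", "-Hulnp"], capture_output=True, text=True, check=True).stdout
    for line in wildcard_ntp_listeners(ss):
        print("NTP socket still on a wildcard address:", line, file=sys.stderr)


def stop_all() -> None:
    for pidfile in sorted(RUN_DIR.glob("chronyd-*.pid")):
        subprocess.run(["kill", pidfile.read_text().strip()], check=False)


if __name__ == "__main__":
    actions = {"start": start_all, "stop": stop_all}
    action = actions.get(sys.argv[1] if len(sys.argv) > 1 else "")
    action() if action else sys.exit(f"usage: {sys.argv[0]} start|stop")
```

Run it as root with `start` or `stop`. The configs go to /etc rather than /etc/chrony/conf.d because chrony.service includes that directory and, as seen earlier in the thread, would start an extra instance from them; stop chrony.service before `start`. Query one instance with `chronyc -h /var/run/chrony/chronyd-server-lan.sock sources`. `bindaddress` only decides which sockets exist; it does not replace a firewall rule blocking UDP/123 on the WAN interface, and `allow` without an argument still admits any client that can reach the bound address.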



Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-12 Thread CpServiceSPb
 Hallelujah.
It has worked.
I will think about how to make an appropriate start/stop script.

> That suggests there is an unexpected chronyd instance running on the
> system, maybe from a previous test which wasn't terminated properly?
I investigated.
It is when lan/dmz config files are located in the folder specified as
conf.d in chrony.conf.

One question remained - how to bind client instances to the exact wan
interface, not to 0.0.0.0 ?




On Tue, 12 Dec 2023 at 16:26, Miroslav Lichvar wrote:

> On Tue, Dec 12, 2023 at 04:07:23PM +0300, CpServiceSPb wrote:
> > Let's clarify:
>
> Yes, that looks good to me. Make sure no other chronyd instance is
> running before you start those three.
>
> --
> Miroslav Lichvar
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-12 Thread Miroslav Lichvar
On Tue, Dec 12, 2023 at 04:07:23PM +0300, CpServiceSPb wrote:
> Let's clarify:

Yes, that looks good to me. Make sure no other chronyd instance is
running before you start those three.

-- 
Miroslav Lichvar





Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-12 Thread CpServiceSPb
Let's clarify:

==
chronyd -f /etc/chrony-server-lan.conf
where /etc/chrony-server-lan.conf:
server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
bindaddress lanIP
allow
cmdport 11323
bindcmdaddress /var/run/chrony/chronyd-server-lan.sock
pidfile /var/run/chronyd-server-lan.pid
driftfile /var/lib/chrony/drift-server-lan

==
chronyd -f /etc/chrony-server-dmz.conf
where /etc/chrony-server-dmz.conf:
server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
bindaddress dmzIP
allow
cmdport 11324
bindcmdaddress /var/run/chrony/chronyd-server-dmz.sock
pidfile /var/run/chronyd-server-dmz.pid
driftfile /var/lib/chrony/drift-server-dmz


==
chronyd -f /etc/chrony-client-upstream.conf
where /etc/chrony-client-upstream.conf:
pool pool.ntp.org iburst
allow 127.0.0.1
port 11123
driftfile /var/lib/chrony/drift
makestep 1 3
rtcsync

On Tue, 12 Dec 2023 at 16:00, Miroslav Lichvar wrote:

> On Tue, Dec 12, 2023 at 03:49:10PM +0300, CpServiceSPb wrote:
> > I will check about unexpected chrony instances.
> > I use Ubuntu 22.04 LTS x64.
> >
> > Should I use the config you posted above and multi script or config and
> > chrony -d ?
>
> Don't use the script. It cannot set different bindaddresses. It was
> just an example showing how multiple instances can be started. You
> should create the three configs (1 client + 2 servers) at some
> location and run
>
> chronyd -f /etc/chrony.conf.1
> chronyd -f /etc/chrony.conf.2
> chronyd -f /etc/chrony.conf.3
>
> --
> Miroslav Lichvar
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-12 Thread Miroslav Lichvar
On Tue, Dec 12, 2023 at 03:49:10PM +0300, CpServiceSPb wrote:
> I will check about unexpected chrony instances.
> I use Ubuntu 22.04 LTS x64.
> 
> Should I use the config you posted above and multi script or config and
> chrony -d ?

Don't use the script. It cannot set different bindaddresses. It was
just an example showing how multiple instances can be started. You
should create the three configs (1 client + 2 servers) at some
location and run

chronyd -f /etc/chrony.conf.1
chronyd -f /etc/chrony.conf.2
chronyd -f /etc/chrony.conf.3

-- 
Miroslav Lichvar





Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-12 Thread CpServiceSPb
I will check about unexpected chrony instances.
I use Ubuntu 22.04 LTS x64.

Should I use the config you posted above and multi script or config and
chrony -d ?


On Tue, 12 Dec 2023 at 15:23, Miroslav Lichvar wrote:

> On Mon, Dec 11, 2023 at 06:04:18PM +0300, CpServiceSPb wrote:
> > Which ports will be listened to, 123 ?
> > I mean by the server from clients in lan/dmz?
>
> Yes, 123.
>
> > I did such a configuration.
> >
> > Launched as chronyd -d and got:
> > Could not add source 127.0.0.1
>
> That would indicate you have the same source specified multiple times
> in the config. Try the configs I posted. They have only one source
> specified.
>
> > If I launched via multi script I got:
> > Starting server instance #1
> > Starting server instance #2
> > Starting server instance #3
> > Starting server instance #4
> > Starting client instance
> > Fatal error : Another chronyd may already be running (pid=135687), check
> > /var/run/chrony/chronyd-server2.pid
>
> That suggests there is an unexpected chronyd instance running on the
> system, maybe from a previous test which wasn't terminated properly?
> See what process has the PID 135687.
>
> Maybe your system is cursed and cannot run chrony as expected.
> Try ntpsec. It should be easier to configure for your requirements.
>
> --
> Miroslav Lichvar
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-12 Thread Miroslav Lichvar
On Mon, Dec 11, 2023 at 06:04:18PM +0300, CpServiceSPb wrote:
> Which ports will be listened to, 123 ?
> I mean by the server from clients in lan/dmz?

Yes, 123.

> I did such a configuration.
> 
> Launched as chronyd -d and got:
> Could not add source 127.0.0.1

That would indicate you have the same source specified multiple times
in the config. Try the configs I posted. They have only one source
specified.

> If I launched via multi script I got:
> Starting server instance #1
> Starting server instance #2
> Starting server instance #3
> Starting server instance #4
> Starting client instance
> Fatal error : Another chronyd may already be running (pid=135687), check
> /var/run/chrony/chronyd-server2.pid

That suggests there is an unexpected chronyd instance running on the
system, maybe from a previous test which wasn't terminated properly?
See what process has the PID 135687.

Maybe your system is cursed and cannot run chrony as expected.
Try ntpsec. It should be easier to configure for your requirements.

-- 
Miroslav Lichvar





Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-11 Thread CpServiceSPb
I did such a configuration.

Launched as chronyd -d and got:
Could not add source 127.0.0.1

and netstat -anupt | grep 123
udp   0   0 127.0.0.1:35180   127.0.0.1:11123   ESTABLISHED 135185/chronyd
udp   0   0 dmzIP:11123       0.0.0.0:*                     135185/chronyd

If I launched via multi script I got:
Starting server instance #1
Starting server instance #2
Starting server instance #3
Starting server instance #4
Starting client instance
Fatal error : Another chronyd may already be running (pid=135687), check
/var/run/chrony/chronyd-server2.pid

and netstat:
udp   0   0 0.0.0.0:123       0.0.0.0:*   136025/chronyd
udp   0   0 0.0.0.0:123       0.0.0.0:*   136024/chronyd
udp   0   0 0.0.0.0:123       0.0.0.0:*   136022/chronyd
udp   0   0 127.0.0.1:11123   0.0.0.0:*   136026/chronyd

I expected to get something like:
udp   0   0 lanIP:123         0.0.0.0:*   136025/chronyd
udp   0   0 dmzIP:123         0.0.0.0:*   136024/chronyd
udp   0   0 127.0.0.1:11123   0.0.0.0:*   136026/chronyd

Or am I wrong?

On Mon, 11 Dec 2023 at 18:04, CpServiceSPb wrote:

> Which ports will be listened to, 123 ?
> I mean by the server from clients in lan/dmz?
>
>
>
> On Mon, 11 Dec 2023 at 17:26, Miroslav Lichvar wrote:
>
>> On Mon, Dec 11, 2023 at 05:08:32PM +0300, CpServiceSPb wrote:
>> > Would you be so kind to post 2 config files for 2 different interfaces,
>> for
>> > example:
>> > lan = 192.168.0.254/99
>> > dmz = 172.17.0.254/99
>>
>> 1st server instance:
>> server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
>> bindaddress 192.168.0.254
>> allow
>> cmdport 11323
>> bindcmdaddress /var/run/chrony/chronyd-server1.sock
>> pidfile /var/run/chronyd-server1.pid
>> driftfile /var/lib/chrony/drift-server1
>>
>> 2nd server instance:
>> server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
>> bindaddress 172.17.0.254
>> allow
>> cmdport 11324
>> bindcmdaddress /var/run/chrony/chronyd-server2.sock
>> pidfile /var/run/chronyd-server2.pid
>> driftfile /var/lib/chrony/drift-server2
>>
>> client instance synchronizing the clock and providing time to the server
>> instances:
>> pool pool.ntp.org iburst
>> allow 127.0.0.1
>> port 11123
>> driftfile /var/lib/chrony/drift
>> makestep 1 3
>> rtcsync
>>
>> --
>> Miroslav Lichvar
>>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-11 Thread CpServiceSPb
Which ports will be listened to, 123 ?
I mean by the server from clients in lan/dmz?



On Mon, 11 Dec 2023 at 17:26, Miroslav Lichvar wrote:

> On Mon, Dec 11, 2023 at 05:08:32PM +0300, CpServiceSPb wrote:
> > Would you be so kind to post 2 config files for 2 different interfaces,
> for
> > example:
> > lan = 192.168.0.254/99
> > dmz = 172.17.0.254/99
>
> 1st server instance:
> server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
> bindaddress 192.168.0.254
> allow
> cmdport 11323
> bindcmdaddress /var/run/chrony/chronyd-server1.sock
> pidfile /var/run/chronyd-server1.pid
> driftfile /var/lib/chrony/drift-server1
>
> 2nd server instance:
> server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
> bindaddress 172.17.0.254
> allow
> cmdport 11324
> bindcmdaddress /var/run/chrony/chronyd-server2.sock
> pidfile /var/run/chronyd-server2.pid
> driftfile /var/lib/chrony/drift-server2
>
> client instance synchronizing the clock and providing time to the server
> instances:
> pool pool.ntp.org iburst
> allow 127.0.0.1
> port 11123
> driftfile /var/lib/chrony/drift
> makestep 1 3
> rtcsync
>
> --
> Miroslav Lichvar
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-11 Thread Miroslav Lichvar
On Mon, Dec 11, 2023 at 05:08:32PM +0300, CpServiceSPb wrote:
> Would you be so kind to post 2 config files for 2 different interfaces, for
> example:
> lan = 192.168.0.254/99
> dmz = 172.17.0.254/99

1st server instance:
server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
bindaddress 192.168.0.254
allow
cmdport 11323
bindcmdaddress /var/run/chrony/chronyd-server1.sock
pidfile /var/run/chronyd-server1.pid
driftfile /var/lib/chrony/drift-server1

2nd server instance:
server 127.0.0.1 port 11123 minpoll 0 maxpoll 0 copy
bindaddress 172.17.0.254
allow
cmdport 11324
bindcmdaddress /var/run/chrony/chronyd-server2.sock
pidfile /var/run/chronyd-server2.pid
driftfile /var/lib/chrony/drift-server2

client instance synchronizing the clock and providing time to the server
instances:
pool pool.ntp.org iburst
allow 127.0.0.1
port 11123
driftfile /var/lib/chrony/drift
makestep 1 3
rtcsync

-- 
Miroslav Lichvar





Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-11 Thread CpServiceSPb
Would you be so kind to post 2 config files for 2 different interfaces, for
example:
lan = 192.168.0.254/99
dmz = 172.17.0.254/99

and multiple launching script.

On Mon, 11 Dec 2023 at 17:05, Miroslav Lichvar wrote:

> On Thu, Dec 07, 2023 at 12:33:57AM +0300, CpServiceSPb wrote:
> > I really don't understand how to specify the interface address for each
> > instance.
> > Here are my config files:
> > *conf.d/lan.conf*
> > server lanIP port 11123 minpoll 0 maxpoll 0 copy
> > allow
> > bindcmdaddress /var/run/chrony/chronyd-server_lan.sock
> > cmdport 11323
> > pidfile /var/run/chrony/chronyd-server_lan.pid
> > driftfile /var/lib/chrony/drift-server_lan
>
> There should be a bindaddress or binddevice directive.
>
> --
> Miroslav Lichvar
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-11 Thread Miroslav Lichvar
On Thu, Dec 07, 2023 at 12:33:57AM +0300, CpServiceSPb wrote:
> I really don't understand how to specify the interface address for each
> instance.
> Here are my config files:
> *conf.d/lan.conf*
> server lanIP port 11123 minpoll 0 maxpoll 0 copy
> allow
> bindcmdaddress /var/run/chrony/chronyd-server_lan.sock
> cmdport 11323
> pidfile /var/run/chrony/chronyd-server_lan.pid
> driftfile /var/lib/chrony/drift-server_lan

There should be a bindaddress or binddevice directive.

-- 
Miroslav Lichvar





Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-06 Thread CpServiceSPb
I use chronyd version 4.3 on Ubuntu 22.04 x64 LTS.

On Thu, 7 Dec 2023 at 00:33, CpServiceSPb wrote:

> I really don't understand how to specify the interface address for each
> instance.
> Here are my config files:
> *conf.d/lan.conf*
> server lanIP port 11123 minpoll 0 maxpoll 0 copy
> allow
> bindcmdaddress /var/run/chrony/chronyd-server_lan.sock
> cmdport 11323
> pidfile /var/run/chrony/chronyd-server_lan.pid
> driftfile /var/lib/chrony/drift-server_lan
>
> *conf.d/van.conf* (not wan, but van)
> server vanIP port 11123 minpoll 0 maxpoll 0 copy
> allow
> bindcmdaddress /var/run/chrony/chronyd-server_van.sock
> cmdport 11323
> pidfile /var/run/chrony/chronyd-server_van.pid
> driftfile /var/lib/chrony/drift-server_van
>
> I used a sent script.
>
> Here is *netstat -anupt | grep 123*
> udp   0   0 127.0.0.1:11123   0.0.0.0:*                 35124/chronyd
> udp   0   0 vanIP:49629       vanIP:11123   ESTABLISHED 35124/chronyd
> udp   0   0 lanIP:56374       lanIP:11123   ESTABLISHED 35124/chronyd
> udp   0   0 0.0.0.0:123       0.0.0.0:*                 35122/chronyd
> udp   0   0 0.0.0.0:123       0.0.0.0:*                 35120/chronyd
> udp   0   0 0.0.0.0:123       0.0.0.0:*                 35123/chronyd
> udp   0   0 0.0.0.0:123       0.0.0.0:*                 35121/chronyd
>
> Where is
> udp   0   0 lanIP:123         0.0.0.0:*                 x/chronyd
> udp   0   0 vanIP:123         0.0.0.0:*                 x/chronyd
>
> And why are here
> udp   0   0 0.0.0.0:123       0.0.0.0:*                 35121/chronyd
> udp   0   0 0.0.0.0:123       0.0.0.0:*                 35121/chronyd
> udp   0   0 0.0.0.0:123       0.0.0.0:*                 35121/chronyd
> udp   0   0 0.0.0.0:123       0.0.0.0:*                 35121/chronyd
>
> How will chrony know which addresses to bind to?
>
> On Wed, 6 Dec 2023 at 11:25, Miroslav Lichvar wrote:
>
>> On Wed, Dec 06, 2023 at 12:28:01AM +0300, CpServiceSPb wrote:
>> > Can you either post a link or detailed instruction on how to launch
>> > multiple chrony server instances for the same port but different
>> > interfaces/addresses ?
>>
>> Here is an example:
>>
>> https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client
>>
>> and a script:
>> https://gist.github.com/mlichvar/d2260423e2c5c3d83ec9608feaa749f1
>>
>> You would just need to modify it to set different binddevice
>> for each server instance.
>>
>> --
>> Miroslav Lichvar
>>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-06 Thread CpServiceSPb
I really don't understand how to specify the interface address for each
instance.
Here are my config files:
*conf.d/lan.conf*
server lanIP port 11123 minpoll 0 maxpoll 0 copy
allow
bindcmdaddress /var/run/chrony/chronyd-server_lan.sock
cmdport 11323
pidfile /var/run/chrony/chronyd-server_lan.pid
driftfile /var/lib/chrony/drift-server_lan

*conf.d/van.conf* (not wan, but van)
server vanIP port 11123 minpoll 0 maxpoll 0 copy
allow
bindcmdaddress /var/run/chrony/chronyd-server_van.sock
cmdport 11323
pidfile /var/run/chrony/chronyd-server_van.pid
driftfile /var/lib/chrony/drift-server_van

I used a sent script.

Here is *netstat -anupt | grep 123*
udp   0   0 127.0.0.1:11123   0.0.0.0:*                 35124/chronyd
udp   0   0 vanIP:49629       vanIP:11123   ESTABLISHED 35124/chronyd
udp   0   0 lanIP:56374       lanIP:11123   ESTABLISHED 35124/chronyd
udp   0   0 0.0.0.0:123       0.0.0.0:*                 35122/chronyd
udp   0   0 0.0.0.0:123       0.0.0.0:*                 35120/chronyd
udp   0   0 0.0.0.0:123       0.0.0.0:*                 35123/chronyd
udp   0   0 0.0.0.0:123       0.0.0.0:*                 35121/chronyd

Where is
udp   0   0 lanIP:123         0.0.0.0:*                 x/chronyd
udp   0   0 vanIP:123         0.0.0.0:*                 x/chronyd

And why are here
udp   0   0 0.0.0.0:123       0.0.0.0:*                 35121/chronyd
udp   0   0 0.0.0.0:123       0.0.0.0:*                 35121/chronyd
udp   0   0 0.0.0.0:123       0.0.0.0:*                 35121/chronyd
udp   0   0 0.0.0.0:123       0.0.0.0:*                 35121/chronyd

How will chrony know which addresses to bind to?

On Wed, 6 Dec 2023 at 11:25, Miroslav Lichvar wrote:

> On Wed, Dec 06, 2023 at 12:28:01AM +0300, CpServiceSPb wrote:
> > Can you either post a link or detailed instruction on how to launch
> > multiple chrony server instances for the same port but different
> > interfaces/addresses ?
>
> Here is an example:
>
> https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client
>
> and a script:
> https://gist.github.com/mlichvar/d2260423e2c5c3d83ec9608feaa749f1
>
> You would just need to modify it to set different binddevice
> for each server instance.
>
> --
> Miroslav Lichvar
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-06 Thread Miroslav Lichvar
On Wed, Dec 06, 2023 at 12:28:01AM +0300, CpServiceSPb wrote:
> Can you either post a link or detailed instruction on how to launch
> multiple chrony server instances for the same port but different
> interfaces/addresses ?

Here is an example:
https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client

and a script:
https://gist.github.com/mlichvar/d2260423e2c5c3d83ec9608feaa749f1

You would just need to modify it to set different binddevice
for each server instance.

-- 
Miroslav Lichvar





Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-05 Thread CpServiceSPb
It seems I found out where the permissions issue is.
It is necessary to add the appropriate paths with write permissions to the
AppArmor chronyd file.
For example:
  @{run}/chrony1/{,*} rw,
  @{run}/chrony2/{,*} rw,
and there is no necessity to set permissions manually.
All is done automatically.
But in this case chronyd hangs up during starting.




On Wed, 6 Dec 2023 at 00:48, CpServiceSPb wrote:

> I set up _chrony user and _chrony group for /var/run/chrony1 and even set
> up 755 permission to the folder.
> Here is my one config at /etc/chrony/conf.d/lan.conf
> At the time only one file:
> server 192.168.0.200 port 1123 minpoll 0 maxpoll 0 copy
> allow
> cmdport 1123
> bindcmdaddress /var/run/chrony1/chronyd-server_lan.sock
> pidfile /var/run/chrony1/chronyd-server_lan.pid
> driftfile /var/lib/drift-server1_lan
>
> Launch chronyd either from systemctl start chronyd or chronyd -D and get:
> 2023-12-05T21:45:17Z chronyd version 4.3 starting (+CMDMON +NTP +REFCLOCK
> +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
> 2023-12-05T21:45:17Z Wrong permissions on /var/run/chrony1
> 2023-12-05T21:45:17Z Disabled command socket
> /var/run/chrony1/chronyd-server_lan.sock
> 2023-12-05T21:45:17Z Fatal error : Could not open
> /var/run/chrony1/chronyd-server_lan.pid : Permission denied
>
> What and where is wrong ?
>
>
>
> On Wed, 6 Dec 2023 at 00:28, CpServiceSPb wrote:
>
>> Can you either post a link or detailed instruction on how to launch
>> multiple chrony server instances for the same port but different
>> interfaces/addresses ?
>>
>> On Mon, 4 Dec 2023 at 18:25, Miroslav Lichvar wrote:
>>
>>> On Thu, Nov 30, 2023 at 11:04:37PM +0300, CpServiceSPb wrote:
>>> > But there is
>>> > сен 05 22:55:07 key chronyd[152706]: chronyd version 4.3 starting
>>> (+CMDMON
>>> > +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH
>>> > +IPV6 -DEBUG)
>>> > сен 05 22:55:07 key chronyd-starter.sh[152704]: Could not open
>>> > /var/run/cc/chronyd-server1.pid : Permission denied
>>> > сен 05 22:55:07 key chronyd[152706]: Wrong permissions on /var/run/cc
>>>
>>> You will need to fix the permission of the directory to be writable by
>>> the chrony user.
>>>
>>> --
>>> Miroslav Lichvar
>>>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-05 Thread CpServiceSPb
I set up _chrony user and _chrony group for /var/run/chrony1 and even set
up 755 permission to the folder.
Here is my one config at /etc/chrony/conf.d/lan.conf
At the time only one file:
server 192.168.0.200 port 1123 minpoll 0 maxpoll 0 copy
allow
cmdport 1123
bindcmdaddress /var/run/chrony1/chronyd-server_lan.sock
pidfile /var/run/chrony1/chronyd-server_lan.pid
driftfile /var/lib/drift-server1_lan

Launch chronyd either from systemctl start chronyd or chronyd -D and get:
2023-12-05T21:45:17Z chronyd version 4.3 starting (+CMDMON +NTP +REFCLOCK
+RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2023-12-05T21:45:17Z Wrong permissions on /var/run/chrony1
2023-12-05T21:45:17Z Disabled command socket
/var/run/chrony1/chronyd-server_lan.sock
2023-12-05T21:45:17Z Fatal error : Could not open
/var/run/chrony1/chronyd-server_lan.pid : Permission denied

What and where is wrong ?



On Wed, 6 Dec 2023 at 00:28, CpServiceSPb wrote:

> Can you either post a link or detailed instruction on how to launch
> multiple chrony server instances for the same port but different
> interfaces/addresses ?
>
> On Mon, 4 Dec 2023 at 18:25, Miroslav Lichvar wrote:
>
>> On Thu, Nov 30, 2023 at 11:04:37PM +0300, CpServiceSPb wrote:
>> > But there is
>> > сен 05 22:55:07 key chronyd[152706]: chronyd version 4.3 starting
>> (+CMDMON
>> > +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH
>> > +IPV6 -DEBUG)
>> > сен 05 22:55:07 key chronyd-starter.sh[152704]: Could not open
>> > /var/run/cc/chronyd-server1.pid : Permission denied
>> > сен 05 22:55:07 key chronyd[152706]: Wrong permissions on /var/run/cc
>>
>> You will need to fix the permission of the directory to be writable by
>> the chrony user.
>>
>> --
>> Miroslav Lichvar
>>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-05 Thread CpServiceSPb
Can you either post a link or detailed instruction on how to launch
multiple chrony server instances for the same port but different
interfaces/addresses ?

On Mon, 4 Dec 2023 at 18:25, Miroslav Lichvar wrote:

> On Thu, Nov 30, 2023 at 11:04:37PM +0300, CpServiceSPb wrote:
> > But there is
> > сен 05 22:55:07 key chronyd[152706]: chronyd version 4.3 starting
> (+CMDMON
> > +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH
> > +IPV6 -DEBUG)
> > сен 05 22:55:07 key chronyd-starter.sh[152704]: Could not open
> > /var/run/cc/chronyd-server1.pid : Permission denied
> > сен 05 22:55:07 key chronyd[152706]: Wrong permissions on /var/run/cc
>
> You will need to fix the permission of the directory to be writable by
> the chrony user.
>
> --
> Miroslav Lichvar
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-12-04 Thread Miroslav Lichvar
On Thu, Nov 30, 2023 at 11:04:37PM +0300, CpServiceSPb wrote:
> But there is
> сен 05 22:55:07 key chronyd[152706]: chronyd version 4.3 starting (+CMDMON
> +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH
> +IPV6 -DEBUG)
> сен 05 22:55:07 key chronyd-starter.sh[152704]: Could not open
> /var/run/cc/chronyd-server1.pid : Permission denied
> сен 05 22:55:07 key chronyd[152706]: Wrong permissions on /var/run/cc

You will need to fix the permission of the directory to be writable by
the chrony user.

-- 
Miroslav Lichvar





Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-11-30 Thread CpServiceSPb
I couldn't launch multiple instances of chrony.

I added lan.conf to the conf.d folder additionally to the main config file:
server lan_IP port 123 minpoll 0 maxpoll 0 copy
allow
cmdport 123
bindcmdaddress /var/run/cc/chronyd-server1.sock
pidfile /var/run/cc/chronyd-server1.pid
driftfile /var/lib/cc/drift-server1

I even made /var/run/cc folder.

But there is
сен 05 22:55:07 key chronyd[152706]: chronyd version 4.3 starting (+CMDMON
+NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH
+IPV6 -DEBUG)
сен 05 22:55:07 key chronyd-starter.sh[152704]: Could not open
/var/run/cc/chronyd-server1.pid : Permission denied
сен 05 22:55:07 key chronyd[152706]: Wrong permissions on /var/run/cc
сен 05 22:55:07 key chronyd[152706]: Disabled command socket
/var/run/cc/chronyd-server1.sock
сен 05 22:55:07 key chronyd[152706]: Fatal error : Could not open
/var/run/cc/chronyd-server1.pid : Permission denied
сен 05 22:55:07 key systemd[1]: chrony.service: Control process exited,
code=exited, status=1/FAILURE
сен 05 22:55:07 key systemd[1]: chrony.service: Failed with result
'exit-code'.
сен 05 22:55:07 key systemd[1]: Failed to start chrony, an NTP
client/server.

On Tue, 5 Sep 2023 at 23:06, CpServiceSPb wrote:

> I couldn't launch multiple instances of chrony.
>
> I added lan.conf to the conf.d folder additionally to the main config file:
> server lan_IP port 123 minpoll 0 maxpoll 0 copy
> allow
> cmdport 123
> bindcmdaddress /var/run/cc/chronyd-server1.sock
> pidfile /var/run/cc/chronyd-server1.pid
> driftfile /var/lib/cc/drift-server1
>
> I even made /var/run/cc folder.
>
> But there is
> сен 05 22:55:07 key chronyd[152706]: chronyd version 4.3 starting (+CMDMON
> +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH
> +IPV6 -DEBUG)
> сен 05 22:55:07 key chronyd-starter.sh[152704]: Could not open
> /var/run/cc/chronyd-server1.pid : Permission denied
> сен 05 22:55:07 key chronyd[152706]: Wrong permissions on /var/run/cc
> сен 05 22:55:07 key chronyd[152706]: Disabled command socket
> /var/run/cc/chronyd-server1.sock
> сен 05 22:55:07 key chronyd[152706]: Fatal error : Could not open
> /var/run/cc/chronyd-server1.pid : Permission denied
> сен 05 22:55:07 key systemd[1]: chrony.service: Control process exited,
> code=exited, status=1/FAILURE
> сен 05 22:55:07 key systemd[1]: chrony.service: Failed with result
> 'exit-code'.
> сен 05 22:55:07 key systemd[1]: Failed to start chrony, an NTP
> client/server.
>
>
>
> On Tue, 5 Sep 2023 at 17:46, CpServiceSPb wrote:
>
>> Adding this way of packet handling will bring a huge competitive
>> advantage for chrony, I think.
>>
>> Here is some info about practical netlink usage, in Russian, but you can
>> read it via Google Translate.
>>
>> Anyway, thanks in advance.
>>
>> On Tue, 5 Sep 2023 at 17:03, Miroslav Lichvar wrote:
>>
>>> On Tue, Sep 05, 2023 at 04:33:11PM +0300, CpServiceSPb wrote:
>>> > > That would make more sense for security. However, it's not a simple
>>> thing
>>> > > to implement as peer associations use the server sockets too, so
>>> there
>>> > > would need to be some code selecting the right socket.
>>> > Maybe it is worth looking at NTP sources for aspects of the topic.
>>> > It supports multiple bindings as I know.
>>>
>>> The ntpd I/O code was designed around having a separate socket for
>>> each interface. It monitors changes in network configuration (on Linux
>>> using netlink socket). It needs that to be able to respond from the
>>> right address on multihomed hosts. The amount of code needed for that
>>> is huge and lot of it is system-specific.
>>>
>>> chronyd relies on the IP_PKTINFO socket option to get the destination
>>> address of requests. This is much simpler, but probably not available
>>> on all systems that ntpd currently supports.
>>>
>>> > I believe you will be able to implement correctly the functionality.
>>> > And will wait for the version to test it.
>>>
>>> I added it to my todo list, but don't get your hopes up.
>>>
>>> --
>>> Miroslav Lichvar
>>>

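The design point in the reply quoted above (ntpd keeps one socket per interface and tracks interface changes; chronyd binds one wildcard socket and uses IP_PKTINFO to learn which address a request arrived on and to reply from it), as an added example in Python that is not chrony's code. It assumes Linux and uses 127.0.0.1 and 127.0.0.2, both local on the loopback interface, in place of two interface addresses; the `serve_one` and `exchange` helpers and the message contents are mine.

```python
"""Answer from the right address on a multihomed host using IP_PKTINFO.

Added example illustrating the design point in Miroslav Lichvar's reply quoted
above (one wildcard-bound socket plus IP_PKTINFO instead of ntpd's per-interface
sockets). It is not chrony's code. It assumes Linux and uses 127.0.0.1 and
127.0.0.2, which are both local on the loopback interface, to stand in for two
interface addresses.
"""
import socket
import struct

IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)   # Linux value; older Pythons lack the constant
IN_PKTINFO = struct.Struct("i4s4s")             # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr


def serve_one(server: socket.socket, fix_source: bool) -> str:
    """Answer one datagram; return the address the request was actually sent to.

    With fix_source the reply carries an IP_PKTINFO ancillary message whose
    ipi_spec_dst is that address, so the kernel uses it as the source of the reply.
    Without it the kernel picks the route's preferred source, which on a multihomed
    host is not necessarily the address the client talked to; strict clients and
    stateful firewalls then drop the reply.
    """
    data, ancdata, _flags, client = server.recvmsg(512, socket.CMSG_SPACE(IN_PKTINFO.size))
    dst = "0.0.0.0"
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = IN_PKTINFO.unpack(cdata[:IN_PKTINFO.size])
            dst = socket.inet_ntoa(addr)      # ipi_addr: destination of the request
    reply = b"reply:" + data
    if fix_source:
        pktinfo = IN_PKTINFO.pack(0, socket.inet_aton(dst), b"\0" * 4)  # ipi_spec_dst = source
        server.sendmsg([reply], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, client)
    else:
        server.sendto(reply, client)
    return dst


def exchange(server_addr: str = "127.0.0.2", fix_source: bool = True) -> tuple:
    """One request/reply over loopback; returns (address seen by server, reply source)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)   # ask for destination info
        server.bind(("0.0.0.0", 0))                             # wildcard bind, like chronyd's server socket
        port = server.getsockname()[1]
        server.settimeout(2)
        client.settimeout(2)
        client.sendto(b"ping", (server_addr, port))
        seen = serve_one(server, fix_source)
        _reply, (reply_src, _port) = client.recvfrom(512)
        return seen, reply_src
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    for fix in (True, False):
        seen, src = exchange("127.0.0.2", fix)
        print(f"IP_PKTINFO on reply={fix}: request to {seen}, reply came from {src}")
```

With the ancillary message the reply leaves from 127.0.0.2, the address the client asked; without it the kernel falls back to the route's preferred source, 127.0.0.1, which is the mismatch a multihomed server shows when it answers from a wildcard socket without IP_PKTINFO. Only the IPv4 case is shown; IPv6 uses IPV6_RECVPKTINFO/IPV6_PKTINFO with struct in6_pktinfo in the same way.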

Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-09-05 Thread CpServiceSPb
I couldn't launch multiple instances of chrony.

I added lan.conf to the conf.d folder additionally to the main config file:
server lan_IP port 123 minpoll 0 maxpoll 0 copy
allow
cmdport 123
bindcmdaddress /var/run/cc/chronyd-server1.sock
pidfile /var/run/cc/chronyd-server1.pid
driftfile /var/lib/cc/drift-server1

I even made /var/run/cc folder.

But there is
сен 05 22:55:07 key chronyd[152706]: chronyd version 4.3 starting (+CMDMON
+NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH
+IPV6 -DEBUG)
сен 05 22:55:07 key chronyd-starter.sh[152704]: Could not open
/var/run/cc/chronyd-server1.pid : Permission denied
сен 05 22:55:07 key chronyd[152706]: Wrong permissions on /var/run/cc
сен 05 22:55:07 key chronyd[152706]: Disabled command socket
/var/run/cc/chronyd-server1.sock
сен 05 22:55:07 key chronyd[152706]: Fatal error : Could not open
/var/run/cc/chronyd-server1.pid : Permission denied
сен 05 22:55:07 key systemd[1]: chrony.service: Control process exited,
code=exited, status=1/FAILURE
сен 05 22:55:07 key systemd[1]: chrony.service: Failed with result
'exit-code'.
сен 05 22:55:07 key systemd[1]: Failed to start chrony, an NTP
client/server.



Tue, 5 Sep 2023 at 17:46, CpServiceSPb :

> Adding this way of packet handling will bring a huge competition advantage
> for chrony.
> I think.
>
> Here is some info about netlink practical usage, in Russian, but you can
> read it via Google translator.
>
> Anyway, thanks in advance.
>
> Tue, 5 Sep 2023 at 17:03, Miroslav Lichvar :
>
>> On Tue, Sep 05, 2023 at 04:33:11PM +0300, CpServiceSPb wrote:
>> > > That would make more sense for security. However, it's not a simple
>> thing
>> > > to implement as peer associations use the server sockets too, so there
>> > > would need to be some code selecting the right socket.
>> > Maybe it is worth looking at NTP sources for aspects of the topic.
>> > It supports multiple bindings as I know.
>>
>> The ntpd I/O code was designed around having a separate socket for
>> each interface. It monitors changes in network configuration (on Linux
>> using netlink socket). It needs that to be able to respond from the
>> right address on multihomed hosts. The amount of code needed for that
>> is huge and a lot of it is system-specific.
>>
>> chronyd relies on the IP_PKTINFO socket option to get the destination
>> address of requests. This is much simpler, but probably not available
>> on all systems that ntpd currently supports.
>>
>> > I believe you will be able to implement correctly the functionality.
>> > And will wait for the version to test it.
>>
>> I added it to my todo list, but don't get your hopes up.
>>
>> --
>> Miroslav Lichvar
>>
>>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-09-05 Thread CpServiceSPb
Adding this way of packet handling will bring a huge competition advantage
for chrony.
I think.

Here is some info about netlink practical usage, in Russian, but you can
read it via Google translator.

Anyway, thanks in advance.

Tue, 5 Sep 2023 at 17:03, Miroslav Lichvar :

> On Tue, Sep 05, 2023 at 04:33:11PM +0300, CpServiceSPb wrote:
> > > That would make more sense for security. However, it's not a simple
> thing
> > > to implement as peer associations use the server sockets too, so there
> > > would need to be some code selecting the right socket.
> > Maybe it is worth looking at NTP sources for aspects of the topic.
> > It supports multiple bindings as I know.
>
> The ntpd I/O code was designed around having a separate socket for
> each interface. It monitors changes in network configuration (on Linux
> using netlink socket). It needs that to be able to respond from the
> right address on multihomed hosts. The amount of code needed for that
> is huge and a lot of it is system-specific.
>
> chronyd relies on the IP_PKTINFO socket option to get the destination
> address of requests. This is much simpler, but probably not available
> on all systems that ntpd currently supports.
>
> > I believe you will be able to implement correctly the functionality.
> > And will wait for the version to test it.
>
> I added it to my todo list, but don't get your hopes up.
>
> --
> Miroslav Lichvar
>
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-09-05 Thread Miroslav Lichvar
On Tue, Sep 05, 2023 at 04:33:11PM +0300, CpServiceSPb wrote:
> > That would make more sense for security. However, it's not a simple thing
> > to implement as peer associations use the server sockets too, so there
> > would need to be some code selecting the right socket.
> Maybe it is worth looking at NTP sources for aspects of the topic.
> It supports multiple bindings as I know.

The ntpd I/O code was designed around having a separate socket for
each interface. It monitors changes in network configuration (on Linux
using netlink socket). It needs that to be able to respond from the
right address on multihomed hosts. The amount of code needed for that
is huge and a lot of it is system-specific.

chronyd relies on the IP_PKTINFO socket option to get the destination
address of requests. This is much simpler, but probably not available
on all systems that ntpd currently supports.

> I believe you will be able to implement correctly the functionality.
> And will wait for the version to test it.

I added it to my todo list, but don't get your hopes up.

-- 
Miroslav Lichvar





Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-09-05 Thread CpServiceSPb
> It makes no difference. These settings are about ARP (L2->L3
> translation) and multiple interfaces in the same network.
So strange. I thought that it is for multiple interfaces ...

> That would make more sense for security. However, it's not a simple thing
> to implement as peer associations use the server sockets too, so there
> would need to be some code selecting the right socket.
Maybe it is worth looking at NTP sources for aspects of the topic.
It supports multiple bindings as I know.

> My recommendation is to run multiple instances of chronyd, each bound
> to a different interface.
I will try to use it, but only as a temporary solution, if I am able to
launch it.


I believe you will be able to implement correctly the functionality.
And will wait for the version to test it.



Tue, 5 Sep 2023 at 15:57, Miroslav Lichvar :

> On Tue, Sep 05, 2023 at 03:44:35PM +0300, CpServiceSPb wrote:
> > Due to Weak ES mode in Linux OSes, please remake a test but change a
> little
> > bit test conditions:
> > When aiming for Strong ES Model in Linux, you'll first need these sysctl
> > settings:
> > net.ipv4.conf.all.arp_filter=1
> > net.ipv4.conf.all.arp_ignore=1 # or even 2
> > net.ipv4.conf.all.arp_announce=2
>
> It makes no difference. These settings are about ARP (L2->L3
> translation) and multiple interfaces in the same network.
>
> > *And I see the only way is to implement not bindaddress but binddevice
> > available multiple times for listening and receiving requests to.*
>
> That would make more sense for security. However, it's not a simple thing
> to implement as peer associations use the server sockets too, so there
> would need to be some code selecting the right socket.
>
> My recommendation is to run multiple instances of chronyd, each bound
> to a different interface.
>
> --
> Miroslav Lichvar
>
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-09-05 Thread Miroslav Lichvar
On Tue, Sep 05, 2023 at 03:44:35PM +0300, CpServiceSPb wrote:
> Due to Weak ES mode in Linux OSes, please remake a test but change a little
> bit test conditions:
> When aiming for Strong ES Model in Linux, you'll first need these sysctl
> settings:
> net.ipv4.conf.all.arp_filter=1
> net.ipv4.conf.all.arp_ignore=1 # or even 2
> net.ipv4.conf.all.arp_announce=2

It makes no difference. These settings are about ARP (L2->L3
translation) and multiple interfaces in the same network.

> *And I see the only way is to implement not bindaddress but binddevice
> available multiple times for listening and receiving requests to.*

That would make more sense for security. However, it's not a simple thing
to implement as peer associations use the server sockets too, so there
would need to be some code selecting the right socket.

My recommendation is to run multiple instances of chronyd, each bound
to a different interface.

-- 
Miroslav Lichvar





Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-09-05 Thread CpServiceSPb
As I found out unfortunately we are both right.
But I am right for BSD and Vista+ OSes, you are right for Linux OSes.
I am talking about  Weak and Strong ES modes.

Due to Weak ES mode in Linux OSes, please remake a test but change a little
bit test conditions:
When aiming for Strong ES Model in Linux, you'll first need these sysctl
settings:
net.ipv4.conf.all.arp_filter=1
net.ipv4.conf.all.arp_ignore=1 # or even 2
net.ipv4.conf.all.arp_announce=2


*And I see the only way is to implement not bindaddress but binddevice
available multiple times for listening and receiving requests to.*
*To avoid a quite complicated setting up of Linux OSes.*

Additionally, there are:
https://stackoverflow.com/questions/33917575/choosing-socket-output-interface-so-bindtodevice-vs-bind-before-connect
https://learn.microsoft.com/en-us/previous-versions/technet-magazine/cc137807(v=msdn.10)?redirectedfrom=MSDN
https://networkengineering.stackexchange.com/questions/59836/bind-to-specific-address
https://unix.stackexchange.com/questions/258810/linux-source-routing-strong-end-system-model-strong-host-model
https://wiki.treck.com/Appendix_C:_Strong_End_System_Model_/_Weak_End_System_Model

Tue, 5 Sep 2023 at 15:31, CpServiceSPb :

> Maybe did multiple binddevice instead for the specified purpose ?
>
> Tue, 5 Sep 2023 at 15:17, CpServiceSPb :
>
>> I don't understand how packets are thrown between interfaces with IP
>> forwarding off.
>> Maybe nevertheless there is 0.0.0.0 binding.
>>
>>
>> Tue, 5 Sep 2023 at 15:10, CpServiceSPb :
>>
>>> As you added the functionality, can you send this version ?
>>> I will test as well on my own.
>>>
>>>
>>> Tue, 5 Sep 2023 at 13:54, Miroslav Lichvar :
>>>
>>>> On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
>>>> > I may be wrong but as I understand that binding to an address is
>>>> almost the
>>>> > same as binding to an interface.
>>>>
>>>> I think those are two different things. In chrony there is the
>>>> binddevice directive for binding to a device. It can be used only once
>>>> for the same reasons as bindaddress.
>>>>
>>>> > Maybe I am wrong, again.
>>>> > And it is meaning that an appropriate opened socket will receive
>>>> packets
>>>> > only from the corresponding interface, of course if IP forwarding,
>>>> source
>>>> > nat and so on is not set up.
>>>>
>>>> I ran a test. I started the server with 'bindaddress 192.168.50.2' and
>>>> checked tcpdump output on the other interface, which has network
>>>> 192.168.70.0/24 and no other routes.
>>>>
>>>> 10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4,
>>>> Client, length 48
>>>> 10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4,
>>>> Server, length 48
>>>>
>>>> It is happily responding to clients sending to the bound address, even
>>>> if it's a different interface. IP forwarding is disabled. There is no
>>>> NAT. The rp_filter setting doesn't seem to affect this. I think it's
>>>> supposed to check only the source address.
>>>>
>>>> > So, it can be checked practically.
>>>> > Is it true or false.
>>>> > When you will add such functionality, I will build a new version of
>>>> chrony
>>>> > and will turn off nat, ip forwarding and will launch tcpdump and will
>>>> see
>>>> > what happens on the lan interface when some client from dmz sends a
>>>> request
>>>> > to dmz interface.
>>>> > That is, will any packets come to the lan interface or not.
>>>>
>>>> You can verify that with single bindaddress.
>>>>
>>>> If you really need multiple addresses, you can start multiple server
>>>> instances as explained here:
>>>>
>>>> https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client
>>>>
>>>> --
>>>> Miroslav Lichvar
>>>>
>>>>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-09-05 Thread CpServiceSPb
Maybe did multiple binddevice instead for the specified purpose ?

Tue, 5 Sep 2023 at 15:17, CpServiceSPb :

> I don't understand how packets are thrown between interfaces with IP
> forwarding off.
> Maybe nevertheless there is 0.0.0.0 binding.
>
>
> Tue, 5 Sep 2023 at 15:10, CpServiceSPb :
>
>> As you added the functionality, can you send this version ?
>> I will test as well on my own.
>>
>>
>> Tue, 5 Sep 2023 at 13:54, Miroslav Lichvar :
>>
>>> On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
>>> > I may be wrong but as I understand that binding to an address is
>>> almost the
>>> > same as binding to an interface.
>>>
>>> I think those are two different things. In chrony there is the
>>> binddevice directive for binding to a device. It can be used only once
>>> for the same reasons as bindaddress.
>>>
>>> > Maybe I am wrong, again.
>>> > And it is meaning that an appropriate opened socket will receive
>>> packets
>>> > only from the corresponding interface, of course if IP forwarding,
>>> source
>>> > nat and so on is not set up.
>>>
>>> I ran a test. I started the server with 'bindaddress 192.168.50.2' and
>>> checked tcpdump output on the other interface, which has network
>>> 192.168.70.0/24 and no other routes.
>>>
>>> 10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client,
>>> length 48
>>> 10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4, Server,
>>> length 48
>>>
>>> It is happily responding to clients sending to the bound address, even
>>> if it's a different interface. IP forwarding is disabled. There is no
>>> NAT. The rp_filter setting doesn't seem to affect this. I think it's
>>> supposed to check only the source address.
>>>
>>> > So, it can be checked practically.
>>> > Is it true or false.
>>> > When you will add such functionality, I will build a new version of
>>> chrony
>>> > and will turn off nat, ip forwarding and will launch tcpdump and will
>>> see
>>> > what happens on the lan interface when some client from dmz sends a
>>> request
>>> > to dmz interface.
>>> > That is, will any packets come to the lan interface or not.
>>>
>>> You can verify that with single bindaddress.
>>>
>>> If you really need multiple addresses, you can start multiple server
>>> instances as explained here:
>>>
>>> https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client
>>>
>>> --
>>> Miroslav Lichvar
>>>
>>>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-09-05 Thread CpServiceSPb
I don't understand how packets are thrown between interfaces with IP
forwarding off.
Maybe nevertheless there is 0.0.0.0 binding.


Tue, 5 Sep 2023 at 15:10, CpServiceSPb :

> As you added the functionality, can you send this version ?
> I will test as well on my own.
>
>
> Tue, 5 Sep 2023 at 13:54, Miroslav Lichvar :
>
>> On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
>> > I may be wrong but as I understand that binding to an address is almost
>> the
>> > same as binding to an interface.
>>
>> I think those are two different things. In chrony there is the
>> binddevice directive for binding to a device. It can be used only once
>> for the same reasons as bindaddress.
>>
>> > Maybe I am wrong, again.
>> > And it is meaning that an appropriate opened socket will receive packets
>> > only from the corresponding interface, of course if IP forwarding,
>> source
>> > nat and so on is not set up.
>>
>> I ran a test. I started the server with 'bindaddress 192.168.50.2' and
>> checked tcpdump output on the other interface, which has network
>> 192.168.70.0/24 and no other routes.
>>
>> 10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client,
>> length 48
>> 10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4, Server,
>> length 48
>>
>> It is happily responding to clients sending to the bound address, even
>> if it's a different interface. IP forwarding is disabled. There is no
>> NAT. The rp_filter setting doesn't seem to affect this. I think it's
>> supposed to check only the source address.
>>
>> > So, it can be checked practically.
>> > Is it true or false.
>> > When you will add such functionality, I will build a new version of
>> chrony
>> > and will turn off nat, ip forwarding and will launch tcpdump and will
>> see
>> > what happens on the lan interface when some client from dmz sends a
>> request
>> > to dmz interface.
>> > That is, will any packets come to the lan interface or not.
>>
>> You can verify that with single bindaddress.
>>
>> If you really need multiple addresses, you can start multiple server
>> instances as explained here:
>>
>> https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client
>>
>> --
>> Miroslav Lichvar
>>
>>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-09-05 Thread CpServiceSPb
As you added the functionality, can you send this version ?
I will test as well on my own.


Tue, 5 Sep 2023 at 13:54, Miroslav Lichvar :

> On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
> > I may be wrong but as I understand that binding to an address is almost
> the
> > same as binding to an interface.
>
> I think those are two different things. In chrony there is the
> binddevice directive for binding to a device. It can be used only once
> for the same reasons as bindaddress.
>
> > Maybe I am wrong, again.
> > And it is meaning that an appropriate opened socket will receive packets
> > only from the corresponding interface, of course if IP forwarding, source
> > nat and so on is not set up.
>
> I ran a test. I started the server with 'bindaddress 192.168.50.2' and
> checked tcpdump output on the other interface, which has network
> 192.168.70.0/24 and no other routes.
>
> 10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client,
> length 48
> 10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4, Server,
> length 48
>
> It is happily responding to clients sending to the bound address, even
> if it's a different interface. IP forwarding is disabled. There is no
> NAT. The rp_filter setting doesn't seem to affect this. I think it's
> supposed to check only the source address.
>
> > So, it can be checked practically.
> > Is it true or false.
> > When you will add such functionality, I will build a new version of
> chrony
> > and will turn off nat, ip forwarding and will launch tcpdump and will see
> > what happens on the lan interface when some client from dmz sends a
> request
> > to dmz interface.
> > That is, will any packets come to the lan interface or not.
>
> You can verify that with single bindaddress.
>
> If you really need multiple addresses, you can start multiple server
> instances as explained here:
>
> https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client
>
> --
> Miroslav Lichvar
>
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-09-05 Thread Miroslav Lichvar
On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
> I may be wrong but as I understand that binding to an address is almost the
> same as binding to an interface.

I think those are two different things. In chrony there is the
binddevice directive for binding to a device. It can be used only once
for the same reasons as bindaddress.

> Maybe I am wrong, again.
> And it is meaning that an appropriate opened socket will receive packets
> only from the corresponding interface, of course if IP forwarding, source
> nat and so on is not set up.

I ran a test. I started the server with 'bindaddress 192.168.50.2' and
checked tcpdump output on the other interface, which has network
192.168.70.0/24 and no other routes.

10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, Client, length 
48
10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4, Server, length 
48

It is happily responding to clients sending to the bound address, even
if it's a different interface. IP forwarding is disabled. There is no
NAT. The rp_filter setting doesn't seem to affect this. I think it's
supposed to check only the source address.

> So, it can be checked practically.
> Is it true or false.
> When you will add such functionality, I will build a new version of chrony
> and will turn off nat, ip forwarding and will launch tcpdump and will see
> what happens on the lan interface when some client from dmz sends a request
> to dmz interface.
> That is, will any packets come to the lan interface or not.

You can verify that with single bindaddress.

If you really need multiple addresses, you can start multiple server
instances as explained here:
https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client

-- 
Miroslav Lichvar





Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-09-04 Thread CpServiceSPb
Hi.
Any new information regarding adding functionality specified by the topic ?

Thu, 31 Aug 2023 at 00:06, CpServiceSPb :

> Each opened (listening) socket in the system is a potential vulnerability.
>
> I may be wrong but as I understand that binding to an address is almost
> the same as binding to an interface.
> Maybe I am wrong, again.
> And it is meaning that an appropriate opened socket will receive packets
> only from the corresponding interface, of course if IP forwarding, source
> nat and so on is not set up.
>
> So, it can be checked practically.
> Is it true or false.
> When you will add such functionality, I will build a new version of chrony
> and will turn off nat, ip forwarding and will launch tcpdump and will see
> what happens on the lan interface when some client from dmz sends a request
> to dmz interface.
> That is, will any packets come to the lan interface or not.
>
>
>
>
>
>
> Wed, 30 Aug 2023 at 13:29, Miroslav Lichvar :
>
>> On Wed, Aug 30, 2023 at 12:49:34PM +0300, CpServiceSPb wrote:
>> >  > Why is it not good? Is it meant to be a security measure? Would
>> firewall
>> > not work better?
>> > There are sockets in a system.
>> > Sometimes a firewall can pass packets due to its malfunction or not
>> > accurate settings.
>> > If there are no extra sockets it is much much better for security.
>>
>> Can you please elaborate? The security benefits are not very clear to
>> me.
>>
>> There are some misconceptions. Binding a socket to an address doesn't
>> mean it will not receive packets from other interfaces. For example,
>> if eth1 has ADDR1 and eth2 has ADDR2, and chronyd is configured to
>> listen only on ADDR1, I think on a typical system it will respond to
>> requests sent to ADDR1 no matter if they are received from eth1 or
>> eth2.
>>
>> There are exceptions to this like the loopback range (127.0.0.0/8)
>> which the kernel should drop as "martian packets" if received from
>> real network interfaces, so default bindcmdaddress of 127.0.0.1 should
>> prevent responding to requests from network.
>>
>> --
>> Miroslav Lichvar
>>
>>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-08-30 Thread CpServiceSPb
Each opened (listening) socket in the system is a potential vulnerability.

I may be wrong but as I understand that binding to an address is almost the
same as binding to an interface.
Maybe I am wrong, again.
And it is meaning that an appropriate opened socket will receive packets
only from the corresponding interface, of course if IP forwarding, source
nat and so on is not set up.

So, it can be checked practically.
Is it true or false.
When you will add such functionality, I will build a new version of chrony
and will turn off nat, ip forwarding and will launch tcpdump and will see
what happens on the lan interface when some client from dmz sends a request
to dmz interface.
That is, will any packets come to the lan interface or not.






Wed, 30 Aug 2023 at 13:29, Miroslav Lichvar :

> On Wed, Aug 30, 2023 at 12:49:34PM +0300, CpServiceSPb wrote:
> >  > Why is it not good? Is it meant to be a security measure? Would
> firewall
> > not work better?
> > There are sockets in a system.
> > Sometimes a firewall can pass packets due to its malfunction or not
> > accurate settings.
> > If there are no extra sockets it is much much better for security.
>
> Can you please elaborate? The security benefits are not very clear to
> me.
>
> There are some misconceptions. Binding a socket to an address doesn't
> mean it will not receive packets from other interfaces. For example,
> if eth1 has ADDR1 and eth2 has ADDR2, and chronyd is configured to
> listen only on ADDR1, I think on a typical system it will respond to
> requests sent to ADDR1 no matter if they are received from eth1 or
> eth2.
>
> There are exceptions to this like the loopback range (127.0.0.0/8)
> which the kernel should drop as "martian packets" if received from
> real network interfaces, so default bindcmdaddress of 127.0.0.1 should
> prevent responding to requests from network.
>
> --
> Miroslav Lichvar
>
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-08-30 Thread Miroslav Lichvar
On Wed, Aug 30, 2023 at 12:49:34PM +0300, CpServiceSPb wrote:
>  > Why is it not good? Is it meant to be a security measure? Would firewall
> not work better?
> There are sockets in a system.
> Sometimes a firewall can pass packets due to its malfunction or not
> accurate settings.
> If there are no extra sockets it is much much better for security.

Can you please elaborate? The security benefits are not very clear to
me.

There are some misconceptions. Binding a socket to an address doesn't
mean it will not receive packets from other interfaces. For example,
if eth1 has ADDR1 and eth2 has ADDR2, and chronyd is configured to
listen only on ADDR1, I think on a typical system it will respond to
requests sent to ADDR1 no matter if they are received from eth1 or
eth2.

There are exceptions to this like the loopback range (127.0.0.0/8)
which the kernel should drop as "martian packets" if received from
real network interfaces, so default bindcmdaddress of 127.0.0.1 should
prevent responding to requests from network.

-- 
Miroslav Lichvar


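Editor's added example, not chrony's code and not part of the thread: a small C program that shows the IP_PKTINFO mechanism Miroslav describes later in the thread (chronyd relies on it to learn the destination address of a request) applied to the misconception addressed in the message above. The responder binds 0.0.0.0 and, for every datagram, reads from the ancillary data both the local address the client sent to (ipi_addr) and the index of the interface the packet really arrived on (ipi_ifindex). The second value is what a per-interface policy needs: binding to ADDR1 alone does not stop the kernel delivering a request for ADDR1 that came in via eth2, but a daemon that knows the arrival interface can drop it. The names pktinfo_loopback_demo, recv_with_pktinfo, arrived_on_allowed_ifindex and struct pktinfo_v4 are mine; the code assumes Linux and exercises itself over the loopback interface only.

```c
/* Added example (not chrony's own code): a UDP responder bound to 0.0.0.0
 * that uses IP_PKTINFO to learn, per datagram, which local address the client
 * targeted and which interface the packet arrived on.  The arrival ifindex is
 * what a per-interface policy needs: binding to ADDR1 alone does not stop the
 * kernel delivering a request for ADDR1 that came in via eth2.  Linux only. */
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Same layout as Linux's struct in_pktinfo, declared locally (hypothetical
 * name) so the file builds without _GNU_SOURCE. */
struct pktinfo_v4 { int ifindex; struct in_addr spec_dst, addr; };

struct request_info {
    char dst_addr[INET_ADDRSTRLEN];     /* address the client sent to (ipi_addr) */
    unsigned int ifindex;               /* interface it arrived on (ipi_ifindex) */
    ssize_t len;                        /* payload length, -1 on error */
};

/* Receive one datagram and extract the IP_PKTINFO ancillary data. */
struct request_info recv_with_pktinfo(int fd, char *buf, size_t buflen)
{
    struct request_info info = { "", 0, -1 };
    char cbuf[CMSG_SPACE(sizeof(struct pktinfo_v4))];
    struct sockaddr_in from;
    struct iovec iov = { buf, buflen };
    struct msghdr msg;

    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &from;       msg.msg_namelen = sizeof(from);
    msg.msg_iov = &iov;         msg.msg_iovlen = 1;
    msg.msg_control = cbuf;     msg.msg_controllen = sizeof(cbuf);
    info.len = recvmsg(fd, &msg, 0);
    if (info.len < 0)
        return info;                    /* cbuf is uninitialised on failure */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct pktinfo_v4 pi;
            memcpy(&pi, CMSG_DATA(c), sizeof(pi));  /* CMSG_DATA may be unaligned */
            inet_ntop(AF_INET, &pi.addr, info.dst_addr, sizeof(info.dst_addr));
            info.ifindex = (unsigned int)pi.ifindex;
        }
    }
    return info;
}

/* Policy hook, the userspace equivalent of a per-interface bind:
 * 1 if the request arrived on an allowed interface, 0 if it should be dropped. */
int arrived_on_allowed_ifindex(const struct request_info *info,
                               const unsigned int *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == info->ifindex)
            return 1;
    return 0;
}

/* Loopback self-test: 0 when the recovered destination is 127.0.0.1 and the
 * arrival interface is "lo"; a non-zero code identifies the failing step. */
int pktinfo_loopback_demo(void)
{
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    int on = 1, rc = 1;
    struct sockaddr_in sa, dst;
    socklen_t sl = sizeof(sa);
    char payload[48] = { 0 };           /* constructed request, NTP packet size */
    char buf[64];
    struct request_info info;
    unsigned int lo = if_nametoindex("lo");

    if (srv < 0 || cli < 0)
        goto out;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY); /* wildcard bind, like chronyd's default */
    rc = 2;
    if (setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &on, sizeof(on)) < 0 ||
        bind(srv, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        getsockname(srv, (struct sockaddr *)&sa, &sl) < 0)
        goto out;
    dst = sa;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    rc = 3;
    if (sendto(cli, payload, sizeof(payload), 0, (struct sockaddr *)&dst,
               sizeof(dst)) != (ssize_t)sizeof(payload))
        goto out;
    info = recv_with_pktinfo(srv, buf, sizeof(buf));
    rc = 4;
    if (info.len != (ssize_t)sizeof(payload) || strcmp(info.dst_addr, "127.0.0.1"))
        goto out;
    rc = 5;
    if (lo == 0 || !arrived_on_allowed_ifindex(&info, &lo, 1))
        goto out;
    rc = 0;
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return rc;
}
```

On a multihomed host the same recv_with_pktinfo call tells the daemon that a request for the LAN address arrived with the DMZ interface's ifindex, which is exactly the case the tcpdump test in this thread demonstrates; a wildcard-bound socket plus this check gives the effect the original poster wanted from multiple binddevice lines, while the reply still has to be sent from ipi_addr so the client sees the address it asked.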



Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-08-30 Thread CpServiceSPb
 > Why is it not good? Is it meant to be a security measure? Would firewall
not work better?
There are sockets in a system.
Sometimes a firewall can pass packets due to its malfunction or not
accurate settings.
If there are no extra sockets it is much much better for security.

> For compatibility with current configuration, which effectively applies
> only the last occurrence per IPv4/IPv6, I think it would need to be
> specified on one line like this
> bindaddress 192.168.0.0/24 172.10.0.0/24
It seems very good way in the case.

> It can be implemented, but there should be a good use case for it.
I liked Chrony and will use it instead of NTPd on 3 of 5 interfaces of the
server.
One thing that stopped me from using Chrony on a real server is lack of
multiple bindings.






Wed, 30 Aug 2023 at 11:40, Miroslav Lichvar :

> On Wed, Aug 30, 2023 at 10:19:56AM +0300, CpServiceSPb wrote:
> > There are some multihomed computers which have several network
> interfaces,
> > for example lan, wifi1, wifi2, dmz, wan.
> > At the time chrony is bound either to 0.0.0.0 address, which is
> meaning "
> > listen on every available network interface " or only once specified
> > interface/address by "bind..." directives.
> > Yes, there is "allow" directive as well.
> > But anyway there is listening to all the interfaces remaining, that is
> not
> > good.
>
> Why is it not good? Is it meant to be a security measure? Would
> firewall not work better?
>
> > Dear developers, please add availability of binding to several interfaces
> > specified in conf file may be  by specifying multiple times of binddevice
> > or bindaddress, for example:
> > bindaddress 192.168.0.0/24 # lan
> > bindaddress 172.10.0.0/24 # dmz
>
> For compatibility with current configuration, which effectively
> applies only the last occurrence per IPv4/IPv6, I think it would need
> to be specified on one line like this
>
> bindaddress 192.168.0.0/24 172.10.0.0/24
>
> It can be implemented, but there should be a good use case for it.
>
> --
> Miroslav Lichvar
>
>


Re: [chrony-dev] Multihomed (multiple) network interfaces support !

2023-08-30 Thread Miroslav Lichvar
On Wed, Aug 30, 2023 at 10:19:56AM +0300, CpServiceSPb wrote:
> There are some multihomed computers which have several network interfaces,
> for example lan, wifi1, wifi2, dmz, wan.
> At the time chrony is bound either to 0.0.0.0 address, which is meaning "
> listen on every available network interface " or only once specified
> interface/address by "bind..." directives.
> Yes, there is "allow" directive as well.
> But anyway there is listening to all the interfaces remaining, that is not
> good.

Why is it not good? Is it meant to be a security measure? Would
firewall not work better?

> Dear developers, please add availability of binding to several interfaces
> specified in conf file may be  by specifying multiple times of binddevice
> or bindaddress, for example:
> bindaddress 192.168.0.0/24 # lan
> bindaddress 172.10.0.0/24 # dmz

For compatibility with current configuration, which effectively
applies only the last occurrence per IPv4/IPv6, I think it would need
to be specified on one line like this

bindaddress 192.168.0.0/24 172.10.0.0/24

It can be implemented, but there should be a good use case for it.

-- 
Miroslav Lichvar

