Re: [OpenIndiana-discuss] NTP not starting in Zones

2018-09-17 Thread Brian Wilson
On Thu, Sep 13, 2018 at 1:08 PM Jonathan Adams wrote:

> strange, I prefer to run all my daemons in a zone as it keeps them separate
> from the core operating system, and reduces the access to resources.
>
> it's easy for a global zone to access the resources of the child, it's hard
> for the child to access the global zone.
>
>
Unless you give the child zone the privileges it needs to do so - like
sys_time.  Though I don't know that that one's a big deal.
I would take the opposite approach - lock down logins to the global zone
and run privileged 'global' services like NTP, monitoring, backups and/or
NFS there, and then keep the child/local zones as thin as possible so that
the processes running in the zone that faced the Internet were minimal.


> On Thu, 13 Sep 2018 at 18:22, Bob Friesenhahn <bfrie...@simple.dallas.tx.us> wrote:
>
> > On Thu, 13 Sep 2018, Alexander Pyhalov via openindiana-discuss wrote:
> >
> > > Hello.
> > > What is the point of running ntp in a zone?
> > > NTP running in the GZ will take care of the system time.
> >
> > The main reason is usually security.  Running network daemons inside
> > of zones helps avoid problems if there is a security issue with the
> > daemon.
> >
> > I run named and ntp in the global zone since I worry that the host
> > could have some dependencies on these protocols which impacts clean
> > booting.
> >
> > Bob
> > --
> > Bob Friesenhahn
> > bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> > GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
> >
___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss


Re: [OpenIndiana-discuss] NTP not starting in Zones

2018-09-13 Thread Jonathan Adams
you have a good point about the order of services ... I'm just saying it
was strange that you considered it "safer" to run the daemons in the global
zone, as I'm kinda paranoid about that sort of thing myself.

Jon

On Thu, 13 Sep 2018 at 19:19, Bob Friesenhahn wrote:

> On Thu, 13 Sep 2018, Jonathan Adams wrote:
>
> > strange, I prefer to run all my daemons in a zone as it keeps them separate
> > from the core operating system, and reduces the access to resources.
> >
> > it's easy for a global zone to access the resources of the child, it's hard
> > for the child to access the global zone.
>
> The host (global zone) is booted prior to the zone and so it can not
> use the services of the zone until the zone is booted.  If the DNS
> server is running in the zone then some other means needs to be used
> for hostname/IP resolution while it is down.  The zone is typically
> down while booting and during system updates.
>
> I don't see how this could be considered "strange".
>
> Bob
> --
> Bob Friesenhahn
> bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
>


Re: [OpenIndiana-discuss] NTP not starting in Zones

2018-09-13 Thread Bob Friesenhahn

On Thu, 13 Sep 2018, Jonathan Adams wrote:

> strange, I prefer to run all my daemons in a zone as it keeps them separate
> from the core operating system, and reduces the access to resources.
>
> it's easy for a global zone to access the resources of the child, it's hard
> for the child to access the global zone.

The host (global zone) is booted prior to the zone and so it can not 
use the services of the zone until the zone is booted.  If the DNS 
server is running in the zone then some other means needs to be used 
for hostname/IP resolution while it is down.  The zone is typically 
down while booting and during system updates.


I don't see how this could be considered "strange".

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/



Re: [OpenIndiana-discuss] NTP not starting in Zones

2018-09-13 Thread Jonathan Adams
strange, I prefer to run all my daemons in a zone as it keeps them separate
from the core operating system, and reduces the access to resources.

it's easy for a global zone to access the resources of the child, it's hard
for the child to access the global zone.

On Thu, 13 Sep 2018 at 18:22, Bob Friesenhahn wrote:

> On Thu, 13 Sep 2018, Alexander Pyhalov via openindiana-discuss wrote:
>
> > Hello.
> > What is the point of running ntp in a zone?
> > NTP running in the GZ will take care of the system time.
>
> The main reason is usually security.  Running network daemons inside
> of zones helps avoid problems if there is a security issue with the
> daemon.
>
> I run named and ntp in the global zone since I worry that the host
> could have some dependencies on these protocols which impacts clean
> booting.
>
> Bob
> --
> Bob Friesenhahn
> bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
>


Re: [OpenIndiana-discuss] NTP not starting in Zones

2018-09-13 Thread Bob Friesenhahn

On Thu, 13 Sep 2018, Alexander Pyhalov via openindiana-discuss wrote:

> Hello.
> What is the point of running ntp in a zone?
> NTP running in the GZ will take care of the system time.


The main reason is usually security.  Running network daemons inside 
of zones helps avoid problems if there is a security issue with the 
daemon.


I run named and ntp in the global zone since I worry that the host 
could have some dependencies on these protocols which impacts clean 
booting.


Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/



Re: [OpenIndiana-discuss] NTP not starting in Zones

2018-09-13 Thread Jonathan Adams
https://docs.oracle.com/cd/E19044-01/sol.containers/817-1592/z.admin.ov-18/index.html

seems to imply that the privilege is just "sys_time"

On Thu, 13 Sep 2018 at 09:53, Jonathan Adams wrote:

> I got ntp working inside a zone, by granting a privilege in the master (in
> zonecfg) and modifying the svc script in the client to not reject it ...
> but it was many years ago.
>
> the reason I did it, in that case, was that the parent zone didn't have
> access to the internet, but the child zone did.
>
> I'm trying to find the server that did this, but I think it got rebuilt in
> the end.
>
> Jon
>
>
> On Thu, 13 Sep 2018 at 09:11, Alexander Pyhalov via openindiana-discuss <openindiana-discuss@openindiana.org> wrote:
>
>> Hello.
>> What is the point of running ntp in a zone?
>> NTP running in the GZ will take care of the system time.
>>
>> Best regards,
>> Alexander Pyhalov,
>> programmer, Telecommunications Infrastructure Department,
>> Directorate of Information and Communication Infrastructure, SFedU
>>
>>
>> ____
>> From: Till Wegmüller
>> Sent: 12 September 2018 23:59:36
>> To: Discussion list for OpenIndiana
>> Subject: [OpenIndiana-discuss] NTP not starting in Zones
>>
>> Hello fellow Community
>>
>> For some time now I have been getting the following error from ntp inside all my zones.
>>
>> --
>> [ Sep 11 06:54:40 Enabled. ]
>> [ Sep 11 06:54:41 Executing start method ("/lib/svc/method/ntp start"). ]
>> [ Sep 11 06:54:41 svc.startd could not set context for method:  ]
>> setppriv: Not owner
>> [ Sep 11 06:54:41 Method "start" exited with status 96. ]
>> [ Sep 11 07:08:18 Leaving maintenance because disable requested. ]
>> [ Sep 11 07:08:18 Disabled. ]
>> [ Sep 11 15:58:33 Enabled. ]
>> [ Sep 11 15:58:33 Executing start method ("/lib/svc/method/ntp start"). ]
>> [ Sep 11 15:58:33 svc.startd could not set context for method:  ]
>> setppriv: Not owner
>> [ Sep 11 15:58:33 Method "start" exited with status 96. ]
>> --
>>
>> Does anybody know what ntp or rather smf is complaining about?
>> Is ntp not supposed to be installed inside zones? If so, wouldn't it make
>> sense to configure ntp as variant global?
>>
>> Would love to hear what you know about this.
>> Greetings
>> Till
>>


Re: [OpenIndiana-discuss] NTP not starting in Zones

2018-09-13 Thread Jonathan Adams
I got ntp working inside a zone, by granting a privilege in the master (in
zonecfg) and modifying the svc script in the client to not reject it ...
but it was many years ago.

the reason I did it, in that case, was that the parent zone didn't have
access to the internet, but the child zone did.

I'm trying to find the server that did this, but I think it got rebuilt in
the end.

Jon


On Thu, 13 Sep 2018 at 09:11, Alexander Pyhalov via openindiana-discuss <openindiana-discuss@openindiana.org> wrote:

> Hello.
> What is the point of running ntp in a zone?
> NTP running in the GZ will take care of the system time.
>
> Best regards,
> Alexander Pyhalov,
> programmer, Telecommunications Infrastructure Department,
> Directorate of Information and Communication Infrastructure, SFedU
>
>
> 
> From: Till Wegmüller
> Sent: 12 September 2018 23:59:36
> To: Discussion list for OpenIndiana
> Subject: [OpenIndiana-discuss] NTP not starting in Zones
>
> Hello fellow Community
>
> For some time now I have been getting the following error from ntp inside all my zones.
>
> --
> [ Sep 11 06:54:40 Enabled. ]
> [ Sep 11 06:54:41 Executing start method ("/lib/svc/method/ntp start"). ]
> [ Sep 11 06:54:41 svc.startd could not set context for method:  ]
> setppriv: Not owner
> [ Sep 11 06:54:41 Method "start" exited with status 96. ]
> [ Sep 11 07:08:18 Leaving maintenance because disable requested. ]
> [ Sep 11 07:08:18 Disabled. ]
> [ Sep 11 15:58:33 Enabled. ]
> [ Sep 11 15:58:33 Executing start method ("/lib/svc/method/ntp start"). ]
> [ Sep 11 15:58:33 svc.startd could not set context for method:  ]
> setppriv: Not owner
> [ Sep 11 15:58:33 Method "start" exited with status 96. ]
> --
>
> Does anybody know what ntp or rather smf is complaining about?
> Is ntp not supposed to be installed inside zones? If so, wouldn't it make
> sense to configure ntp as variant global?
>
> Would love to hear what you know about this.
> Greetings
> Till
>
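The diagnosis that the two messages from Jonathan Adams describe (the zone's SMF log showing "setppriv: Not owner" for the ntp start method, and the sys_time privilege granted to the zone through zonecfg) as an added shell example; this is not code from the thread or from OpenIndiana, and the limitpriv lines and the log excerpt are constructed samples shaped like the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an SMF
# "setppriv: Not owner" failure for ntp in a non-global zone is explained
# by a missing sys_time privilege. Inputs are constructed samples; on a real
# OpenIndiana host feed it the output of `zonecfg -z ZONE info limitpriv`
# (run in the global zone) and the zone's /var/svc/log/network-ntp:default.log.

# Constructed: `zonecfg ... info limitpriv` for a zone left at its default
# privilege set (empty value) and for one that was granted sys_time.
ZONE_LIMITPRIV_DEFAULT='limitpriv: '
ZONE_LIMITPRIV_NTP='limitpriv: default,sys_time'

# Constructed SMF log excerpt in the shape shown in the thread.
NTP_SVC_LOG='[ Sep 11 06:54:41 Executing start method ("/lib/svc/method/ntp start"). ]
[ Sep 11 06:54:41 svc.startd could not set context for method:  ]
setppriv: Not owner
[ Sep 11 06:54:41 Method "start" exited with status 96. ]'

# has_sys_time LIMITPRIV_LINE: succeed when sys_time is listed. The default
# zone privilege set does not include sys_time, so an empty value fails.
has_sys_time() {
    printf '%s\n' "$1" | sed 's/^limitpriv: *//' | tr ',' '\n' | grep -qx 'sys_time'
}

# count_setppriv_failures LOG_TEXT: how many times svc.startd could not set
# the method context because a privilege the method asks for is unavailable.
count_setppriv_failures() {
    printf '%s\n' "$1" | grep -c 'setppriv: Not owner'
}

# diagnose LIMITPRIV_LINE LOG_TEXT: prints ok | missing-sys_time | unknown.
diagnose() {
    if has_sys_time "$1"; then
        echo ok
    elif [ "$(count_setppriv_failures "$2")" -gt 0 ]; then
        # Remedy, applied from the global zone:
        #   zonecfg -z ZONE set limitpriv=default,sys_time
        echo missing-sys_time
    else
        echo unknown
    fi
}

# Stand-alone run over the constructed samples.
diagnose "$ZONE_LIMITPRIV_DEFAULT" "$NTP_SVC_LOG"
diagnose "$ZONE_LIMITPRIV_NTP" "$NTP_SVC_LOG"
```

A "setppriv: Not owner" line only says that some privilege requested in the method context was not available to the zone, so the verdict above is meaningful for the ntp service and should be re-checked with the service's own manifest for other daemons.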


Re: [OpenIndiana-discuss] NTP not starting in Zones

2018-09-13 Thread Alexander Pyhalov via openindiana-discuss
Hello.
What is the point of running ntp in a zone?
NTP running in the GZ will take care of the system time.

Best regards,
Alexander Pyhalov,
programmer, Telecommunications Infrastructure Department,
Directorate of Information and Communication Infrastructure, SFedU



From: Till Wegmüller
Sent: 12 September 2018 23:59:36
To: Discussion list for OpenIndiana
Subject: [OpenIndiana-discuss] NTP not starting in Zones

Hello fellow Community

For some time now I have been getting the following error from ntp inside all my zones.

--
[ Sep 11 06:54:40 Enabled. ]
[ Sep 11 06:54:41 Executing start method ("/lib/svc/method/ntp start"). ]
[ Sep 11 06:54:41 svc.startd could not set context for method:  ]
setppriv: Not owner
[ Sep 11 06:54:41 Method "start" exited with status 96. ]
[ Sep 11 07:08:18 Leaving maintenance because disable requested. ]
[ Sep 11 07:08:18 Disabled. ]
[ Sep 11 15:58:33 Enabled. ]
[ Sep 11 15:58:33 Executing start method ("/lib/svc/method/ntp start"). ]
[ Sep 11 15:58:33 svc.startd could not set context for method:  ]
setppriv: Not owner
[ Sep 11 15:58:33 Method "start" exited with status 96. ]
--

Does anybody know what ntp or rather smf is complaining about?
Is ntp not supposed to be installed inside zones? If so, wouldn't it make
sense to configure ntp as variant global?

Would love to hear what you know about this.
Greetings
Till



Re: [OpenIndiana-discuss] NTP not starting in Zones

2018-09-12 Thread Jerry Kemp
Maybe I'm doing it wrong, but I typically only set time/run NTP in
the Global zone, and my observations are that NTP in
the Global zone will take care of the GZ, HW time and everything else.

As such, I do not run NTP, or do anything else to set time, aside from 
configuring the TZ (time zone) in local zones.

This has generally served me well since the Solaris 10 betas.  I wouldn't
expect a local zone to be able to access the HW clock.

Am I doing this wrong?

Jerry




 Original Message 
From: Till Wegmüller
Sent: Wed, Sep 12, 2018 3:59 PM CDT
To: Discussion list for OpenIndiana
Subject: [OpenIndiana-discuss] NTP not starting in Zones

Hello fellow Community

For some time now I have been getting the following error from ntp inside all my zones.

--
[ Sep 11 06:54:40 Enabled. ]
[ Sep 11 06:54:41 Executing start method ("/lib/svc/method/ntp start"). ]
[ Sep 11 06:54:41 svc.startd could not set context for method:  ]
setppriv: Not owner
[ Sep 11 06:54:41 Method "start" exited with status 96. ]
[ Sep 11 07:08:18 Leaving maintenance because disable requested. ]
[ Sep 11 07:08:18 Disabled. ]
[ Sep 11 15:58:33 Enabled. ]
[ Sep 11 15:58:33 Executing start method ("/lib/svc/method/ntp start"). ]
[ Sep 11 15:58:33 svc.startd could not set context for method:  ]
setppriv: Not owner
[ Sep 11 15:58:33 Method "start" exited with status 96. ]
--

Does anybody know what ntp or rather smf is complaining about?
Is ntp not supposed to be installed inside zones? If so, wouldn't it make
sense to configure ntp as variant global?

Would love to hear what you know about this.
Greetings
Till



Re: [OpenIndiana-discuss] NTP not starting in Zones

2018-09-12 Thread Till Wegmüller
Hi

No, unfortunately not.
SMF Manifest has:








and
~# ls -alh /lib/svc/method/ntp
-r-xr-xr-x   1 root bin3.26K Feb 22  2018 /lib/svc/method/ntp

~# ls -alh /usr/lib/inet/ntpd
-r-xr-xr-x   1 root bin1.20M Sep  9 22:53 /usr/lib/inet/ntpd

Unfortunately not. Or do I need to check on another spot?

-Till
On 09/12/18 11:08 PM, ken mays via openindiana-discuss wrote:
> Check owner status (non-root)...~K
>
> On Wednesday, September 12, 2018, 2:01:29 PM PDT, Till Wegmüller wrote:
>
> Hello fellow Community
> 
> For some time now I have been getting the following error from ntp inside all my zones.
> 
> --
> [ Sep 11 06:54:40 Enabled. ]
> [ Sep 11 06:54:41 Executing start method ("/lib/svc/method/ntp start"). ]
> [ Sep 11 06:54:41 svc.startd could not set context for method:  ]
> setppriv: Not owner
> [ Sep 11 06:54:41 Method "start" exited with status 96. ]
> [ Sep 11 07:08:18 Leaving maintenance because disable requested. ]
> [ Sep 11 07:08:18 Disabled. ]
> [ Sep 11 15:58:33 Enabled. ]
> [ Sep 11 15:58:33 Executing start method ("/lib/svc/method/ntp start"). ]
> [ Sep 11 15:58:33 svc.startd could not set context for method:  ]
> setppriv: Not owner
> [ Sep 11 15:58:33 Method "start" exited with status 96. ]
> --
> 
> Does anybody know what ntp or rather smf is complaining about?
> Is ntp not supposed to be installed inside zones? If so, wouldn't it make
> sense to configure ntp as variant global?
> 
> Would love to hear what you know about this.
> Greetings
> Till
> 


Re: [OpenIndiana-discuss] NTP not starting in Zones

2018-09-12 Thread ken mays via openindiana-discuss
Check owner status (non-root)...~K

On Wednesday, September 12, 2018, 2:01:29 PM PDT, Till Wegmüller wrote:

Hello fellow Community

For some time now I have been getting the following error from ntp inside all my zones.

--
[ Sep 11 06:54:40 Enabled. ]
[ Sep 11 06:54:41 Executing start method ("/lib/svc/method/ntp start"). ]
[ Sep 11 06:54:41 svc.startd could not set context for method:  ]
setppriv: Not owner
[ Sep 11 06:54:41 Method "start" exited with status 96. ]
[ Sep 11 07:08:18 Leaving maintenance because disable requested. ]
[ Sep 11 07:08:18 Disabled. ]
[ Sep 11 15:58:33 Enabled. ]
[ Sep 11 15:58:33 Executing start method ("/lib/svc/method/ntp start"). ]
[ Sep 11 15:58:33 svc.startd could not set context for method:  ]
setppriv: Not owner
[ Sep 11 15:58:33 Method "start" exited with status 96. ]
--

Does anybody know what ntp or rather smf is complaining about?
Is ntp not supposed to be installed inside zones? If so, wouldn't it make
sense to configure ntp as variant global?

Would love to hear what you know about this.
Greetings
Till



[OpenIndiana-discuss] NTP not starting in Zones

2018-09-12 Thread Till Wegmüller
Hello fellow Community

For some time now I have been getting the following error from ntp inside all my zones.

--
[ Sep 11 06:54:40 Enabled. ]
[ Sep 11 06:54:41 Executing start method ("/lib/svc/method/ntp start"). ]
[ Sep 11 06:54:41 svc.startd could not set context for method:  ]
setppriv: Not owner
[ Sep 11 06:54:41 Method "start" exited with status 96. ]
[ Sep 11 07:08:18 Leaving maintenance because disable requested. ]
[ Sep 11 07:08:18 Disabled. ]
[ Sep 11 15:58:33 Enabled. ]
[ Sep 11 15:58:33 Executing start method ("/lib/svc/method/ntp start"). ]
[ Sep 11 15:58:33 svc.startd could not set context for method:  ]
setppriv: Not owner
[ Sep 11 15:58:33 Method "start" exited with status 96. ]
--

Does anybody know what ntp or rather smf is complaining about?
Is ntp not supposed to be installed inside zones? If so, wouldn't it make
sense to configure ntp as variant global?

Would love to hear what you know about this.
Greetings
Till
