NTP server: no name resolution in a CHROOT?

Hello,
debian lenny 2.6.26-2 x686
I installed ntp with the following config file:

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
logfile /var/log/ntpd
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>

server 0.debian.pool.ntp.org iburst dynamic
server 1.debian.pool.ntp.org iburst dynamic
server 2.debian.pool.ntp.org iburst dynamic
server 3.debian.pool.ntp.org iburst dynamic
#server ntp.univ-lyon1.fr
#server ntp.imag.fr
#server ntp.laas.fr
#server ntp.unilim.fr
server 127.127.1.0
fudge 127.127.0.0 stratum 10


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
#restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
#restrict 172.16.1.0 mask 255.255.255.0 nomodify notrap



# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 172.16.1.0 mask 255.255.0.0
broadcast 192.168.1.0 mask 255.255.255.0


# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

The jail consists of a chrooted directory with all the required files, since the daemon starts in the jail without any problem (chroot /prison /usr/sbin/ntpd -p $pidfilerelatifenprison -u $user:$group)

When I start it outside the jail, ntpq -p gives satisfactory results. When I start it jailed, ntpq -p returns a timed out request…
Note that the PROC directory is mounted at the root of the jail. The firewall is open, since it works outside the jail…

Why does it do that?

This is outside the jail:

[code]#/home/CHROOT/ntpd/>ntpq -p
remote refid st t when poll reach delay offset jitter

*ddb3.europeacon 138.96.64.10 2 u 17 64 377 602.197 72.647 101.469
+web01.ookoo.org 145.238.203.14 2 u 35 64 377 635.538 54.671 103.058
dnscache-paris. 140.203.204.77 2 u 469 64 200 616.277 69.821 10.814
+ks35603.kimsufi 91.121.45.45 3 u 25 64 377 600.334 77.057 29.078
LOCAL(0) .LOCL. 5 l 59 64 377 0.000 0.000 0.001
[/code]

This is inside:

[code]#/home/CHROOT/ntpd/>ntpq -p
localhost: timed out, nothing received
***Request timed out
[/code]

in the chroot
ifconfig
did you copy /etc/resolv.conf into the chroot?
does ntp need the network?
ping localhost
is the /etc/hosts file present?

In order:
No, I did not put resolv.conf in; I'll do that and see.

Need the network? Well yes, in NTP server mode I think it needs it to broadcast to the clients. But the daemon starts without any issue. If it had an issue it would not start… it's odd.

Yes, ping works fine, and ping to 127.127.1.0 too.

[code]#/etc/apt/>ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.027 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.017 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.018 ms
^C
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.017/0.020/0.027/0.006 ms
#/etc/apt/>ping 127.127.1.0
PING 127.127.1.0 (127.127.1.0) 56(84) bytes of data.
64 bytes from 127.127.1.0: icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from 127.127.1.0: icmp_seq=2 ttl=64 time=0.017 ms
64 bytes from 127.127.1.0: icmp_seq=3 ttl=64 time=0.017 ms
^C
--- 127.127.1.0 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.017/0.017/0.018/0.003 ms
[/code]

No, the hosts file is not in the chroot; I'll try that too.

Here are the recurring messages in the jail:

7 May 11:13:34 ntpd[21723]: frequency initialized 0.000 PPM from /var/lib/ntp/ntp.drift
7 May 11:13:34 ntpd[21723]: open failed for /tmp/ntpjq5vAw: No such file or directory
7 May 11:13:34 ntpd[21723]: open failed for /tmp/ntpMEeM0S: No such file or directory
7 May 11:13:34 ntpd[21723]: open failed for /tmp/ntphq8Tqf: No such file or directory
7 May 11:13:34 ntpd[21723]: open failed for /tmp/ntpykARQB: No such file or directory
7 May 11:13:34 ntpd[21723]: open failed for /tmp/ntpTO3GgY: No such file or directory
7 May 11:13:34 ntpd[21723]: getaddrinfo: "127.127.0.0" invalid host address, ignored
7 May 11:13:34 ntpd[21723]: getaddrinfo: "127.0.0.1" invalid host address, ignored
7 May 11:13:34 ntpd[21723]: getaddrinfo: "192.168.1.0" invalid host address, ignored
7 May 11:13:34 ntpd[21723]: configure: keyword "mask" unknown, line ignored
7 May 11:13:34 ntpd[21723]: configure: keyword "255.255.255.0" unknown, line ignored
7 May 12:14:37 ntpd[21723]: ntpd exiting on signal 15

Here are the messages outside the jail…

7 May 14:03:53 ntpd[21639]: frequency initialized 26.058 PPM from /var/lib/ntp/ntp.drift
7 May 14:04:02 ntpd[21639]: configure: keyword "mask" unknown, line ignored
7 May 14:04:02 ntpd[21639]: configure: keyword "255.255.255.0" unknown, line ignored
7 May 14:04:21 ntpd[21639]: synchronized to 213.251.173.182, stratum 3
7 May 14:04:20 ntpd[21639]: time reset -0.170599 s
7 May 14:04:20 ntpd[21639]: kernel time sync status change 4001
7 May 14:05:06 ntpd[21639]: ntpd exiting on signal 15
7 May 15:40:57 ntpd[21986]: frequency initialized 26.058 PPM from /var/lib/ntp/ntp.drift
7 May 15:41:04 ntpd[21986]: configure: keyword "mask" unknown, line ignored
7 May 15:41:04 ntpd[21986]: configure: keyword "255.255.255.0" unknown, line ignored
7 May 15:41:13 ntpd[21986]: synchronized to 88.191.108.178, stratum 2
7 May 15:41:13 ntpd[21986]: time reset +0.331341 s
7 May 15:41:13 ntpd[21986]: kernel time sync status change 4001
7 May 15:45:04 ntpd[21986]: synchronized to LOCAL(0), stratum 5
7 May 15:45:04 ntpd[21986]: kernel time sync status change 0001
7 May 15:45:51 ntpd[21986]: synchronized to 88.191.108.178, stratum 2
7 May 15:58:48 ntpd[21986]: synchronized to 91.121.45.45, stratum 2
7 May 16:00:07 ntpd[21986]: ntpd exiting on signal 15

It takes subnets for nodes…

is /tmp present?
mount -o bind /tmp /chroot/tmp
to test

iptables or selinux rules blocking the listening port?
(I don't know the filtering rules…)

netstat -an
inside and outside the chroot

I fixed the tmp problem by recreating a tmp in the jail. But the network is still a problem: there is no name resolution when looking up time servers inside the jail.

The service is indeed running

[code]
25560 pts/0 00:00:00 bash
26252 ? 00:00:00 ntpd
26260 pts/0 00:00:00 ps
[/code]

An ifconfig in the jail works perfectly.
A netstat too, the service is on port 123…

IPV4
udp        0      0 192.168.1.87:123        *:*
udp        0      0 172.16.3.1:123          *:*
udp        0      0 172.16.2.1:123          *:*
udp        0      0 172.16.1.1:123          *:*
udp        0      0 172.16.0.1:123          *:*
udp        0      0 127.0.0.1:123           *:*
udp        0      0 *:123                   *:*
IPV6
udp6       0      0 fe80::21b:21ff:fe3e:123 [::]:*
udp6       0      0 fe80::224:e8ff:fe3f:123 [::]:*
udp6       0      0 fe80::224:e8ff:fe3f:123 [::]:*
udp6       0      0 fe80::224:e8ff:fe3f:123 [::]:*
udp6       0      0 ::1%3214874536:123      [::]:*
udp6       0      0 [::]:123                [::]:*

Making progress…
I modified the ntp script in init.d

OPT=" -i /home/CHROOT/ntpd/"
#chroot $CHROOT $DAEMON -p $PIDFILE -u $UGID $NTPD_OPTS
start-stop-daemon --start --quiet --oknodo --pidfile $CHROOT$PIDFILE --startas $DAEMON -- -p $CHROOT$PIDFILE -u $UGID $NTPD_OPTS $OPT

The result is something that works, but… there is nothing chrooted in there… the ntpd.log in the jail is no longer updated.

Here is the ntpq -p with this approach (option -i …)

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp.tuxfamily.n 145.238.203.14   2 u  154   64  374  1863.54  -554.48 406.560
 imag.imag.fr    193.52.184.106   2 u   24   64  377  1045.41  -126.55 498.584
 LOCAL(0)        .LOCL.           5 l   26   64  377    0.000    0.000   0.001
*diane.ensma.fr  193.204.114.232  2 u   46   64  377  1321.49  -262.91  71.812
 digi00161.digic 87.98.160.237    3 u  165   64  364  1585.25  -458.01  87.668

Is there really no way to use chroot to start the daemon jailed from the start??
With the chroot command, the following results (log/ifconfig/netstat):
log:

11 May 11:09:01 ntpd[26908]: frequency initialized 29.511 PPM from /var/lib/ntp/ntp.drift
11 May 11:09:01 ntpd[26908]: getaddrinfo: "127.127.0.0" invalid host address, ignored
11 May 11:09:01 ntpd[26908]: getaddrinfo: "127.0.0.1" invalid host address, ignored
11 May 11:09:01 ntpd[26908]: getaddrinfo: "::1" invalid host address, ignored
11 May 11:09:01 ntpd[26908]: getaddrinfo: "192.168.1.0" invalid host address, ignored
11 May 11:09:03 ntpd[26911]: host name not found: pool.ntp.org
11 May 11:09:03 ntpd[26911]: couldn't resolve `pool.ntp.org', giving up on it
11 May 11:09:03 ntpd[26911]: getaddrinfo failed: No such file or directory

ifconfig:

chroot /home/CHROOT/ntpd ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1b:21:3e:f1:a8
          inet addr:192.168.1.87  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:21ff:fe3e:f1a8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:453738 errors:0 dropped:0 overruns:0 frame:0
          TX packets:82199 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:39617120 (37.7 MiB)  TX bytes:25036994 (23.8 MiB)
          Memory:df9c0000-df9e0000

eth4      Link encap:Ethernet  HWaddr 00:24:e8:3f:b0:b5
          inet addr:172.16.0.1  Bcast:172.16.255.255  Mask:255.255.0.0
          inet6 addr: fe80::224:e8ff:fe3f:b0b5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:36 Memory:d6000000-d6012100

eth5      Link encap:Ethernet  HWaddr 00:24:e8:3f:b0:b7
          inet addr:172.16.1.1  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::224:e8ff:fe3f:b0b7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:48 Memory:d8000000-d8012100

eth6      Link encap:Ethernet  HWaddr 00:24:e8:3f:b0:b9
          inet addr:172.16.2.1  Bcast:172.16.2.255  Mask:255.255.255.0
          inet6 addr: fe80::224:e8ff:fe3f:b0b9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:32 Memory:da000000-da012100

eth7      Link encap:Ethernet  HWaddr 00:24:e8:3f:b0:bb
          inet addr:172.16.3.1  Bcast:172.16.3.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:42 Memory:dc000000-dc012100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1023 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1023 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:159236 (155.5 KiB)  TX bytes:159236 (155.5 KiB)

netstat -an:

#/home/CHROOT/ntpd/>chroot /home/CHROOT/ntpd netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:14321         0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.87:14321      0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:35475           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.87:22         192.168.1.248:49479     ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:10000           0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:842             0.0.0.0:*
udp        0      0 0.0.0.0:37352           0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 192.168.1.87:123        0.0.0.0:*
udp        0      0 172.16.3.1:123          0.0.0.0:*
udp        0      0 172.16.2.1:123          0.0.0.0:*
udp        0      0 172.16.1.1:123          0.0.0.0:*
udp        0      0 172.16.0.1:123          0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 fe80::21b:21ff:fe3e:123 :::*
udp6       0      0 fe80::224:e8ff:fe3f:123 :::*
udp6       0      0 fe80::224:e8ff:fe3f:123 :::*
udp6       0      0 fe80::224:e8ff:fe3f:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  3      [ ]         DGRAM                    171096   /dev/log
unix  2      [ ]         DGRAM                    1682     @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING     5074     /var/run/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     173313
unix  3      [ ]         STREAM     CONNECTED     173312
unix  2      [ ]         DGRAM                    173311
unix  2      [ ]         DGRAM                    166071
unix  2      [ ]         DGRAM                    152658
unix  2      [ ]         STREAM     CONNECTED     149468   /var/run/acpid.socket
unix  2      [ ]         DGRAM                    100423
unix  2      [ ]         DGRAM                    5076

ntpdate:

[code]#/home/CHROOT/ntpd/>chroot /home/CHROOT/ntpd ntpdate -q 127.0.0.1
Error : Servname not supported for ai_socktype
11 May 12:06:58 ntpdate[26992]: can't find host 127.0.0.1

11 May 12:06:58 ntpdate[26992]: no servers can be used, exiting
[/code]
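The symptoms in the last post (`host name not found`, `Servname not supported for ai_socktype` even for 127.0.0.1) are what glibc's getaddrinfo() produces when the jail lacks the resolver's user-space inputs: ifconfig and netstat work in a chroot because they only talk to the kernel, but name and service lookups read /etc files and load NSS modules from inside the jail. The script below is an added example, not from the thread; it checks a chroot directory for those pieces and assumes a glibc-based Debian layout (the jail path /home/CHROOT/ntpd is the thread's).

```shell
#!/bin/sh
# Added example: audit a chroot for the files glibc needs to resolve
# host names and service names. Assumes a glibc/Debian layout.

# Files read at runtime from inside the jail by the resolver and NSS.
RESOLVER_FILES="/etc/resolv.conf /etc/hosts /etc/nsswitch.conf /etc/services /etc/protocols"

# have_nss_module ROOT NAME: true if libnss_NAME.so* exists in a lib dir
# under ROOT. An unmatched glob stays literal and simply fails the -e test.
have_nss_module() {
    for p in "$1"/lib/libnss_$2.so* "$1"/lib/*/libnss_$2.so* \
             "$1"/usr/lib/libnss_$2.so* "$1"/usr/lib/*/libnss_$2.so*; do
        [ -e "$p" ] && return 0
    done
    return 1
}

# missing_resolver_files ROOT: print one line per missing item,
# nothing when the jail is complete.
missing_resolver_files() {
    root="$1"
    for f in $RESOLVER_FILES; do
        [ -e "$root$f" ] || echo "$root$f"
    done
    # "hosts: files dns" in nsswitch.conf needs both modules: without
    # libnss_dns you get "host name not found"; without /etc/services the
    # "ntp" service lookup fails with "Servname not supported for ai_socktype".
    for m in files dns; do
        have_nss_module "$root" "$m" || echo "$root/lib/libnss_$m.so.2 (no libnss_$m in any lib dir)"
    done
}

# check_chroot_resolver ROOT: report, and return 1 if anything is missing.
check_chroot_resolver() {
    out=$(missing_resolver_files "$1")
    if [ -n "$out" ]; then
        printf 'missing in %s:\n%s\n' "$1" "$out"
        return 1
    fi
    echo "resolver files present in $1"
    return 0
}

if [ $# -gt 0 ]; then
    check_chroot_resolver "$1"   # e.g. ./check_chroot_resolver.sh /home/CHROOT/ntpd
fi
```

Separately from the jail, the `keyword "mask" unknown` lines in both logs come from the config itself: `broadcast` takes a broadcast address (192.168.1.255), not a `mask` keyword, and `fudge 127.127.0.0` does not match the `server 127.127.1.0` refclock line it is meant to tune.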